@agentunion/fastaun-browser 0.3.2 → 0.3.3

package/dist/bundle.js

@@ -109,41 +109,55 @@ function parseDerLength(data, offset) {
   }
   return { value, lenBytes: 1 + numBytes };
 }
+function readDerTlvRange(data, offset, expectedTag) {
+  if (offset >= data.length) return null;
+  const tag = data[offset];
+  if (expectedTag !== void 0 && tag !== expectedTag) return null;
+  const len = parseDerLength(data, offset + 1);
+  if (!len) return null;
+  const valueStart = offset + 1 + len.lenBytes;
+  const valueEnd = valueStart + len.value;
+  if (valueStart > data.length || valueEnd > data.length) return null;
+  return { fullStart: offset, valueStart, valueEnd, fullEnd: valueEnd, tag };
+}
+function skipDerTlv(data, offset, expectedTag) {
+  const tlv = readDerTlvRange(data, offset, expectedTag);
+  return tlv?.fullEnd ?? null;
+}
 function extractSpkiFromCertPem(certPem) {
   const certDer = new Uint8Array(pemToArrayBuffer(certPem));
-  const p256Oid = [6, 8, 42, 134, 72, 206, 61, 3, 1, 7];
-  for (let i = 0; i <= certDer.length - p256Oid.length; i++) {
-    let match = true;
-    for (let j = 0; j < p256Oid.length; j++) {
-      if (certDer[i + j] !== p256Oid[j]) {
-        match = false;
-        break;
-      }
+  const cert = readDerTlvRange(certDer, 0, 48);
+  if (!cert) {
+    throw new Error("unable to extract SPKI public key from certificate");
+  }
+  const tbs = readDerTlvRange(certDer, cert.valueStart, 48);
+  if (!tbs) {
+    throw new Error("unable to extract SPKI public key from certificate");
+  }
+  let pos = tbs.valueStart;
+  if (certDer[pos] === 160) {
+    const next = skipDerTlv(certDer, pos, 160);
+    if (next === null || next > tbs.valueEnd) {
+      throw new Error("unable to extract SPKI public key from certificate");
     }
-    if (!match) continue;
-    for (let seqStart = Math.max(0, i - 32); seqStart <= i; seqStart++) {
-      if (certDer[seqStart] !== 48) continue;
-      const seqLen = parseDerLength(certDer, seqStart + 1);
-      if (seqLen === null) continue;
-      const totalLen = 1 + seqLen.lenBytes + seqLen.value;
-      if (totalLen < 50 || totalLen > 140) continue;
-      const spkiCandidate = certDer.slice(seqStart, seqStart + totalLen);
-      let hasBitString = false;
-      for (let k = 20; k < spkiCandidate.length - 10; k++) {
-        if (spkiCandidate[k] === 3 && spkiCandidate[k + 2] === 0) {
-          hasBitString = true;
-          break;
-        }
-      }
-      if (hasBitString) {
-        return spkiCandidate.buffer.slice(
-          spkiCandidate.byteOffset,
-          spkiCandidate.byteOffset + spkiCandidate.byteLength
-        );
-      }
+    pos = next;
+  }
+  for (const tag of [2, 48, 48, 48, 48]) {
+    const next = skipDerTlv(certDer, pos, tag);
+    if (next === null || next > tbs.valueEnd) {
+      throw new Error("unable to extract SPKI public key from certificate");
     }
+    pos = next;
+  }
+  const spki = readDerTlvRange(certDer, pos, 48);
+  if (!spki || spki.fullEnd > tbs.valueEnd) {
+    throw new Error("unable to extract SPKI public key from certificate");
   }
-  throw new Error("unable to extract SPKI public key from certificate");
+  const spkiDer = certDer.slice(spki.fullStart, spki.fullEnd);
+  return spkiDer.buffer.slice(
+    spkiDer.byteOffset,
+    spkiDer.byteOffset + spkiDer.byteLength
+  );
 }
 async function certificateSha256Fingerprint(certPem) {
   const der = pemToArrayBuffer(certPem);
@@ -902,8 +916,15 @@ var GatewayDiscovery = class {
    * 选择 priority 最小的网关。
    */
   async discover(wellKnownUrl, timeout = 5e3) {
+    const urls = await this.discoverAll(wellKnownUrl, timeout);
+    return urls[0];
+  }
+  /**
+   * 从 well-known URL 发现所有 Gateway WebSocket 地址（按 priority 排序）。
+   */
+  async discoverAll(wellKnownUrl, timeout = 5e3) {
     const tStart = Date.now();
-    this._log.debug(`discover enter: url=${wellKnownUrl}`);
+    this._log.debug(`discoverAll enter: url=${wellKnownUrl}`);
     let payload;
     try {
       const controller = new AbortController();
@@ -921,7 +942,7 @@ var GatewayDiscovery = class {
       }
       payload = rawPayload;
     } catch (exc) {
-      this._log.debug(`discover exit (error): elapsed=${Date.now() - tStart}ms err=${exc instanceof Error ? exc.message : String(exc)}`);
+      this._log.debug(`discoverAll exit (error): elapsed=${Date.now() - tStart}ms err=${exc instanceof Error ? exc.message : String(exc)}`);
       throw new ConnectionError(
         `gateway discovery failed for ${wellKnownUrl}: ${exc}`,
         { retryable: true }
@@ -929,21 +950,21 @@ var GatewayDiscovery = class {
     }
     const gateways = payload.gateways;
     if (!Array.isArray(gateways) || gateways.length === 0) {
-      this._log.debug(`discover exit (error): elapsed=${Date.now() - tStart}ms err=empty_gateways`);
+      this._log.debug(`discoverAll exit (error): elapsed=${Date.now() - tStart}ms err=empty_gateways`);
       throw new ValidationError("well-known returned empty gateways");
     }
     const sorted = [...gateways].sort(
       (a, b) => Number(a.priority ?? 999) - Number(b.priority ?? 999)
     );
-    const url = sorted[0]?.url;
-    if (!url) {
-      this._log.debug(`discover exit (error): elapsed=${Date.now() - tStart}ms err=missing_url`);
+    const urls = sorted.map((g) => String(g.url ?? "")).filter((u) => u.length > 0);
+    if (urls.length === 0) {
+      this._log.debug(`discoverAll exit (error): elapsed=${Date.now() - tStart}ms err=missing_url`);
       throw new ValidationError("well-known missing gateway url");
     }
-    this.checkHealth(String(url), timeout).catch(() => {
+    this.checkHealth(urls[0], timeout).catch(() => {
     });
-    this._log.debug(`discover exit: elapsed=${Date.now() - tStart}ms gateway=${String(url)} candidates=${gateways.length}`);
-    return String(url);
+    this._log.debug(`discoverAll exit: elapsed=${Date.now() - tStart}ms gateways=${JSON.stringify(urls)}`);
+    return urls;
   }
 };
 
@@ -1490,6 +1511,14 @@ var RPCTransport = class {
       const protocolEvent = method.slice(6);
       const sdkEvent = EVENT_NAME_MAP[protocolEvent] ?? protocolEvent;
       this._log.debug(`event recv: event=${sdkEvent} ${summarizeDict(message.params, DIAG_RESULT_FIELDS)}`);
+      const meta2 = message._meta;
+      if (this._metaObserver !== null && isJsonObject(meta2)) {
+        try {
+          this._metaObserver(meta2);
+        } catch (exc) {
+          this._log.debug(`event meta_observer raised: ${String(exc)}`);
+        }
+      }
       const params = message.params ?? {};
       if ("_trace" in params) {
         const eventTrace = params._trace;
@@ -1508,6 +1537,14 @@ var RPCTransport = class {
       this._dispatcher.publish(`_raw.${sdkEvent}`, params);
       return;
     }
+    const meta = message._meta;
+    if (this._metaObserver !== null && isJsonObject(meta)) {
+      try {
+        this._metaObserver(meta);
+      } catch (exc) {
+        this._log.debug(`notification meta_observer raised: ${String(exc)}`);
+      }
+    }
     this._log.debug(`notification recv: method=${method || "<no-method>"}`);
     this._dispatcher.publish("notification", message);
   }
@@ -2854,7 +2891,7 @@ var _AuthFlow = class _AuthFlow {
     }
   }
   async _loadInstanceState(aid) {
-    if (!this._deviceId || typeof this._keystore.loadInstanceState !== "function") {
+    if (typeof this._keystore.loadInstanceState !== "function") {
       return null;
     }
     return await this._keystore.loadInstanceState(aid, this._deviceId, this._slotId);
@@ -2875,9 +2912,6 @@ var _AuthFlow = class _AuthFlow {
       }
     }
     await this._keystore.saveIdentity(aid, persisted);
-    if (!this._deviceId) {
-      return;
-    }
     if (Object.keys(instanceState).length === 0 || typeof this._keystore.updateInstanceState !== "function") {
       return;
     }
@@ -2952,6 +2986,14 @@ var SeqTracker = class {
   getMaxSeenSeq(ns) {
     return this._get(ns).maxSeenSeq;
   }
+  /** Push 专用：只扩展上界 maxSeenSeq，不动 contiguousSeq。 */
+  updateMaxSeen(ns, seq) {
+    if (seq <= 0) return;
+    const t = this._get(ns);
+    if (seq > t.maxSeenSeq) {
+      t.maxSeenSeq = seq;
+    }
+  }
   /** S2: 从持久化（keystore 最近 ack seq）恢复 baseline，
    *  以便首条 push 消息能构造 [baseline+1, seq-1] 的历史 gap。
    *  必须在收到首条消息前调用。 */
@@ -3128,10 +3170,9 @@ var SeqTracker = class {
   removeNamespace(ns) {
     this._trackers.delete(ns);
   }
-  /** 强制跳过不连续区间，将 contiguousSeq 拨到指定位置。
-   *  当服务端返回 server_ack_seq 且本地 contiguousSeq 落后时调用，
-   *  跳过 [contiguousSeq, server_ack_seq) 这段不连续区间。 */
+  /** Pull 专用：强制推进 contiguousSeq（已连续到达的下界）。 */
   forceContiguousSeq(ns, seq) {
+    if (seq <= 0) return;
     const t = this._get(ns);
     if (seq > t.contiguousSeq) {
       for (const [key, probe] of t.pendingGaps) {
@@ -3147,6 +3188,22 @@ var SeqTracker = class {
       this._tryAdvance(t);
     }
   }
+  /** 脏数据修复：允许 contiguousSeq 倒退到指定值。 */
+  repairContiguousSeq(ns, seq) {
+    if (seq < 0) seq = 0;
+    const t = this._get(ns);
+    if (seq < t.contiguousSeq) {
+      for (const s of t.receivedSeqs) {
+        if (s <= seq) t.receivedSeqs.delete(s);
+      }
+      for (const [key, probe] of t.pendingGaps) {
+        if (probe.gapStart <= seq) {
+          t.pendingGaps.delete(key);
+        }
+      }
+      t.contiguousSeq = seq;
+    }
+  }
   /** 导出各命名空间的 contiguousSeq，用于持久化 */
   exportState() {
     const result = {};
@@ -3286,7 +3343,7 @@ function extractCommonNameFromCertPem(certPem) {
   try {
     const bytes = new Uint8Array(pemToArrayBuffer(certPem));
     const oid = [6, 3, 85, 4, 3];
-    const decoder = new TextDecoder();
+    const decoder2 = new TextDecoder();
     let commonName = "";
     for (let i = 0; i <= bytes.length - oid.length - 2; i++) {
       let matched = true;
@@ -3305,9 +3362,9 @@ function extractCommonNameFromCertPem(certPem) {
       if (end > bytes.length) continue;
       const valueBytes = bytes.slice(start, end);
       if (tag === 12 || tag === 19 || tag === 22 || tag === 20 || tag === 30) {
-        commonName = decoder.decode(valueBytes).trim();
+        commonName = decoder2.decode(valueBytes).trim();
       } else {
-        commonName = decoder.decode(valueBytes).trim();
+        commonName = decoder2.decode(valueBytes).trim();
       }
     }
     return commonName;
@@ -3725,6 +3782,43 @@ var AuthNamespace = class {
       throw err;
     }
   }
+  async headAgentMd(aid) {
+    const tStart = Date.now();
+    const targetAid = String(aid ?? "").trim();
+    if (!targetAid) {
+      throw new ValidationError("headAgentMd requires non-empty aid");
+    }
+    this._log.debug(`headAgentMd enter: aid=${targetAid}`);
+    try {
+      const response = await fetchWithTimeout(await this._resolveAgentMdUrl(targetAid), {
+        method: "HEAD",
+        headers: { Accept: "text/markdown" }
+      });
+      const respHeaders = response.headers;
+      const etag = respHeaders ? String(respHeaders.get("ETag") ?? "").trim() : "";
+      const lastModified = respHeaders ? String(respHeaders.get("Last-Modified") ?? "").trim() : "";
+      if (response.status === 404) {
+        this._log.debug(`headAgentMd exit (not_found): elapsed=${Date.now() - tStart}ms aid=${targetAid}`);
+        return { aid: targetAid, found: false, etag: "", last_modified: "", status: 404 };
+      }
+      if (response.status < 200 || response.status >= 300) {
+        throw new AUNError(`head agent.md failed: HTTP ${response.status}`);
+      }
+      if (etag || lastModified) {
+        const cached = this._agentMdCache.get(targetAid) ?? { text: "", etag: "", lastModified: "" };
+        this._agentMdCache.set(targetAid, {
+          text: cached.text ?? "",
+          etag,
+          lastModified
+        });
+      }
+      this._log.debug(`headAgentMd exit: elapsed=${Date.now() - tStart}ms aid=${targetAid} status=${response.status} etag=${etag || "-"}`);
+      return { aid: targetAid, found: true, etag, last_modified: lastModified, status: response.status };
+    } catch (err) {
+      this._log.debug(`headAgentMd exit (error): elapsed=${Date.now() - tStart}ms aid=${targetAid} err=${err instanceof Error ? err.message : String(err)}`);
+      throw err;
+    }
+  }
   async downloadAgentMd(aid) {
     const tStart = Date.now();
     this._log.debug(`downloadAgentMd enter: aid=${aid}`);
@@ -4907,7 +5001,7 @@ async function _decryptPEM(enc, seed) {
   return new TextDecoder().decode(pt);
 }
 var DB_NAME = "aun-keystore";
-var DB_VERSION = 5;
+var DB_VERSION = 6;
 var STORE_KEY_PAIRS = "key_pairs";
 var STORE_CERTS = "certs";
 var STORE_METADATA = "metadata";
@@ -4917,6 +5011,7 @@ var STORE_GROUP_CURRENT = "group_current";
 var STORE_GROUP_OLD_EPOCHS = "group_old_epochs";
 var STORE_SESSIONS = "e2ee_sessions";
 var STORE_GROUP_STATE = "group_state";
+var STORE_AGENT_MD_CACHE = "agent_md_cache";
 var STRUCTURED_RECOVERY_RETENTION_MS = 7 * 24 * 3600 * 1e3;
 function metadataStoreKey(aid) {
   return safeAid(aid);
@@ -4987,6 +5082,59 @@ function seqTrackerPrefix(aid, deviceId, slotId) {
 function seqTrackerStoreKey(aid, deviceId, slotId, namespace) {
   return `${seqTrackerPrefix(aid, deviceId, slotId)}${encodePart(namespace)}`;
 }
+function agentMdCachePrefix(ownerAid) {
+  return `${safeAid(ownerAid)}|`;
+}
+function agentMdCacheStoreKey(ownerAid, targetAid) {
+  return `${agentMdCachePrefix(ownerAid)}${encodePart(targetAid)}`;
+}
+function defaultAgentMdCacheRecord(aid) {
+  return {
+    aid,
+    content: "",
+    local_etag: "",
+    remote_etag: "",
+    last_modified: "",
+    fetched_at: 0,
+    observed_at: 0,
+    checked_at: 0,
+    remote_status: "",
+    verify_status: "",
+    verify_error: "",
+    last_error: "",
+    updated_at: 0
+  };
+}
+function normalizeAgentMdCacheRecord(aid, value) {
+  if (!isRecord(value)) return null;
+  const out = defaultAgentMdCacheRecord(aid);
+  for (const key of ["content", "local_etag", "remote_etag", "last_modified", "remote_status", "verify_status", "verify_error", "last_error"]) {
+    out[key] = String(value[key] ?? "");
+  }
+  for (const key of ["fetched_at", "observed_at", "checked_at", "updated_at"]) {
+    const n = Number(value[key] ?? 0);
+    out[key] = Number.isFinite(n) ? Math.trunc(n) : 0;
+  }
+  out.aid = String(value.aid ?? aid).trim() || aid;
+  return out;
+}
+function mergeAgentMdCacheRecord(aid, current, fields) {
+  const out = current ? { ...current } : defaultAgentMdCacheRecord(aid);
+  out.aid = aid;
+  for (const key of ["content", "local_etag", "remote_etag", "last_modified", "remote_status", "verify_status", "verify_error", "last_error"]) {
+    if (Object.prototype.hasOwnProperty.call(fields, key) && fields[key] !== void 0 && fields[key] !== null) {
+      out[key] = String(fields[key] ?? "");
+    }
+  }
+  for (const key of ["fetched_at", "observed_at", "checked_at"]) {
+    if (Object.prototype.hasOwnProperty.call(fields, key) && fields[key] !== void 0 && fields[key] !== null) {
+      const n = Number(fields[key] ?? 0);
+      out[key] = Number.isFinite(n) ? Math.trunc(n) : 0;
+    }
+  }
+  out.updated_at = Date.now();
+  return out;
+}
 function stripStructuredFields(metadata) {
   const plain = deepClone(metadata);
   delete plain.e2ee_prekeys;
@@ -5030,6 +5178,9 @@ function openDB() {
       if (!db.objectStoreNames.contains(STORE_GROUP_STATE)) {
         db.createObjectStore(STORE_GROUP_STATE);
       }
+      if (!db.objectStoreNames.contains(STORE_AGENT_MD_CACHE)) {
+        db.createObjectStore(STORE_AGENT_MD_CACHE);
+      }
     };
     request.onsuccess = () => {
       const db = request.result;
@@ -6260,6 +6411,46 @@ var _IndexedDBKeyStore = class _IndexedDBKeyStore {
     const key = seqTrackerStoreKey(aid, deviceId, slotId, namespace);
     await idbDelete(STORE_INSTANCE_STATE, key);
   }
+  // ── agent.md Cache ───────────────────────────────────────
+  async loadAgentMdCache(ownerAid, targetAid) {
+    const owner = String(ownerAid ?? "").trim();
+    const target = String(targetAid ?? "").trim();
+    if (!owner || !target) return null;
+    const data = await idbGet(STORE_AGENT_MD_CACHE, agentMdCacheStoreKey(owner, target));
+    const record = normalizeAgentMdCacheRecord(target, data);
+    return record ? deepClone(record) : null;
+  }
+  async upsertAgentMdCache(ownerAid, targetAid, fields) {
+    const owner = String(ownerAid ?? "").trim();
+    const target = String(targetAid ?? "").trim();
+    if (!owner || !target) {
+      throw new Error("upsertAgentMdCache requires ownerAid and targetAid");
+    }
+    const current = await this.loadAgentMdCache(owner, target);
+    const record = mergeAgentMdCacheRecord(target, current, fields ?? {});
+    await idbPut(STORE_AGENT_MD_CACHE, agentMdCacheStoreKey(owner, target), record);
+    return deepClone(record);
+  }
+  async listAgentMdContentAids(agentMdPath) {
+    const root = String(agentMdPath ?? "").trim();
+    if (!root) return [];
+    const prefix = agentMdCachePrefix(root);
+    const suffix = "/agent.md";
+    const aids = /* @__PURE__ */ new Set();
+    for (const item of await idbGetAllByPrefix(STORE_AGENT_MD_CACHE, prefix)) {
+      const encodedTarget = item.key.slice(prefix.length);
+      let target = "";
+      try {
+        target = decodeURIComponent(encodedTarget);
+      } catch {
+        target = encodedTarget;
+      }
+      if (!target.endsWith(suffix)) continue;
+      const aid = target.slice(0, -suffix.length).trim();
+      if (aid) aids.add(aid);
+    }
+    return [...aids].sort();
+  }
   // ── Group State（群组状态快照） ─────────────────────────────
   async saveGroupState(groupId, state) {
     const key = encodePart(groupId);
@@ -6359,9 +6550,53 @@ var IndexedDBKeyStore = _IndexedDBKeyStore;
 
 // src/v2/session/keystore.ts
 var V2_DB_NAME = "aun_v2";
-var V2_DB_VERSION = 1;
+var V2_DB_VERSION = 3;
 var V2_STORE_NAME = "v2_device_keys";
 var V2_INDEX_BY_DEVICE_TYPE_CREATED = "by_device_type_created";
+async function spkIdForPubDer(pubDer) {
+  const buf = await crypto.subtle.digest("SHA-256", pubDer.slice().buffer);
+  const arr = new Uint8Array(buf);
+  let hex = "";
+  for (let i = 0; i < arr.length; i++) hex += arr[i].toString(16).padStart(2, "0");
+  return `sha256:${hex.slice(0, 16)}`;
+}
+function migrateRecord(raw) {
+  let groupId = String(raw.group_id ?? "");
+  let keyId = String(raw.key_id ?? "");
+  if ((raw.key_type === "group_spk" || raw.key_type === "group_spk_uploaded") && !groupId && keyId.includes("\0")) {
+    const parts = keyId.split("\0");
+    groupId = parts[0] ?? "";
+    keyId = parts.slice(1).join("\0");
+  }
+  return {
+    device_id: String(raw.device_id ?? ""),
+    key_type: raw.key_type,
+    group_id: groupId,
+    key_id: keyId,
+    private_key: new Uint8Array(raw.private_key ?? new Uint8Array()),
+    public_key: new Uint8Array(raw.public_key ?? new Uint8Array()),
+    created_at: Number(raw.created_at ?? Date.now())
+  };
+}
+function createV2Store(db) {
+  const store = db.createObjectStore(V2_STORE_NAME, {
+    keyPath: ["device_id", "key_type", "group_id", "key_id"]
+  });
+  store.createIndex(
+    V2_INDEX_BY_DEVICE_TYPE_CREATED,
+    ["device_id", "key_type", "group_id", "created_at"]
+  );
+  return store;
+}
+function recreateScopeCreatedIndex(store) {
+  if (store.indexNames.contains(V2_INDEX_BY_DEVICE_TYPE_CREATED)) {
+    store.deleteIndex(V2_INDEX_BY_DEVICE_TYPE_CREATED);
+  }
+  store.createIndex(
+    V2_INDEX_BY_DEVICE_TYPE_CREATED,
+    ["device_id", "key_type", "group_id", "created_at"]
+  );
+}
 var V2KeyStore = class _V2KeyStore {
   constructor(db) {
     this.db = db;
@@ -6370,16 +6605,28 @@ var V2KeyStore = class _V2KeyStore {
   static async open(dbName = V2_DB_NAME) {
     return new Promise((resolve, reject) => {
       const req = indexedDB.open(dbName, V2_DB_VERSION);
-      req.onupgradeneeded = () => {
+      req.onupgradeneeded = (event) => {
         const db = req.result;
         if (!db.objectStoreNames.contains(V2_STORE_NAME)) {
-          const store = db.createObjectStore(V2_STORE_NAME, {
-            keyPath: ["device_id", "key_type", "key_id"]
-          });
-          store.createIndex(
-            V2_INDEX_BY_DEVICE_TYPE_CREATED,
-            ["device_id", "key_type", "created_at"]
-          );
+          createV2Store(db);
+          return;
+        }
+        if (event.oldVersion < 2) {
+          const tx = req.transaction;
+          if (!tx) throw new Error("V2KeyStore.open: missing upgrade transaction");
+          const oldStore = tx.objectStore(V2_STORE_NAME);
+          const getAllReq = oldStore.getAll();
+          getAllReq.onsuccess = () => {
+            const records = getAllReq.result.map(migrateRecord);
+            db.deleteObjectStore(V2_STORE_NAME);
+            const store = createV2Store(db);
+            for (const record of records) store.put(record);
+          };
+          getAllReq.onerror = () => reject(getAllReq.error);
+        } else if (event.oldVersion < 3) {
+          const tx = req.transaction;
+          if (!tx) throw new Error("V2KeyStore.open: missing upgrade transaction");
+          recreateScopeCreatedIndex(tx.objectStore(V2_STORE_NAME));
         }
       };
       req.onsuccess = () => resolve(new _V2KeyStore(req.result));
@@ -6394,11 +6641,33 @@ var V2KeyStore = class _V2KeyStore {
   store(mode) {
     return this.db.transaction(V2_STORE_NAME, mode).objectStore(V2_STORE_NAME);
   }
+  async _listRecordsByTypeNewestFirst(deviceId, keyType, groupId) {
+    return new Promise((resolve, reject) => {
+      const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
+      const range = IDBKeyRange.bound(
+        [deviceId, keyType, groupId, -Infinity],
+        [deviceId, keyType, groupId, Infinity]
+      );
+      const req = idx.openCursor(range, "prev");
+      const out = [];
+      req.onsuccess = () => {
+        const cursor = req.result;
+        if (cursor) {
+          out.push(cursor.value);
+          cursor.continue();
+        } else {
+          resolve(out);
+        }
+      };
+      req.onerror = () => reject(req.error);
+    });
+  }
   // ---------- SPK ----------
   async saveSPK(deviceId, spkId, priv, pubDer) {
     const record = {
       device_id: deviceId,
       key_type: "spk",
+      group_id: "",
       key_id: spkId,
       private_key: priv,
       public_key: pubDer,
@@ -6412,7 +6681,7 @@ var V2KeyStore = class _V2KeyStore {
   }
   async loadSPK(deviceId, spkId) {
     return new Promise((resolve, reject) => {
-      const req = this.store("readonly").get([deviceId, "spk", spkId]);
+      const req = this.store("readonly").get([deviceId, "spk", "", spkId]);
       req.onsuccess = () => {
         const r = req.result;
         resolve(r ? new Uint8Array(r.private_key) : null);
@@ -6425,8 +6694,8 @@ var V2KeyStore = class _V2KeyStore {
     return new Promise((resolve, reject) => {
       const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
       const range = IDBKeyRange.bound(
-        [deviceId, "spk", -Infinity],
-        [deviceId, "spk", Infinity]
+        [deviceId, "spk", "", -Infinity],
+        [deviceId, "spk", "", Infinity]
       );
       const req = idx.openCursor(range, "prev");
       req.onsuccess = () => {
@@ -6446,20 +6715,49 @@ var V2KeyStore = class _V2KeyStore {
     });
   }
   async deleteSPK(deviceId, spkId) {
+    await new Promise((resolve, reject) => {
+      const req = this.store("readwrite").delete([deviceId, "spk", "", spkId]);
+      req.onsuccess = () => resolve();
+      req.onerror = () => reject(req.error);
+    });
+    await new Promise((resolve, reject) => {
+      const req = this.store("readwrite").delete([deviceId, "spk_uploaded", "", spkId]);
+      req.onsuccess = () => resolve();
+      req.onerror = () => reject(req.error);
+    });
+  }
+  async markSPKUploaded(deviceId, spkId) {
+    const record = {
+      device_id: deviceId,
+      key_type: "spk_uploaded",
+      group_id: "",
+      key_id: spkId,
+      private_key: new Uint8Array(),
+      public_key: new Uint8Array(),
+      created_at: Date.now()
+    };
     return new Promise((resolve, reject) => {
-      const req = this.store("readwrite").delete([deviceId, "spk", spkId]);
+      const req = this.store("readwrite").put(record);
       req.onsuccess = () => resolve();
       req.onerror = () => reject(req.error);
     });
   }
+  async loadLatestUploadedSPKId(deviceId) {
+    const records = await this._listRecordsByTypeNewestFirst(deviceId, "spk_uploaded", "");
+    for (const record of records) {
+      const spkId = record.key_id;
+      if (await this.loadSPK(deviceId, spkId)) return spkId;
+    }
+    return null;
+  }
   /** 返回最近 N 代 SPK 的 spk_id（按 created_at DESC）。 */
   async listRecentSPKIds(deviceId, n) {
     if (n <= 0) return [];
     return new Promise((resolve, reject) => {
       const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
       const range = IDBKeyRange.bound(
-        [deviceId, "spk", -Infinity],
-        [deviceId, "spk", Infinity]
+        [deviceId, "spk", "", -Infinity],
+        [deviceId, "spk", "", Infinity]
       );
       const req = idx.openCursor(range, "prev");
       const out = [];
@@ -6480,8 +6778,8 @@ var V2KeyStore = class _V2KeyStore {
     return new Promise((resolve, reject) => {
       const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
       const range = IDBKeyRange.bound(
-        [deviceId, "spk", -Infinity],
-        [deviceId, "spk", cutoff],
+        [deviceId, "spk", "", -Infinity],
+        [deviceId, "spk", "", cutoff],
         false,
         true
       );
@@ -6500,14 +6798,12 @@ var V2KeyStore = class _V2KeyStore {
     });
   }
   // ---------- Group SPK ----------
-  static _groupSpkKeyId(groupId, spkId) {
-    return `${groupId}\0${spkId}`;
-  }
   async saveGroupSPK(deviceId, groupId, spkId, priv, pubDer) {
     const record = {
       device_id: deviceId,
       key_type: "group_spk",
-      key_id: _V2KeyStore._groupSpkKeyId(groupId, spkId),
+      group_id: groupId,
+      key_id: spkId,
       private_key: priv,
       public_key: pubDer,
       created_at: Date.now()
@@ -6519,9 +6815,8 @@ var V2KeyStore = class _V2KeyStore {
     });
   }
   async loadGroupSPK(deviceId, groupId, spkId) {
-    const keyId = _V2KeyStore._groupSpkKeyId(groupId, spkId);
     return new Promise((resolve, reject) => {
-      const req = this.store("readonly").get([deviceId, "group_spk", keyId]);
+      const req = this.store("readonly").get([deviceId, "group_spk", groupId, spkId]);
       req.onsuccess = () => {
         const r = req.result;
         resolve(r ? new Uint8Array(r.private_key) : null);
@@ -6529,14 +6824,13 @@ var V2KeyStore = class _V2KeyStore {
       req.onerror = () => reject(req.error);
     });
   }
-  /** 取指定群最新 group SPK（按 created_at DESC，key_id 前缀匹配）。 */
+  /** 取指定群最新 group SPK（按 created_at DESC）。 */
   async loadCurrentGroupSPK(deviceId, groupId) {
-    const prefix = `${groupId}\0`;
     return new Promise((resolve, reject) => {
       const idx = this.store("readonly").index(V2_INDEX_BY_DEVICE_TYPE_CREATED);
       const range = IDBKeyRange.bound(
-        [deviceId, "group_spk", -Infinity],
-        [deviceId, "group_spk", Infinity]
+        [deviceId, "group_spk", groupId, -Infinity],
+        [deviceId, "group_spk", groupId, Infinity]
       );
       const req = idx.openCursor(range, "prev");
       req.onsuccess = () => {
@@ -6546,39 +6840,80 @@ var V2KeyStore = class _V2KeyStore {
           return;
         }
         const r = cursor.value;
-        if (r.key_id.startsWith(prefix)) {
-          const spkId = r.key_id.slice(prefix.length);
-          resolve({
-            spkId,
-            priv: new Uint8Array(r.private_key),
-            pubDer: new Uint8Array(r.public_key)
-          });
-        } else {
-          cursor.continue();
-        }
+        resolve({
+          spkId: r.key_id,
+          priv: new Uint8Array(r.private_key),
+          pubDer: new Uint8Array(r.public_key)
+        });
       };
       req.onerror = () => reject(req.error);
     });
   }
+  async markGroupSPKUploaded(deviceId, groupId, spkId) {
+    const record = {
+      device_id: deviceId,
+      key_type: "group_spk_uploaded",
+      group_id: groupId,
+      key_id: spkId,
+      private_key: new Uint8Array(),
+      public_key: new Uint8Array(),
+      created_at: Date.now()
+    };
+    return new Promise((resolve, reject) => {
+      const req = this.store("readwrite").put(record);
+      req.onsuccess = () => resolve();
+      req.onerror = () => reject(req.error);
+    });
+  }
+  async loadLatestUploadedGroupSPKId(deviceId, groupId) {
+    const records = await this._listRecordsByTypeNewestFirst(deviceId, "group_spk_uploaded", groupId);
+    for (const record of records) {
+      const spkId = record.key_id;
+      if (await this.loadGroupSPK(deviceId, groupId, spkId)) return spkId;
+    }
+    return null;
+  }
   // ---------- IK ----------
   async saveIK(deviceId, priv, pubDer) {
     const record = {
       device_id: deviceId,
       key_type: "ik",
+      group_id: "",
       key_id: "",
       private_key: priv,
       public_key: pubDer,
       created_at: Date.now()
     };
-    return new Promise((resolve, reject) => {
+    await new Promise((resolve, reject) => {
       const req = this.store("readwrite").put(record);
       req.onsuccess = () => resolve();
       req.onerror = () => reject(req.error);
     });
+    const alias = {
+      ...record,
+      key_id: await spkIdForPubDer(pubDer)
+    };
+    return new Promise((resolve, reject) => {
+      const req = this.store("readwrite").put(alias);
+      req.onsuccess = () => resolve();
+      req.onerror = () => reject(req.error);
+    });
   }
   async loadIK(deviceId) {
     return new Promise((resolve, reject) => {
-      const req = this.store("readonly").get([deviceId, "ik", ""]);
+      const req = this.store("readonly").get([deviceId, "ik", "", ""]);
+      req.onsuccess = () => {
+        const r = req.result;
+        resolve(
+          r ? { priv: new Uint8Array(r.private_key), pubDer: new Uint8Array(r.public_key) } : null
+        );
+      };
+      req.onerror = () => reject(req.error);
+    });
+  }
+  async loadIKSPK(deviceId, spkId) {
+    return new Promise((resolve, reject) => {
+      const req = this.store("readonly").get([deviceId, "ik", "", spkId]);
       req.onsuccess = () => {
         const r = req.result;
         resolve(
@@ -6601,6 +6936,7 @@ var V2KeyStore = class _V2KeyStore {
 
 // src/v2/crypto/canonical.ts
 var encoder = new TextEncoder();
+var MAX_SAFE_JSON_INTEGER = 9007199254740991;
 function canonicalJson(obj) {
   return encoder.encode(serialize(obj));
 }
@@ -6626,17 +6962,34 @@ function serializeNumber(n) {
   if (!isFinite(n)) {
     throw new RangeError("canonicalJson: Infinity and NaN not allowed");
   }
+  if (Object.is(n, -0)) return "0";
   if (Number.isInteger(n)) {
-    return n.toString(10);
-  }
-  let s = String(n);
-  if (s.includes("e") || s.includes("E")) {
-    s = n.toFixed(20).replace(/0+$/, "");
-    if (s.endsWith(".")) {
-      s += "0";
+    if (Math.abs(n) > MAX_SAFE_JSON_INTEGER) {
+      throw new RangeError(`canonicalJson: integer outside safe range ${n}`);
     }
+    return String(n);
   }
-  return s;
+  return expandExponent(String(n));
+}
+function expandExponent(s) {
+  if (!/[eE]/.test(s)) return s;
+  const match = /^(-?)(\d+)(?:\.(\d+))?[eE]([+-]?\d+)$/.exec(s);
+  if (!match) {
+    throw new TypeError(`canonicalJson: invalid number ${s}`);
+  }
+  const sign = match[1] ?? "";
+  const intPart = match[2] ?? "";
+  const fracPart = match[3] ?? "";
+  const exp = Number(match[4]);
+  const digits = intPart + fracPart;
+  const point = intPart.length + exp;
+  if (point <= 0) {
+    return `${sign}0.${"0".repeat(-point)}${digits}`;
+  }
+  if (point >= digits.length) {
+    return `${sign}${digits}${"0".repeat(point - digits.length)}`;
+  }
+  return `${sign}${digits.slice(0, point)}.${digits.slice(point)}`;
 }
 function serializeString(s) {
   let result = '"';
@@ -6671,12 +7024,23 @@ function serializeArray(arr) {
   return "[" + items.join(",") + "]";
 }
 function serializeObject(obj) {
-  const sortedKeys = Object.keys(obj).sort();
+  const sortedKeys = Object.keys(obj).sort(compareCodePoints);
   const pairs = sortedKeys.map(
     (key) => serializeString(key) + ":" + serialize(obj[key])
   );
   return "{" + pairs.join(",") + "}";
 }
+function compareCodePoints(a, b) {
+  const ac = Array.from(a);
+  const bc = Array.from(b);
+  const n = Math.min(ac.length, bc.length);
+  for (let i = 0; i < n; i++) {
+    const av = ac[i].codePointAt(0) ?? 0;
+    const bv = bc[i].codePointAt(0) ?? 0;
+    if (av !== bv) return av - bv;
+  }
+  return ac.length - bc.length;
+}
 
 // node_modules/@noble/hashes/utils.js
 function isBytes(a) {
@@ -8901,6 +9265,22 @@ function b64UrlToBytes(s) {
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
   return out;
 }
+function b64UrlToFixed32(s) {
+  const raw = b64UrlToBytes(s);
+  if (raw.length === 32) return raw;
+  if (raw.length < 32) {
+    const out = new Uint8Array(32);
+    out.set(raw, 32 - raw.length);
+    return out;
+  }
+  const extra = raw.length - 32;
+  for (let i = 0; i < extra; i++) {
+    if (raw[i] !== 0) {
+      throw new Error(`invalid P-256 private scalar length=${raw.length}`);
+    }
+  }
+  return raw.slice(extra);
+}
 function p256PublicXY(privateKeyScalar) {
   const pub = p256.getPublicKey(privateKeyScalar, false);
   if (pub.length !== 65 || pub[0] !== 4) {
@@ -8957,7 +9337,7 @@ async function generateP256Keypair() {
   if (!jwk.d) {
     throw new Error("exportKey(jwk) returned no private component");
   }
-  const priv = b64UrlToBytes(jwk.d);
+  const priv = b64UrlToFixed32(jwk.d);
   const pubDerBuf = await crypto.subtle.exportKey("spki", keyPair.publicKey);
   return [priv, new Uint8Array(pubDerBuf)];
 }
@@ -9254,10 +9634,14 @@ function concatBytes3(...parts) {
   }
   return out;
 }
+function scopedDeviceId(aid, deviceId) {
+  return `aid:${encodeURIComponent(String(aid ?? ""))}|device:${encodeURIComponent(String(deviceId ?? ""))}`;
+}
 var V2Session = class {
   constructor(store, deviceId, aid, ikPriv, ikPubDer) {
     __publicField(this, "_store");
     __publicField(this, "_deviceId");
+    __publicField(this, "_storeDeviceId");
     __publicField(this, "_aid");
     __publicField(this, "_ikPriv");
     __publicField(this, "_ikPubDer");
@@ -9276,6 +9660,7 @@ var V2Session = class {
     }
     this._store = store;
     this._deviceId = deviceId;
+    this._storeDeviceId = scopedDeviceId(aid, deviceId);
     this._aid = aid;
     this._ikPriv = ikPriv;
     this._ikPubDer = ikPubDer;
@@ -9302,8 +9687,9 @@ var V2Session = class {
   }
   /** 加载或生成当前 SPK；IK 由构造函数注入，无需加载。 */
   async ensureKeys() {
+    await this._store.saveIK(this._storeDeviceId, this._ikPriv, this._ikPubDer);
     if (this._spkPriv) return;
-    const cur = await this._store.loadCurrentSPK(this._deviceId);
+    const cur = await this._store.loadCurrentSPK(this._storeDeviceId);
     if (cur) {
       this._spkId = cur.spkId;
       this._spkPriv = cur.priv;
@@ -9316,11 +9702,20 @@ var V2Session = class {
     const [priv, pubDer] = await generateP256Keypair();
     const hex = await sha256Hex(pubDer);
     const spkId = `sha256:${hex.substring(0, 16)}`;
-    await this._store.saveSPK(this._deviceId, spkId, priv, pubDer);
+    await this._store.saveSPK(this._storeDeviceId, spkId, priv, pubDer);
     this._spkId = spkId;
     this._spkPriv = priv;
     this._spkPubDer = pubDer;
   }
+  async _ikSPKId() {
+    const hex = await sha256Hex(this._ikPubDer);
+    return `sha256:${hex.substring(0, 16)}`;
+  }
+  _normalizeGroupSPKLookup(groupId, spkId) {
+    const nul = spkId.indexOf("\0");
+    if (nul < 0) return { groupId, spkId };
+    return { groupId: spkId.slice(0, nul).trim(), spkId: spkId.slice(nul + 1) };
+  }
   /** SPK 由 AID 私钥（IK）签名背书并上报到 message.v2.put_peer_pk。 */
   async _registerSPK(callFn) {
     const spkTimestamp = Math.floor(this._nowFn() / 1e3);
@@ -9344,7 +9739,14 @@ var V2Session = class {
   async ensureRegistered(callFn) {
     if (this._registered) return;
     await this.ensureKeys();
+    const uploadedSPKId = await this._store.loadLatestUploadedSPKId(this._storeDeviceId);
+    if (uploadedSPKId) {
+      this._registered = true;
+      this._lastUploadedSPKId = uploadedSPKId;
+      return;
+    }
     await this._registerSPK(callFn);
+    await this._store.markSPKUploaded(this._storeDeviceId, this._spkId);
     this._registered = true;
     this._lastUploadedSPKId = this._spkId;
   }
@@ -9361,16 +9763,47 @@ var V2Session = class {
   /**
    * 返回解密所需的私钥。
    * - spkId 空：1DH（仅 IK）
-   * - spkId == 当前 SPK：当前 spkPriv
-   * - 否则：从 store 加载旧 SPK 私钥（可能 undefined = 已销毁）
+   * - spkId == 当前/历史 device SPK：对应 spkPriv
+   * - spkId == IK 指纹：走 IK 特殊 fallback，返回 IK 私钥作为 spkPriv
+   * - 否则：显式报 spk_missing
    */
   async getDecryptKeys(spkId) {
     await this.ensureKeys();
     if (!spkId) return { ikPriv: this._ikPriv };
     if (spkId === this._spkId) return { ikPriv: this._ikPriv, spkPriv: this._spkPriv };
-    const oldSPK = await this._store.loadSPK(this._deviceId, spkId);
-    if (!oldSPK) return { ikPriv: this._ikPriv };
-    return { ikPriv: this._ikPriv, spkPriv: oldSPK };
+    const oldSPK = await this._loadSPK(spkId);
+    if (oldSPK) return { ikPriv: this._ikPriv, spkPriv: oldSPK };
+    const ikAlias = await this._loadIKSPK(spkId);
+    if (ikAlias) return { ikPriv: ikAlias.priv, spkPriv: ikAlias.priv };
+    if (spkId === await this._ikSPKId()) {
+      await this._store.saveIK(this._storeDeviceId, this._ikPriv, this._ikPubDer);
+      return { ikPriv: this._ikPriv, spkPriv: this._ikPriv };
+    }
+    throw new Error(`spk_missing: spk_id=${spkId}`);
+  }
+  async _loadSPK(spkId) {
+    const scoped = await this._store.loadSPK(this._storeDeviceId, spkId);
+    if (scoped) return scoped;
+    if (this._storeDeviceId !== this._deviceId) {
+      return this._store.loadSPK(this._deviceId, spkId);
+    }
+    return null;
+  }
+  async _loadIKSPK(spkId) {
+    const scoped = await this._store.loadIKSPK(this._storeDeviceId, spkId);
+    if (scoped) return scoped;
+    if (this._storeDeviceId !== this._deviceId) {
+      return this._store.loadIKSPK(this._deviceId, spkId);
+    }
+    return null;
+  }
+  async _loadGroupSPK(groupId, spkId) {
+    const scoped = await this._store.loadGroupSPK(this._storeDeviceId, groupId, spkId);
+    if (scoped) return scoped;
+    if (this._storeDeviceId !== this._deviceId) {
+      return this._store.loadGroupSPK(this._deviceId, groupId, spkId);
+    }
+    return null;
   }
   /** 判断 spkId 是否命中当前活跃 SPK。 */
   isCurrentSPK(spkId) {
@@ -9399,7 +9832,7 @@ var V2Session = class {
     let recentKeep;
     try {
       recentKeep = new Set(
-        await this._store.listRecentSPKIds(this._deviceId, RECENT_GENERATIONS)
+        await this._store.listRecentSPKIds(this._storeDeviceId, RECENT_GENERATIONS)
       );
     } catch {
       recentKeep = /* @__PURE__ */ new Set();
@@ -9411,6 +9844,7 @@ var V2Session = class {
       if (recentKeep.has(spkId)) continue;
       try {
         await this._store.deleteSPK(this._deviceId, spkId);
+        await this._store.deleteSPK(this._storeDeviceId, spkId);
       } catch (err) {
         console.warn("[V2Session] deleteSPK failed", { spkId, err });
         continue;
@@ -9420,9 +9854,14 @@ var V2Session = class {
     }
     try {
       const expired = await this._store.listExpiredSPKIds(this._deviceId, HARD_LIMIT_MS);
+      const scopedExpired = await this._store.listExpiredSPKIds(this._storeDeviceId, HARD_LIMIT_MS);
+      for (const spkId of scopedExpired) {
+        if (!expired.includes(spkId)) expired.push(spkId);
+      }
       for (const spkId of expired) {
         if (spkId === this._spkId) continue;
         try {
+          await this._store.deleteSPK(this._storeDeviceId, spkId);
           await this._store.deleteSPK(this._deviceId, spkId);
         } catch {
           continue;
@@ -9438,6 +9877,7 @@ var V2Session = class {
   async rotateSPK(callFn) {
     await this._generateNewSPK();
     await this._registerSPK(callFn);
+    await this._store.markSPKUploaded(this._storeDeviceId, this._spkId);
     this._lastUploadedSPKId = this._spkId;
   }
   /** 判断 spkId 是否为本进程最后一次成功上传的 P2P SPK。 */
@@ -9448,25 +9888,31 @@ var V2Session = class {
   isLastUploadedGroupSPK(groupId, spkId) {
     if (!spkId) return false;
     const gk = (groupId || "").trim();
-    return this._lastUploadedGroupSPKIds.get(gk) === spkId;
+    const lookup = this._normalizeGroupSPKLookup(gk, spkId);
+    return this._lastUploadedGroupSPKIds.get(lookup.groupId) === lookup.spkId;
   }
   // ---------- Group SPK ----------
   /** 确保指定群有独立 group SPK，返回 { spkId, priv, pubDer }。 */
   async ensureGroupSPK(groupId) {
     await this.ensureKeys();
     const gk = (groupId || "").trim();
-    const existing = await this._store.loadCurrentGroupSPK(this._deviceId, gk);
+    const existing = await this._store.loadCurrentGroupSPK(this._storeDeviceId, gk);
     if (existing) return existing;
     const [priv, pubDer] = await generateP256Keypair();
     const hex = await sha256Hex(pubDer);
     const spkId = `sha256:${hex.substring(0, 16)}`;
-    await this._store.saveGroupSPK(this._deviceId, gk, spkId, priv, pubDer);
+    await this._store.saveGroupSPK(this._storeDeviceId, gk, spkId, priv, pubDer);
     return { spkId, priv, pubDer };
   }
   /** 注册指定群的 group SPK。group 服务负责成员鉴权。 */
   async ensureGroupRegistered(groupId, callFn) {
     await this.ensureKeys();
     const gk = (groupId || "").trim();
+    const uploadedSPKId = await this._store.loadLatestUploadedGroupSPKId(this._storeDeviceId, gk);
+    if (uploadedSPKId) {
+      this._lastUploadedGroupSPKIds.set(gk, uploadedSPKId);
+      return;
+    }
     const { spkId, pubDer } = await this.ensureGroupSPK(gk);
     await this._publishGroupSPK(gk, spkId, pubDer, callFn);
   }
@@ -9477,18 +9923,19 @@ var V2Session = class {
     const [priv, pubDer] = await generateP256Keypair();
     const hex = await sha256Hex(pubDer);
     const spkId = `sha256:${hex.substring(0, 16)}`;
-    await this._store.saveGroupSPK(this._deviceId, gk, spkId, priv, pubDer);
+    await this._store.saveGroupSPK(this._storeDeviceId, gk, spkId, priv, pubDer);
     await this._publishGroupSPK(gk, spkId, pubDer, callFn);
     return { spkId, priv, pubDer };
   }
-  /** 群消息解密优先查 group SPK；找不到时 fallback 旧 P2P SPK 兼容历史消息。 */
+  /** 群消息解密按 group SPK -> device SPK -> IK fallback；仍找不到则显式报错。 */
   async getGroupDecryptKeys(groupId, spkId) {
     await this.ensureKeys();
     const gk = (groupId || "").trim();
     if (!spkId) return { ikPriv: this._ikPriv };
-    const groupSpk = await this._store.loadGroupSPK(this._deviceId, gk, spkId);
+    const lookup = this._normalizeGroupSPKLookup(gk, spkId);
+    const groupSpk = await this._loadGroupSPK(lookup.groupId, lookup.spkId);
     if (groupSpk) return { ikPriv: this._ikPriv, spkPriv: groupSpk };
-    return this.getDecryptKeys(spkId);
+    return this.getDecryptKeys(lookup.spkId);
   }
   async _publishGroupSPK(groupId, spkId, spkPubDer, callFn) {
     const spkTimestamp = Math.floor(this._nowFn() / 1e3);
@@ -9507,6 +9954,7 @@ var V2Session = class {
       spk_signature: bytesToBase64(signature),
       spk_timestamp: spkTimestamp
     });
+    await this._store.markGroupSPKUploaded(this._storeDeviceId, groupId, spkId);
     this._lastUploadedGroupSPKIds.set(groupId, spkId);
   }
   cachePeerIK(peerAid, deviceId, ikPubDer) {
@@ -9546,6 +9994,18 @@ function bytesToBase642(b) {
   for (let i = 0; i < b.length; i++) bin += String.fromCharCode(b[i]);
   return btoa(bin);
 }
+function base64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+function bytesEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
 async function hmacSha256(key, data) {
   const hmacKey = await crypto.subtle.importKey(
     "raw",
@@ -9581,9 +10041,45 @@ async function withMetadataAuth(metadata, key, domain) {
     }
   };
 }
+async function verifyMetadataAuth(metadata, key, domain, fieldName) {
+  if (metadata == null) return;
+  if (!isPlainObject(metadata)) {
+    throw new Error(`${fieldName} must be an object`);
+  }
+  const body = {};
+  for (const [k, v] of Object.entries(metadata)) {
+    if (k !== "_auth") body[k] = v;
+  }
+  if (Object.keys(body).length === 0) return;
+  const auth = metadata._auth;
+  if (!isPlainObject(auth)) {
+    throw new Error(`${fieldName} missing _auth`);
+  }
+  if (auth.alg !== "HMAC-SHA256") {
+    throw new Error(`${fieldName} unsupported _auth alg`);
+  }
+  if (typeof auth.tag !== "string" || auth.tag.length === 0) {
+    throw new Error(`${fieldName} missing _auth tag`);
+  }
+  const actual = base64ToBytes(auth.tag);
+  const expected = await metadataAuthTag(key, domain, body);
+  if (!bytesEqual(actual, expected)) {
+    throw new Error(`${fieldName} _auth verification failed`);
+  }
+}
+function isPlainObject(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const proto = Object.getPrototypeOf(value);
+  return proto === Object.prototype || proto === null;
+}
 
 // src/v2/e2ee/encrypt-p2p.ts
 var encoder3 = new TextEncoder();
+var decoder = new TextDecoder();
+var E2EE_SDK_LANG = "javascript";
+var E2EE_SDK_VERSION = "0.3.2";
 async function sha2563(data) {
   const buf = await crypto.subtle.digest("SHA-256", data.slice().buffer);
   return new Uint8Array(buf);
@@ -9642,7 +10138,7 @@ async function encryptP2PMessage(sender, targetSet, payload, opts = {}) {
   ];
   const protocolSet = /* @__PURE__ */ new Set();
   for (const t of allTargetsForProto) {
-    if (t.spkPkDer && (t.keySource === "peer_device_prekey" || t.keySource === "group_device_prekey")) {
+    if (usesSPKWrap(t)) {
       protocolSet.add("3DH");
     } else {
       protocolSet.add("1DH");
@@ -9727,6 +10223,10 @@ async function encryptP2PMessage(sender, targetSet, payload, opts = {}) {
     recipients: sortedRows,
     aad
   };
+  const payloadType = payload?.type == null ? "" : String(payload.type);
+  if (payloadType) {
+    envelope.payload_type = payloadType;
+  }
   const normalizedHeaders = normalizeProtectedHeaders(opts.protectedHeaders, payload);
   if (Object.keys(normalizedHeaders).length > 0) {
     envelope.protected_headers = await withMetadataAuth(normalizedHeaders, masterKey, PROTECTED_HEADERS_DOMAIN);
@@ -9741,25 +10241,43 @@ function normalizeProtectedHeaders(headers, payload) {
   const normalized = {};
   if (headers && typeof headers === "object") {
     for (const [k, v] of Object.entries(headers)) {
-      if (k === "_auth") continue;
-      const sv = v != null ? String(v) : "";
-      if (sv) normalized[k] = sv;
+      normalized[normalizeProtectedHeaderKey(k)] = normalizeProtectedHeaderValue(v);
     }
   }
   const payloadType = typeof payload?.type === "string" ? payload.type : "";
   if (payloadType && !("payload_type" in normalized)) {
     normalized["payload_type"] = payloadType;
   }
+  normalized.sdk_lang = E2EE_SDK_LANG;
+  normalized.sdk_vesion = E2EE_SDK_VERSION;
   return normalized;
 }
+function normalizeProtectedHeaderKey(key) {
+  const value = String(key ?? "").trim().toLowerCase();
+  if (!value || !/^[a-z0-9_-]+$/.test(value)) {
+    throw new Error("protected header key must match [a-z0-9_-]+");
+  }
+  if (value === "_auth") {
+    throw new Error("protected header key is reserved");
+  }
+  return value;
+}
+function normalizeProtectedHeaderValue(value) {
+  if (value == null) return "";
+  if (typeof value === "string") return value;
+  return decoder.decode(canonicalJson(value));
+}
 async function wrapForRecipient(target, masterKey, senderSessionPriv, senderMasterPriv, wrapSalt, defaultRole) {
   const role = target.role ?? defaultRole;
   const keySource = target.keySource ?? "aid_master";
   const fpHash = bytesToHex4(await sha2563(target.ikPkDer));
   const fp = `sha256:${fpHash.substring(0, 16)}`;
   const wrapNonce = randomBytes3(12);
+  const use3DH = usesSPKWrap(target);
+  const rowKeySource = use3DH ? keySource : "aid_master";
+  const rowSpkId = use3DH ? target.spkId ?? "" : "";
   let wrapKey;
-  if (target.spkPkDer && (keySource === "peer_device_prekey" || keySource === "group_device_prekey")) {
+  if (use3DH) {
     wrapKey = await compute3DHWrap(
       senderSessionPriv,
       senderMasterPriv,
@@ -9783,13 +10301,18 @@ async function wrapForRecipient(target, masterKey, senderSessionPriv, senderMast
     target.aid,
     target.deviceId,
     role,
-    keySource,
+    rowKeySource,
     fp,
-    target.spkId ?? "",
+    rowSpkId,
     bytesToBase643(wrapNonce),
     bytesToBase643(wrappedKey)
   ];
 }
+function usesSPKWrap(target) {
+  return Boolean(
+    target.spkId && target.spkPkDer && (target.keySource === "peer_device_prekey" || target.keySource === "group_device_prekey")
+  );
+}
 
 // src/v2/e2ee/encrypt-group.ts
 var encoder4 = new TextEncoder();
@@ -9840,7 +10363,7 @@ async function encryptGroupMessage(sender, groupId, epoch, targets, payload, opt
   const timestamp = opts.timestamp ?? Date.now();
   const protocolSet = /* @__PURE__ */ new Set();
   for (const t of targets) {
-    if (t.spkPkDer && (t.keySource === "peer_device_prekey" || t.keySource === "group_device_prekey")) {
+    if (usesSPKWrap2(t)) {
       protocolSet.add("3DH");
     } else {
       protocolSet.add("1DH");
@@ -9918,6 +10441,10 @@ async function encryptGroupMessage(sender, groupId, epoch, targets, payload, opt
     recipients: sortedRows,
     aad
   };
+  const payloadType = payload?.type == null ? "" : String(payload.type);
+  if (payloadType) {
+    envelope.payload_type = payloadType;
+  }
   const { context } = opts;
   const normalizedHeaders = normalizeProtectedHeaders(opts.protectedHeaders, payload);
   if (Object.keys(normalizedHeaders).length > 0) {
@@ -9934,8 +10461,11 @@ async function wrapForRecipient2(target, masterKey, senderSessionPriv, senderMas
   const fpHash = bytesToHex5(await sha2564(target.ikPkDer));
   const fp = `sha256:${fpHash.substring(0, 16)}`;
   const wrapNonce = randomBytes4(12);
+  const use3DH = usesSPKWrap2(target);
+  const rowKeySource = use3DH ? keySource : "aid_master";
+  const rowSpkId = use3DH ? target.spkId ?? "" : "";
   let wrapKey;
-  if (target.spkPkDer && (keySource === "peer_device_prekey" || keySource === "group_device_prekey")) {
+  if (use3DH) {
     wrapKey = await compute3DHWrap(
       senderSessionPriv,
       senderMasterPriv,
@@ -9959,13 +10489,18 @@ async function wrapForRecipient2(target, masterKey, senderSessionPriv, senderMas
     target.aid,
     target.deviceId,
     role,
-    keySource,
+    rowKeySource,
     fp,
-    target.spkId ?? "",
+    rowSpkId,
     bytesToBase644(wrapNonce),
     bytesToBase644(wrappedKey)
   ];
 }
+function usesSPKWrap2(target) {
+  return Boolean(
+    target.spkId && target.spkPkDer && (target.keySource === "peer_device_prekey" || target.keySource === "group_device_prekey")
+  );
+}
 
 // src/v2/e2ee/decrypt.ts
 var encoder5 = new TextEncoder();
@@ -9975,7 +10510,7 @@ async function sha2565(data) {
   const buf = await crypto.subtle.digest("SHA-256", data.slice().buffer);
   return new Uint8Array(buf);
 }
-function base64ToBytes(s) {
+function base64ToBytes2(s) {
   const bin = atob(s);
   const out = new Uint8Array(bin.length);
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
@@ -10030,7 +10565,7 @@ async function decryptMessage(envelope, selfAid, selfDeviceId, selfIkPriv, selfS
   } else {
     return null;
   }
-  const senderSessionPkDer = base64ToBytes(env.sender_session_pk);
+  const senderSessionPkDer = base64ToBytes2(env.sender_session_pk);
   const aadBytes = canonicalJson(env.aad);
   const suiteStr = env.suite ?? SUITE_NAME;
   const suiteBytes = encoder5.encode(suiteStr);
@@ -10049,33 +10584,49 @@ async function decryptMessage(envelope, selfAid, selfDeviceId, selfIkPriv, selfS
     senderPubDer,
     wrapSalt
   );
-  const wrapNonce = base64ToBytes(row[6]);
-  const wrappedKey = base64ToBytes(row[7]);
+  const wrapNonce = base64ToBytes2(row[6]);
+  const wrappedKey = base64ToBytes2(row[7]);
   if (wrappedKey.length < 16) {
     throw new Error(`wrapped_key too short: ${wrappedKey.length}`);
   }
   const wrappedCt = wrappedKey.subarray(0, wrappedKey.length - 16);
   const wrappedTag = wrappedKey.subarray(wrappedKey.length - 16);
-  const masterKey = await aesGcmDecrypt(
-    wrapKey,
-    wrapNonce,
-    wrappedCt,
-    wrappedTag,
-    new Uint8Array(0)
-  );
-  const msgNonce = base64ToBytes(env.nonce);
-  const ct = base64ToBytes(env.ciphertext);
-  const tag = base64ToBytes(env.tag);
-  const plaintext = await aesGcmDecrypt(masterKey, msgNonce, ct, tag, aadBytes);
-  return JSON.parse(new TextDecoder().decode(plaintext));
-}
-async function verifySenderSignature(env, senderPubDer) {
-  const sig = base64ToBytes(env.sender_signature);
-  const ct = base64ToBytes(env.ciphertext);
-  const tag = base64ToBytes(env.tag);
-  const aadBytes = canonicalJson(env.aad);
-  const digestBytes = hexToBytes6(env.recipients_digest);
-  const signInput = new Uint8Array(
+  let masterKey;
+  try {
+    masterKey = await aesGcmDecrypt(
+      wrapKey,
+      wrapNonce,
+      wrappedCt,
+      wrappedTag,
+      new Uint8Array(0)
+    );
+  } catch (exc) {
+    throw new Error(
+      `wrap_key_decrypt_failed: ${rowContext(row)}; master_key unwrap AEAD authentication failed; likely wrong local SPK/IK, stale sender bootstrap, or tampered recipient wrap; cause=${formatCaught(exc)}`
+    );
+  }
+  await verifyMetadataAuth(env.protected_headers, masterKey, PROTECTED_HEADERS_DOMAIN, "protected_headers");
+  await verifyMetadataAuth(env.context, masterKey, PROTECTED_CONTEXT_DOMAIN, "context");
+  const msgNonce = base64ToBytes2(env.nonce);
+  const ct = base64ToBytes2(env.ciphertext);
+  const tag = base64ToBytes2(env.tag);
+  let plaintext;
+  try {
+    plaintext = await aesGcmDecrypt(masterKey, msgNonce, ct, tag, aadBytes);
+  } catch (exc) {
+    throw new Error(
+      `body_decrypt_failed: ${envelopeContext(env, row)}; message body AEAD authentication failed after master_key unwrap; likely AAD/ciphertext/tag mismatch or envelope body corruption; cause=${formatCaught(exc)}`
+    );
+  }
+  return JSON.parse(new TextDecoder().decode(plaintext));
+}
+async function verifySenderSignature(env, senderPubDer) {
+  const sig = base64ToBytes2(env.sender_signature);
+  const ct = base64ToBytes2(env.ciphertext);
+  const tag = base64ToBytes2(env.tag);
+  const aadBytes = canonicalJson(env.aad);
+  const digestBytes = hexToBytes6(env.recipients_digest);
+  const signInput = new Uint8Array(
     ct.length + tag.length + aadBytes.length + digestBytes.length
   );
   let pos = 0;
@@ -10094,8 +10645,39 @@ function findMyRow(recipients, selfAid, selfDeviceId) {
   }
   return null;
 }
+function formatCaught(exc) {
+  if (exc instanceof Error) {
+    return exc.message ? `${exc.name}: ${exc.message}` : exc.name;
+  }
+  return String(exc);
+}
+function rowContext(row) {
+  return [
+    `recipient=${String(row[0] ?? "")}/${String(row[1] ?? "")}`,
+    `role=${String(row[2] ?? "")}`,
+    `key_source=${String(row[3] ?? "")}`,
+    `spk_id=${String(row[5] ?? "") || "<empty>"}`
+  ].join("; ");
+}
+function envelopeContext(env, row) {
+  const aad = env.aad && typeof env.aad === "object" && !Array.isArray(env.aad) ? env.aad : {};
+  const messageId = String(aad.message_id ?? "");
+  const groupId = String(aad.group_id ?? "") || "<p2p>";
+  const from = String(aad.from ?? "");
+  const fromDevice = String(aad.from_device ?? "");
+  return [
+    `message_id=${messageId}`,
+    `group_id=${groupId}`,
+    `from=${from}`,
+    `from_device=${fromDevice}`,
+    rowContext(row)
+  ].join("; ");
+}
 async function computeWrapKey(row, selfIkPriv, selfSpkPriv, senderSessionPkDer, senderMasterPkDer, salt) {
   const spkId = row[5];
+  if (spkId && !selfSpkPriv) {
+    throw new Error(`spk_missing: spk_id=${spkId}`);
+  }
   if (spkId && selfSpkPriv) {
     const dh12 = await ecdhComputeShared(selfIkPriv, senderSessionPkDer);
     const dh2 = await ecdhComputeShared(selfSpkPriv, senderMasterPkDer);
@@ -10146,11 +10728,14 @@ function sortPayload(payload) {
   }
 }
 async function computeStateCommitment(groupId, epoch, statePayload) {
+  if (!Number.isInteger(epoch) || epoch < 0 || epoch > 4294967295) {
+    throw new Error(`epoch out of uint32 range: ${epoch}`);
+  }
   const sorted = deepClone2(statePayload);
   sortPayload(sorted);
   const groupBytes = new TextEncoder().encode(groupId);
   const epochBytes = new Uint8Array(4);
-  new DataView(epochBytes.buffer).setUint32(0, epoch >>> 0, false);
+  new DataView(epochBytes.buffer).setUint32(0, epoch, false);
   const payloadBytes = canonicalJson(sorted);
   const total = STATE_PREFIX.length + groupBytes.length + 4 + payloadBytes.length;
   const data = new Uint8Array(total);
@@ -10195,9 +10780,12 @@ function formatMessage(template, args) {
 var AUNLogger = class {
   constructor(opts) {
     __publicField(this, "_debug");
+    __publicField(this, "_aunPath");
+    __publicField(this, "_deviceId", "-");
     __publicField(this, "_aid", null);
     __publicField(this, "_minLevel");
     this._debug = opts.debug;
+    this._aunPath = String(opts.aunPath || "-");
     this._minLevel = this._debug ? LEVEL_ORDER.DEBUG : LEVEL_ORDER.INFO;
   }
   for(module) {
@@ -10211,13 +10799,16 @@ var AUNLogger = class {
   bindAid(aid) {
     this._aid = aid || null;
   }
+  bindDeviceId(deviceId) {
+    this._deviceId = String(deviceId || "").trim() || "-";
+  }
   close() {
   }
   _emit(level, module, msg, args) {
     if (LEVEL_ORDER[level] < this._minLevel) return;
     if (level === "DEBUG" && !this._debug) return;
     const { date, time, ms } = this._now();
-    const head = `[${date} ${time}.${ms}][${level}][${module}]`;
+    const head = `[${date} ${time}.${ms}][${level}][${module}][aun_path=${this._aunPath || "-"}][device_id=${this._deviceId || "-"}]`;
     const aidPart = this._aid ? ` [${this._aid}]` : "";
     const formatted = formatMessage(msg, args);
     const line = `${head}${aidPart} ${formatted}`;
@@ -10272,6 +10863,15 @@ function stableStringify(obj) {
   }
   return JSON.stringify(obj);
 }
+function getV2DeviceId(dev) {
+  if (Object.prototype.hasOwnProperty.call(dev, "device_id")) {
+    return { present: true, value: String(dev.device_id ?? "").trim() };
+  }
+  if (Object.prototype.hasOwnProperty.call(dev, "owner_device_id")) {
+    return { present: true, value: String(dev.owner_device_id ?? "").trim() };
+  }
+  return { present: false, value: "" };
+}
 function sortObjectKeys(obj) {
   if (obj === null || obj === void 0 || typeof obj !== "object") return obj;
   if (Array.isArray(obj)) return obj.map(sortObjectKeys);
@@ -10342,7 +10942,21 @@ var REMOVED_E2EE_METHODS = /* @__PURE__ */ new Set([
   "group.rotate_epoch"
 ]);
 var SIGNED_METHODS = /* @__PURE__ */ new Set([
+  "message.send",
+  "message.v2.put_peer_pk",
+  "message.v2.bootstrap",
+  "message.v2.group_bootstrap",
+  "message.v2.pull",
+  "message.v2.ack",
   "group.send",
+  "group.v2.put_group_pk",
+  "group.v2.bootstrap",
+  "group.v2.send",
+  "group.v2.pull",
+  "group.v2.ack",
+  "group.v2.propose_state",
+  "group.v2.confirm_state",
+  "group.v2.get_proposal",
   "group.kick",
   "group.add_member",
   "group.leave",
@@ -10491,6 +11105,41 @@ function _v2B64ToBytes(s) {
   for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
   return out;
 }
+function _v2B64ToBytesStrict(s) {
+  const text = String(s ?? "").trim();
+  if (!text || text.length % 4 === 1 || !/^[A-Za-z0-9+/]*={0,2}$/.test(text)) {
+    throw new Error("invalid base64");
+  }
+  return _v2B64ToBytes(text);
+}
+function _v2BytesEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
+  return diff === 0;
+}
+function _v2ConcatBytes(...parts) {
+  const total = parts.reduce((sum, part) => sum + part.length, 0);
+  const out = new Uint8Array(total);
+  let offset = 0;
+  for (const part of parts) {
+    out.set(part, offset);
+    offset += part.length;
+  }
+  return out;
+}
+function _v2LengthPrefixedTextKey(...parts) {
+  const enc = new TextEncoder();
+  return parts.map((part) => `${enc.encode(part).length}:${part};`).join("");
+}
+function _v2LengthPrefixedBytes(...parts) {
+  const enc = new TextEncoder();
+  const framed = [];
+  for (const part of parts) {
+    framed.push(enc.encode(`${part.length}:`), part, enc.encode(";"));
+  }
+  return _v2ConcatBytes(...framed);
+}
 function _v2B64uToBytes(s) {
   const std = s.replace(/-/g, "+").replace(/_/g, "/");
   const pad = std.length % 4 === 0 ? "" : "=".repeat(4 - std.length % 4);
@@ -10502,12 +11151,65 @@ function formatCaughtError(error) {
 function v2E2eeMeta(envelope) {
   const suite = String(envelope.suite ?? "");
   const modeSuite = String(envelope.suite ?? "unknown");
-  return {
+  const meta = {
     version: "v2",
     suite,
     encryption_mode: `v2_${modeSuite}`,
     forward_secrecy: true
   };
+  const protectedHeaders = metadataWithoutAuth(envelope.protected_headers);
+  if (protectedHeaders && Object.keys(protectedHeaders).length > 0) {
+    meta.protected_headers = protectedHeaders;
+  }
+  const payloadType = String(envelope.payload_type ?? protectedHeaders?.payload_type ?? "").trim();
+  if (payloadType) {
+    meta.payload_type = payloadType;
+  }
+  const context = metadataWithoutAuth(envelope.context);
+  if (context && Object.keys(context).length > 0) {
+    meta.context = context;
+  }
+  const agentMd = metadataWithoutAuth(envelope.agent_md);
+  if (agentMd && Object.keys(agentMd).length > 0) {
+    meta.agent_md = agentMd;
+  }
+  return meta;
+}
+function attachV2EnvelopeMetadata(message, meta) {
+  if (!meta) return;
+  const payloadType = typeof meta.payload_type === "string" ? meta.payload_type.trim() : "";
+  if (payloadType) message.payload_type = payloadType;
+  if (isJsonObject(meta.protected_headers)) {
+    message.protected_headers = { ...meta.protected_headers };
+  }
+  if (isJsonObject(meta.agent_md)) {
+    message.agent_md = { ...meta.agent_md };
+  }
+}
+function attachV2EnvelopeMetadataFromSource(message, source) {
+  const envelope = extractV2EnvelopeFromSource(source);
+  if (envelope) attachV2EnvelopeMetadata(message, v2E2eeMeta(envelope));
+}
+function extractV2EnvelopeFromSource(source) {
+  if (!isJsonObject(source)) return null;
+  if (isJsonObject(source.payload)) return source.payload;
+  if (typeof source.envelope_json === "string" && source.envelope_json) {
+    try {
+      const parsed = JSON.parse(source.envelope_json);
+      if (isJsonObject(parsed)) return parsed;
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function metadataWithoutAuth(value) {
+  if (!isJsonObject(value)) return null;
+  const body = {};
+  for (const [key, item] of Object.entries(value)) {
+    if (key !== "_auth") body[key] = item;
+  }
+  return body;
 }
 function normalizeDeliveryModeConfig(raw, opts = {}) {
   const defaultMode = String(opts.defaultMode ?? "fanout").trim().toLowerCase() || "fanout";
@@ -10585,6 +11287,8 @@ var _AUNClient = class _AUNClient {
     __publicField(this, "_v2Session");
     __publicField(this, "_v2KeyStore");
     __publicField(this, "_v2BootstrapCache", /* @__PURE__ */ new Map());
+    __publicField(this, "_v2SenderIKPending", /* @__PURE__ */ new Map());
+    __publicField(this, "_v2SenderIKFetching", /* @__PURE__ */ new Set());
     /** V2 state 签名验证缓存：cacheKey(hex) → expiry_unix_ms */
     __publicField(this, "_v2SigCache", /* @__PURE__ */ new Map());
     /** V2 state chain 本地记录：group_id → [state_version, chain_hash] */
@@ -10607,6 +11311,11 @@ var _AUNClient = class _AUNClient {
     __publicField(this, "_localAgentMdEtag", "");
     /** gateway 在 RPC envelope._meta.agent_md_etag 注入的服务端 etag；纯观察，无下游依赖。 */
     __publicField(this, "_remoteAgentMdEtag", "");
+    /** 浏览器侧 AgentMDs 逻辑根目录，正文映射到 IndexedDB 里的 {aid}/agent.md。 */
+    __publicField(this, "_agentMdPath", "");
+    __publicField(this, "_agentMdCache", /* @__PURE__ */ new Map());
+    __publicField(this, "_agentMdFetchInflight", /* @__PURE__ */ new Set());
+    __publicField(this, "_agentMdListLock", Promise.resolve());
     /** 消息序列号跟踪器（群消息 + P2P 空洞检测） */
     __publicField(this, "_seqTracker", new SeqTracker());
     __publicField(this, "_seqTrackerContext", null);
@@ -10650,7 +11359,10 @@ var _AUNClient = class _AUNClient {
       root_ca_path: this.configModel.rootCaPem,
       seed_password: this.configModel.seedPassword
     };
-    this._logger = new AUNLogger({ debug: _debug });
+    this._agentMdPath = this._agentMdDefaultRoot();
+    this._deviceId = getDeviceId();
+    this._logger = new AUNLogger({ debug: _debug, aunPath: this.configModel.aunPath });
+    this._logger.bindDeviceId(this._deviceId);
     this._clientLog = this._logger.for("aun_core.client");
     this._logAuth = this._logger.for("aun_core.auth");
     this._logTransport = this._logger.for("aun_core.transport");
@@ -10661,7 +11373,6 @@ var _AUNClient = class _AUNClient {
     this._dispatcher = new EventDispatcher();
     this._discovery = new GatewayDiscovery();
     this._keystore = new IndexedDBKeyStore();
-    this._deviceId = getDeviceId();
     this._slotId = "";
     this._connectDeliveryMode = normalizeDeliveryModeConfig({ mode: "fanout" });
     this._defaultConnectDeliveryMode = { ...this._connectDeliveryMode };
@@ -10680,7 +11391,11 @@ var _AUNClient = class _AUNClient {
       timeout: DEFAULT_SESSION_OPTIONS.timeouts.call,
       onDisconnect: (error, closeCode) => this._handleTransportDisconnect(error, closeCode)
     });
-    this._transport.setMetaObserver((meta) => this._observeRpcMeta(meta));
+    this._transport.setMetaObserver((meta) => {
+      void this._observeRpcMeta(meta).catch((exc) => {
+        this._clientLog.debug(`agent.md meta observer skipped: ${String(exc)}`);
+      });
+    });
     this.auth = new AuthNamespace(this);
     this.custody = new CustodyNamespace(this);
     this.meta = new MetaNamespace(this);
@@ -10745,28 +11460,63 @@ var _AUNClient = class _AUNClient {
   get aid() {
     return this._aid;
   }
+  setAgentMdPath(root) {
+    const next = String(root ?? "").trim() || this._agentMdDefaultRoot();
+    this._agentMdPath = next;
+    this._agentMdCache.clear();
+    return next;
+  }
+  setAgentMDPath(root) {
+    return this.setAgentMdPath(root);
+  }
+  SetAgentMDPath(root) {
+    return this.setAgentMdPath(root);
+  }
   /**
-   * 浏览器版本 publishAgentMd。接收 agent.md 文本（应用层用 `<input type=file>` 等读出文本传入），
-   * 内部签名 → 上传 → 更新 _localAgentMdEtag（quoted sha256，与服务端一致）。
+   * 浏览器版本 publishAgentMd。默认从 {agentMdPath}/{self_aid}/agent.md 的等价 IndexedDB 正文读取，
+   * 然后签名、上传，并刷新 list.json 元数据。
    *
-   * @throws ValidationError content 为空
+   * 兼容旧浏览器调用：传入 content 时会先写入等价正文，再从该正文发布。
    */
   async publishAgentMd(content) {
-    const text = String(content ?? "");
-    if (text.length === 0) {
-      throw new ValidationError("publishAgentMd requires non-empty content");
+    const target = this._agentMdOwnerAid();
+    if (!target) {
+      throw new ValidationError("publishAgentMd requires local AID");
     }
-    const signed = await this.auth.signAgentMd(text);
+    if (content !== void 0 && content !== null) {
+      const text = String(content ?? "");
+      if (text.length === 0) {
+        throw new ValidationError("publishAgentMd requires non-empty content");
+      }
+      await this._saveAgentMdRecord(target, {
+        content: text,
+        local_etag: await this._agentMdContentEtag(text),
+        fetched_at: Date.now()
+      });
+    }
+    const localContent = await this._readAgentMdContent(target);
+    if (localContent === null || localContent.length === 0) {
+      throw new ValidationError("publishAgentMd requires local agent.md content");
+    }
+    const signed = await this.auth.signAgentMd(localContent);
     const result = await this.auth.uploadAgentMd(signed);
-    const buf = new TextEncoder().encode(signed);
-    const digest = await crypto.subtle.digest("SHA-256", buf);
-    const hex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
-    this._localAgentMdEtag = `"${hex}"`;
+    this._localAgentMdEtag = await this._agentMdContentEtag(signed);
+    const remoteEtag = isJsonObject(result) ? String(result.etag ?? "").trim() : "";
+    if (remoteEtag) this._remoteAgentMdEtag = remoteEtag;
+    await this._saveAgentMdRecord(target, {
+      content: signed,
+      local_etag: this._localAgentMdEtag,
+      remote_etag: remoteEtag || void 0,
+      last_modified: isJsonObject(result) ? String(result.last_modified ?? "").trim() : "",
+      fetched_at: Date.now(),
+      remote_status: remoteEtag ? "found" : "unknown",
+      last_error: ""
+    });
     return result;
   }
   /**
-   * 浏览器版本 fetchAgentMd。aid 缺省时取自身；不接受 savePath（浏览器无文件系统）；
-   * 若 aid 是自己则同步刷新 _localAgentMdEtag 与 in_sync。
+   * 浏览器版本 fetchAgentMd。aid 缺省时取自身；下载后的正文固定写入
+   * {agentMdPath}/{aid}/agent.md 的等价 IndexedDB 正文，list.json 只保存元数据。
    */
   async fetchAgentMd(aid) {
     const target = String(aid ?? this._aid ?? "").trim();
@@ -10776,15 +11526,29 @@ var _AUNClient = class _AUNClient {
     const content = await this.auth.downloadAgentMd(target);
     const signature = await this.auth.verifyAgentMd(content, { aid: target });
     const isSelf = target === (this._aid ?? "");
+    const localEtag = await this._agentMdContentEtag(content);
+    const cacheMeta = this._agentMdAuthCacheMeta(target);
+    const remoteEtag = String(cacheMeta.etag ?? "").trim();
+    const lastModified = String(cacheMeta.lastModified ?? cacheMeta.last_modified ?? "").trim();
+    if (isSelf) {
+      this._localAgentMdEtag = localEtag;
+      if (remoteEtag) this._remoteAgentMdEtag = remoteEtag;
+    }
+    await this._saveAgentMdRecord(target, {
+      content,
+      local_etag: localEtag,
+      remote_etag: remoteEtag || void 0,
+      last_modified: lastModified || void 0,
+      fetched_at: Date.now(),
+      remote_status: "found",
+      verify_status: isJsonObject(signature) ? String(signature.status ?? "") : "",
+      verify_error: isJsonObject(signature) ? String(signature.reason ?? "") : "",
+      last_error: ""
+    });
     let in_sync = null;
     if (isSelf) {
-      const buf = new TextEncoder().encode(content);
-      const digest = await crypto.subtle.digest("SHA-256", buf);
-      const hex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
-      this._localAgentMdEtag = `"${hex}"`;
-      const local = this._localAgentMdEtag || "";
-      const remote = this._remoteAgentMdEtag || "";
-      in_sync = local && remote ? local === remote : false;
+      const remote = remoteEtag || this._remoteAgentMdEtag || "";
+      in_sync = localEtag && remote ? localEtag === remote : false;
     }
     return {
       aid: target,
@@ -10793,12 +11557,396 @@ var _AUNClient = class _AUNClient {
       in_sync
     };
   }
+  getLocalAgentMdEtag() {
+    return this._localAgentMdEtag;
+  }
+  getRemoteAgentMdEtag() {
+    return this._remoteAgentMdEtag;
+  }
+  async _agentMdContentEtag(content) {
+    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(String(content ?? "")));
+    const hex = Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+    return `"${hex}"`;
+  }
+  _agentMdOwnerAid() {
+    return String(this._aid ?? "").trim();
+  }
+  _agentMdDefaultRoot() {
+    return this._joinAgentMdPath(this.configModel.aunPath || ".", "AgentMDs");
+  }
+  _joinAgentMdPath(base, name) {
+    const left = String(base ?? "").trim().replace(/[\\/]+$/g, "");
+    return left ? `${left}/${name}` : name;
+  }
+  _agentMdRoot() {
+    return this._agentMdPath || this._agentMdDefaultRoot();
+  }
+  _agentMdSafeAid(aid) {
+    const target = String(aid ?? "").trim();
+    if (!target || target.includes("/") || target.includes("\\") || target.includes("\0")) {
+      throw new ValidationError("agent.md aid is empty or contains path separators");
+    }
+    return target;
+  }
+  _agentMdListKey() {
+    return "list.json";
+  }
+  _agentMdContentKey(aid) {
+    return `${this._agentMdSafeAid(aid)}/agent.md`;
+  }
+  async _readAgentMdStorage(logicalKey) {
+    const key = String(logicalKey ?? "").trim();
+    if (!key) return null;
+    const load = this._keystore.loadAgentMdCache;
+    if (typeof load !== "function") {
+      throw new Error("IndexedDB agent.md storage unavailable");
+    }
+    const record = await load.call(this._keystore, this._agentMdRoot(), key);
+    if (record && Object.prototype.hasOwnProperty.call(record, "content")) {
+      return String(record.content ?? "");
+    }
+    return null;
+  }
+  async _writeAgentMdStorage(logicalKey, content) {
+    const key = String(logicalKey ?? "").trim();
+    if (!key) return;
+    const save = this._keystore.upsertAgentMdCache;
+    if (typeof save !== "function") {
+      throw new Error("IndexedDB agent.md storage unavailable");
+    }
+    const text = String(content ?? "");
+    await save.call(this._keystore, this._agentMdRoot(), key, {
+      content: text,
+      local_etag: await this._agentMdContentEtag(text),
+      fetched_at: Date.now()
+    });
+  }
+  async _listAgentMdContentAids() {
+    const list = this._keystore.listAgentMdContentAids;
+    if (typeof list !== "function") {
+      throw new Error("IndexedDB agent.md storage unavailable");
+    }
+    return await list.call(this._keystore, this._agentMdRoot());
+  }
+  async _withAgentMdListLock(fn) {
+    const previous = this._agentMdListLock.catch(() => void 0);
+    let release;
+    const current = new Promise((resolve) => {
+      release = resolve;
+    });
+    this._agentMdListLock = previous.then(() => current);
+    await previous;
+    try {
+      return await fn();
+    } finally {
+      release();
+    }
+  }
+  _normalizeAgentMdList(data) {
+    const records = {};
+    let iterable = [];
+    if (isJsonObject(data)) {
+      const payload = data;
+      if (Array.isArray(payload.records)) iterable = payload.records;
+      else if (isJsonObject(payload.records)) iterable = Object.values(payload.records);
+    } else if (Array.isArray(data)) {
+      iterable = data;
+    }
+    for (const item of iterable) {
+      if (!isJsonObject(item)) continue;
+      const raw = item;
+      const aid = String(raw.aid ?? "").trim();
+      if (!aid) continue;
+      const record = {};
+      for (const [key, value] of Object.entries(raw)) {
+        if (key !== "content") record[key] = value;
+      }
+      record.aid = aid;
+      for (const key of ["fetched_at", "observed_at", "checked_at", "updated_at"]) {
+        record[key] = Number(record[key] ?? 0) || 0;
+      }
+      records[aid] = record;
+    }
+    return records;
+  }
+  async _writeAgentMdListUnlocked(records) {
+    const sorted = {};
+    for (const aid of Object.keys(records).sort()) sorted[aid] = records[aid];
+    await this._writeAgentMdStorage(this._agentMdListKey(), `${JSON.stringify({ version: 1, updated_at: Date.now(), records: sorted }, null, 2)}
+`);
+  }
+  async _rebuildAgentMdListUnlocked() {
+    const records = {};
+    const now = Date.now();
+    for (const aid of await this._listAgentMdContentAids()) {
+      try {
+        const content = await this._readAgentMdStorage(this._agentMdContentKey(aid));
+        if (content === null) continue;
+        records[aid] = {
+          aid,
+          local_etag: await this._agentMdContentEtag(content),
+          fetched_at: now,
+          updated_at: now
+        };
+      } catch (err) {
+        this._clientLog.warn(`agent.md rebuild skipped unreadable file aid=${aid} err=${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    await this._writeAgentMdListUnlocked(records);
+    this._agentMdCache.clear();
+    return records;
+  }
+  async _readAgentMdListUnlocked() {
+    const raw = await this._readAgentMdStorage(this._agentMdListKey());
+    if (raw === null) {
+      return await this._rebuildAgentMdListUnlocked();
+    }
+    try {
+      return this._normalizeAgentMdList(JSON.parse(raw));
+    } catch (err) {
+      this._clientLog.warn(`agent.md list.json damaged, rebuilding: ${err instanceof Error ? err.message : String(err)}`);
+      return await this._rebuildAgentMdListUnlocked();
+    }
+  }
+  async _readAgentMdContent(aid) {
+    return await this._readAgentMdStorage(this._agentMdContentKey(aid));
+  }
+  async _writeAgentMdContent(aid, content) {
+    await this._writeAgentMdStorage(this._agentMdContentKey(aid), String(content ?? ""));
+  }
+  _agentMdAuthCacheMeta(aid) {
+    try {
+      const store = this.auth._agentMdCache;
+      const record = store?.get(String(aid ?? "").trim());
+      return record && typeof record === "object" ? { ...record } : {};
+    } catch {
+      return {};
+    }
+  }
+  async _loadAgentMdRecord(aid) {
+    const target = String(aid ?? "").trim();
+    if (!target) return null;
+    try {
+      const records = await this._withAgentMdListLock(async () => await this._readAgentMdListUnlocked());
+      const record = records[target];
+      if (record && typeof record === "object") {
+        const loaded = { ...record, aid: target };
+        const content = await this._readAgentMdContent(target);
+        if (content !== null) {
+          loaded.content = content;
+          loaded.local_etag = await this._agentMdContentEtag(content);
+        } else {
+          this._clientLog.warn(`agent.md content read failed: aid=${target}`);
+        }
+        this._agentMdCache.set(target, { ...loaded });
+        return { ...loaded };
+      }
+    } catch (err) {
+      this._clientLog.debug(`agent.md cache load skipped: aid=${target} err=${err instanceof Error ? err.message : String(err)}`);
+    }
+    return null;
+  }
+  async _saveAgentMdRecord(aid, fields) {
+    const target = String(aid ?? "").trim();
+    if (!target) return {};
+    try {
+      const inputFields = { ...fields };
+      const hasContent = Object.prototype.hasOwnProperty.call(inputFields, "content") && inputFields.content !== void 0 && inputFields.content !== null;
+      if (hasContent) {
+        const text = String(inputFields.content ?? "");
+        await this._writeAgentMdContent(target, text);
+        if (!inputFields.local_etag) inputFields.local_etag = await this._agentMdContentEtag(text);
+        if (!inputFields.fetched_at) inputFields.fetched_at = Date.now();
+      }
+      delete inputFields.content;
+      const record = await this._withAgentMdListLock(async () => {
+        const records = await this._readAgentMdListUnlocked();
+        const next = { ...records[target] ?? {}, aid: target };
+        for (const [key, value] of Object.entries(inputFields)) {
+          if (value !== void 0 && value !== null) next[key] = value;
+        }
+        next.updated_at = Date.now();
+        records[target] = { ...next };
+        await this._writeAgentMdListUnlocked(records);
+        return next;
+      });
+      const loaded = { ...record };
+      if (hasContent) loaded.content = String(fields.content ?? "");
+      this._agentMdCache.set(target, { ...loaded });
+      const owner = this._agentMdOwnerAid();
+      if (target === owner) {
+        const localEtag = String(loaded.local_etag ?? "").trim();
+        const remoteEtag = String(loaded.remote_etag ?? "").trim();
+        if (localEtag) this._localAgentMdEtag = localEtag;
+        if (remoteEtag) this._remoteAgentMdEtag = remoteEtag;
+      }
+      return { ...loaded };
+    } catch (err) {
+      this._clientLog.debug(`agent.md cache save skipped: aid=${target} err=${err instanceof Error ? err.message : String(err)}`);
+    }
+    return {};
+  }
+  async _agentMdHasLocalContent(aid, record) {
+    if (record && typeof record.content === "string" && record.content.length > 0) return true;
+    try {
+      return await this._readAgentMdContent(aid) !== null;
+    } catch {
+      return false;
+    }
+  }
+  _agentMdCheckedAtFresh(checkedAtMs, maxUnsyncedDays) {
+    const days = Number(maxUnsyncedDays || 0);
+    if (!Number.isFinite(days) || days <= 0) return false;
+    if (!Number.isFinite(checkedAtMs) || checkedAtMs <= 0) return false;
+    return Date.now() - checkedAtMs <= days * 864e5;
+  }
+  _agentMdLastModifiedFresh(lastModified, maxUnsyncedDays) {
+    const days = Number(maxUnsyncedDays || 0);
+    if (!Number.isFinite(days) || days <= 0) return false;
+    const ts = Date.parse(String(lastModified ?? "").trim());
+    if (!Number.isFinite(ts)) return false;
+    return Date.now() <= ts + days * 864e5;
+  }
+  async _scheduleAgentMdFetchIfMissing(aid, record, source = "") {
+    const target = String(aid ?? "").trim();
+    if (!target || await this._agentMdHasLocalContent(target, record)) return;
+    if (this._agentMdFetchInflight.has(target)) return;
+    this._agentMdFetchInflight.add(target);
+    try {
+      await this.fetchAgentMd(target);
+    } catch (err) {
+      await this._saveAgentMdRecord(target, {
+        last_error: err instanceof Error ? err.message : String(err),
+        remote_status: "found"
+      });
+      this._clientLog.debug(`agent.md auto fetch failed: aid=${target} source=${source || "-"} err=${err instanceof Error ? err.message : String(err)}`);
+    } finally {
+      this._agentMdFetchInflight.delete(target);
+    }
+  }
+  async _observeAgentMdMeta(aid, etag = "", lastModified = "", source = "") {
+    const target = String(aid ?? "").trim();
+    const remoteEtag = String(etag ?? "").trim();
+    const remoteLastModified = String(lastModified ?? "").trim();
+    if (!target || !remoteEtag && !remoteLastModified) return;
+    let before = this._agentMdCache.get(target);
+    if (!before || typeof before !== "object") before = await this._loadAgentMdRecord(target) ?? {};
+    const same = (!remoteEtag || String(before.remote_etag ?? "").trim() === remoteEtag) && (!remoteLastModified || String(before.last_modified ?? "").trim() === remoteLastModified);
+    let record = { ...before };
+    if (!same || Object.keys(before).length === 0) {
+      const fields = {
+        observed_at: Date.now(),
+        remote_status: "found"
+      };
+      if (remoteEtag) fields.remote_etag = remoteEtag;
+      if (remoteLastModified) fields.last_modified = remoteLastModified;
+      record = await this._saveAgentMdRecord(target, fields) || record;
+    }
+    if (target === this._agentMdOwnerAid() && remoteEtag) this._remoteAgentMdEtag = remoteEtag;
+    await this._scheduleAgentMdFetchIfMissing(target, record, source);
+    this._clientLog.debug(`agent.md meta observed: aid=${target} etag=${remoteEtag || "-"} last_modified=${remoteLastModified || "-"} source=${source || "-"}`);
+  }
+  async _observeAgentMdEtag(aid, etag, source = "") {
+    await this._observeAgentMdMeta(aid, etag, "", source);
+  }
+  async _observeAgentMdFromEnvelope(envelope) {
+    if (!isJsonObject(envelope)) return;
+    const env = envelope;
+    if (!isJsonObject(env.agent_md)) return;
+    const agentMd = env.agent_md;
+    if (!isJsonObject(agentMd.sender)) return;
+    const sender = agentMd.sender;
+    let senderAid = String(sender.aid ?? "").trim();
+    if (!senderAid) {
+      const aad = isJsonObject(env.aad) ? env.aad : {};
+      senderAid = String(aad.from ?? env.from ?? "").trim();
+    }
+    await this._observeAgentMdMeta(
+      senderAid,
+      String(sender.etag ?? "").trim(),
+      String(sender.last_modified ?? sender.lastModified ?? "").trim(),
+      "envelope"
+    );
+  }
+  async checkAgentMd(aid, maxUnsyncedDays = 0) {
+    const target = String(aid ?? this._aid ?? "").trim();
+    if (!target) throw new ValidationError("checkAgentMd requires aid (or local AID)");
+    const before = await this._loadAgentMdRecord(target) ?? {};
+    const localEtag = String(before.local_etag ?? "").trim();
+    const localFound = !!(Object.keys(before).length > 0 && (String(before.content ?? "") || localEtag));
+    const remoteEtagCached = String(before.remote_etag ?? "").trim();
+    const lastModifiedCached = String(before.last_modified ?? "").trim();
+    const checkedAtCached = Number(before.checked_at ?? 0);
+    const cachedInSync = !!(localFound && localEtag && remoteEtagCached && localEtag === remoteEtagCached);
+    if (cachedInSync && this._agentMdCheckedAtFresh(checkedAtCached, maxUnsyncedDays)) {
+      return {
+        aid: target,
+        local_found: true,
+        remote_found: true,
+        local_etag: localEtag,
+        remote_etag: remoteEtagCached,
+        in_sync: true,
+        last_modified: lastModifiedCached,
+        status: 200,
+        cached: true,
+        verify_status: String(before.verify_status ?? ""),
+        verify_error: String(before.verify_error ?? "")
+      };
+    }
+    const now = Date.now();
+    let remote;
+    try {
+      remote = await this.auth.headAgentMd(target);
+    } catch (err) {
+      await this._saveAgentMdRecord(target, { checked_at: now, remote_status: "error", last_error: err instanceof Error ? err.message : String(err) });
+      throw err;
+    }
+    const remoteFound = !!remote.found;
+    const remoteEtag = String(remote.etag ?? "").trim();
+    const lastModified = String(remote.last_modified ?? remote.lastModified ?? "").trim();
+    const saved = await this._saveAgentMdRecord(target, {
+      remote_etag: remoteFound ? remoteEtag : "",
+      last_modified: lastModified,
+      checked_at: now,
+      remote_status: remoteFound ? "found" : "missing",
+      last_error: ""
+    });
+    if (target === this._agentMdOwnerAid() && remoteEtag) this._remoteAgentMdEtag = remoteEtag;
+    const inSync = !!(localFound && remoteFound && localEtag && remoteEtag && localEtag === remoteEtag);
+    return {
+      aid: target,
+      local_found: localFound,
+      remote_found: remoteFound,
+      local_etag: localEtag,
+      remote_etag: remoteEtag,
+      in_sync: inSync,
+      last_modified: lastModified,
+      status: Number(remote.status ?? (remoteFound ? 200 : 404)),
+      cached: false,
+      verify_status: String(saved.verify_status ?? before.verify_status ?? ""),
+      verify_error: String(saved.verify_error ?? before.verify_error ?? "")
+    };
+  }
   /** transport 的 meta observer：吸收 gateway 注入的 _meta 字段。失败不影响业务。 */
-  _observeRpcMeta(meta) {
+  async _observeRpcMeta(meta) {
     if (!isJsonObject(meta)) return;
     const etag = String(meta.agent_md_etag ?? "").trim();
     if (etag) {
       this._remoteAgentMdEtag = etag;
+      await this._observeAgentMdMeta(this._aid ?? "", etag, "", "rpc.self");
+    }
+    const etags = meta.agent_md_etags;
+    if (isJsonObject(etags)) {
+      for (const key of ["requester", "peer", "receiver", "target", "to", "sender", "from"]) {
+        const item = etags[key];
+        if (!isJsonObject(item)) continue;
+        await this._observeAgentMdMeta(
+          String(item.aid ?? ""),
+          String(item.etag ?? ""),
+          String(item.last_modified ?? item.lastModified ?? ""),
+          `rpc.${key}`
+        );
+      }
     }
   }
   get state() {
@@ -10851,16 +11999,29 @@ var _AUNClient = class _AUNClient {
     this._sessionOptions = this._buildSessionOptions(normalized);
     this._transport.setTimeout(this._sessionOptions.timeouts.call);
     this._closing = false;
-    try {
-      await this._connectOnce(normalized, false);
-      this._clientLog.debug(`connect exit: elapsed=${Date.now() - tStart}ms state=${this._state}`);
-    } catch (err) {
-      if (this._state === "connecting" || this._state === "authenticating") {
-        this._state = "disconnected";
+    const gateways = this._resolveGateways(normalized);
+    let lastErr = null;
+    for (const gw of gateways) {
+      try {
+        const gwParams = { ...normalized, gateway: gw };
+        await this._connectOnce(gwParams, false);
+        this._clientLog.debug(`connect exit: elapsed=${Date.now() - tStart}ms state=${this._state}`);
+        return;
+      } catch (err) {
+        lastErr = err;
+        if (gateways.length > 1) {
+          this._clientLog.warn(`connect: gateway ${gw} failed, trying next: ${err instanceof Error ? err.message : String(err)}`);
+        }
+        if (this._state === "connecting" || this._state === "authenticating") {
+          this._state = "connecting";
+        }
       }
-      this._clientLog.debug(`connect exit (error): elapsed=${Date.now() - tStart}ms err=${err instanceof Error ? err.message : String(err)}`);
-      throw err;
     }
+    if (this._state === "connecting" || this._state === "authenticating") {
+      this._state = "disconnected";
+    }
+    this._clientLog.debug(`connect exit (error): elapsed=${Date.now() - tStart}ms err=${lastErr instanceof Error ? lastErr.message : String(lastErr)}`);
+    throw lastErr;
   }
   /** 断开连接但保留本地状态，可再次 connect */
   async disconnect() {
@@ -10983,6 +12144,9 @@ var _AUNClient = class _AUNClient {
       throw new PermissionError(`legacy E2EE method is removed in this SDK: ${method}`);
     }
     const p = { ...params ?? {} };
+    if (method === "message.send" || method === "group.send") {
+      this._normalizeOutboundMessagePayload(p, method);
+    }
     this._validateOutboundCall(method, p);
     this._injectMessageCursorContext(method, p);
     if (method.startsWith("group.") && p.group_id !== void 0 && p.group_id !== null) {
@@ -10993,7 +12157,7 @@ var _AUNClient = class _AUNClient {
       }
       p.group_id = normalizedGroupId;
     }
-    if (method.startsWith("group.") && this._deviceId && p.device_id === void 0) {
+    if (method.startsWith("group.") && p.device_id === void 0) {
       p.device_id = this._deviceId;
     }
     if (method.startsWith("group.") && p.slot_id === void 0) {
@@ -11081,7 +12245,11 @@ var _AUNClient = class _AUNClient {
       );
     }
     if (SIGNED_METHODS.has(method)) {
-      await this._signClientOperation(method, p);
+      if (this._shouldSkipClientSignature(method, p)) {
+        delete p.client_signature;
+      } else {
+        await this._signClientOperation(method, p);
+      }
     }
     const callTimeout = NON_IDEMPOTENT_METHODS.has(method) ? NON_IDEMPOTENT_TIMEOUT : void 0;
     let result = callTimeout ? await this._transport.call(method, p, callTimeout) : await this._transport.call(method, p);
@@ -11211,14 +12379,17 @@ var _AUNClient = class _AUNClient {
       const seq = msg.seq;
       if (seq !== void 0 && seq !== null && this._aid) {
         const ns = `p2p:${this._aid}`;
+        if (seq > 0) this._seqTracker.updateMaxSeen(ns, seq);
         const needPull = this._seqTracker.onMessageSeq(ns, seq);
         if (needPull) {
           this._safeAsync(this._fillP2pGap());
         }
         const contig = this._seqTracker.getContiguousSeq(ns);
         if (contig > 0) {
+          const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+          const ackSeq = maxSeen > 0 ? Math.min(contig, maxSeen) : contig;
           this._transport.call("message.ack", {
-            seq: contig,
+            seq: ackSeq,
             device_id: this._deviceId,
             slot_id: this._slotId
           }).catch((e) => {
@@ -11245,6 +12416,7 @@ var _AUNClient = class _AUNClient {
           timestamp: src.timestamp ?? null,
           _decrypt_error: String(exc)
         };
+        attachV2EnvelopeMetadataFromSource(safeEvent, data);
         await this._publishAppEvent("message.undecryptable", safeEvent);
       }
     }
@@ -11277,6 +12449,18 @@ var _AUNClient = class _AUNClient {
     }
     try {
       const ns = `group:${groupId}`;
+      this._seqTracker.updateMaxSeen(ns, seq);
+      const contigBefore = this._seqTracker.getContiguousSeq(ns);
+      if (contigBefore === seq) {
+        this._clientLog.debug(`_onRawGroupV2MessageCreated duplicate push already covered: group=${groupId} seq=${seq}`);
+        return;
+      }
+      const afterSeq = this._repairPushContiguousBound(
+        ns,
+        seq,
+        false,
+        "_raw.group.v2.message_created"
+      );
       const dedupKey = `group_pull:${ns}`;
       if (this._gapFillDone.has(dedupKey)) {
         this._clientLog.debug(`_onRawGroupV2MessageCreated skipped: dedupKey=${dedupKey} in flight`);
@@ -11284,7 +12468,6 @@ var _AUNClient = class _AUNClient {
       }
       this._gapFillDone.add(dedupKey);
       try {
-        const afterSeq = Math.max(0, this._seqTracker.getContiguousSeq(ns));
         this._clientLog.debug(`_onRawGroupV2MessageCreated -> group.v2.pull group=${groupId} after_seq=${afterSeq}`);
         const messages = await this.pullGroupV2(groupId, afterSeq, 50);
         this._clientLog.debug(`_onRawGroupV2MessageCreated pulled ${messages.length} msgs for group=${groupId}`);
@@ -11322,15 +12505,18 @@ var _AUNClient = class _AUNClient {
       }
       if (groupId && seq !== void 0 && seq !== null) {
         const ns = `group:${groupId}`;
+        if (seq > 0) this._seqTracker.updateMaxSeen(ns, seq);
         const needPull = this._seqTracker.onMessageSeq(ns, seq);
         if (needPull) {
           this._safeAsync(this._fillGroupGap(groupId));
         }
         const contig = this._seqTracker.getContiguousSeq(ns);
         if (contig > 0) {
+          const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+          const ackSeq = maxSeen > 0 ? Math.min(contig, maxSeen) : contig;
           this._transport.call("group.ack_messages", {
             group_id: groupId,
-            msg_seq: contig,
+            msg_seq: ackSeq,
             device_id: this._deviceId,
             slot_id: this._slotId
           }).catch((e) => {
@@ -11357,6 +12543,7 @@ var _AUNClient = class _AUNClient {
           timestamp: src.timestamp ?? null,
           _decrypt_error: String(exc)
         };
+        attachV2EnvelopeMetadataFromSource(safeEvent, data);
         await this._publishAppEvent("group.message_undecryptable", safeEvent);
       }
     }
@@ -11470,50 +12657,73 @@ var _AUNClient = class _AUNClient {
     this._gapFillDone.add(dedupKey);
     this._gapFillActive = true;
     try {
-      const result = await this.call("group.pull_events", {
-        group_id: groupId,
-        after_event_seq: afterSeq,
-        device_id: this._deviceId,
-        limit: 50
-      });
-      if (isJsonObject(result)) {
+      let nextAfterSeq = afterSeq;
+      const maxPages = 100;
+      let pageCount = 0;
+      while (pageCount < maxPages) {
+        pageCount += 1;
+        const result = await this.call("group.pull_events", {
+          group_id: groupId,
+          after_event_seq: nextAfterSeq,
+          device_id: this._deviceId,
+          limit: 50
+        });
+        if (!isJsonObject(result)) return;
         const events = result.events;
-        if (Array.isArray(events)) {
-          this._seqTracker.onPullResult(ns, events.filter(isJsonObject), afterSeq);
-          const cursor = isJsonObject(result.cursor) ? result.cursor : null;
-          const serverAck = cursor ? Number(cursor.current_seq ?? 0) : 0;
-          if (serverAck > 0) {
-            const contigBefore = this._seqTracker.getContiguousSeq(ns);
-            if (contigBefore < serverAck) {
-              this._clientLog.info("group.pull_events retention-floor advance: ns=" + ns + " contiguous=" + contigBefore + " -> cursor.current_seq=" + serverAck);
-              this._seqTracker.forceContiguousSeq(ns, serverAck);
-            }
-          }
-          this._saveSeqTrackerState();
-          const contig = this._seqTracker.getContiguousSeq(ns);
-          if (contig > 0 && (events.length > 0 || serverAck > 0)) {
-            this._transport.call("group.ack_events", {
-              group_id: groupId,
-              event_seq: contig,
-              device_id: this._deviceId,
-              slot_id: this._slotId
-            }).catch((e) => {
-              this._clientLog.warn("group event auto-ack failed: group=" + groupId, e);
-            });
+        if (!Array.isArray(events)) return;
+        const pageContigBefore = this._seqTracker.getContiguousSeq(ns);
+        const eventObjects = events.filter(isJsonObject);
+        if (eventObjects.length > 0) {
+          this._seqTracker.onPullResult(ns, eventObjects, nextAfterSeq);
+        }
+        const cursor = isJsonObject(result.cursor) ? result.cursor : null;
+        const serverAck = cursor ? Number(cursor.current_seq ?? 0) : 0;
+        if (serverAck > 0) {
+          const contigBeforeFloor = this._seqTracker.getContiguousSeq(ns);
+          if (contigBeforeFloor < serverAck) {
+            this._clientLog.info("group.pull_events retention-floor advance: ns=" + ns + " contiguous=" + contigBeforeFloor + " -> cursor.current_seq=" + serverAck);
+            this._seqTracker.forceContiguousSeq(ns, serverAck);
           }
-          for (const evt of events) {
-            if (isJsonObject(evt)) {
-              evt._from_gap_fill = true;
-              const et = String(evt.event_type ?? "");
-              if (et === "group.message_created") continue;
-              const cs = evt.client_signature;
-              if (cs && typeof cs === "object") {
-                evt._verified = await this._verifyEventSignature(evt, cs);
-              }
-              await this._dispatcher.publish("group.changed", evt);
+        }
+        const eventSeqs = [];
+        for (const evt of eventObjects) {
+          const eventSeq = Number(evt.event_seq ?? 0);
+          if (Number.isFinite(eventSeq) && eventSeq > 0) eventSeqs.push(eventSeq);
+          evt._from_gap_fill = true;
+          const et = String(evt.event_type ?? "");
+          if (et === "group.message_created") continue;
+          const cs = evt.client_signature;
+          if (cs && typeof cs === "object") {
+            if (this._shouldSkipEventSignature(evt)) {
+              delete evt.client_signature;
+            } else {
+              evt._verified = await this._verifyEventSignature(evt, cs);
             }
           }
+          await this._dispatcher.publish("group.changed", evt);
+        }
+        const contig = this._seqTracker.getContiguousSeq(ns);
+        if (contig !== pageContigBefore) {
+          this._saveSeqTrackerState();
+        }
+        if (eventObjects.length > 0 && contig > 0 && contig !== pageContigBefore) {
+          const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+          const ackSeq = maxSeen > 0 ? Math.min(contig, maxSeen) : contig;
+          this._transport.call("group.ack_events", {
+            group_id: groupId,
+            event_seq: ackSeq,
+            device_id: this._deviceId,
+            slot_id: this._slotId
+          }).catch((e) => {
+            this._clientLog.warn("group event auto-ack failed: group=" + groupId, e);
+          });
         }
+        const nextAfter = Math.max(eventSeqs.length > 0 ? Math.max(...eventSeqs) : nextAfterSeq, nextAfterSeq);
+        if (eventObjects.length === 0 || nextAfter <= nextAfterSeq || result.has_more === false) break;
+        nextAfterSeq = nextAfter;
+      }
+      if (pageCount >= maxPages) {
+        this._clientLog.warn(`group event gap fill reached max_pages=${maxPages} group=${groupId} after_seq=${nextAfterSeq}`);
       }
     } catch (exc) {
       this._clientLog.warn(`group event gap-fill failed:${String(exc)}`);
@@ -11611,10 +12821,10 @@ var _AUNClient = class _AUNClient {
   _attachCurrentInstanceContext(payload) {
     if (!isJsonObject(payload)) return payload;
     const result = { ...payload };
-    if (this._deviceId && !String(result.device_id ?? "").trim()) {
+    if (!("device_id" in result)) {
       result.device_id = this._deviceId;
     }
-    if (this._slotId && !String(result.slot_id ?? "").trim()) {
+    if (!("slot_id" in result)) {
       result.slot_id = this._slotId;
     }
     return result;
@@ -11664,6 +12874,15 @@ var _AUNClient = class _AUNClient {
     const trace = `${this._echoTimestamp()} [AUN-SDK.send] aid=${this._aid ?? "-"} conn_uptime=${uptime}s`;
     params.payload = { ...payload, text: payload.text + "\n" + trace };
   }
+  _shouldSkipClientSignature(method, params) {
+    if (method !== "message.send" && method !== "group.send") return false;
+    if (params.encrypted || params.encrypt) return false;
+    return this._isEchoPayload(params.payload);
+  }
+  _shouldSkipEventSignature(event) {
+    if (event.encrypted || event.encrypt) return false;
+    return this._isEchoPayload(event.payload);
+  }
   _maybeAppendEchoTraceReceive(msg) {
     if (msg.encrypted) return;
     const payload = msg.payload;
@@ -11674,13 +12893,17 @@ var _AUNClient = class _AUNClient {
   }
   _messageTargetsCurrentInstance(message) {
     if (!isJsonObject(message)) return true;
-    const targetDeviceId = String(message.device_id ?? "").trim();
-    if (targetDeviceId && this._deviceId && targetDeviceId !== this._deviceId) {
-      return false;
+    if ("device_id" in message) {
+      const targetDeviceId = String(message.device_id ?? "").trim();
+      if (targetDeviceId !== this._deviceId) {
+        return false;
+      }
     }
-    const targetSlotId = String(message.slot_id ?? "").trim();
-    if (targetSlotId && this._slotId && targetSlotId !== this._slotId) {
-      return false;
+    if ("slot_id" in message) {
+      const targetSlotId = String(message.slot_id ?? "").trim();
+      if (targetSlotId !== this._slotId) {
+        return false;
+      }
     }
     return true;
   }
@@ -11762,26 +12985,36 @@ var _AUNClient = class _AUNClient {
         const d = data;
         const cs = d.client_signature;
         if (cs && isJsonObject(cs)) {
-          d._verified = await this._verifyEventSignature(d, cs);
+          if (this._shouldSkipEventSignature(d)) {
+            delete d.client_signature;
+          } else {
+            d._verified = await this._verifyEventSignature(d, cs);
+          }
         }
         await this._dispatcher.publish("group.changed", d);
         const groupId = d.group_id ?? "";
         if (groupId) {
           this._v2BootstrapCache.delete(`group:${groupId}`);
         }
+        const membershipActions = /* @__PURE__ */ new Set([
+          "member_added",
+          "member_left",
+          "member_removed",
+          "role_changed",
+          "owner_transferred",
+          "joined",
+          "join_approved",
+          "invite_code_used"
+        ]);
         if (this._v2Session && groupId) {
-          const membershipActions = /* @__PURE__ */ new Set([
-            "member_added",
-            "member_left",
-            "member_removed",
-            "role_changed",
-            "owner_transferred",
-            "joined",
-            "join_approved"
-          ]);
           if (membershipActions.has(action)) {
             const callFn = async (method, params) => this.call(method, params);
-            if (action === "joined" || action === "join_approved") {
+            const joinedAid = String(d.joined_aid ?? d.member_aid ?? d.aid ?? "").trim();
+            const actorAid = String(d.actor_aid ?? "").trim();
+            const selfAid = String(this._aid ?? "").trim();
+            const joinActions = /* @__PURE__ */ new Set(["member_added", "joined", "join_approved", "invite_code_used"]);
+            const isSelfJoin = joinActions.has(action) && !!selfAid && (joinedAid === selfAid || !joinedAid && (action === "joined" || action === "invite_code_used") && actorAid === selfAid);
+            if (isSelfJoin) {
               this._v2Session.ensureGroupRegistered?.(groupId, callFn)?.catch((exc) => {
                 this._clientLog.debug(`group SPK registration failed (non-fatal): group=${groupId} action=${action} err=${exc}`);
               });
@@ -11792,7 +13025,7 @@ var _AUNClient = class _AUNClient {
             }
           }
         }
-        if (groupId && action === "upsert" && this._v2Session) {
+        if (groupId && this._v2Session && (action === "upsert" || membershipActions.has(action))) {
           this._safeAsync(this._v2AutoProposeState(groupId, { leaderDelay: true }));
         }
         let needPull = false;
@@ -11849,12 +13082,16 @@ var _AUNClient = class _AUNClient {
   async _onGroupStateCommittedImpl(d, groupId) {
     const cs = d.client_signature;
     if (cs && isJsonObject(cs)) {
-      const verified = await this._verifyEventSignature(d, cs);
-      if (verified === false) {
-        this._clientLog.warn(`state_committed committer signature verify failed group=%s${String(groupId)}`);
-        return;
+      if (this._shouldSkipEventSignature(d)) {
+        delete d.client_signature;
+      } else {
+        const verified = await this._verifyEventSignature(d, cs);
+        if (verified === false) {
+          this._clientLog.warn(`state_committed committer signature verify failed group=%s${String(groupId)}`);
+          return;
+        }
+        d._verified = verified;
       }
-      d._verified = verified;
     }
     const stateVersion = Number(d.state_version ?? 0);
     const stateHash = String(d.state_hash ?? "").trim();
@@ -12110,6 +13347,7 @@ var _AUNClient = class _AUNClient {
       let e2eeMeta = null;
       let decryptFailed = false;
       if (isV2Envelope) {
+        e2eeMeta = v2E2eeMeta(payload);
         const plaintext = await this._decryptV2EnvelopeForThought({
           envelope: payload,
           fromAid: senderAid
@@ -12120,7 +13358,7 @@ var _AUNClient = class _AUNClient {
           decryptedPayload = payload;
         } else {
           decryptedPayload = plaintext;
-          const e2eeObj = v2E2eeMeta(payload);
+          const e2eeObj = e2eeMeta;
           const ph = payload.protected_headers;
           if (isJsonObject(ph)) {
             const phBody = {};
@@ -12150,6 +13388,7 @@ var _AUNClient = class _AUNClient {
         created_at: item.created_at,
         e2ee: e2eeMeta
       };
+      if (isJsonObject(e2eeMeta)) attachV2EnvelopeMetadata(thought, e2eeMeta);
       if (decryptFailed) thought.decrypt_failed = true;
       if ("context" in item) thought.context = item.context;
       thoughts.push(thought);
@@ -12184,6 +13423,8 @@ var _AUNClient = class _AUNClient {
       let decrypted = message;
       let decryptFailed = false;
       if (payload?.type === "e2ee.p2p_encrypted") {
+        const e2eeObj = v2E2eeMeta(payload);
+        message.e2ee = e2eeObj;
         const plaintext = await this._decryptV2EnvelopeForThought({
           envelope: payload,
           fromAid
@@ -12194,7 +13435,6 @@ var _AUNClient = class _AUNClient {
         } else {
           decrypted = { ...message };
           decrypted.payload = plaintext;
-          const e2eeObj = v2E2eeMeta(payload);
           const ph = payload.protected_headers;
           if (isJsonObject(ph)) {
             const phBody = {};
@@ -12216,6 +13456,7 @@ var _AUNClient = class _AUNClient {
       } else if (payload?.type === "e2ee.encrypted") {
         decryptFailed = true;
       }
+      const exposedE2ee = (decrypted ?? message).e2ee;
       const thought = {
         thought_id: thoughtId,
         message_id: thoughtId,
@@ -12223,8 +13464,9 @@ var _AUNClient = class _AUNClient {
         to: toAid,
         payload: (decrypted ?? message).payload,
         created_at: item.created_at,
-        e2ee: (decrypted ?? message).e2ee
+        e2ee: exposedE2ee
       };
+      if (isJsonObject(exposedE2ee)) attachV2EnvelopeMetadata(thought, exposedE2ee);
       if (decryptFailed) thought.decrypt_failed = true;
       if ("context" in item) thought.context = item.context;
       thoughts.push(thought);
@@ -12236,7 +13478,7 @@ var _AUNClient = class _AUNClient {
    * 获取对方证书（带缓存 + 完整 PKI 验证：链 + CRL + OCSP + AID 绑定）。
    * 跨域时自动将请求路由到 peer 所在域的 Gateway。
    */
-  async _fetchPeerCert(aid, certFingerprint) {
+  async _fetchPeerCert(aid, certFingerprint, timeoutMs = 5e3) {
     const tStart = Date.now();
     this._clientLog.debug(`_fetchPeerCert enter: aid=${aid} fingerprint=${certFingerprint ?? "<none>"}`);
     try {
@@ -12256,7 +13498,7 @@ var _AUNClient = class _AUNClient {
       try {
         const certUrl = buildCertUrl(peerGatewayUrl, aid, certFingerprint);
         const controller = new AbortController();
-        const timeoutId = setTimeout(() => controller.abort(), 5e3);
+        const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
         try {
           const resp = await fetch(certUrl, { signal: controller.signal });
           if (!resp.ok) throw new ValidationError(`failed to fetch peer cert for ${aid}: HTTP ${resp.status}`);
@@ -12269,7 +13511,7 @@ var _AUNClient = class _AUNClient {
           throw exc;
         }
         const fallbackController = new AbortController();
-        const fallbackTimeoutId = setTimeout(() => fallbackController.abort(), 5e3);
+        const fallbackTimeoutId = setTimeout(() => fallbackController.abort(), timeoutMs);
         try {
           const fallbackResp = await fetch(buildCertUrl(peerGatewayUrl, aid), { signal: fallbackController.signal });
           if (!fallbackResp.ok) {
@@ -12526,6 +13768,10 @@ var _AUNClient = class _AUNClient {
     }
   }
   _resolveGateway(params) {
+    const gateways = this._resolveGateways(params);
+    return gateways[0];
+  }
+  _resolveGateways(params) {
     const topology = isJsonObject(params.topology) ? params.topology : null;
     if (topology) {
       const mode = String(topology.mode ?? "gateway");
@@ -12536,9 +13782,14 @@ var _AUNClient = class _AUNClient {
         throw new ValidationError("relay topology is not implemented in the Browser SDK");
       }
     }
-    const gateway = String(params.gateway ?? this._gatewayUrl ?? "");
+    const gw = params.gateway ?? params.gateways;
+    if (Array.isArray(gw)) {
+      const urls = gw.map((g) => String(g ?? "")).filter((u) => u.length > 0);
+      if (urls.length > 0) return urls;
+    }
+    const gateway = String(gw ?? this._gatewayUrl ?? "");
     if (!gateway) throw new StateError("missing gateway in connect params");
-    return gateway;
+    return [gateway];
   }
   async _syncIdentityAfterConnect(accessToken) {
     let identity = null;
@@ -12798,6 +14049,16 @@ var _AUNClient = class _AUNClient {
     };
     scheduleRefresh(0);
   }
+  _normalizeOutboundMessagePayload(params, method = "") {
+    if (!Object.prototype.hasOwnProperty.call(params, "payload") && Object.prototype.hasOwnProperty.call(params, "content")) {
+      params.payload = params.content;
+      delete params.content;
+    }
+    const payload = params.payload;
+    if (isJsonObject(payload) && !Object.prototype.hasOwnProperty.call(payload, "type") && typeof payload.text === "string") {
+      params.payload = { type: "text", ...payload };
+    }
+  }
   _validateMessageRecipient(toAid) {
     if (isGroupServiceAid(toAid)) {
       throw new ValidationError("message.send receiver cannot be group.{issuer}; use group.send instead");
@@ -13204,6 +14465,8 @@ var _AUNClient = class _AUNClient {
     this._gapFillDone.clear();
     this._pushedSeqs.clear();
     this._pendingOrderedMsgs.clear();
+    this._v2SenderIKPending.clear();
+    this._v2SenderIKFetching.clear();
     this._groupSynced.clear();
   }
   _refreshSeqTrackerContext() {
@@ -13213,6 +14476,8 @@ var _AUNClient = class _AUNClient {
     this._gapFillDone.clear();
     this._pushedSeqs.clear();
     this._pendingOrderedMsgs.clear();
+    this._v2SenderIKPending.clear();
+    this._v2SenderIKFetching.clear();
     this._groupSynced.clear();
     this._seqTrackerContext = nextContext;
   }
@@ -13264,6 +14529,46 @@ var _AUNClient = class _AUNClient {
       });
     }
   }
+  _persistRepairedSeq(ns) {
+    if (!this._aid || !ns) return;
+    const seq = this._seqTracker.getContiguousSeq(ns);
+    try {
+      if (seq > 0 && typeof this._keystore.saveSeq === "function") {
+        this._keystore.saveSeq(this._aid, this._deviceId, this._slotId, ns, seq).catch((exc) => {
+          this._clientLog.debug(`persist repaired seq failed: ns=${ns} err=${formatCaughtError(exc)}`);
+        });
+        return;
+      }
+      const deleteSeq = this._keystore.deleteSeq;
+      if (seq <= 0 && typeof deleteSeq === "function") {
+        deleteSeq.call(this._keystore, this._aid, this._deviceId, this._slotId, ns).catch((exc) => {
+          this._clientLog.debug(`delete repaired seq failed: ns=${ns} err=${formatCaughtError(exc)}`);
+        });
+        return;
+      }
+      if (seq > 0) {
+        this._saveSeqTrackerState();
+      }
+    } catch (exc) {
+      this._clientLog.debug(`persist repaired seq failed: ns=${ns} err=${formatCaughtError(exc)}`);
+    }
+  }
+  _repairPushContiguousBound(ns, pushSeq, hasPayload, label) {
+    if (!ns || !Number.isFinite(pushSeq) || pushSeq <= 0) {
+      return ns ? this._seqTracker.getContiguousSeq(ns) : 0;
+    }
+    const contig = this._seqTracker.getContiguousSeq(ns);
+    const shouldRepair = contig > pushSeq;
+    if (!shouldRepair) return contig;
+    const repairedTo = Math.max(0, pushSeq - 1);
+    this._seqTracker.repairContiguousSeq(ns, repairedTo);
+    const repaired = this._seqTracker.getContiguousSeq(ns);
+    this._persistRepairedSeq(ns);
+    this._clientLog.warn(
+      `${label} push repaired contiguous_seq: ns=${ns} payload=${hasPayload} push_seq=${pushSeq} contiguous=${contig}->${repaired}`
+    );
+    return repaired;
+  }
   // ── V2 E2EE API（async，与 Python `client.py` `_init_v2_session` / `send_v2` / `pull_v2` / `ack_v2` 对齐） ──
   /**
    * 初始化 V2 session：从 AID PEM 私钥提取 raw scalar + DER 公钥，
@@ -13322,39 +14627,212 @@ var _AUNClient = class _AUNClient {
     this._clientLog.debug(`V2 session initialized aid=${this._aid} device=${this._deviceId}`);
     this._safeAsync(this._v2AutoConfirmPendingProposals());
   }
+  async _v2TrustedIKPubDer(aid) {
+    const normalizedAid = String(aid ?? "").trim();
+    if (!normalizedAid) throw new E2EEError("spk_aid_missing");
+    if (this._aid && normalizedAid === this._aid) {
+      if (!this._v2Session) throw new E2EEError("V2 session not initialized");
+      return this._v2Session.currentIkPubDer;
+    }
+    const certPem = await this._fetchPeerCert(normalizedAid);
+    const pubKey = await importCertPublicKeyEcdsa(certPem);
+    return new Uint8Array(await crypto.subtle.exportKey("spki", pubKey));
+  }
+  _v2SPKTimestampText(value, aid, deviceId, spkId) {
+    if (value === null || value === void 0 || value === "") {
+      throw new E2EEError(`spk_timestamp_missing: aid=${aid} device_id=${deviceId} spk_id=${spkId}`);
+    }
+    if (typeof value === "boolean") {
+      throw new E2EEError(`spk_timestamp_invalid: aid=${aid} device_id=${deviceId} spk_id=${spkId}`);
+    }
+    if (typeof value === "number") {
+      if (!Number.isSafeInteger(value)) {
+        throw new E2EEError(`spk_timestamp_invalid: aid=${aid} device_id=${deviceId} spk_id=${spkId}`);
+      }
+      return String(value);
+    }
+    const text = String(value).trim();
+    if (!/^\d+$/.test(text)) {
+      throw new E2EEError(`spk_timestamp_invalid: aid=${aid} device_id=${deviceId} spk_id=${spkId}`);
+    }
+    return BigInt(text).toString();
+  }
+  async _v2VerifySPKDevice(args) {
+    if (!this._v2Session) throw new E2EEError("V2 session not initialized");
+    const spkId = String(args.dev.spk_id ?? "").trim();
+    if (!spkId) return;
+    if (args.keySource !== "peer_device_prekey" && args.keySource !== "group_device_prekey") {
+      throw new E2EEError(`spk_key_source_invalid: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId} key_source=${args.keySource}`);
+    }
+    if (!args.spkPkDer || args.spkPkDer.length === 0) {
+      throw new E2EEError(`spk_public_key_missing: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId}`);
+    }
+    const spkHash = bytesToHex6(new Uint8Array(await crypto.subtle.digest("SHA-256", args.spkPkDer.slice().buffer)));
+    const expectedSpkId = `sha256:${spkHash.substring(0, 16)}`;
+    if (spkId !== expectedSpkId) {
+      throw new E2EEError(`spk_id_mismatch: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId} expected=${expectedSpkId}`);
+    }
+    const trustedIK = await this._v2TrustedIKPubDer(args.aid);
+    if (!_v2BytesEqual(trustedIK, args.ikPkDer)) {
+      throw new E2EEError(`spk_ik_mismatch: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId}`);
+    }
+    if (_v2BytesEqual(args.spkPkDer, trustedIK)) {
+      this._v2Session.markPeerSPKVerified(args.aid, args.deviceId, spkId);
+      return;
+    }
+    const sigB64 = String(args.dev.spk_signature ?? "").trim();
+    if (!sigB64) {
+      throw new E2EEError(`spk_signature_missing: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId}`);
+    }
+    let signature;
+    try {
+      signature = _v2B64ToBytesStrict(sigB64);
+    } catch {
+      throw new E2EEError(`spk_signature_invalid_base64: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId}`);
+    }
+    const encoder6 = new TextEncoder();
+    const tsText = this._v2SPKTimestampText(args.dev.spk_timestamp, args.aid, args.deviceId, spkId);
+    const signData = _v2ConcatBytes(args.spkPkDer, encoder6.encode(spkId), encoder6.encode(tsText));
+    if (!await ecdsaVerifyRaw(trustedIK, signature, signData)) {
+      throw new E2EEError(`spk_signature_invalid: aid=${args.aid} device_id=${args.deviceId} spk_id=${spkId}`);
+    }
+    this._v2Session.markPeerSPKVerified(args.aid, args.deviceId, spkId);
+  }
+  async _v2BuildTargetFromDevice(args) {
+    const aid = String(args.aid ?? "").trim();
+    const devId = getV2DeviceId(args.dev);
+    const deviceId = devId.present ? devId.value : String(args.deviceId ?? "").trim();
+    const ikPk = String(args.dev.ik_pk ?? "").trim();
+    if (!aid || !devId.present || !ikPk) return null;
+    const ikPkDer = _v2B64ToBytes(ikPk);
+    const spkPkDer = args.dev.spk_pk ? _v2B64ToBytes(String(args.dev.spk_pk)) : void 0;
+    const keySource = String(args.dev.key_source ?? args.defaultKeySource).trim() || args.defaultKeySource;
+    await this._v2VerifySPKDevice({ dev: args.dev, aid, deviceId, ikPkDer, spkPkDer, keySource });
+    this._v2Session?.cachePeerIK(aid, deviceId, ikPkDer);
+    return {
+      aid,
+      deviceId,
+      role: args.role,
+      keySource,
+      ikPkDer,
+      spkPkDer,
+      spkId: String(args.dev.spk_id ?? "").trim()
+    };
+  }
   async _getV2SenderPubDer(fromAid, senderDeviceId) {
     const session = this._v2Session;
     if (!session || !fromAid) return null;
     let senderPubDer = session.getPeerIK(fromAid, senderDeviceId);
     if (senderPubDer) return senderPubDer;
     try {
-      const bs = await this.call("message.v2.bootstrap", { peer_aid: fromAid });
-      const peers = Array.isArray(bs?.peer_devices) ? bs.peer_devices : [];
-      for (const dev of peers) {
-        const devId = String(dev.device_id ?? dev.owner_device_id ?? "");
-        const ikPk = String(dev.ik_pk ?? "");
-        if (!devId || !ikPk) continue;
-        session.cachePeerIK(fromAid, devId, _v2B64ToBytes(ikPk));
-      }
-      senderPubDer = session.getPeerIK(fromAid, senderDeviceId);
-      if (senderPubDer) return senderPubDer;
-    } catch (exc) {
-      this._clientLog.warn(`V2 decrypt: bootstrap for sender ${fromAid} failed: ${String(formatCaughtError(exc))}`);
-    }
-    try {
-      const certPem = await this._fetchPeerCert(fromAid);
+      const certPem = await this._fetchPeerCert(fromAid, void 0, 3e3);
       const pubKey = await importCertPublicKeyEcdsa(certPem);
       senderPubDer = new Uint8Array(await crypto.subtle.exportKey("spki", pubKey));
-      if (senderDeviceId) {
-        session.cachePeerIK(fromAid, senderDeviceId, senderPubDer);
-      }
-      this._clientLog.debug(`V2 decrypt: sender IK fallback from CA cert for ${fromAid}`);
+      session.cachePeerIK(fromAid, senderDeviceId, senderPubDer);
+      this._clientLog.debug(`V2 decrypt: sender IK fallback from PKI cert for ${fromAid}`);
       return senderPubDer;
     } catch (exc) {
-      this._clientLog.warn(`V2 decrypt: CA fallback for ${fromAid} failed: ${String(formatCaughtError(exc))}`);
+      this._clientLog.warn(`V2 decrypt: PKI cert sender IK fallback failed for ${fromAid}: ${String(formatCaughtError(exc))}`);
       return null;
     }
   }
+  _v2PendingSenderIKMessageKey(msg, groupId) {
+    const messageId = String(msg.message_id ?? "").trim();
+    const seq = String(msg.seq ?? "").trim();
+    const prefix = groupId ? `group:${groupId}` : `p2p:${this._aid ?? ""}`;
+    return `${prefix}:${messageId || seq || Math.random().toString(36).slice(2)}`;
+  }
+  _v2PendingSenderIKFetchKey(fromAid, senderDeviceId, groupId) {
+    return `${fromAid}#${senderDeviceId}#${groupId || ""}`;
+  }
+  _cacheV2PeerIKFromDevice(dev, fallbackAid = "") {
+    const session = this._v2Session;
+    if (!session || !isJsonObject(dev)) return;
+    const device = dev;
+    const devId = getV2DeviceId(device);
+    const aid = String(device.aid ?? fallbackAid ?? "").trim();
+    const ikPk = String(device.ik_pk ?? "").trim();
+    if (!devId.present || !aid || !ikPk) return;
+    try {
+      session.cachePeerIK(aid, devId.value, _v2B64ToBytes(ikPk));
+    } catch (exc) {
+      this._clientLog.debug(`V2 sender IK cache from bootstrap skipped aid=${aid} dev=${devId.value}: ${String(formatCaughtError(exc))}`);
+    }
+  }
+  _scheduleV2SenderIKPending(args) {
+    const fromAid = String(args.fromAid ?? "").trim();
+    if (!fromAid) return;
+    const senderDeviceId = String(args.senderDeviceId ?? "");
+    const groupId = String(args.groupId ?? "").trim();
+    const messageKey = this._v2PendingSenderIKMessageKey(args.msg, groupId);
+    this._v2SenderIKPending.set(messageKey, {
+      msg: { ...args.msg },
+      fromAid,
+      senderDeviceId,
+      groupId,
+      createdAt: Date.now()
+    });
+    this._clientLog.debug(`V2 decrypt pending sender IK: key=${messageKey} from=${fromAid} device=${senderDeviceId || "-"} group=${groupId || "<p2p>"} pending=${this._v2SenderIKPending.size}`);
+    this._scheduleV2SenderIKFetch(fromAid, senderDeviceId, groupId);
+  }
+  _scheduleV2SenderIKFetch(fromAid, senderDeviceId, groupId) {
+    const fetchKey = this._v2PendingSenderIKFetchKey(fromAid, senderDeviceId, groupId);
+    if (!fromAid || this._v2SenderIKFetching.has(fetchKey)) return;
+    this._v2SenderIKFetching.add(fetchKey);
+    this._safeAsync(this._resolveV2SenderIKPending(fromAid, senderDeviceId, groupId, fetchKey));
+  }
+  async _resolveV2SenderIKPending(fromAid, senderDeviceId, groupId, fetchKey) {
+    try {
+      const session = this._v2Session;
+      if (session && fromAid) {
+        try {
+          const bs = await this.call("message.v2.bootstrap", { peer_aid: fromAid });
+          const peers = Array.isArray(bs?.peer_devices) ? bs.peer_devices : [];
+          for (const dev of peers) this._cacheV2PeerIKFromDevice(dev, fromAid);
+        } catch (exc) {
+          this._clientLog.warn(`V2 sender IK pending bootstrap failed peer=${fromAid}: ${String(formatCaughtError(exc))}`);
+        }
+        if (groupId) {
+          try {
+            const gbs = await this.call("group.v2.bootstrap", { group_id: groupId });
+            const devices = Array.isArray(gbs?.devices) ? gbs.devices : [];
+            const audit = Array.isArray(gbs?.audit_recipients) ? gbs.audit_recipients : [];
+            for (const dev of devices) this._cacheV2PeerIKFromDevice(dev);
+            for (const dev of audit) this._cacheV2PeerIKFromDevice(dev);
+          } catch (exc) {
+            this._clientLog.warn(`V2 sender IK pending group bootstrap failed group=${groupId}: ${String(formatCaughtError(exc))}`);
+          }
+        }
+        if (!session.getPeerIK(fromAid, senderDeviceId)) {
+          await this._getV2SenderPubDer(fromAid, senderDeviceId);
+        }
+      }
+      const pendingItems = [...this._v2SenderIKPending.entries()].filter(([, entry]) => entry.fromAid === fromAid && entry.senderDeviceId === senderDeviceId && entry.groupId === groupId);
+      for (const [key, entry] of pendingItems) {
+        let plaintext = null;
+        try {
+          plaintext = await this._decryptV2Message(entry.msg, false);
+        } catch (exc) {
+          this._clientLog.warn(`V2 sender IK pending retry raised: key=${key} err=${String(formatCaughtError(exc))}`);
+        }
+        this._v2SenderIKPending.delete(key);
+        if (plaintext === null) {
+          this._clientLog.debug(`V2 sender IK pending retry failed: key=${key}`);
+          continue;
+        }
+        const seq = Number(entry.msg.seq ?? 0);
+        if (entry.groupId) {
+          plaintext.group_id = entry.groupId;
+          await this._publishPulledMessage("group.message_created", `group:${entry.groupId}`, seq, plaintext);
+        } else {
+          await this._publishPulledMessage("message.received", `p2p:${this._aid ?? ""}`, seq, plaintext);
+        }
+        this._clientLog.debug(`V2 sender IK pending retry delivered: key=${key}`);
+      }
+    } finally {
+      this._v2SenderIKFetching.delete(fetchKey);
+    }
+  }
   /**
    * V2 P2P 加密发送（推测性：用缓存 bootstrap 直接发，失败刷新重试一次）。
    *
@@ -13367,105 +14845,19 @@ var _AUNClient = class _AUNClient {
     if (!this._v2Session) {
       throw new StateError("V2 session not initialized (not connected?)");
     }
-    const session = this._v2Session;
     const toAid = String(to ?? "").trim();
     if (!toAid) throw new ValidationError("message.send requires 'to'");
     if (!isJsonObject(payload)) throw new ValidationError("message.send payload must be a dict for V2 encryption");
     const attempt = async (useCache) => {
-      let peerDevices = [];
-      let auditRaw = [];
-      const cached = useCache ? this._v2BootstrapCache.get(toAid) : void 0;
-      if (cached && Date.now() - cached.cachedAt < _AUNClient.V2_BOOTSTRAP_TTL_MS) {
-        peerDevices = cached.devices;
-        auditRaw = cached.auditRecipients;
-      } else {
-        const bs = await this.call("message.v2.bootstrap", { peer_aid: toAid });
-        peerDevices = Array.isArray(bs?.peer_devices) ? bs.peer_devices : [];
-        auditRaw = Array.isArray(bs?.audit_recipients) ? bs.audit_recipients : [];
-        if (peerDevices.length > 0) {
-          this._v2BootstrapCache.set(toAid, {
-            devices: peerDevices,
-            auditRecipients: auditRaw,
-            cachedAt: Date.now()
-          });
-        }
-      }
-      if (peerDevices.length === 0) {
-        throw new E2EEError(`V2 bootstrap: no devices found for ${toAid}`);
-      }
-      const targets = [];
-      for (const dev of peerDevices) {
-        const ikDer = _v2B64ToBytes(String(dev.ik_pk ?? ""));
-        const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-        session.cachePeerIK(toAid, String(dev.device_id ?? ""), ikDer);
-        targets.push({
-          aid: toAid,
-          deviceId: String(dev.device_id ?? ""),
-          role: "peer",
-          keySource: String(dev.key_source ?? "peer_device_prekey"),
-          ikPkDer: ikDer,
-          spkPkDer: spkDer,
-          spkId: String(dev.spk_id ?? "")
-        });
-      }
-      const auditTargets = [];
-      for (const dev of auditRaw) {
-        if (!dev.ik_pk) continue;
-        const ikDer = _v2B64ToBytes(String(dev.ik_pk));
-        const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-        auditTargets.push({
-          aid: String(dev.aid ?? ""),
-          deviceId: String(dev.device_id ?? ""),
-          role: "audit",
-          keySource: String(dev.key_source ?? "peer_device_prekey"),
-          ikPkDer: ikDer,
-          spkPkDer: spkDer,
-          spkId: String(dev.spk_id ?? "")
-        });
-      }
-      if (this._aid && this._aid !== toAid) {
-        try {
-          const selfCached = this._v2BootstrapCache.get(this._aid);
-          let selfDevices = [];
-          if (selfCached && Date.now() - selfCached.cachedAt < _AUNClient.V2_BOOTSTRAP_TTL_MS) {
-            selfDevices = selfCached.devices;
-          } else {
-            const selfBs = await this.call("message.v2.bootstrap", { peer_aid: this._aid });
-            selfDevices = Array.isArray(selfBs?.peer_devices) ? selfBs.peer_devices : [];
-            if (selfDevices.length > 0) {
-              this._v2BootstrapCache.set(this._aid, {
-                devices: selfDevices,
-                auditRecipients: [],
-                cachedAt: Date.now()
-              });
-            }
-          }
-          for (const dev of selfDevices) {
-            const devId = String(dev.owner_device_id ?? dev.device_id ?? "");
-            if (devId === this._deviceId) continue;
-            const ikDer = _v2B64ToBytes(String(dev.ik_pk ?? ""));
-            const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-            targets.push({
-              aid: this._aid,
-              deviceId: devId,
-              role: "self_sync",
-              keySource: String(dev.key_source ?? "peer_device_prekey"),
-              ikPkDer: ikDer,
-              spkPkDer: spkDer,
-              spkId: String(dev.spk_id ?? "")
-            });
-          }
-        } catch (exc) {
-          this._clientLog.debug(`V2 self-sync bootstrap failed (non-fatal): ${String(exc)}`);
-        }
-      }
-      const sender = await session.getSenderIdentity();
-      const envelope = await encryptP2PMessage(
-        sender,
-        { targets, auditRecipients: auditTargets },
+      const envelope = await this._buildV2P2PEnvelope({
+        to: toAid,
         payload,
-        opts ?? {}
-      );
+        messageId: opts?.messageId,
+        timestamp: opts?.timestamp,
+        protectedHeaders: opts?.protectedHeaders,
+        context: opts?.context,
+        useCache
+      });
       return this.call("message.send", {
         to: toAid,
         payload: envelope,
@@ -13495,77 +14887,93 @@ var _AUNClient = class _AUNClient {
       throw new StateError("V2 session not initialized (not connected?)");
     }
     const ns = this._aid ? `p2p:${this._aid}` : "";
-    const effective = afterSeq || (ns ? this._seqTracker.getContiguousSeq(ns) : 0);
-    const result = await this.call("message.v2.pull", {
-      after_seq: effective,
-      limit
-    });
-    const messages = Array.isArray(result?.messages) ? result.messages : [];
     const decrypted = [];
-    const seqs = messages.map((msg) => Number(msg.seq ?? 0)).filter((seq) => Number.isFinite(seq) && seq > 0);
-    const contigBefore = ns ? this._seqTracker.getContiguousSeq(ns) : 0;
-    if (ns && seqs.length > 0 && seqs[0] > contigBefore) {
-      this._seqTracker.forceContiguousSeq(ns, seqs[0]);
-    }
-    for (const msg of messages) {
-      const seq = Number(msg.seq ?? 0);
-      if (!Number.isFinite(seq) || seq <= 0) continue;
-      const version = String(msg.version ?? "v2");
-      if (version === "v1") {
-        const legacy = isJsonObject(msg.legacy_v1) ? msg.legacy_v1 : {};
-        const legacyPayload = legacy.payload;
-        const payloadType = isJsonObject(legacyPayload) ? String(legacyPayload.type ?? "").trim() : "";
-        if (legacyPayload !== void 0 && legacyPayload !== null && payloadType !== "e2ee.encrypted" && payloadType !== "e2ee.group_encrypted") {
-          const v1Msg = {
-            message_id: String(msg.message_id ?? ""),
-            from: String(msg.from_aid ?? ""),
-            to: String(legacy.to ?? this._aid ?? ""),
-            seq: msg.seq,
-            type: String(msg.type ?? ""),
-            timestamp: msg.t_server,
-            payload: legacyPayload,
-            encrypted: false
-          };
-          if (ns) await this._publishPulledMessage("message.received", ns, seq, v1Msg);
-          else await this._publishAppEvent("message.received", v1Msg);
-          decrypted.push(v1Msg);
+    let nextAfterSeq = afterSeq || (ns ? this._seqTracker.getContiguousSeq(ns) : 0);
+    let pageCount = 0;
+    const maxPages = 100;
+    while (pageCount < maxPages) {
+      pageCount += 1;
+      const result = await this.call("message.v2.pull", {
+        after_seq: nextAfterSeq,
+        limit
+      });
+      const messages = Array.isArray(result?.messages) ? result.messages : [];
+      const seqs = messages.map((msg) => Number(msg.seq ?? 0)).filter((seq) => Number.isFinite(seq) && seq > 0);
+      const pageContigBefore = ns ? this._seqTracker.getContiguousSeq(ns) : 0;
+      const pageMaxSeq = seqs.length > 0 ? Math.max(...seqs) : nextAfterSeq;
+      if (ns && seqs.length > 0) {
+        this._seqTracker.forceContiguousSeq(ns, pageMaxSeq);
+      }
+      for (const msg of messages) {
+        const seq = Number(msg.seq ?? 0);
+        if (!Number.isFinite(seq) || seq <= 0) continue;
+        const version = String(msg.version ?? "v2");
+        if (version === "v1") {
+          const legacy = isJsonObject(msg.legacy_v1) ? msg.legacy_v1 : {};
+          const legacyPayload = legacy.payload;
+          const payloadType = isJsonObject(legacyPayload) ? String(legacyPayload.type ?? "").trim() : "";
+          if (legacyPayload !== void 0 && legacyPayload !== null && payloadType !== "e2ee.encrypted" && payloadType !== "e2ee.group_encrypted") {
+            const v1Msg = {
+              message_id: String(msg.message_id ?? ""),
+              from: String(msg.from_aid ?? ""),
+              to: String(legacy.to ?? this._aid ?? ""),
+              seq: msg.seq,
+              type: String(msg.type ?? ""),
+              timestamp: msg.t_server,
+              payload: legacyPayload,
+              encrypted: false
+            };
+            if (ns) await this._publishPulledMessage("message.received", ns, seq, v1Msg);
+            else await this._publishAppEvent("message.received", v1Msg);
+            decrypted.push(v1Msg);
+          } else {
+            this._clientLog.debug(`message.v2.pull skipping V1 envelope seq=${seq} payload_type=${payloadType || "<none>"} (V1 E2EE removed)`);
+          }
+          continue;
+        }
+        if (version !== "v2") {
+          this._clientLog.debug(`message.v2.pull skipping non-V2 row seq=${seq} version=${String(msg.version ?? "")}`);
+          continue;
+        }
+        const msgSpkId = String(msg.spk_id ?? "");
+        if (msgSpkId && this._v2Session && !this._v2Session.isCurrentSPK(msgSpkId)) {
+          this._v2Session.trackOldSPKMaxSeq(msgSpkId, seq);
+        }
+        const plaintext = await this._decryptV2Message(msg);
+        if (plaintext === null) continue;
+        if (ns) {
+          await this._publishPulledMessage("message.received", ns, seq, plaintext);
+          decrypted.push(plaintext);
         } else {
-          this._clientLog.debug(`message.v2.pull skipping V1 envelope seq=${seq} payload_type=${payloadType || "<none>"} (V1 E2EE removed)`);
+          await this._publishAppEvent("message.received", plaintext);
+          decrypted.push(plaintext);
         }
-        continue;
       }
-      if (version !== "v2") {
-        this._clientLog.debug(`message.v2.pull skipping non-V2 row seq=${seq} version=${String(msg.version ?? "")}`);
-        continue;
-      }
-      const msgSpkId = String(msg.spk_id ?? "");
-      if (msgSpkId && this._v2Session && !this._v2Session.isCurrentSPK(msgSpkId)) {
-        this._v2Session.trackOldSPKMaxSeq(msgSpkId, seq);
+      const serverAckSeq = Number(result.server_ack_seq ?? 0);
+      if (ns && Number.isFinite(serverAckSeq) && serverAckSeq > 0) {
+        const contig = this._seqTracker.getContiguousSeq(ns);
+        if (contig < serverAckSeq) {
+          this._clientLog.info(`message.v2.pull retention-floor advance: ns=${ns} contiguous=${contig} -> server_ack_seq=${serverAckSeq}`);
+          this._seqTracker.forceContiguousSeq(ns, serverAckSeq);
+        }
       }
-      const plaintext = await this._decryptV2Message(msg);
-      if (plaintext === null) continue;
       if (ns) {
-        await this._publishPulledMessage("message.received", ns, seq, plaintext);
-        decrypted.push(plaintext);
-      } else {
-        await this._publishAppEvent("message.received", plaintext);
-        decrypted.push(plaintext);
-      }
-    }
-    if (ns && seqs.length > 0) {
-      const maxSeq = Math.max(...seqs);
-      const contig = this._seqTracker.getContiguousSeq(ns);
-      if (maxSeq > contig) {
-        this._seqTracker.forceContiguousSeq(ns, maxSeq);
-        await this._drainOrderedMessages(ns);
-      }
-      const ackSeq = this._seqTracker.getContiguousSeq(ns);
-      if (ackSeq !== contigBefore) {
-        this._saveSeqTrackerState();
-        if (ackSeq > 0) {
+        const ackSeq = this._seqTracker.getContiguousSeq(ns);
+        const contigAdvanced = ackSeq !== pageContigBefore;
+        if (contigAdvanced) {
+          await this._drainOrderedMessages(ns);
+          this._saveSeqTrackerState();
+        }
+        if (messages.length > 0 && contigAdvanced && ackSeq > 0) {
           this._safeAsync(this.ackV2(ackSeq).then(() => void 0));
         }
       }
+      const nextAfter = Math.max(pageMaxSeq, nextAfterSeq);
+      if (messages.length === 0 || nextAfter <= nextAfterSeq || result.has_more === false) break;
+      nextAfterSeq = nextAfter;
+    }
+    if (pageCount >= maxPages) {
+      this._clientLog.warn(`message.v2.pull reached max_pages=${maxPages} after_seq=${nextAfterSeq}`);
     }
     return decrypted;
   }
@@ -13576,8 +14984,15 @@ var _AUNClient = class _AUNClient {
    */
   async ackV2(upToSeq) {
     const ns = this._aid ? `p2p:${this._aid}` : "";
-    const seq = upToSeq ?? (ns ? this._seqTracker.getContiguousSeq(ns) : 0);
+    let seq = upToSeq ?? (ns ? this._seqTracker.getContiguousSeq(ns) : 0);
     if (seq <= 0) return { acked: 0 };
+    if (ns) {
+      const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+      if (maxSeen > 0 && seq > maxSeen) {
+        this._clientLog.warn(`ackV2 clamp: up_to_seq=${seq} > max_seen=${maxSeen}, clamp`);
+        seq = maxSeen;
+      }
+    }
     const raw = await this.call("message.v2.ack", { up_to_seq: seq });
     const result = isJsonObject(raw) ? { ...raw } : { result: raw };
     let actualAckSeq = seq;
@@ -13600,8 +15015,8 @@ var _AUNClient = class _AUNClient {
     }
     return result;
   }
-  /** 解密单条 V2 消息（与 Python `_decrypt_v2_message` 对齐） */
-  async _decryptV2Message(msg) {
+  /** 解密单条 V2 消息（与 Python `_decrypt_v2_message` 对齐）。缺 sender IK 时先入 pending，后台补齐后重试。 */
+  async _decryptV2Message(msg, allowPending = true) {
     const session = this._v2Session;
     if (!session) return null;
     const envJson = msg.envelope_json;
@@ -13613,6 +15028,8 @@ var _AUNClient = class _AUNClient {
       this._clientLog.warn(`V2 decrypt: invalid envelope_json for msg seq=${String(msg.seq)}`);
       return null;
     }
+    const e2eeMeta = v2E2eeMeta(envelope);
+    await this._observeAgentMdFromEnvelope(envelope);
     let spkId = "";
     let recipientKeySource = "";
     const recipientObj = envelope.recipient;
@@ -13640,29 +15057,68 @@ var _AUNClient = class _AUNClient {
     }
     const aad = isJsonObject(envelope.aad) ? envelope.aad : {};
     const groupIdForKeys = String(msg.group_id ?? aad.group_id ?? envelope.group_id ?? "").trim();
+    const undecryptableEvent = groupIdForKeys ? "group.message_undecryptable" : "message.undecryptable";
     let ikPriv;
     let spkPriv;
-    if (groupIdForKeys) {
-      const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
-      ikPriv = keys.ikPriv;
-      spkPriv = keys.spkPriv;
-    } else {
-      const keys = await session.getDecryptKeys(spkId);
-      ikPriv = keys.ikPriv;
-      spkPriv = keys.spkPriv;
+    try {
+      if (groupIdForKeys) {
+        const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
+        ikPriv = keys.ikPriv;
+        spkPriv = keys.spkPriv;
+      } else {
+        const keys = await session.getDecryptKeys(spkId);
+        ikPriv = keys.ikPriv;
+        spkPriv = keys.spkPriv;
+      }
+    } catch (exc) {
+      this._clientLog.warn(`V2 decrypt: SPK lookup failed seq=${String(msg.seq)} spk_id=${spkId}: ${String(exc)}`);
+      try {
+        const event = {
+          message_id: String(msg.message_id ?? ""),
+          from: String(msg.from_aid ?? ""),
+          to: String(msg.to ?? ""),
+          seq: msg.seq,
+          timestamp: msg.t_server ?? msg.timestamp,
+          device_id: String(msg.device_id ?? ""),
+          slot_id: String(msg.slot_id ?? ""),
+          _decrypt_error: String(exc),
+          _decrypt_stage: "spk_lookup",
+          _envelope_type: String(envelope.type ?? ""),
+          _suite: String(envelope.suite ?? ""),
+          _spk_id: spkId
+        };
+        attachV2EnvelopeMetadata(event, e2eeMeta);
+        await this._dispatcher.publish(undecryptableEvent, event);
+      } catch {
+      }
+      return null;
     }
     const fromAid = String(msg.from_aid ?? "");
     const senderDeviceId = String(aad.from_device ?? "");
     const senderPubDer = await this._getV2SenderPubDer(fromAid, senderDeviceId);
     if (!senderPubDer) {
-      this._clientLog.warn(`V2 decrypt: no sender IK for ${fromAid}, cannot verify signature`);
+      this._clientLog.warn(`V2 decrypt: no sender IK for ${fromAid} device=${senderDeviceId}`);
+      if (allowPending) {
+        this._scheduleV2SenderIKPending({ msg, fromAid, senderDeviceId, groupId: groupIdForKeys });
+        return null;
+      }
       try {
-        await this._dispatcher.publish("message.undecryptable", {
+        const event = {
           message_id: String(msg.message_id ?? ""),
           from: fromAid,
+          to: String(msg.to ?? ""),
           seq: msg.seq,
-          _decrypt_error: "sender_ik_not_found"
-        });
+          timestamp: msg.t_server ?? msg.timestamp,
+          device_id: String(msg.device_id ?? ""),
+          slot_id: String(msg.slot_id ?? ""),
+          _decrypt_error: "sender_ik_not_found",
+          _decrypt_stage: "sender_ik",
+          _envelope_type: String(envelope.type ?? ""),
+          _suite: String(envelope.suite ?? ""),
+          _sender_device_id: String(aad.from_device ?? "")
+        };
+        attachV2EnvelopeMetadata(event, e2eeMeta);
+        await this._dispatcher.publish(undecryptableEvent, event);
       } catch {
       }
       return null;
@@ -13680,12 +15136,22 @@ var _AUNClient = class _AUNClient {
     } catch (exc) {
       this._clientLog.warn(`V2 decrypt failed for msg seq=${String(msg.seq)}: ${String(exc)}`);
       try {
-        await this._dispatcher.publish("message.undecryptable", {
+        const event = {
           message_id: String(msg.message_id ?? ""),
           from: fromAid,
+          to: String(msg.to ?? ""),
           seq: msg.seq,
-          _decrypt_error: String(exc)
-        });
+          timestamp: msg.t_server ?? msg.timestamp,
+          device_id: String(msg.device_id ?? ""),
+          slot_id: String(msg.slot_id ?? ""),
+          _decrypt_error: String(exc),
+          _decrypt_stage: "decrypt",
+          _envelope_type: String(envelope.type ?? ""),
+          _suite: String(envelope.suite ?? ""),
+          _sender_device_id: String(aad.from_device ?? "")
+        };
+        attachV2EnvelopeMetadata(event, e2eeMeta);
+        await this._dispatcher.publish(undecryptableEvent, event);
       } catch {
       }
       return null;
@@ -13707,7 +15173,8 @@ var _AUNClient = class _AUNClient {
         this._clientLog.debug(`V2 SPK rotation failed (non-fatal): ${exc}`);
       });
     }
-    return {
+    const e2ee = v2E2eeMeta(envelope);
+    const result = {
       message_id: String(msg.message_id ?? ""),
       from: fromAid,
       to: this._aid ?? "",
@@ -13715,8 +15182,10 @@ var _AUNClient = class _AUNClient {
       t_server: msg.t_server,
       payload: plaintext,
       encrypted: true,
-      e2ee: v2E2eeMeta(envelope)
+      e2ee
     };
+    attachV2EnvelopeMetadata(result, e2ee);
+    return result;
   }
   /**
    * V2 Group 加密发送（推测性：用缓存 bootstrap 直接发，失败刷新重试一次）。
@@ -13797,29 +15266,49 @@ var _AUNClient = class _AUNClient {
     const gid = normalizeGroupId(groupId) || String(groupId ?? "").trim();
     if (!gid) throw new ValidationError("group.pull requires group_id");
     const ns = `group:${gid}`;
-    const effective = afterSeq || this._seqTracker.getContiguousSeq(ns);
-    const result = await this.call("group.v2.pull", {
-      group_id: gid,
-      after_seq: effective,
-      limit
-    });
-    const messages = Array.isArray(result?.messages) ? result.messages : [];
     const decrypted = [];
-    const seqs = messages.map((msg) => Number(msg.seq ?? 0)).filter((seq) => Number.isFinite(seq) && seq > 0);
-    const contigBefore = this._seqTracker.getContiguousSeq(ns);
-    if (seqs.length > 0 && seqs[0] > contigBefore) {
-      this._seqTracker.forceContiguousSeq(ns, seqs[0]);
-    }
-    for (const msg of messages) {
-      const seq = Number(msg.seq ?? 0);
-      if (!Number.isFinite(seq) || seq <= 0) continue;
-      const version = String(msg.version ?? "v2");
-      if (version === "v1") {
-        const payload = msg.payload;
-        const payloadObj = isJsonObject(payload) ? payload : null;
-        if (payloadObj) {
-          const payloadType = String(payloadObj.type ?? "").trim();
-          if (payloadType !== "e2ee.encrypted" && payloadType !== "e2ee.group_encrypted") {
+    let nextAfterSeq = afterSeq || this._seqTracker.getContiguousSeq(ns);
+    let pageCount = 0;
+    const maxPages = 100;
+    while (pageCount < maxPages) {
+      pageCount += 1;
+      const result = await this.call("group.v2.pull", {
+        group_id: gid,
+        after_seq: nextAfterSeq,
+        limit
+      });
+      const messages = Array.isArray(result?.messages) ? result.messages : [];
+      const seqs = messages.map((msg) => Number(msg.seq ?? 0)).filter((seq) => Number.isFinite(seq) && seq > 0);
+      const pageContigBefore = this._seqTracker.getContiguousSeq(ns);
+      const pageMaxSeq = seqs.length > 0 ? Math.max(...seqs) : nextAfterSeq;
+      if (seqs.length > 0) {
+        this._seqTracker.forceContiguousSeq(ns, pageMaxSeq);
+      }
+      for (const msg of messages) {
+        const seq = Number(msg.seq ?? 0);
+        if (!Number.isFinite(seq) || seq <= 0) continue;
+        const version = String(msg.version ?? "v2");
+        if (version === "v1") {
+          const payload = msg.payload;
+          const payloadObj = isJsonObject(payload) ? payload : null;
+          if (payloadObj) {
+            const payloadType = String(payloadObj.type ?? "").trim();
+            if (payloadType !== "e2ee.encrypted" && payloadType !== "e2ee.group_encrypted") {
+              const v1Msg = {
+                message_id: String(msg.message_id ?? ""),
+                from: String(msg.from_aid ?? ""),
+                group_id: gid,
+                seq: msg.seq,
+                type: String(msg.type ?? ""),
+                timestamp: msg.t_server,
+                payload,
+                encrypted: false
+              };
+              await this._publishPulledMessage("group.message_created", ns, seq, v1Msg);
+              decrypted.push(v1Msg);
+              continue;
+            }
+          } else if (payload !== void 0 && payload !== null) {
             const v1Msg = {
               message_id: String(msg.message_id ?? ""),
               from: String(msg.from_aid ?? ""),
@@ -13834,48 +15323,43 @@ var _AUNClient = class _AUNClient {
             decrypted.push(v1Msg);
             continue;
           }
-        } else if (payload !== void 0 && payload !== null) {
-          const v1Msg = {
-            message_id: String(msg.message_id ?? ""),
-            from: String(msg.from_aid ?? ""),
-            group_id: gid,
-            seq: msg.seq,
-            type: String(msg.type ?? ""),
-            timestamp: msg.t_server,
-            payload,
-            encrypted: false
-          };
-          await this._publishPulledMessage("group.message_created", ns, seq, v1Msg);
-          decrypted.push(v1Msg);
+          this._clientLog.debug(`group.v2.pull skipping V1 envelope group=${gid} seq=${seq} payload_type=${payloadObj ? String(payloadObj.type ?? "") : "<none>"} (V1 E2EE removed)`);
           continue;
         }
-        this._clientLog.debug(`group.v2.pull skipping V1 envelope group=${gid} seq=${seq} payload_type=${payloadObj ? String(payloadObj.type ?? "") : "<none>"} (V1 E2EE removed)`);
-        continue;
-      }
-      if (version !== "v2") {
-        this._clientLog.debug(`group.v2.pull skipping non-V2 row group=${gid} seq=${seq} version=${String(msg.version ?? "")}`);
-        continue;
+        if (version !== "v2") {
+          this._clientLog.debug(`group.v2.pull skipping non-V2 row group=${gid} seq=${seq} version=${String(msg.version ?? "")}`);
+          continue;
+        }
+        const plaintext = await this._decryptV2Message(msg);
+        if (plaintext === null) continue;
+        plaintext.group_id = gid;
+        await this._publishPulledMessage("group.message_created", ns, seq, plaintext);
+        decrypted.push(plaintext);
       }
-      const plaintext = await this._decryptV2Message(msg);
-      if (plaintext === null) continue;
-      plaintext.group_id = gid;
-      await this._publishPulledMessage("group.message_created", ns, seq, plaintext);
-      decrypted.push(plaintext);
-    }
-    if (seqs.length > 0) {
-      const maxSeq = Math.max(...seqs);
-      const contig = this._seqTracker.getContiguousSeq(ns);
-      if (maxSeq > contig) {
-        this._seqTracker.forceContiguousSeq(ns, maxSeq);
-        await this._drainOrderedMessages(ns);
+      const cursor = isJsonObject(result.cursor) ? result.cursor : null;
+      const serverAckSeq = Number(cursor?.current_seq ?? 0);
+      if (Number.isFinite(serverAckSeq) && serverAckSeq > 0) {
+        const contig = this._seqTracker.getContiguousSeq(ns);
+        if (contig < serverAckSeq) {
+          this._clientLog.info(`group.v2.pull retention-floor advance: ns=${ns} contiguous=${contig} -> cursor.current_seq=${serverAckSeq}`);
+          this._seqTracker.forceContiguousSeq(ns, serverAckSeq);
+        }
       }
       const ackSeq = this._seqTracker.getContiguousSeq(ns);
-      if (ackSeq !== contigBefore) {
+      const contigAdvanced = ackSeq !== pageContigBefore;
+      if (contigAdvanced) {
+        await this._drainOrderedMessages(ns);
         this._saveSeqTrackerState();
-        if (ackSeq > 0) {
-          this._safeAsync(this.ackGroupV2(gid, ackSeq).then(() => void 0));
-        }
       }
+      if (messages.length > 0 && contigAdvanced && ackSeq > 0) {
+        this._safeAsync(this.ackGroupV2(gid, ackSeq).then(() => void 0));
+      }
+      const nextAfter = Math.max(pageMaxSeq, nextAfterSeq);
+      if (messages.length === 0 || nextAfter <= nextAfterSeq || result.has_more === false) break;
+      nextAfterSeq = nextAfter;
+    }
+    if (pageCount >= maxPages) {
+      this._clientLog.warn(`group.v2.pull reached max_pages=${maxPages} group=${gid} after_seq=${nextAfterSeq}`);
     }
     return decrypted;
   }
@@ -13889,8 +15373,13 @@ var _AUNClient = class _AUNClient {
     const gid = normalizeGroupId(groupId) || String(groupId ?? "").trim();
     if (!gid) throw new ValidationError("group.ack_messages requires group_id");
     const ns = `group:${gid}`;
-    const seq = upToSeq ?? this._seqTracker.getContiguousSeq(ns);
+    let seq = upToSeq ?? this._seqTracker.getContiguousSeq(ns);
     if (seq <= 0) return { acked: 0 };
+    const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+    if (maxSeen > 0 && seq > maxSeen) {
+      this._clientLog.warn(`ackGroupV2 clamp: group=${gid} up_to_seq=${seq} > max_seen=${maxSeen}, clamp`);
+      seq = maxSeen;
+    }
     return this.call("group.v2.ack", { group_id: gid, up_to_seq: seq });
   }
   // ── V2 thought（per-device wrap，服务端透传，不持久化）──────────
@@ -13929,32 +15418,25 @@ var _AUNClient = class _AUNClient {
     }
     const targets = [];
     for (const dev of peerDevices) {
-      const ikDer = _v2B64ToBytes(String(dev.ik_pk ?? ""));
-      const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-      session.cachePeerIK(to, String(dev.device_id ?? ""), ikDer);
-      targets.push({
+      const devId = getV2DeviceId(dev);
+      const target = await this._v2BuildTargetFromDevice({
+        dev,
         aid: to,
-        deviceId: String(dev.device_id ?? ""),
+        deviceId: devId.value,
         role: "peer",
-        keySource: String(dev.key_source ?? "peer_device_prekey"),
-        ikPkDer: ikDer,
-        spkPkDer: spkDer,
-        spkId: String(dev.spk_id ?? "")
+        defaultKeySource: "peer_device_prekey"
       });
+      if (target) targets.push(target);
     }
     for (const dev of auditRaw) {
-      if (!dev.ik_pk) continue;
-      const ikDer = _v2B64ToBytes(String(dev.ik_pk));
-      const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-      targets.push({
+      const target = await this._v2BuildTargetFromDevice({
+        dev,
         aid: String(dev.aid ?? ""),
         deviceId: String(dev.device_id ?? ""),
         role: "audit",
-        keySource: String(dev.key_source ?? "peer_device_prekey"),
-        ikPkDer: ikDer,
-        spkPkDer: spkDer,
-        spkId: String(dev.spk_id ?? "")
+        defaultKeySource: "peer_device_prekey"
       });
+      if (target) targets.push(target);
     }
     if (this._aid && this._aid !== to) {
       try {
@@ -13974,19 +15456,16 @@ var _AUNClient = class _AUNClient {
           }
         }
         for (const dev of selfDevices) {
-          const devId = String(dev.owner_device_id ?? dev.device_id ?? "");
-          if (devId === this._deviceId) continue;
-          const ikDer = _v2B64ToBytes(String(dev.ik_pk ?? ""));
-          const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-          targets.push({
+          const devId = getV2DeviceId(dev);
+          if (!devId.present || devId.value === this._deviceId) continue;
+          const target = await this._v2BuildTargetFromDevice({
+            dev,
             aid: this._aid,
-            deviceId: devId,
+            deviceId: devId.value,
             role: "self_sync",
-            keySource: String(dev.key_source ?? "peer_device_prekey"),
-            ikPkDer: ikDer,
-            spkPkDer: spkDer,
-            spkId: String(dev.spk_id ?? "")
+            defaultKeySource: "peer_device_prekey"
           });
+          if (target) targets.push(target);
         }
       } catch (exc) {
         this._clientLog.debug(`V2 thought self-sync bootstrap failed (non-fatal): ${String(exc)}`);
@@ -14019,14 +15498,14 @@ var _AUNClient = class _AUNClient {
     const thoughtId = String(params.thought_id ?? "") || `mt-${_uuidV4()}`;
     const timestamp = Number(params.timestamp ?? Date.now());
     const attempt = async (useCache) => {
-      const envelopeContext = params.context && typeof params.context === "object" && !Array.isArray(params.context) ? params.context : void 0;
+      const envelopeContext2 = params.context && typeof params.context === "object" && !Array.isArray(params.context) ? params.context : void 0;
       const envelope = await this._buildV2P2PEnvelope({
         to: toAid,
         payload,
         messageId: thoughtId,
         timestamp,
         useCache,
-        context: envelopeContext
+        context: envelopeContext2
       });
       const sendParams = {
         to: toAid,
@@ -14079,6 +15558,9 @@ var _AUNClient = class _AUNClient {
       allDevices = Array.isArray(bs?.devices) ? bs.devices : [];
       epoch = Number(bs?.epoch ?? 0);
       auditRecipientsRaw = Array.isArray(bs?.audit_recipients) ? bs.audit_recipients : [];
+      await this._v2CheckFork(groupId, String(bs?.state_chain ?? ""));
+      await this._v2VerifyStateSignature(groupId, bs);
+      await this._publishV2GroupSecurityLevel(groupId, bs);
       stateCommitment = {
         state_version: Number(bs?.state_version ?? 0) || 0,
         state_hash: String(bs?.state_hash_signed ?? bs?.state_hash ?? ""),
@@ -14093,9 +15575,6 @@ var _AUNClient = class _AUNClient {
           stateCommitment
         });
       }
-      await this._v2CheckFork(groupId, String(bs?.state_chain ?? ""));
-      await this._v2VerifyStateSignature(groupId, bs);
-      await this._publishV2GroupSecurityLevel(groupId, bs);
       const pendingAdds = Array.isArray(bs?.pending_adds) ? bs.pending_adds : [];
       if (pendingAdds.length > 0 && this._v2Session) {
         this._v2MaybeTriggerAutoPropose(groupId);
@@ -14107,34 +15586,27 @@ var _AUNClient = class _AUNClient {
     const targets = [];
     for (const dev of allDevices) {
       const devAid = String(dev.aid ?? "");
-      const devId = String(dev.device_id ?? "");
-      if (devAid === this._aid && devId === this._deviceId) continue;
-      const ikDer = _v2B64ToBytes(String(dev.ik_pk ?? ""));
-      const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
+      const devId = getV2DeviceId(dev);
+      if (devAid === this._aid && devId.present && devId.value === this._deviceId) continue;
       const role = devAid === this._aid ? "self_sync" : "member";
-      targets.push({
+      const target = await this._v2BuildTargetFromDevice({
+        dev,
         aid: devAid,
-        deviceId: devId,
+        deviceId: devId.value,
         role,
-        keySource: String(dev.key_source ?? "peer_device_prekey"),
-        ikPkDer: ikDer,
-        spkPkDer: spkDer,
-        spkId: String(dev.spk_id ?? "")
+        defaultKeySource: "peer_device_prekey"
       });
+      if (target) targets.push(target);
     }
     for (const dev of auditRecipientsRaw) {
-      if (!dev.ik_pk) continue;
-      const ikDer = _v2B64ToBytes(String(dev.ik_pk));
-      const spkDer = dev.spk_pk ? _v2B64ToBytes(String(dev.spk_pk)) : void 0;
-      targets.push({
+      const target = await this._v2BuildTargetFromDevice({
+        dev,
         aid: String(dev.aid ?? ""),
         deviceId: String(dev.device_id ?? ""),
         role: "audit",
-        keySource: String(dev.key_source ?? "peer_device_prekey"),
-        ikPkDer: ikDer,
-        spkPkDer: spkDer,
-        spkId: String(dev.spk_id ?? "")
+        defaultKeySource: "peer_device_prekey"
       });
+      if (target) targets.push(target);
     }
     if (targets.length === 0) {
       throw new E2EEError(`V2 group: no target devices for ${groupId}`);
@@ -14179,14 +15651,14 @@ var _AUNClient = class _AUNClient {
     const thoughtId = String(params.thought_id ?? "") || `gt-${_uuidV4()}`;
     const timestamp = Number(params.timestamp ?? Date.now());
     const attempt = async (useCache) => {
-      const envelopeContext = params.context && typeof params.context === "object" && !Array.isArray(params.context) ? params.context : void 0;
+      const envelopeContext2 = params.context && typeof params.context === "object" && !Array.isArray(params.context) ? params.context : void 0;
       const envelope = await this._buildV2GroupEnvelope({
         groupId,
         payload,
         messageId: thoughtId,
         timestamp,
         useCache,
-        context: envelopeContext
+        context: envelopeContext2
       });
       const sendParams = {
         group_id: groupId,
@@ -14237,20 +15709,26 @@ var _AUNClient = class _AUNClient {
     const groupIdForKeys = String(aad.group_id ?? opts.envelope.group_id ?? "").trim();
     let ikPriv;
     let spkPriv;
-    if (groupIdForKeys) {
-      const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
-      ikPriv = keys.ikPriv;
-      spkPriv = keys.spkPriv;
-    } else {
-      const keys = await session.getDecryptKeys(spkId);
-      ikPriv = keys.ikPriv;
-      spkPriv = keys.spkPriv;
+    try {
+      if (groupIdForKeys) {
+        const keys = await session.getGroupDecryptKeys(groupIdForKeys, spkId);
+        ikPriv = keys.ikPriv;
+        spkPriv = keys.spkPriv;
+      } else {
+        const keys = await session.getDecryptKeys(spkId);
+        ikPriv = keys.ikPriv;
+        spkPriv = keys.spkPriv;
+      }
+    } catch (exc) {
+      this._clientLog.warn(`V2 thought decrypt: SPK lookup failed from=${opts.fromAid}, group=${groupIdForKeys || "<p2p>"}, spk_id=${spkId || "<empty>"}: ${exc}`);
+      return null;
     }
     const fromAid = String(opts.fromAid || aad.from || "").trim();
     const senderDeviceId = String(aad.from_device ?? "");
     const senderPubDer = await this._getV2SenderPubDer(fromAid, senderDeviceId);
     if (!senderPubDer) {
       this._clientLog.warn(`V2 thought decrypt: no sender IK for ${fromAid} device=${senderDeviceId}`);
+      this._scheduleV2SenderIKFetch(fromAid, senderDeviceId, groupIdForKeys);
       return null;
     }
     try {
@@ -14304,11 +15782,12 @@ var _AUNClient = class _AUNClient {
       const signPayload = stableStringify(signPayloadObj);
       const signPayloadBytes = new TextEncoder().encode(signPayload);
       const sigBytes = base64ToUint8(stateSignature);
-      const cacheInput = new TextEncoder().encode(actorAid + "\0" + signPayload + "\0");
-      const cacheData = new Uint8Array(cacheInput.length + sigBytes.length);
-      cacheData.set(cacheInput, 0);
-      cacheData.set(sigBytes, cacheInput.length);
-      const cacheHashBuf = await crypto.subtle.digest("SHA-256", cacheData.buffer);
+      const cacheData = _v2LengthPrefixedBytes(
+        new TextEncoder().encode(actorAid),
+        signPayloadBytes,
+        sigBytes
+      );
+      const cacheHashBuf = await crypto.subtle.digest("SHA-256", cacheData.slice().buffer);
       const cacheHashArr = new Uint8Array(cacheHashBuf);
       let cacheKey = "";
       for (let i = 0; i < cacheHashArr.length; i++) cacheKey += cacheHashArr[i].toString(16).padStart(2, "0");
@@ -14502,8 +15981,9 @@ var _AUNClient = class _AUNClient {
       const candidates = [];
       for (const dev of devices) {
         const aid = String(dev.aid ?? "").trim();
+        const hasDeviceId = "device_id" in dev;
         const deviceId = String(dev.device_id ?? "").trim();
-        if (aid && deviceId && onlineAdminAids.has(aid)) {
+        if (aid && hasDeviceId && onlineAdminAids.has(aid)) {
           candidates.push(`${aid}${deviceId}`);
         }
       }
@@ -14517,7 +15997,7 @@ var _AUNClient = class _AUNClient {
         this._clientLog.debug(`V2 auto propose leader elected: group=${groupId} leader=${leader}`);
         return true;
       }
-      const delayMs = await this._v2LeaderDelayMs(`${groupId}\0${myKey}`);
+      const delayMs = await this._v2LeaderDelayMs(_v2LengthPrefixedTextKey(groupId, myKey));
       this._clientLog.debug(`V2 auto propose non-leader delay: group=${groupId} leader=${leader} self=${myKey} delay_ms=${delayMs}`);
       await this._sleep(delayMs);
       return true;
@@ -14785,45 +16265,57 @@ var _AUNClient = class _AUNClient {
     const pushFrom = isJsonObject(data) ? String(data.from_aid ?? "") : "";
     const pushMsgId = isJsonObject(data) ? String(data.message_id ?? "") : "";
     const envelopeJson = isJsonObject(data) ? data.envelope_json : void 0;
+    const hasPayload = !!envelopeJson;
     const ns = this._aid ? `p2p:${this._aid}` : "";
     let contigBefore = ns ? this._seqTracker.getContiguousSeq(ns) : 0;
     this._clientLog.debug(
-      `_onV2PushNotification: push_seq=${pushSeq || "null"} push_from=${pushFrom} push_msg_id=${pushMsgId} has_payload=${!!envelopeJson} contiguous_seq=${contigBefore}`
+      `_onV2PushNotification: push_seq=${pushSeq || "null"} push_from=${pushFrom} push_msg_id=${pushMsgId} has_payload=${hasPayload} contiguous_seq=${contigBefore}`
     );
-    if (envelopeJson && pushSeq > 0 && ns) {
+    if (pushSeq > 0 && ns) {
+      this._seqTracker.updateMaxSeen(ns, pushSeq);
+      if (contigBefore === pushSeq) {
+        this._clientLog.debug(
+          `_onV2PushNotification: push seq=${pushSeq} already covered by contiguous_seq=${contigBefore}, ignore duplicate push`
+        );
+        return;
+      }
+      contigBefore = this._repairPushContiguousBound(
+        ns,
+        pushSeq,
+        hasPayload,
+        "_raw.peer.v2.message_received"
+      );
+    }
+    if (hasPayload && pushSeq > 0 && ns) {
       try {
         const decrypted = await this._decryptV2Message(data);
         if (decrypted) {
-          this._seqTracker.onMessageSeq(ns, pushSeq);
-          if (pushSeq === contigBefore + 1) {
-            this._seqTracker.forceContiguousSeq(ns, pushSeq);
-          }
-          await this._publishOrderedMessage("message.received", ns, pushSeq, decrypted);
+          const needPull = this._seqTracker.onMessageSeq(ns, pushSeq);
+          const published = await this._publishOrderedMessage("message.received", ns, pushSeq, decrypted);
           const newContig = this._seqTracker.getContiguousSeq(ns);
           if (newContig !== contigBefore) {
             this._saveSeqTrackerState();
           }
           if (newContig > 0 && newContig !== contigBefore) {
-            this._transport.call("message.v2.ack", { up_to_seq: newContig }).catch((e) => this._clientLog.debug(`V2 P2P push-ack failed: ${e}`));
+            const maxSeen = this._seqTracker.getMaxSeenSeq(ns);
+            const ackSeq = maxSeen > 0 ? Math.min(newContig, maxSeen) : newContig;
+            this.call("message.v2.ack", { up_to_seq: ackSeq }).catch((e) => this._clientLog.debug(`V2 P2P push-ack failed: ${e}`));
           }
           this._clientLog.debug(
             `_onV2PushNotification: push \u5E26 payload \u89E3\u5BC6\u6210\u529F, contiguous_seq=${contigBefore}->${newContig} push_seq=${pushSeq}`
           );
-          return;
+          if (!needPull && (published || newContig >= pushSeq || pushSeq <= contigBefore)) {
+            return;
+          }
+          this._clientLog.debug(
+            `_onV2PushNotification: payload push seq=${pushSeq} \u56E0\u7A7A\u6D1E\u6302\u8D77\uFF0C\u7EE7\u7EED pull \u8865\u9F50 after_seq=${newContig}`
+          );
         }
       } catch (exc) {
         this._clientLog.debug(`_onV2PushNotification: push payload \u89E3\u5BC6\u5931\u8D25, fallback to pull: ${exc}`);
       }
     }
     if (pushSeq > 0 && ns) {
-      if (contigBefore >= pushSeq) {
-        this._clientLog.warn(
-          `_onV2PushNotification: contiguous_seq=${contigBefore} \u8D8A\u754C\uFF08>= push_seq=${pushSeq}\uFF09\uFF0C\u5F3A\u5236\u4FEE\u590D\u4E3A ${pushSeq - 1}`
-        );
-        this._seqTracker.forceContiguousSeq(ns, pushSeq - 1);
-        this._saveSeqTrackerState();
-        contigBefore = pushSeq - 1;
-      }
       this._clientLog.debug(
         `_onV2PushNotification: \u7EAF\u901A\u77E5 push_seq=${pushSeq} > contiguous_seq=${contigBefore}, \u89E6\u53D1 pull(after_seq=${contigBefore})`
       );
@@ -14891,8 +16383,7 @@ var _AUNClient = class _AUNClient {
 };
 __publicField(_AUNClient, "V2_BOOTSTRAP_TTL_MS", 60 * 60 * 1e3);
 __publicField(_AUNClient, "V2_RETRYABLE_CODES", /* @__PURE__ */ new Set([-33011, -33012, -33050, -33052, -33054]));
-__publicField(_AUNClient, "_V2_SIG_CACHE_TTL", 6e5);
-// 10 min
+__publicField(_AUNClient, "_V2_SIG_CACHE_TTL", 60 * 60 * 1e3);
 __publicField(_AUNClient, "_V2_SIG_CACHE_MAX", 16384);
 // ── 内部：断线重连 ────────────────────────────────
 /** 不重连 close code 集合：认证失败/权限错误/被踢等，重连无意义 */
@@ -14964,7 +16455,7 @@ var ProtectedHeaders = class _ProtectedHeaders {
 };
 
 // src/index.ts
-var __version__ = "0.2.13";
+var __version__ = "0.3.2";
 export {
   AUNClient,
   AUNError,