@brightchain/brightchain-lib 0.29.26 → 0.29.27

package/src/lib/services/communication/groupService.js

@@ -2,12 +2,17 @@
 /**
  * GroupService — manages group lifecycle, key management, and messaging.
  *
- * Maintains in-memory stores for groups and messages, with symmetric key
- * generation per group and ECIES-style per-member key encryption.
- * Supports member management with key rotation on departure,
- * message edit/delete/pin/reaction operations.
+ * Maintains in-memory stores for groups and messages, with epoch-aware
+ * symmetric key management via IKeyEpochState. Each key rotation creates
+ * a new epoch. Messages record which epoch they were encrypted under.
+ * On member removal, all epoch keys are re-wrapped for remaining members only.
  *
- * Requirements: 10.2
+ * When an IChatStorageProvider is injected, groups and group messages are
+ * also persisted to the provider's collections (write-through). Sync helper
+ * methods continue to read from the in-memory Maps so their signatures
+ * remain unchanged.
+ *
+ * Requirements: 10.2, 5.1, 5.2, 5.3, 5.4, 9.3
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.GroupService = exports.MemberAlreadyInGroupError = exports.ReactionNotFoundError = exports.NotMessageAuthorError = exports.MemberMutedError = exports.GroupPermissionError = exports.GroupMessageNotFoundError = exports.NotGroupMemberError = exports.GroupNotFoundError = void 0;
@@ -15,9 +20,12 @@ exports.extractKeyFromDefault = extractKeyFromDefault;
 const uuid_1 = require("uuid");
 const platformCrypto_1 = require("../../crypto/platformCrypto");
 const communication_1 = require("../../enumerations/communication");
+const attachmentUtils_1 = require("./attachmentUtils");
 const events_1 = require("../../interfaces/events");
 const pagination_1 = require("../../utils/pagination");
+const encryptionErrors_1 = require("../../errors/encryptionErrors");
 const messageOperationsService_1 = require("./messageOperationsService");
+const rehydrationHelpers_1 = require("./rehydrationHelpers");
 // ─── Error classes ──────────────────────────────────────────────────────────
 class GroupNotFoundError extends Error {
     constructor(groupId) {
@@ -108,20 +116,86 @@ class GroupService {
     groups = new Map();
     /** groupId → messages (ordered by createdAt ascending) */
     messages = new Map();
-    /** groupId → raw symmetric key (Uint8Array) */
-    symmetricKeys = new Map();
+    /** groupId → epoch-aware key state (raw keys + wrapped keys per epoch) */
+    keyEpochStates = new Map();
     permissionService;
     encryptKey;
     messageOps;
     eventEmitter;
     randomBytesProvider;
-    constructor(permissionService, encryptKey = defaultKeyEncryption, messageOps, eventEmitter, randomBytesProvider) {
+    /** Optional persistent collection for groups (write-through). */
+    groupCollection;
+    /** Optional persistent collection for group messages (write-through). */
+    groupMessageCollection;
+    /** Optional block content store for storing message content as blocks. */
+    blockContentStore;
+    /** Whether init() has already been called (idempotency guard). */
+    initialized = false;
+    constructor(permissionService, encryptKey = defaultKeyEncryption, messageOps, eventEmitter, randomBytesProvider, storageProvider, blockContentStore) {
         this.permissionService = permissionService;
         this.encryptKey = encryptKey;
         this.messageOps =
             messageOps ?? new messageOperationsService_1.MessageOperationsService(permissionService);
         this.eventEmitter = eventEmitter ?? new events_1.NullEventEmitter();
         this.randomBytesProvider = randomBytesProvider ?? platformCrypto_1.getRandomBytes;
+        this.blockContentStore = blockContentStore;
+        if (storageProvider) {
+            this.groupCollection = storageProvider.groups;
+            this.groupMessageCollection = storageProvider.groupMessages;
+        }
+    }
+    // ─── Rehydration ──────────────────────────────────────────────────────
+    /**
+     * Load persisted groups and group messages back into in-memory Maps.
+     *
+     * Idempotent: only the first call performs rehydration. No-op when no
+     * storage provider was supplied at construction time.
+     *
+     * Requirements: 1.2, 1.5, 1.6, 3.1, 3.2, 3.3, 3.4, 3.5, 8.1, 8.2, 8.3, 9.1, 9.4
+     */
+    async init() {
+        if (this.initialized)
+            return;
+        if (!this.groupCollection)
+            return;
+        this.initialized = true;
+        // ── Load groups ───────────────────────────────────────────────────
+        let loadedGroups;
+        try {
+            loadedGroups = await this.groupCollection.findMany();
+        }
+        catch (error) {
+            console.error('[GroupService] Failed to load from groups collection:', error);
+            throw error;
+        }
+        for (const group of loadedGroups) {
+            this.groups.set(group.id, group);
+            // Reconstruct key epoch state
+            const epochState = (0, rehydrationHelpers_1.reconstructKeyEpochState)(group.encryptedSharedKey);
+            if (epochState) {
+                this.keyEpochStates.set(group.id, epochState);
+            }
+            else {
+                console.warn(`[GroupService] Skipping key epoch reconstruction for group ${group.id}: malformed encryptedSharedKey`);
+            }
+            // Register permissions for each member
+            for (const member of group.members) {
+                this.permissionService.assignRole(member.memberId, group.id, member.role);
+            }
+        }
+        // ── Load group messages ─────────────────────────────────────────────
+        let loadedMessages;
+        try {
+            loadedMessages = await this.groupMessageCollection.findMany();
+        }
+        catch (error) {
+            console.error('[GroupService] Failed to load from groupMessages collection:', error);
+            throw error;
+        }
+        const grouped = (0, rehydrationHelpers_1.groupAndSortMessages)(loadedMessages);
+        for (const [contextId, msgs] of grouped) {
+            this.messages.set(contextId, msgs);
+        }
     }
     // ─── Helpers ────────────────────────────────────────────────────────────
     assertGroupExists(groupId) {
@@ -149,29 +223,111 @@ class GroupService {
     generateSymmetricKey() {
         return this.randomBytesProvider(32); // AES-256
     }
-    encryptKeyForMembers(memberIds, symmetricKey) {
+    /**
+     * Encrypt a symmetric key for multiple members, returning a Map<memberId, wrappedKey>.
+     * Wraps key wrapping failures as KeyUnwrapError with context information.
+     *
+     * Requirements: 12.3
+     */
+    encryptKeyForMembers(memberIds, symmetricKey, contextId, epoch) {
         const encrypted = new Map();
         for (const id of memberIds) {
-            encrypted.set(id, this.encryptKey(id, symmetricKey));
+            try {
+                encrypted.set(id, this.encryptKey(id, symmetricKey));
+            }
+            catch (error) {
+                if (contextId !== undefined && epoch !== undefined) {
+                    throw new encryptionErrors_1.KeyUnwrapError(contextId, id, epoch);
+                }
+                throw error;
+            }
         }
         return encrypted;
     }
     /**
-     * Rotate the group's symmetric key and re-encrypt for remaining members.
-     * Requirement 10.2: key rotation on member departure.
+     * Assert that a key epoch exists in the epoch state for a given context.
+     * Throws KeyEpochNotFoundError if the epoch is not found.
+     *
+     * Requirements: 12.3
+     */
+    assertEpochExists(contextId, keyEpoch) {
+        const state = this.keyEpochStates.get(contextId);
+        if (!state || !state.epochKeys.has(keyEpoch)) {
+            throw new encryptionErrors_1.KeyEpochNotFoundError(contextId, keyEpoch);
+        }
+    }
+    /**
+     * Create initial epoch state (epoch 0) for a new group.
+     * Uses KeyEpochManager pattern: creates epoch 0 with wrapped keys for all members.
+     *
+     * Requirements: 5.1
+     */
+    createInitialEpochState(symmetricKey, memberIds) {
+        const epochKeys = new Map();
+        epochKeys.set(0, symmetricKey);
+        const wrappedKeys = this.encryptKeyForMembers(memberIds, symmetricKey);
+        const encryptedEpochKeys = new Map();
+        encryptedEpochKeys.set(0, wrappedKeys);
+        return { currentEpoch: 0, epochKeys, encryptedEpochKeys };
+    }
+    /**
+     * Add a member to an existing epoch state: wrap ALL epoch keys for the new member.
+     * This gives the new member access to full message history.
+     *
+     * Requirements: 5.2
      */
-    rotateKey(group) {
+    addMemberToEpochState(state, newMemberId) {
+        for (const [epoch, rawKey] of state.epochKeys) {
+            const epochMap = state.encryptedEpochKeys.get(epoch) ?? new Map();
+            epochMap.set(newMemberId, this.encryptKey(newMemberId, rawKey));
+            state.encryptedEpochKeys.set(epoch, epochMap);
+        }
+    }
+    /**
+     * Rotate key: increment epoch, add new key, delete removed member from ALL epochs,
+     * re-wrap ALL epoch keys for remaining members.
+     *
+     * Requirements: 5.3
+     */
+    rotateEpochState(state, newKey, remainingMemberIds, removedMemberId) {
+        const newEpoch = state.currentEpoch + 1;
+        // Add new epoch key
+        state.epochKeys.set(newEpoch, newKey);
+        // Delete removed member from ALL epochs
+        for (const [, memberMap] of state.encryptedEpochKeys) {
+            memberMap.delete(removedMemberId);
+        }
+        // Re-wrap ALL epoch keys for remaining members
+        for (const [epoch, rawKey] of state.epochKeys) {
+            state.encryptedEpochKeys.set(epoch, this.encryptKeyForMembers(remainingMemberIds, rawKey));
+        }
+        return { ...state, currentEpoch: newEpoch };
+    }
+    /**
+     * Rotate the group's symmetric key using epoch-aware key management.
+     * Generates a new key, increments epoch, re-wraps all epoch keys for remaining members,
+     * and removes the departed member from all epochs.
+     *
+     * Requirements: 5.3
+     */
+    rotateKey(group, removedMemberId) {
         const newKey = this.generateSymmetricKey();
-        this.symmetricKeys.set(group.id, newKey);
-        group.encryptedSharedKey = this.encryptKeyForMembers(group.members.map((m) => m.memberId), newKey);
+        const state = this.keyEpochStates.get(group.id);
+        if (state) {
+            const remainingMemberIds = group.members.map((m) => m.memberId);
+            const newState = this.rotateEpochState(state, newKey, remainingMemberIds, removedMemberId);
+            this.keyEpochStates.set(group.id, newState);
+            group.encryptedSharedKey = newState.encryptedEpochKeys;
+        }
     }
     // ─── Group lifecycle ──────────────────────────────────────────────────
     /**
      * Create a new group with the given members.
      * Generates a shared symmetric key and encrypts it for each member.
      * The creator is assigned the OWNER role; others get MEMBER.
+     * Uses KeyEpochManager pattern to create initial epoch 0.
      *
-     * Requirement 10.2: group creation with symmetric key management.
+     * Requirements: 10.2, 5.1, 9.3
      */
     async createGroup(name, creatorId, memberIds) {
         const now = new Date();
@@ -186,30 +342,36 @@ class GroupService {
             role: id === creatorId ? communication_1.DefaultRole.OWNER : communication_1.DefaultRole.MEMBER,
             joinedAt: now,
         }));
-        const encryptedSharedKey = this.encryptKeyForMembers(allMemberIds, symmetricKey);
+        // Create initial epoch state (epoch 0) with wrapped keys for all members
+        const epochState = this.createInitialEpochState(symmetricKey, allMemberIds);
         const group = {
             id: groupId,
             name,
             creatorId,
             members,
-            encryptedSharedKey,
+            encryptedSharedKey: epochState.encryptedEpochKeys,
             createdAt: now,
             lastMessageAt: now,
             pinnedMessageIds: [],
         };
         this.groups.set(groupId, group);
         this.messages.set(groupId, []);
-        this.symmetricKeys.set(groupId, symmetricKey);
+        this.keyEpochStates.set(groupId, epochState);
         // Register roles in PermissionService
         for (const member of members) {
             this.permissionService.assignRole(member.memberId, groupId, member.role);
         }
+        // Persist to storage provider if available
+        if (this.groupCollection) {
+            await this.groupCollection.create(group);
+        }
         // Emit group created event
         this.eventEmitter.emitGroupCreated(groupId, groupId, creatorId, allMemberIds);
         return group;
     }
     /**
      * Create a group from a promoted conversation, preserving message history.
+     * Generates a FRESH CEK (not reusing the DM key) per Requirement 5.4.
      * Used by ConversationService.promoteToGroup.
      */
     async createGroupFromConversation(conversationId, existingParticipants, newMemberIds, existingMessages, requesterId) {
@@ -217,6 +379,7 @@ class GroupService {
             ...existingParticipants,
             ...newMemberIds.filter((id) => !existingParticipants.includes(id)),
         ];
+        // createGroup generates a FRESH CEK — does not reuse the DM key
         const group = await this.createGroup(`Group from conversation`, requesterId, allMemberIds.filter((id) => id !== requesterId));
         group.promotedFromConversation = conversationId;
         // Migrate existing messages into the group
@@ -228,6 +391,14 @@ class GroupService {
                 contextId: group.id,
             };
             groupMessages.push(migratedMsg);
+            // Persist migrated message to storage provider if available
+            if (this.groupMessageCollection) {
+                await this.groupMessageCollection.create(migratedMsg);
+            }
+        }
+        // Persist group update (promotedFromConversation) to storage provider if available
+        if (this.groupCollection) {
+            await this.groupCollection.update(group.id, group);
         }
         return group;
     }
@@ -242,52 +413,87 @@ class GroupService {
     // ─── Messaging ────────────────────────────────────────────────────────
     /**
      * Send a message to a group.
-     * Requirement 10.2: group messaging with permission and mute checks.
+     * Encrypts content with the current epoch's CEK and records the keyEpoch.
+     * Optionally accepts attachments which are validated against platform limits.
+     *
+     * Requirements: 10.2, 9.3, 11.1, 11.2, 11.4, 11.5
      */
-    async sendMessage(groupId, senderId, content) {
+    async sendMessage(groupId, senderId, content, attachments) {
         const group = this.assertGroupExists(groupId);
         this.assertIsMember(group, senderId);
         this.assertPermission(senderId, groupId, communication_1.Permission.SEND_MESSAGES);
         this.assertNotMuted(senderId, groupId);
+        // Validate and prepare attachment metadata before creating the message
+        const attachmentMetadata = attachments?.length
+            ? (0, attachmentUtils_1.validateAndPrepareAttachments)(attachments)
+            : [];
+        const state = this.keyEpochStates.get(groupId);
+        const currentEpoch = state?.currentEpoch ?? 0;
+        // Store content via block content store if available; otherwise use raw content
+        let messageContent = content;
+        if (this.blockContentStore) {
+            const memberIds = group.members.map((m) => m.memberId);
+            const { blockReference } = await this.blockContentStore.storeContent(content, senderId, memberIds);
+            messageContent = blockReference;
+        }
         const now = new Date();
         const message = {
             id: (0, uuid_1.v4)(),
             contextType: 'group',
             contextId: groupId,
             senderId,
-            encryptedContent: content,
+            encryptedContent: messageContent,
             createdAt: now,
             editHistory: [],
             deleted: false,
             pinned: false,
             reactions: [],
+            keyEpoch: currentEpoch,
+            attachments: attachmentMetadata,
         };
         this.messages.get(groupId).push(message);
         group.lastMessageAt = now;
+        // Persist to storage provider if available
+        if (this.groupMessageCollection) {
+            await this.groupMessageCollection.create(message);
+        }
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
+        }
         // Emit message sent event
         this.eventEmitter.emitMessageSent('group', groupId, message.id, senderId);
         return message;
     }
     /**
      * Get messages in a group with cursor-based pagination.
+     * Messages are returned with their keyEpoch so clients can decrypt
+     * using the appropriate epoch's CEK.
+     * Validates that each message's keyEpoch exists in the epoch state;
+     * throws KeyEpochNotFoundError if a message references a non-existent epoch.
+     *
+     * Requirements: 5.1, 12.3
      */
     async getMessages(groupId, memberId, cursor, limit = 50) {
         const group = this.assertGroupExists(groupId);
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
+        // Validate that each message's keyEpoch exists in the epoch state
+        for (const msg of msgs) {
+            this.assertEpochExists(groupId, msg.keyEpoch);
+        }
         return (0, pagination_1.paginateItems)(msgs, cursor, limit);
     }
     // ─── Member management ────────────────────────────────────────────────
     /**
-     * Add members to a group. Re-encrypts the shared key for new members.
-     * Requirement 10.2: membership management.
+     * Add members to a group. Wraps ALL epoch keys for new members.
+     * Requirements: 10.2, 5.2
      */
     async addMembers(groupId, requesterId, memberIds) {
         const group = this.assertGroupExists(groupId);
         this.assertIsMember(group, requesterId);
         this.assertPermission(requesterId, groupId, communication_1.Permission.MANAGE_MEMBERS);
         const now = new Date();
-        const currentKey = this.symmetricKeys.get(groupId);
+        const state = this.keyEpochStates.get(groupId);
         for (const memberId of memberIds) {
             if (group.members.some((m) => m.memberId === memberId)) {
                 throw new MemberAlreadyInGroupError(memberId);
@@ -297,16 +503,23 @@ class GroupService {
                 role: communication_1.DefaultRole.MEMBER,
                 joinedAt: now,
             });
-            // Encrypt existing key for new member
-            group.encryptedSharedKey.set(memberId, this.encryptKey(memberId, currentKey));
+            // Add member to epoch state: wrap ALL epoch keys for the new member
+            if (state) {
+                this.addMemberToEpochState(state, memberId);
+                group.encryptedSharedKey = state.encryptedEpochKeys;
+            }
             this.permissionService.assignRole(memberId, groupId, communication_1.DefaultRole.MEMBER);
             // Emit member joined event
             this.eventEmitter.emitMemberJoined('group', groupId, memberId);
         }
+        // Persist group update to storage provider if available
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
+        }
     }
     /**
-     * Remove a member from a group. Rotates the shared key.
-     * Requirement 10.2: key rotation on member removal.
+     * Remove a member from a group. Rotates the shared key using epoch-aware rotation.
+     * Requirements: 10.2, 5.3
      */
     async removeMember(groupId, requesterId, targetId) {
         const group = this.assertGroupExists(groupId);
@@ -314,24 +527,50 @@ class GroupService {
         this.assertIsMember(group, targetId);
         this.assertPermission(requesterId, groupId, communication_1.Permission.MANAGE_MEMBERS);
         group.members = group.members.filter((m) => m.memberId !== targetId);
-        group.encryptedSharedKey.delete(targetId);
-        // Rotate key for remaining members
-        this.rotateKey(group);
+        if (group.members.length > 0) {
+            this.rotateKey(group, targetId);
+        }
+        else {
+            // No members left — clean up epoch state
+            const state = this.keyEpochStates.get(groupId);
+            if (state) {
+                for (const [, epochMap] of state.encryptedEpochKeys) {
+                    epochMap.delete(targetId);
+                }
+                group.encryptedSharedKey = state.encryptedEpochKeys;
+            }
+        }
+        // Persist group update to storage provider if available
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
+        }
         // Emit member kicked event
         this.eventEmitter.emitMemberKicked('group', groupId, targetId, requesterId);
     }
     /**
-     * Leave a group voluntarily. Rotates the shared key.
-     * Requirement 10.2: key rotation on member departure.
+     * Leave a group voluntarily. Rotates the shared key using epoch-aware rotation.
+     * Requirements: 10.2, 5.3
      */
     async leaveGroup(groupId, memberId) {
         const group = this.assertGroupExists(groupId);
         this.assertIsMember(group, memberId);
         group.members = group.members.filter((m) => m.memberId !== memberId);
-        group.encryptedSharedKey.delete(memberId);
-        // Rotate key for remaining members
         if (group.members.length > 0) {
-            this.rotateKey(group);
+            this.rotateKey(group, memberId);
+        }
+        else {
+            // No members left — clean up epoch state
+            const state = this.keyEpochStates.get(groupId);
+            if (state) {
+                for (const [, epochMap] of state.encryptedEpochKeys) {
+                    epochMap.delete(memberId);
+                }
+                group.encryptedSharedKey = state.encryptedEpochKeys;
+            }
+        }
+        // Persist group update to storage provider if available
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
         }
         // Emit member left event
         this.eventEmitter.emitMemberLeft('group', groupId, memberId);
@@ -345,7 +584,37 @@ class GroupService {
         const group = this.assertGroupExists(groupId);
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
+        if (this.blockContentStore) {
+            // Find the message manually to handle block storage
+            const message = msgs.find((m) => m.id === messageId);
+            if (!message)
+                throw new GroupMessageNotFoundError(messageId);
+            if (message.senderId !== memberId)
+                throw new NotMessageAuthorError();
+            // Store new content as a new block
+            const memberIds = group.members.map((m) => m.memberId);
+            const { blockReference } = await this.blockContentStore.storeContent(newContent, memberId, memberIds);
+            // Push old block reference to edit history
+            message.editHistory.push({
+                content: message.encryptedContent,
+                editedAt: new Date(),
+            });
+            // Update encryptedContent to new block reference
+            message.encryptedContent = blockReference;
+            message.editedAt = new Date();
+            // Persist edited message to storage provider if available
+            if (this.groupMessageCollection) {
+                await this.groupMessageCollection.update(messageId, message);
+            }
+            // Emit message edited event
+            this.eventEmitter.emitMessageEdited('group', groupId, messageId, memberId);
+            return message;
+        }
         const edited = this.messageOps.editMessage(msgs, messageId, memberId, newContent, (id) => new GroupMessageNotFoundError(id), () => new NotMessageAuthorError());
+        // Persist edited message to storage provider if available
+        if (this.groupMessageCollection) {
+            await this.groupMessageCollection.update(messageId, edited);
+        }
         // Emit message edited event
         this.eventEmitter.emitMessageEdited('group', groupId, messageId, memberId);
         return edited;
@@ -359,6 +628,13 @@ class GroupService {
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
         this.messageOps.deleteMessage(msgs, groupId, messageId, memberId, (id) => new GroupMessageNotFoundError(id), (p) => new GroupPermissionError(p));
+        // Persist deleted message to storage provider if available
+        if (this.groupMessageCollection) {
+            const deletedMsg = msgs.find((m) => m.id === messageId);
+            if (deletedMsg) {
+                await this.groupMessageCollection.update(messageId, deletedMsg);
+            }
+        }
         // Emit message deleted event
         this.eventEmitter.emitMessageDeleted('group', groupId, messageId, memberId);
     }
@@ -371,6 +647,16 @@ class GroupService {
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
         this.messageOps.pinMessage(msgs, groupId, messageId, memberId, group, (id) => new GroupMessageNotFoundError(id), (p) => new GroupPermissionError(p));
+        // Persist pin changes to storage provider if available
+        if (this.groupMessageCollection) {
+            const pinnedMsg = msgs.find((m) => m.id === messageId);
+            if (pinnedMsg) {
+                await this.groupMessageCollection.update(messageId, pinnedMsg);
+            }
+        }
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
+        }
         // Emit message pinned event
         this.eventEmitter.emitMessagePinEvent(communication_1.CommunicationEventType.MESSAGE_PINNED, 'group', groupId, messageId, memberId);
     }
@@ -383,6 +669,16 @@ class GroupService {
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
         this.messageOps.unpinMessage(msgs, groupId, messageId, memberId, group, (id) => new GroupMessageNotFoundError(id), (p) => new GroupPermissionError(p));
+        // Persist unpin changes to storage provider if available
+        if (this.groupMessageCollection) {
+            const unpinnedMsg = msgs.find((m) => m.id === messageId);
+            if (unpinnedMsg) {
+                await this.groupMessageCollection.update(messageId, unpinnedMsg);
+            }
+        }
+        if (this.groupCollection) {
+            await this.groupCollection.update(groupId, group);
+        }
         // Emit message unpinned event
         this.eventEmitter.emitMessagePinEvent(communication_1.CommunicationEventType.MESSAGE_UNPINNED, 'group', groupId, messageId, memberId);
     }
@@ -395,6 +691,13 @@ class GroupService {
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
         const reactionId = this.messageOps.addReaction(msgs, messageId, memberId, emoji, (id) => new GroupMessageNotFoundError(id));
+        // Persist reaction change to storage provider if available
+        if (this.groupMessageCollection) {
+            const msg = msgs.find((m) => m.id === messageId);
+            if (msg) {
+                await this.groupMessageCollection.update(messageId, msg);
+            }
+        }
         // Emit reaction added event
         this.eventEmitter.emitReactionEvent(communication_1.CommunicationEventType.REACTION_ADDED, 'group', groupId, messageId, memberId, emoji, reactionId);
         return reactionId;
@@ -408,6 +711,13 @@ class GroupService {
         this.assertIsMember(group, memberId);
         const msgs = this.messages.get(groupId) ?? [];
         this.messageOps.removeReaction(msgs, messageId, reactionId, (id) => new GroupMessageNotFoundError(id), (id) => new ReactionNotFoundError(id));
+        // Persist reaction removal to storage provider if available
+        if (this.groupMessageCollection) {
+            const msg = msgs.find((m) => m.id === messageId);
+            if (msg) {
+                await this.groupMessageCollection.update(messageId, msg);
+            }
+        }
         // Emit reaction removed event
         this.eventEmitter.emitReactionEvent(communication_1.CommunicationEventType.REACTION_REMOVED, 'group', groupId, messageId, memberId, '', // emoji not needed for removal
         reactionId);
@@ -420,10 +730,20 @@ class GroupService {
         return this.groups.get(groupId);
     }
     /**
-     * Get the raw symmetric key for a group (testing only).
+     * Get the current epoch's raw symmetric key for a group.
+     * Returns the key for the latest epoch (backward-compatible accessor).
      */
     getSymmetricKey(groupId) {
-        return this.symmetricKeys.get(groupId);
+        const state = this.keyEpochStates.get(groupId);
+        if (!state)
+            return undefined;
+        return state.epochKeys.get(state.currentEpoch);
+    }
+    /**
+     * Get the full epoch state for a group (testing / internal use).
+     */
+    getKeyEpochState(groupId) {
+        return this.keyEpochStates.get(groupId);
     }
     /**
      * Get all messages for a group without pagination (testing/internal).