@nexustechpro/baileys 2.0.5 → 2.0.6

package/lib/Socket/messages-recv.js

@@ -4,17 +4,18 @@ import { randomBytes } from "crypto"
 import { proto } from "../../WAProto/index.js"
 import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, PLACEHOLDER_MAX_AGE_SECONDS, STATUS_EXPIRY_SECONDS } from "../Defaults/index.js"
 import { WAMessageStatus, WAMessageStubType } from "../Types/index.js"
-import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, handleIdentityChange, getStatusFromReceiptType, hkdf, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey } from "../Utils/index.js"
+import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, extractE2ESessionFromRetryReceipt, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, getStatusFromReceiptType, handleIdentityChange, hkdf, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, SERVER_ERROR_CODES, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey, ACCOUNT_RESTRICTED_TEXT, buildMergedTcTokenIndexWrite, isTcTokenExpired, readTcTokenIndex, resolveTcTokenJid, resolveIssuanceJid, storeTcTokensFromIqResult, TC_TOKEN_INDEX_KEY } from "../Utils/index.js"
 import { makeMutex } from "../Utils/make-mutex.js"
-import { areJidsSameUser, binaryNodeToString, getAllBinaryNodeChildren, getBinaryNodeChild, getBinaryNodeChildBuffer, getBinaryNodeChildren, getBinaryNodeChildString, isJidGroup, isJidNewsletter, isJidStatusBroadcast, isLidUser, isPnUser, jidDecode, jidNormalizedUser, S_WHATSAPP_NET, jidEncode } from "../WABinary/index.js"
+import { areJidsSameUser, binaryNodeToString, getAllBinaryNodeChildren, getBinaryNodeChild, getBinaryNodeChildBuffer, getBinaryNodeChildren, getBinaryNodeChildString, getBinaryNodeChildUInt, isJidGroup, isJidNewsletter, isJidStatusBroadcast, isLidUser, isPnUser, jidDecode, jidNormalizedUser, S_WHATSAPP_NET, jidEncode } from "../WABinary/index.js"
 import { extractGroupMetadata } from "./groups.js"
 import { makeMessagesSocket } from "./messages-send.js"
 
 export const makeMessagesRecvSocket = (config) => {
   const { logger, retryRequestDelayMs, maxMsgRetryCount, getMessage, shouldIgnoreJid, enableAutoSessionRecreation } = config
   const sock = makeMessagesSocket(config)
-  const { ev, authState, ws, processingMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, messageRetryManager, triggerPreKeyCheck } = sock
+  const { ev, authState, ws, processingMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, messageRetryManager, registerSocketEndHandler, issuePrivacyTokens, fetchAccountReachoutTimelock } = sock
 
+  const getLIDForPN = signalRepository.lidMapping.getLIDForPN.bind(signalRepository.lidMapping)
   const messageMutex = makeMutex()
   const notificationMutex = makeMutex()
   const retryMutex = makeMutex()
@@ -109,18 +110,23 @@ export const makeMessagesRecvSocket = (config) => {
     }
   }
 
-  const sendMessageAck = async ({ tag, attrs, content }, errorCode) => {
-    const stanza = { tag: "ack", attrs: { id: attrs.id, to: attrs.from, class: tag } }
-    if (!!errorCode) stanza.attrs.error = errorCode.toString()
-    if (!!attrs.participant) stanza.attrs.participant = attrs.participant
-    if (!!attrs.recipient) stanza.attrs.recipient = attrs.recipient
-    if (!!attrs.type && (tag !== "message" || getBinaryNodeChild({ tag, attrs, content }, "unavailable") || errorCode !== 0)) stanza.attrs.type = attrs.type
-    if (tag === "message" && getBinaryNodeChild({ tag, attrs, content }, "unavailable")) stanza.attrs.from = authState.creds.me.id
-    logger.debug({ recv: { tag, attrs }, sent: stanza.attrs }, "sent ack")
+  const sendMessageAck = async (node, errorCode) => {
+    const { tag, attrs, content } = node
+    const hasUnavailable = !!getBinaryNodeChild({ tag, attrs, content }, 'unavailable')
+    const stanza = { tag: 'ack', attrs: { id: attrs.id, to: attrs.from, class: tag } }
+    if (errorCode) stanza.attrs.error = errorCode.toString()
+    if (attrs.participant) stanza.attrs.participant = attrs.participant
+    if (attrs.recipient) stanza.attrs.recipient = attrs.recipient
+    // include type always when present (upstream), but also force-include on unavailable/error
+    if (attrs.type || hasUnavailable || errorCode) stanza.attrs.type = attrs.type
+    // include from for all message-class ACKs (upstream), not just unavailable
+    if (tag === 'message' && authState.creds.me?.id) stanza.attrs.from = authState.creds.me.id
+    logger.debug({ recv: { tag, attrs }, sent: stanza.attrs }, 'sent ack')
     try {
       await sendNode(stanza)
     } catch (error) {
-      if (error?.output?.statusCode === 428 || error?.message?.includes("Connection")) logger.warn({ id: attrs.id, error: error?.message }, "Failed to send ACK (connection closed) - message already received")
+      if (error?.output?.statusCode === 428 || error?.message?.includes('Connection'))
+        logger.warn({ id: attrs.id, error: error?.message }, 'Failed to send ACK (connection closed) - message already received')
       else throw error
     }
   }
@@ -263,20 +269,42 @@ export const makeMessagesRecvSocket = (config) => {
     }, authState?.creds?.me?.id || "sendRetryRequest")
   }
 
+  const reissueTcTokenAfterIdentityChange = (from) => {
+    void (async () => {
+      const normalizedJid = jidNormalizedUser(from)
+      const tcJid = await resolveTcTokenJid(normalizedJid, getLIDForPN)
+      const tcTokenData = await authState.keys.get('tctoken', [tcJid])
+      const senderTs = tcTokenData?.[tcJid]?.senderTimestamp
+      if (senderTs === null || senderTs === undefined || isTcTokenExpired(senderTs)) return
+      logger.debug({ jid: normalizedJid, senderTimestamp: senderTs }, 'identity changed, re-issuing tctoken')
+      const getPNForLID = signalRepository.lidMapping.getPNForLID.bind(signalRepository.lidMapping)
+      const issueJid = await resolveIssuanceJid(normalizedJid, sock.serverProps.lidTrustedTokenIssueToLid, getLIDForPN, getPNForLID)
+      const result = await issuePrivacyTokens([issueJid], senderTs)
+      await storeTcTokensFromIqResult({ result, fallbackJid: tcJid, keys: authState.keys, getLIDForPN, onNewJidStored: trackTcTokenJid })
+    })().catch(err => logger.debug({ jid: from, err: err?.message }, 'failed to re-issue tctoken after identity change'))
+  }
+
   const handleEncryptNotification = async (node) => {
     const from = node.attrs.from
     if (from === S_WHATSAPP_NET) {
+      const stanzaId = node.attrs.id
+      if (stanzaId && inFlightPreKeyLow.has(stanzaId)) return
       const countChild = getBinaryNodeChild(node, "count")
       const count = +countChild.attrs.value
       const shouldUploadMorePreKeys = count < MIN_PREKEY_COUNT
       logger.debug({ count, shouldUploadMorePreKeys }, "recv pre-key count")
-      if (shouldUploadMorePreKeys) await uploadPreKeys()
+      if (shouldUploadMorePreKeys) {
+        if (stanzaId) inFlightPreKeyLow.add(stanzaId)
+        try { await uploadPreKeys() } finally { if (stanzaId) inFlightPreKeyLow.delete(stanzaId) }
+      }
     } else {
-      const identityNode = getBinaryNodeChild(node, 'identity')
-      if (identityNode) { logger.info({ jid: from }, 'identity changed') } else { logger.info({ node }, 'unknown encrypt notification') }
+      const result = await handleIdentityChange(node, { meId: authState.creds.me?.id, meLid: authState.creds.me?.lid, validateSession: signalRepository.validateSession, assertSessions, debounceCache: identityAssertDebounce, logger, onBeforeSessionRefresh: reissueTcTokenAfterIdentityChange })
+      if (result.action === 'no_identity_node') logger.info({ node }, 'unknown encrypt notification')
     }
   }
 
+  const inFlightPreKeyLow = new Set()
+
   const handleGroupNotification = (fullNode, child, msg) => {
     const actingParticipantLid = fullNode.attrs.participant
     const actingParticipantPn = fullNode.attrs.participant_pn
@@ -356,19 +384,57 @@ export const makeMessagesRecvSocket = (config) => {
 
   const handlePrivacyTokenNotification = async (node) => {
     const tokensNode = getBinaryNodeChild(node, "tokens")
-    const from = jidNormalizedUser(node.attrs.from)
     if (!tokensNode) return
-    const tokenNodes = getBinaryNodeChildren(tokensNode, "token")
-    for (const tokenNode of tokenNodes) {
-      const { attrs, content } = tokenNode
-      const type = attrs.type
-      const timestamp = attrs.t
-      if (type === "trusted_contact" && content instanceof Buffer) {
-        logger.debug({ from, timestamp, tcToken: content }, "received trusted contact token")
-        await authState.keys.set({ tctoken: { [from]: { token: content, timestamp } } })
-        ev.emit("chats.update", [{ id: from, tcToken: content }])
-      }
+    const from = jidNormalizedUser(node.attrs.from)
+    const senderLid = node.attrs.sender_lid && isLidUser(jidNormalizedUser(node.attrs.sender_lid)) ? jidNormalizedUser(node.attrs.sender_lid) : undefined
+    const fallbackJid = senderLid ?? (await resolveTcTokenJid(from, getLIDForPN))
+    logger.debug({ from, storageJid: fallbackJid }, 'processing privacy token notification')
+    await storeTcTokensFromIqResult({ result: node, fallbackJid, keys: authState.keys, getLIDForPN, onNewJidStored: trackTcTokenJid })
+  }
+
+  const handleDevicesNotification = async (node) => {
+    const [child] = getAllBinaryNodeChildren(node)
+    const from = jidNormalizedUser(node.attrs.from)
+    if (!child) { logger.debug({ from }, 'devices notification missing child, skipping'); return }
+    const tag = child.tag
+    const deviceHash = child.attrs.device_hash
+    const devices = getBinaryNodeChildren(child, 'device')
+    if (areJidsSameUser(from, authState.creds.me.id) || areJidsSameUser(from, authState.creds.me.lid)) { const deviceJids = devices.map(d => d.attrs.jid); logger.info({ deviceJids }, 'got my own devices') }
+    if (!devices.length) { logger.debug({ from, tag }, 'no devices in notification, skipping'); return }
+    const decoded = []
+    for (const d of devices) {
+      const jid = d.attrs.jid
+      if (!jid) continue
+      const parts = jidDecode(jid)
+      if (!parts) { logger.debug({ jid }, 'failed to decode device jid, skipping'); continue }
+      decoded.push({ jid, user: parts.user, server: parts.server, device: parts.device })
     }
+    if (!decoded.length) return
+    await sock.devicesMutex.mutex(async () => {
+      const byUser = new Map()
+      for (const d of decoded) { const list = byUser.get(d.user) || []; list.push(d); byUser.set(d.user, list) }
+      for (const [user, entries] of byUser) {
+        if (tag === 'update') { logger.debug({ user }, `${user}'s device list updated, dropping cached devices`); await sock.userDevicesCache?.del(user); continue }
+        if (tag === 'remove') await signalRepository.deleteSession(entries.map(e => e.jid))
+        const existingCache = (await sock.userDevicesCache?.get(user)) || []
+        if (!existingCache.length) { logger.debug({ user, tag }, 'device list not cached, deferring to USync refresh'); continue }
+        const affected = new Set(entries.map(e => e.device))
+        let updatedDevices
+        switch (tag) {
+          case 'add':
+            logger.info({ deviceHash, count: entries.length }, 'devices added')
+            updatedDevices = [...existingCache.filter(d => !affected.has(d.device)), ...entries.map(e => ({ user: e.user, server: e.server, device: e.device }))]
+            break
+          case 'remove':
+            logger.info({ deviceHash, count: entries.length }, 'devices removed')
+            updatedDevices = existingCache.filter(d => !affected.has(d.device))
+            break
+          default: logger.debug({ tag }, 'unknown device list change tag'); continue
+        }
+        if (updatedDevices.length === 0) await sock.userDevicesCache?.del(user)
+        else await sock.userDevicesCache?.set(user, updatedDevices)
+      }
+    })
   }
 
   const processNotification = async (node) => {
@@ -397,11 +463,7 @@ export const makeMessagesRecvSocket = (config) => {
         await handleEncryptNotification(node)
         break
       case "devices":
-        const devices = getBinaryNodeChildren(child, "device")
-        if (areJidsSameUser(child.attrs.jid, authState.creds.me.id) || areJidsSameUser(child.attrs.lid, authState.creds.me.lid)) {
-          const deviceData = devices.map((d) => ({ id: d.attrs.jid, lid: d.attrs.lid }))
-          logger.info({ deviceData }, "my own devices changed")
-        }
+        try { await handleDevicesNotification(node) } catch (error) { logger.error({ error, node }, 'failed to handle devices notification') }
         break
       case "server_sync":
         const update = getBinaryNodeChild(node, "collection")
@@ -462,6 +524,28 @@ export const makeMessagesRecvSocket = (config) => {
     if (Object.keys(result).length) return result
   }
 
+  const tcTokenKnownJids = new Set()
+  const tcTokenIndexLoaded = (async () => {
+    try { const jids = await readTcTokenIndex(authState.keys); for (const jid of jids) tcTokenKnownJids.add(jid); logger.debug({ count: tcTokenKnownJids.size }, 'loaded tctoken index') }
+    catch (err) { logger.warn({ err: err?.message }, 'failed to load tctoken index') }
+  })()
+
+  let tcTokenIndexTimer
+  async function flushTcTokenIndex() {
+    if (tcTokenIndexTimer) { clearTimeout(tcTokenIndexTimer); tcTokenIndexTimer = undefined }
+    const write = await buildMergedTcTokenIndexWrite(authState.keys, tcTokenKnownJids)
+    return authState.keys.set({ tctoken: write })
+  }
+
+  function scheduleTcTokenIndexSave() {
+    if (tcTokenIndexTimer) clearTimeout(tcTokenIndexTimer)
+    tcTokenIndexTimer = setTimeout(() => { tcTokenIndexTimer = undefined; flushTcTokenIndex().catch(err => logger.warn({ err: err?.message }, 'failed to save tctoken index')) }, 5000)
+  }
+
+  function trackTcTokenJid(jid) {
+    if (jid && jid !== TC_TOKEN_INDEX_KEY && !tcTokenKnownJids.has(jid)) { tcTokenKnownJids.add(jid); scheduleTcTokenIndexSave() }
+  }
+
   async function decipherLinkPublicKey(data) {
     const buffer = toRequiredBuffer(data)
     const salt = buffer.slice(0, 32)
@@ -488,10 +572,11 @@ export const makeMessagesRecvSocket = (config) => {
     await msgRetryCache.set(key, newValue)
   }
 
-  const sendMessagesAgain = async (key, ids, retryNode) => {
+  const sendMessagesAgain = async (key, ids, retryNode, receiptNode) => {
     const remoteJid = key.remoteJid
     const participant = key.participant || remoteJid
     const retryCount = +retryNode.attrs.count || 1
+    const msgId = ids[0]
     const msgs = []
     for (const id of ids) {
       let msg
@@ -506,11 +591,35 @@ export const makeMessagesRecvSocket = (config) => {
       msgs.push(msg)
     }
     const sendToAll = !jidDecode(participant)?.device
+    const sessionId = signalRepository.jidToSignalProtocolAddress(participant)
+    let injectedFromBundle = false
+    const bundle = extractE2ESessionFromRetryReceipt(receiptNode)
+    if (bundle) {
+      try { await signalRepository.injectE2ESession({ jid: participant, session: bundle }); injectedFromBundle = true; logger.debug({ participant, retryCount }, 'injected session from retry receipt key bundle') }
+      catch (error) { logger.warn({ error, participant }, 'failed to inject session from retry receipt') }
+    }
+    if (!injectedFromBundle && typeof signalRepository.getSessionInfo === 'function') {
+      const receivedRegId = getBinaryNodeChildUInt(receiptNode, 'registration', 4)
+      if (typeof receivedRegId === 'number' && Number.isInteger(receivedRegId)) {
+        const info = await signalRepository.getSessionInfo(participant)
+        if (info && info.registrationId !== 0 && info.registrationId !== receivedRegId) { logger.info({ participant, stored: info.registrationId, received: receivedRegId }, 'reg id mismatch on retry without bundle, deleting session'); await authState.keys.set({ session: { [sessionId]: null } }) }
+      }
+    }
+    const BASE_KEY_CHECK_RETRY = 2
+    if (msgId && messageRetryManager && typeof messageRetryManager.saveBaseKey === 'function') {
+      const info = typeof signalRepository.getSessionInfo === 'function' ? await signalRepository.getSessionInfo(participant) : undefined
+      if (info) {
+        if (retryCount === BASE_KEY_CHECK_RETRY) messageRetryManager.saveBaseKey(sessionId, msgId, info.baseKey)
+        else if (retryCount > BASE_KEY_CHECK_RETRY) {
+          if (messageRetryManager.hasSameBaseKey(sessionId, msgId, info.baseKey)) { logger.warn({ participant, retryCount }, 'base key collision on retry, forcing fresh session'); await authState.keys.set({ session: { [sessionId]: null } }) }
+          messageRetryManager.deleteBaseKey(sessionId, msgId)
+        }
+      }
+    }
     let shouldRecreateSession = false
     let recreateReason = ""
-    if (enableAutoSessionRecreation && messageRetryManager && retryCount > 1) {
+    if (enableAutoSessionRecreation && messageRetryManager && retryCount > 1 && !injectedFromBundle) {
       try {
-        const sessionId = signalRepository.jidToSignalProtocolAddress(participant)
         const hasSession = await signalRepository.validateSession(participant)
         const result = messageRetryManager.shouldRecreateSession(participant, retryCount, hasSession.exists)
         shouldRecreateSession = result.recreate
@@ -518,9 +627,9 @@ export const makeMessagesRecvSocket = (config) => {
         if (shouldRecreateSession) { logger.debug({ participant, retryCount, reason: recreateReason }, "recreating session for outgoing retry"); await authState.keys.set({ session: { [sessionId]: null } }) }
       } catch (error) { logger.warn({ error, participant }, "failed to check session recreation for outgoing retry") }
     }
-    await assertSessions([participant], false);
+    if (!injectedFromBundle) await assertSessions([participant], true)
     if (isJidGroup(remoteJid)) await authState.keys.set({ "sender-key-memory": { [remoteJid]: null } })
-    logger.debug({ participant, sendToAll, shouldRecreateSession, recreateReason }, "preparing retry recp")
+    logger.debug({ participant, sendToAll, shouldRecreateSession, recreateReason, injectedFromBundle }, "preparing retry recp")
     for (const [i, msg] of msgs.entries()) {
       if (!ids[i]) continue
       if (msg && (await willSendMessageAgain(ids[i], participant))) {
@@ -565,7 +674,7 @@ export const makeMessagesRecvSocket = (config) => {
               try {
                 await updateSendMessageAgainCount(ids[0], key.participant)
                 logger.debug({ attrs, key }, "recv retry request")
-                await sendMessagesAgain(key, ids, retryNode)
+                await sendMessagesAgain(key, ids, retryNode, node)
               } catch (error) { logger.error({ key, ids, trace: error instanceof Error ? error.stack : "Unknown error" }, "error in sending message again") }
             } else logger.info({ attrs, key }, "recv retry for not fromMe message")
           } else {
@@ -681,7 +790,14 @@ export const makeMessagesRecvSocket = (config) => {
         cleanMessage(msg, authState.creds.me.id, authState.creds.me.lid)
         await upsertMessage(msg, node.attrs.offline ? "append" : "notify")
       })
-    } catch (error) { logger.error({ error, stack: error?.stack, msg: error?.message || String(error), node: binaryNodeToString(node) }, "error in handling message") }
+    } catch (error) {
+      const isClosed = error?.message?.includes('Connection Closed') || error?.output?.statusCode === 428
+      if (isClosed) {
+        logger.debug({ msg: error?.message }, "Connection closed while handling message")
+      } else {
+        logger.error({ error, stack: error?.stack, msg: error?.message || String(error), node: binaryNodeToString(node) }, "error in handling message")
+      }
+    }
   }
 
   const handleCall = async (node) => {
@@ -700,11 +816,38 @@ export const makeMessagesRecvSocket = (config) => {
     await sendMessageAck(node)
   }
 
+  const inFlight463Recoveries = new Set()
+
   const handleBadAck = async ({ attrs }) => {
     const key = { remoteJid: attrs.from, fromMe: true, id: attrs.id }
     if (attrs.error) {
-      logger.warn({ attrs }, "received error in ack")
-      ev.emit("messages.update", [{ key, update: { status: WAMessageStatus.ERROR, messageStubParameters: [attrs.error] } }])
+      const isReachoutTimelocked = attrs.error === String(NACK_REASONS.SenderReachoutTimelocked)
+      if (attrs.error === SERVER_ERROR_CODES.MessageAccountRestriction) {
+        logger.warn({ msgId: attrs.id, from: attrs.from }, 'error 463: account restricted or missing tctoken for contact')
+        const ackFrom = attrs.from
+        if (ackFrom && !inFlight463Recoveries.has(ackFrom)) {
+          inFlight463Recoveries.add(ackFrom)
+          void (async () => {
+            try {
+              const getPNForLID = signalRepository.lidMapping.getPNForLID.bind(signalRepository.lidMapping)
+              const tcStorageJid = await resolveTcTokenJid(ackFrom, getLIDForPN)
+              const issueJid = await resolveIssuanceJid(ackFrom, sock.serverProps.lidTrustedTokenIssueToLid, getLIDForPN, getPNForLID)
+              const result = await issuePrivacyTokens([issueJid], unixTimestampSeconds())
+              await storeTcTokensFromIqResult({ result, fallbackJid: tcStorageJid, keys: authState.keys, getLIDForPN, onNewJidStored: trackTcTokenJid })
+              logger.debug({ from: ackFrom }, 'completed 463 token recovery issuance')
+            } catch (err) { logger.debug({ from: ackFrom, err: err?.message }, 'failed 463 token recovery issuance') }
+            finally { inFlight463Recoveries.delete(ackFrom) }
+          })()
+        }
+      } else if (attrs.error === SERVER_ERROR_CODES.SmaxInvalid) {
+        logger.warn({ msgId: attrs.id, from: attrs.from }, 'smax-invalid (479): stale device session or malformed addressing')
+      } else if (isReachoutTimelocked) {
+        await fetchAccountReachoutTimelock().catch(err => logger.warn({ err }, 'failed to fetch reachout timelock'))
+        logger.warn({ attrs }, 'received error in ack')
+      } else {
+        logger.warn({ attrs }, 'received error in ack')
+      }
+      ev.emit("messages.update", [{ key, update: { status: WAMessageStatus.ERROR, messageStubParameters: isReachoutTimelocked ? [attrs.error, ACCOUNT_RESTRICTED_TEXT] : [attrs.error] } }])
     }
   }
 
@@ -770,8 +913,51 @@ export const makeMessagesRecvSocket = (config) => {
     }
   })
 
-  ev.on("connection.update", ({ isOnline }) => {
+  let lastTcTokenPruneTs = 0
+
+  async function pruneExpiredTcTokens() {
+    try {
+      await tcTokenIndexLoaded
+      const persisted = await readTcTokenIndex(authState.keys)
+      const allJids = new Set(tcTokenKnownJids)
+      for (const jid of persisted) allJids.add(jid)
+      if (!allJids.size) return
+      const jids = [...allJids]
+      const allTokens = await authState.keys.get('tctoken', jids)
+      const writes = {}, survivors = new Set()
+      let mutated = 0
+      for (const jid of jids) {
+        const entry = allTokens[jid]
+        if (!entry) { mutated++; continue }
+        const hasPeerToken = !!entry.token?.length
+        const peerTokenExpired = hasPeerToken && isTcTokenExpired(entry.timestamp)
+        const hasSenderTs = entry.senderTimestamp !== undefined
+        const senderTsExpired = hasSenderTs && isTcTokenExpired(entry.senderTimestamp)
+        const keepPeerToken = hasPeerToken && !peerTokenExpired
+        const keepSenderTs = hasSenderTs && !senderTsExpired
+        if (!keepPeerToken && !keepSenderTs) { writes[jid] = null; mutated++ }
+        else if (peerTokenExpired && keepSenderTs) { writes[jid] = { token: Buffer.alloc(0), senderTimestamp: entry.senderTimestamp }; survivors.add(jid); mutated++ }
+        else survivors.add(jid)
+      }
+      if (mutated === 0) return
+      await authState.keys.set({ tctoken: { ...writes, [TC_TOKEN_INDEX_KEY]: { token: Buffer.from(JSON.stringify([...survivors])) } } })
+      tcTokenKnownJids.clear()
+      for (const jid of survivors) tcTokenKnownJids.add(jid)
+      logger.debug({ mutated, remaining: survivors.size }, 'pruned expired tctokens')
+    } catch (err) { logger.warn({ err: err?.message }, 'failed to prune expired tctokens') }
+  }
+
+  ev.on("connection.update", ({ isOnline, connection }) => {
     if (typeof isOnline !== "undefined") { sendActiveReceipts = isOnline; logger.trace(`sendActiveReceipts set to "${sendActiveReceipts}"`) }
+    if (connection === 'close' && tcTokenIndexTimer) { clearTimeout(tcTokenIndexTimer); tcTokenIndexTimer = undefined; try { void Promise.resolve(flushTcTokenIndex()).catch(() => { }) } catch { } }
+    if (isOnline) { const now = Date.now(); const DAY_MS = 24 * 60 * 60 * 1000; if (now - lastTcTokenPruneTs >= DAY_MS) { lastTcTokenPruneTs = now; void pruneExpiredTcTokens() } }
+  })
+
+  registerSocketEndHandler(() => {
+    if (!config.msgRetryCounterCache && msgRetryCache.close) msgRetryCache.close()
+    if (!config.callOfferCache && callOfferCache.close) callOfferCache.close()
+    identityAssertDebounce.close()
+    sendActiveReceipts = false
   })
 
   return { ...sock, sendMessageAck, sendRetryRequest, rejectCall, offerCall, fetchMessageHistory, requestPlaceholderResend, messageRetryManager }