@queenanya/baileys 9.2.4 → 9.4.1

package/lib/Socket/messages-recv.js

@@ -3,17 +3,19 @@ import { Boom } from '@hapi/boom';
 import { randomBytes } from 'crypto';
 import Long from 'long';
 import { proto } from '../../WAProto/index.js';
-import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT } from '../Defaults/index.js';
-import { WAMessageStatus, WAMessageStubType } from '../Types/index.js';
-import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, getStatusFromReceiptType, hkdf, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey } from '../Utils/index.js';
+import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, PLACEHOLDER_MAX_AGE_SECONDS, STATUS_EXPIRY_SECONDS } from '../Defaults/index.js';
+import { ReachoutTimelockEnforcementType, WAMessageStatus, WAMessageStubType } from '../Types/index.js';
+import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, getStatusFromReceiptType, handleIdentityChange, hkdf, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, SERVER_ERROR_CODES, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey } from '../Utils/index.js';
 import { makeMutex } from '../Utils/make-mutex.js';
-import { areJidsSameUser, binaryNodeToString, getAllBinaryNodeChildren, getBinaryNodeChild, getBinaryNodeChildBuffer, getBinaryNodeChildren, getBinaryNodeChildString, isJidGroup, isJidNewsletter, isJidStatusBroadcast, isLidUser, isPnUser, jidDecode, jidNormalizedUser, S_WHATSAPP_NET } from '../WABinary/index.js';
+import { buildMergedTcTokenIndexWrite, isTcTokenExpired, readTcTokenIndex, resolveIssuanceJid, resolveTcTokenJid, storeTcTokensFromIqResult, TC_TOKEN_INDEX_KEY } from '../Utils/tc-token-utils.js';
+import { areJidsSameUser, binaryNodeToString, getAllBinaryNodeChildren, getBinaryNodeChild, getBinaryNodeChildBuffer, getBinaryNodeChildren, getBinaryNodeChildString, isJidGroup, isJidNewsletter, isJidStatusBroadcast, isLidUser, isPnUser, jidDecode, jidEncode, jidNormalizedUser, S_WHATSAPP_NET } from '../WABinary/index.js';
 import { extractGroupMetadata } from './groups.js';
 import { makeMessagesSocket } from './messages-send.js';
 export const makeMessagesRecvSocket = (config) => {
     const { logger, retryRequestDelayMs, maxMsgRetryCount, getMessage, shouldIgnoreJid, enableAutoSessionRecreation } = config;
     const sock = makeMessagesSocket(config);
-    const { ev, authState, ws, messageMutex, notificationMutex, receiptMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, messageRetryManager } = sock;
+    const { ev, authState, ws, messageMutex, notificationMutex, receiptMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, generateMessageTag, getUSyncDevices, createParticipantNodes, messageRetryManager, issuePrivacyTokens } = sock;
+    const getLIDForPN = signalRepository.lidMapping.getLIDForPN.bind(signalRepository.lidMapping);
     /** this mutex ensures that each retryRequest will wait for the previous one to finish */
     const retryMutex = makeMutex();
     const msgRetryCache = config.msgRetryCounterCache ||
@@ -50,7 +52,7 @@ export const makeMessagesRecvSocket = (config) => {
         };
         return sendPeerDataOperationMessage(pdoMessage);
     };
-    const requestPlaceholderResend = async (messageKey) => {
+    const requestPlaceholderResend = async (messageKey, msgData) => {
         if (!authState.creds.me?.id) {
             throw new Boom('Not authenticated');
         }
@@ -59,7 +61,9 @@ export const makeMessagesRecvSocket = (config) => {
             return;
         }
         else {
-            await placeholderResendCache.set(messageKey?.id, true);
+            // Store original message data so PDO response handler can preserve
+            // metadata (LID details, timestamps, etc.) that the phone may omit
+            await placeholderResendCache.set(messageKey?.id, msgData || true);
         }
         await delay(2000);
         if (!(await placeholderResendCache.get(messageKey?.id))) {
@@ -82,25 +86,145 @@ export const makeMessagesRecvSocket = (config) => {
         }, 8000);
         return sendPeerDataOperationMessage(pdoMessage);
     };
-    // Handles mex newsletter notifications
-    const handleMexNewsletterNotification = async (node) => {
+    const ENFORCEMENT_TYPE_VALUES = new Set(Object.values(ReachoutTimelockEnforcementType));
+    function isValidEnforcementType(value) {
+        return typeof value === 'string' && ENFORCEMENT_TYPE_VALUES.has(value);
+    }
+    // ── Top-level mex dispatcher (PR: feat-mex-notification-dispatch) ─────────
+    const handleMexNotification = async (node) => {
+        const updateNode = getBinaryNodeChild(node, 'update');
+        if (updateNode) {
+            const opName = updateNode.attrs?.op_name;
+            if (!opName) {
+                logger.warn({ node: binaryNodeToString(node) }, 'mex notification missing op_name');
+                return;
+            }
+            let mexResponse;
+            try {
+                mexResponse = JSON.parse(updateNode.content.toString());
+            }
+            catch (error) {
+                logger.error({ err: error, opName }, 'failed to parse mex notification JSON');
+                return;
+            }
+            if (mexResponse.errors?.length) {
+                logger.warn({ errors: mexResponse.errors, opName }, 'mex notification has GQL errors');
+                return;
+            }
+            const data = mexResponse.data;
+            if (!data) {
+                logger.warn({ opName }, 'mex notification has null data');
+                return;
+            }
+            logger.debug({ opName }, 'processing mex notification');
+            switch (opName) {
+                case 'NotificationUserReachoutTimelockUpdate':
+                    handleReachoutTimelockNotification(data);
+                    break;
+                case 'MessageCappingInfoNotification':
+                    handleMessageCappingNotification(data);
+                    break;
+                case 'NotificationLinkedProfilesUpdates': {
+                    // PR: fix-mex-linked-profiles
+                    const linkedProfiles = data.xwa2_notify_linked_profiles;
+                    if (!linkedProfiles)
+                        break;
+                    const lid = linkedProfiles.jid;
+                    for (const profile of linkedProfiles.added_profiles ?? []) {
+                        const pn = typeof profile === 'string' ? profile : (profile?.pn ?? profile?.jid ?? null);
+                        if (lid && pn)
+                            ev.emit('lid-mapping.update', { lid, pn });
+                    }
+                    break;
+                }
+                // newsletter ops still use the legacy <mex> child structure
+                case 'NotificationNewsletterUpdate':
+                case 'NotificationNewsletterAdminPromote':
+                case 'NotificationNewsletterAdminDemote':
+                case 'NotificationNewsletterUserSettingChange':
+                case 'NotificationNewsletterJoin':
+                case 'NotificationNewsletterLeave':
+                case 'NotificationNewsletterStateChange':
+                case 'NotificationNewsletterAdminMetadataUpdate':
+                case 'NotificationNewsletterOwnerUpdate':
+                case 'NotificationNewsletterAdminInviteRevoke':
+                case 'NotificationNewsletterWamoSubStatusChange':
+                case 'NotificationNewsletterBlockUser':
+                case 'NotificationNewsletterPaidPartnership':
+                case 'NotificationNewsletterMilestone':
+                case 'NewsletterResponseStateUpdate':
+                    await handleLegacyMexNewsletterNotification(node);
+                    break;
+                default:
+                    logger.debug({ opName }, 'unhandled mex notification');
+                    break;
+            }
+            return;
+        }
+        await handleLegacyMexNewsletterNotification(node);
+    };
+    const handleReachoutTimelockNotification = (data) => {
+        const payload = data.xwa2_notify_account_reachout_timelock;
+        if (!payload) {
+            logger.warn('reachout timelock notification missing payload');
+            return;
+        }
+        if (!payload.is_active) {
+            logger.info('reachout timelock restriction lifted');
+            ev.emit('connection.update', {
+                reachoutTimeLock: {
+                    isActive: false,
+                    enforcementType: ReachoutTimelockEnforcementType.DEFAULT
+                }
+            });
+            return;
+        }
+        // WA Web defaults to now+60s when the server omits the expiry
+        const timeEnforcementEnds = payload.time_enforcement_ends
+            ? new Date(parseInt(payload.time_enforcement_ends, 10) * 1000)
+            : new Date(Date.now() + 60000);
+        const enforcementType = isValidEnforcementType(payload.enforcement_type)
+            ? payload.enforcement_type
+            : ReachoutTimelockEnforcementType.DEFAULT;
+        logger.info({ enforcementType, timeEnforcementEnds }, 'reachout timelock restriction set');
+        ev.emit('connection.update', {
+            reachoutTimeLock: {
+                isActive: true,
+                timeEnforcementEnds,
+                enforcementType
+            }
+        });
+    };
+    const handleMessageCappingNotification = (data) => {
+        const payload = data.xwa2_notify_new_chat_messages_capping_info_update;
+        if (!payload) {
+            logger.warn('message capping notification missing payload');
+            return;
+        }
+        logger.info({ payload }, 'received message capping update');
+        ev.emit('message-capping.update', payload);
+    };
+    // ── Legacy mex newsletter notification handler ────────────────────────────
+    const handleLegacyMexNewsletterNotification = async (node) => {
         const mexNode = getBinaryNodeChild(node, 'mex');
         if (!mexNode?.content) {
-            logger.warn({ node }, 'Invalid mex newsletter notification');
+            logger.warn({ node: binaryNodeToString(node) }, 'invalid mex newsletter notification');
             return;
         }
-        let data;
+        let parsed;
         try {
-            data = JSON.parse(mexNode.content.toString());
+            // PR fix-mex-linked-profiles: handle binary-encoded content correctly
+            const payloadContent = mexNode.content;
+            const contentBuf = typeof payloadContent === 'string' ? Buffer.from(payloadContent, 'binary') : Buffer.from(payloadContent);
+            parsed = JSON.parse(contentBuf.toString());
         }
         catch (error) {
-            logger.error({ err: error, node }, 'Failed to parse mex newsletter notification');
+            logger.error({ err: error, node: binaryNodeToString(node) }, 'failed to parse mex newsletter notification');
             return;
         }
-        const operation = data?.operation;
-        const updates = data?.updates;
+        const { operation, updates } = parsed;
         if (!updates || !operation) {
-            logger.warn({ data }, 'Invalid mex newsletter notification content');
+            logger.warn({ parsed }, 'invalid mex newsletter notification content');
             return;
         }
         logger.info({ operation, updates }, 'got mex newsletter notification');
@@ -129,7 +253,7 @@ export const makeMessagesRecvSocket = (config) => {
                 }
                 break;
             default:
-                logger.info({ operation, data }, 'Unhandled mex newsletter notification');
+                logger.info({ operation, parsed }, 'unhandled mex newsletter notification');
                 break;
         }
     };
@@ -243,26 +367,275 @@ export const makeMessagesRecvSocket = (config) => {
         logger.debug({ recv: { tag, attrs }, sent: stanza.attrs }, 'sent ack');
         await sendNode(stanza);
     };
+    // ── Call handlers ─────────────────────────────────────────────────
     const rejectCall = async (callId, callFrom) => {
-        const stanza = {
+        await query({
             tag: 'call',
-            attrs: {
-                from: authState.creds.me.id,
-                to: callFrom
-            },
+            attrs: { from: authState.creds.me.id, to: callFrom },
+            content: [
+                { tag: 'reject', attrs: { 'call-id': callId, 'call-creator': callFrom, count: '0' }, content: undefined }
+            ]
+        });
+    };
+    const offerCall = async (toJid, isVideo = false) => {
+        const callId = randomBytes(16).toString('hex').toUpperCase().substring(0, 64);
+        const offerContent = [];
+        if (isVideo) {
+            offerContent.push({
+                tag: 'video',
+                attrs: {
+                    enc: 'vp8',
+                    dec: 'vp8',
+                    orientation: '0',
+                    screen_width: '1920',
+                    screen_height: '1080',
+                    device_orientation: '0'
+                },
+                content: undefined
+            });
+        }
+        offerContent.push({ tag: 'audio', attrs: { enc: 'opus', rate: '16000' }, content: undefined });
+        offerContent.push({ tag: 'audio', attrs: { enc: 'opus', rate: '8000' }, content: undefined });
+        offerContent.push({ tag: 'net', attrs: { medium: '3' }, content: undefined });
+        offerContent.push({ tag: 'capability', attrs: { ver: '1' }, content: new Uint8Array([1, 4, 255, 131, 207, 4]) });
+        offerContent.push({ tag: 'encopt', attrs: { keygen: '2' }, content: undefined });
+        const encKey = randomBytes(32);
+        const devices = (await getUSyncDevices([toJid], true, false)).map(({ user, device }) => jidEncode(user, 's.whatsapp.net', device));
+        await assertSessions(devices, true);
+        const { nodes: destinations, shouldIncludeDeviceIdentity } = await createParticipantNodes(devices, { call: { callKey: new Uint8Array(encKey) } }, { count: '0' });
+        offerContent.push({ tag: 'destination', attrs: {}, content: destinations });
+        if (shouldIncludeDeviceIdentity) {
+            offerContent.push({
+                tag: 'device-identity',
+                attrs: {},
+                content: encodeSignedDeviceIdentity(authState.creds.account, true)
+            });
+        }
+        await query({
+            tag: 'call',
+            attrs: { id: generateMessageTag(), to: toJid },
+            content: [
+                { tag: 'offer', attrs: { 'call-id': callId, 'call-creator': authState.creds.me.id }, content: offerContent }
+            ]
+        });
+        return { id: callId, to: toJid };
+    };
+    const initiateCall = async (jid, options = {}) => {
+        const meId = authState.creds.me?.id;
+        if (!meId)
+            throw new Boom('Not authenticated');
+        const isVideo = !!options.isVideo;
+        const isGroup = isJidGroup(jid);
+        const result = await offerCall(jid, isVideo);
+        const callId = result.id;
+        await callOfferCache.set(callId, {
+            chatId: jid,
+            from: meId,
+            id: callId,
+            date: new Date(),
+            offline: false,
+            status: 'offer',
+            isVideo,
+            isGroup,
+            groupJid: isGroup ? jid : undefined
+        });
+        return { callId, to: jid, isVideo };
+    };
+    const terminateCall = async (callId, callTo, callCreator, reason, duration) => {
+        const meId = authState.creds.me?.id;
+        if (!meId)
+            throw new Boom('Not authenticated', { statusCode: 401 });
+        const attrs = { 'call-id': callId, 'call-creator': callCreator || meId };
+        if (reason)
+            attrs.reason = reason;
+        if (typeof duration === 'number') {
+            attrs.duration = String(duration);
+            attrs.audio_duration = String(duration);
+        }
+        await query({
+            tag: 'call',
+            attrs: { to: callTo, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'terminate', attrs, content: undefined }]
+        });
+        await callOfferCache.del(callId);
+    };
+    const cancelCall = async (callId, callTo) => terminateCall(callId, callTo);
+    const acceptCall = async (callId, callFrom, isVideo) => {
+        const meId = authState.creds.me?.id;
+        if (!meId)
+            throw new Boom('Not authenticated', { statusCode: 401 });
+        const content = [{ tag: 'audio', attrs: { rate: '16000', enc: 'opus' }, content: undefined }];
+        if (isVideo)
+            content.push({ tag: 'video', attrs: { dec: 'H264,AV1', device_orientation: '1' }, content: undefined });
+        content.push({ tag: 'net', attrs: { medium: '2' }, content: undefined }, { tag: 'encopt', attrs: { keygen: '2' }, content: undefined });
+        await query({
+            tag: 'call',
+            attrs: { from: meId, to: callFrom, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'accept', attrs: { 'call-id': callId, 'call-creator': callFrom }, content }]
+        });
+    };
+    const preacceptCall = async (callId, callCreator, isVideo) => {
+        const content = [{ tag: 'audio', attrs: { rate: '16000', enc: 'opus' }, content: undefined }];
+        if (isVideo) {
+            content.push({
+                tag: 'video',
+                attrs: { screen_width: '1080', screen_height: '2400', dec: 'H264,H265,AV1', device_orientation: '0' },
+                content: undefined
+            });
+        }
+        content.push({ tag: 'encopt', attrs: { keygen: '2' }, content: undefined }, { tag: 'capability', attrs: { ver: '1' }, content: undefined });
+        await query({
+            tag: 'call',
+            attrs: { to: callCreator, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'preaccept', attrs: { 'call-id': callId, 'call-creator': callCreator }, content }]
+        });
+    };
+    const sendRelayLatency = async (callId, callCreator, relays, transactionId) => {
+        const attrs = { 'call-id': callId, 'call-creator': callCreator };
+        if (transactionId)
+            attrs['transaction-id'] = transactionId;
+        await sendNode({
+            tag: 'call',
+            attrs: { to: callCreator, id: randomBytes(16).toString('hex').toUpperCase() },
             content: [
                 {
-                    tag: 'reject',
+                    tag: 'relaylatency',
+                    attrs,
+                    content: relays.map(r => {
+                        const a = {};
+                        if (r.relayName)
+                            a.relay_name = r.relayName;
+                        a.latency = String(r.latency);
+                        if (r.relayId)
+                            a.relay_id = r.relayId;
+                        if (r.dlBw !== undefined)
+                            a.dl_bw = String(r.dlBw);
+                        if (r.ulBw !== undefined)
+                            a.ul_bw = String(r.ulBw);
+                        return { tag: 'te', attrs: a, content: undefined };
+                    })
+                }
+            ]
+        });
+    };
+    const sendTransport = async (callId, callCreator, to, candidates, round) => {
+        const attrs = {
+            'call-id': callId,
+            'call-creator': callCreator,
+            'transport-message-type': '1'
+        };
+        if (round !== undefined)
+            attrs['p2p-cand-round'] = String(round);
+        await sendNode({
+            tag: 'call',
+            attrs: { to, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [
+                {
+                    tag: 'transport',
+                    attrs,
+                    content: candidates.map(c => ({ tag: 'te', attrs: { priority: c.priority }, content: c.data }))
+                }
+            ]
+        });
+    };
+    const sendCallDuration = async (callId, callCreator, peer, audioDuration, callType = '1x1') => {
+        await sendNode({
+            tag: 'call',
+            attrs: { to: 'call', id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [
+                {
+                    tag: 'duration',
                     attrs: {
                         'call-id': callId,
-                        'call-creator': callFrom,
-                        count: '0'
+                        'call-creator': callCreator,
+                        peer,
+                        audio_duration: String(audioDuration),
+                        type: callType
                     },
                     content: undefined
                 }
             ]
-        };
-        await query(stanza);
+        });
+    };
+    const muteCall = async (callId, callCreator, to, muted) => {
+        await sendNode({
+            tag: 'call',
+            attrs: { to, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [
+                {
+                    tag: 'mute_v2',
+                    attrs: { 'mute-state': muted ? '1' : '0', 'call-id': callId, 'call-creator': callCreator },
+                    content: undefined
+                }
+            ]
+        });
+    };
+    const sendHeartbeat = async (callId, callCreator) => {
+        await sendNode({
+            tag: 'call',
+            attrs: { to: `${callId}@call`, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'heartbeat', attrs: { 'call-id': callId, 'call-creator': callCreator }, content: undefined }]
+        });
+    };
+    const sendEncRekey = async (callId, callCreator, to, transactionId) => {
+        await sendNode({
+            tag: 'call',
+            attrs: { to, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [
+                {
+                    tag: 'enc_rekey',
+                    attrs: { 'transaction-id': transactionId, 'call-id': callId, 'call-creator': callCreator },
+                    content: [
+                        { tag: 'encopt', attrs: { keygen: '2' }, content: undefined },
+                        { tag: 'enc', attrs: { v: '2', type: 'msg' }, content: undefined }
+                    ]
+                }
+            ]
+        });
+    };
+    const sendVideoState = async (callId, callCreator, to, enabled, orientation = '1') => {
+        await sendNode({
+            tag: 'call',
+            attrs: { to, id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [
+                {
+                    tag: 'video',
+                    attrs: {
+                        'call-id': callId,
+                        'call-creator': callCreator,
+                        state: enabled ? '1' : '0',
+                        device_orientation: orientation
+                    },
+                    content: undefined
+                }
+            ]
+        });
+    };
+    const queryCallLink = async (token, media = 'video') => {
+        return await query({
+            tag: 'call',
+            attrs: { to: 'call', id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'link_query', attrs: { media, token }, content: undefined }]
+        });
+    };
+    const joinCallLink = async (token, media = 'video') => {
+        const content = [
+            { tag: 'audio', attrs: { rate: '16000', enc: 'opus' }, content: undefined },
+            { tag: 'net', attrs: { medium: '2' }, content: undefined },
+            { tag: 'capability', attrs: { ver: '1' }, content: undefined }
+        ];
+        if (media === 'video') {
+            content.splice(1, 0, {
+                tag: 'video',
+                attrs: { screen_width: '1080', screen_height: '2400', dec: 'H264,H265,AV1', device_orientation: '0' },
+                content: undefined
+            });
+        }
+        return await query({
+            tag: 'call',
+            attrs: { to: 'call', id: randomBytes(16).toString('hex').toUpperCase() },
+            content: [{ tag: 'link_join', attrs: { media, token }, content }]
+        });
     };
     const sendRetryRequest = async (node, forceIncludeKeys = false) => {
         const { fullMessage } = decodeMessageNode(node, authState.creds.me.id, authState.creds.me.lid || '');
@@ -407,22 +780,16 @@ export const makeMessagesRecvSocket = (config) => {
             }
         }
         else {
-            const identityNode = getBinaryNodeChild(node, 'identity');
-            if (identityNode) {
-                logger.info({ jid: from }, 'identity changed');
-                if (identityAssertDebounce.get(from)) {
-                    logger.debug({ jid: from }, 'skipping identity assert (debounced)');
-                    return;
-                }
-                identityAssertDebounce.set(from, true);
-                try {
-                    await assertSessions([from], true);
-                }
-                catch (error) {
-                    logger.warn({ error, jid: from }, 'failed to assert sessions after identity change');
-                }
-            }
-            else {
+            const result = await handleIdentityChange(node, {
+                meId: authState.creds.me?.id,
+                meLid: authState.creds.me?.lid,
+                validateSession: signalRepository.validateSession,
+                assertSessions,
+                debounceCache: identityAssertDebounce,
+                logger,
+                onBeforeSessionRefresh: reissueTcTokenAfterIdentityChange
+            });
+            if (result.action === 'no_identity_node') {
                 logger.info({ node }, 'unknown encrypt notification');
             }
         }
@@ -431,6 +798,7 @@ export const makeMessagesRecvSocket = (config) => {
         // TODO: Support PN/LID (Here is only LID now)
         const actingParticipantLid = fullNode.attrs.participant;
         const actingParticipantPn = fullNode.attrs.participant_pn;
+        const actingParticipantUsername = fullNode.attrs.participant_username;
         const affectedParticipantLid = getBinaryNodeChild(child, 'participant')?.attrs?.jid || actingParticipantLid;
         const affectedParticipantPn = getBinaryNodeChild(child, 'participant')?.attrs?.phone_number || actingParticipantPn;
         switch (child?.tag) {
@@ -450,7 +818,8 @@ export const makeMessagesRecvSocket = (config) => {
                     {
                         ...metadata,
                         author: actingParticipantLid,
-                        authorPn: actingParticipantPn
+                        authorPn: actingParticipantPn,
+                        authorUsername: actingParticipantUsername
                     }
                 ]);
                 break;
@@ -560,7 +929,7 @@ export const makeMessagesRecvSocket = (config) => {
                 await handleNewsletterNotification(node);
                 break;
             case 'mex':
-                await handleMexNewsletterNotification(node);
+                await handleMexNotification(node);
                 break;
             case 'w:gp2':
                 // TODO: HANDLE PARTICIPANT_PN
@@ -592,6 +961,7 @@ export const makeMessagesRecvSocket = (config) => {
             case 'picture':
                 const setPicture = getBinaryNodeChild(node, 'set');
                 const delPicture = getBinaryNodeChild(node, 'delete');
+                // TODO: WAJIDHASH stuff proper support inhouse
                 ev.emit('contacts.update', [
                     {
                         id: jidNormalizedUser(node?.attrs?.from) || (setPicture || delPicture)?.attrs?.hash || '',
@@ -644,7 +1014,7 @@ export const makeMessagesRecvSocket = (config) => {
                 const companionSharedKey = Curve.sharedKey(authState.creds.pairingEphemeralKeyPair.private, codePairingPublicKey);
                 const random = randomBytes(32);
                 const linkCodeSalt = randomBytes(32);
-                const linkCodePairingExpanded = await hkdf(companionSharedKey, 32, {
+                const linkCodePairingExpanded = hkdf(companionSharedKey, 32, {
                     salt: linkCodeSalt,
                     info: 'link_code_pairing_key_bundle_encryption_key'
                 });
@@ -658,7 +1028,7 @@ export const makeMessagesRecvSocket = (config) => {
                 const encryptedPayload = Buffer.concat([linkCodeSalt, encryptIv, encrypted]);
                 const identitySharedKey = Curve.sharedKey(authState.creds.signedIdentityKey.private, primaryIdentityPublicKey);
                 const identityPayload = Buffer.concat([companionSharedKey, identitySharedKey, random]);
-                authState.creds.advSecretKey = (await hkdf(identityPayload, 32, { info: 'adv_secret' })).toString('base64');
+                authState.creds.advSecretKey = Buffer.from(hkdf(identityPayload, 32, { info: 'adv_secret' })).toString('base64');
                 await query({
                     tag: 'iq',
                     attrs: {
@@ -705,27 +1075,91 @@ export const makeMessagesRecvSocket = (config) => {
             return result;
         }
     };
+    /**
+     * In-memory cache of storage JIDs with stored tctokens, seeded from the persisted index.
+     */
+    const tcTokenKnownJids = new Set();
+    const tcTokenIndexLoaded = (async () => {
+        try {
+            const jids = await readTcTokenIndex(authState.keys);
+            for (const jid of jids)
+                tcTokenKnownJids.add(jid);
+            logger.debug({ count: tcTokenKnownJids.size }, 'loaded tctoken index');
+        }
+        catch (err) {
+            logger.warn({ err: err?.message }, 'failed to load tctoken index');
+        }
+    })();
+    let tcTokenIndexTimer;
+    async function flushTcTokenIndex() {
+        if (tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+            tcTokenIndexTimer = undefined;
+        }
+        const write = await buildMergedTcTokenIndexWrite(authState.keys, tcTokenKnownJids);
+        return authState.keys.set({ tctoken: write });
+    }
+    function scheduleTcTokenIndexSave() {
+        if (tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+        }
+        tcTokenIndexTimer = setTimeout(() => {
+            tcTokenIndexTimer = undefined;
+            flushTcTokenIndex().catch(err => {
+                logger.warn({ err: err?.message }, 'failed to save tctoken index');
+            });
+        }, 5000);
+    }
+    function trackTcTokenJid(jid) {
+        if (jid && jid !== TC_TOKEN_INDEX_KEY && !tcTokenKnownJids.has(jid)) {
+            tcTokenKnownJids.add(jid);
+            scheduleTcTokenIndexSave();
+        }
+    }
     const handlePrivacyTokenNotification = async (node) => {
         const tokensNode = getBinaryNodeChild(node, 'tokens');
-        const from = jidNormalizedUser(node.attrs.from);
         if (!tokensNode)
             return;
-        const tokenNodes = getBinaryNodeChildren(tokensNode, 'token');
-        for (const tokenNode of tokenNodes) {
-            const { attrs, content } = tokenNode;
-            const type = attrs.type;
-            const timestamp = attrs.t;
-            if (type === 'trusted_contact' && content instanceof Buffer) {
-                logger.debug({
-                    from,
-                    timestamp,
-                    tcToken: content
-                }, 'received trusted contact token');
-                await authState.keys.set({
-                    tctoken: { [from]: { token: content, timestamp } }
-                });
+        const from = jidNormalizedUser(node.attrs.from);
+        const senderLid = node.attrs.sender_lid && isLidUser(jidNormalizedUser(node.attrs.sender_lid))
+            ? jidNormalizedUser(node.attrs.sender_lid)
+            : undefined;
+        const fallbackJid = senderLid ?? (await resolveTcTokenJid(from, getLIDForPN));
+        logger.debug({ from, storageJid: fallbackJid }, 'processing privacy token notification');
+        await storeTcTokensFromIqResult({
+            result: node,
+            fallbackJid,
+            keys: authState.keys,
+            getLIDForPN,
+            onNewJidStored: trackTcTokenJid
+        });
+    };
+    /**
+     * Fire-and-forget tctoken re-issuance after a peer's device identity changed.
+     */
+    const reissueTcTokenAfterIdentityChange = (from) => {
+        void (async () => {
+            const normalizedJid = jidNormalizedUser(from);
+            const tcJid = await resolveTcTokenJid(normalizedJid, getLIDForPN);
+            const tcTokenData = await authState.keys.get('tctoken', [tcJid]);
+            const senderTs = tcTokenData?.[tcJid]?.senderTimestamp;
+            if (senderTs === null || senderTs === undefined || isTcTokenExpired(senderTs)) {
+                return;
             }
-        }
+            logger.debug({ jid: normalizedJid, senderTimestamp: senderTs }, 'identity changed, re-issuing tctoken');
+            const getPNForLID = signalRepository.lidMapping.getPNForLID.bind(signalRepository.lidMapping);
+            const issueJid = await resolveIssuanceJid(normalizedJid, sock.serverProps.lidTrustedTokenIssueToLid, getLIDForPN, getPNForLID);
+            const result = await issuePrivacyTokens([issueJid], senderTs);
+            await storeTcTokensFromIqResult({
+                result,
+                fallbackJid: tcJid,
+                keys: authState.keys,
+                getLIDForPN,
+                onNewJidStored: trackTcTokenJid
+            });
+        })().catch(err => {
+            logger.debug({ jid: from, err: err?.message }, 'failed to re-issue tctoken after identity change');
+        });
     };
     async function decipherLinkPublicKey(data) {
         const buffer = toRequiredBuffer(data);
@@ -959,81 +1393,148 @@ export const makeMessagesRecvSocket = (config) => {
             await sendMessageAck(node, NACK_REASONS.MissingMessageSecret);
             return;
         }
-        const { fullMessage: msg, category, author, decrypt } = decryptMessageNode(node, authState.creds.me.id, authState.creds.me.lid || '', signalRepository, logger);
-        const alt = msg.key.participantAlt || msg.key.remoteJidAlt;
-        // store new mappings we didn't have before
-        if (!!alt) {
-            const altServer = jidDecode(alt)?.server;
-            const primaryJid = msg.key.participant || msg.key.remoteJid;
-            if (altServer === 'lid') {
-                if (!(await signalRepository.lidMapping.getPNForLID(alt))) {
-                    await signalRepository.lidMapping.storeLIDPNMappings([{ lid: alt, pn: primaryJid }]);
-                    await signalRepository.migrateSession(primaryJid, alt);
+        let acked = false;
+        try {
+            const { fullMessage: msg, category, author, decrypt } = decryptMessageNode(node, authState.creds.me.id, authState.creds.me.lid || '', signalRepository, logger);
+            const alt = msg.key.participantAlt || msg.key.remoteJidAlt;
+            // store new mappings we didn't have before
+            if (!!alt) {
+                const altServer = jidDecode(alt)?.server;
+                const primaryJid = msg.key.participant || msg.key.remoteJid;
+                if (altServer === 'lid') {
+                    if (!(await signalRepository.lidMapping.getPNForLID(alt))) {
+                        await signalRepository.lidMapping.storeLIDPNMappings([{ lid: alt, pn: primaryJid }]);
+                        await signalRepository.migrateSession(primaryJid, alt);
+                    }
+                }
+                else {
+                    await signalRepository.lidMapping.storeLIDPNMappings([{ lid: primaryJid, pn: alt }]);
+                    await signalRepository.migrateSession(alt, primaryJid);
                 }
             }
-            else {
-                await signalRepository.lidMapping.storeLIDPNMappings([{ lid: primaryJid, pn: alt }]);
-                await signalRepository.migrateSession(alt, primaryJid);
+            // Cache for retry receipts BEFORE decrypt — so retry logic works even if decryption throws
+            if (msg.key?.remoteJid && msg.key?.id && messageRetryManager) {
+                messageRetryManager.addRecentMessage(msg.key.remoteJid, msg.key.id, msg.message);
+                logger.debug({ jid: msg.key.remoteJid, id: msg.key.id }, 'Added message to recent cache for retry receipts');
             }
-        }
-        if (msg.key?.remoteJid && msg.key?.id && messageRetryManager) {
-            messageRetryManager.addRecentMessage(msg.key.remoteJid, msg.key.id, msg.message);
-            logger.debug({
-                jid: msg.key.remoteJid,
-                id: msg.key.id
-            }, 'Added message to recent cache for retry receipts');
-        }
-        try {
             await messageMutex.mutex(async () => {
                 await decrypt();
                 // message failed to decrypt
                 if (msg.messageStubType === proto.WebMessageInfo.StubType.CIPHERTEXT && msg.category !== 'peer') {
-                    if (msg?.messageStubParameters?.[0] === MISSING_KEYS_ERROR_TEXT ||
-                        msg.messageStubParameters?.[0] === NO_MESSAGE_FOUND_ERROR_TEXT) {
-                        return sendMessageAck(node);
+                    if (msg?.messageStubParameters?.[0] === MISSING_KEYS_ERROR_TEXT) {
+                        acked = true;
+                        return sendMessageAck(node, NACK_REASONS.ParsingError);
                     }
-                    const errorMessage = msg?.messageStubParameters?.[0] || '';
-                    const isPreKeyError = errorMessage.includes('PreKey');
-                    logger.debug(`[handleMessage] Attempting retry request for failed decryption`);
-                    // Handle both pre-key and normal retries in single mutex
-                    await retryMutex.mutex(async () => {
-                        try {
-                            if (!ws.isOpen) {
-                                logger.debug({ node }, 'Connection closed, skipping retry');
-                                return;
-                            }
-                            // Handle pre-key errors with upload and delay
-                            if (isPreKeyError) {
-                                logger.info({ error: errorMessage }, 'PreKey error detected, uploading and retrying');
-                                try {
-                                    logger.debug('Uploading pre-keys for error recovery');
-                                    await uploadPreKeys(5);
-                                    logger.debug('Waiting for server to process new pre-keys');
-                                    await delay(1000);
-                                }
-                                catch (uploadErr) {
-                                    logger.error({ uploadErr }, 'Pre-key upload failed, proceeding with retry anyway');
-                                }
+                    if (msg.messageStubParameters?.[0] === NO_MESSAGE_FOUND_ERROR_TEXT) {
+                        // Message arrived without encryption (e.g. CTWA ads messages).
+                        // Check if this is eligible for placeholder resend (matching WA Web filters).
+                        const unavailableNode = getBinaryNodeChild(node, 'unavailable');
+                        const unavailableType = unavailableNode?.attrs?.type;
+                        if (unavailableType === 'bot_unavailable_fanout' ||
+                            unavailableType === 'hosted_unavailable_fanout' ||
+                            unavailableType === 'view_once_unavailable_fanout') {
+                            logger.debug({ msgId: msg.key.id, unavailableType }, 'skipping placeholder resend for excluded unavailable type');
+                            acked = true;
+                            return sendMessageAck(node);
+                        }
+                        const messageAge = unixTimestampSeconds() - toNumber(msg.messageTimestamp);
+                        if (messageAge > PLACEHOLDER_MAX_AGE_SECONDS) {
+                            logger.debug({ msgId: msg.key.id, messageAge }, 'skipping placeholder resend for old message');
+                            acked = true;
+                            return sendMessageAck(node);
+                        }
+                        // Request the real content from the phone via placeholder resend PDO.
+                        // Upsert the CIPHERTEXT stub as a placeholder (like WA Web's processPlaceholderMsg),
+                        // and store the requestId in stubParameters[1] so users can correlate
+                        // with the incoming PDO response event.
+                        const cleanKey = {
+                            remoteJid: msg.key.remoteJid,
+                            fromMe: msg.key.fromMe,
+                            id: msg.key.id,
+                            participant: msg.key.participant
+                        };
+                        // Cache the original message metadata so the PDO response handler
+                        // can preserve key fields (LID details etc.) that the phone may omit
+                        const msgData = {
+                            key: msg.key,
+                            messageTimestamp: msg.messageTimestamp,
+                            pushName: msg.pushName,
+                            participant: msg.participant,
+                            verifiedBizName: msg.verifiedBizName
+                        };
+                        requestPlaceholderResend(cleanKey, msgData)
+                            .then(requestId => {
+                            if (requestId && requestId !== 'RESOLVED') {
+                                logger.debug({ msgId: msg.key.id, requestId }, 'requested placeholder resend for unavailable message');
+                                ev.emit('messages.update', [
+                                    {
+                                        key: msg.key,
+                                        update: { messageStubParameters: [NO_MESSAGE_FOUND_ERROR_TEXT, requestId] }
+                                    }
+                                ]);
                             }
-                            const encNode = getBinaryNodeChild(node, 'enc');
-                            await sendRetryRequest(node, !encNode);
-                            if (retryRequestDelayMs) {
-                                await delay(retryRequestDelayMs);
+                        })
+                            .catch(err => {
+                            logger.warn({ err, msgId: msg.key.id }, 'failed to request placeholder resend for unavailable message');
+                        });
+                        acked = true;
+                        await sendMessageAck(node);
+                        // Don't return — fall through to upsertMessage so the stub is emitted
+                    }
+                    else {
+                        // Skip retry for expired status messages (>24h old)
+                        if (isJidStatusBroadcast(msg.key.remoteJid)) {
+                            const messageAge = unixTimestampSeconds() - toNumber(msg.messageTimestamp);
+                            if (messageAge > STATUS_EXPIRY_SECONDS) {
+                                logger.debug({ msgId: msg.key.id, messageAge, remoteJid: msg.key.remoteJid }, 'skipping retry for expired status message');
+                                acked = true;
+                                return sendMessageAck(node);
                             }
                         }
-                        catch (err) {
-                            logger.error({ err, isPreKeyError }, 'Failed to handle retry, attempting basic retry');
-                            // Still attempt retry even if pre-key upload failed
+                        const errorMessage = msg?.messageStubParameters?.[0] || '';
+                        const isPreKeyError = errorMessage.includes('PreKey');
+                        logger.debug(`[handleMessage] Attempting retry request for failed decryption`);
+                        // Handle both pre-key and normal retries in single mutex
+                        await retryMutex.mutex(async () => {
                             try {
+                                if (!ws.isOpen) {
+                                    logger.debug({ node }, 'Connection closed, skipping retry');
+                                    return;
+                                }
+                                // Handle pre-key errors with upload and delay
+                                if (isPreKeyError) {
+                                    logger.info({ error: errorMessage }, 'PreKey error detected, uploading and retrying');
+                                    try {
+                                        logger.debug('Uploading pre-keys for error recovery');
+                                        await uploadPreKeys(5);
+                                        logger.debug('Waiting for server to process new pre-keys');
+                                        await delay(1000);
+                                    }
+                                    catch (uploadErr) {
+                                        logger.error({ uploadErr }, 'Pre-key upload failed, proceeding with retry anyway');
+                                    }
+                                }
                                 const encNode = getBinaryNodeChild(node, 'enc');
                                 await sendRetryRequest(node, !encNode);
+                                if (retryRequestDelayMs) {
+                                    await delay(retryRequestDelayMs);
+                                }
                             }
-                            catch (retryErr) {
-                                logger.error({ retryErr }, 'Failed to send retry after error handling');
+                            catch (err) {
+                                logger.error({ err, isPreKeyError }, 'Failed to handle retry, attempting basic retry');
+                                // Still attempt retry even if pre-key upload failed
+                                try {
+                                    const encNode = getBinaryNodeChild(node, 'enc');
+                                    await sendRetryRequest(node, !encNode);
+                                }
+                                catch (retryErr) {
+                                    logger.error({ retryErr }, 'Failed to send retry after error handling');
+                                }
                             }
-                        }
-                        await sendMessageAck(node, NACK_REASONS.UnhandledError);
-                    });
+                            acked = true;
+                            await sendMessageAck(node, NACK_REASONS.UnhandledError);
+                        });
+                    }
                 }
                 else {
                     if (messageRetryManager && msg.key.id) {
@@ -1059,6 +1560,7 @@ export const makeMessagesRecvSocket = (config) => {
                         else if (!sendActiveReceipts) {
                             type = 'inactive';
                         }
+                        acked = true;
                         await sendReceipt(msg.key.remoteJid, participant, [msg.key.id], type);
                         // send ack for history message
                         const isAnyHistoryMsg = getHistoryMsg(msg.message);
@@ -1068,6 +1570,7 @@ export const makeMessagesRecvSocket = (config) => {
                         }
                     }
                     else {
+                        acked = true;
                         await sendMessageAck(node);
                         logger.debug({ key: msg.key }, 'processed newsletter message without receipts');
                     }
@@ -1078,6 +1581,9 @@ export const makeMessagesRecvSocket = (config) => {
         }
         catch (error) {
             logger.error({ error, node: binaryNodeToString(node) }, 'error in handling message');
+            if (!acked) {
+                await sendMessageAck(node, NACK_REASONS.UnhandledError).catch(ackErr => logger.error({ ackErr }, 'failed to ack message after error'));
+            }
         }
     };
     const handleCall = async (node) => {
@@ -1092,6 +1598,7 @@ export const makeMessagesRecvSocket = (config) => {
         const call = {
             chatId: attrs.from,
             from,
+            callerPn: infoChild.attrs['caller_pn'],
             id: callId,
             date: new Date(+attrs.t * 1000),
             offline: !!attrs.offline,
@@ -1108,6 +1615,7 @@ export const makeMessagesRecvSocket = (config) => {
         if (existingCall) {
             call.isVideo = existingCall.isVideo;
             call.isGroup = existingCall.isGroup;
+            call.callerPn = call.callerPn || existingCall.callerPn;
         }
         // delete data once call has ended
         if (status === 'reject' || status === 'accept' || status === 'timeout' || status === 'terminate') {
@@ -1118,23 +1626,22 @@ export const makeMessagesRecvSocket = (config) => {
     };
     const handleBadAck = async ({ attrs }) => {
         const key = { remoteJid: attrs.from, fromMe: true, id: attrs.id };
-        // WARNING: REFRAIN FROM ENABLING THIS FOR NOW. IT WILL CAUSE A LOOP
-        // // current hypothesis is that if pash is sent in the ack
-        // // it means -- the message hasn't reached all devices yet
-        // // we'll retry sending the message here
-        // if(attrs.phash) {
-        // 	logger.info({ attrs }, 'received phash in ack, resending message...')
-        // 	const msg = await getMessage(key)
-        // 	if(msg) {
-        // 		await relayMessage(key.remoteJid!, msg, { messageId: key.id!, useUserDevicesCache: false })
-        // 	} else {
-        // 		logger.warn({ attrs }, 'could not send message again, as it was not found')
-        // 	}
-        // }
         // error in acknowledgement,
         // device could not display the message
         if (attrs.error) {
-            logger.warn({ attrs }, 'received error in ack');
+            if (attrs.error === SERVER_ERROR_CODES.MissingTcToken) {
+                // 463 = account restricted + no tctoken for this contact.
+                // WA Web prevents this client-side (disables compose bar).
+                // No retry — retrying worsens the restriction by counting
+                // as another "reach out" to an unknown contact.
+                logger.warn({ msgId: attrs.id, from: attrs.from }, 'error 463: account restricted or missing tctoken for contact');
+            }
+            else if (attrs.error === SERVER_ERROR_CODES.SmaxInvalid) {
+                logger.warn({ msgId: attrs.id, from: attrs.from }, 'smax-invalid (479): stanza rejected by server — likely stale device session or malformed addressing');
+            }
+            else {
+                logger.warn({ attrs }, 'received error in ack');
+            }
             ev.emit('messages.update', [
                 {
                     key,
@@ -1144,19 +1651,6 @@ export const makeMessagesRecvSocket = (config) => {
                     }
                 }
             ]);
-            // resend the message with device_fanout=false, use at your own risk
-            // if (attrs.error === '475') {
-            // 	const msg = await getMessage(key)
-            // 	if (msg) {
-            // 		await relayMessage(key.remoteJid!, msg, {
-            // 			messageId: key.id!,
-            // 			useUserDevicesCache: false,
-            // 			additionalAttributes: {
-            // 				device_fanout: 'false'
-            // 			}
-            // 		})
-            // 	}
-            // }
         }
     };
     /// processes a node with the given function
@@ -1271,17 +1765,112 @@ export const makeMessagesRecvSocket = (config) => {
             await upsertMessage(protoMsg, call.offline ? 'append' : 'notify');
         }
     });
-    ev.on('connection.update', ({ isOnline }) => {
+    /** timestamp of last tctoken prune run — throttles to once per 24h */
+    let lastTcTokenPruneTs = 0;
+    ev.on('connection.update', ({ isOnline, connection }) => {
         if (typeof isOnline !== 'undefined') {
             sendActiveReceipts = isOnline;
             logger.trace(`sendActiveReceipts set to "${sendActiveReceipts}"`);
         }
+        // Flush pending tctoken index save on disconnect to avoid writing after close
+        if (connection === 'close' && tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+            tcTokenIndexTimer = undefined;
+            try {
+                void Promise.resolve(flushTcTokenIndex()).catch(() => { });
+            }
+            catch {
+                /* ignore sync errors */
+            }
+        }
+        // Prune expired tctokens when coming online, at most once per 24 hours
+        if (isOnline) {
+            const now = Date.now();
+            const DAY_MS = 24 * 60 * 60 * 1000;
+            if (now - lastTcTokenPruneTs >= DAY_MS) {
+                lastTcTokenPruneTs = now;
+                void pruneExpiredTcTokens();
+            }
+        }
     });
+    async function pruneExpiredTcTokens() {
+        try {
+            await tcTokenIndexLoaded;
+            const persisted = await readTcTokenIndex(authState.keys);
+            const allJids = new Set(tcTokenKnownJids);
+            for (const jid of persisted)
+                allJids.add(jid);
+            if (!allJids.size)
+                return;
+            const jids = [...allJids];
+            const allTokens = await authState.keys.get('tctoken', jids);
+            const writes = {};
+            const survivors = new Set();
+            let mutated = 0;
+            for (const jid of jids) {
+                const entry = allTokens[jid];
+                if (!entry) {
+                    mutated++;
+                    continue;
+                }
+                const hasPeerToken = !!entry.token?.length;
+                const peerTokenExpired = hasPeerToken && isTcTokenExpired(entry.timestamp);
+                const hasSenderTs = entry.senderTimestamp !== undefined;
+                const senderTsExpired = hasSenderTs && isTcTokenExpired(entry.senderTimestamp);
+                const keepPeerToken = hasPeerToken && !peerTokenExpired;
+                const keepSenderTs = hasSenderTs && !senderTsExpired;
+                if (!keepPeerToken && !keepSenderTs) {
+                    writes[jid] = null;
+                    mutated++;
+                }
+                else if (peerTokenExpired && keepSenderTs) {
+                    writes[jid] = { token: Buffer.alloc(0), senderTimestamp: entry.senderTimestamp };
+                    survivors.add(jid);
+                    mutated++;
+                }
+                else {
+                    survivors.add(jid);
+                }
+            }
+            if (mutated === 0)
+                return;
+            await authState.keys.set({
+                tctoken: {
+                    ...writes,
+                    [TC_TOKEN_INDEX_KEY]: {
+                        token: Buffer.from(JSON.stringify([...survivors]))
+                    }
+                }
+            });
+            tcTokenKnownJids.clear();
+            for (const jid of survivors)
+                tcTokenKnownJids.add(jid);
+            logger.debug({ mutated, remaining: survivors.size }, 'pruned expired tctokens');
+        }
+        catch (err) {
+            logger.warn({ err: err?.message }, 'failed to prune expired tctokens');
+        }
+    }
     return {
         ...sock,
         sendMessageAck,
         sendRetryRequest,
+        offerCall,
+        initiateCall,
+        cancelCall,
         rejectCall,
+        acceptCall,
+        preacceptCall,
+        terminateCall,
+        sendRelayLatency,
+        sendTransport,
+        sendCallDuration,
+        muteCall,
+        sendHeartbeat,
+        sendEncRekey,
+        sendVideoState,
+        queryCallLink,
+        joinCallLink,
         fetchMessageHistory,
         requestPlaceholderResend,
         messageRetryManager