@signalapp/libsignal-client 0.70.1 → 0.71.0

package/Native.d.ts

@@ -57,10 +57,16 @@ type SealedSenderMultiRecipientMessage = {
   offsetOfSharedData: number;
 };
 
+enum IdentityChange {
+  // This must be kept in sync with the Rust enum of the same name.
+  NewOrUnchanged = 0,
+  ReplacedExisting = 1,
+}
+
 type IdentityKeyStore = {
   _getIdentityKey(): Promise<PrivateKey>;
   _getLocalRegistrationId(): Promise<number>;
-  _saveIdentity(name: ProtocolAddress, key: PublicKey): Promise<boolean>;
+  _saveIdentity(name: ProtocolAddress, key: PublicKey): Promise<IdentityChange>;
   _isTrustedIdentity(
     name: ProtocolAddress,
     key: PublicKey,
@@ -148,6 +154,11 @@ type RegisterResponseBadge = {
   expirationSeconds: number;
 };
 
+type CheckSvr2CredentialsResponse = Map<
+  string,
+  'match' | 'no-match' | 'invalid'
+>;
+
 type SignedPublicPreKey = {
   keyId: number;
   publicKey: Buffer;
@@ -334,6 +345,12 @@ export function IncrementalMac_CalculateChunkSize(dataSize: number): number;
 export function IncrementalMac_Finalize(mac: Wrapper<IncrementalMac>): Buffer;
 export function IncrementalMac_Initialize(key: Buffer, chunkSize: number): IncrementalMac;
 export function IncrementalMac_Update(mac: Wrapper<IncrementalMac>, bytes: Buffer, offset: number, length: number): Buffer;
+export function KeyTransparency_AciSearchKey(aci: Buffer): Buffer;
+export function KeyTransparency_Distinguished(asyncRuntime: Wrapper<TokioAsyncContext>, environment: number, chatConnection: Wrapper<UnauthenticatedChatConnection>, lastDistinguishedTreeHead: Buffer | null): CancellablePromise<Buffer>;
+export function KeyTransparency_E164SearchKey(e164: string): Buffer;
+export function KeyTransparency_Monitor(asyncRuntime: Wrapper<TokioAsyncContext>, environment: number, chatConnection: Wrapper<UnauthenticatedChatConnection>, aci: Buffer, aciIdentityKey: Wrapper<PublicKey>, e164: string | null, unidentifiedAccessKey: Buffer | null, usernameHash: Buffer | null, accountData: Buffer | null, lastDistinguishedTreeHead: Buffer): CancellablePromise<Buffer>;
+export function KeyTransparency_Search(asyncRuntime: Wrapper<TokioAsyncContext>, environment: number, chatConnection: Wrapper<UnauthenticatedChatConnection>, aci: Buffer, aciIdentityKey: Wrapper<PublicKey>, e164: string | null, unidentifiedAccessKey: Buffer | null, usernameHash: Buffer | null, accountData: Buffer | null, lastDistinguishedTreeHead: Buffer): CancellablePromise<SearchResult>;
+export function KeyTransparency_UsernameHashSearchKey(hash: Buffer): Buffer;
 export function KyberKeyPair_Generate(): KyberKeyPair;
 export function KyberKeyPair_GetPublicKey(keyPair: Wrapper<KyberKeyPair>): KyberPublicKey;
 export function KyberKeyPair_GetSecretKey(keyPair: Wrapper<KyberKeyPair>): KyberSecretKey;
@@ -434,7 +451,7 @@ export function ReceiptCredential_CheckValidContents(buffer: Buffer): void;
 export function ReceiptCredential_GetReceiptExpirationTime(receiptCredential: Serialized<ReceiptCredential>): Timestamp;
 export function ReceiptCredential_GetReceiptLevel(receiptCredential: Serialized<ReceiptCredential>): bigint;
 export function RegisterAccountRequest_Create(): RegisterAccountRequest;
-export function RegisterAccountRequest_SetAccountPassword(registerAccount: Wrapper<RegisterAccountRequest>, accountPassword: Buffer): void;
+export function RegisterAccountRequest_SetAccountPassword(registerAccount: Wrapper<RegisterAccountRequest>, accountPassword: string): void;
 export function RegisterAccountRequest_SetIdentityPqLastResortPreKey(registerAccount: Wrapper<RegisterAccountRequest>, identityType: number, pqLastResortPreKey: SignedPublicPreKey): void;
 export function RegisterAccountRequest_SetIdentityPublicKey(registerAccount: Wrapper<RegisterAccountRequest>, identityType: number, identityKey: Wrapper<PublicKey>): void;
 export function RegisterAccountRequest_SetIdentitySignedPreKey(registerAccount: Wrapper<RegisterAccountRequest>, identityType: number, signedPreKey: SignedPublicPreKey): void;
@@ -449,6 +466,7 @@ export function RegisterAccountResponse_GetStorageCapable(response: Wrapper<Regi
 export function RegisterAccountResponse_GetUsernameHash(response: Wrapper<RegisterAccountResponse>): Buffer | null;
 export function RegisterAccountResponse_GetUsernameLinkHandle(response: Wrapper<RegisterAccountResponse>): Uuid | null;
 export function RegistrationAccountAttributes_Create(recoveryPassword: Buffer, aciRegistrationId: number, pniRegistrationId: number, registrationLock: string | null, unidentifiedAccessKey: Buffer | null, unrestrictedUnidentifiedAccess: boolean, capabilities: string[], discoverableByPhoneNumber: boolean): RegistrationAccountAttributes;
+export function RegistrationService_CheckSvr2Credentials(asyncRuntime: Wrapper<TokioAsyncContext>, service: Wrapper<RegistrationService>, svrTokens: string[]): CancellablePromise<CheckSvr2CredentialsResponse>;
 export function RegistrationService_CreateSession(asyncRuntime: Wrapper<TokioAsyncContext>, createSession: RegistrationCreateSessionRequest, connectChat: ConnectChatBridge): CancellablePromise<RegistrationService>;
 export function RegistrationService_RegisterAccount(asyncRuntime: Wrapper<TokioAsyncContext>, service: Wrapper<RegistrationService>, registerAccount: Wrapper<RegisterAccountRequest>, accountAttributes: Wrapper<RegistrationAccountAttributes>): CancellablePromise<RegisterAccountResponse>;
 export function RegistrationService_RegistrationSession(service: Wrapper<RegistrationService>): RegistrationSession;
@@ -479,6 +497,11 @@ export function SealedSender_DecryptToUsmc(ctext: Buffer, identityStore: Identit
 export function SealedSender_Encrypt(destination: Wrapper<ProtocolAddress>, content: Wrapper<UnidentifiedSenderMessageContent>, identityKeyStore: IdentityKeyStore): Promise<Buffer>;
 export function SealedSender_MultiRecipientEncrypt(recipients: Wrapper<ProtocolAddress>[], recipientSessions: Wrapper<SessionRecord>[], excludedRecipients: Buffer, content: Wrapper<UnidentifiedSenderMessageContent>, identityKeyStore: IdentityKeyStore): Promise<Buffer>;
 export function SealedSender_MultiRecipientMessageForSingleRecipient(encodedMultiRecipientMessage: Buffer): Buffer;
+export function SearchResult_GetAccountData(res: Wrapper<SearchResult>): Buffer;
+export function SearchResult_GetAciForE164(res: Wrapper<SearchResult>): Buffer | null;
+export function SearchResult_GetAciForUsernameHash(res: Wrapper<SearchResult>): Buffer | null;
+export function SearchResult_GetAciIdentityKey(res: Wrapper<SearchResult>): PublicKey;
+export function SearchResult_GetTimestamp(res: Wrapper<SearchResult>): bigint;
 export function SenderCertificate_Deserialize(data: Buffer): SenderCertificate;
 export function SenderCertificate_GetCertificate(obj: Wrapper<SenderCertificate>): Buffer;
 export function SenderCertificate_GetDeviceId(obj: Wrapper<SenderCertificate>): number;
@@ -634,7 +657,10 @@ export function TESTING_PanicOnReturnIo(asyncRuntime: Wrapper<NonSuspendingBackg
 export function TESTING_PanicOnReturnSync(_needsCleanup: null): null;
 export function TESTING_ProcessBytestringArray(input: Buffer[]): Buffer[];
 export function TESTING_RegisterAccountResponse_CreateTestValue(): RegisterAccountResponse;
+export function TESTING_RegistrationService_CheckSvr2CredentialsErrorConvert(errorDescription: string): void;
+export function TESTING_RegistrationService_CheckSvr2CredentialsResponseConvert(): CheckSvr2CredentialsResponse;
 export function TESTING_RegistrationService_CreateSessionErrorConvert(errorDescription: string): void;
+export function TESTING_RegistrationService_RegisterAccountErrorConvert(errorDescription: string): void;
 export function TESTING_RegistrationService_RequestVerificationCodeErrorConvert(errorDescription: string): void;
 export function TESTING_RegistrationService_ResumeSessionErrorConvert(errorDescription: string): void;
 export function TESTING_RegistrationService_SubmitVerificationErrorConvert(errorDescription: string): void;
@@ -736,6 +762,7 @@ interface RegistrationService { readonly __type: unique symbol; }
 interface RegistrationSession { readonly __type: unique symbol; }
 interface SanitizedMetadata { readonly __type: unique symbol; }
 interface SealedSenderDecryptionResult { readonly __type: unique symbol; }
+interface SearchResult { readonly __type: unique symbol; }
 interface SenderCertificate { readonly __type: unique symbol; }
 interface SenderKeyDistributionMessage { readonly __type: unique symbol; }
 interface SenderKeyMessage { readonly __type: unique symbol; }

package/dist/acknowledgments.md

@@ -2708,133 +2708,6 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ```
 
-## dunce 1.0.5
-
-```
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
-    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
-    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
-    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
-    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
-    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
-    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
-    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
-    HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
-  i. the right to reproduce, adapt, distribute, perform, display,
-     communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
-     likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
-     subject to the limitations in paragraph 4(a), below;
-  v. rights protecting the extraction, dissemination, use and reuse of data
-     in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
-     European Parliament and of the Council of 11 March 1996 on the legal
-     protection of databases, and under any national implementation
-     thereof, including any amended or successor version of such
-     directive); and
-vii. other similar, equivalent or corresponding rights throughout the
-     world based on applicable law or treaty, and any national
-     implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
-    surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
-    warranties of any kind concerning the Work, express, implied,
-    statutory or otherwise, including without limitation warranties of
-    title, merchantability, fitness for a particular purpose, non
-    infringement, or the absence of latent or other defects, accuracy, or
-    the present or absence of errors, whether or not discoverable, all to
-    the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
-    that may apply to the Work or any use thereof, including without
-    limitation any person's Copyright and Related Rights in the Work.
-    Further, Affirmer disclaims responsibility for obtaining any necessary
-    consents, permissions or other rights required for any use of the
-    Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
-    party to this document and has no duty or obligation with respect to
-    this CC0 or use of the Work.
-
-```
-
 ## boring-sys 4.15.0
 
 ```
@@ -3175,7 +3048,7 @@ DEALINGS IN THE SOFTWARE.
 
 ```
 
-## backtrace 0.3.74, cc 1.2.18, cfg-if 1.0.0, cmake 0.1.48, jobserver 0.1.33, openssl-probe 0.1.6, pkg-config 0.3.32, rustc-demangle 0.1.24, scoped-tls 1.0.1, socket2 0.5.9
+## backtrace 0.3.74, cc 1.2.18, cfg-if 1.0.0, cmake 0.1.48, openssl-probe 0.1.6, pkg-config 0.3.32, rustc-demangle 0.1.24, scoped-tls 1.0.1, socket2 0.5.9
 
 ```
 Copyright (c) 2014 Alex Crichton
@@ -7222,7 +7095,7 @@ SOFTWARE.
 
 ```
 
-## cesu8 1.1.0, pqcrypto-internals 0.2.10, pqcrypto-kyber 0.7.9, pqcrypto-kyber 0.8.1, pqcrypto-traits 0.3.5
+## cesu8 1.1.0
 
 ```
 MIT License

package/dist/index.d.ts

@@ -268,15 +268,19 @@ export declare abstract class SessionStore implements Native.SessionStore {
     abstract getSession(name: ProtocolAddress): Promise<SessionRecord | null>;
     abstract getExistingSessions(addresses: ProtocolAddress[]): Promise<SessionRecord[]>;
 }
+export declare enum IdentityChange {
+    NewOrUnchanged = 0,
+    ReplacedExisting = 1
+}
 export declare abstract class IdentityKeyStore implements Native.IdentityKeyStore {
     _getIdentityKey(): Promise<Native.PrivateKey>;
     _getLocalRegistrationId(): Promise<number>;
-    _saveIdentity(name: Native.ProtocolAddress, key: Native.PublicKey): Promise<boolean>;
+    _saveIdentity(name: Native.ProtocolAddress, key: Native.PublicKey): Promise<Native.IdentityChange>;
     _isTrustedIdentity(name: Native.ProtocolAddress, key: Native.PublicKey, sending: boolean): Promise<boolean>;
     _getIdentity(name: Native.ProtocolAddress): Promise<Native.PublicKey | null>;
     abstract getIdentityKey(): Promise<PrivateKey>;
     abstract getLocalRegistrationId(): Promise<number>;
-    abstract saveIdentity(name: ProtocolAddress, key: PublicKey): Promise<boolean>;
+    abstract saveIdentity(name: ProtocolAddress, key: PublicKey): Promise<IdentityChange>;
     abstract isTrustedIdentity(name: ProtocolAddress, key: PublicKey, direction: Direction): Promise<boolean>;
     abstract getIdentity(name: ProtocolAddress): Promise<PublicKey | null>;
 }

package/dist/index.js

@@ -18,8 +18,8 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.sealedSenderMultiRecipientMessageForSingleRecipient = exports.sealedSenderMultiRecipientEncrypt = exports.sealedSenderEncrypt = exports.sealedSenderEncryptMessage = exports.signalDecryptPreKey = exports.signalDecrypt = exports.signalEncrypt = exports.processPreKeyBundle = exports.DecryptionErrorMessage = exports.PlaintextContent = exports.CiphertextMessage = exports.SealedSenderDecryptionResult = exports.groupDecrypt = exports.groupEncrypt = exports.SenderKeyStore = exports.KyberPreKeyStore = exports.SignedPreKeyStore = exports.PreKeyStore = exports.IdentityKeyStore = exports.SessionStore = exports.UnidentifiedSenderMessageContent = exports.SenderKeyMessage = exports.processSenderKeyDistributionMessage = exports.SenderKeyDistributionMessage = exports.SenderCertificate = exports.SenderKeyRecord = exports.ServerCertificate = exports.SessionRecord = exports.PreKeySignalMessage = exports.SignalMessage = exports.KyberPreKeyRecord = exports.SignedPreKeyRecord = exports.PreKeyRecord = exports.PreKeyBundle = exports.KEMKeyPair = exports.KEMSecretKey = exports.KEMPublicKey = exports.Aes256GcmSiv = exports.Fingerprint = exports.DisplayableFingerprint = exports.ScannableFingerprint = exports.hkdf = exports.ContentHint = exports.Direction = exports.CiphertextMessageType = exports.WebpSanitizer = exports.Mp4Sanitizer = exports.Net = exports.io = exports.usernames = void 0;
-exports.initLogger = exports.LogLevel = exports.HsmEnclaveClient = exports.Cds2Client = exports.sealedSenderDecryptToUsmc = exports.sealedSenderDecryptMessage = void 0;
+exports.sealedSenderMultiRecipientEncrypt = exports.sealedSenderEncrypt = exports.sealedSenderEncryptMessage = exports.signalDecryptPreKey = exports.signalDecrypt = exports.signalEncrypt = exports.processPreKeyBundle = exports.DecryptionErrorMessage = exports.PlaintextContent = exports.CiphertextMessage = exports.SealedSenderDecryptionResult = exports.groupDecrypt = exports.groupEncrypt = exports.SenderKeyStore = exports.KyberPreKeyStore = exports.SignedPreKeyStore = exports.PreKeyStore = exports.IdentityKeyStore = exports.IdentityChange = exports.SessionStore = exports.UnidentifiedSenderMessageContent = exports.SenderKeyMessage = exports.processSenderKeyDistributionMessage = exports.SenderKeyDistributionMessage = exports.SenderCertificate = exports.SenderKeyRecord = exports.ServerCertificate = exports.SessionRecord = exports.PreKeySignalMessage = exports.SignalMessage = exports.KyberPreKeyRecord = exports.SignedPreKeyRecord = exports.PreKeyRecord = exports.PreKeyBundle = exports.KEMKeyPair = exports.KEMSecretKey = exports.KEMPublicKey = exports.Aes256GcmSiv = exports.Fingerprint = exports.DisplayableFingerprint = exports.ScannableFingerprint = exports.hkdf = exports.ContentHint = exports.Direction = exports.CiphertextMessageType = exports.WebpSanitizer = exports.Mp4Sanitizer = exports.Net = exports.io = exports.usernames = void 0;
+exports.initLogger = exports.LogLevel = exports.HsmEnclaveClient = exports.Cds2Client = exports.sealedSenderDecryptToUsmc = exports.sealedSenderDecryptMessage = exports.sealedSenderMultiRecipientMessageForSingleRecipient = void 0;
 const uuid = require("uuid");
 const Errors = require("./Errors");
 __exportStar(require("./Errors"), exports);
@@ -619,6 +619,12 @@ class SessionStore {
     }
 }
 exports.SessionStore = SessionStore;
+var IdentityChange;
+(function (IdentityChange) {
+    // This must be kept in sync with the Rust enum of the same name.
+    IdentityChange[IdentityChange["NewOrUnchanged"] = 0] = "NewOrUnchanged";
+    IdentityChange[IdentityChange["ReplacedExisting"] = 1] = "ReplacedExisting";
+})(IdentityChange || (exports.IdentityChange = IdentityChange = {}));
 class IdentityKeyStore {
     async _getIdentityKey() {
         const key = await this.getIdentityKey();

package/dist/net/Chat.d.ts

@@ -3,7 +3,8 @@ import * as Native from '../../Native';
 import { LibSignalError } from '../Errors';
 import { Wrapper } from '../../Native';
 import { Buffer } from 'node:buffer';
-import { TokioAsyncContext } from '../net';
+import { TokioAsyncContext, Environment } from '../net';
+import * as KT from './KeyTransparency';
 export type ChatRequest = Readonly<{
     verb: string;
     path: string;
@@ -11,7 +12,7 @@ export type ChatRequest = Readonly<{
     body?: Uint8Array;
     timeoutMillis?: number;
 }>;
-type ConnectionManager = Wrapper<Native.ConnectionManager>;
+type ConnectionManager = Native.Wrapper<Native.ConnectionManager>;
 export declare class ChatServerMessageAck {
     readonly _nativeHandle: Native.ServerMessageAck;
     constructor(_nativeHandle: Native.ServerMessageAck);
@@ -83,7 +84,8 @@ export declare class UnauthenticatedChatConnection implements ChatConnection {
     private readonly asyncContext;
     private readonly chatService;
     private readonly chatListener;
-    static connect(asyncContext: TokioAsyncContext, connectionManager: ConnectionManager, listener: ConnectionEventsListener, options?: {
+    private readonly env?;
+    static connect(asyncContext: TokioAsyncContext, connectionManager: ConnectionManager, listener: ConnectionEventsListener, env?: Environment, options?: {
         abortSignal?: AbortSignal;
     }): Promise<UnauthenticatedChatConnection>;
     /**
@@ -101,6 +103,7 @@ export declare class UnauthenticatedChatConnection implements ChatConnection {
     }): Promise<Native.ChatResponse>;
     disconnect(): Promise<void>;
     connectionInfo(): ConnectionInfo;
+    keyTransparencyClient(): KT.Client;
 }
 export declare class AuthenticatedChatConnection implements ChatConnection {
     private readonly asyncContext;

package/dist/net/Chat.js

@@ -8,6 +8,7 @@ exports.buildHttpRequest = exports.AuthenticatedChatConnection = exports.Unauthe
 const Native = require("../../Native");
 const node_buffer_1 = require("node:buffer");
 const net_1 = require("../net");
+const KT = require("./KeyTransparency");
 const DEFAULT_CHAT_REQUEST_TIMEOUT_MILLIS = 5000;
 class ChatServerMessageAck {
     constructor(_nativeHandle) {
@@ -41,13 +42,13 @@ class ConnectionInfoImpl {
     }
 }
 class UnauthenticatedChatConnection {
-    static async connect(asyncContext, connectionManager, listener, options) {
+    static async connect(asyncContext, connectionManager, listener, env, options) {
         const nativeChatListener = makeNativeChatListener(asyncContext, listener);
         const connect = Native.UnauthenticatedChatConnection_connect(asyncContext, connectionManager);
         const chat = await asyncContext.makeCancellable(options?.abortSignal, connect);
         const connection = (0, net_1.newNativeHandle)(chat);
         Native.UnauthenticatedChatConnection_init_listener(connection, new WeakListenerWrapper(nativeChatListener));
-        return new UnauthenticatedChatConnection(asyncContext, connection, nativeChatListener);
+        return new UnauthenticatedChatConnection(asyncContext, connection, nativeChatListener, env);
     }
     /**
      * Creates a chat connection backed by a fake remote end.
@@ -69,10 +70,11 @@ class UnauthenticatedChatConnection {
     constructor(asyncContext, chatService, 
     // Unused except to keep the listener alive since the Rust code only holds a
     // weak reference to the same object.
-    chatListener) {
+    chatListener, env) {
         this.asyncContext = asyncContext;
         this.chatService = chatService;
         this.chatListener = chatListener;
+        this.env = env;
     }
     fetch(chatRequest, options) {
         return this.asyncContext.makeCancellable(options?.abortSignal, Native.UnauthenticatedChatConnection_send(this.asyncContext, this.chatService, buildHttpRequest(chatRequest), chatRequest.timeoutMillis ?? DEFAULT_CHAT_REQUEST_TIMEOUT_MILLIS));
@@ -83,6 +85,12 @@ class UnauthenticatedChatConnection {
     connectionInfo() {
         return new ConnectionInfoImpl(Native.UnauthenticatedChatConnection_info(this.chatService));
     }
+    keyTransparencyClient() {
+        if (this.env == null) {
+            throw new Error('KeyTransparency is not supported on local test server');
+        }
+        return new KT.ClientImpl(this.asyncContext, this.chatService, this.env);
+    }
 }
 exports.UnauthenticatedChatConnection = UnauthenticatedChatConnection;
 class AuthenticatedChatConnection {

package/dist/net/KeyTransparency.d.ts

@@ -0,0 +1,129 @@
+/// <reference types="node" />
+import * as Native from '../../Native';
+import { Aci } from '../Address';
+import { PublicKey } from '../EcKeys';
+import { Environment, type TokioAsyncContext } from '../net';
+/**
+ * Interface of a local persistent key transparency data store.
+ *
+ * Contents of the store are opaque to the client and are only supposed to be
+ * used by the {@link Client}.
+ */
+export interface Store {
+    getLastDistinguishedTreeHead(): Promise<Buffer | null>;
+    setLastDistinguishedTreeHead(bytes: Readonly<Buffer> | null): Promise<void>;
+    getAccountData(aci: Aci): Promise<Buffer | null>;
+    setAccountData(aci: Aci, bytes: Readonly<Buffer>): Promise<void>;
+}
+/**
+ * Options that are accepted by all {@link Client} APIs.
+ *
+ * abortSignal, if present, can be used to cancel long-running network IO.
+ */
+export type Options = {
+    abortSignal?: AbortSignal;
+};
+/**
+ * ACI descriptor for key transparency requests.
+ */
+export type AciInfo = {
+    aci: Aci;
+    identityKey: PublicKey;
+};
+/**
+ * E.164 descriptor for key transparency requests.
+ */
+export type E164Info = {
+    e164: string;
+    unidentifiedAccessKey: Readonly<Buffer>;
+};
+/**
+ * Key transparency client request
+ *
+ */
+export type Request = {
+    /** ACI and ACI Identity Key for the account. Required. */
+    aciInfo: AciInfo;
+    /** Unidentified access key associated with the account. Optional. */
+    e164Info?: E164Info;
+    usernameHash?: Readonly<Buffer>;
+};
+/**
+ * Typed API to access the key transparency subsystem using an existing
+ * unauthenticated chat connection.
+ *
+ * Unlike {@link UnauthenticatedChatConnection}, the client does
+ * not export "raw" send/receive APIs, and instead uses them internally to
+ * implement high-level key transparency operations.
+ *
+ * See {@link ClientImpl} for the implementation details.
+ *
+ * Instances should be obtained by calling {@link UnauthenticatedChatConnection.keyTransparencyClient}
+ *
+ * Example usage:
+ *
+ * @example
+ * ```ts
+ * const network = new Net({
+ *   localTestServer: false,
+ *   env: Environment.Staging,
+ *   userAgent: 'key-transparency-example'
+ * });
+ *
+ * const chat = await network.connectUnauthenticatedChat({
+ *   onConnectionInterrupted: (_cause) => {}
+ * });
+ *
+ * const kt = chat.keyTransparencyClient();
+ *
+ * // Promise fulfillment means the operation succeeded with no further steps required.
+ * await kt.search({ aciInfo: { aci: myACI, identityKey: myAciIdentityKey } }, store);
+ * ```
+ *
+ */
+export interface Client {
+    /**
+     * Search for account information in the key transparency tree.
+     *
+     *
+     * @param request - Key transparency client {@link Request}.
+     * @param store - Local key transparency storage. It will be queried for both
+     * the account data and the latest distinguished tree head before sending the
+     * server request and, if the request succeeds, will be updated with the
+     * search operation results.
+     * @param options - options for the asynchronous operation. Optional.
+     *
+     * @returns A promise that resolves if the search succeeds and the local state has been updated
+     * to reflect the latest changes. If the promise is rejected, the UI should be updated to notify
+     * the user of the failure.
+     */
+    search(request: Request, store: Store, options?: Readonly<Options>): Promise<void>;
+    /**
+     * Perform a monitor operation for an account previously searched for.
+     *
+     * If the monitor request discovers that the client has changed their username
+     * or phone number, the search request will be performed instead.
+     *
+     * @param request - Key transparency client {@link Request}.
+     * @param store - Local key transparency storage. It will be queried for both
+     * the account data and the latest distinguished tree head before sending the
+     * server request and, if the request succeeds, will be updated with the
+     * search operation results.
+     * @param options - options for the asynchronous operation. Optional.
+     *
+     * @returns A promise that resolves if the monitor succeeds and the local state has been updated
+     * to reflect the latest changes. If the promise is rejected, the UI should be updated to notify
+     * the user of the failure.
+     */
+    monitor(request: Request, store: Store, options?: Readonly<Options>): Promise<void>;
+}
+export declare class ClientImpl implements Client {
+    private readonly asyncContext;
+    private readonly chatService;
+    private readonly env;
+    constructor(asyncContext: TokioAsyncContext, chatService: Native.Wrapper<Native.UnauthenticatedChatConnection>, env: Environment);
+    search(request: Request, store: Store, options?: Readonly<Options>): Promise<void>;
+    monitor(request: Request, store: Store, options?: Readonly<Options>): Promise<void>;
+    private updateDistinguished;
+    private getLatestDistinguished;
+}

package/dist/net/KeyTransparency.js

@@ -0,0 +1,50 @@
+"use strict";
+//
+// Copyright 2025 Signal Messenger, LLC.
+// SPDX-License-Identifier: AGPL-3.0-only
+//
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientImpl = void 0;
+const Native = require("../../Native");
+const net_1 = require("../net");
+class ClientImpl {
+    constructor(asyncContext, chatService, env) {
+        this.asyncContext = asyncContext;
+        this.chatService = chatService;
+        this.env = env;
+    }
+    async search(request, store, options) {
+        const distinguished = await this.getLatestDistinguished(store, options ?? {});
+        const { abortSignal } = options ?? {};
+        const { aciInfo: { aci, identityKey: aciIdentityKey }, e164Info, usernameHash, } = request;
+        const { e164, unidentifiedAccessKey } = e164Info ?? {
+            e164: null,
+            unidentifiedAccessKey: null,
+        };
+        const searchResultHandle = await this.asyncContext.makeCancellable(abortSignal, Native.KeyTransparency_Search(this.asyncContext, this.env, this.chatService, aci.getServiceIdFixedWidthBinary(), aciIdentityKey, e164, unidentifiedAccessKey, usernameHash ?? null, await store.getAccountData(aci), distinguished));
+        const accountData = Native.SearchResult_GetAccountData((0, net_1.newNativeHandle)(searchResultHandle));
+        await store.setAccountData(aci, accountData);
+    }
+    async monitor(request, store, options) {
+        const distinguished = await this.getLatestDistinguished(store, options ?? {});
+        const { abortSignal } = options ?? {};
+        const { aciInfo: { aci, identityKey: aciIdentityKey }, e164Info, usernameHash, } = request;
+        const { e164, unidentifiedAccessKey } = e164Info ?? {
+            e164: null,
+            unidentifiedAccessKey: null,
+        };
+        const accountData = await this.asyncContext.makeCancellable(abortSignal, Native.KeyTransparency_Monitor(this.asyncContext, this.env, this.chatService, aci.getServiceIdFixedWidthBinary(), aciIdentityKey, e164, unidentifiedAccessKey, usernameHash ?? null, await store.getAccountData(aci), distinguished));
+        await store.setAccountData(aci, accountData);
+    }
+    async updateDistinguished(store, { abortSignal }) {
+        const bytes = await this.asyncContext.makeCancellable(abortSignal, Native.KeyTransparency_Distinguished(this.asyncContext, this.env, this.chatService, await store.getLastDistinguishedTreeHead()));
+        await store.setLastDistinguishedTreeHead(bytes);
+        return bytes;
+    }
+    async getLatestDistinguished(store, options) {
+        return ((await store.getLastDistinguishedTreeHead()) ??
+            (await this.updateDistinguished(store, options)));
+    }
+}
+exports.ClientImpl = ClientImpl;
+//# sourceMappingURL=KeyTransparency.js.map

package/dist/net/Registration.d.ts

@@ -26,6 +26,7 @@ type ResumeSessionArgs = Readonly<{
     sessionId: string;
     e164: string;
 }>;
+export type Svr2CredentialResult = 'match' | 'no-match' | 'invalid';
 /**
  * A client for the Signal registration service.
  *
@@ -88,8 +89,9 @@ export declare class RegistrationService {
         languages: string[];
     }): Promise<void>;
     verifySession(code: string): Promise<boolean>;
+    checkSvr2Credentials(svr2Tokens: Array<string>): Promise<Map<string, Svr2CredentialResult>>;
     registerAccount(inputs: {
-        accountPassword: Uint8Array;
+        accountPassword: string;
         skipDeviceTransfer: boolean;
         accountAttributes: AccountAttributes;
         aciPublicKey: PublicKey;

package/dist/net/Registration.js

@@ -83,10 +83,13 @@ class RegistrationService {
         await Native.RegistrationService_SubmitVerificationCode(this.tokioAsyncContext, this, code);
         return this.sessionState.verified;
     }
+    async checkSvr2Credentials(svr2Tokens) {
+        return Native.RegistrationService_CheckSvr2Credentials(this.tokioAsyncContext, this, svr2Tokens);
+    }
     async registerAccount(inputs) {
         const { accountPassword, skipDeviceTransfer = false, accountAttributes, aciPublicKey, pniPublicKey, aciSignedPreKey, pniSignedPreKey, aciPqLastResortPreKey, pniPqLastResortPreKey, } = inputs;
         const args = (0, net_1.newNativeHandle)(Native.RegisterAccountRequest_Create());
-        Native.RegisterAccountRequest_SetAccountPassword(args, Buffer.from(accountPassword));
+        Native.RegisterAccountRequest_SetAccountPassword(args, accountPassword);
         if (skipDeviceTransfer) {
             Native.RegisterAccountRequest_SetSkipDeviceTransfer(args);
         }

package/dist/net.d.ts

@@ -55,6 +55,7 @@ export type ProxyOptions = {
 /** The "scheme" for Signal TLS proxies. See {@link Net.setProxy()}. */
 export declare const SIGNAL_TLS_PROXY_SCHEME = "org.signal.tls";
 export declare class Net {
+    private readonly options;
     private readonly asyncContext;
     /** Exposed only for testing. */
     readonly _connectionManager: ConnectionManager;
@@ -177,7 +178,24 @@ export declare class Net {
      * was set, calling this method is a no-op.
      */
     clearProxy(): void;
-    /** Updates the remote config settings used by libsignal. */
+    /**
+     * Updates libsignal's remote configuration settings.
+     *
+     * The provided configuration map must conform to the following requirements:
+     * - Each key represents an enabled configuration and directly indicates that the setting is enabled.
+     * - Keys must have had the platform-specific prefix (e.g., `"desktop.libsignal."`) removed.
+     * - Entries explicitly disabled by the server must not appear in the map.
+     * - Values originally set to `null` by the server must be represented as empty strings.
+     * - Values should otherwise maintain the same format as they are returned by the server.
+     *
+     * These constraints ensure configurations passed to libsignal precisely reflect enabled
+     * server-provided settings without ambiguity.
+     *
+     * Only new connections made *after* this call will use the new remote config settings.
+     * Existing connections are not affected.
+     *
+     * @param remoteConfig A map containing preprocessed libsignal configuration keys and their associated values.
+     */
     setRemoteConfig(remoteConfig: Map<string, string>): void;
     /**
      * Notifies libsignal that the network has changed.

package/dist/net.js

@@ -65,6 +65,7 @@ exports.TokioAsyncContext = TokioAsyncContext;
 exports.SIGNAL_TLS_PROXY_SCHEME = 'org.signal.tls';
 class Net {
     constructor(options) {
+        this.options = options;
         this.asyncContext = new TokioAsyncContext(Native.TokioAsyncContext_new());
         if (options.localTestServer) {
             this._connectionManager = newNativeHandle(Native.TESTING_ConnectionManager_newLocalOverride(options.userAgent, options.TESTING_localServer_chatPort, options.TESTING_localServer_cdsiPort, options.TESTING_localServer_svr2Port, options.TESTING_localServer_rootCertificateDer));
@@ -96,7 +97,8 @@ class Net {
      * @returns the connected listener, if the connection succeeds.
      */
     async connectUnauthenticatedChat(listener, options) {
-        return Chat_1.UnauthenticatedChatConnection.connect(this.asyncContext, this._connectionManager, listener, options);
+        const env = this.options.localTestServer ? undefined : this.options.env;
+        return Chat_1.UnauthenticatedChatConnection.connect(this.asyncContext, this._connectionManager, listener, env, options);
     }
     /**
      * Creates a new instance of {@link AuthenticatedChatConnection}.
@@ -240,7 +242,24 @@ class Net {
     clearProxy() {
         Native.ConnectionManager_clear_proxy(this._connectionManager);
     }
-    /** Updates the remote config settings used by libsignal. */
+    /**
+     * Updates libsignal's remote configuration settings.
+     *
+     * The provided configuration map must conform to the following requirements:
+     * - Each key represents an enabled configuration and directly indicates that the setting is enabled.
+     * - Keys must have had the platform-specific prefix (e.g., `"desktop.libsignal."`) removed.
+     * - Entries explicitly disabled by the server must not appear in the map.
+     * - Values originally set to `null` by the server must be represented as empty strings.
+     * - Values should otherwise maintain the same format as they are returned by the server.
+     *
+     * These constraints ensure configurations passed to libsignal precisely reflect enabled
+     * server-provided settings without ambiguity.
+     *
+     * Only new connections made *after* this call will use the new remote config settings.
+     * Existing connections are not affected.
+     *
+     * @param remoteConfig A map containing preprocessed libsignal configuration keys and their associated values.
+     */
     setRemoteConfig(remoteConfig) {
         Native.ConnectionManager_set_remote_config(this._connectionManager, new internal_1.BridgedStringMap(remoteConfig));
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@signalapp/libsignal-client",
-  "version": "0.70.1",
+  "version": "0.71.0",
   "license": "AGPL-3.0-only",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",