@sjawhar/whatsapp-mcp 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 karlfoster
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,122 @@
+# WhatsApp MCP Server
+
+A Model Context Protocol (MCP) server that connects to WhatsApp via [Baileys](https://github.com/WhiskeySockets/Baileys), providing AI with the ability to manage WhatsApp. This is a security-hardened fork of [karlfoster/whatsapp-mcp-2.0](https://github.com/karlfoster/whatsapp-mcp-2.0).
+
+## ⚠️ WARNING
+
+**This project uses the UNOFFICIAL WhatsApp Web API (Baileys).**
+WhatsApp may ban accounts using unofficial clients.
+**USE A DEDICATED BURNER NUMBER** — never use your personal number.
+The authors take no responsibility for account bans or any other consequences of using this software.
+
+## What This Is
+
+This is a fork of `karlfoster/whatsapp-mcp-2.0` with significant security hardening and operational improvements. It allows an AI assistant (like Claude) to:
+- List and search chats, contacts, and messages.
+- Send text messages and files (images, videos, documents, audio).
+- Download media from received messages.
+- Transcribe voice notes via Whisper-compatible APIs.
+- Sync phone contacts from VCF files.
+
+## Setup
+
+1.  **Clone the repository**:
+    ```bash
+    git clone <repo-url>
+    cd whatsapp-mcp
+    ```
+
+2.  **Install dependencies**:
+    ```bash
+    npm ci
+    ```
+
+3.  **Configure environment variables**:
+    Create a `.env` file or set them in your MCP client configuration (see below).
+
+4.  **Run the server**:
+    ```bash
+    npm run dev
+    ```
+
+5.  **Scan the QR code**:
+    On first run, a QR code will appear in your terminal. Scan it with WhatsApp on your phone:
+    **WhatsApp > Settings > Linked Devices > Link a Device**
+
+## Environment Variables
+
+| Variable | Default | Description |
+| :--- | :--- | :--- |
+| `ALLOWED_SEND_DIR` | `./uploads/` | Directory for outbound file sends. |
+| `MAX_SEND_FILE_SIZE` | `67108864` (64MB) | Max file size for `send_file`. |
+| `DOWNLOADS_DIR` | `./downloads/` | Directory for downloaded media. |
+| `CONTACTS_DIR` | `./contacts/` | Base directory for VCF imports. |
+| `WHISPER_API_URL` | (none) | Whisper API endpoint for transcription. |
+| `WHISPER_API_KEY` | (none) | API key for Whisper. |
+| `WHISPER_MODEL` | `whisper-large-v3-turbo` | Model name for transcription. |
+| `ZOMBIE_TIMEOUT_MS` | `120000` (2min) | Silence before zombie connection detection. |
+| `MAX_SEND_FAILURES` | `3` | Consecutive failures before reconnect. |
+| `MIN_SEND_INTERVAL_MS` | `3000` (3s) | Minimum delay between sends. |
+| `SEND_JITTER_MS` | `2000` (2s) | Random jitter added to send delay. |
+| `MAX_RECONNECT_ATTEMPTS` | `10` | Max reconnect attempts before giving up. |
+
+## Storage Locations
+
+- `auth_info/`: WhatsApp authentication credentials (DO NOT commit).
+- `data/`: SQLite database containing messages, chats, and contacts.
+- `store/`: Baileys message store and `.whatsapp.lock` file.
+- `uploads/`: Files to send (only files in this directory can be sent via `send_file`).
+- `downloads/`: Downloaded media files.
+- `contacts/`: VCF files for contact import.
+
+## Running Tests
+
+This project uses Vitest for testing.
+
+```bash
+# Run all tests
+npx vitest run
+
+# Run tests with coverage
+npx vitest run --coverage
+```
+
+## Known Limitations
+
+- **No FTS5**: SQLite full-text search is not used; substring search (`LIKE`) is used instead.
+- **No Read Receipts**: The server does not send read receipts.
+- **No Reactions**: Message reactions are not supported.
+- **No Stories**: WhatsApp Stories/Status updates are not accessible.
+
+## Security Changes (What changed from upstream)
+
+- **Path Traversal Protection**: Strict containment checks for `send_file` and `download_media` using resolved paths.
+- **SSRF Validation**: `WHISPER_API_URL` is validated to prevent SSRF attacks (rejects localhost and private IP ranges).
+- **Atomic Lock File**: Prevents multiple instances from connecting to the same WhatsApp account simultaneously.
+- **Strict Filename Sanitization**: All filenames are sanitized to prevent injection and traversal.
+- **Bounded Memory Caches**: Prevents unbounded memory growth in Baileys message retry and device tracking.
+- **Pre-key Pruning**: Automatically prunes old pre-keys to prevent disk bloat.
+- **Removed `reply_spam`**: Removed the UAE-specific spam reply tool for better general-purpose use.
+- **Streamed Uploads**: `send_file` uses streams instead of loading full files into memory.
+
+## Available Tools
+
+- `list_chats`: List chats sorted by last activity.
+- `get_chat`: Get chat details with recent messages.
+- `list_messages`: Get messages from a chat.
+- `search_messages`: Substring search across messages.
+- `search_contacts`: Find contacts by name or phone number.
+- `get_message_context`: Get messages surrounding a specific message.
+- `get_my_profile`: Get your own JID and profile info.
+- `update_contact`: Update a contact's display name.
+- `sync_contacts`: Import phone contacts from a VCF file.
+- `send_message`: Send a text message (requires confirmation).
+- `send_file`: Send a media file (requires confirmation).
+- `delete_message`: Delete a message (requires confirmation).
+- `delete_chat`: Delete an entire chat (requires confirmation).
+- `download_media`: Download media from a message to disk.
+- `transcribe_voice_note`: Transcribe a voice note to text.
+
+## License
+
+MIT

package/dist/__tests__/connection.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=connection.test.d.ts.map

package/dist/__tests__/connection.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/connection.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/connection.test.js

@@ -0,0 +1,105 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { InMemoryTransport } from "@modelcontextprotocol/sdk/inMemory.js";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { closeTestDb, seedTestDb, setupTestDb } from "./helpers/test-db.js";
+import { createFakeBaileysSocket } from "./helpers/fake-baileys.js";
+const mockState = vi.hoisted(() => ({
+    sockets: [],
+}));
+vi.mock("@whiskeysockets/baileys", () => ({
+    default: vi.fn(() => {
+        const socket = createFakeBaileysSocket();
+        mockState.sockets.push(socket);
+        return socket;
+    }),
+    DisconnectReason: { loggedOut: 401, connectionReplaced: 440 },
+    fetchLatestBaileysVersion: vi.fn(async () => ({ version: [2, 3000, 0] })),
+    downloadMediaMessage: vi.fn(),
+    getContentType: vi.fn(),
+    initAuthCreds: vi.fn(() => ({})),
+    BufferJSON: {
+        replacer: (_key, value) => value,
+        reviver: (_key, value) => value,
+    },
+    proto: {
+        Message: {
+            AppStateSyncKeyData: {
+                fromObject: (value) => value,
+            },
+        },
+    },
+}));
+function parseToolJson(result) {
+    const text = result.content?.find((entry) => entry.type === "text")?.text || "";
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+}
+function latestSocket() {
+    const socket = mockState.sockets.at(-1);
+    if (!socket) {
+        throw new Error("No fake socket was created");
+    }
+    return socket;
+}
+describe("connection lifecycle", () => {
+    let server;
+    let client;
+    let whatsapp;
+    beforeEach(async () => {
+        vi.resetModules();
+        mockState.sockets.length = 0;
+        await setupTestDb();
+        seedTestDb();
+        whatsapp = await import("../whatsapp.js");
+        await whatsapp.initWhatsApp();
+        latestSocket().emitConnectionOpen();
+        server = new McpServer({ name: "whatsapp-test", version: "1.0.0" });
+        const { registerTools } = await import("../tools.js");
+        registerTools(server);
+        const [clientTransport, serverTransport] = InMemoryTransport.createLinkedPair();
+        client = new Client({ name: "whatsapp-test-client", version: "1.0.0" });
+        await Promise.all([server.connect(serverTransport), client.connect(clientTransport)]);
+    });
+    afterEach(async () => {
+        await Promise.all([client?.close(), server?.close()]);
+        await whatsapp?.closeWhatsApp();
+        closeTestDb();
+        vi.useRealTimers();
+    });
+    it("waits for reconnection after a 440 connectionReplaced disconnect and succeeds after reconnect", async () => {
+        latestSocket().emitConnectionClose(440);
+        const toolCall = client.callTool({
+            name: "list_chats",
+            arguments: { limit: 5 },
+        });
+        const stateBeforeReconnect = await Promise.race([
+            toolCall.then(() => "settled"),
+            new Promise((resolve) => setTimeout(() => resolve("pending"), 25)),
+        ]);
+        expect(stateBeforeReconnect).toBe("pending");
+        await whatsapp.initWhatsApp();
+        latestSocket().emitConnectionOpen();
+        const result = await toolCall;
+        const payload = parseToolJson(result);
+        expect(result.isError).toBeFalsy();
+        expect(Array.isArray(payload)).toBe(true);
+        const postReconnect = (await client.callTool({
+            name: "list_chats",
+            arguments: { limit: 5 },
+        }));
+        expect(postReconnect.isError).toBeFalsy();
+    });
+    it("clears pending reconnect timer on shutdown", async () => {
+        vi.useFakeTimers();
+        latestSocket().emitConnectionClose(500);
+        expect(vi.getTimerCount()).toBe(1);
+        await whatsapp.closeWhatsApp();
+        expect(vi.getTimerCount()).toBe(0);
+    });
+});
+//# sourceMappingURL=connection.test.js.map

package/dist/__tests__/connection.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection.test.js","sourceRoot":"","sources":["../../src/__tests__/connection.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,uCAAuC,CAAC;AAC1E,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC5E,OAAO,EAAE,uBAAuB,EAA0B,MAAM,2BAA2B,CAAC;AAE5F,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAClC,OAAO,EAAE,EAAyB;CACnC,CAAC,CAAC,CAAC;AAEJ,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE;QAClB,MAAM,MAAM,GAAG,uBAAuB,EAAE,CAAC;QACzC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IACF,gBAAgB,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,kBAAkB,EAAE,GAAG,EAAE;IAC7D,yBAAyB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,oBAAoB,EAAE,EAAE,CAAC,EAAE,EAAE;IAC7B,cAAc,EAAE,EAAE,CAAC,EAAE,EAAE;IACvB,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAChC,UAAU,EAAE;QACV,QAAQ,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;QACjD,OAAO,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;KACjD;IACD,KAAK,EAAE;QACL,OAAO,EAAE;YACP,mBAAmB,EAAE;gBACnB,UAAU,EAAE,CAAC,KAAc,EAAE,EAAE,CAAC,KAAK;aACtC;SACF;KACF;CACF,CAAC,CAAC,CAAC;AAOJ,SAAS,aAAa,CAAC,MAAqB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,MAAM,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;IAChF,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,IAAI,MAAiB,CAAC;IACtB,IAAI,MAAc,CAAC;IACnB,IAAI,QAAyC,CAAC;IAE9C,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,EAAE,CAAC,YAAY,EAAE,CAAC;QAClB,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QAE7B,MAAM,WAAW,EAAE,CAAC;QACpB,UAAU,EAAE,CAAC;QAEb,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAC1C,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAC9B,YAAY,EAAE,CAAC,kBAAkB,EAAE,CAAC;QAEpC,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACpE,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACtD,aAAa,CAAC,MAAM,CAAC,CAAC;QAEtB,MAAM,CAAC,eAAe,EAAE,eAAe,CAAC,GAAG,iBAAiB,CAAC,gBAAgB,EAAE,CAAC;QAChF,MAAM,GAAG,IAAI,MAAM,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACxF,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QACtD,MAAM,QAAQ,EAAE,aAAa,EAAE,CAAC;QAChC,WAAW,EAAE,CAAC;QACd,EAAE,CAAC,aAAa,EAAE,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+FAA+F,EAAE,KAAK,IAAI,EAAE;QAC7G,YAAY,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAExC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC/B,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;SACxB,CAA2B,CAAC;QAE7B,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;YAC9B,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;SACnE,CAAC,CAAC;QAEH,MAAM,CAAC,oBAAoB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE7C,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAC9B,YAAY,EAAE,CAAC,kBAAkB,EAAE,CAAC;QAEpC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC;QAC9B,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,SAAS,EAAE,CAAC;QACnC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1C,MAAM,aAAa,GAAG,CAAC,MAAM,MAAM,CAAC,QAAQ,CAAC;YAC3C,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE;SACxB,CAAC,CAAkB,CAAC;QACrB,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,SAAS,EAAE,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4CAA4C,EAAE,KAAK,IAAI,EAAE;QAC1D,EAAE,CAAC,aAAa,EAAE,CAAC;QAEnB,YAAY,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAExC,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEnC,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAC;QAE/B,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/disconnect.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=disconnect.test.d.ts.map

package/dist/__tests__/disconnect.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"disconnect.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/disconnect.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/disconnect.test.js

@@ -0,0 +1,166 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import fs from "fs";
+import { createFakeBaileysSocket } from "./helpers/fake-baileys.js";
+import { closeTestDb, seedTestDb, setupTestDb } from "./helpers/test-db.js";
+const mockState = vi.hoisted(() => ({
+    sockets: [],
+}));
+vi.mock("@whiskeysockets/baileys", () => ({
+    default: vi.fn(() => {
+        const socket = createFakeBaileysSocket();
+        mockState.sockets.push(socket);
+        return socket;
+    }),
+    DisconnectReason: {
+        loggedOut: 401,
+        forbidden: 403,
+        connectionLost: 408,
+        multideviceMismatch: 411,
+        connectionClosed: 428,
+        connectionReplaced: 440,
+        badSession: 500,
+        unavailableService: 503,
+        restartRequired: 515,
+    },
+    fetchLatestBaileysVersion: vi.fn(async () => ({ version: [2, 3000, 0] })),
+    downloadMediaMessage: vi.fn(),
+    getContentType: vi.fn(),
+    initAuthCreds: vi.fn(() => ({})),
+    BufferJSON: {
+        replacer: (_key, value) => value,
+        reviver: (_key, value) => value,
+    },
+    proto: {
+        Message: {
+            AppStateSyncKeyData: {
+                fromObject: (value) => value,
+            },
+        },
+    },
+}));
+function latestSocket() {
+    const socket = mockState.sockets.at(-1);
+    if (!socket) {
+        throw new Error("No fake socket was created");
+    }
+    return socket;
+}
+async function importWhatsAppResolved() {
+    const whatsapp = await import("../whatsapp.js");
+    whatsapp.resolveConnectionAsReadOnly();
+    return whatsapp;
+}
+describe("disconnect handling", () => {
+    beforeEach(() => {
+        vi.resetModules();
+        vi.useFakeTimers();
+        mockState.sockets.length = 0;
+        delete process.env.MAX_RECONNECT_ATTEMPTS;
+    });
+    afterEach(async () => {
+        vi.useRealTimers();
+        vi.restoreAllMocks();
+        const whatsapp = await import("../whatsapp.js");
+        await whatsapp.closeWhatsApp();
+    });
+    it("401 (loggedOut) does not reconnect, clears auth, and logs re-scan QR required", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const readdirSpy = vi.spyOn(fs.promises, "readdir").mockResolvedValue(["creds.json"]);
+        const rmSpy = vi.spyOn(fs.promises, "rm").mockResolvedValue(undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(401, null);
+        expect(vi.getTimerCount()).toBe(0);
+        expect(readdirSpy).toHaveBeenCalled();
+        expect(rmSpy).toHaveBeenCalled();
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("re-scan QR required");
+    });
+    it("403 (forbidden) does not reconnect and logs warning", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(403, null);
+        expect(vi.getTimerCount()).toBe(0);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("forbidden");
+    });
+    it("408 (connectionLost) reconnects with backoff", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(408, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Reconnecting in 2s");
+    });
+    it("411 (multideviceMismatch) does not reconnect and logs update Baileys", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(411, null);
+        expect(vi.getTimerCount()).toBe(0);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("update Baileys");
+    });
+    it("428 (connectionClosed) reconnects with backoff", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(428, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Reconnecting in 2s");
+    });
+    it("440 (connectionReplaced) reconnects with extended delay", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(440, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Reconnecting in 10s");
+    });
+    it("500 (badSession) clears auth and reconnects", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const readdirSpy = vi.spyOn(fs.promises, "readdir").mockResolvedValue(["creds.json"]);
+        const rmSpy = vi.spyOn(fs.promises, "rm").mockResolvedValue(undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(500, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(readdirSpy).toHaveBeenCalled();
+        expect(rmSpy).toHaveBeenCalled();
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Bad session");
+    });
+    it("503 (unavailableService) reconnects with backoff", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(503, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Reconnecting in 2s");
+    });
+    it("515 (restartRequired) reconnects immediately", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(515, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Reconnecting in 0s");
+    });
+    it("unknown code reconnects with backoff and logs warning", async () => {
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(999, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Unknown disconnect code");
+    });
+    it("stops reconnecting after MAX_RECONNECT_ATTEMPTS", async () => {
+        process.env.MAX_RECONNECT_ATTEMPTS = "2";
+        const errorSpy = vi.spyOn(console, "error").mockImplementation(() => undefined);
+        const whatsapp = await importWhatsAppResolved();
+        await whatsapp.handleDisconnect(428, null);
+        await whatsapp.handleDisconnect(428, null);
+        await whatsapp.handleDisconnect(428, null);
+        expect(vi.getTimerCount()).toBe(1);
+        expect(errorSpy.mock.calls.flat().join(" ")).toContain("Fatal");
+    });
+    it("successful connection resets reconnect attempt counter to zero", async () => {
+        await setupTestDb();
+        seedTestDb();
+        const whatsapp = await import("../whatsapp.js");
+        await whatsapp.initWhatsApp();
+        latestSocket().emitConnectionClose(428);
+        expect(whatsapp.getReconnectAttempts()).toBe(1);
+        latestSocket().emitConnectionOpen();
+        expect(whatsapp.getReconnectAttempts()).toBe(0);
+        closeTestDb();
+    });
+});
+//# sourceMappingURL=disconnect.test.js.map

package/dist/__tests__/disconnect.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"disconnect.test.js","sourceRoot":"","sources":["../../src/__tests__/disconnect.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAAE,uBAAuB,EAA0B,MAAM,2BAA2B,CAAC;AAC5F,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAE5E,MAAM,SAAS,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAClC,OAAO,EAAE,EAAyB;CACnC,CAAC,CAAC,CAAC;AAEJ,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE;QAClB,MAAM,MAAM,GAAG,uBAAuB,EAAE,CAAC;QACzC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;IACF,gBAAgB,EAAE;QAChB,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;QACd,cAAc,EAAE,GAAG;QACnB,mBAAmB,EAAE,GAAG;QACxB,gBAAgB,EAAE,GAAG;QACrB,kBAAkB,EAAE,GAAG;QACvB,UAAU,EAAE,GAAG;QACf,kBAAkB,EAAE,GAAG;QACvB,eAAe,EAAE,GAAG;KACrB;IACD,yBAAyB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,oBAAoB,EAAE,EAAE,CAAC,EAAE,EAAE;IAC7B,cAAc,EAAE,EAAE,CAAC,EAAE,EAAE;IACvB,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAChC,UAAU,EAAE;QACV,QAAQ,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;QACjD,OAAO,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;KACjD;IACD,KAAK,EAAE;QACL,OAAO,EAAE;YACP,mBAAmB,EAAE;gBACnB,UAAU,EAAE,CAAC,KAAc,EAAE,EAAE,CAAC,KAAK;aACtC;SACF;KACF;CACF,CAAC,CAAC,CAAC;AAEJ,SAAS,YAAY;IACnB,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,sBAAsB;IACnC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAChD,QAAQ,CAAC,2BAA2B,EAAE,CAAC;IACvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;IACnC,UAAU,CAAC,GAAG,EAAE;QACd,EAAE,CAAC,YAAY,EAAE,CAAC;QAClB,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QAC7B,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,EAAE,CAAC,aAAa,EAAE,CAAC;QACnB,EAAE,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,MAAM,QAAQ,CAAC,aAAa,EAAE,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+EAA+E,EAAE,KAAK,IAAI,EAAE;QAC7F,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,YAAY,CAAQ,CAAC,CAAC;QAC7F,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAEvE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAChD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,UAAU,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;QACpF,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;QAC3D,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,iBAAiB,CAAC,CAAC,YAAY,CAAQ,CAAC,CAAC;QAC7F,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACvE,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,UAAU,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IACxE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;QAChE,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC/E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;QACrE,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,yBAAyB,CAAC,CAAC;IACpF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,GAAG,CAAC;QACzC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAChF,MAAM,QAAQ,GAAG,MAAM,sBAAsB,EAAE,CAAC;QAEhD,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3C,MAAM,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAE3C,MAAM,CAAC,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,WAAW,EAAE,CAAC;QACpB,UAAU,EAAE,CAAC;QAEb,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,MAAM,QAAQ,CAAC,YAAY,EAAE,CAAC;QAE9B,YAAY,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEhD,YAAY,EAAE,CAAC,kBAAkB,EAAE,CAAC;QACpC,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAEhD,WAAW,EAAE,CAAC;IAChB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/download-media.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=download-media.test.d.ts.map

package/dist/__tests__/download-media.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"download-media.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/download-media.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/download-media.test.js

@@ -0,0 +1,110 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, describe, expect, it, vi } from "vitest";
+const getMessageBlobMock = vi.fn(() => JSON.stringify({ message: { imageMessage: { mimetype: "image/png" } } }));
+vi.mock("@whiskeysockets/baileys", () => ({
+    default: vi.fn(() => ({})),
+    DisconnectReason: { loggedOut: 401, connectionReplaced: 440 },
+    fetchLatestBaileysVersion: vi.fn(async () => ({ version: [2, 3000, 0] })),
+    downloadMediaMessage: vi.fn(async () => Buffer.from("fake-image")),
+    getContentType: vi.fn(() => "imageMessage"),
+    initAuthCreds: vi.fn(() => ({})),
+    BufferJSON: {
+        replacer: (_key, value) => value,
+        reviver: (_key, value) => value,
+    },
+    proto: {
+        Message: {
+            AppStateSyncKeyData: {
+                fromObject: (value) => value,
+            },
+        },
+    },
+}));
+vi.mock("../db.js", () => ({
+    getMessageBlob: getMessageBlobMock,
+    getChatName: vi.fn(() => null),
+    getContactName: vi.fn(() => null),
+    upsertContact: vi.fn(),
+    upsertChat: vi.fn(),
+    saveJidMapping: vi.fn(),
+    upsertChats: vi.fn(),
+    upsertContacts: vi.fn(),
+    upsertMessages: vi.fn(),
+    upsertMessage: vi.fn(),
+    deleteChat: vi.fn(),
+    deleteChatMessages: vi.fn(),
+    getChats: vi.fn(() => []),
+    getChat: vi.fn(() => ({})),
+    getMessages: vi.fn(() => []),
+    searchMessages: vi.fn(() => []),
+    searchContacts: vi.fn(() => []),
+    getMessageContext: vi.fn(() => ({})),
+    getLastMessageKey: vi.fn(() => null),
+    getMessageFromMe: vi.fn(() => null),
+    deleteMessage: vi.fn(),
+    getMessageTypeById: vi.fn(() => "voice_note"),
+    getTranscription: vi.fn(() => null),
+    saveTranscription: vi.fn(),
+}));
+const originalDownloadsDir = process.env.DOWNLOADS_DIR;
+afterEach(() => {
+    vi.resetModules();
+    vi.clearAllMocks();
+    vi.doUnmock("../utils.js");
+    if (originalDownloadsDir === undefined) {
+        delete process.env.DOWNLOADS_DIR;
+    }
+    else {
+        process.env.DOWNLOADS_DIR = originalDownloadsDir;
+    }
+});
+describe("download_media security hardening", () => {
+    it("sanitizes traversal messageId so writes stay inside downloads dir", async () => {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "download-media-"));
+        process.env.DOWNLOADS_DIR = tempDir;
+        const whatsapp = await import("../whatsapp.js");
+        whatsapp.resolveConnectionAsReadOnly();
+        const result = await whatsapp.downloadMessageMedia("15550001111", "../../../tmp/evil");
+        expect(result.fileName).toBe(".._.._.._tmp_evil.png");
+        expect(path.resolve(String(result.filePath)).startsWith(path.resolve(tempDir) + path.sep)).toBe(true);
+        expect(fs.existsSync(String(result.filePath))).toBe(true);
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    });
+    it("sanitizes backslashes in messageId", async () => {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "download-media-"));
+        process.env.DOWNLOADS_DIR = tempDir;
+        const whatsapp = await import("../whatsapp.js");
+        whatsapp.resolveConnectionAsReadOnly();
+        const result = await whatsapp.downloadMessageMedia("15550001111", "..\\..\\evil");
+        expect(result.fileName).toBe(".._.._evil.png");
+        expect(path.resolve(String(result.filePath)).startsWith(path.resolve(tempDir) + path.sep)).toBe(true);
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    });
+    it("keeps traversal-like message IDs inside downloads directory", async () => {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "download-media-"));
+        process.env.DOWNLOADS_DIR = tempDir;
+        const whatsapp = await import("../whatsapp.js");
+        whatsapp.resolveConnectionAsReadOnly();
+        const result = await whatsapp.downloadMessageMedia("15550001111", "../../../tmp/evil");
+        expect(path.resolve(String(result.filePath)).startsWith(path.resolve(tempDir) + path.sep)).toBe(true);
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    });
+    it("keeps normal message IDs unchanged", async () => {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "download-media-"));
+        process.env.DOWNLOADS_DIR = tempDir;
+        const whatsapp = await import("../whatsapp.js");
+        whatsapp.resolveConnectionAsReadOnly();
+        const result = await whatsapp.downloadMessageMedia("15550001111", "abc-123-def");
+        expect(result.fileName).toBe("abc-123-def.png");
+        fs.rmSync(tempDir, { recursive: true, force: true });
+    });
+    it("exports strict sanitizeFilename allowlist behavior", async () => {
+        const { sanitizeFilename } = await import("../utils.js");
+        expect(sanitizeFilename("../../../tmp/evil")).toBe(".._.._.._tmp_evil");
+        expect(sanitizeFilename("..\\..\\evil")).toBe(".._.._evil");
+        expect(sanitizeFilename("abc-123_DEF.9")).toBe("abc-123_DEF.9");
+    });
+});
+//# sourceMappingURL=download-media.test.js.map

package/dist/__tests__/download-media.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"download-media.test.js","sourceRoot":"","sources":["../../src/__tests__/download-media.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE7D,MAAM,kBAAkB,GAAG,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE,YAAY,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;AAEjH,EAAE,CAAC,IAAI,CAAC,yBAAyB,EAAE,GAAG,EAAE,CAAC,CAAC;IACxC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1B,gBAAgB,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,kBAAkB,EAAE,GAAG,EAAE;IAC7D,yBAAyB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACzE,oBAAoB,EAAE,EAAE,CAAC,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClE,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,cAAc,CAAC;IAC3C,aAAa,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAChC,UAAU,EAAE;QACV,QAAQ,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;QACjD,OAAO,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CAAC,KAAK;KACjD;IACD,KAAK,EAAE;QACL,OAAO,EAAE;YACP,mBAAmB,EAAE;gBACnB,UAAU,EAAE,CAAC,KAAc,EAAE,EAAE,CAAC,KAAK;aACtC;SACF;KACF;CACF,CAAC,CAAC,CAAC;AAEJ,EAAE,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;IACzB,cAAc,EAAE,kBAAkB;IAClC,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;IAC9B,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;IACjC,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;IACtB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;IACnB,cAAc,EAAE,EAAE,CAAC,EAAE,EAAE;IACvB,WAAW,EAAE,EAAE,CAAC,EAAE,EAAE;IACpB,cAAc,EAAE,EAAE,CAAC,EAAE,EAAE;IACvB,cAAc,EAAE,EAAE,CAAC,EAAE,EAAE;IACvB,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;IACtB,UAAU,EAAE,EAAE,CAAC,EAAE,EAAE;IACnB,kBAAkB,EAAE,EAAE,CAAC,EAAE,EAAE;IAC3B,QAAQ,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;IACzB,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1B,WAAW,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;IAC5B,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;IAC/B,cAAc,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;IAC/B,iBAAiB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IACpC,iBAAiB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;IACpC,gBAAgB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;IACnC,aAAa,EAAE,EAAE,CAAC,EAAE,EAAE;IACtB,kBAAkB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,YAAY,CAAC;IAC7C,gBAAgB,EAAE,EAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;IACnC,iBAAiB,EAAE,EAAE,CAAC,EAAE,EAAE;CAC3B,CAAC,CAAC,CAAC;AAEJ,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;AAEvD,SAAS,CAAC,GAAG,EAAE;IACb,EAAE,CAAC,YAAY,EAAE,CAAC;IAClB,EAAE,CAAC,aAAa,EAAE,CAAC;IACnB,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;IAE3B,IAAI,oBAAoB,KAAK,SAAS,EAAE,CAAC;QACvC,OAAO,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,oBAAoB,CAAC;IACnD,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;QACjF,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC;QAEpC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,QAAQ,CAAC,2BAA2B,EAAE,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;QAEvF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtG,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1D,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC;QAEpC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,QAAQ,CAAC,2BAA2B,EAAE,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAElF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEtG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6DAA6D,EAAE,KAAK,IAAI,EAAE;QAC3E,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC;QAEpC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,QAAQ,CAAC,2BAA2B,EAAE,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,aAAa,EAAE,mBAAmB,CAAC,CAAC;QACvF,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEtG,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,OAAO,CAAC;QAEpC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAChD,QAAQ,CAAC,2BAA2B,EAAE,CAAC;QAEvC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QACjF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAEhD,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACvD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAEzD,MAAM,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACxE,MAAM,CAAC,gBAAgB,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC5D,MAAM,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/failures/connection-failures.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=connection-failures.test.d.ts.map

package/dist/__tests__/failures/connection-failures.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection-failures.test.d.ts","sourceRoot":"","sources":["../../../src/__tests__/failures/connection-failures.test.ts"],"names":[],"mappings":""}