@twsxtd/baileys 7.0.0-rc.9.commit.71ed75d4aae0 → 7.0.0-rc.9.commit.8d1e795328c7

package/lib/Socket/messages-recv.js

@@ -5,36 +5,63 @@ import Long from 'long';
 import { proto } from '../../WAProto/index.js';
 import { DEFAULT_CACHE_TTLS, KEY_BUNDLE_TYPE, MIN_PREKEY_COUNT, PLACEHOLDER_MAX_AGE_SECONDS, STATUS_EXPIRY_SECONDS } from '../Defaults/index.js';
 import { WAMessageStatus, WAMessageStubType } from '../Types/index.js';
-import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, getStatusFromReceiptType, handleIdentityChange, hkdf, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey } from '../Utils/index.js';
+import { aesDecryptCTR, aesEncryptGCM, cleanMessage, Curve, decodeMediaRetryNode, decodeMessageNode, decryptMessageNode, delay, derivePairingCodeKey, encodeBigEndian, encodeSignedDeviceIdentity, extractAddressingContext, getCallStatusFromNode, getHistoryMsg, getNextPreKeys, getStatusFromReceiptType, handleIdentityChange, hkdf, bindCleanupOnConnectionClose, MISSING_KEYS_ERROR_TEXT, NACK_REASONS, NO_MESSAGE_FOUND_ERROR_TEXT, SERVER_ERROR_CODES, toNumber, unixTimestampSeconds, xmppPreKey, xmppSignedPreKey } from '../Utils/index.js';
 import { makeMutex } from '../Utils/make-mutex.js';
 import { makeOfflineNodeProcessor } from '../Utils/offline-node-processor.js';
 import { buildAckStanza } from '../Utils/stanza-ack.js';
+import { buildMergedTcTokenIndexWrite, isTcTokenExpired, readTcTokenIndex, resolveIssuanceJid, resolveTcTokenJid, storeTcTokensFromIqResult, TC_TOKEN_INDEX_KEY } from '../Utils/tc-token-utils.js';
 import { areJidsSameUser, binaryNodeToString, getAllBinaryNodeChildren, getBinaryNodeChild, getBinaryNodeChildBuffer, getBinaryNodeChildren, getBinaryNodeChildString, isJidGroup, isJidNewsletter, isJidStatusBroadcast, isLidUser, isPnUser, jidDecode, jidNormalizedUser, S_WHATSAPP_NET } from '../WABinary/index.js';
 import { extractGroupMetadata } from './groups.js';
 import { makeMessagesSocket } from './messages-send.js';
 export const makeMessagesRecvSocket = (config) => {
     const { logger, retryRequestDelayMs, maxMsgRetryCount, getMessage, shouldIgnoreJid, enableAutoSessionRecreation } = config;
     const sock = makeMessagesSocket(config);
-    const { ev, authState, ws, messageMutex, notificationMutex, receiptMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, messageRetryManager } = sock;
+    const { ev, authState, ws, messageMutex, notificationMutex, receiptMutex, signalRepository, query, upsertMessage, resyncAppState, onUnexpectedError, assertSessions, sendNode, relayMessage, sendReceipt, uploadPreKeys, sendPeerDataOperationMessage, messageRetryManager, issuePrivacyTokens } = sock;
+    const getLIDForPN = signalRepository.lidMapping.getLIDForPN.bind(signalRepository.lidMapping);
     /** this mutex ensures that each retryRequest will wait for the previous one to finish */
     const retryMutex = makeMutex();
-    const msgRetryCache = config.msgRetryCounterCache ||
-        new NodeCache({
+    const internalMsgRetryCache = config.msgRetryCounterCache
+        ? undefined
+        : new NodeCache({
             stdTTL: DEFAULT_CACHE_TTLS.MSG_RETRY, // 1 hour
             useClones: false
         });
-    const callOfferCache = config.callOfferCache ||
-        new NodeCache({
+    const msgRetryCache = config.msgRetryCounterCache || internalMsgRetryCache;
+    const internalCallOfferCache = config.callOfferCache
+        ? undefined
+        : new NodeCache({
             stdTTL: DEFAULT_CACHE_TTLS.CALL_OFFER, // 5 mins
             useClones: false
         });
-    const placeholderResendCache = config.placeholderResendCache ||
-        new NodeCache({
+    const callOfferCache = config.callOfferCache || internalCallOfferCache;
+    const internalPlaceholderResendCache = config.placeholderResendCache
+        ? undefined
+        : new NodeCache({
             stdTTL: DEFAULT_CACHE_TTLS.MSG_RETRY, // 1 hour
             useClones: false
         });
+    const placeholderResendCache = config.placeholderResendCache || internalPlaceholderResendCache;
     // Debounce identity-change session refreshes per JID to avoid bursts
     const identityAssertDebounce = new NodeCache({ stdTTL: 5, useClones: false });
+    let cleanedUp = false;
+    const cleanupInternalCaches = async () => {
+        if (cleanedUp) {
+            return;
+        }
+        cleanedUp = true;
+        const closers = [Promise.resolve(identityAssertDebounce.close())];
+        if (internalMsgRetryCache) {
+            closers.push(Promise.resolve(internalMsgRetryCache.close()));
+        }
+        if (internalCallOfferCache) {
+            closers.push(Promise.resolve(internalCallOfferCache.close()));
+        }
+        if (internalPlaceholderResendCache) {
+            closers.push(Promise.resolve(internalPlaceholderResendCache.close()));
+        }
+        await Promise.allSettled(closers);
+    };
+    bindCleanupOnConnectionClose(ev, cleanupInternalCaches);
     let sendActiveReceipts = false;
     const fetchMessageHistory = async (count, oldestMsgKey, oldestMsgTimestamp) => {
         if (!authState.creds.me?.id) {
@@ -89,20 +116,34 @@ export const makeMessagesRecvSocket = (config) => {
     // Handles mex newsletter notifications
     const handleMexNewsletterNotification = async (node) => {
         const mexNode = getBinaryNodeChild(node, 'mex');
-        if (!mexNode?.content) {
+        const updateNode = mexNode?.content ? null : getBinaryNodeChild(node, 'update') || getAllBinaryNodeChildren(node)[0];
+        const payloadNode = mexNode?.content ? mexNode : updateNode;
+        if (!payloadNode?.content) {
             logger.warn({ node }, 'Invalid mex newsletter notification');
             return;
         }
         let data;
         try {
-            data = JSON.parse(mexNode.content.toString());
+            const payloadContent = payloadNode.content;
+            if (Array.isArray(payloadContent)) {
+                logger.warn({ payloadNode }, 'Invalid mex newsletter notification payload format');
+                return;
+            }
+            const contentBuf = typeof payloadContent === 'string' ? Buffer.from(payloadContent, 'binary') : Buffer.from(payloadContent);
+            data = JSON.parse(contentBuf.toString());
         }
         catch (error) {
             logger.error({ err: error, node }, 'Failed to parse mex newsletter notification');
             return;
         }
-        const operation = data?.operation;
-        const updates = data?.updates;
+        const operation = data?.operation ?? payloadNode?.attrs?.op_name;
+        let updates = data?.updates;
+        if (!updates) {
+            const linkedProfiles = data?.data?.xwa2_notify_linked_profiles;
+            if (linkedProfiles) {
+                updates = [linkedProfiles];
+            }
+        }
         if (!updates || !operation) {
             logger.warn({ data }, 'Invalid mex newsletter notification content');
             return;
@@ -132,6 +173,22 @@ export const makeMessagesRecvSocket = (config) => {
                     }
                 }
                 break;
+            case 'NotificationLinkedProfilesUpdates':
+                for (const update of updates) {
+                    const lid = update?.jid;
+                    const addedProfiles = Array.isArray(update?.added_profiles) ? update.added_profiles : [];
+                    const mappings = [];
+                    for (const profile of addedProfiles) {
+                        const pn = typeof profile === 'string' ? profile : (profile?.pn ?? profile?.jid ?? null);
+                        if (lid && pn) {
+                            const mapping = { lid, pn };
+                            ev.emit('lid-mapping.update', mapping);
+                            mappings.push(mapping);
+                        }
+                    }
+                    await signalRepository.lidMapping.storeLIDPNMappings(mappings);
+                }
+                break;
             default:
                 logger.info({ operation, data }, 'Unhandled mex newsletter notification');
                 break;
@@ -376,6 +433,35 @@ export const makeMessagesRecvSocket = (config) => {
             logger.info({ msgAttrs: node.attrs, retryCount }, 'sent retry receipt');
         }, authState?.creds?.me?.id || 'sendRetryRequest');
     };
+    /**
+     * Fire-and-forget tctoken re-issuance after a peer's device identity changed.
+     * Mirrors WAWebSendTcTokenWhenDeviceIdentityChange — runs in parallel with
+     * the session refresh (not after it).
+     */
+    const reissueTcTokenAfterIdentityChange = (from) => {
+        void (async () => {
+            const normalizedJid = jidNormalizedUser(from);
+            const tcJid = await resolveTcTokenJid(normalizedJid, getLIDForPN);
+            const tcTokenData = await authState.keys.get('tctoken', [tcJid]);
+            const senderTs = tcTokenData?.[tcJid]?.senderTimestamp;
+            if (senderTs === null || senderTs === undefined || isTcTokenExpired(senderTs)) {
+                return;
+            }
+            logger.debug({ jid: normalizedJid, senderTimestamp: senderTs }, 'identity changed, re-issuing tctoken');
+            const getPNForLID = signalRepository.lidMapping.getPNForLID.bind(signalRepository.lidMapping);
+            const issueJid = await resolveIssuanceJid(normalizedJid, sock.serverProps.lidTrustedTokenIssueToLid, getLIDForPN, getPNForLID);
+            const result = await issuePrivacyTokens([issueJid], senderTs);
+            await storeTcTokensFromIqResult({
+                result,
+                fallbackJid: tcJid,
+                keys: authState.keys,
+                getLIDForPN,
+                onNewJidStored: trackTcTokenJid
+            });
+        })().catch(err => {
+            logger.debug({ jid: from, err: err?.message }, 'failed to re-issue tctoken after identity change');
+        });
+    };
     const handleEncryptNotification = async (node) => {
         const from = node.attrs.from;
         if (from === S_WHATSAPP_NET) {
@@ -394,7 +480,8 @@ export const makeMessagesRecvSocket = (config) => {
                 validateSession: signalRepository.validateSession,
                 assertSessions,
                 debounceCache: identityAssertDebounce,
-                logger
+                logger,
+                onBeforeSessionRefresh: reissueTcTokenAfterIdentityChange
             });
             if (result.action === 'no_identity_node') {
                 logger.info({ node }, 'unknown encrypt notification');
@@ -405,6 +492,7 @@ export const makeMessagesRecvSocket = (config) => {
         // TODO: Support PN/LID (Here is only LID now)
         const actingParticipantLid = fullNode.attrs.participant;
         const actingParticipantPn = fullNode.attrs.participant_pn;
+        const actingParticipantUsername = fullNode.attrs.participant_username;
         const affectedParticipantLid = getBinaryNodeChild(child, 'participant')?.attrs?.jid || actingParticipantLid;
         const affectedParticipantPn = getBinaryNodeChild(child, 'participant')?.attrs?.phone_number || actingParticipantPn;
         switch (child?.tag) {
@@ -424,7 +512,8 @@ export const makeMessagesRecvSocket = (config) => {
                     {
                         ...metadata,
                         author: actingParticipantLid,
-                        authorPn: actingParticipantPn
+                        authorPn: actingParticipantPn,
+                        authorUsername: actingParticipantUsername
                     }
                 ]);
                 break;
@@ -455,6 +544,7 @@ export const makeMessagesRecvSocket = (config) => {
                         id: attrs.jid,
                         phoneNumber: isLidUser(attrs.jid) && isPnUser(attrs.phone_number) ? attrs.phone_number : undefined,
                         lid: isPnUser(attrs.jid) && isLidUser(attrs.lid) ? attrs.lid : undefined,
+                        username: attrs.participant_username || attrs.username || undefined,
                         admin: (attrs.type || null)
                     };
                 });
@@ -680,27 +770,70 @@ export const makeMessagesRecvSocket = (config) => {
             return result;
         }
     };
+    /**
+     * In-memory cache of storage JIDs with stored tctokens, seeded from the persisted index.
+     * Used to coalesce writes during a session; pruning always re-reads the persisted index
+     * to cover writes made by other layers (e.g. history sync).
+     */
+    const tcTokenKnownJids = new Set();
+    const tcTokenIndexLoaded = (async () => {
+        try {
+            const jids = await readTcTokenIndex(authState.keys);
+            for (const jid of jids)
+                tcTokenKnownJids.add(jid);
+            logger.debug({ count: tcTokenKnownJids.size }, 'loaded tctoken index');
+        }
+        catch (err) {
+            logger.warn({ err: err?.message }, 'failed to load tctoken index');
+        }
+    })();
+    let tcTokenIndexTimer;
+    async function flushTcTokenIndex() {
+        if (tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+            tcTokenIndexTimer = undefined;
+        }
+        // Merge with whatever is already persisted so we don't clobber writes from other
+        // paths (history sync, concurrent sessions on the same store).
+        const write = await buildMergedTcTokenIndexWrite(authState.keys, tcTokenKnownJids);
+        return authState.keys.set({ tctoken: write });
+    }
+    function scheduleTcTokenIndexSave() {
+        if (tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+        }
+        tcTokenIndexTimer = setTimeout(() => {
+            tcTokenIndexTimer = undefined;
+            flushTcTokenIndex().catch(err => {
+                logger.warn({ err: err?.message }, 'failed to save tctoken index');
+            });
+        }, 5000);
+    }
+    function trackTcTokenJid(jid) {
+        if (jid && jid !== TC_TOKEN_INDEX_KEY && !tcTokenKnownJids.has(jid)) {
+            tcTokenKnownJids.add(jid);
+            scheduleTcTokenIndexSave();
+        }
+    }
     const handlePrivacyTokenNotification = async (node) => {
         const tokensNode = getBinaryNodeChild(node, 'tokens');
-        const from = jidNormalizedUser(node.attrs.from);
         if (!tokensNode)
             return;
-        const tokenNodes = getBinaryNodeChildren(tokensNode, 'token');
-        for (const tokenNode of tokenNodes) {
-            const { attrs, content } = tokenNode;
-            const type = attrs.type;
-            const timestamp = attrs.t;
-            if (type === 'trusted_contact' && content instanceof Buffer) {
-                logger.debug({
-                    from,
-                    timestamp,
-                    tcToken: content
-                }, 'received trusted contact token');
-                await authState.keys.set({
-                    tctoken: { [from]: { token: content, timestamp } }
-                });
-            }
-        }
+        const from = jidNormalizedUser(node.attrs.from);
+        // WA Web uses: senderLid ?? toLid(from) for the storage key
+        // The sender_lid attribute provides the LID directly when available
+        const senderLid = node.attrs.sender_lid && isLidUser(jidNormalizedUser(node.attrs.sender_lid))
+            ? jidNormalizedUser(node.attrs.sender_lid)
+            : undefined;
+        const fallbackJid = senderLid ?? (await resolveTcTokenJid(from, getLIDForPN));
+        logger.debug({ from, storageJid: fallbackJid }, 'processing privacy token notification');
+        await storeTcTokensFromIqResult({
+            result: node,
+            fallbackJid,
+            keys: authState.keys,
+            getLIDForPN,
+            onNewJidStored: trackTcTokenJid
+        });
     };
     async function decipherLinkPublicKey(data) {
         const buffer = toRequiredBuffer(data);
@@ -819,11 +952,6 @@ export const makeMessagesRecvSocket = (config) => {
             fromMe,
             participant: attrs.participant
         };
-        if (shouldIgnoreJid(remoteJid) && remoteJid !== S_WHATSAPP_NET) {
-            logger.debug({ remoteJid }, 'ignoring receipt from jid');
-            await sendMessageAck(node);
-            return;
-        }
         const ids = [attrs.id];
         if (Array.isArray(content)) {
             const items = getBinaryNodeChildren(content[0], 'item');
@@ -888,11 +1016,6 @@ export const makeMessagesRecvSocket = (config) => {
     };
     const handleNotification = async (node) => {
         const remoteJid = node.attrs.from;
-        if (shouldIgnoreJid(remoteJid) && remoteJid !== S_WHATSAPP_NET) {
-            logger.debug({ remoteJid, id: node.attrs.id }, 'ignored notification');
-            await sendMessageAck(node);
-            return;
-        }
         try {
             await Promise.all([
                 notificationMutex.mutex(async () => {
@@ -905,6 +1028,7 @@ export const makeMessagesRecvSocket = (config) => {
                             fromMe,
                             participant: node.attrs.participant,
                             participantAlt,
+                            participantUsername: node.attrs.participant_username,
                             addressingMode,
                             id: node.attrs.id,
                             ...(msg.key || {})
@@ -922,11 +1046,6 @@ export const makeMessagesRecvSocket = (config) => {
         }
     };
     const handleMessage = async (node) => {
-        if (shouldIgnoreJid(node.attrs.from) && node.attrs.from !== S_WHATSAPP_NET) {
-            logger.debug({ key: node.attrs.key }, 'ignored message');
-            await sendMessageAck(node, NACK_REASONS.UnhandledError);
-            return;
-        }
         const encNode = getBinaryNodeChild(node, 'enc');
         // TODO: temporary fix for crashes and issues resulting of failed msmsg decryption
         if (encNode?.attrs.type === 'msmsg') {
@@ -1144,6 +1263,13 @@ export const makeMessagesRecvSocket = (config) => {
                 offline: !!attrs.offline,
                 status
             };
+            if (status === 'relaylatency') {
+                const latencyValue = infoChild.attrs.latency || infoChild.attrs['latency_ms'] || infoChild.attrs['latency-ms'];
+                const latencyMs = latencyValue ? Number(latencyValue) : undefined;
+                if (Number.isFinite(latencyMs)) {
+                    call.latencyMs = latencyMs;
+                }
+            }
             if (status === 'offer') {
                 call.isVideo = !!getBinaryNodeChild(infoChild, 'video');
                 call.isGroup = infoChild.attrs.type === 'group' || !!infoChild.attrs['group-jid'];
@@ -1188,7 +1314,19 @@ export const makeMessagesRecvSocket = (config) => {
         // error in acknowledgement,
         // device could not display the message
         if (attrs.error) {
-            logger.warn({ attrs }, 'received error in ack');
+            if (attrs.error === SERVER_ERROR_CODES.MissingTcToken) {
+                // 463 = account restricted + no tctoken for this contact.
+                // WA Web prevents this client-side (disables compose bar).
+                // No retry — retrying worsens the restriction by counting
+                // as another "reach out" to an unknown contact.
+                logger.warn({ msgId: attrs.id, from: attrs.from }, 'error 463: account restricted or missing tctoken for contact');
+            }
+            else if (attrs.error === SERVER_ERROR_CODES.SmaxInvalid) {
+                logger.warn({ msgId: attrs.id, from: attrs.from }, 'smax-invalid (479): stanza rejected by server — likely stale device session or malformed addressing');
+            }
+            else {
+                logger.warn({ attrs }, 'received error in ack');
+            }
             ev.emit('messages.update', [
                 {
                     key,
@@ -1198,19 +1336,6 @@ export const makeMessagesRecvSocket = (config) => {
                     }
                 }
             ]);
-            // resend the message with device_fanout=false, use at your own risk
-            // if (attrs.error === '475') {
-            // 	const msg = await getMessage(key)
-            // 	if (msg) {
-            // 		await relayMessage(key.remoteJid!, msg, {
-            // 			messageId: key.id!,
-            // 			useUserDevicesCache: false,
-            // 			additionalAttributes: {
-            // 				device_fanout: 'false'
-            // 			}
-            // 		})
-            // 	}
-            // }
         }
     };
     /// processes a node with the given function
@@ -1234,6 +1359,19 @@ export const makeMessagesRecvSocket = (config) => {
         yieldToEventLoop: () => new Promise(resolve => setImmediate(resolve))
     });
     const processNode = async (type, node, identifier, exec) => {
+        // Fast path: ack and drop ignored JIDs before entering the buffer/queue
+        const from = node.attrs.from;
+        let ignoreJid = from;
+        if (type === 'receipt' && from) {
+            const attrs = node.attrs;
+            const isLid = attrs.from.includes('lid');
+            const isNodeFromMe = areJidsSameUser(attrs.participant || attrs.from, isLid ? authState.creds.me?.lid : authState.creds.me?.id);
+            ignoreJid = !isNodeFromMe || isJidGroup(attrs.from) ? attrs.from : attrs.recipient;
+        }
+        if (ignoreJid && ignoreJid !== S_WHATSAPP_NET && shouldIgnoreJid(ignoreJid)) {
+            await sendMessageAck(node, type === 'message' ? NACK_REASONS.UnhandledError : undefined);
+            return;
+        }
         const isOffline = !!node.attrs.offline;
         if (isOffline) {
             offlineNodeProcessor.enqueue(type, node);
@@ -1289,14 +1427,104 @@ export const makeMessagesRecvSocket = (config) => {
             await upsertMessage(protoMsg, call.offline ? 'append' : 'notify');
         }
     });
-    ev.on('connection.update', ({ isOnline }) => {
+    /** timestamp of last tctoken prune run — throttles to once per 24h */
+    let lastTcTokenPruneTs = 0;
+    ev.on('connection.update', ({ isOnline, connection }) => {
         if (typeof isOnline !== 'undefined') {
             sendActiveReceipts = isOnline;
             logger.trace(`sendActiveReceipts set to "${sendActiveReceipts}"`);
         }
+        // Flush pending tctoken index save on disconnect to avoid writing after close
+        if (connection === 'close' && tcTokenIndexTimer) {
+            clearTimeout(tcTokenIndexTimer);
+            tcTokenIndexTimer = undefined;
+            // Best-effort flush — may fail if store is already closed
+            try {
+                void Promise.resolve(flushTcTokenIndex()).catch(() => { });
+            }
+            catch {
+                /* ignore sync errors */
+            }
+        }
+        // Prune expired tctokens when coming online, at most once per 24 hours
+        // Matches WA Web's CLEAN_TC_TOKENS task
+        // Note: don't gate on tcTokenKnownJids.size — the index may still be loading
+        if (isOnline) {
+            const now = Date.now();
+            const DAY_MS = 24 * 60 * 60 * 1000;
+            if (now - lastTcTokenPruneTs >= DAY_MS) {
+                lastTcTokenPruneTs = now;
+                void pruneExpiredTcTokens();
+            }
+        }
     });
+    async function pruneExpiredTcTokens() {
+        try {
+            await tcTokenIndexLoaded;
+            // Union with the persisted index picks up JIDs added by other layers
+            // (history sync) without needing inter-module wiring.
+            const persisted = await readTcTokenIndex(authState.keys);
+            const allJids = new Set(tcTokenKnownJids);
+            for (const jid of persisted)
+                allJids.add(jid);
+            if (!allJids.size)
+                return;
+            const jids = [...allJids];
+            const allTokens = await authState.keys.get('tctoken', jids);
+            const writes = {};
+            const survivors = new Set();
+            let mutated = 0;
+            for (const jid of jids) {
+                const entry = allTokens[jid];
+                if (!entry) {
+                    // Tracked but nothing in store — drop from index.
+                    mutated++;
+                    continue;
+                }
+                const hasPeerToken = !!entry.token?.length;
+                const peerTokenExpired = hasPeerToken && isTcTokenExpired(entry.timestamp);
+                const hasSenderTs = entry.senderTimestamp !== undefined;
+                const senderTsExpired = hasSenderTs && isTcTokenExpired(entry.senderTimestamp);
+                const keepPeerToken = hasPeerToken && !peerTokenExpired;
+                const keepSenderTs = hasSenderTs && !senderTsExpired;
+                if (!keepPeerToken && !keepSenderTs) {
+                    writes[jid] = null;
+                    mutated++;
+                }
+                else if (peerTokenExpired && keepSenderTs) {
+                    writes[jid] = { token: Buffer.alloc(0), senderTimestamp: entry.senderTimestamp };
+                    survivors.add(jid);
+                    mutated++;
+                }
+                else {
+                    survivors.add(jid);
+                }
+            }
+            if (mutated === 0)
+                return;
+            await authState.keys.set({
+                tctoken: {
+                    ...writes,
+                    [TC_TOKEN_INDEX_KEY]: {
+                        token: Buffer.from(JSON.stringify([...survivors]))
+                    }
+                }
+            });
+            tcTokenKnownJids.clear();
+            for (const jid of survivors)
+                tcTokenKnownJids.add(jid);
+            logger.debug({ mutated, remaining: survivors.size }, 'pruned expired tctokens');
+        }
+        catch (err) {
+            logger.warn({ err: err?.message }, 'failed to prune expired tctokens');
+        }
+    }
     return {
         ...sock,
+        end: async (error) => {
+            await cleanupInternalCaches();
+            await sock.end(error);
+        },
         sendMessageAck,
         sendRetryRequest,
         rejectCall,