@vex-chat/libvex 5.4.0 → 5.5.1

package/dist/Client.js

@@ -11,12 +11,49 @@ import * as uuid from "uuid";
 import { z } from "zod/v4";
 import { WebSocketAdapter } from "./transport/websocket.js";
 import { decodeFipsInitialExtraV1, decodeFipsSubsequentExtraV1, encodeFipsInitialExtraV1, encodeFipsSubsequentExtraV1, fipsP256AdFromIdentityPubs, fipsP256PreKeySignPayload, isFipsInitialExtraV1, isFipsSubsequentExtraV1, } from "./utils/fipsMailExtra.js";
-function sleep(ms) {
-    return new Promise((resolve) => setTimeout(resolve, ms));
+function debugLibvexDm(msg, data) {
+    if (!libvexDebugDmEnabled()) {
+        return;
+    }
+    const payload = data ? `${msg} ${JSON.stringify(data)}` : msg;
+    // eslint-disable-next-line no-console -- gated by LIBVEX_DEBUG_DM; remove when debugging is done
+    console.error(`[libvex:debug-dm] ${payload}`);
 }
 function isRecord(x) {
     return typeof x === "object" && x !== null;
 }
+/**
+ * Set `LIBVEX_DEBUG_DM=1` (e.g. in vitest / shell) to log DM multi-device / X3DH paths.
+ * Uses indirect `globalThis` lookup so the bare `process` global never appears in
+ * source that the platform-guard plugin scans (browser/RN/Tauri).
+ */
+function libvexDebugDmEnabled() {
+    try {
+        const g = Object.getOwnPropertyDescriptor(globalThis, "\u0070rocess");
+        if (!g) {
+            return false;
+        }
+        const proc = typeof g.get === "function" ? g.get() : g.value;
+        if (typeof proc !== "object" || proc === null) {
+            return false;
+        }
+        const envDesc = Object.getOwnPropertyDescriptor(proc, "env");
+        if (!envDesc) {
+            return false;
+        }
+        const env = typeof envDesc.get === "function" ? envDesc.get() : envDesc.value;
+        if (typeof env !== "object" || env === null) {
+            return false;
+        }
+        return Reflect.get(env, "LIBVEX_DEBUG_DM") === "1";
+    }
+    catch {
+        return false;
+    }
+}
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
 /**
  * Spire 5+ JSON error bodies use `{ "error": { "message", "requestId"?, "details"? } }`.
  * Responses are `arraybuffer` — decode UTF-8 and parse for a one-line `Error` message
@@ -69,45 +106,8 @@ function spireErrorBodyMessage(data, max = 8_000) {
     }
     return t.length > max ? t.slice(0, max) + "…" : t;
 }
-/**
- * Set `LIBVEX_DEBUG_DM=1` (e.g. in vitest / shell) to log DM multi-device / X3DH paths.
- * Uses indirect `globalThis` lookup so the bare `process` global never appears in
- * source that the platform-guard plugin scans (browser/RN/Tauri).
- */
-function libvexDebugDmEnabled() {
-    try {
-        const g = Object.getOwnPropertyDescriptor(globalThis, "\u0070rocess");
-        if (!g) {
-            return false;
-        }
-        const proc = typeof g.get === "function" ? g.get() : g.value;
-        if (typeof proc !== "object" || proc === null) {
-            return false;
-        }
-        const envDesc = Object.getOwnPropertyDescriptor(proc, "env");
-        if (!envDesc) {
-            return false;
-        }
-        const env = typeof envDesc.get === "function" ? envDesc.get() : envDesc.value;
-        if (typeof env !== "object" || env === null) {
-            return false;
-        }
-        return Reflect.get(env, "LIBVEX_DEBUG_DM") === "1";
-    }
-    catch {
-        return false;
-    }
-}
-function debugLibvexDm(msg, data) {
-    if (!libvexDebugDmEnabled()) {
-        return;
-    }
-    const payload = data ? `${msg} ${JSON.stringify(data)}` : msg;
-    // eslint-disable-next-line no-console -- gated by LIBVEX_DEBUG_DM; remove when debugging is done
-    console.error(`[libvex:debug-dm] ${payload}`);
-}
 import { msgpack } from "./codec.js";
-import { ActionTokenCodec, AuthResponseCodec, ChannelArrayCodec, ChannelCodec, ConnectResponseCodec, decodeAxios, DeviceArrayCodec, DeviceChallengeCodec, DeviceCodec, EmojiArrayCodec, EmojiCodec, FileSQLCodec, InviteArrayCodec, InviteCodec, KeyBundleCodec, OtkCountCodec, PermissionArrayCodec, PermissionCodec, ServerArrayCodec, ServerCodec, UserArrayCodec, UserCodec, WhoamiCodec, } from "./codecs.js";
+import { ActionTokenCodec, AuthResponseCodec, ChannelArrayCodec, ChannelCodec, ConnectResponseCodec, decodeAxios, DeviceArrayCodec, DeviceChallengeCodec, DeviceCodec, DeviceRegistrationResultCodec, EmojiArrayCodec, EmojiCodec, FileSQLCodec, InviteArrayCodec, InviteCodec, KeyBundleCodec, OtkCountCodec, PendingDeviceRequestArrayCodec, PendingDeviceRequestCodec, PermissionArrayCodec, PermissionCodec, ServerArrayCodec, ServerCodec, UserArrayCodec, UserCodec, WhoamiCodec, } from "./codecs.js";
 import { capitalize } from "./utils/capitalize.js";
 import { sqlSessionToCrypto } from "./utils/sqlSessionToCrypto.js";
 import { uuidToUint8 } from "./utils/uint8uuid.js";
@@ -133,6 +133,14 @@ const mailInboxEntry = z.tuple([
     MailWSSchema,
     z.string(),
 ]);
+const deviceRequestNotifyData = z.object({
+    requestID: z.string(),
+    status: z.union([
+        z.literal("approved"),
+        z.literal("pending"),
+        z.literal("rejected"),
+    ]),
+});
 export class Client {
     /**
      * Decrypts a secret key from encrypted data produced by encryptKeyData().
@@ -193,8 +201,12 @@ export class Client {
      * Device management methods.
      */
     devices = {
+        approveRequest: this.approveDeviceRequest.bind(this),
         delete: this.deleteDevice.bind(this),
+        getRequest: this.getDeviceRegistrationRequest.bind(this),
+        listRequests: this.listDeviceRegistrationRequests.bind(this),
         register: this.registerDevice.bind(this),
+        rejectRequest: this.rejectDeviceRequest.bind(this),
         retrieve: this.getDeviceByID.bind(this),
     };
     /**
@@ -397,6 +409,7 @@ export class Client {
          */
         retrieve: this.fetchUser.bind(this),
     };
+    cryptoProfile;
     database;
     dbPath;
     device;
@@ -407,23 +420,18 @@ export class Client {
     firstMailFetch = true;
     forwarded = new Set();
     host;
-    /**
-     * Node-only: per-client HTTP(S) agents (see `init()` + `storage/node/http-agents`).
-     * Dropped on `close()` so idle keep-alive sockets do not keep the process alive.
-     */
-    nodeHttpAgents;
+    http;
     /** Cancels in-flight axios work on `close()` so `postAuth`/`getMail` cannot hang forever. */
     httpAbortController = new AbortController();
-    http;
     idKeys;
     isAlive = true;
     mailInterval;
     manuallyClosing = false;
     /**
-     * Bumped when the WebSocket is torn down and re-opened so the previous
-     * `postAuth` loop exits instead of overlapping a new one.
+     * Node-only: per-client HTTP(S) agents (see `init()` + `storage/node/http-agents`).
+     * Dropped on `close()` so idle keep-alive sockets do not keep the process alive.
      */
-    postAuthVersion = 0;
+    nodeHttpAgents;
     /* Retrieves the userID with the user identifier.
     user identifier is checked for userID, then signkey,
     and finally falls back to username. */
@@ -431,6 +439,11 @@ export class Client {
     notFoundUsers = new Map();
     options;
     pingInterval = null;
+    /**
+     * Bumped when the WebSocket is torn down and re-opened so the previous
+     * `postAuth` loop exits instead of overlapping a new one.
+     */
+    postAuthVersion = 0;
     prefixes;
     reading = false;
     seenMailIDs = new Set();
@@ -442,7 +455,6 @@ export class Client {
     user;
     userRecords = {};
     xKeyRing;
-    cryptoProfile;
     constructor(material, options, storage) {
         this.options = options;
         this.cryptoProfile = material.cryptoProfile;
@@ -605,27 +617,6 @@ export class Client {
     static getMnemonic(session) {
         return xMnemonic(xKDF(XUtils.decodeHex(session.fingerprint)));
     }
-    /**
-     * True when running under Node (has `process.versions`).
-     * Uses indirect lookup so the bare `process` global never appears in
-     * source that the platform-guard plugin scans.
-     */
-    static isNodeRuntime() {
-        try {
-            const g = Object.getOwnPropertyDescriptor(globalThis, "\u0070rocess");
-            if (!g)
-                return false;
-            const proc = typeof g.get === "function" ? g.get() : g.value;
-            if (typeof proc !== "object" || proc === null) {
-                return false;
-            }
-            return ("versions" in proc &&
-                typeof proc.versions === "object");
-        }
-        catch {
-            return false;
-        }
-    }
     /**
      * Browser-safe NODE_ENV accessor.
      * Uses indirect lookup so the bare `process` global never appears in
@@ -663,12 +654,25 @@ export class Client {
         }
     }
     /**
-     * Fresh read of the `manuallyClosing` flag for async loops — direct property checks
-     * after `await` are flagged as always-false by control-flow analysis even though
-     * `close()` can run concurrently.
+     * True when running under Node (has `process.versions`).
+     * Uses indirect lookup so the bare `process` global never appears in
+     * source that the platform-guard plugin scans.
      */
-    isManualCloseInFlight() {
-        return this.manuallyClosing;
+    static isNodeRuntime() {
+        try {
+            const g = Object.getOwnPropertyDescriptor(globalThis, "\u0070rocess");
+            if (!g)
+                return false;
+            const proc = typeof g.get === "function" ? g.get() : g.value;
+            if (typeof proc !== "object" || proc === null) {
+                return false;
+            }
+            return ("versions" in proc &&
+                typeof proc.versions === "object");
+        }
+        catch {
+            return false;
+        }
     }
     /**
      * Closes the client — disconnects the WebSocket, shuts down storage,
@@ -723,57 +727,6 @@ export class Client {
         await new Promise((r) => setTimeout(r, 0));
         await this.negotiateOTK();
     }
-    /**
-     * Tears down the current WebSocket and opens a new one, keeping the same
-     * session (user + device in storage). Restarts the post-auth mail loop.
-     * Use for long-running processes or e2e where a fresh socket matches a
-     * newly-registered second device.
-     */
-    async reconnectWebsocket() {
-        this.postAuthVersion++;
-        if (this.pingInterval) {
-            clearInterval(this.pingInterval);
-            this.pingInterval = null;
-        }
-        this.socket.close();
-        try {
-            await new Promise((resolve, reject) => {
-                const t = setTimeout(() => {
-                    this.off("connected", onC);
-                    reject(new Error("reconnectWebsocket: timed out waiting for authorized"));
-                }, 15_000);
-                const onC = () => {
-                    clearTimeout(t);
-                    this.off("connected", onC);
-                    resolve();
-                };
-                this.on("connected", onC);
-                try {
-                    this.initSocket();
-                }
-                catch (err) {
-                    clearTimeout(t);
-                    this.off("connected", onC);
-                    const e = err instanceof Error
-                        ? err
-                        : new Error(String(err), { cause: err });
-                    reject(e);
-                }
-            });
-        }
-        catch (e) {
-            throw e instanceof Error ? e : new Error(String(e), { cause: e });
-        }
-        await new Promise((r) => setTimeout(r, 0));
-        await this.negotiateOTK();
-    }
-    /**
-     * Triggers an immediate inbox sync by fetching `/mail` once.
-     * Useful on mobile foreground resume where background work may pause.
-     */
-    async syncInboxNow() {
-        await this.getMail();
-    }
     /**
      * Delete all local data — message history, encryption sessions, and prekeys.
      * Closes the client afterward. Credentials (keychain) must be cleared by the consumer.
@@ -899,6 +852,50 @@ export class Client {
         this.emitter.once(event, fn, context);
         return this;
     }
+    /**
+     * Tears down the current WebSocket and opens a new one, keeping the same
+     * session (user + device in storage). Restarts the post-auth mail loop.
+     * Use for long-running processes or e2e where a fresh socket matches a
+     * newly-registered second device.
+     */
+    async reconnectWebsocket() {
+        this.postAuthVersion++;
+        if (this.pingInterval) {
+            clearInterval(this.pingInterval);
+            this.pingInterval = null;
+        }
+        this.socket.close();
+        try {
+            await new Promise((resolve, reject) => {
+                const t = setTimeout(() => {
+                    this.off("connected", onC);
+                    reject(new Error("reconnectWebsocket: timed out waiting for authorized"));
+                }, 15_000);
+                const onC = () => {
+                    clearTimeout(t);
+                    this.off("connected", onC);
+                    resolve();
+                };
+                this.on("connected", onC);
+                try {
+                    this.initSocket();
+                }
+                catch (err) {
+                    clearTimeout(t);
+                    this.off("connected", onC);
+                    const e = err instanceof Error
+                        ? err
+                        : new Error(String(err), { cause: err });
+                    reject(e);
+                }
+            });
+        }
+        catch (e) {
+            throw e instanceof Error ? e : new Error(String(e), { cause: e });
+        }
+        await new Promise((r) => setTimeout(r, 0));
+        await this.negotiateOTK();
+    }
     /**
      * Registers a new account on the server.
      *
@@ -956,6 +953,13 @@ export class Client {
         this.emitter.removeAllListeners(event);
         return this;
     }
+    /**
+     * Triggers an immediate inbox sync by fetching `/mail` once.
+     * Useful on mobile foreground resume where background work may pause.
+     */
+    async syncInboxNow() {
+        await this.getMail();
+    }
     /**
      * Returns a compact `<username><deviceID>` debug label.
      */
@@ -981,6 +985,24 @@ export class Client {
         const whoami = decodeAxios(WhoamiCodec, res.data);
         return whoami;
     }
+    async approveDeviceRequest(requestID) {
+        const req = await this.getDeviceRegistrationRequest(requestID);
+        if (!req) {
+            throw new Error("Device approval request not found.");
+        }
+        if (req.status !== "pending") {
+            throw new Error("Device approval request is not pending: " + req.status);
+        }
+        const signed = XUtils.encodeHex(await xSignAsync(XUtils.decodeUTF8(requestID), this.signKeys.secretKey));
+        const response = await this.http.post(this.prefixes.HTTP +
+            this.host +
+            "/user/" +
+            this.getUser().userID +
+            "/devices/requests/" +
+            requestID +
+            "/approve", msgpack.encode({ signed }), { headers: { "Content-Type": "application/msgpack" } });
+        return decodeAxios(DeviceCodec, response.data);
+    }
     censorPreKey(preKey) {
         if (!preKey.index) {
             throw new Error("Key index is required.");
@@ -1061,25 +1083,6 @@ export class Client {
         const res = await this.http.post(this.getHost() + "/server/" + globalThis.btoa(name));
         return decodeAxios(ServerCodec, res.data);
     }
-    /**
-     * `xDHAsync` and other helpers in `@vex-chat/crypto` use the process-wide
-     * active profile. When several {@link Client} instances use different
-     * `cryptoProfile` values, scope the global to this instance for the duration
-     * of that crypto work.
-     */
-    async runWithThisCryptoProfile(fn) {
-        const prev = getCryptoProfile();
-        if (prev === this.cryptoProfile) {
-            return await fn();
-        }
-        setCryptoProfile(this.cryptoProfile);
-        try {
-            return await fn();
-        }
-        finally {
-            setCryptoProfile(prev);
-        }
-    }
     async createSession(device, user, message, group, 
     /* this is passed through if the first message is
     part of a group message */
@@ -1255,6 +1258,19 @@ export class Client {
     async deleteServer(serverID) {
         await this.http.delete(this.getHost() + "/server/" + serverID);
     }
+    deviceListFailureDetail(err) {
+        if (!isAxiosError(err)) {
+            return "";
+        }
+        const st = err.response?.status;
+        if (typeof st === "number") {
+            return ` (HTTP ${String(st)})`;
+        }
+        if (err.code !== undefined) {
+            return ` (${err.code})`;
+        }
+        return "";
+    }
     /**
      * Gets a list of permissions for a server.
      *
@@ -1295,6 +1311,50 @@ export class Client {
             return [null, isAxiosError(err) ? err : null];
         }
     }
+    async fetchUserDeviceListOnce(userID) {
+        if (this.isManualCloseInFlight()) {
+            return [];
+        }
+        const res = await this.http.get(this.getHost() + "/user/" + userID + "/devices");
+        const devices = decodeAxios(DeviceArrayCodec, res.data);
+        for (const device of devices) {
+            this.deviceRecords[device.deviceID] = device;
+        }
+        return devices;
+    }
+    /**
+     * DM / forward paths need the peer’s (or self) device rows under load: bounded
+     * retries with exponential backoff (same shape as session pubkey hydration).
+     */
+    async fetchUserDeviceListWithBackoff(userID, label) {
+        const base = label === "own"
+            ? "Couldn't get own devices"
+            : "Couldn't get device list";
+        let lastErr;
+        for (let attempt = 0; attempt < 5; attempt++) {
+            if (this.isManualCloseInFlight()) {
+                return [];
+            }
+            if (attempt > 0) {
+                const delayMs = 100 * 2 ** (attempt - 1);
+                // Chunk the delay so close() can finish before we retry HTTP.
+                const chunkMs = 10;
+                for (let elapsed = 0; elapsed < delayMs; elapsed += chunkMs) {
+                    if (this.isManualCloseInFlight()) {
+                        return [];
+                    }
+                    await sleep(Math.min(chunkMs, delayMs - elapsed));
+                }
+            }
+            try {
+                return await this.fetchUserDeviceListOnce(userID);
+            }
+            catch (err) {
+                lastErr = err;
+            }
+        }
+        throw new Error(`${base}${this.deviceListFailureDetail(lastErr)}`);
+    }
     async forward(message) {
         if (this.isManualCloseInFlight()) {
             return;
@@ -1363,6 +1423,23 @@ export class Client {
             return null;
         }
     }
+    async getDeviceRegistrationRequest(requestID) {
+        try {
+            const response = await this.http.get(this.prefixes.HTTP +
+                this.host +
+                "/user/" +
+                this.getUser().userID +
+                "/devices/requests/" +
+                requestID);
+            return decodeAxios(PendingDeviceRequestCodec, response.data);
+        }
+        catch (err) {
+            if (isAxiosError(err) && err.response?.status === 404) {
+                return null;
+            }
+            throw err;
+        }
+    }
     /* Retrieves the current list of users you have sessions with. */
     async getFamiliars() {
         const sessions = await this.database.getAllSessions();
@@ -1415,8 +1492,8 @@ export class Client {
                     }
                 })();
                 debugLibvexDm("getMail: inbox", {
-                    deviceID: did,
                     count: String(inbox.length),
+                    deviceID: did,
                 });
             }
             for (const mailDetails of inbox) {
@@ -1425,8 +1502,8 @@ export class Client {
                     if (libvexDebugDmEnabled()) {
                         debugLibvexDm("getMail: readMail one", {
                             mailID: mailBody.mailID,
-                            type: String(mailBody.mailType),
                             recipient: mailBody.recipient,
+                            type: String(mailBody.mailType),
                         });
                     }
                     await this.readMail(mailHeader, mailBody, timestamp);
@@ -1526,19 +1603,6 @@ export class Client {
         }
         return this.user;
     }
-    deviceListFailureDetail(err) {
-        if (!isAxiosError(err)) {
-            return "";
-        }
-        const st = err.response?.status;
-        if (typeof st === "number") {
-            return ` (HTTP ${String(st)})`;
-        }
-        if (err.code !== undefined) {
-            return ` (${err.code})`;
-        }
-        return "";
-    }
     /**
      * Single GET for `/user/:id/devices`. On failure returns `null` (swallows errors)
      * — callers that need reliability should use `fetchUserDeviceListWithBackoff`.
@@ -1553,56 +1617,19 @@ export class Client {
             return null;
         }
     }
-    async fetchUserDeviceListOnce(userID) {
-        if (this.isManualCloseInFlight()) {
-            return [];
-        }
-        const res = await this.http.get(this.getHost() + "/user/" + userID + "/devices");
-        const devices = decodeAxios(DeviceArrayCodec, res.data);
-        for (const device of devices) {
-            this.deviceRecords[device.deviceID] = device;
-        }
-        return devices;
-    }
-    /**
-     * DM / forward paths need the peer’s (or self) device rows under load: bounded
-     * retries with exponential backoff (same shape as session pubkey hydration).
-     */
-    async fetchUserDeviceListWithBackoff(userID, label) {
-        const base = label === "own"
-            ? "Couldn't get own devices"
-            : "Couldn't get device list";
-        let lastErr;
-        for (let attempt = 0; attempt < 5; attempt++) {
-            if (this.isManualCloseInFlight()) {
-                return [];
-            }
-            if (attempt > 0) {
-                const delayMs = 100 * 2 ** (attempt - 1);
-                // Chunk the delay so close() can finish before we retry HTTP.
-                const chunkMs = 10;
-                for (let elapsed = 0; elapsed < delayMs; elapsed += chunkMs) {
-                    if (this.isManualCloseInFlight()) {
-                        return [];
-                    }
-                    await sleep(Math.min(chunkMs, delayMs - elapsed));
-                }
-            }
-            try {
-                return await this.fetchUserDeviceListOnce(userID);
-            }
-            catch (err) {
-                lastErr = err;
-            }
-        }
-        throw new Error(`${base}${this.deviceListFailureDetail(lastErr)}`);
-    }
     async getUserList(channelID) {
         const res = await this.http.post(this.getHost() + "/userList/" + channelID);
         return decodeAxios(UserArrayCodec, res.data);
     }
     async handleNotify(msg) {
         switch (msg.event) {
+            case "deviceRequest": {
+                const parsed = deviceRequestNotifyData.safeParse(msg.data);
+                if (parsed.success) {
+                    this.emitter.emit("deviceRequest", parsed.data);
+                }
+                break;
+            }
             case "mail":
                 await this.getMail();
                 this.fetchingMail = false;
@@ -1617,24 +1644,6 @@ export class Client {
                 break;
         }
     }
-    /**
-     * Pipeline for decrypted messages — registered in `init`. After `close()` sets
-     * `manuallyClosing`, this becomes a no-op so fire-and-forget `forward` does not
-     * race HTTP teardown (we avoid `off()` here — it can interact badly with emit).
-     */
-    onInternalMessage = (message) => {
-        if (this.isManualCloseInFlight()) {
-            return;
-        }
-        if (message.direction === "outgoing" && !message.forward) {
-            void this.forward(message);
-        }
-        if (message.direction === "incoming" &&
-            message.recipient === message.sender) {
-            return;
-        }
-        void this.database.saveMessage(message);
-    };
     /**
      * Initializes the keyring. This must be called before anything else.
      */
@@ -1722,6 +1731,14 @@ export class Client {
             throw new Error("Error initiating websocket connection " + String(err));
         }
     }
+    /**
+     * Fresh read of the `manuallyClosing` flag for async loops — direct property checks
+     * after `await` are flagged as always-false by control-flow analysis even though
+     * `close()` can run concurrently.
+     */
+    isManualCloseInFlight() {
+        return this.manuallyClosing;
+    }
     async kickUser(userID, serverID) {
         const permissionList = await this.fetchPermissionList(serverID);
         for (const permission of permissionList) {
@@ -1740,6 +1757,14 @@ export class Client {
             }
         }
     }
+    async listDeviceRegistrationRequests() {
+        const response = await this.http.get(this.prefixes.HTTP +
+            this.host +
+            "/user/" +
+            this.getUser().userID +
+            "/devices/requests");
+        return decodeAxios(PendingDeviceRequestArrayCodec, response.data);
+    }
     async markSessionVerified(sessionID) {
         return this.database.markSessionVerified(sessionID);
     }
@@ -1760,6 +1785,24 @@ export class Client {
         }
         this.xKeyRing.ephemeralKeys = await xBoxKeyPairAsync();
     }
+    /**
+     * Pipeline for decrypted messages — registered in `init`. After `close()` sets
+     * `manuallyClosing`, this becomes a no-op so fire-and-forget `forward` does not
+     * race HTTP teardown (we avoid `off()` here — it can interact badly with emit).
+     */
+    onInternalMessage = (message) => {
+        if (this.isManualCloseInFlight()) {
+            return;
+        }
+        if (message.direction === "outgoing" && !message.forward) {
+            void this.forward(message);
+        }
+        if (message.direction === "incoming" &&
+            message.recipient === message.sender) {
+            return;
+        }
+        void this.database.saveMessage(message);
+    };
     ping() {
         if (!this.isAlive) {
         }
@@ -1880,7 +1923,7 @@ export class Client {
                     const deviceEntry = await this.getDeviceByID(mail.sender);
                     const [user, _err] = await this.fetchUser(mail.authorID);
                     if (deviceEntry && user) {
-                        void this.createSession(deviceEntry, user, XUtils.decodeUTF8(`��RETRY_REQUEST:${mail.mailID}��`), mail.group, uuid.v4(), false, true);
+                        void this.createSession(deviceEntry, user, new Uint8Array(), mail.group, uuid.v4(), false, true);
                     }
                 };
                 switch (mail.mailType) {
@@ -1901,8 +1944,8 @@ export class Client {
                                 try {
                                     debugLibvexDm("readMail initial: abort (otk index mismatch)", {
                                         mailID: mail.mailID,
-                                        preKeyIndex: String(preKeyIndex),
                                         otkIndex: String(otk?.index ?? "null"),
+                                        preKeyIndex: String(preKeyIndex),
                                         thisDevice: this.getDevice().deviceID,
                                     });
                                 }
@@ -1929,8 +1972,8 @@ export class Client {
                             if (libvexDebugDmEnabled()) {
                                 try {
                                     debugLibvexDm("readMail initial: abort (IK_A null, Ed→X25519?)", {
-                                        mailID: mail.mailID,
                                         fips: String(fipsRead),
+                                        mailID: mail.mailID,
                                         thisDevice: this.getDevice().deviceID,
                                     });
                                 }
@@ -2024,9 +2067,9 @@ export class Client {
                                 try {
                                     debugLibvexDm("readMail initial: ok (emit message)", {
                                         mailID: mail.mailID,
+                                        plaintextLen: String(plaintext.length),
                                         preKeyIndex: String(preKeyIndex),
                                         thisDevice: this.getDevice().deviceID,
-                                        plaintextLen: String(plaintext.length),
                                     });
                                 }
                                 catch {
@@ -2211,7 +2254,16 @@ export class Client {
             "/user/" +
             userDetails.userID +
             "/devices", msgpack.encode(devMsg), { headers: { "Content-Type": "application/msgpack" } });
-        return decodeAxios(DeviceCodec, res.data);
+        return decodeAxios(DeviceRegistrationResultCodec, res.data);
+    }
+    async rejectDeviceRequest(requestID) {
+        await this.http.post(this.prefixes.HTTP +
+            this.host +
+            "/user/" +
+            this.getUser().userID +
+            "/devices/requests/" +
+            requestID +
+            "/reject");
     }
     async respond(msg) {
         const response = {
@@ -2282,9 +2334,13 @@ export class Client {
                 await this.database.purgeKeyData();
                 await this.populateKeyRing();
                 const newDevice = await this.registerDevice();
-                if (newDevice) {
+                if (newDevice && "deviceID" in newDevice) {
                     device = newDevice;
                 }
+                else if (newDevice && "status" in newDevice) {
+                    throw new Error("Device registration requires approval from an existing device. requestID=" +
+                        newDevice.requestID);
+                }
                 else {
                     throw new Error("Error registering device.");
                 }
@@ -2295,6 +2351,25 @@ export class Client {
         }
         return device;
     }
+    /**
+     * `xDHAsync` and other helpers in `@vex-chat/crypto` use the process-wide
+     * active profile. When several {@link Client} instances use different
+     * `cryptoProfile` values, scope the global to this instance for the duration
+     * of that crypto work.
+     */
+    async runWithThisCryptoProfile(fn) {
+        const prev = getCryptoProfile();
+        if (prev === this.cryptoProfile) {
+            return await fn();
+        }
+        setCryptoProfile(this.cryptoProfile);
+        try {
+            return await fn();
+        }
+        finally {
+            setCryptoProfile(prev);
+        }
+    }
     /* header is 32 bytes and is either empty
     or contains an HMAC of the message with
     a derived SK */
@@ -2344,9 +2419,9 @@ export class Client {
             if (!session || retry) {
                 if (libvexDebugDmEnabled()) {
                     debugLibvexDm("sendMail: createSession path", {
+                        hasSession: String(!!session),
                         peerDevice: device.deviceID,
                         retry: String(retry),
-                        hasSession: String(!!session),
                     });
                 }
                 await this.createSession(device, user, msg, group, mailID, forward, false);
@@ -2466,11 +2541,11 @@ export class Client {
             const deviceList = [...deviceListRaw].sort((a, b) => a.deviceID.localeCompare(b.deviceID, "en"));
             if (libvexDebugDmEnabled()) {
                 debugLibvexDm("sendMessage: peer device list (merged, sorted)", {
-                    userID,
                     nAfterBackoff: String(afterBackoff.length),
                     nMerged: String(deviceListRaw.length),
                     nSorted: String(deviceList.length),
                     ourDevice: this.getDevice().deviceID,
+                    userID,
                 });
                 for (const [i, d] of deviceList.entries()) {
                     debugLibvexDm(`sendMessage: device[${String(i)}]`, {
@@ -2480,16 +2555,18 @@ export class Client {
             }
             let lastErr;
             let failCount = 0;
+            // One logical DM fan-outs to multiple recipient devices. Reuse a
+            // single mailID so local/UI dedupe treats it as one message.
+            const messageMailID = uuid.v4();
             for (const device of deviceList) {
-                const mailID = uuid.v4();
                 try {
                     if (libvexDebugDmEnabled()) {
                         debugLibvexDm("sendMessage: sendMail start", {
+                            mailID: messageMailID,
                             recipientDevice: device.deviceID,
-                            mailID,
                         });
                     }
-                    await this.sendMail(device, userEntry, XUtils.decodeUTF8(message), null, mailID, false);
+                    await this.sendMail(device, userEntry, XUtils.decodeUTF8(message), null, messageMailID, false);
                     if (libvexDebugDmEnabled()) {
                         debugLibvexDm("sendMessage: sendMail ok", {
                             recipientDevice: device.deviceID,