whalibmob 2.1.0 → 3.0.0

package/README.md

@@ -1,354 +1,263 @@
 # whalibmob
 
-A pure JavaScript Node.js library and CLI for WhatsApp. Operates as a
-mobile iOS client with full Signal Protocol end-to-end encryption, SenderKey
-group messaging, multi-device fanout, persistent sessions, and automatic
-reconnection.
+> Pure JavaScript Node.js WhatsApp client library and CLI. Operates as a real mobile iOS device with full **Signal Protocol** end-to-end encryption, SenderKey group messaging, multi-device fanout, persistent sessions, and automatic reconnection. No native binaries — runs anywhere Node.js runs.
 
 ---
 
-> **⚠️ IMPORTANT — You need a brand-new phone number and a brand-new SIM card
-> dedicated to WhatsApp for this library to work for you.** Using an existing
-> WhatsApp account that is already active on a real phone will cause
-> WhatsApp to ban or revoke the session. Register a fresh number that has
-> never been used with WhatsApp before.
+> **⚠️ IMPORTANT:** Use a **brand-new phone number** dedicated exclusively to this library. Using an existing WhatsApp account already active on a real phone will cause WhatsApp to revoke the session. Register a fresh number that has never been used with WhatsApp before.
 
 ---
 
-## Features
+## Requirements
 
-- **Mobile iOS fingerprint** — authentic iOS device headers; behaves like
-  WhatsApp on an iPhone
-- **Signal Protocol E2E encryption** — X3DH session setup, Double Ratchet
-  for 1-to-1 messages
-- **SenderKey group encryption** — efficient group messaging with chain-key
-  advance and SKDM distribution
-- **Multi-device fanout** — messages delivered to all linked devices of each
-  recipient via usync device query
-- **All media types** — images, video, audio, voice notes (PTT), documents,
-  stickers; AES-256-CBC + HKDF-SHA256 encryption, uploaded to WhatsApp CDN
-- **Text, reactions, extended text** — full message type coverage
-- **Participant hash (phash)** — SHA-256 participant-list validation sent
-  with every multi-device and group message
-- **deviceSentMessage** — own linked devices (tablet, secondary phone) receive
-  a proper copy-sent wrapper so they show the message as sent
-- **senderKeyMap** — SKDM is sent to each device only once; subsequent group
-  messages skip SKDM entirely for devices that already have the key
-- **Automatic reconnection** — exponential backoff (1 s → 2 → 4 → 8 → 15 → 30 s)
-- **Pre-key replenishment** — automatic upload when supply drops below 20
-- **Persistent sessions** — JSON files on disk; no re-registration after restart
-- **Auth confirmation** — waits for server `<success>` before declaring the
-  connection open; handles `<failure>` (session revoked / account banned)
-- **Professional `wa` CLI** — yowsup-style interface for registration, sending,
-  listening, and interactive chat
+- **Node.js 18** or higher
+- A phone number that can receive SMS or voice calls
 
 ---
 
-## Installation
+## Global Installation
+
+Install once, use the `wa` command from anywhere on your system:
 
 ```bash
-cd tools/whalibmob
-npm install
-npm link          # makes `wa` available globally
+npm install -g whalibmob
 ```
 
-Requires **Node.js 18** or higher.
+Verify it works:
+
+```bash
+wa version
+```
 
 ---
 
-## CLI Usage
+## Quick Start
 
-### Check if a number is registered
+### 1 — Check if a number has WhatsApp
 
 ```bash
 wa registration --check 919634847671
 ```
 
-### Request a verification code
+### 2 — Request a verification code
 
 ```bash
-# via SMS (default)
+# Via SMS (default)
 wa registration --request-code 919634847671
 
-# via voice call
+# Via voice call
 wa registration --request-code 919634847671 --method voice
 
-# via backup WhatsApp account (wa_old)
+# Via an old WhatsApp account
 wa registration --request-code 919634847671 --method wa_old
 ```
 
-### Register with the received code
+### 3 — Register with the code you received
 
 ```bash
 wa registration --register 919634847671 --code 123456
 ```
 
-### Connect and enter an interactive shell
+### 4 — Connect
 
 ```bash
 wa connect 919634847671
 ```
 
-Interactive commands at the `wa>` prompt:
+You will enter an interactive shell:
 
 ```
-/send <jid> <text>     Send a text message
-/presence              Set presence to available
-/presence away         Set presence to unavailable
-/quit                  Disconnect and exit
+wa> /send 911234567890@s.whatsapp.net Hello!
+wa> /presence
+wa> /presence away
+wa> /quit
 ```
 
-### Send messages
+---
+
+## CLI Reference
+
+### Registration
+
+| Command | Description |
+|---|---|
+| `wa registration --check <phone>` | Check if a number has WhatsApp |
+| `wa registration --request-code <phone>` | Request SMS verification code |
+| `wa registration --request-code <phone> --method voice` | Request code via voice call |
+| `wa registration --request-code <phone> --method wa_old` | Request code via old WA account |
+| `wa registration --register <phone> --code <code>` | Complete registration |
+
+### Connection
+
+| Command | Description |
+|---|---|
+| `wa connect <phone>` | Connect and open interactive shell |
+| `wa listen <phone>` | Connect and print all incoming messages |
+
+### Sending Messages
 
 ```bash
-# Text
-wa send 919634847671 --to 911234567890@s.whatsapp.net --text "Hello!"
+# Text message
+wa send <phone> --to <jid> --text "Hello!"
 
-# Image with caption
-wa send 919634847671 --to 911234567890@s.whatsapp.net --image ./photo.jpg --caption "Look at this"
+# Image (with optional caption)
+wa send <phone> --to <jid> --image ./photo.jpg --caption "Check this out"
 
-# Video
-wa send 919634847671 --to 911234567890@s.whatsapp.net --video ./clip.mp4
+# Video (with optional caption)
+wa send <phone> --to <jid> --video ./clip.mp4 --caption "Watch this"
 
-# Voice note (PTT)
-wa send 919634847671 --to 911234567890@s.whatsapp.net --ptt ./voice.ogg
+# Voice note (push-to-talk)
+wa send <phone> --to <jid> --ptt ./voice.ogg
 
 # Audio file
-wa send 919634847671 --to 911234567890@s.whatsapp.net --audio ./song.mp3
+wa send <phone> --to <jid> --audio ./song.mp3
 
 # Document
-wa send 919634847671 --to 911234567890@s.whatsapp.net --document ./report.pdf
+wa send <phone> --to <jid> --document ./report.pdf
 
 # Sticker
-wa send 919634847671 --to 911234567890@s.whatsapp.net --sticker ./sticker.webp
+wa send <phone> --to <jid> --sticker ./sticker.webp
 
 # Emoji reaction
-wa send 919634847671 --to 911234567890@s.whatsapp.net --reaction 👍 --msg-id 3EB0ABCDEF123456
+wa send <phone> --to <jid> --reaction 👍 --msg-id 3EB0ABCDEF123456
 
 # Group message
-wa send 919634847671 --to 120363000000000000@g.us --text "Hi everyone!"
-```
-
-### Listen for incoming messages
-
-```bash
-wa listen 919634847671
-```
-
-### Print version
-
-```bash
-wa version
+wa send <phone> --to 120363000000000000@g.us --text "Hi everyone!"
 ```
 
-### Full options reference
+### JID Format
 
-| Flag | Description |
+| Target | JID |
 |---|---|
-| `--session <dir>` | Session directory (default: `~/.waSession`) |
-| `--method sms\|voice\|wa_old` | Verification code delivery method |
-| `--code <code>` | Verification code |
-| `--to <jid>` | Recipient JID (`phone@s.whatsapp.net` or `groupid@g.us`) |
-| `--text <msg>` | Text message body |
-| `--caption <text>` | Caption for media messages |
-| `--reaction <emoji>` | Emoji to send as a reaction |
-| `--msg-id <id>` | Message ID to react to (required with `--reaction`) |
+| Individual | `919634847671@s.whatsapp.net` |
+| Group | `120363000000000000@g.us` |
 
----
+> Phone numbers must include the country code, without the `+` prefix.
 
-## Library Usage
+### All Options
 
-### Connect and send messages
+| Flag | Default | Description |
+|---|---|---|
+| `--session <dir>` | `~/.waSession` | Directory where session files are stored |
+| `--method` | `sms` | Verification method: `sms`, `voice`, or `wa_old` |
+| `--code` | — | Verification code received via SMS/voice |
+| `--to` | — | Recipient JID |
+| `--text` | — | Text message body |
+| `--caption` | — | Caption for image or video |
+| `--reaction` | — | Emoji to react with |
+| `--msg-id` | — | Message ID to react to (required with `--reaction`) |
 
-```javascript
-const { WhalibmobClient } = require('whalibmob');
+---
 
-const client = new WhalibmobClient({ sessionDir: '/path/to/sessions' });
+## Sessions
 
-client.on('connected', async () => {
-  // Text
-  await client.sendText('919876543210@s.whatsapp.net', 'Hello!');
-
-  // Image
-  await client.sendImage('919876543210@s.whatsapp.net', '/path/to/photo.jpg', {
-    caption: 'My photo'
-  });
-
-  // Image from Buffer
-  const buf = require('fs').readFileSync('/path/to/photo.jpg');
-  await client.sendImage('919876543210@s.whatsapp.net', buf, { caption: 'From buffer' });
-
-  // Voice note
-  await client.sendAudio('919876543210@s.whatsapp.net', '/path/to/voice.ogg', {
-    ptt: true,
-    seconds: 12
-  });
-
-  // Document
-  await client.sendDocument('919876543210@s.whatsapp.net', '/path/to/file.pdf', {
-    fileName: 'report.pdf',
-    mimetype: 'application/pdf'
-  });
-
-  // Reaction
-  await client.sendReaction('919876543210@s.whatsapp.net', '3EB0ABC123', '👍');
-
-  // Group message
-  await client.sendText('120363000000000000@g.us', 'Hi group!');
-});
+Sessions are stored as JSON files in `~/.waSession/` by default.  
+Each phone number gets its own file: `~/.waSession/<phone>.json`.
 
-client.on('message', (msg) => {
-  console.log('From:', msg.from, '|', msg.text);
-});
+You only register once. After that, just connect:
 
-client.on('auth_failure', ({ reason }) => {
-  console.error('Session revoked by WhatsApp:', reason);
-  // reason values: '401', '403', 'not_authorized', 'device_removed', etc.
-});
+```bash
+wa connect 919634847671
+```
 
-client.on('close', () => console.log('Disconnected'));
-client.on('error', (err) => console.error(err));
+To use a custom session directory:
 
-await client.init('919634847671');
+```bash
+wa connect 919634847671 --session /data/my-sessions
+wa send   919634847671 --session /data/my-sessions --to 911234567890@s.whatsapp.net --text "Hi"
 ```
 
-### Registration (programmatic)
+---
+
+## Library API
 
-```javascript
+```js
 const {
-  createNewStore,
-  saveStore,
+  WhalibmobClient,
   loadStore,
-  checkIfRegistered,
-  requestSmsCode,
-  verifyCode
+  checkNumberStatus,
+  makeJid,
+  generateMessageId
 } = require('whalibmob');
-
-const storePath = '/path/to/sessions/919634847671.json';
-
-// Create or load a session store
-let store = loadStore(storePath) || createNewStore('919634847671');
-
-// Check if already registered
-const status = await checkIfRegistered(store);
-console.log(status.status);  // "ok" if registered
-
-// Request verification code — methods: "sms", "voice", "wa_old"
-const res = await requestSmsCode(store, 'sms');
-console.log(res.status);     // "sent" on success
-
-// Verify the received code and save session
-const reg = await verifyCode(store, '123456');
-if (reg.status === 'ok') {
-  saveStore(store, storePath);
-  console.log('Registered!');
-}
 ```
 
----
+### Connect and send a message
 
-## Events
+```js
+const { WhalibmobClient, loadStore } = require('whalibmob');
+const path = require('path');
 
-| Event | Payload | Description |
-|---|---|---|
-| `connected` | — | Server confirmed `<success>`, session is live |
-| `close` | — | Connection closed |
-| `disconnected` | — | TCP connection dropped (reconnect scheduled) |
-| `reconnecting` | `{ delay, attempt }` | About to reconnect after backoff delay |
-| `reconnected` | — | Reconnection succeeded |
-| `auth_failure` | `{ reason, node }` | Server sent `<failure>` — session revoked or account banned |
-| `error` | `Error` | Non-fatal error occurred |
-| `message` | `{ id, from, participant, ts, text?, plaintext?, isGroup? }` | Incoming message (plaintext is a Buffer) |
-| `receipt` | `{ id, from, type }` | Delivery or read receipt |
-| `presence` | `{ from, available }` | Contact came online / went offline |
-| `call` | `{ from, node }` | Incoming call (auto-rejected by the library) |
-| `notification` | `{ type, attrs, node }` | Raw server notification |
-| `decrypt_error` | `{ id, from, err }` | Decryption failed; retry request sent automatically |
-| `media_conn` | `{ hosts, auth }` | Media upload server connection ready |
-| `session_refresh` | `{ node }` | Server sent a late `<success>` (re-auth flow) |
-| `stream_error` | `{ reason }` | Server-side stream error |
-
----
+const sessionDir = path.join(process.env.HOME, '.waSession');
+const store = loadStore('919634847671', sessionDir);
 
-## Session Files
+const client = new WhalibmobClient(store, { sessionDir });
 
-Sessions are stored as JSON in the session directory (default `~/.waSession`):
-
-```
-~/.waSession/919634847671.json         # WhatsApp credentials and keys
-~/.waSession/919634847671.signal.json  # Signal Protocol session state
-~/.waSession/919634847671.sk.json      # SenderKey group state + SKDM map
-```
-
-Once registered, sessions persist across restarts. Re-registration is only
-required if WhatsApp revokes the session (you will receive an `auth_failure`
-event with reason `401` or `not_authorized`).
-
----
-
-## Signal Protocol
+client.on('connected', async () => {
+  await client.sendText('911234567890@s.whatsapp.net', 'Hello from whalibmob!');
+});
 
-End-to-end encryption follows the Signal Protocol spec:
+client.on('message', msg => {
+  console.log('Received:', msg);
+});
 
-1. On first connection, pre-keys are generated and uploaded to WhatsApp.
-2. When contacting a new recipient, the library fetches their pre-key bundle
-   and runs X3DH to establish a session.
-3. All subsequent messages use the Double Ratchet algorithm.
-4. Pre-keys are automatically replenished when supply drops below 20.
-5. Session state is persisted to disk between restarts.
+client.on('disconnected', ({ reason }) => {
+  console.log('Disconnected:', reason);
+});
 
----
+await client.connect();
+```
 
-## Group Messaging (SenderKey)
+### Send media
 
-Group messages use the SenderKey protocol for efficient delivery:
+```js
+await client.sendImage   ('911234567890@s.whatsapp.net', './photo.jpg',   'Caption');
+await client.sendVideo   ('911234567890@s.whatsapp.net', './clip.mp4',    'Caption');
+await client.sendPtt     ('911234567890@s.whatsapp.net', './voice.ogg');
+await client.sendAudio   ('911234567890@s.whatsapp.net', './song.mp3');
+await client.sendDocument('911234567890@s.whatsapp.net', './report.pdf');
+await client.sendSticker ('911234567890@s.whatsapp.net', './sticker.webp');
+```
 
-1. Each sender generates a SenderKey (signing key pair + chain key).
-2. On first group message, a SenderKey Distribution Message (SKDM) is
-   encrypted individually for every device of every group member and sent.
-3. Subsequent messages are encrypted once with the SenderKey and broadcast
-   — no per-member re-encryption needed.
-4. The library tracks which devices have already received the SKDM (persisted
-   in `.sk.json`) and skips them on subsequent messages.
-5. The chain key advances with each message (HMAC-SHA256).
-6. Out-of-order message decryption is supported via cached message keys.
+### Check a number
 
----
+```js
+const { checkNumberStatus } = require('whalibmob');
 
-## Multi-Device
+const result = await checkNumberStatus('919634847671');
+// result.status → 'registered' | 'registered_blocked' | 'not_registered' | 'cooldown' | 'unknown'
+console.log(result.status);
+```
 
-The library fully supports WhatsApp's multi-device architecture:
+### Events
 
-- Device lists are fetched via usync queries.
-- Signal sessions are established for each linked device.
-- All outgoing DMs are fanned out to every device of every recipient as well
-  as the sender's own linked devices (tablet, secondary phone, etc.).
-- Own linked devices receive a `deviceSentMessage` wrapper so they display
-  the message as sent (not received).
-- All multi-device stanzas include a `phash` (SHA-256 participant hash) so
-  the server can validate the participant list.
-- SKDM distribution in groups covers all member devices.
+| Event | Payload | Description |
+|---|---|---|
+| `connected` | — | Session authenticated and ready |
+| `disconnected` | `{ reason }` | Connection closed |
+| `auth_failure` | `{ reason }` | Auth failed (banned or session revoked) |
+| `message` | message object | Incoming message received |
+| `message.sent` | message object | Outgoing message confirmed by server |
+| `error` | Error | Unhandled transport error |
 
 ---
 
-## Noise Handshake & Auth
-
-The transport uses **Noise_XX_25519_AESGCM_SHA256**:
+## Features
 
-1. TCP connection to `g.whatsapp.net:443`.
-2. Client sends `ClientHello` with ephemeral X25519 public key.
-3. Server replies with `ServerHello` (ephemeral + encrypted static + payload).
-4. Three Diffie-Hellman steps (EE, SE, SS) derive the session keys.
-5. Client sends `ClientFinish` (encrypted static + encrypted payload).
-6. **Library waits for the server's `<success>` or `<failure>` node.**
-7. Only after `<success>` is the channel opened and the `connected` event
-   emitted. A `<failure>` rejects with an `auth_failure` event.
+- **Mobile iOS fingerprint** — authentic iOS headers; WhatsApp servers treat it as an iPhone
+- **Signal Protocol E2E encryption** — X3DH key agreement, Double Ratchet for 1-to-1 messages, fully inlined (no native binaries, no GitHub dependencies)
+- **SenderKey group encryption** — efficient group messaging with chain-key advance and SKDM distribution
+- **Multi-device fanout** — messages delivered to every linked device of each recipient
+- **All media types** — images, video, audio, voice notes, documents, stickers
+- **Media encryption** — AES-256-CBC + HKDF-SHA256; files uploaded to WhatsApp CDN
+- **Emoji reactions** — react to any message by its ID
+- **Automatic reconnection** — exponential backoff (1 s → 2 → 4 → 8 → 15 → 30 s cap)
+- **Pre-key replenishment** — automatic upload when supply drops below threshold
+- **Persistent sessions** — JSON files on disk; no re-registration after restart
+- **Zero native dependencies** — pure JavaScript; works on Linux, macOS, Windows, Termux (Android)
 
 ---
 
-## Automatic Reconnection
-
-The client reconnects on disconnect with exponential backoff:
+## Reconnection Backoff
 
 | Attempt | Delay |
 |---|---|
@@ -361,16 +270,26 @@ The client reconnects on disconnect with exponential backoff:
 
 ---
 
-## Media Encryption
-
-Media files use WhatsApp's standard encryption scheme:
+## Media Encryption Scheme
 
 1. A random 32-byte media key is generated.
-2. HKDF-SHA256 expands it to produce the IV, cipher key, and MAC key.
+2. HKDF-SHA256 expands it into an IV, cipher key, and MAC key.
 3. The file is encrypted with AES-256-CBC.
 4. A 10-byte HMAC-SHA256 MAC is appended.
-5. The encrypted ciphertext is uploaded to WhatsApp's CDN.
-6. The media key and URL are sent in the message envelope.
+5. The ciphertext is uploaded to WhatsApp CDN.
+6. The media key and CDN URL are embedded in the message envelope.
+
+---
+
+## Transport
+
+Uses **Noise_XX_25519_AESGCM_SHA256** over TCP to `g.whatsapp.net:443`:
+
+1. Client sends `ClientHello` with an ephemeral X25519 public key.
+2. Server replies `ServerHello` (ephemeral + encrypted static + payload).
+3. Three DH steps (EE, SE, SS) derive the final session keys.
+4. Client sends `ClientFinish` (encrypted static + encrypted payload).
+5. Library waits for server `<success>` before emitting `connected`, or `<failure>` for `auth_failure`.
 
 ---
 

package/lib/noise.js

@@ -10,6 +10,61 @@ const { MOBILE_PROLOGUE, WHATSAPP_HOST, WHATSAPP_PORT } = require('./constants')
 const { encodeHandshakeClientHello, encodeHandshakeClientFinish,
         decodeServerHello, encodeClientPayload } = require('./proto');
 
+// ─── CertChain validator (matches Baileys WA_CERT_DETAILS.SERIAL = 0) ────────
+//
+// Server payload inside ServerHello is a CertChain protobuf:
+//   CertChain.field2 (intermediate) → NoiseCertificate
+//     NoiseCertificate.field1 (details) → NoiseCertificate.Details
+//       Details.field2 (issuerSerial) must === 0
+//
+// All decoded manually to avoid a protobufjs dependency in noise.js.
+
+function _pbReadVarint(buf, off) {
+  let v = 0, shift = 0;
+  while (off.pos < buf.length) {
+    const b = buf[off.pos++];
+    v |= (b & 0x7f) << shift;
+    if (!(b & 0x80)) break;
+    shift += 7;
+  }
+  return v;
+}
+
+function _pbReadFields(buf) {
+  const fields = {};
+  const off = { pos: 0 };
+  while (off.pos < buf.length) {
+    const tag = _pbReadVarint(buf, off);
+    const fn  = tag >>> 3;
+    const wt  = tag & 7;
+    if (wt === 0) {
+      fields[fn] = _pbReadVarint(buf, off);
+    } else if (wt === 2) {
+      const len = _pbReadVarint(buf, off);
+      fields[fn] = buf.slice(off.pos, off.pos + len);
+      off.pos += len;
+    } else {
+      break; // unexpected wire type — stop parsing
+    }
+  }
+  return fields;
+}
+
+function validateServerCert(payloadBuf) {
+  // payloadBuf is the decrypted ServerHello.payload (CertChain protobuf)
+  const chain        = _pbReadFields(payloadBuf);
+  const intermediate = chain[2]; // field 2 = intermediate NoiseCertificate
+  if (!Buffer.isBuffer(intermediate)) return; // no intermediate cert — skip
+  const cert    = _pbReadFields(intermediate);
+  const details = cert[1]; // field 1 = details bytes
+  if (!Buffer.isBuffer(details)) return;
+  const det          = _pbReadFields(details);
+  const issuerSerial = det[2]; // field 2 = issuerSerial (uint32)
+  if (issuerSerial !== undefined && issuerSerial !== 0) {
+    throw new Error('WA server cert validation failed: issuerSerial=' + issuerSerial + ' expected 0');
+  }
+}
+
 // ─── Curve25519 DH helpers ───────────────────────────────────────────────────
 
 function stripKeyPrefix(pub) {
@@ -216,7 +271,8 @@ class NoiseSocket extends EventEmitter {
       this.noiseState.mixKey(sharedSE);
 
       if (serverHello.payload) {
-        this.noiseState.decryptWithAd(serverHello.payload);
+        const certPlain = this.noiseState.decryptWithAd(serverHello.payload);
+        validateServerCert(certPlain);
       }
 
       const noisePriv  = this.store.noiseKeyPair.private;

package/lib/proto/MessageProto.js

@@ -8,11 +8,13 @@ function tag(fieldNumber, wireType) {
 }
 
 function encodeVarint(n) {
+  // Use Math.floor/% instead of bitwise ops to handle values > 2^31 safely
+  // (JavaScript bitwise ops coerce to Int32, breaking timestamps in ms, large file sizes etc.)
   const bytes = [];
-  let val = n >>> 0;
+  let val = Math.floor(n);
   while (val > 127) {
-    bytes.push((val & 0x7f) | 0x80);
-    val = val >>> 7;
+    bytes.push((val % 128) | 0x80);
+    val = Math.floor(val / 128);
   }
   bytes.push(val);
   return Buffer.from(bytes);
@@ -101,23 +103,25 @@ function encodeVideoMessage(opts) {
     field(9,  WIRE_VARINT, varint(opts.height || 0)),
     field(10, WIRE_VARINT, varint(opts.width  || 0)),
     field(11, WIRE_LEN,    bytes(opts.fileEncSha256)),
-    field(12, WIRE_LEN,    str(opts.directPath)),
-    field(13, WIRE_VARINT, varintS(opts.mediaKeyTimestamp || Math.floor(Date.now() / 1000)))
+    field(13, WIRE_LEN,    str(opts.directPath)),
+    field(14, WIRE_VARINT, varintS(opts.mediaKeyTimestamp || Math.floor(Date.now() / 1000)))
   ];
-  if (opts.jpegThumbnail) parts.push(field(16, WIRE_LEN, bytes(opts.jpegThumbnail)));
   if (opts.gifPlayback)   parts.push(field(8,  WIRE_VARINT, bool(true)));
+  if (opts.jpegThumbnail) parts.push(field(16, WIRE_LEN, bytes(opts.jpegThumbnail)));
   if (opts.contextInfo)   parts.push(field(17, WIRE_LEN, encodeContextInfo(opts.contextInfo)));
   return Buffer.concat(parts);
 }
 
 function encodeAudioMessage(opts) {
+  // ptt (field 6) goes between seconds (5) and mediaKey (7) — must be in field-number order
+  const pttField = opts.ptt ? field(6, WIRE_VARINT, bool(true)) : Buffer.alloc(0);
   const parts = [
     field(1,  WIRE_LEN,    str(opts.url)),
     field(2,  WIRE_LEN,    str(opts.mimetype || 'audio/ogg; codecs=opus')),
     field(3,  WIRE_LEN,    bytes(opts.fileSha256)),
     field(4,  WIRE_VARINT, varint(opts.fileLength)),
     field(5,  WIRE_VARINT, varint(opts.seconds || 0)),
-    field(6,  WIRE_VARINT, bool(opts.ptt || false)),
+    pttField,
     field(7,  WIRE_LEN,    bytes(opts.mediaKey)),
     field(8,  WIRE_LEN,    bytes(opts.fileEncSha256)),
     field(9,  WIRE_LEN,    str(opts.directPath)),

package/lib/signal/SignalProtocol.js

@@ -11,6 +11,31 @@ const PRE_KEY_COUNT   = 100;
 const PRE_KEY_MIN     = 10;
 const PRE_KEY_START   = 1;
 
+// ─── Per-JID async mutex (matches Baileys encryptionMutex pattern) ────────────
+// Prevents race conditions when two messages are encrypted simultaneously
+// for the same Signal session (e.g. rapid sends or parallel fanout calls).
+
+const _mutexQueues = new Map();
+
+async function _withMutex(key, fn) {
+  // If no queue exists for this key, run immediately
+  if (!_mutexQueues.has(key)) {
+    _mutexQueues.set(key, Promise.resolve());
+  }
+  const prev = _mutexQueues.get(key);
+  let releasePrev;
+  const next = new Promise(r => { releasePrev = r; });
+  _mutexQueues.set(key, next);
+  await prev;
+  try {
+    return await fn();
+  } finally {
+    releasePrev();
+    // Cleanup: if no more waiters, remove from map
+    if (_mutexQueues.get(key) === next) _mutexQueues.delete(key);
+  }
+}
+
 // ─── Padding ──────────────────────────────────────────────────────────────────
 
 function randomPadding() {
@@ -159,14 +184,17 @@ class SignalProtocol {
   // ─── 1-to-1 encrypt / decrypt ─────────────────────────────────────────────
 
   async encrypt(jid, plaintext) {
-    const addr   = jidToAddress(jid);
-    const cipher = new SessionCipher(this.store, addr);
-    const padded = pad(Buffer.from(plaintext));
-    const result = await cipher.encrypt(padded);
-    return {
-      type:       result.type === 3 ? 'pkmsg' : 'msg',
-      ciphertext: Buffer.from(result.body, 'binary')
-    };
+    // Mutex per JID — prevents Signal session race conditions (matches Baileys encryptionMutex)
+    return _withMutex(jid, async () => {
+      const addr   = jidToAddress(jid);
+      const cipher = new SessionCipher(this.store, addr);
+      const padded = pad(Buffer.from(plaintext));
+      const result = await cipher.encrypt(padded);
+      return {
+        type:       result.type === 3 ? 'pkmsg' : 'msg',
+        ciphertext: Buffer.from(result.body, 'binary')
+      };
+    });
   }
 
   async decrypt(jid, type, ciphertext) {
@@ -182,18 +210,17 @@ class SignalProtocol {
   }
 
   // ─── Bulk encrypt for multiple devices (MD fanout) ─────────────────────────
+  // All devices encrypted in parallel (like Baileys Promise.all).
+  // Each JID is protected by its own mutex so parallel calls on the
+  // same JID are still serialized — no Signal session corruption possible.
   // Returns [{jid, type, ciphertext}]
   async bulkEncryptForDevices(jids, plaintext) {
-    const results = [];
-    for (const jid of jids) {
-      try {
-        const enc = await this.encrypt(jid, plaintext);
-        results.push({ jid, type: enc.type, ciphertext: enc.ciphertext });
-      } catch (err) {
-        // Skip devices with no session or errors
-      }
-    }
-    return results;
+    const settled = await Promise.allSettled(
+      jids.map(jid => this.encrypt(jid, plaintext).then(enc => ({ jid, type: enc.type, ciphertext: enc.ciphertext })))
+    );
+    return settled
+      .filter(r => r.status === 'fulfilled')
+      .map(r => r.value);
   }
 
   // ─── SenderKey group encrypt / decrypt ────────────────────────────────────

package/package.json

@@ -1,13 +1,25 @@
 {
   "name": "whalibmob",
-  "version": "2.1.0",
+  "version": "3.0.0",
   "description": "WhatsApp mobile-only Node.js client library with Signal Protocol encryption",
   "main": "index.js",
   "bin": {
     "wa": "./cli.js"
   },
+  "files": [
+    "index.js",
+    "cli.js",
+    "lib/**/*.js"
+  ],
   "type": "commonjs",
   "license": "MIT",
+  "keywords": [
+    "whatsapp",
+    "signal-protocol",
+    "mobile",
+    "client",
+    "encryption"
+  ],
   "dependencies": {
     "@noble/curves": "^1.8.1",
     "@noble/hashes": "^1.7.2",