fix(voip): guard CallLifecycle.end against re-entry and step-1 throws

Blocker 1: mediaCall.hangup() emits 'ended' synchronously
(@rocket.chat/media-signaling Call.js line 703). The 'ended' listener in
useCallStore re-calls callLifecycle.end('remote') BEFORE the outer
end() finishes assigning _endPromise — bypassing the re-entry guard and
triggering double teardown (callEnded twice, end command twice, infinite
recursion in tests). Defer _runTeardown to a microtask so _endPromise
is captured first; the synchronous re-entrant call now hits the guard
and shares the in-flight promise.

Blocker 3: wrap step 1 (mediaCall.reject/hangup) in try/catch with a
logger.warn so a throw does not abort subsequent teardown steps
(markActive, markAvailable, store reset, stopAudio, callEnded), which
would leak listeners and native CallKit/Telecom state.

Tests: regression for synchronous re-entry asserts callEnded fires
exactly once (toHaveBeenCalledTimes/toHaveLength) and the end command
issues exactly once. Step-1 throw isolation tests assert the remaining
six steps still run when reject/hangup throws. Integration tests
updated to flush the new teardown microtask via await act().

Author: diegolmello

app/containers/NewMediaCall/VoipCallLifecycle.integration.test.tsx

@@ -451,8 +451,10 @@ describe('VoIP call lifecycle (integration)', () => {
 		// Firing 'ended' triggers CallLifecycle teardown via the handleEnded listener.
 		// Navigation.back() is now handled by CallNavRouter (not wired in this integration test).
 		// We verify the teardown sequence runs: store cleared, native end issued.
-		act(() => {
+		// CallLifecycle.end() defers its body to a microtask (re-entry guard); flush it.
+		await act(async () => {
 			(call!.emitter as unknown as ReturnType<typeof mockCallEmitter>).emit('ended');
+			await Promise.resolve();
 		});
 		expect((voipNative as InMemoryVoipNative).recorded).toContainEqual({ cmd: 'end', callUuid: 'call-user-1' });
 		// Navigation.back() is now owned by CallNavRouter after callEnded emits.
@@ -639,8 +641,10 @@ describe('VoIP call lifecycle (integration)', () => {
 			await act(() => Promise.resolve());
 			expect(useCallStore.getState().call?.callId).toBe('call-user-1');
 
-			act(() => {
+			// CallLifecycle.end() defers its body to a microtask (re-entry guard); flush it.
+			await act(async () => {
 				useCallStore.getState().endCall();
+				await Promise.resolve();
 			});
 
 			expect((voipNative as InMemoryVoipNative).recorded).toContainEqual({ cmd: 'end', callUuid: 'call-user-1' });
@@ -651,16 +655,18 @@ describe('VoIP call lifecycle (integration)', () => {
 			expect(useCallStore.getState().callId).toBeNull();
 		});
 
-		it('B2: MediaSessionInstance.endCall during active state → voipNative cleanup, store reset', () => {
+		it('B2: MediaSessionInstance.endCall during active state → voipNative cleanup, store reset', async () => {
 			// endCall now delegates to callLifecycle.end('local'). CallLifecycle reads the
 			// active call from useCallStore, so the call must be set there first.
 			const activeCall = makeCall({ callId: 'active-1', state: 'active' });
 			act(() => {
 				useCallStore.getState().setCall(activeCall);
 			});
 
-			act(() => {
+			// CallLifecycle.end() defers its body to a microtask (re-entry guard); flush it.
+			await act(async () => {
 				mediaSessionInstance.endCall('active-1');
+				await Promise.resolve();
 			});
 
 			// CallLifecycle.end() steps 2-4 run via InMemoryVoipNative (records commands instead of calling RNCallKeep).
@@ -670,16 +676,18 @@ describe('VoIP call lifecycle (integration)', () => {
 			expect(useCallStore.getState().call).toBeNull();
 		});
 
-		it('B3: MediaSessionInstance.endCall during ringing → reject (not hangup) + voipNative cleanup', () => {
+		it('B3: MediaSessionInstance.endCall during ringing → reject (not hangup) + voipNative cleanup', async () => {
 			// CallLifecycle reads the active call from useCallStore to decide reject vs hangup.
 			// The ringing call must be in the store for reject() to be called.
 			const ringingCall = makeCall({ callId: 'ringing-1', state: 'ringing' });
 			act(() => {
 				useCallStore.getState().setCall(ringingCall);
 			});
 
-			act(() => {
+			// CallLifecycle.end() defers its body to a microtask (re-entry guard); flush it.
+			await act(async () => {
 				mediaSessionInstance.endCall('ringing-1');
+				await Promise.resolve();
 			});
 
 			expect(ringingCall.reject).toHaveBeenCalled();
@@ -814,7 +822,7 @@ describe('VoIP call lifecycle (integration)', () => {
 			expect(useCallStore.getState().isOnHold).toBe(true);
 		});
 
-		it('D3: press end button → call.hangup, voipNative.call.end, store cleared', () => {
+		it('D3: press end button → call.hangup, voipNative.call.end, store cleared', async () => {
 			const call = makeCall({ callId: 'btn-end', role: 'caller', state: 'active' });
 			act(() => {
 				useCallStore.getState().setCall(call);
@@ -826,8 +834,10 @@ describe('VoIP call lifecycle (integration)', () => {
 				</Wrapper>
 			);
 
-			act(() => {
+			// CallLifecycle.end() defers its body to a microtask (re-entry guard); flush it.
+			await act(async () => {
 				fireEvent.press(getByTestId('call-view-end'));
+				await Promise.resolve();
 			});
 
 			expect(call.hangup).toHaveBeenCalled();

app/lib/services/voip/CallLifecycle.test.ts

@@ -356,4 +356,133 @@ describe('CallLifecycle.end(reason)', () => {
 			await expect((freshLifecycle as any)._runTeardown('local')).resolves.toBeUndefined();
 		});
 	});
+
+	// Blocker 1 regression: faithful spy whose hangup() synchronously emits 'ended'
+	// (mirrors @rocket.chat/media-signaling/dist/lib/Call.js behavior at line 703).
+	// The 'ended' listener at useCallStore.ts handleEnded re-enters callLifecycle.end('remote').
+	// The re-entry guard MUST be set BEFORE _runTeardown body runs, otherwise re-entrant
+	// teardown happens (callEnded fires twice, end command issues twice).
+	describe('re-entry guard against synchronous ended emission from hangup()', () => {
+		function makeCallWithSyncEndedOnHangup(callId: string): IClientMediaCall {
+			const listeners: Record<string, Set<(...args: unknown[]) => void>> = {};
+			const emitter = {
+				on: (ev: string, fn: (...args: unknown[]) => void) => {
+					if (!listeners[ev]) listeners[ev] = new Set();
+					listeners[ev].add(fn);
+					return () => listeners[ev].delete(fn);
+				},
+				off: (ev: string, fn: (...args: unknown[]) => void) => {
+					listeners[ev]?.delete(fn);
+				},
+				emit: (ev: string, ...args: unknown[]) => {
+					listeners[ev]?.forEach(fn => fn(...args));
+				}
+			};
+			const hangup = jest.fn(() => {
+				// Mirror Call.js line 703: changeState('hangup') → emitter.emit('ended')
+				emitter.emit('ended');
+			});
+			return {
+				callId,
+				state: 'active',
+				hidden: false,
+				localParticipant: {
+					local: true,
+					role: 'caller',
+					muted: false,
+					held: false,
+					contact: {},
+					setMuted: jest.fn(),
+					setHeld: jest.fn()
+				},
+				remoteParticipants: [
+					{
+						local: false,
+						role: 'callee',
+						muted: false,
+						held: false,
+						contact: { id: 'u', displayName: 'U', username: 'u', sipExtension: '' }
+					}
+				],
+				hangup,
+				reject: jest.fn(),
+				sendDTMF: jest.fn(),
+				emitter
+			} as unknown as IClientMediaCall;
+		}
+
+		it('end() called from inside hangup() synchronous ended emit hits the re-entry guard', async () => {
+			const call = makeCallWithSyncEndedOnHangup('reentry-1');
+			useCallStore.getState().setCall(call);
+			native.reset();
+
+			const callEndedListener = jest.fn();
+			const unsub = callLifecycle.emitter.on('callEnded', callEndedListener);
+
+			// Outer end('local') triggers hangup() → 'ended' → handleEnded → end('remote')
+			// Re-entrant call MUST hit the guard and return the in-flight promise.
+			await callLifecycle.end('local');
+
+			unsub();
+
+			// callEnded fires exactly once — guard worked.
+			expect(callEndedListener).toHaveBeenCalledTimes(1);
+			// End command issued exactly once.
+			const endCmds = native.recorded.filter(c => c.cmd === 'end');
+			expect(endCmds).toHaveLength(1);
+			// hangup invoked exactly once.
+			expect(call.hangup).toHaveBeenCalledTimes(1);
+		});
+	});
+
+	// Blocker 3 regression: step 1 (mediaCall.reject/hangup) is wrapped in try/catch
+	// so a throw doesn't abort subsequent steps (markActive, markAvailable, store reset, stopAudio, callEnded).
+	describe('step 1 throw isolation', () => {
+		it('continues teardown when mediaCall.hangup() throws', async () => {
+			const call = makeCall({ callId: 'throw-1', state: 'active' });
+			(call.hangup as jest.Mock).mockImplementationOnce(() => {
+				throw new Error('hangup boom');
+			});
+			useCallStore.getState().setCall(call);
+			native.reset();
+
+			const callEndedListener = jest.fn();
+			const unsub = callLifecycle.emitter.on('callEnded', callEndedListener);
+
+			await expect(callLifecycle.end('local')).resolves.toBeUndefined();
+
+			unsub();
+
+			// All subsequent steps still ran.
+			expect(native.recorded).toContainEqual({ cmd: 'end', callUuid: 'throw-1' });
+			expect(native.recorded).toContainEqual({ cmd: 'markActive', callUuid: '' });
+			expect(native.recorded).toContainEqual({ cmd: 'markAvailable', callUuid: 'throw-1' });
+			expect(native.recorded).toContainEqual({ cmd: 'stopAudio' });
+			expect(useCallStore.getState().call).toBeNull();
+			expect(callEndedListener).toHaveBeenCalledTimes(1);
+		});
+
+		it('continues teardown when mediaCall.reject() throws (ringing path)', async () => {
+			const call = makeCall({ callId: 'throw-rej-1', state: 'ringing' });
+			(call.reject as jest.Mock).mockImplementationOnce(() => {
+				throw new Error('reject boom');
+			});
+			useCallStore.getState().setCall(call);
+			native.reset();
+
+			const callEndedListener = jest.fn();
+			const unsub = callLifecycle.emitter.on('callEnded', callEndedListener);
+
+			await expect(callLifecycle.end('rejected')).resolves.toBeUndefined();
+
+			unsub();
+
+			expect(native.recorded).toContainEqual({ cmd: 'end', callUuid: 'throw-rej-1' });
+			expect(native.recorded).toContainEqual({ cmd: 'markActive', callUuid: '' });
+			expect(native.recorded).toContainEqual({ cmd: 'markAvailable', callUuid: 'throw-rej-1' });
+			expect(native.recorded).toContainEqual({ cmd: 'stopAudio' });
+			expect(useCallStore.getState().call).toBeNull();
+			expect(callEndedListener).toHaveBeenCalledTimes(1);
+		});
+	});
 });

app/lib/services/voip/CallLifecycle.ts

@@ -15,9 +15,13 @@
  * `callId` in the `callEnded` event uses `callId ?? nativeAcceptedCallId` (Pre-bind-safe).
  */
 
+import { MediaCallLogger } from './MediaCallLogger';
 import { voipNative, type VoipNativePort } from './VoipNative';
 import { useCallStore } from './useCallStore';
 
+const logger = new MediaCallLogger();
+const TAG = '[CallLifecycle]';
+
 // ── Event types ───────────────────────────────────────────────────────────────
 
 export type CallEndReason = 'local' | 'remote' | 'rejected' | 'error' | 'cleanup'; // 'cleanup' reserved for slice 08 Pre-bind FSM cleanupAt elapse
@@ -108,9 +112,17 @@ class CallLifecycle {
 			// Concurrent caller — share the in-flight teardown.
 			return this._endPromise;
 		}
-		this._endPromise = this._runTeardown(reason).finally(() => {
-			this._endPromise = null;
-		});
+		// Defer the teardown body to a microtask so `_endPromise` is assigned BEFORE
+		// `_runTeardown` runs. This guarantees that any synchronous re-entry from
+		// inside teardown (e.g. mediaCall.hangup() emits 'ended' synchronously and
+		// useCallStore's handleEnded re-calls callLifecycle.end('remote')) hits the
+		// guard above and shares the in-flight promise instead of starting a second
+		// teardown. See @rocket.chat/media-signaling Call.js line 703.
+		this._endPromise = Promise.resolve()
+			.then(() => this._runTeardown(reason))
+			.finally(() => {
+				this._endPromise = null;
+			});
 		return this._endPromise;
 	}
 
@@ -125,12 +137,21 @@ class CallLifecycle {
 
 		// Step 1: Hang up the MediaCall (reject if ringing, hangup otherwise).
 		// Read the active call from useCallStore — MediaSessionInstance owns it.
+		// Wrapped in try/catch so a throw from reject/hangup does not abort
+		// subsequent teardown steps (which would leak listeners / native state).
 		const mediaCall = useCallStore.getState().call;
 		if (mediaCall) {
-			if ((mediaCall as any).state === 'ringing') {
-				mediaCall.reject();
-			} else {
-				mediaCall.hangup();
+			try {
+				if ((mediaCall as any).state === 'ringing') {
+					mediaCall.reject();
+				} else {
+					mediaCall.hangup();
+				}
+			} catch (error) {
+				logger.warn(
+					`${TAG} mediaCall.${(mediaCall as any).state === 'ringing' ? 'reject' : 'hangup'}() threw; continuing teardown`,
+					error
+				);
 			}
 		}