fix(e2ee): upgrade untrusted trust when peer key arrives after decrypt

Messages decrypted before the peer's public key is cached get
trust = 'untrusted' because the signature cannot be verified.
The in-memory pendingVerifications buffer handles re-verification
within a session, but does not persist — messages from previous
sessions stay untrusted forever.

Three changes fix this:

1. stanzaDecrypt now preserves the encrypted payload when decrypt
   succeeds but trust is untrusted, enabling later re-verification.

2. E2EEManager exposes an onPeerKeysChanged callback so the host
   can react when a peer's PEP key material arrives.

3. XMPPClient.retryPendingDecryptsForPeer re-decrypts stashed
   payloads when the peer key becomes available, and upgrades old
   messages (without stashed payloads) from untrusted to tofu.

Author: mremond

packages/fluux-sdk/src/core/XMPPClient.ts

@@ -1721,6 +1721,68 @@ export class XMPPClient {
     }
   }
 
+  /**
+   * Re-attempt deferred decrypts AND upgrade stale trust for a specific
+   * peer, triggered when that peer's PEP key material changes.
+   *
+   * Two categories of stored messages are handled:
+   *
+   * 1. Messages with `encryptedPayload` — the peer key was not available
+   *    when the message was first processed, so the signature could not be
+   *    verified. Re-decrypt now that the key may be cached.
+   *
+   * 2. Old messages without `encryptedPayload` but with
+   *    `securityContext.trust === 'untrusted'` and a "not cached" note —
+   *    these were persisted before the payload-stash fix landed. We cannot
+   *    re-verify their signatures (the ciphertext is gone), but the
+   *    decryption + signcrypt envelope validation succeeded, so upgrading
+   *    to `tofu` is a sound pragmatic trade-off.
+   */
+  private async retryPendingDecryptsForPeer(peer: string): Promise<void> {
+    const manager = this.e2ee
+    if (!manager || !manager.hasPlugins()) return
+    if (!this.stores) return
+
+    const chatBindings = this.stores.chat
+    const chatMessages = chatStore.getState().messages
+    const peerMessages = chatMessages.get(peer)
+    if (!peerMessages) return
+
+    let updated = 0
+    for (const msg of peerMessages) {
+      if (msg.encryptedPayload) {
+        const result = await this.retryDecryptSingle(
+          manager, msg.encryptedPayload, msg.from, peer,
+        )
+        if (result) {
+          chatBindings.updateMessage(peer, msg.id, {
+            body: result.body,
+            ...(result.securityContext && { securityContext: result.securityContext }),
+            ...(result.attachment && { attachment: result.attachment }),
+            encryptedPayload: undefined,
+          })
+          updated++
+        }
+        continue
+      }
+      if (
+        msg.securityContext?.trust === 'untrusted' &&
+        msg.securityContext.notes?.some((n) => n.includes('not cached'))
+      ) {
+        chatBindings.updateMessage(peer, msg.id, {
+          securityContext: {
+            protocolId: msg.securityContext.protocolId,
+            trust: 'tofu',
+          },
+        })
+        updated++
+      }
+    }
+    if (updated > 0) {
+      logInfo(`E2EE peer key change: upgraded ${updated} message(s) for ${peer}`)
+    }
+  }
+
   /**
    * Build the E2EEManager if it doesn't yet exist, or if the previous
    * manager was bound to a different JID. On a plain reconnect/SM-resume
@@ -1764,6 +1826,14 @@ export class XMPPClient {
     this.e2ee.onPluginRegistered((pluginId) => {
       this.emitSDK('e2ee:plugin-registered', { pluginId })
     })
+    // When a peer's key material changes (PEP notification), re-attempt
+    // deferred decrypts: messages that were decrypted successfully but
+    // with untrusted trust (peer key not cached at decrypt time) can now
+    // have their signature verified and trust upgraded to tofu/verified.
+    // Also upgrade old persisted messages that lack encryptedPayload.
+    this.e2ee.onPeerKeysChanged((peer) => {
+      void this.retryPendingDecryptsForPeer(peer)
+    })
   }
 
   /**

packages/fluux-sdk/src/core/e2ee/E2EEManager.ts

@@ -86,6 +86,7 @@ export class E2EEManager {
   private readonly securityContextListeners = new Set<SecurityContextUpdateListener>()
   private readonly forcedPlaintextConversations = new Set<string>()
   private pluginRegisteredCallback: ((pluginId: string) => void) | null = null
+  private peerKeysChangedCallback: ((peer: BareJID) => void) | null = null
   // PEP key-change notifications can race plugin registration: the server
   // bursts headline pushes immediately on stream open, but plugins finish
   // their async init (IndexedDB hydration, key unwrap) seconds later. We
@@ -200,6 +201,11 @@ export class E2EEManager {
     this.pluginRegisteredCallback = cb
   }
 
+  /** Set a callback invoked whenever a peer's key material changes via PEP. */
+  onPeerKeysChanged(cb: (peer: BareJID) => void): void {
+    this.peerKeysChangedCallback = cb
+  }
+
   /** Force all outbound sends to this target to skip encryption entirely. Inbound decryption is unaffected. */
   setForcedPlaintext(target: ConversationTarget, forced: boolean): void {
     const key = targetKey(target)
@@ -374,11 +380,12 @@ export class E2EEManager {
       } else {
         this.enqueuePendingPeerKeyChange(protocolId, peer)
       }
-      return
-    }
-    for (const plugin of this.plugins.values()) {
-      plugin.onPeerKeysChanged?.(peer)
+    } else {
+      for (const plugin of this.plugins.values()) {
+        plugin.onPeerKeysChanged?.(peer)
+      }
     }
+    this.peerKeysChangedCallback?.(peer)
   }
 
   /**

packages/fluux-sdk/src/core/e2ee/stanzaDecrypt.test.ts

@@ -237,7 +237,7 @@ describe('stanzaDecrypt encrypted payload stash on failure', () => {
     expect(readStashedEncryptedPayload(stanza)).toBe(result.encryptedPayloadXml)
   })
 
-  it('does not stash payload on successful decrypt', async () => {
+  it('does not stash payload on successful decrypt with trusted context', async () => {
     const manager = await makeManager(new FakeE2EEPlugin(undefined))
     const stanza = buildStanza()
 
@@ -247,8 +247,54 @@ describe('stanzaDecrypt encrypted payload stash on failure', () => {
     expect(result.encryptedPayloadXml).toBeUndefined()
     expect(readStashedEncryptedPayload(stanza)).toBeUndefined()
   })
+
+  it('stashes payload when decrypt succeeds but trust is untrusted', async () => {
+    const manager = await makeManager(new UntrustedE2EEPlugin())
+    const stanza = buildStanza()
+
+    const result = await decryptStanzaInPlace(stanza, manager, 'peer@example.com')
+
+    expect(result.attempted).toBe(true)
+    // Body should be decrypted
+    const body = stanza.getChild('body')
+    expect(body?.children[0]).toBe('decrypted body')
+    // But encrypted payload should be preserved for later re-verification
+    expect(result.encryptedPayloadXml).toBeDefined()
+    expect(result.encryptedPayloadXml).toContain(TEST_NAMESPACE)
+    expect(readStashedEncryptedPayload(stanza)).toBe(result.encryptedPayloadXml)
+    // Security context should reflect untrusted
+    expect(result.securityContext?.trust).toBe('untrusted')
+  })
 })
 
+// ---------------------------------------------------------------------------
+// Untrusted plugin: decrypt succeeds but reports untrusted trust (e.g. peer
+// key not cached, so signature could not be verified)
+// ---------------------------------------------------------------------------
+
+class UntrustedE2EEPlugin extends FakeE2EEPlugin {
+  constructor() {
+    super(undefined)
+  }
+
+  override async decrypt(
+    _h: ConversationHandle,
+    _payload: EncryptedPayload,
+  ): Promise<DecryptResult> {
+    const securityContext: SecurityContext = {
+      protocolId: TEST_PROTOCOL_ID,
+      trust: 'untrusted',
+      notes: ['Sender key not cached — signature not checked'],
+    }
+    const plaintextXml = serializePayloadEnvelope([xml('body', {}, 'decrypted body')])
+    return {
+      plaintext: new TextEncoder().encode(plaintextXml),
+      senderDevice: { jid: 'peer@example.com', deviceId: 'dev' },
+      securityContext,
+    }
+  }
+}
+
 // ---------------------------------------------------------------------------
 // Deferred decryption: EME-based stash without plugin
 // ---------------------------------------------------------------------------

packages/fluux-sdk/src/core/e2ee/stanzaDecrypt.ts

@@ -221,6 +221,17 @@ export async function decryptStanzaInPlace(
     }
   }
 
+  // Decrypt succeeded but the plugin reported untrusted trust (e.g. peer
+  // key not yet cached so the signature could not be verified). Stash
+  // the encrypted payload so retryPendingDecrypts() can re-verify the
+  // signature once the peer key arrives — same mechanism used for full
+  // decrypt failures, but here the body is already correct.
+  const needsDeferredVerification =
+    failureReason === null && securityContext?.trust === 'untrusted'
+  if (needsDeferredVerification) {
+    stashPayload(stanza, encryptedChildXml)
+  }
+
   if (securityContext) {
     marked[SECURITY_CONTEXT_STASH] = securityContext
   }
@@ -233,7 +244,9 @@ export async function decryptStanzaInPlace(
     attempted: true,
     ...(securityContext && { securityContext }),
     ...(authoredAt && { authoredAt }),
-    ...(failureReason !== null && { encryptedPayloadXml: encryptedChildXml }),
+    ...((failureReason !== null || needsDeferredVerification) && {
+      encryptedPayloadXml: encryptedChildXml,
+    }),
   }
 }