Deprecate /logging command in favor of /history for chat logging control.
/history off now stops persistence (sets PREF_DBLOG=off + PREF_CHLOG=false)
in addition to hiding history on open. /history on restores persistence
(re-enabling PREF_DBLOG=on if it was off) and PREF_CHLOG.
statusbar
- PREF_STATUSBAR_SHOW_DBBACKEND (default ON) gates the [sqlite] /
[flatfile] indicator; toggle via "/statusbar show|hide dbbackend"
/history off|on
- "/history off" now stops persistence as well as hiding history on
open: sets PREF_DBLOG=off + PREF_CHLOG=false in addition to
PREF_HISTORY=false
- "/history on" restores persistence (re-enabling PREF_DBLOG=on if
it was off) and PREF_CHLOG, in addition to PREF_HISTORY=true
/logging
- Deprecated /logging command. It now prints a single notice
pointing to /history; CMD_PREAMBLE trimmed (min_args=0, no
setting_func, syntax/args/examples dropped); subcommand 'group'
removed from autocomplete
- All "use '/logging chat on' to enable" hints replaced with
"/history on" across /omemo-log, /pgp-log, /otr-log, and /ox-log
/privacy logging
- Single-pass validation across {on, off, redact, flatfile}
- Backend-switching values (on, flatfile) now take effect
immediately when connected (via log_database_switch_backend),
matching "/history switch" behaviour; off/redact only flip
pref bits and keep the live backend open
/correction off
- win_print_outgoing and win_print_outgoing_with_receipt now gate
_win_correct on PREF_CORRECTION_ALLOW, matching incoming-msg
paths. Previously a peer's correction reflected via XEP-0280
carbons (or the user's own /correct invocation) was applied
in-buffer regardless of the pref
console
- Drop orphaned /logging chat reference from cons_privacy_setting()
- Delete cons_logging_setting() and remove its call from
cons_show_log_prefs()
autocomplete
- Add dbbackend to statusbar_show_ac
- Remove logging_ac entries for chat/group subcommands
- Remove _logging_autocomplete() param handler for chat subcommand
database_flatfile
- Two local g_strndup allocations switched from char* with manual
g_free to auto_gchar gchar* for automatic cleanup
tests
- Update test_cmd_otr.c to expect new /history-on warning messages
@author: jabber.developer2 <jabber.developer2@jabber.space>
Add an AI client module that integrates with OpenAI-compatible API
providers (OpenAI, Perplexity, and custom endpoints) to provide
AI-assisted chat within CProof. Users can start sessions with /ai start,
send prompts, receive responses in a dedicated AI window, switch between
providers and models, and manage API keys — all with tab-completion.
Providers are configured via /ai set commands with per-provider API keys,
endpoints, default models, and custom settings. Two default providers
(openai, perplexity) are seeded on first use. Provider state persists in
[ai/<name>] sections of the preferences keyfile with automatic migration
from the previous flat-key format.
The /ai command integrates into the existing command system with 8
subcommands covering provider management, session lifecycle, model
fetching, and conversation clearing. Autocomplete uses the standard
flat prefix-matching chain for reliable tab-completion at every nesting
level. A new ProfAiWin window type is added to the window system.
Architecture:
Async design: HTTP requests run on a background thread (pthread) to avoid blocking the ncurses UI loop; results are displayed on the main thread via direct function calls
Thread safety: AIProvider and AISession use atomic ref-counting and mutex-protected session state; the request thread snapshots all session data before making the HTTP call
Window validation: wins_ai_exists() prevents use-after-free when the user closes the AI window during an in-flight HTTP request (~60s)
Privacy: store:false is sent with every request to prevent providers from persisting conversations or using them for training
Response size limit: 10MB cap with immediate curl abort via CURL_WRITEFUNC_ERROR to prevent OOM
JSON parsing uses unified helpers for both chat responses and error
envelopes with consistent escape decoding. The response parser tries
Perplexity /v1/responses "text" field first, then falls back to OpenAI
"content". Error parsing extracts provider error.message from the
standard envelope format. Model parsing handles multiple API response
formats (OpenAI list, Perplexity, array) including edge cases.
Tests include 470+ lines of unit tests covering provider management,
session lifecycle, JSON parsing (multiple formats), autocomplete cycling,
and error handling, plus functional tests for /ai command dispatch.
A stub_ai.c module isolates unit tests from UI dependencies.
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.
Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
(FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
marker, writer and checker stay in sync via preprocessor
stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
`to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
O(log n) time-range lookups; rebuilt on inode / size / mtime
change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
validation)
Hardening
- Path-traversal protection: JID directory name normalisation
(`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
per-contact path is anchored under the account's flatlog/
directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
directories with mode 0700; both enforced at creation, verified
on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
0600, random suffix, no name collisions between concurrent
exports), fsync, then rename \u2014 partial state never replaces the
live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
every write, including append from live messages and full rewrite
from export, so two profanity processes can't interleave bytes
on the same log
- DoS / abuse guards:
* FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
at read with a warning; the parser will not allocate
unbounded memory for a single record
* FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
depth and emits a warning, preventing a malicious correction
cycle from spinning the apply pass
* FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
past 16 leading comment lines, even on garbage input
* Empty / inverted byte-range early-return in page-up read path
so a malformed time filter cannot cause an unbounded scan
* Zero-entry index guard so a file whose every line failed to
parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
not match the original message's sender is rejected at write
time and surfaced via cons_show_error; a cycle in the apply pass
is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
the literal "(null)" as no resource and returns a bare jid;
similar normalisation for barejid eliminates the legacy
"user@host/(null)" artefact that leaked into stored fulljids
whenever g_strdup_printf("%s", NULL) ran inside create_fulljid
Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
timestamp, from_jid, body \u2014 robust against id reuse by older
clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
semantics, runs inside a single SQLite transaction with rollback
on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
list of issues (ERROR / WARNING / INFO) per file:
* file-level: missing log, wrong permissions (\u2260 0600), UTF-8
BOM present, CRLF line endings, empty file
* line-level: invalid UTF-8 (with byte offset), embedded
control characters, unparsable lines, timestamps out of
order, duplicate `id:` and `aid:` (tracked separately so a
stanza/archive id collision isn't double-reported)
* cross-line: broken `corrects:` references whose target id is
not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
flatfile backend is currently active, so migration works
regardless of which backend is live
Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
key stability, JID normalisation), database_stress (14 cases
exercising rapid writes, large messages, deep LMC chains, MAM
dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
import round-trip with content equality, MUC migration,
timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
read, page-up scroll, MAM ingest, mixed workload) and failure
modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
emit CSV rows for baseline comparison
Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
While trying to get the unit tests working again I stumbled over all those
things that I thought could be better^TM.
Now we also know "TODO: why does this make the test fail?" - because
the unit tests are brittle AF ... and we have to init the subsystems
we use in the test, otherwise the cleanup will fail...
BTW. you can now also only run a single test ... or a pattern or so ...
you'd have to read how `cmocka_set_test_filter()` works exactly.
Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
Return static tabmode as default,
separate previous change in `dynamic` mode.
Despite usefulness of the solution,
it was not approved to be a new default.
Vote (link below) amongst users to change default
has shown inconclusive result and it was not representative,
as it had low number of participants.
https://github.com/profanity-im/profanity/pull/1912#issuecomment-1816232546
Add ability to completely turn logs off,
Needed since `/logging` and `/history` didn't stop history logging
in the DB, only in files.
Command might break something on usage,
hence it was primarily introduced for privacy geeks.
Privacy command discussion #1836
Refactor `p_gpg_list_keys`
Add `/pgp autoimport` command,
it's not described in XEP-0027, but used in some clients,
such as PSI, Pidgin. It will autoimport keys received with
`/pgp sendpub`, in plain text as a message, or using features,
provided in other clients. It doesn't autoassign them, but shows
command to assign, letting user to decide.
Improve documentation for some preexisting functions
Add contact argument to `/pgp sendpub`
Command allows to share your PGP pub key with ease,
it's not described in XEP-0027, but used in some clients,
such as PSI, Pidgin.
Fix typos
Minor improvements
Add "/avatar disable" to comply with point "3.5 Publisher Disables
Avatar Publishing" in XEP-0084.
src/command/cmd_defs.c:2416
Add "disable" argument. Reword the "/avatar" command description
so it flows better.
src/command/cmd_ac.c:1101
Add "disable" to the "/avatar" autocomplete dictionary.
src/command/cmd_funcs.c:9277
Split "/avatar" commands into two groups with an if statement; those
with a parameter and those without. "cons_bad_cmd_usage()" is in both
groups, which is messy. "disable" has similar logic to "set", but it
includes a failure message.
src/xmpp/avatar.c:152
"avatar_publishing_disable()" uses the same logic to publish metadata
as in "avatar_set()".
src/xmpp/avatar.c:238
Add a message to inform users when they do not receive an avatar after
using "/avatar get" and "/avatar open". In case of a failure, the user
will be subscribed to future avatar updates as long as they continue
to use their current instance of profanity. Adding
"caps_remove_feature()" after "cons_show()" will unsubscribe the user
from avatar updates and prevent the user from downloading an avatar
unexpectedly hours later without issuing an "/avatar" command.
src/xmpp/stanza.c:2698
The new "disable" function follows the same logic as
"stanza_create_avatar_metadata_publish_iq()".
Introduce new feature: sessions_alarm.
Added new account setting: max_connections. On exceeding this number,
user will get an alert. If number is less than 1, no alert will happen.
Tests altered to fit new feature.
The existing way how active tabs are displayed didn't allow showing more
than 10 tabs. This patch adds a mode where the statusbar shows a
comma-separated list of tabs which were active since the last time viewed.
This view is inspired by how `irssi` shows the active tabs, therefore
it is also called `actlist`.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Before this change the same hashtable was re-created each time one used the
auto-completion feature.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Previously after the url if you pressed tab, even if you typed out a
filepath, profanity would erase that and cycle through url autocomplete
results.
This patch solves that and autocompletes filepaths after the url.
Fixes https://github.com/profanity-im/profanity/issues/1783
Only nicknames, photos, birthdays, addresses, telephone numbers, emails,
JIDs, titles, roles, notes, and URLs are supported
Due to the synopsis array not having enough space, `/vcard photo
open-self` and `/vcard photo save-self` are not documented properly in
the synopsis section of the `/vcard` command, but they are documented in
the arguments section
Fixed memory leak in vcard autocomplete (thanks to debXwoody)
`/lastactivity` used autocompletion for /status instead.
There was no get/set autocompletion thus user had to write `/lastactivity
get` to get the proper results.
Original fix by Stefan at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021028
Proper commit message and adapted patch by jubalh.
Co-authored-by: jubalh@iodoru.org
`/log level INFO|DEBUG|WARN|ERROR` is now available.
Looks like this solves a TODO (see removed comment in source) from 2013
:-)
Works only with default log file. Not with user provided log file during
start up via the -f parameter.
Fix https://github.com/profanity-im/profanity/issues/1627
Use `/avatar set <path>` where <path> is an image file to upload a new
avatar for the current user. When the avatar is too big it gets scaled
down. Scaling code copied from dino.
Fixes https://github.com/profanity-im/profanity/issues/1687