Commit Graph

74 Commits

Author SHA1 Message Date
3f36c303c2 feat(history): flat-file backend with bidirectional SQLite migration
All checks were successful
CI Code / Check spelling (push) Successful in 21s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 2m21s
CI Code / Linux (ubuntu) (push) Successful in 4m30s
CI Code / Linux (debian) (push) Successful in 6m43s
CI Code / Linux (arch) (push) Successful in 10m8s
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.

Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
  under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
  (FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
  marker, writer and checker stay in sync via preprocessor
  stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
  `to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
  literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
  O(log n) time-range lookups; rebuilt on inode / size / mtime
  change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
  stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
  validation)

Hardening
- Path-traversal protection: JID directory name normalisation
  (`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
  per-contact path is anchored under the account's flatlog/
  directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
  ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
  directories with mode 0700; both enforced at creation, verified
  on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
  0600, random suffix, no name collisions between concurrent
  exports), fsync, then rename \u2014 partial state never replaces the
  live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
  every write, including append from live messages and full rewrite
  from export, so two profanity processes can't interleave bytes
  on the same log
- DoS / abuse guards:
    * FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
      at read with a warning; the parser will not allocate
      unbounded memory for a single record
    * FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
      depth and emits a warning, preventing a malicious correction
      cycle from spinning the apply pass
    * FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
      past 16 leading comment lines, even on garbage input
    * Empty / inverted byte-range early-return in page-up read path
      so a malformed time filter cannot cause an unbounded scan
    * Zero-entry index guard so a file whose every line failed to
      parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
  not match the original message's sender is rejected at write
  time and surfaced via cons_show_error; a cycle in the apply pass
  is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
  the literal "(null)" as no resource and returns a bare jid;
  similar normalisation for barejid eliminates the legacy
  "user@host/(null)" artefact that leaked into stored fulljids
  whenever g_strdup_printf("%s", NULL) ran inside create_fulljid

Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
  the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
  existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
  timestamp, from_jid, body \u2014 robust against id reuse by older
  clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
  semantics, runs inside a single SQLite transaction with rollback
  on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
  list of issues (ERROR / WARNING / INFO) per file:
    * file-level: missing log, wrong permissions (\u2260 0600), UTF-8
      BOM present, CRLF line endings, empty file
    * line-level: invalid UTF-8 (with byte offset), embedded
      control characters, unparsable lines, timestamps out of
      order, duplicate `id:` and `aid:` (tracked separately so a
      stanza/archive id collision isn't double-reported)
    * cross-line: broken `corrects:` references whose target id is
      not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
  bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
  flatfile backend is currently active, so migration works
  regardless of which backend is live

Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
  key stability, JID normalisation), database_stress (14 cases
  exercising rapid writes, large messages, deep LMC chains, MAM
  dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
  import round-trip with content equality, MUC migration,
  timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
  read, page-up scroll, MAM ingest, mixed workload) and failure
  modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
  oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
  missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
  emit CSV rows for baseline comparison

Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
2026-05-05 19:26:07 +00:00
Michael Vetter
07dfeec816 Release 0.15.0 2025-03-27 20:06:38 +01:00
Steffen Jaeckel
662a0be633 Add --cmd option
This allows to kind of automate what profanity should do as first jobs,
e.g. `--cmd /foo --cmd /bar --cmd /quit` so one can easily check for memory
leaks.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-03-07 21:09:16 +01:00
John Hernandez
23692fedff Add ALT+UP/DOWN/mouse wheel scroll support
Before the change, the only way to scroll was usage of page up/down,
it allowed to scroll only by skipping pages, which was not smooth.
2023-11-28 15:04:53 +01:00
John Hernandez
dac6d0c4f8 Handle alt+enter as newline char
Let user print newline character using alt+enter keybind,
it allows great flexibility in communication,
now user will be able to write much better longer messages.
2023-11-13 09:40:04 +01:00
Stefan Kropp
2ef528ecd7 Add section Using profanity to profanity.1 2023-10-28 20:38:23 +02:00
Michael Vetter
fd2b977d6a Fix my email 2023-08-04 08:35:27 +02:00
Michael Vetter
6b0fddd925 Release 0.14.0 2023-08-03 08:01:43 +02:00
Michael Vetter
1b679498b6 doscs: Add terminology section to man page
Let's just define some basic terminology.

In many sections of the /help we actually use these terms.
This should help new users understand what they mean.
2023-04-17 11:25:44 +02:00
Michael Vetter
ee6bf23b8d Add encryption section to man page
The goal should be that users can make a more informed decision about
which encryption they actually want to use.

We can also use this to document usage details of implementation quirks,
if any.
2023-04-17 10:59:41 +02:00
Michael Vetter
e1d45f05d3 Update to new mailing list
Maintained by https://github.com/StefanKropp
2023-03-01 15:25:41 +01:00
Michael Vetter
3adc399da0 Update copyright year 2023-01-10 10:37:25 +01:00
Michael Vetter
0bae298746 Update mailing list link 2023-01-10 10:24:44 +01:00
Michael Vetter
3e7457f42a Release 0.13.1 2022-10-12 16:56:20 +02:00
Michael Vetter
a8e6b26ee1 Release 0.13.0 2022-09-13 11:50:49 +02:00
Michael Vetter
e8ae825709 Add minor hint to manpage 2022-06-28 18:24:42 +02:00
Michael Vetter
1330ad4e1e Update copyright year 2022-05-09 15:43:33 +02:00
Paul Fertser
18242102f8 Mention C-x C-r (reload inputrc) in the man page
Add mentions of less-known but quite useful bindindings to the man
page.
2022-04-09 11:14:12 +03:00
Michael Vetter
e87d09aabf Release 0.12.1 2022-04-04 18:13:32 +02:00
Paul Fertser
8ffa6f7452 Document custom input configuration in man page 2022-03-30 22:41:49 +03:00
Paul Fertser
66bd041617 Improve manpage formatting a bit 2022-03-30 21:01:40 +03:00
Paul Fertser
3478438df5 Add all missing key bindings to man page 2022-03-30 20:59:21 +03:00
Michael Vetter
9214b0a10a Release 0.12.0 2022-03-30 14:08:49 +02:00
Michael Vetter
e6f96cd7d7 Release 0.11.1 2021-09-28 19:48:42 +02:00
Michael Vetter
619204f4f5 man: add more keybindings 2021-09-15 11:24:59 +02:00
Michael Vetter
c89e31269c Mention keybindings in man page 2021-08-31 22:33:00 +02:00
Michael Vetter
d382023961 Release 0.10.0 2021-01-09 08:08:10 +01:00
Michael Vetter
300b60722b Mention new manpages in main manpage 2020-12-04 17:50:30 +01:00
Michael Vetter
3af5f33489 0.9.5 2020-07-01 18:47:07 +02:00
Michael Vetter
1332a4a6c2 Release 0.9.4 2020-06-24 13:56:34 +02:00
Michael Vetter
177c953991 Release 0.9.3 2020-06-19 20:29:31 +02:00
Michael Vetter
c58726d67f Release 0.9.2 2020-06-13 18:37:51 +02:00
Michael Vetter
8551d3dcb1 Release 0.9.1 2020-06-11 10:06:56 +02:00
Michael Vetter
439c6a63b9 Correct and update manpage 2020-06-09 16:34:34 +02:00
Michael Vetter
7d7f0ef5a5 Update copyright in manpage 2020-05-16 10:03:55 +02:00
Michael Vetter
a1ee1ad139 Add description of new flags to manpage 2020-05-16 10:02:19 +02:00
toogley
03b75c833d Update mailing list in manpage 2020-05-16 09:49:13 +02:00
Michael Vetter
10ca3e8c31 Possibility to specify alternative config file
Introduce `profanity -c` to specify an alternative config file.
2019-08-02 15:55:47 +02:00
Michael Vetter
d4892b29c4 Update profanity repo URL
Move from github.com/boothj5/* to github.com/profanity-im/*
2019-05-03 10:51:28 +02:00
Michael Vetter
6f59a57b68 Update profanity URL in manpage
Regards https://github.com/profanity-im/profanity/issues/1085
2019-05-03 10:27:13 +02:00
kaffeekanne
f8640019f3 Update copyright years 2019-04-24 01:08:38 +02:00
Raf Czlonka
89fcaed31d Fix style and warnings - found with mandoc -T lint 2018-10-20 09:50:31 +01:00
James Booth
250e972b7a Update copyright 2018-01-21 15:00:02 +00:00
James Booth
68a3daedb9 Update Copyright 2017-01-28 17:24:22 +00:00
James Booth
a49c63fc75 Updated man page 2016-08-21 23:48:22 +01:00
Pete Maynard
14c8f53f85 Updated GPL URL 2016-07-21 11:49:52 +01:00
James Booth
a27906e1ae Updated man page link 2016-05-10 18:51:17 +01:00
James Booth
e53e94f1e2 Updated copyright 2016-02-14 22:54:46 +00:00
James Booth
9d2745e462 Removed --disable-tls command line option 2015-10-18 00:17:45 +01:00
James Booth
f4459f7f67 Updated man page 2015-02-10 23:30:21 +00:00