Remove dependency on uuid (#5297 )

Update dependency vite to v8 (#5295 )
* Update dependency vite to v8 * Update lockfile --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
2026-04-23 09:53:18 +00:00 · 2026-04-22 16:16:29 +00:00 · 2026-04-22 09:10:39 +00:00 · 2026-04-21 14:38:05 +00:00 · 2026-04-21 13:58:22 +00:00 · 2026-04-21 12:37:38 +00:00
522 changed files with 156696 additions and 53344 deletions
@@ -1,22 +0,0 @@
-{
-    "sourceMaps": true,
-    "presets": [
-        [
-            "@babel/preset-env",
-            {
-                "targets": {
-                    "node": 10
-                },
-                "modules": "commonjs"
-            }
-        ],
-        "@babel/preset-typescript"
-    ],
-    "plugins": [
-        "@babel/plugin-proposal-numeric-separator",
-        "@babel/plugin-proposal-class-properties",
-        "@babel/plugin-proposal-object-rest-spread",
-        "@babel/plugin-syntax-dynamic-import",
-        "@babel/plugin-transform-runtime"
-    ]
-}
@@ -0,0 +1 @@
+_docs
@@ -1,6 +1,6 @@
 module.exports = {
-    plugins: ["matrix-org", "import", "jsdoc"],
-    extends: ["plugin:matrix-org/babel", "plugin:matrix-org/jest", "plugin:import/typescript"],
+    plugins: ["matrix-org", "import", "jsdoc", "n", "@vitest"],
+    extends: ["plugin:matrix-org/babel", "plugin:import/typescript"],
    parserOptions: {
        project: ["./tsconfig.json"],
    },
@@ -49,6 +49,26 @@ module.exports = {
            },
        ],

+        "no-restricted-properties": [
+            "error",
+            {
+                object: "window",
+                property: "setImmediate",
+                message: "Use setTimeout instead.",
+            },
+        ],
+        "no-restricted-globals": [
+            "error",
+            {
+                name: "setImmediate",
+                message: "Use setTimeout instead.",
+            },
+            {
+                name: "global",
+                message: "Use globalThis instead.",
+            },
+        ],
+
        "import/no-restricted-paths": [
            "error",
            {
@@ -63,20 +83,6 @@ module.exports = {
                ],
            },
        ],
-        // Disabled tests are a reality for now but as soon as all of the xits are
-        // eliminated, we should enforce this.
-        "jest/no-disabled-tests": "off",
-        // TODO: There are many tests with invalid expects that should be fixed,
-        // https://github.com/matrix-org/matrix-js-sdk/issues/2976
-        "jest/valid-expect": "off",
-        // Also treat "oldBackendOnly" as a test function.
-        // Used in some crypto tests.
-        "jest/no-standalone-expect": [
-            "error",
-            {
-                additionalTestBlockFunctions: ["beforeAll", "beforeEach", "oldBackendOnly"],
-            },
-        ],
    },
    overrides: [
        {
@@ -95,10 +101,13 @@ module.exports = {
                "@typescript-eslint/ban-ts-comment": "off",
                // We're okay with assertion errors when we ask for them
                "@typescript-eslint/no-non-null-assertion": "off",
-
-                // The non-TypeScript rule produces false positives
-                "func-call-spacing": "off",
-                "@typescript-eslint/func-call-spacing": ["error"],
+                "@typescript-eslint/no-empty-object-type": [
+                    "error",
+                    {
+                        // We do this sometimes to brand interfaces
+                        allowInterfaces: "with-single-extends",
+                    },
+                ],

                "quotes": "off",
                // We use a `logger` intermediary module
@@ -106,11 +115,8 @@ module.exports = {
            },
        },
        {
-            // We don't need amazing docs in our spec files
            files: ["src/**/*.ts"],
            rules: {
-                "tsdoc/syntax": "error",
-                // We use some select jsdoc rules as the tsdoc linter has only one rule
                "jsdoc/no-types": "error",
                "jsdoc/empty-tags": "error",
                "jsdoc/check-property-names": "error",
@@ -118,14 +124,61 @@ module.exports = {
                // These need a bit more work before we can enable
                // "jsdoc/check-param-names": "error",
                // "jsdoc/check-indentation": "error",
+                // Ensure .ts extension on imports outside of tests
+                "n/file-extension-in-import": [
+                    "error",
+                    "always",
+                    {
+                        tryExtensions: [".ts"],
+                    },
+                ],
+                "no-extra-boolean-cast": "error",
            },
        },
        {
            files: ["spec/**/*.ts"],
+            extends: ["plugin:@vitest/legacy-recommended"],
            rules: {
                // We don't need super strict typing in test utilities
                "@typescript-eslint/explicit-function-return-type": "off",
                "@typescript-eslint/explicit-member-accessibility": "off",
+                "@typescript-eslint/no-empty-object-type": "off",
+
+                // Disabled tests are a reality for now but as soon as all of the xits are
+                // eliminated, we should enforce this.
+                "@vitest/no-disabled-tests": "off",
+                // Used in some crypto tests.
+                "@vitest/no-standalone-expect": [
+                    "error",
+                    {
+                        additionalTestBlockFunctions: ["beforeAll", "beforeEach"],
+                    },
+                ],
+                "@vitest/expect-expect": [
+                    "error",
+                    {
+                        assertFunctionNames: [
+                            "expect",
+                            "expectDevices",
+                            "assert.isTrue",
+                            "assert.isFalse",
+                            "passwordTest",
+                            "compareHeaders",
+                            "doTest",
+                        ],
+                    },
+                ],
+            },
+        },
+        {
+            // Enable stricter promise rules for the MatrixRTC codebase
+            files: ["src/matrixrtc/**/*.ts", "spec/unit/matrixrtc/*.ts"],
+            rules: {
+                // Encourage proper usage of Promises:
+                "@typescript-eslint/no-floating-promises": "error",
+                "@typescript-eslint/no-misused-promises": "error",
+                "@typescript-eslint/require-await": "error",
+                "@typescript-eslint/await-thenable": "error",
            },
        },
    ],
@@ -1,6 +1,17 @@
-*                         @matrix-org/element-web
-/.github/workflows/**     @matrix-org/element-web-app-team
-/package.json             @matrix-org/element-web-app-team
-/yarn.lock                @matrix-org/element-web-app-team
+*                         @matrix-org/element-web-reviewers
+/.github/workflows/**     @matrix-org/element-web-team
+/package.json             @matrix-org/element-web-team
+/pnpm-lock.yaml           @matrix-org/element-web-team
+/scripts/**               @matrix-org/element-web-team
 /src/webrtc               @matrix-org/element-call-reviewers
+/src/matrixrtc               @matrix-org/element-call-reviewers
 /spec/*/webrtc            @matrix-org/element-call-reviewers
+/spec/*/matrixrtc            @matrix-org/element-call-reviewers
+
+/src/crypto-api           @matrix-org/element-crypto-web-reviewers
+/src/crypto               @matrix-org/element-crypto-web-reviewers
+/src/rust-crypto          @matrix-org/element-crypto-web-reviewers
+/spec/integ/crypto        @matrix-org/element-crypto-web-reviewers
+/spec/unit/crypto.spec.ts @matrix-org/element-crypto-web-reviewers
+/spec/unit/crypto         @matrix-org/element-crypto-web-reviewers
+/spec/unit/rust-crypto    @matrix-org/element-crypto-web-reviewers
@@ -2,12 +2,7 @@

 ## Checklist

-   [ ] Tests written for new code (and old code if feasible)
-   [ ] Linter and other CI checks pass
-   [ ] Sign-off given on the changes (see [CONTRIBUTING.md](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md))
-
-<!--
-If you would like to specify text for the changelog entry other than your PR title, add the following:
-
-Notes: Add super cool feature
-->
+- [ ] Tests written for new code (and old code if feasible).
+- [ ] New or updated `public`/`exported` symbols have accurate [TSDoc](https://tsdoc.org/) documentation.
+- [ ] Linter and other CI checks pass.
+- [ ] Sign-off given on the changes (see [CONTRIBUTING.md](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md)).
@@ -0,0 +1,28 @@
+name: Sign Release Tarball
+description: Generates signature for release tarball and uploads it as a release asset
+inputs:
+    gpg-fingerprint:
+        description: Fingerprint of the GPG key to use for signing the tarball.
+        required: true
+    upload-url:
+        description: GitHub release upload URL to upload the signature file to.
+        required: true
+runs:
+    using: composite
+    steps:
+        - name: Generate tarball signature
+          shell: bash
+          run: |
+              git -c tar.tar.gz.command='gzip -cn' archive --format=tar.gz --prefix="${REPO#*/}-${VERSION#v}/" -o "/tmp/${VERSION}.tar.gz" "${VERSION}"
+              gpg -u "$GPG_FINGERPRINT" --armor --output "${VERSION}.tar.gz.asc" --detach-sig "/tmp/${VERSION}.tar.gz"
+              rm "/tmp/${VERSION}.tar.gz"
+          env:
+              GPG_FINGERPRINT: ${{ inputs.gpg-fingerprint }}
+              REPO: ${{ github.repository }}
+
+        - name: Upload tarball signature
+          if: ${{ inputs.upload-url }}
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
+          with:
+              upload_url: ${{ inputs.upload-url }}
+              asset_path: ${{ env.VERSION }}.tar.gz.asc
@@ -0,0 +1,41 @@
+name: Upload release assets
+description: Uploads assets to an existing release and optionally signs them
+inputs:
+    gpg-fingerprint:
+        description: Fingerprint of the GPG key to use for signing the assets, if any.
+        required: false
+    upload-url:
+        description: GitHub release upload URL to upload the assets to.
+        required: true
+    asset-path:
+        description: |
+            The path to the asset you want to upload, if any. You can use glob patterns here.
+            Will be GPG signed and an `.asc` file included in the release artifacts if `gpg-fingerprint` is set.
+        required: true
+runs:
+    using: composite
+    steps:
+        - name: Sign assets
+          if: inputs.gpg-fingerprint
+          shell: bash
+          run: |
+              for FILE in $ASSET_PATH
+              do
+                  gpg -u "$GPG_FINGERPRINT" --armor --output "$FILE".asc --detach-sig "$FILE"
+              done
+          env:
+              GPG_FINGERPRINT: ${{ inputs.gpg-fingerprint }}
+              ASSET_PATH: ${{ inputs.asset-path }}
+
+        - name: Upload asset signatures
+          if: inputs.gpg-fingerprint
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
+          with:
+              upload_url: ${{ inputs.upload-url }}
+              asset_path: ${{ inputs.asset-path }}.asc
+
+        - name: Upload assets
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
+          with:
+              upload_url: ${{ inputs.upload-url }}
+              asset_path: ${{ inputs.asset-path }}
@@ -0,0 +1,46 @@
+- name: "A-Element-R"
+  description: "Issues affecting the port of Element's crypto layer to Rust"
+  color: "bfd4f2"
+- name: "A-Packaging"
+  description: "Packaging, signing, releasing"
+  color: "bfd4f2"
+- name: "A-Technical-Debt"
+  color: "bfd4f2"
+- name: "A-Testing"
+  description: "Testing, code coverage, etc."
+  color: "bfd4f2"
+- name: "backport staging"
+  description: "Label to automatically backport PR to staging branch"
+  color: "B60205"
+- name: "Dependencies"
+  description: "Pull requests that update a dependency file"
+  color: "0366d6"
+- name: "Easy"
+  color: "5dc9f7"
+- name: "Sponsored"
+  color: "ffc8f4"
+- name: "T-Deprecation"
+  description: "A pull request that makes something deprecated"
+  color: "98e6ae"
+- name: "T-Other"
+  description: "Questions, user support, anything else"
+  color: "98e6ae"
+- name: "X-Blocked"
+  color: "ff7979"
+- name: "X-Breaking-Change"
+  color: "ff7979"
+- name: "X-Reverted"
+  description: "PR has been reverted"
+  color: "F68AA3"
+- name: "X-Upcoming-Release-Blocker"
+  description: "This does not affect the current release cycle but will affect the next one"
+  color: "e99695"
+- name: "Z-Community-PR"
+  description: "Issue is solved by a community member's PR"
+  color: "ededed"
+- name: "Z-Flaky-Test"
+  description: "A test is raising false alarms"
+  color: "ededed"
+- name: "Z-Skip-Coverage"
+  description: "Skip SonarQube coverage for this PR"
+  color: "ededed"
@@ -0,0 +1,35 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "v$RESOLVED_VERSION"
+change-template: "* $TITLE ([#$NUMBER]($URL)). Contributed by @$AUTHOR."
+categories:
+    - title: "🚨 BREAKING CHANGES"
+      label: "X-Breaking-Change"
+    - title: "🦖 Deprecations"
+      label: "T-Deprecation"
+    - title: "✨ Features"
+      label: "T-Enhancement"
+    - title: "🐛 Bug Fixes"
+      label: "T-Defect"
+    - title: "🧰 Maintenance"
+      label: "Dependencies"
+      collapse-after: 5
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+    major:
+        labels:
+            - "X-Breaking-Change"
+    default: minor
+exclude-labels:
+    - "T-Task"
+    - "X-Reverted"
+    - "backport staging"
+exclude-contributors:
+    - "RiotRobot"
+template: |
+    $CHANGES
+#no-changes-template: ""
+prerelease: true
+prerelease-identifier: rc
+include-pre-releases: false
+stable-ref: master
+staging-ref: staging
@@ -1,16 +1,20 @@
 name: Backport
 on:
-    pull_request_target:
+    # Privilege escalation necessary to enable backporting PRs from forks
+    # 🚨 We must not execute any checked out code here.
+    pull_request_target: # zizmor: ignore[dangerous-triggers]
        types:
            - closed
            - labeled
        branches:
            - develop

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    backport:
        name: Backport
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        # Only react to merged PRs for security reasons.
        # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
        if: >
@@ -23,7 +27,7 @@ jobs:
              )
            )
        steps:
-            - uses: tibdex/backport@2e217641d82d02ba0603f46b1aeedefb258890ac # v2
+            - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e # v2
              with:
                  labels_template: "<%= JSON.stringify([...labels, 'X-Release-Blocker']) %>"
                  # We can't use GITHUB_TOKEN here or CI won't run on the new PR
@@ -1,28 +1,31 @@
 name: Deploy documentation PR preview

 on:
-    workflow_run:
+    # Privilege escalation necessary to publish to Netlify
+    # 🚨 We must not execute any checked out code here.
+    workflow_run: # zizmor: ignore[dangerous-triggers]
        workflows: ["Static Analysis"]
        types:
            - completed
-
+permissions: {}
 jobs:
    netlify:
        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            actions: read
+            deployments: write
        steps:
-            # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
-            # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
            - name: 📥 Download artifact
-              uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
              with:
-                  workflow: static_analysis.yml
-                  run_id: ${{ github.event.workflow_run.id }}
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
                  name: docs
                  path: docs

            - name: 📤 Deploy to Netlify
-              uses: matrix-org/netlify-pr-preview@v1
+              uses: matrix-org/netlify-pr-preview@9805cd123fc9a7e421e35340a05e1ebc5dee46b5 # v3
              with:
                  path: docs
                  owner: ${{ github.event.workflow_run.head_repository.owner.login }}
@@ -32,3 +35,4 @@ jobs:
                  site_id: ${{ secrets.NETLIFY_SITE_ID }}
                  desc: Documentation preview
                  deployment_env: PR Documentation Preview
+        environment: PR Documentation Preview
@@ -0,0 +1,34 @@
+# Triggers after the "Downstream artifacts" build has finished, to run the
+# element-web playwright tests (with access to repo secrets)
+
+name: Element Web End to End Tests
+on:
+    merge_group:
+        types: [checks_requested]
+
+    pull_request: {}
+
+    # For now at least, we don't run this or the downstream-end-to-end-tests against pushes
+    # to develop or master.
+    #
+    #push:
+    #    branches: [develop, master]
+permissions: {} # No permissions required
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
+    cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
+
+jobs:
+    playwright:
+        name: Playwright
+        uses: element-hq/element-web/.github/workflows/build-and-test.yaml@develop # zizmor: ignore[unpinned-uses]
+        permissions:
+            actions: read
+            issues: read
+            pull-requests: read
+            contents: read
+        with:
+            matrix-js-sdk-sha: ${{ github.sha }}
+            # We only want to run the playwright tests on merge queue to prevent regressions
+            # from creeping in. They take a long time to run and consume multiple concurrent runners.
+            skip: ${{ github.event_name != 'merge_group' }}
@@ -3,6 +3,7 @@ on:
    push:
        branches: [develop]
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    notify-downstream:
        # Only respect triggers from our develop branch, ignore that of forks
@@ -12,15 +13,13 @@ jobs:
            fail-fast: false
            matrix:
                include:
-                    - repo: vector-im/element-web
+                    - repo: element-hq/element-web
                      event: element-web-notify
-                    - repo: matrix-org/matrix-react-sdk
-                      event: upstream-sdk-notify

-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - name: Notify matrix-react-sdk repo that a new SDK build is on develop so it can CI against it
-              uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588 # v2
+            - name: Notify element-web repo that a new SDK build is on develop so it can CI against it
+              uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
              with:
                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  repository: ${{ matrix.repo }}
@@ -1,6 +1,9 @@
 name: Pull Request
 on:
-    pull_request_target:
+    # Privilege escalation necessary access members of the review teams
+    # 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs.
+    # FIXME: only `community-prs` job needs this privilege, so it should be in its own workflow file.
+    pull_request_target: # zizmor: ignore[dangerous-triggers]
        types: [opened, edited, labeled, unlabeled, synchronize]
    merge_group:
        types: [checks_requested]
@@ -9,25 +12,33 @@ on:
            ELEMENT_BOT_TOKEN:
                required: true
 concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    changelog:
        name: Preview Changelog
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: matrix-org/allchange@main
+            - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
              if: github.event_name != 'merge_group'
              with:
-                  ghToken: ${{ secrets.GITHUB_TOKEN }}
-                  requireLabel: true
+                  labels: |
+                      X-Breaking-Change
+                      T-Deprecation
+                      T-Enhancement
+                      T-Defect
+                      T-Task
+                      Dependencies
+                  mode: minimum
+                  count: 1

    prevent-blocked:
        name: Prevent Blocked
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        permissions:
            pull-requests: read
        steps:
            - name: Add notice
-              uses: actions/github-script@v6
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              if: contains(github.event.pull_request.labels.*.name, 'X-Blocked')
              with:
                  script: |
@@ -35,11 +46,14 @@ jobs:

    community-prs:
        name: Label Community PRs
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        if: github.event.action == 'opened'
+        permissions:
+            pull-requests: write
        steps:
            - name: Check membership
-              uses: tspascoal/get-user-teams-membership@37c08f7b52a72ca95d12af2e7ab2553ca9adf13b # v2
+              if: github.event.pull_request.user.login != 'renovate[bot]' && github.event.pull_request.user.login != 'dependabot[bot]'
+              uses: tspascoal/get-user-teams-membership@57e9f42acd78f4d0f496b3be4368fc5f62696662 # v3
              id: teams
              with:
                  username: ${{ github.event.pull_request.user.login }}
@@ -48,8 +62,8 @@ jobs:
                  GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}

            - name: Add label
-              if: ${{ steps.teams.outputs.isTeamMember == 'false' }}
-              uses: actions/github-script@v6
+              if: steps.teams.outputs.isTeamMember == 'false'
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              with:
                  script: |
                      github.rest.issues.addLabels({
@@ -61,14 +75,16 @@ jobs:

    close-if-fork-develop:
        name: Forbid develop branch fork contributions
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            pull-requests: write
        if: >
            github.event.action == 'opened' &&
            github.event.pull_request.head.ref == 'develop' &&
            github.event.pull_request.head.repo.full_name != github.repository
        steps:
            - name: Close pull request
-              uses: actions/github-script@v6
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              with:
                  script: |
                      github.rest.issues.createComment({
@@ -0,0 +1,38 @@
+name: Release Sanity checks
+on:
+    workflow_call:
+        secrets:
+            ELEMENT_BOT_TOKEN:
+                required: false
+        inputs:
+            repository:
+                type: string
+                required: false
+                default: ${{ github.repository }}
+                description: "The repository (in form owner/repo) to check for release blockers"
+
+permissions: {}
+jobs:
+    checks:
+        name: Sanity checks
+        runs-on: ubuntu-24.04
+        steps:
+            - name: Check for X-Release-Blocker label on any open issues or PRs
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  REPO: ${{ inputs.repository }}
+              with:
+                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN || secrets.GITHUB_TOKEN }}
+                  script: |
+                      const { REPO } = process.env;
+                      const { data } = await github.rest.search.issuesAndPullRequests({
+                          q: `repo:${REPO} label:X-Release-Blocker is:open`,
+                          per_page: 50,
+                      });
+
+                      if (data.total_count) {
+                          data.items.forEach(item => {
+                              core.error(`Release blocker: ${item.html_url}`);
+                          });
+                          core.setFailed(`Found release blockers!`);
+                      }
@@ -0,0 +1,94 @@
+# Workflow used by other workflows to generate draft releases.
+name: Release Drafter Reusable
+on:
+    workflow_call:
+        inputs:
+            include-changes:
+                description: Project to include changelog entries from in this release.
+                type: string
+                required: false
+concurrency: release-drafter-action
+permissions: {}
+jobs:
+    draft:
+        runs-on: ubuntu-24.04
+        permissions:
+            contents: write
+        steps:
+            - name: 🧮 Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  ref: staging
+                  fetch-depth: 0
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  node-version-file: package.json
+                  cache: "pnpm"
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - uses: t3chguy/release-drafter@105e541c2c3d857f032bd522c0764694758fabad
+              id: draft-release
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              with:
+                  disable-autolabeler: true
+
+            - name: Get actions scripts
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: matrix-org/matrix-js-sdk
+                  persist-credentials: false
+                  path: .action-repo
+                  sparse-checkout: |
+                      .github/actions
+                      scripts/release
+
+            - name: Ingest upstream changes
+              if: inputs.include-changes
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
+                  DEPENDENCY: ${{ inputs.include-changes }}
+                  VERSION: ${{ steps.draft-release.outputs.tag_name }}
+              with:
+                  retries: 3
+                  script: |
+                      const { RELEASE_ID: releaseId, DEPENDENCY, VERSION } = process.env;
+                      const { owner, repo } = context.repo;
+                      const script = require("./.action-repo/scripts/release/merge-release-notes.cjs");
+
+                      let deps = [];
+                      if (DEPENDENCY.includes("/")) {
+                          deps.push(DEPENDENCY.replace("$VERSION", VERSION))
+                      } else {
+                          const fromVersion = JSON.parse((await github.request(`https://raw.githubusercontent.com/${owner}/${repo}/master/package.json`)).data).dependencies[DEPENDENCY];
+                          const toVersion = require("./package.json").dependencies[DEPENDENCY];
+
+                          if (toVersion.endsWith("#develop")) {
+                              core.warning(`${DEPENDENCY} will be kept at ${fromVersion}`, { title: "Develop dependency found" });
+                          } else {
+                              deps.push([DEPENDENCY, fromVersion, toVersion]);
+                          }
+                      }
+
+                      if (deps.length) {
+                          const notes = await script({
+                              github,
+                              releaseId,
+                              dependencies: deps,
+                          });
+
+                          await github.rest.repos.updateRelease({
+                              owner,
+                              repo,
+                              release_id: releaseId,
+                              body: notes,
+                              tag_name: VERSION,
+                          });
+                      }
@@ -0,0 +1,16 @@
+# Generates the draft release for the js-sdk
+# Normally triggered whenever anything is merged to the staging branch, but
+# also has a workflow dispatch trigger in case it needs running manually due
+# to failures / workflow updates etc.
+name: Release Drafter
+on:
+    push:
+        branches: [staging]
+    workflow_dispatch: {}
+concurrency: ${{ github.workflow }}
+permissions: {}
+jobs:
+    draft:
+        permissions:
+            contents: write
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop # zizmor: ignore[unpinned-uses]
@@ -0,0 +1,91 @@
+# Gitflow merge-back master->develop
+name: Merge master -> develop
+on:
+    push:
+        branches: [master]
+    workflow_call:
+        secrets:
+            ELEMENT_BOT_TOKEN:
+                required: true
+        inputs:
+            dependencies:
+                description: List of dependencies to reset.
+                type: string
+                required: false
+            dir:
+                description: The directory to release
+                type: string
+                default: "."
+concurrency: ${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
+jobs:
+    merge:
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
+                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  fetch-depth: 0
+                  persist-credentials: true
+
+            - name: Get actions scripts
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: matrix-org/matrix-js-sdk
+                  persist-credentials: false
+                  path: .action-repo
+                  sparse-checkout: |
+                      scripts/release
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - name: Set up git
+              run: |
+                  git config --global user.email "releases@riot.im"
+                  git config --global user.name "RiotRobot"
+
+            - name: Merge to develop
+              run: |
+                  git checkout develop
+                  git merge -X ours master
+
+            - name: Reset dependencies
+              if: inputs.dependencies
+              working-directory: ${{ inputs.dir }}
+              run: |
+                  while IFS= read -r PACKAGE; do
+                      [ -z "$PACKAGE" ] && continue
+
+                      CURRENT_VERSION=$(cat package.json | jq -r .dependencies[\"$PACKAGE\"])
+                      echo "Current $PACKAGE version is $CURRENT_VERSION"
+
+                      if [[ "$CURRENT_VERSION" == "null" ]]
+                      then
+                          echo "Unable to find $PACKAGE in package.json"
+                          exit 1
+                      fi
+
+                      if [[ "$CURRENT_VERSION" == *"#develop" ]]
+                      then
+                          echo "Not updating dependency $PACKAGE"
+                          continue
+                      fi
+
+                      echo "Resetting $PACKAGE to develop branch..."
+                      pnpm add "github:matrix-org/$PACKAGE#develop"
+                      git add -u
+                      git commit -m "Reset $PACKAGE back to develop branch"
+                  done <<< "$DEPENDENCIES"
+              env:
+                  DEPENDENCIES: ${{ inputs.dependencies }}
+
+            - name: Push changes
+              run: git push origin develop
@@ -0,0 +1,332 @@
+name: Release Make
+on:
+    workflow_call:
+        secrets:
+            ELEMENT_BOT_TOKEN:
+                required: true
+            GPG_PASSPHRASE:
+                required: false
+            GPG_PRIVATE_KEY:
+                required: false
+        inputs:
+            final:
+                description: Make final release
+                required: true
+                default: false
+                type: boolean
+            npm:
+                description: Publish to npm
+                type: boolean
+                default: false
+            gpg-fingerprint:
+                description: Fingerprint of the GPG key to use for signing the git tag and assets, if any.
+                type: string
+                required: false
+            asset-path:
+                description: |
+                    The path to the asset you want to upload, if any. You can use glob patterns here.
+                    Will be GPG signed and an `.asc` file included in the release artifacts if `gpg-fingerprint` is set.
+                    Relative to `dir`.
+                type: string
+                required: false
+            expected-asset-count:
+                description: The number of expected assets, including signatures, excluding generated zip & tarball.
+                type: number
+                required: false
+            dist-dir:
+                description: The directory to release
+                type: string
+                default: "."
+            version-dirs:
+                description: Directories in which to update package.json `version` field
+                type: string
+                required: false
+        outputs:
+            npm-id:
+                description: "The npm package@version string we published"
+                value: ${{ jobs.npm.outputs.id }}
+permissions: {}
+jobs:
+    checks:
+        name: Sanity checks
+        permissions:
+            issues: read
+            pull-requests: read
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-checks.yml@develop # zizmor: ignore[unpinned-uses]
+
+    release:
+        name: Release
+        runs-on: ubuntu-24.04
+        environment: Release
+        needs: checks
+        permissions:
+            contents: write
+        steps:
+            - name: Load GPG key
+              id: gpg
+              if: inputs.gpg-fingerprint
+              uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7
+              with:
+                  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+                  passphrase: ${{ secrets.GPG_PASSPHRASE }}
+                  fingerprint: ${{ inputs.gpg-fingerprint }}
+
+            - name: Get draft release
+              id: draft-release
+              uses: cardinalby/git-get-release-action@5172c3a026600b1d459b117738c605fabc9e4e44 # 1.2.5
+              env:
+                  GITHUB_TOKEN: ${{ github.token }}
+              with:
+                  draft: true
+                  latest: true
+
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  ref: staging
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
+                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  fetch-depth: 0
+                  persist-credentials: true
+
+            - name: Get actions scripts
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: matrix-org/matrix-js-sdk
+                  persist-credentials: false
+                  path: .action-repo
+                  sparse-checkout: |
+                      .github/actions
+                      scripts/release
+
+            - name: Prepare variables
+              id: prepare
+              working-directory: ${{ inputs.dist-dir }}
+              run: |
+                  echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+                  HAS_DIST=0
+                  jq -e .scripts.dist package.json >/dev/null 2>&1 && HAS_DIST=1
+                  echo "has-dist-script=$HAS_DIST" >> $GITHUB_OUTPUT
+              env:
+                  VERSION: ${{ steps.draft-release.outputs.tag_name }}
+
+            - name: Finalise version
+              if: inputs.final
+              run: echo "VERSION=$(echo $VERSION | cut -d- -f1)" >> $GITHUB_ENV
+
+            - name: Check version number not in use
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              with:
+                  script: |
+                      const { VERSION } = process.env;
+                      github.rest.repos.getReleaseByTag({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          tag: VERSION,
+                      }).then(() => {
+                          core.setFailed(`Version ${VERSION} already exists`);
+                      }).catch(() => {
+                        // This is fine, we expect there to not be any release with this version yet
+                      });
+
+            - name: Set up git
+              run: |
+                  git config --global user.email "releases@riot.im"
+                  git config --global user.name "RiotRobot"
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: ${{ inputs.dist-dir }}/package.json
+
+            - name: Install dependencies
+              run: "pnpm install --frozen-lockfile"
+
+            - name: Handle develop dependencies
+              working-directory: ${{ inputs.dist-dir }}
+              run: |
+                  ret=0
+                  cat package.json | jq -r '.dependencies | to_entries | .[] | "\(.key) \(.value)"' | grep '#develop$' | while read -r dep ; do
+                      IFS=" "
+                      PACKAGE=${dep[0]}
+                      VERSION=${dep[1]}
+
+                      echo "::warning title=Develop dependency found::$DEPENDENCY will be kept at $VERSION"
+                      pnpm add "$PACKAGE@$VERSION" --save-exact
+                      git add -u
+                      git commit -m "Keep $PACKAGE at $VERSION"
+                  done
+
+            - name: Bump package.json versions
+              run: |
+                  for DIR in $DIRS; do
+                      pnpm version -C "$DIR" --no-git-tag-version "${VERSION#v}"
+                      git add "$DIR"/package.json
+                  done
+              env:
+                  DIRS: ${{ inputs.version-dirs || inputs.dist-dir }}
+
+            - name: Add to CHANGELOG.md
+              if: inputs.final
+              run: |
+                  mv CHANGELOG.md CHANGELOG.md.old
+                  HEADER="Changes in [${VERSION#v}](https://github.com/${{ github.repository }}/releases/tag/$VERSION) ($(date '+%Y-%m-%d'))"
+
+                  {
+                      echo "$HEADER"
+                      printf '=%.0s' $(seq ${#HEADER})
+                      echo ""
+                      echo "$RELEASE_NOTES"
+                      echo ""
+                  } > CHANGELOG.md
+
+                  cat CHANGELOG.md.old >> CHANGELOG.md
+                  rm CHANGELOG.md.old
+                  git add CHANGELOG.md
+              env:
+                  RELEASE_NOTES: ${{ steps.draft-release.outputs.body }}
+
+            - name: Commit changes
+              run: git commit -m "$VERSION"
+
+            - name: Build assets
+              if: steps.prepare.outputs.has-dist-script == '1'
+              working-directory: ${{ inputs.dist-dir }}
+              run: DIST_VERSION="$VERSION" pnpm dist
+
+            - name: Upload release assets & signatures
+              if: inputs.asset-path
+              uses: ./.action-repo/.github/actions/upload-release-assets
+              with:
+                  gpg-fingerprint: ${{ inputs.gpg-fingerprint }}
+                  upload-url: ${{ steps.draft-release.outputs.upload_url }}
+                  asset-path: ${{ inputs.dist-dir }}/${{ inputs.asset-path }}
+
+            - name: Create signed tag
+              if: inputs.gpg-fingerprint
+              run: |
+                  GIT_COMMITTER_EMAIL="$SIGNING_ID" GPG_TTY=$(tty) git tag -u "$SIGNING_ID" -m "Release $VERSION" "$VERSION"
+              env:
+                  SIGNING_ID: ${{ steps.gpg.outputs.email }}
+
+            - name: Generate & upload tarball signature
+              if: inputs.gpg-fingerprint
+              uses: ./.action-repo/.github/actions/sign-release-tarball
+              with:
+                  gpg-fingerprint: ${{ inputs.gpg-fingerprint }}
+                  upload-url: ${{ steps.draft-release.outputs.upload_url }}
+
+            # We defer pushing changes until after the release assets are built,
+            # signed & uploaded to improve the atomicity of this action.
+            - name: Push changes to staging
+              run: |
+                  git push origin staging $TAG
+                  git reset --hard
+              env:
+                  TAG: ${{ inputs.gpg-fingerprint && env.VERSION || '' }}
+
+            - name: Validate tarball signature
+              if: inputs.gpg-fingerprint
+              run: |
+                  wget https://github.com/$GITHUB_REPOSITORY/archive/refs/tags/$VERSION.tar.gz
+                  gpg --verify "$VERSION.tar.gz.asc" "$VERSION.tar.gz"
+
+            - name: Validate release has expected assets
+              if: inputs.expected-asset-count
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
+                  EXPECTED_ASSET_COUNT: ${{ inputs.expected-asset-count }}
+              with:
+                  retries: 3
+                  script: |
+                      const { RELEASE_ID: release_id, EXPECTED_ASSET_COUNT } = process.env;
+                      const { owner, repo } = context.repo;
+
+                      const { data: release } = await github.rest.repos.getRelease({
+                          owner,
+                          repo,
+                          release_id,
+                      });
+
+                      if (release.assets.length !== parseInt(EXPECTED_ASSET_COUNT, 10)) {
+                          core.setFailed(`Found ${release.assets.length} assets but expected ${EXPECTED_ASSET_COUNT}`);
+                      }
+
+            - name: Merge to master
+              if: inputs.final
+              run: |
+                  git checkout master
+                  git merge -X theirs staging
+                  git push origin master
+
+            - name: Publish release
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
+                  FINAL: ${{ inputs.final }}
+              with:
+                  retries: 3
+                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  script: |
+                      const { RELEASE_ID: release_id, RELEASE_NOTES, VERSION, FINAL } = process.env;
+                      const { owner, repo } = context.repo;
+
+                      const opts = {
+                          owner,
+                          repo,
+                          release_id,
+                          tag_name: VERSION,
+                          name: VERSION,
+                          draft: false,
+                          body: RELEASE_NOTES,
+                      };
+
+                      if (FINAL == "true") {
+                          opts.prerelease = false;
+                          opts.make_latest = true;
+                      }
+
+                      github.rest.repos.updateRelease(opts);
+
+    npm:
+        name: Publish to npm
+        needs: release
+        if: inputs.npm
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop # zizmor: ignore[unpinned-uses]
+        with:
+            dir: ${{ inputs.dist-dir }}
+        permissions:
+            contents: read
+            id-token: write
+
+    post-release:
+        name: Post release steps
+        needs: release
+        runs-on: ubuntu-24.04
+        permissions:
+            issues: write
+        steps:
+            - id: repository
+              run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT
+
+            - name: Advance release blocker labels
+              uses: garganshu/github-label-updater@3770d15ebfed2fe2cb06a241047bc340f774a7d1 # v1.0.0
+              with:
+                  owner: ${{ github.repository_owner }}
+                  repo: ${{ steps.repository.outputs.REPO }}
+                  token: ${{ secrets.GITHUB_TOKEN }}
+                  filter-labels: X-Upcoming-Release-Blocker
+                  remove-labels: X-Upcoming-Release-Blocker
+                  add-labels: X-Release-Blocker
+
+    #            - name: Wait for master->develop gitflow merge
+    #              if: inputs.final
+    #              uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork
+    #              with:
+    #                  ref: master
+    #                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+    #                  wait-interval: 10
+    #                  check-name: merge
+    #                  allowed-conclusions: success
@@ -1,41 +1,53 @@
-# Must only be called from `release#published` triggers
 name: Publish to npm
 on:
    workflow_call:
-        secrets:
-            NPM_TOKEN:
-                required: true
+        inputs:
+            dir:
+                description: The directory to release
+                type: string
+                default: "."
+        outputs:
+            id:
+                description: "The npm package@version string we published"
+                value: ${{ jobs.npm.outputs.id }}
+permissions: {}
 jobs:
    npm:
        name: Publish to npm
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            contents: read
+            id-token: write
+        outputs:
+            id: ${{ steps.npm-publish.outputs.id }}
        steps:
            - name: 🧮 Checkout code
-              uses: actions/checkout@v3
-
-            - name: 🔧 Yarn cache
-              uses: actions/setup-node@v3
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  ref: staging
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - name: 🔧 pnpm cache
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
                  registry-url: "https://registry.npmjs.org"
+                  node-version-file: ${{ inputs.dir }}/package.json
+
+            # Ensure npm 11.5.1 or later is installed
+            - name: Update npm
+              run: npm install -g npm@latest

            - name: 🔨 Install dependencies
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

            - name: 🚀 Publish to npm
              id: npm-publish
-              uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
-              with:
-                  token: ${{ secrets.NPM_TOKEN }}
-                  access: public
-                  tag: next
-
-            - name: 🎖️ Add `latest` dist-tag to final releases
-              if: github.event.release.prerelease == false
+              working-directory: ${{ inputs.dir }}
              run: |
-                  package=$(cat package.json | jq -er .name)
-                  npm dist-tag add "$package@$release" latest
+                  npm publish --provenance --access public --tag "$TAG"
+                  release=$(jq -r '"\(.name)@\(.version)"' package.json)
+                  echo "id=$release" >> $GITHUB_OUTPUT
              env:
-                  # JS-DevTools/npm-publish overrides `NODE_AUTH_TOKEN` with `INPUT_TOKEN` in .npmrc
-                  INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  release: ${{ steps.npm-publish.outputs.version }}
+                  TAG: ${{ contains(steps.npm-publish.outputs.id, '-rc.') && 'next' || 'latest' }}
@@ -1,59 +1,116 @@
 name: Release Process
 on:
-    release:
-        types: [published]
-concurrency: ${{ github.workflow }}-${{ github.ref }}
+    workflow_dispatch:
+        inputs:
+            mode:
+                description: What type of release
+                required: true
+                default: rc
+                type: choice
+                options:
+                    - rc
+                    - final
+            docs:
+                description: Publish docs
+                required: true
+                type: boolean
+                default: true
+            npm:
+                description: Publish to npm
+                required: true
+                type: boolean
+                default: true
+concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
-    jsdoc:
+    release:
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop # zizmor: ignore[unpinned-uses,secrets-inherit]
+        permissions:
+            contents: write
+            issues: write
+            pull-requests: read
+            id-token: write
+        secrets: inherit
+        with:
+            final: ${{ inputs.mode == 'final' }}
+            npm: ${{ inputs.npm }}
+
+    bump-downstreams:
+        name: Update npm dependency in downstream projects
+        needs: release
+        runs-on: ubuntu-24.04
+        strategy:
+            matrix:
+                include:
+                    - repo: element-hq/element-web
+                      path: apps/web
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: ${{ matrix.repo }}
+                  ref: staging
+                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  persist-credentials: true
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version: "lts/*"
+
+            - name: Bump dependency
+              env:
+                  DEPENDENCY: ${{ needs.release.outputs.npm-id }}
+                  DIR: ${{ matrix.path }}
+              run: |
+                  git config --global user.email "releases@riot.im"
+                  git config --global user.name "RiotRobot"
+                  pnpm add -C "$DIR" "$DEPENDENCY" --save-exact
+                  git add "$DIR"/package.json pnpm-lock.yaml
+                  git commit -am"Upgrade dependency to $DEPENDENCY"
+                  git push origin staging
+
+    docs:
        name: Publish Documentation
-        runs-on: ubuntu-latest
+        needs: release
+        if: inputs.docs
+        runs-on: ubuntu-24.04
        steps:
            - name: 🧮 Checkout code
-              uses: actions/checkout@v3
-
-            - name: 🔧 Yarn cache
-              uses: actions/setup-node@v3
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - name: 🔧 pnpm cache
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: 🔨 Install dependencies
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

-            - name: 📖 Generate JSDoc
-              run: "yarn gendoc"
+            - name: 📖 Generate docs
+              run: pnpm gendoc

-            - name: 📋 Copy to temp
-              run: |
-                  cp -a "./_docs" "$RUNNER_TEMP/"
-
-            - name: 🧮 Checkout gh-pages
-              uses: actions/checkout@v3
+            - name: Upload artifact
+              uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
              with:
-                  ref: gh-pages
+                  path: _docs

-            - name: 🔪 Prepare
-              env:
-                  GITHUB_REF_NAME: ${{ github.ref_name }}
-              run: |
-                  VERSION="${GITHUB_REF_NAME#v}"
-                  [ ! -e "$VERSION" ] || rm -r $VERSION
-                  cp -r $RUNNER_TEMP/_docs/ $VERSION
-
-                  # Add the new directory to the index if it isn't there already
-                  if ! grep -q ">Version $VERSION</a>" index.html; then
-                    perl -i -pe 'BEGIN {$rel=shift} $_ =~ /^<\/ul>/ && print
-                      "<li><a href=\"${rel}/index.html\">Version ${rel}</a></li>\n"' "$VERSION" index.html
-                  fi
-
-            - name: 🚀 Deploy
-              uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
-              with:
-                  github_token: ${{ secrets.GITHUB_TOKEN }}
-                  keep_files: true
-                  publish_dir: .
-
-    npm:
-        name: Publish
-        uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop
-        secrets:
-            NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    docs-deploy:
+        environment:
+            name: github-pages
+            url: ${{ steps.deployment.outputs.page_url }}
+        runs-on: ubuntu-24.04
+        needs: docs
+        # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+        permissions:
+            contents: read
+            pages: write
+            id-token: write
+        steps:
+            - name: Deploy to GitHub Pages
+              id: deployment
+              uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
@@ -5,19 +5,33 @@ on:
        secrets:
            SONAR_TOKEN:
                required: true
-        inputs:
-            extra_args:
-                type: string
+            # No longer used
+            ELEMENT_BOT_TOKEN:
                required: false
-                description: "Extra args to pass to SonarCloud"
+        inputs:
+            sharded:
+                type: boolean
+                required: false
+                description: "Whether to combine multiple LCOV and sonar-report files in coverage artifact"
+            version-pkg-json-dir:
+                type: string
+                default: "."
+                description: "Relative path of the directory containing package.json with the `version` to use."
+permissions: {}
 jobs:
    sonarqube:
-        runs-on: ubuntu-latest
-        if: github.event.workflow_run.conclusion == 'success'
+        runs-on: ubuntu-24.04
+        if: |
+            github.event.workflow_run.conclusion == 'success' &&
+            github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
        steps:
            # We create the status here and then update it to success/failure in the `report` stage
-            # This provides an easy link to this workflow_run from the PR before Cypress is done.
-            - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+            # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
+            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: pending
@@ -25,24 +39,60 @@ jobs:
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

+            - name: "🧮 Checkout code"
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
+                  ref: ${{ github.event.workflow_run.head_branch }} # checkout commit that triggered this workflow
+                  fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+                  persist-credentials: false
+
+            - name: 📥 Download artifact
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+              if: ${{ !inputs.sharded }}
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
+                  name: coverage
+                  path: coverage
+            - name: 📥 Download sharded artifacts
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+              if: inputs.sharded
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
+                  pattern: coverage-*
+                  path: coverage
+            - name: Check coverage artifact
+              run: |
+                  if [ ! -d coverage ]; then
+                      echo "Coverage not found. Exiting with failure."
+                      exit 1
+                  fi
+
+            - id: extra_args
+              run: |
+                  coverage=$(find coverage -type f -name '*lcov.info' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
+                  echo "sonar.javascript.lcov.reportPaths=$coverage" >> sonar-project.properties
+                  reports=$(find coverage -type f -name '*sonar-report*.xml' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
+                  echo "sonar.testExecutionReportPaths=$reports" >> sonar-project.properties
+
            - name: "🩻 SonarCloud Scan"
              id: sonarcloud
-              uses: matrix-org/sonarcloud-workflow-action@v2.3
+              uses: matrix-org/sonarcloud-workflow-action@13968a27c924fa19b1dacbce6ca3ff217daa775b
              # workflow_run fails report against the develop commit always, we don't want that for PRs
              continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }}
              with:
+                  skip_checkout: true
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  is_pr: ${{ github.event.workflow_run.event == 'pull_request' }}
-                  version_cmd: "cat package.json | jq -r .version"
+                  skip_coverage_label: Z-Skip-Coverage
+                  version_cmd: "cat ${{ inputs.version-pkg-json-dir }}/package.json | jq -r .version"
                  branch: ${{ github.event.workflow_run.head_branch }}
                  revision: ${{ github.event.workflow_run.head_sha }}
                  token: ${{ secrets.SONAR_TOKEN }}
-                  coverage_run_id: ${{ github.event.workflow_run.id }}
-                  coverage_workflow_name: tests.yml
-                  coverage_extract_path: coverage
-                  extra_args: ${{ inputs.extra_args }}

-            - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              if: always()
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
@@ -1,45 +1,26 @@
 name: SonarQube
 on:
-    workflow_run:
+    # Privilege escalation necessary to call upon SonarCloud
+    # 🚨 We must not execute any checked out code here.
+    workflow_run: # zizmor: ignore[dangerous-triggers]
        workflows: ["Tests"]
        types:
            - completed
 concurrency:
    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
    cancel-in-progress: true
+permissions: {}
 jobs:
-    # This is a workaround for https://github.com/SonarSource/SonarJS/issues/578
-    prepare:
-        name: Prepare
-        if: github.event.workflow_run.event != 'merge_group'
-        runs-on: ubuntu-latest
-        outputs:
-            reportPaths: ${{ steps.extra_args.outputs.reportPaths }}
-            testExecutionReportPaths: ${{ steps.extra_args.outputs.testExecutionReportPaths }}
-        steps:
-            # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
-            # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
-            - name: 📥 Download artifact
-              uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2
-              with:
-                  workflow: tests.yaml
-                  run_id: ${{ github.event.workflow_run.id }}
-                  name: coverage
-                  path: coverage
-
-            - id: extra_args
-              run: |
-                  coverage=$(find coverage -type f -name '*lcov.info' | tr '\n' ',' | sed 's/,$//g')
-                  echo "reportPaths=$coverage" >> $GITHUB_OUTPUT
-                  reports=$(find coverage -type f -name 'jest-sonar-report*.xml' | tr '\n' ',' | sed 's/,$//g')
-                  echo "testExecutionReportPaths=$reports" >> $GITHUB_OUTPUT
-
    sonarqube:
        name: 🩻 SonarQube
-        if: github.event.workflow_run.event != 'merge_group'
-        needs: prepare
-        uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
+        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
+        uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop # zizmor: ignore[unpinned-uses]
        secrets:
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
        with:
-            extra_args: -Dsonar.javascript.lcov.reportPaths=${{ needs.prepare.outputs.reportPaths }} -Dsonar.testExecutionReportPaths=${{ needs.prepare.outputs.testExecutionReportPaths }}
+            sharded: true
@@ -8,69 +8,192 @@ on:
 concurrency:
    group: ${{ github.workflow }}-${{ github.ref }}
    cancel-in-progress: true
+permissions: {} # No permissions needed
 jobs:
    ts_lint:
        name: "Typescript Syntax Check"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v3
-
-            - uses: actions/setup-node@v3
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Typecheck
-              run: "yarn run lint:types"
-
-            - name: Switch js-sdk to release mode
-              run: |
-                  scripts/switch_package_to_release.js
-                  yarn install
-                  yarn run build:compile
-                  yarn run build:types
-
-            - name: Typecheck (release mode)
-              run: "yarn run lint:types"
+              run: "pnpm run lint:types"

    js_lint:
        name: "ESLint"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v3
-
-            - uses: actions/setup-node@v3
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Run Linter
-              run: "yarn run lint:js"
+              run: "pnpm run lint:js"
+
+    node_example_lint:
+        name: "Node.js example"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install"
+
+            - name: Build Types
+              run: "pnpm build:types"
+
+            - name: Install Example Deps
+              run: "npm install"
+              working-directory: "examples/node"
+
+            - name: Check Syntax
+              run: "node --check app.js"
+              working-directory: "examples/node"
+
+            - name: Typecheck
+              run: "npx tsc"
+              working-directory: "examples/node"
+
+    workflow_lint:
+        name: "Workflow Lint"
+        runs-on: ubuntu-24.04
+        permissions:
+            security-events: write
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - name: Run Linter
+              run: "pnpm lint:workflows"
+
+            - name: Run zizmor
+              uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

    docs:
        name: "JSDoc Checker"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v3
-
-            - uses: actions/setup-node@v3
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Generate Docs
-              run: "yarn run gendoc --treatWarningsAsErrors"
+              run: "pnpm run gendoc --treatWarningsAsErrors --suppressCommentWarningsInDeclarationFiles"

            - name: Upload Artifact
-              uses: actions/upload-artifact@v3
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
              with:
                  name: docs
                  path: _docs
                  # We'll only use this in a workflow_run, then we're done with it
                  retention-days: 1
+
+    analyse_dead_code:
+        name: "Analyse Dead Code"
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - name: Run linter
+              run: "pnpm run lint:knip"
+
+    element-web:
+        name: Downstream tsc element-web
+        if: github.event_name == 'merge_group'
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: element-hq/element-web
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version: "lts/*"
+
+            - name: Install Dependencies
+              run: "./scripts/layered.sh"
+              env:
+                  # tell layered.sh to check out the right sha of the JS-SDK
+                  JS_SDK_GITHUB_BASE_REF: ${{ github.sha }}
+
+            - name: Typecheck
+              working-directory: apps/web
+              run: "pnpm run lint:types"
+
+    # Workflow consolidation job
+    done:
+        needs:
+            - ts_lint
+            - js_lint
+            - node_example_lint
+            - workflow_lint
+            - docs
+            - analyse_dead_code
+            - element-web
+        name: Static Analysis
+        runs-on: ubuntu-24.04
+        if: always()
+        steps:
+            - if: contains(needs.*.result , 'failure') || contains(needs.*.result, 'cancelled')
+              run: exit 1
@@ -0,0 +1,22 @@
+name: Sync labels
+on:
+    workflow_dispatch: {}
+    schedule:
+        - cron: "0 1 * * *" # 1am every day
+    push:
+        branches:
+            - develop
+        paths:
+            - .github/labels.yml
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+jobs:
+    sync-labels:
+        uses: element-hq/element-meta/.github/workflows/sync-labels.yml@7f2f93fb9b52ece7a0998f60e64862aa203c1746
+        with:
+            LABELS: |
+                element-hq/element-meta
+                .github/labels.yml
+            DELETE: true
+            WET: true
+        secrets:
+            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -10,79 +10,115 @@ concurrency:
    cancel-in-progress: true
 env:
    ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }}
+permissions: {} # No permissions required
 jobs:
-    jest:
-        name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node }})"
-        runs-on: ubuntu-latest
+    test:
+        name: "Vitest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
+        runs-on: ubuntu-24.04
        timeout-minutes: 10
        strategy:
            matrix:
-                specs: [browserify, integ, unit]
-                node: [16, 18, latest]
+                specs: [integ, unit]
+                node: ["lts/*", 22]
        steps:
            - name: Checkout code
-              uses: actions/checkout@v3
-
-            - name: Setup Node
-              uses: actions/setup-node@v3
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - name: Setup Node
+              id: setupNode
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
                  node-version: ${{ matrix.node }}

            - name: Install dependencies
-              run: "yarn install"
-
-            - name: Build
-              if: matrix.specs == 'browserify'
-              run: "yarn build"
+              run: "pnpm install"

            - name: Get number of CPU cores
              id: cpu-cores
-              uses: SimenB/github-actions-cpu-cores@410541432439795d30db6501fb1d8178eb41e502 # v1
+              uses: SimenB/github-actions-cpu-cores@97ba232459a8e02ff6121db9362b09661c875ab8 # v2

            - name: Run tests
              run: |
-                  yarn test \
-                      --coverage=${{ env.ENABLE_COVERAGE }} \
-                      --ci \
-                      --max-workers ${{ steps.cpu-cores.outputs.count }} \
+                  pnpm test \
+                      --coverage=${ENABLE_COVERAGE} \
+                      --maxWorkers ${NUM_WORKERS} \
                      ./spec/${{ matrix.specs }}
              env:
-                  JEST_SONAR_UNIQUE_OUTPUT_NAME: true
+                  SHARD: ${{ matrix.specs }}
+                  NUM_WORKERS: ${{ steps.cpu-cores.outputs.count }}

            - name: Move coverage files into place
              if: env.ENABLE_COVERAGE == 'true'
-              run: mv coverage/lcov.info coverage/${{ matrix.node }}-${{ matrix.specs }}.lcov.info
+              run: mv coverage/lcov.info coverage/${NODE_VERSION}-${{ matrix.specs }}.lcov.info
+              env:
+                  NODE_VERSION: ${{ steps.setupNode.outputs.node-version }}

            - name: Upload Artifact
              if: env.ENABLE_COVERAGE == 'true'
-              uses: actions/upload-artifact@v3
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
              with:
-                  name: coverage
+                  name: coverage-${{ matrix.specs }}-${{ matrix.node == 'lts/*' && 'lts' || matrix.node }}
                  path: |
                      coverage
                      !coverage/lcov-report

-    matrix-react-sdk:
-        name: Downstream test matrix-react-sdk
+    # Dummy completion job to simplify branch protections
+    complete:
+        name: Tests
+        needs: test
+        if: always()
+        runs-on: ubuntu-24.04
+        steps:
+            - if: needs.test.result != 'skipped' && needs.test.result != 'success'
+              run: exit 1
+
+    element-web:
+        name: Downstream test element-web
        if: github.event_name == 'merge_group'
-        uses: matrix-org/matrix-react-sdk/.github/workflows/tests.yml@develop
+        uses: element-hq/element-web/.github/workflows/tests.yml@develop # zizmor: ignore[unpinned-uses]
+        permissions:
+            statuses: write
        with:
            disable_coverage: true
            matrix-js-sdk-sha: ${{ github.sha }}

+    complement-crypto:
+        name: "Run Complement Crypto tests"
+        if: github.event_name == 'merge_group'
+        permissions: read-all # zizmor: ignore[excessive-permissions]
+        uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main # zizmor: ignore[unpinned-uses]
+        with:
+            use_js_sdk: "."
+
+    # we need this so the job is reported properly when run in a merge queue
+    downstream-complement-crypto:
+        name: Downstream Complement Crypto tests
+        runs-on: ubuntu-24.04
+        if: always()
+        needs:
+            - complement-crypto
+        steps:
+            - if: needs.complement-crypto.result != 'skipped' && needs.complement-crypto.result != 'success'
+              run: exit 1
+
    # Hook for branch protection to skip downstream testing outside of merge queues
    # and skip sonarcloud coverage within merge queues
    downstream:
        name: Downstream tests
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        if: always()
        needs:
-            - matrix-react-sdk
+            - element-web
+        permissions:
+            statuses: write
        steps:
            - name: Skip SonarCloud on merge queues
              if: env.ENABLE_COVERAGE == 'false'
-              uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+              uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: success
@@ -91,5 +127,5 @@ jobs:
                  sha: ${{ github.sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

-            - if: needs.matrix-react-sdk.result != 'skipped' && needs.matrix-react-sdk.result != 'success'
+            - if: needs.element-web.result != 'skipped' && needs.element-web.result != 'success'
              run: exit 1
@@ -0,0 +1,14 @@
+name: Move new issues into Issue triage board
+
+on:
+    issues:
+        types: [opened]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+jobs:
+    automate-project-columns-next:
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+              with:
+                  project-url: https://github.com/orgs/element-hq/projects/120
+                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -0,0 +1,11 @@
+name: Move labelled issues to correct projects
+
+on:
+    issues:
+        types: [labeled]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+jobs:
+    call-triage-labelled:
+        uses: element-hq/element-web/.github/workflows/triage-labelled.yml@6339bcda15c71d209303b18a06a9b1c021220bf9
+        secrets:
+            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -0,0 +1,22 @@
+name: Close stale PRs
+on:
+    workflow_dispatch: {}
+    schedule:
+        - cron: "30 1 * * *"
+permissions: {}
+jobs:
+    close:
+        runs-on: ubuntu-24.04
+        permissions:
+            actions: write
+            issues: write
+            pull-requests: write
+        steps:
+            - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+              with:
+                  operations-per-run: 250
+                  days-before-issue-stale: -1
+                  days-before-issue-close: -1
+                  days-before-pr-stale: 180
+                  days-before-pr-close: 0
+                  close-pr-message: "This PR has been automatically closed because it has been stale for 180 days. If you wish to continue working on this PR, please ping a maintainer to reopen it."
@@ -1,38 +0,0 @@
-name: Upgrade Dependencies
-on:
-    workflow_dispatch: {}
-    workflow_call:
-        secrets:
-            ELEMENT_BOT_TOKEN:
-                required: true
-jobs:
-    upgrade:
-        runs-on: ubuntu-latest
-        steps:
-            - uses: actions/checkout@v3
-
-            - uses: actions/setup-node@v3
-              with:
-                  cache: "yarn"
-
-            - name: Upgrade
-              run: yarn upgrade && yarn install
-
-            - name: Create Pull Request
-              id: cpr
-              uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4
-              with:
-                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
-                  branch: actions/upgrade-deps
-                  delete-branch: true
-                  title: Upgrade dependencies
-                  labels: |
-                      Dependencies
-                      T-Task
-
-            - name: Enable automerge
-              run: gh pr merge --merge --auto "$PR_NUMBER"
-              if: steps.cpr.outputs.pull-request-operation == 'created'
-              env:
-                  GH_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
-                  PR_NUMBER: ${{ steps.cpr.outputs.pull-request-number }}
@@ -13,8 +13,7 @@ out
 /dist
 /lib

-# version file and tarball created by `npm pack` / `yarn pack`
-/git-revision.txt
+# tarball created by `npm pack` / `yarn pack`
 /matrix-js-sdk-*.tgz

 .vscode
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+
+npx lint-staged
@@ -0,0 +1,4 @@
+{
+    "*.(ts|tsx)": ["eslint --fix", "prettier --write"],
+    "*.(py|md|yaml)": ["prettier --write"]
+}
@@ -3,6 +3,7 @@

 /.npmrc
 /*.log
+pnpm-lock.yaml
 package-lock.json
 .lock-wscript
 build/Release
@@ -24,3 +25,7 @@ out

 # This file is owned, parsed, and generated by allchange, which doesn't comply with prettier
 /CHANGELOG.md
+
+# These files are also autogenerated
+/spec/test-utils/test-data/index.ts
+/spec/test-utils/test_indexeddb_cryptostore_dump/dump.json
@@ -1,3 +1,241 @@
 # Contributing code to matrix-js-sdk

-matrix-js-sdk follows the same pattern as https://github.com/vector-im/element-web/blob/develop/CONTRIBUTING.md
+Everyone is welcome to contribute code to matrix-js-sdk, provided that they are
+willing to license their contributions under the same license as the project
+itself. We follow a simple 'inbound=outbound' model for contributions: the act
+of submitting an 'inbound' contribution means that the contributor agrees to
+license the code under the same terms as the project's overall 'outbound'
+license - in this case, Apache Software License v2 (see
+[LICENSE](LICENSE)).
+
+## How to contribute
+
+The preferred and easiest way to contribute changes to the project is to fork
+it on github, and then create a pull request to ask us to pull your changes
+into our repo (https://help.github.com/articles/using-pull-requests/)
+
+We use GitHub's pull request workflow to review the contribution, and either
+ask you to make any refinements needed or merge it and make them ourselves.
+
+Your PR should have a title that describes what change is being made. This
+is used for the text in the Changelog entry by default (see below), so a good
+title will tell a user succinctly what change is being made. "Fix bug where
+cows had five legs" and, "Add support for miniature horses" are examples of good
+titles. Don't include an issue number here: that belongs in the description.
+Definitely don't use the GitHub default of "Update file.ts".
+
+As for your PR description, it should include these things:
+
+- References to any bugs fixed by the change (in GitHub's `Fixes` notation)
+- Describe the why and what is changing in the PR description so it's easy for
+  onlookers and reviewers to onboard and context switch. This information is
+  also helpful when we come back to look at this in 6 months and ask "why did
+  we do it like that?" we have a chance of finding out.
+    - Why didn't it work before? Why does it work now? What use cases does it
+      unlock?
+    - If you find yourself adding information on how the code works or why you
+      chose to do it the way you did, make sure this information is instead
+      written as comments in the code itself.
+    - Sometimes a PR can change considerably as it is developed. In this case,
+      the description should be updated to reflect the most recent state of
+      the PR. (It can be helpful to retain the old content under a suitable
+      heading, for additional context.)
+- Include a step-by-step testing strategy so that a reviewer can check out the
+  code locally and easily get to the point of testing your change.
+- Add comments to the diff for the reviewer that might help them to understand
+  why the change is necessary or how they might better understand and review it.
+
+### Changelogs
+
+There's no need to manually add Changelog entries: we use information in the
+pull request to populate the information that goes into the changelogs our
+users see, both for Element Web itself and other projects on which it is based.
+This is picked up from both labels on the pull request and the `Notes:`
+annotation in the description. By default, the PR title will be used for the
+changelog entry, but you can specify more options, as follows.
+
+To add a longer, more detailed description of the change for the changelog:
+
+_Fix llama herding bug_
+
+```
+Notes: Fix a bug (https://github.com/matrix-org/notaproject/issues/123) where the 'Herd' button would not herd more than 8 Llamas if the moon was in the waxing gibbous phase
+```
+
+For some PRs, it's not useful to have an entry in the user-facing changelog (this is
+the default for PRs labelled with `T-Task`):
+
+_Remove outdated comment from `Ungulates.ts`_
+
+```
+Notes: none
+```
+
+Sometimes, you're fixing a bug in a downstream project, in which case you want
+an entry in that project's changelog. You can do that too:
+
+_Fix another herding bug_
+
+```
+Notes: Fix a bug where the `herd()` function would only work on Tuesdays
+element-web notes: Fix a bug where the 'Herd' button only worked on Tuesdays
+```
+
+This example is for Element Web. You can specify:
+
+- element-web
+- element-desktop
+
+If your PR introduces a breaking change, use the `Notes` section in the same
+way, additionally adding the `X-Breaking-Change` label (see below). There's no need
+to specify in the notes that it's a breaking change - this will be added
+automatically based on the label - but remember to tell the developer how to
+migrate:
+
+_Remove legacy class_
+
+```
+Notes: Remove legacy `Camelopard` class. `Giraffe` should be used instead.
+```
+
+Other metadata can be added using labels.
+
+- `X-Breaking-Change`: A breaking change - adding this label will mean the change causes a _major_ version bump.
+- `T-Enhancement`: A new feature - adding this label will mean the change causes a _minor_ version bump.
+- `T-Defect`: A bug fix (in either code or docs).
+- `T-Task`: No user-facing changes, eg. code comments, CI fixes, refactors or tests. Won't have a changelog entry unless you specify one.
+
+If you don't have permission to add labels, your PR reviewer(s) can work with you
+to add them: ask in the PR description or comments.
+
+We use continuous integration, and all pull requests get automatically tested:
+if your change breaks the build, then the PR will show that there are failed
+checks, so please check back after a few minutes.
+
+## Tests
+
+Your PR should include tests.
+
+For new user facing features in `matrix-js-sdk`, you
+must include comprehensive unit tests written in Vitest.
+The existing tests can be found under `spec/unit`
+
+It's good practice to write tests alongside the code as it ensures the code is testable from
+the start, and gives you a fast feedback loop while you're developing the
+functionality. Unit tests are necessary even for bug fixes.
+
+When writing unit tests, please aim for a high level of test coverage
+for new code - 80% or greater. If you cannot achieve that, please document
+why it's not possible in your PR.
+
+Tests validate that your change works as intended and also document
+concisely what is being changed. Ideally, your new tests fail
+prior to your change, and succeed once it has been applied. You may
+find this simpler to achieve if you write the tests first.
+
+If you're spiking some code that's experimental and not being used to support
+production features, exceptions can be made to requirements for tests.
+Note that tests will still be required in order to ship the feature, and it's
+strongly encouraged to think about tests early in the process, as adding
+tests later will become progressively more difficult.
+
+If you're not sure how to approach writing tests for your change, ask for help
+in [#element-dev](https://matrix.to/#/#element-dev:matrix.org).
+
+## Code style
+
+Code style is documented in [code_style.md](./code_style.md).
+Contributors are encouraged to it and follow the principles set out there.
+
+Please ensure your changes match the cosmetic style of the existing project,
+and **_never_** mix cosmetic and functional changes in the same commit, as it
+makes it horribly hard to review otherwise.
+
+## Sign off
+
+In order to have a concrete record that your contribution is intentional
+and you agree to license it under the same terms as the project's license, we've
+adopted the same lightweight approach that the Linux Kernel
+(https://www.kernel.org/doc/html/latest/process/submitting-patches.html), Docker
+(https://github.com/docker/docker/blob/master/CONTRIBUTING.md), and many other
+projects use: the DCO (Developer Certificate of Origin:
+http://developercertificate.org/). This is a simple declaration that you wrote
+the contribution or otherwise have the right to contribute it to Matrix:
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+If you agree to this for your contribution, then all that's needed is to
+include the line in your commit or pull request comment:
+
+```
+Signed-off-by: Your Name <your@email.example.org>
+```
+
+We accept contributions under a legally identifiable name, such as your name on
+government documentation or common-law names (names claimed by legitimate usage
+or repute). Unfortunately, we cannot accept anonymous contributions at this
+time.
+
+Git allows you to add this signoff automatically when using the `-s` flag to
+`git commit`, which uses the name and email set in your `user.name` and
+`user.email` git configs.
+
+If you forgot to sign off your commits before making your pull request and are
+on Git 2.17+ you can mass signoff using rebase:
+
+```
+git rebase --signoff origin/develop
+```
+
+# Review expectations
+
+See https://github.com/vector-im/element-meta/wiki/Review-process
+
+# Merge Strategy
+
+The preferred method for merging pull requests is squash merging to keep the
+commit history trim, but it is up to the discretion of the team member merging
+the change. We do not support rebase merges due to `allchange` being unable to
+handle them. When merging make sure to leave the default commit title, or
+at least leave the PR number at the end in brackets like by default.
+When stacking pull requests, you may wish to do the following:
+
+1. Branch from develop to your branch (branch1), push commits onto it and open a pull request
+2. Branch from your base branch (branch1) to your work branch (branch2), push commits and open a pull request configuring the base to be branch1, saying in the description that it is based on your other PR.
+3. Merge the first PR using a merge commit otherwise your stacked PR will need a rebase. Github will automatically adjust the base branch of your other PR to be develop.
@@ -11,6 +11,24 @@
 This is the [Matrix](https://matrix.org) Client-Server SDK for JavaScript and TypeScript. This SDK can be run in a
 browser or in Node.js.

+---
+
+<picture>
+  <source srcset="contrib/element-logo-light.png" media="(prefers-color-scheme: dark)">
+  <source srcset="contrib/element-logo-dark.png" media="(prefers-color-scheme: light)">
+  <img src="contrib/element-logo-fallback.png" alt="Element logo">
+</picture>
+
+<br>
+
+Development and maintenance is proudly sponsored by [Element](https://element.io). Element uses the SDK in their flagship [web](https://github.com/element-hq/element-web) and [desktop](https://github.com/element-hq/element-desktop) clients.
+
+The SDK is also the basis for multiple Matrix projects and we welcome contributions from all.
+
+---
+
+#### Minimum Matrix server version: v1.1
+
 The Matrix specification is constantly evolving - while this SDK aims for maximum backwards compatibility, it only
 guarantees that a feature will be supported for at least 4 spec releases. For example, if a feature the js-sdk supports
 is removed in v1.4 then the feature is _eligible_ for removal from the SDK when v1.8 is released. This SDK has no
@@ -19,30 +37,14 @@ endpoints from before Matrix 1.1, for example.

 # Quickstart

-## In a browser
+> [!IMPORTANT]
+> Servers may require or use authenticated endpoints for media (images, files, avatars, etc). See the
+> [Authenticated Media](#authenticated-media) section for information on how to enable support for this.

-Download the browser version from
-https://github.com/matrix-org/matrix-js-sdk/releases/latest and add that as a
-`<script>` to your page. There will be a global variable `matrixcs`
-attached to `window` through which you can access the SDK. See below for how to
-include libolm to enable end-to-end-encryption.
+Using `pnpm` instead of `npm` is recommended. Please see the pnpm [install
+guide](https://pnpm.io/installation#using-corepack) if you do not have it already.

-The browser bundle supports recent versions of browsers. Typically this is ES2015
-or `> 0.5%, last 2 versions, Firefox ESR, not dead` if using
-[browserlists](https://github.com/browserslist/browserslist).
-
-Please check [the working browser example](examples/browser) for more information.
-
-## In Node.js
-
-Ensure you have the latest LTS version of Node.js installed.
-This library relies on `fetch` which is available in Node from v18.0.0 - it should work fine also with polyfills.
-If you wish to use a ponyfill or adapter of some sort then pass it as `fetchFn` to the MatrixClient constructor options.
-
-Using `yarn` instead of `npm` is recommended. Please see the Yarn [install guide](https://classic.yarnpkg.com/en/docs/install)
-if you do not have it already.
-
-`yarn add matrix-js-sdk`
+`pnpm add matrix-js-sdk`

 ```javascript
 import * as sdk from "matrix-js-sdk";
@@ -52,8 +54,8 @@ client.publicRooms(function (err, data) {
 });
 ```

-See below for how to include libolm to enable end-to-end-encryption. Please check
-[the Node.js terminal app](examples/node) for a more complex example.
+See [below](#end-to-end-encryption-support) for how to enable end-to-end-encryption, or check
+[the Node.js terminal app](https://github.com/matrix-org/matrix-js-sdk/tree/develop/examples/node) for a more complex example.

 To start the client:

@@ -64,7 +66,7 @@ await client.startClient({ initialSyncLimit: 10 });
 You can perform a call to `/sync` to get the current state of the client:

 ```javascript
-client.once("sync", function (state, prevState, res) {
+client.once(ClientEvent.sync, function (state, prevState, res) {
    if (state === "PREPARED") {
        console.log("prepared");
    } else {
@@ -89,7 +91,7 @@ client.sendEvent("roomId", "m.room.message", content, "", (err, res) => {
 To listen for message events:

 ```javascript
-client.on("Room.timeline", function (event, room, toStartOfTimeline) {
+client.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (event.getType() !== "m.room.message") {
        return; // only use messages
    }
@@ -107,55 +109,83 @@ Object.keys(client.store.rooms).forEach((roomId) => {
 });
 ```

+## Authenticated media
+
+Servers supporting [MSC3916](https://github.com/matrix-org/matrix-spec-proposals/pull/3916) (Matrix 1.11) will require clients, like
+yours, to include an `Authorization` header when `/download`ing or `/thumbnail`ing media. For NodeJS environments this
+may be as easy as the following code snippet, though web browsers may need to use [Service Workers](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API)
+to append the header when using the endpoints in `<img />` elements and similar.
+
+```javascript
+const downloadUrl = client.mxcUrlToHttp(
+    /*mxcUrl=*/ "mxc://example.org/abc123", // the MXC URI to download/thumbnail, typically from an event or profile
+    /*width=*/ undefined, // part of the thumbnail API. Use as required.
+    /*height=*/ undefined, // part of the thumbnail API. Use as required.
+    /*resizeMethod=*/ undefined, // part of the thumbnail API. Use as required.
+    /*allowDirectLinks=*/ false, // should generally be left `false`.
+    /*allowRedirects=*/ true, // implied supported with authentication
+    /*useAuthentication=*/ true, // the flag we're after in this example
+);
+const img = await fetch(downloadUrl, {
+    headers: {
+        Authorization: `Bearer ${client.getAccessToken()}`,
+    },
+});
+// Do something with `img`.
+```
+
+> [!WARNING]
+> In future the js-sdk will _only_ return authentication-required URLs, mandating population of the `Authorization` header.
+
 ## What does this SDK do?

 This SDK provides a full object model around the Matrix Client-Server API and emits
 events for incoming data and state changes. Aside from wrapping the HTTP API, it:

-   Handles syncing (via `/initialSync` and `/events`)
-   Handles the generation of "friendly" room and member names.
-   Handles historical `RoomMember` information (e.g. display names).
-   Manages room member state across multiple events (e.g. it handles typing, power
-    levels and membership changes).
-   Exposes high-level objects like `Rooms`, `RoomState`, `RoomMembers` and `Users`
-    which can be listened to for things like name changes, new messages, membership
-    changes, presence changes, and more.
-   Handle "local echo" of messages sent using the SDK. This means that messages
-    that have just been sent will appear in the timeline as 'sending', until it
-    completes. This is beneficial because it prevents there being a gap between
-    hitting the send button and having the "remote echo" arrive.
-   Mark messages which failed to send as not sent.
-   Automatically retry requests to send messages due to network errors.
-   Automatically retry requests to send messages due to rate limiting errors.
-   Handle queueing of messages.
-   Handles pagination.
-   Handle assigning push actions for events.
-   Handles room initial sync on accepting invites.
-   Handles WebRTC calling.
-
-Later versions of the SDK will:
-
-   Expose a `RoomSummary` which would be suitable for a recents page.
-   Provide different pluggable storage layers (e.g. local storage, database-backed)
+- Handles syncing (via `/sync`)
+- Handles the generation of "friendly" room and member names.
+- Handles historical `RoomMember` information (e.g. display names).
+- Manages room member state across multiple events (e.g. it handles typing, power
+  levels and membership changes).
+- Exposes high-level objects like `Rooms`, `RoomState`, `RoomMembers` and `Users`
+  which can be listened to for things like name changes, new messages, membership
+  changes, presence changes, and more.
+- Handle "local echo" of messages sent using the SDK. This means that messages
+  that have just been sent will appear in the timeline as 'sending', until it
+  completes. This is beneficial because it prevents there being a gap between
+  hitting the send button and having the "remote echo" arrive.
+- Mark messages which failed to send as not sent.
+- Automatically retry requests to send messages due to network errors.
+- Automatically retry requests to send messages due to rate limiting errors.
+- Handle queueing of messages.
+- Handles pagination.
+- Handle assigning push actions for events.
+- Handles room initial sync on accepting invites.
+- Handles WebRTC calling.

 # Usage

-## Conventions
+## Supported platforms

-### Emitted events
+`matrix-js-sdk` can be used in either Node.js applications (ensure you have the latest LTS version of Node.js installed),
+or in browser applications, via a bundler such as Webpack or Vite.

-The SDK will emit events using an `EventEmitter`. It also
-emits object models (e.g. `Rooms`, `RoomMembers`) when they
-are updated.
+You can also use the sdk with [Deno](https://deno.land/) (`import npm:matrix-js-sdk`) but its not officially supported.
+
+## Emitted events
+
+The SDK raises notifications to the application using
+[`EventEmitter`s](https://nodejs.org/api/events.html#class-eventemitter). The `MatrixClient` itself
+implements `EventEmitter`, as do many of the high-level abstractions such as `Room` and `RoomMember`.

 ```javascript
 // Listen for low-level MatrixEvents
-client.on("event", function (event) {
+client.on(ClientEvent.Event, function (event) {
    console.log(event.getType());
 });

 // Listen for typing changes
-client.on("RoomMember.typing", function (event, member) {
+client.on(RoomMemberEvent.Typing, function (event, member) {
    if (member.typing) {
        console.log(member.name + " is typing...");
    } else {
@@ -167,41 +197,22 @@ client.on("RoomMember.typing", function (event, member) {
 client.startClient();
 ```

-### Promises and Callbacks
+## Entry points

-Most of the methods in the SDK are asynchronous: they do not directly return a
-result, but instead return a [Promise](http://documentup.com/kriskowal/q/)
-which will be fulfilled in the future.
+As well as the primary entry point (`matrix-js-sdk`), there are several other entry points which may be useful:

-The typical usage is something like:
-
-```javascript
-  matrixClient.someMethod(arg1, arg2).then(function(result) {
-    ...
-  });
-```
-
-Alternatively, if you have a Node.js-style `callback(err, result)` function,
-you can pass the result of the promise into it with something like:
-
-```javascript
-matrixClient.someMethod(arg1, arg2).nodeify(callback);
-```
-
-The main thing to note is that it is problematic to discard the result of a
-promise-returning function, as that will cause exceptions to go unobserved.
-
-Methods which return a promise show this in their documentation.
-
-Many methods in the SDK support _both_ Node.js-style callbacks _and_ Promises,
-via an optional `callback` argument. The callback support is now deprecated:
-new methods do not include a `callback` argument, and in the future it may be
-removed from existing methods.
+| Entry point                    | Description                                                                                         |
+| ------------------------------ | --------------------------------------------------------------------------------------------------- |
+| `matrix-js-sdk`                | Primary entry point. High-level functionality, and lots of historical clutter in need of a cleanup. |
+| `matrix-js-sdk/lib/crypto-api` | Cryptography functionality.                                                                         |
+| `matrix-js-sdk/lib/types`      | Low-level types, reflecting data structures defined in the Matrix spec.                             |
+| `matrix-js-sdk/lib/testing`    | Test utilities, which may be useful in test code but should not be used in production code.         |
+| `matrix-js-sdk/lib/utils/*.js` | A set of modules exporting standalone functions (and their types).                                  |

 ## Examples

 This section provides some useful code snippets which demonstrate the
-core functionality of the SDK. These examples assume the SDK is setup like this:
+core functionality of the SDK. These examples assume the SDK is set up like this:

 ```javascript
 import * as sdk from "matrix-js-sdk";
@@ -217,10 +228,10 @@ const matrixClient = sdk.createClient({
 ### Automatically join rooms when invited

 ```javascript
-matrixClient.on("RoomMember.membership", function (event, member) {
-    if (member.membership === "invite" && member.userId === myUserId) {
-        matrixClient.joinRoom(member.roomId).then(function () {
-            console.log("Auto-joined %s", member.roomId);
+matrixClient.on(RoomEvent.MyMembership, function (room, membership, prevMembership) {
+    if (membership === KnownMembership.Invite) {
+        matrixClient.joinRoom(room.roomId).then(function () {
+            console.log("Auto-joined %s", room.roomId);
        });
    }
 });
@@ -231,7 +242,7 @@ matrixClient.startClient();
 ### Print out messages for all rooms

 ```javascript
-matrixClient.on("Room.timeline", function (event, room, toStartOfTimeline) {
+matrixClient.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (toStartOfTimeline) {
        return; // don't print paginated results
    }
@@ -263,7 +274,7 @@ Output:
 ### Print out membership lists whenever they are changed

 ```javascript
-matrixClient.on("RoomState.members", function (event, state, member) {
+matrixClient.on(RoomStateEvent.Members, function (event, state, member) {
    const room = matrixClient.getRoom(state.roomId);
    if (!room) {
        return;
@@ -299,8 +310,8 @@ This SDK uses [Typedoc](https://typedoc.org/guides/doccomments) doc comments. Yo
 host the API reference from the source files like this:

 ```
-  $ yarn gendoc
-  $ cd _docs
+  $ pnpm gendoc
+  $ cd docs
  $ python -m http.server 8005
 ```

@@ -308,41 +319,131 @@ Then visit `http://localhost:8005` to see the API docs.

 # End-to-end encryption support

-The SDK supports end-to-end encryption via the Olm and Megolm protocols, using
-[libolm](https://gitlab.matrix.org/matrix-org/olm). It is left up to the
-application to make libolm available, via the `Olm` global.
+`matrix-js-sdk`'s end-to-end encryption support is based on the [WebAssembly bindings](https://github.com/matrix-org/matrix-rust-sdk-crypto-wasm) of the Rust [matrix-sdk-crypto](https://github.com/matrix-org/matrix-rust-sdk/tree/main/crates/matrix-sdk-crypto) library.

-It is also necessary to call `await matrixClient.initCrypto()` after creating a new
-`MatrixClient` (but **before** calling `matrixClient.startClient()`) to
-initialise the crypto layer.
+## Initialization

-If the `Olm` global is not available, the SDK will show a warning, as shown
-below; `initCrypto()` will also fail.
+To initialize the end-to-end encryption support in the matrix client:

-```
-Unable to load crypto module: crypto will be disabled: Error: global.Olm is not defined
+```javascript
+// Create a new matrix client
+const matrixClient = sdk.createClient({
+    baseUrl: "http://localhost:8008",
+    accessToken: myAccessToken,
+    userId: myUserId,
+});
+
+// Initialize to enable end-to-end encryption support.
+await matrixClient.initRustCrypto();
 ```

-If the crypto layer is not (successfully) initialised, the SDK will continue to
-work for unencrypted rooms, but it will not support the E2E parts of the Matrix
-specification.
+Note that by default it will attempt to use the Indexed DB provided by the browser as a crypto store. If running outside the browser, you will need to pass [an options object](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#initrustcrypto) which includes `useIndexedDB: false`, to use an ephemeral in-memory store instead. Note that without a persistent store, you'll need to create a new device on the server side (with [`MatrixClient.loginRequest`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#loginrequest)) each time your application starts.

-To provide the Olm library in a browser application:
+After calling `initRustCrypto`, you can obtain a reference to the [`CryptoApi`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html) interface, which is the main entry point for end-to-end encryption, by calling [`MatrixClient.getCrypto`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#getCrypto).

-   download the transpiled libolm (from https://packages.matrix.org/npm/olm/).
-   load `olm.js` as a `<script>` _before_ `browser-matrix.js`.
+**WARNING**: the cryptography stack is not thread-safe. Having multiple `MatrixClient` instances connected to the same Indexed DB will cause data corruption and decryption failures. The application layer is responsible for ensuring that only one `MatrixClient` issue is instantiated at a time.

-To provide the Olm library in a node.js application:
+## Secret storage

-   `yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz`
-    (replace the URL with the latest version you want to use from
-    https://packages.matrix.org/npm/olm/)
-   `global.Olm = require('olm');` _before_ loading `matrix-js-sdk`.
+You should normally set up [secret storage](https://spec.matrix.org/v1.12/client-server-api/#secret-storage) before using the end-to-end encryption. To do this, call [`CryptoApi.bootstrapSecretStorage`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#bootstrapSecretStorage).
+`bootstrapSecretStorage` can be called unconditionally: it will only set up the secret storage if it is not already set up (unless you use the `setupNewSecretStorage` parameter).

-If you want to package Olm as dependency for your node.js application, you can
-use `yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz`. If your
-application also works without e2e crypto enabled, add `--optional` to mark it
-as an optional dependency.
+```javascript
+const matrixClient = sdk.createClient({
+    ...,
+    cryptoCallbacks: {
+        getSecretStorageKey: async (keys) => {
+            // This function should prompt the user to enter their secret storage key.
+            return mySecretStorageKeys;
+        },
+    },
+});
+
+matrixClient.getCrypto().bootstrapSecretStorage({
+    // This function will be called if a new secret storage key (aka recovery key) is needed.
+    // You should prompt the user to save the key somewhere, because they will need it to unlock secret storage in future.
+    createSecretStorageKey: async () => {
+        return mySecretStorageKey;
+    },
+});
+```
+
+The example above will create a new secret storage key if secret storage was not previously set up.
+The secret storage data will be encrypted using the secret storage key returned in [`createSecretStorageKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CreateSecretStorageOpts.html#createSecretStorageKey).
+
+We recommend that you prompt the user to re-enter this key when [`CryptoCallbacks.getSecretStorageKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoCallbacks.html#getSecretStorageKey) is called (when the secret storage access is needed).
+
+## Set up cross-signing
+
+To set up cross-signing to verify devices and other users, call
+[`CryptoApi.bootstrapCrossSigning`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#bootstrapCrossSigning):
+
+```javascript
+matrixClient.getCrypto().bootstrapCrossSigning({
+    authUploadDeviceSigningKeys: async (makeRequest) => {
+        return makeRequest(authDict);
+    },
+});
+```
+
+The [`authUploadDeviceSigningKeys`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.BootstrapCrossSigningOpts.html#authUploadDeviceSigningKeys)
+callback is required in order to upload newly-generated public cross-signing keys to the server.
+
+## Key backup
+
+If the user doesn't already have a [key backup](https://spec.matrix.org/v1.12/client-server-api/#server-side-key-backups) you should create one:
+
+```javascript
+// Check if we have a key backup.
+// If checkKeyBackupAndEnable returns null, there is no key backup.
+const hasKeyBackup = (await matrixClient.getCrypto().checkKeyBackupAndEnable()) !== null;
+
+// Create the key backup
+await matrixClient.getCrypto().resetKeyBackup();
+```
+
+## Verify a new device
+
+Once the cross-signing is set up on one of your devices, you can verify another device with two methods:
+
+1. Use `CryptoApi.bootstrapCrossSigning`.
+
+    `bootstrapCrossSigning` will call the [CryptoCallbacks.getSecretStorageKey](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoCallbacks.html#getSecretStorageKey) callback. The device is verified with the private cross-signing keys fetched from the secret storage.
+
+2. Request an interactive verification against existing devices, by calling [CryptoApi.requestOwnUserVerification](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#requestOwnUserVerification).
+
+## Migrating from the legacy crypto stack to Rust crypto
+
+If your application previously used the legacy crypto stack, (i.e, it called `MatrixClient.initLegacyCrypto()`), you will
+need to migrate existing devices to the Rust crypto stack.
+
+This migration happens automatically when you call `initRustCrypto()` instead of `initLegacyCrypto()`,
+but you need to provide the legacy [`cryptoStore`](https://matrix-org.github.io/matrix-js-sdk/interfaces/matrix.ICreateClientOpts.html#cryptoStore) and [`pickleKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/matrix.ICreateClientOpts.html#pickleKey) to [`createClient`](https://matrix-org.github.io/matrix-js-sdk/functions/matrix.createClient.html):
+
+```javascript
+// You should provide the legacy crypto store and the pickle key to the matrix client in order to migrate the data.
+const matrixClient = sdk.createClient({
+    cryptoStore: myCryptoStore,
+    pickleKey: myPickleKey,
+    baseUrl: "http://localhost:8008",
+    accessToken: myAccessToken,
+    userId: myUserId,
+});
+
+// The migration will be done automatically when you call `initRustCrypto`.
+await matrixClient.initRustCrypto();
+```
+
+To follow the migration progress, you can listen to the [`CryptoEvent.LegacyCryptoStoreMigrationProgress`](https://matrix-org.github.io/matrix-js-sdk/enums/crypto_api.CryptoEvent.html#LegacyCryptoStoreMigrationProgress) event:
+
+```javascript
+// When progress === total === -1, the migration is finished.
+matrixClient.on(CryptoEvent.LegacyCryptoStoreMigrationProgress, (progress, total) => {
+    ...
+});
+```
+
+The Rust crypto stack is not supported in a lot of deprecated methods of [`MatrixClient`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html). If you use them, you should migrate to the [`CryptoApi`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html). Also, the legacy `MatrixClient.crypto` object is not available any more: you should use `MatrixClient.getCrypto()` instead.

 # Contributing

@@ -352,28 +453,25 @@ want to use this SDK, skip this section._
 First, you need to pull in the right build tools:

 ```
- $ yarn install
+ $ pnpm install
 ```

 ## Building

-To build a browser version from scratch when developing::
+To build a browser version from scratch when developing:

 ```
- $ yarn build
+ $ pnpm build
 ```

-To run tests (Jest):
+To run tests:

 ```
- $ yarn test
+ $ pnpm test
 ```

-> **Note**
-> The `sync-browserify.spec.ts` requires a browser build (`yarn build`) in order to pass
-
 To run linting:

 ```
- $ yarn lint
+ $ pnpm lint
 ```
@@ -0,0 +1,45 @@
+module.exports = {
+    sourceMaps: true,
+    presets: [
+        [
+            "@babel/preset-env",
+            {
+                targets: {
+                    esmodules: true,
+                },
+                modules: false,
+            },
+        ],
+        [
+            "@babel/preset-typescript",
+            {
+                rewriteImportExtensions: true,
+            },
+        ],
+    ],
+    plugins: [
+        ["@babel/plugin-proposal-decorators", { version: "2023-11" }],
+        "@babel/plugin-transform-numeric-separator",
+        "@babel/plugin-transform-class-properties",
+        "@babel/plugin-transform-object-rest-spread",
+        "@babel/plugin-syntax-dynamic-import",
+        "@babel/plugin-transform-runtime",
+        [
+            "search-and-replace",
+            {
+                // Since rewriteImportExtensions doesn't work on dynamic imports (yet), we need to manually replace
+                // the dynamic rust-crypto import.
+                // (see https://github.com/babel/babel/issues/16750)
+                rules:
+                    process.env.NODE_ENV !== "test"
+                        ? [
+                              {
+                                  search: "./rust-crypto/index.ts",
+                                  replace: "./rust-crypto/index.js",
+                              },
+                          ]
+                        : [],
+            },
+        ],
+    ],
+};
@@ -0,0 +1,284 @@
+## Guiding principles
+
+1. We want the lint rules to feel natural for most team members. No one should have to think too much
+   about the linter.
+2. We want to stay relatively close to [industry standards](https://google.github.io/styleguide/tsguide.html)
+   to make onboarding easier.
+3. We describe what good code looks like rather than point out bad examples. We do this to avoid
+   excessively punishing people for writing code which fails the linter.
+4. When something isn't covered by the style guide, we come up with a reasonable rule rather than
+   claim that it "passes the linter". We update the style guide and linter accordingly.
+5. While we aim to improve readability, understanding, and other aspects of the code, we deliberately
+   do not let solely our personal preferences drive decisions.
+6. We aim to have an understandable guide.
+
+## Coding practices
+
+1. Lint rules enforce decisions made by this guide. The lint rules and this guide are kept in
+   perfect sync.
+2. Commit messages are descriptive for the changes. When the project supports squash merging,
+   only the squashed commit needs to have a descriptive message.
+3. When there is disagreement with a code style approved by the linter, a PR is opened against
+   the lint rules rather than making exceptions on the responsible code PR.
+4. Rules which are intentionally broken (via eslint-ignore, @ts-ignore, etc) have a comment
+   included in the immediate vicinity for why. Determination of whether this is valid applies at
+   code review time.
+5. When editing a file, nearby code is updated to meet the modern standards. "Nearby" is subjective,
+   but should be whatever is reasonable at review time. Such an example might be to update the
+   class's code style, but not the file's.
+    1. These changes should be minor enough to include in the same commit without affecting a code
+       reviewer's job.
+
+## All code
+
+Unless otherwise specified, the following applies to all code:
+
+1. Files must be formatted with Prettier.
+2. 120 character limit per line. Match existing code in the file if it is using a lower guide.
+3. A tab/indentation is 4 spaces.
+4. Newlines are Unix.
+5. A file has a single empty line at the end.
+6. Lines are trimmed of all excess whitespace, including blank lines.
+7. Long lines are broken up for readability.
+
+## TypeScript / JavaScript
+
+1. Write TypeScript. Turn JavaScript into TypeScript when working in the area.
+2. Use [TSDoc](https://tsdoc.org/) to document your code. See [Comments](#comments) below.
+3. Use named exports.
+4. Use semicolons for block/line termination.
+    1. Except when defining interfaces, classes, and non-arrow functions specifically.
+5. When a statement's body is a single line, it must be written without curly braces, so long as the body is placed on
+   the same line as the statement.
+
+    ```typescript
+    if (x) doThing();
+    ```
+
+6. Blocks for `if`, `for`, `switch` and so on must have a space surrounding the condition, but not
+   within the condition.
+
+    ```typescript
+    if (x) {
+        doThing();
+    }
+    ```
+
+7. lowerCamelCase is used for function and variable naming.
+8. UpperCamelCase is used for general naming.
+9. Interface names should not be marked with an uppercase `I`.
+10. One variable declaration per line.
+11. If a variable is not receiving a value on declaration, its type must be defined.
+
+    ```typescript
+    let errorMessage: string;
+    ```
+
+12. Objects can use shorthand declarations, including mixing of types.
+
+    ```typescript
+    {
+        room,
+        prop: this.prop,
+    }
+    // ... or ...
+    { room, prop: this.prop }
+    ```
+
+13. Object keys should always be non-strings when possible.
+
+    ```typescript
+    {
+        property: "value",
+        "m.unavoidable": true,
+        [EventType.RoomMessage]: true,
+    }
+    ```
+
+14. If a variable's type should be boolean, make sure it really is one.
+
+    ```typescript
+    const isRealUser = !!userId && ...; // good
+    const isRealUser = Boolean(userId) && Boolean(userName); // also good
+    const isRealUser = Boolean(userId) && isReal; // also good (where isReal is another boolean variable)
+    const isRealUser = Boolean(userId && userName); // also fine
+    const isRealUser = Boolean(userId || userName); // good: same as &&
+    const isRealUser = userId && ...;   // bad: isRealUser is userId's type, not a boolean
+
+    if (userId) // fine: userId is evaluated for truthiness, not stored as a boolean
+    ```
+
+15. Use `switch` statements when checking against more than a few enum-like values.
+16. Use `const` for constants, `let` for mutability.
+17. Describe types exhaustively (ensure noImplictAny would pass).
+    1. Notable exceptions are arrow functions used as parameters, when a void return type is
+       obvious, and when declaring and assigning a variable in the same line.
+18. Declare member visibility (public/private/protected).
+19. Private members are private and not prefixed unless required for naming conflicts.
+    1. Convention is to use an underscore or the word "internal" to denote conflicted member names.
+    2. "Conflicted" typically refers to a getter which wants the same name as the underlying variable.
+20. Prefer readonly members over getters backed by a variable, unless an internal setter is required.
+21. Prefer Interfaces for object definitions, and types for parameter-value-only declarations.
+    1. Note that an explicit type is optional if not expected to be used outside of the function call,
+       unlike in this example:
+
+        ```typescript
+        interface MyObject {
+            hasString: boolean;
+        }
+
+        type Options = MyObject | string;
+
+        function doThing(arg: Options) {
+            // ...
+        }
+        ```
+
+22. Variables/properties which are `public static` should also be `readonly` when possible.
+23. Interface and type properties are terminated with semicolons, not commas.
+24. Prefer arrow formatting when declaring functions for interfaces/types:
+
+    ```typescript
+    interface Test {
+        myCallback: (arg: string) => Promise<void>;
+    }
+    ```
+
+25. Prefer a type definition over an inline type. For example, define an interface.
+26. Always prefer to add types or declare a type over the use of `any`. Prefer inferred types
+    when they are not `any`.
+    1. When using `any`, a comment explaining why must be present.
+27. `import` should be used instead of `require`, as `require` does not have types.
+28. Export only what can be reused.
+29. Prefer a type like `X | null` instead of truly optional parameters.
+    1. A notable exception is when the likelihood of a bug is minimal, such as when a function
+       takes an argument that is more often not required than required. An example where the
+       `?` operator is inappropriate is when taking a room ID: typically the caller should
+       supply the room ID if it knows it, otherwise deliberately acknowledge that it doesn't
+       have one with `null`.
+
+        ```typescript
+        function doThingWithRoom(
+            thing: string,
+            room: string | null, // require the caller to specify
+        ) {
+            // ...
+        }
+        ```
+
+30. There should be approximately one interface, class, or enum per file unless the file is named
+    "types.ts", "global.d.ts", or ends with "-types.ts".
+    1. The file name should match the interface, class, or enum name.
+31. Bulk functions can be declared in a single file, though named as "foo-utils.ts" or "utils/foo.ts".
+32. Imports are grouped by external module imports first, then by internal imports.
+33. File ordering is not strict, but should generally follow this sequence:
+    1. Licence header
+    2. Imports
+    3. Constants
+    4. Enums
+    5. Interfaces
+    6. Functions
+    7. Classes
+        1. Public/protected/private static properties
+        2. Public/protected/private properties
+        3. Constructors
+        4. Public/protected/private getters & setters
+        5. Protected and abstract functions
+        6. Public/private functions
+        7. Public/protected/private static functions
+34. Variable names should be noticeably unique from their types. For example, "str: string" instead
+    of "string: string".
+35. Use double quotes to enclose strings. You may use single quotes if the string contains double quotes.
+
+    ```typescript
+    const example1 = "simple string";
+    const example2 = 'string containing "double quotes"';
+    ```
+
+36. Prefer async-await to promise-chaining
+
+    ```typescript
+    async function () {
+        const result = await anotherAsyncFunction();
+        // ...
+    }
+    ```
+
+37. Avoid functions whose fundamental behaviour varies with different parameter types.
+    Multiple return types are fine, but if the function's behaviour is going to change significantly,
+    have two separate functions. For example, `SDKConfig.get()` with a string param which returns the
+    type according to the param given is ok, but `SDKConfig.get()` with no args returning the whole
+    config object would not be: this should just be a separate function.
+
+## Tests
+
+1. Tests must be written in TypeScript.
+2. Mocks are declared below imports, but above everything else.
+3. Use the following convention template:
+
+    ```typescript
+    // Describe the class, component, or file name.
+    describe("FooComponent", () => {
+        // all test inspecific variables go here
+
+        beforeEach(() => {
+            // exclude if not used.
+        });
+
+        afterEach(() => {
+            // exclude if not used.
+        });
+
+        // Use "it should..." terminology
+        it("should call the correct API", async () => {
+            // test-specific variables go here
+            // function calls/state changes go here
+            // expectations go here
+        });
+    });
+
+    // If the file being tested is a utility class:
+    describe("foo-utils", () => {
+        describe("firstUtilFunction", () => {
+            it("should...", async () => {
+                // ...
+            });
+        });
+
+        describe("secondUtilFunction", () => {
+            it("should...", async () => {
+                // ...
+            });
+        });
+    });
+    ```
+
+## Comments
+
+1. As a general principle: be liberal with comments. This applies to all files: stylesheets as well as
+   JavaScript/TypeScript.
+
+    Good comments not only help future readers understand and maintain the code; they can also encourage good design
+    by clearly setting out how different parts of the codebase interact where that would otherwise be implicit and
+    subject to interpretation.
+
+2. Aim to document all types, methods, class properties, functions, etc, with [TSDoc](https://tsdoc.org/) doc comments.
+   This is _especially_ important for public interfaces in `matrix-js-sdk`, but is good practice in general.
+
+    Even very simple interfaces can often benefit from a doc-comment, both as a matter of consistency, and because simple
+    interfaces have a habit of becoming more complex over time.
+
+3. Inside a function, there is no need to comment every line, but consider:
+    - before a particular multiline section of code within the function, give an overview of what it does,
+      to make it easier for a reader to follow the flow through the function as a whole.
+    - if it is anything less than obvious, explain _why_ we are doing a particular operation, with particular emphasis
+      on how this function interacts with other parts of the codebase.
+
+4. When making changes to existing code, authors are expected to read existing comments and make any necessary changes
+   to ensure they remain accurate.
+
+5. Reviewers are encouraged to consider whether more comments would be useful, and to ask the author to add them.
+
+    It is natural for an author to feel that the code they have just written is "obvious" and that comments would be
+    redundant, whereas in reality it would take some time for reader unfamiliar with the code to understand it. A
+    reviewer is well-placed to make a more objective judgement.
@@ -0,0 +1,8 @@
+# Summary
+
+- [Introduction](../README.md)
+
+# Deep dive
+
+- [Storage notes](storage-notes.md)
+- [Unverified devices](warning-on-unverified-devices.md)
@@ -20,19 +20,19 @@ blurrier.

 When we are low on disk space overall or near the group limit / origin quota:

-   Chrome
-    -   Log database may fail to start with AbortError
-    -   IndexedDB fails to start for crypto: AbortError in connect from
-        indexeddb-store-worker
-    -   When near the quota, QuotaExceededError is used more consistently
-   Firefox
-    -   The first error will be QuotaExceededError
-    -   Future write attempts will fail with various errors when space is low,
-        including nonsense like "InvalidStateError: A mutation operation was
-        attempted on a database that did not allow mutations."
-    -   Once you start getting errors, the DB is effectively wedged in read-only
-        mode
-    -   Can revive access if you reopen the DB
+- Chrome
+    - Log database may fail to start with AbortError
+    - IndexedDB fails to start for crypto: AbortError in connect from
+      indexeddb-store-worker
+    - When near the quota, QuotaExceededError is used more consistently
+- Firefox
+    - The first error will be QuotaExceededError
+    - Future write attempts will fail with various errors when space is low,
+      including nonsense like "InvalidStateError: A mutation operation was
+      attempted on a database that did not allow mutations."
+    - Once you start getting errors, the DB is effectively wedged in read-only
+      mode
+    - Can revive access if you reopen the DB

 ## Cache Eviction

@@ -41,9 +41,9 @@ limited by a single quota, in practice, browsers appear to handle `localStorage`
 separately from the others, so it has a separate quota limit and isn't evicted
 when low on space.

-   Chrome, Firefox
-    -   IndexedDB for origin deleted
-    -   Local Storage remains in place
+- Chrome, Firefox
+    - IndexedDB for origin deleted
+    - Local Storage remains in place

 ## Persistent Storage

@@ -51,20 +51,20 @@ Storage Standard offers a `navigator.storage.persist` API that can be used to
 request persistent storage that won't be deleted by the browser because of low
 space.

-   Chrome
-    -   Chrome 75 seems to grant this without any prompt based on [interaction
-        criteria](https://developers.google.com/web/updates/2016/06/persistent-storage)
-   Firefox
-    -   Firefox 67 shows a prompt to grant
-    -   Reverting persistent seems to require revoking permission _and_ clearing
-        site data
+- Chrome
+    - Chrome 75 seems to grant this without any prompt based on [interaction
+      criteria](https://developers.google.com/web/updates/2016/06/persistent-storage)
+- Firefox
+    - Firefox 67 shows a prompt to grant
+    - Reverting persistent seems to require revoking permission _and_ clearing
+      site data

 ## Storage Estimation

 Storage Standard offers a `navigator.storage.estimate` API to get some clue of
 how much space remains.

-   Chrome, Firefox
-    -   Can run this at any time to request an estimate of space remaining
-   Firefox
-    -   Returns `0` for `usage` if a site is persisted
+- Chrome, Firefox
+    - Can run this at any time to request an estimate of space remaining
+- Firefox
+    - Returns `0` for `usage` if a site is persisted
@@ -0,0 +1,29 @@
+Random notes from Matthew on the two possible approaches for warning users about unexpected
+unverified devices popping up in their rooms....
+
+# Original idea...
+
+Warn when an existing user adds an unknown device to a room.
+
+Warn when a user joins the room with unverified or unknown devices.
+
+Warn when you initial sync if the room has any unverified devices in it.
+^ this is good enough if we're doing local storage.
+OR, better:
+Warn when you initial sync if the room has any new undefined devices since you were last there.
+=> This means persisting the rooms that devices are in, across initial syncs.
+
+# Updated idea...
+
+Warn when the user tries to send a message:
+
+- If the room has unverified devices which the user has not yet been told about in the context of this room
+  ...or in the context of this user? currently all verification is per-user, not per-room.
+  ...this should be good enough.
+
+- so track whether we have warned the user or not about unverified devices - blocked, unverified, verified, unverified_warned.
+  throw an error when trying to encrypt if there are pure unverified devices there
+  app will have to search for the devices which are pure unverified to warn about them - have to do this from MembersList anyway?
+    - or megolm could warn which devices are causing the problems.
+
+Why do we wait to establish outbound sessions? It just makes a horrible pause when we first try to send a message... but could otherwise unnecessarily consume resources?
@@ -1,31 +0,0 @@
-Random notes from Matthew on the two possible approaches for warning users about unexpected
-unverified devices popping up in their rooms....
-
-Original idea...
-================
-
-Warn when an existing user adds an unknown device to a room.
-
-Warn when a user joins the room with unverified or unknown devices.
-
-Warn when you initial sync if the room has any unverified devices in it.
- ^ this is good enough if we're doing local storage.
- OR, better:
-Warn when you initial sync if the room has any new undefined devices since you were last there.
- => This means persisting the rooms that devices are in, across initial syncs.
-
-
-Updated idea...
-===============
-
-Warn when the user tries to send a message:
-  - If the room has unverified devices which the user has not yet been told about in the context of this room
-    ...or in the context of this user?  currently all verification is per-user, not per-room.
-    ...this should be good enough.
-
-  - so track whether we have warned the user or not about unverified devices - blocked, unverified, verified, unverified_warned.
-    throw an error when trying to encrypt if there are pure unverified devices there
-    app will have to search for the devices which are pure unverified to warn about them - have to do this from MembersList anyway?
-      - or megolm could warn which devices are causing the problems.
-
-Why do we wait to establish outbound sessions?  It just makes a horrible pause when we first try to send a message... but could otherwise unnecessarily consume resources?
@@ -1,10 +0,0 @@
-To try it out, **you must build the SDK first** and then host this folder:
-
-```
- $ yarn install
- $ yarn build
- $ cd examples/browser
- $ python -m http.server 8003
-```
-
-Then visit `http://localhost:8003`.
@@ -1,9 +0,0 @@
-console.log("Loading browser sdk");
-
-var client = matrixcs.createClient({ baseUrl: "https://matrix.org" });
-client.publicRooms().then(function (data) {
-    console.log("data %s [...]", JSON.stringify(data).substring(0, 100));
-    console.log("Congratulations! The SDK is working on the browser!");
-    var result = document.getElementById("result");
-    result.innerHTML = "<p>The SDK appears to be working correctly.</p>";
-});
@@ -1,17 +0,0 @@
-<html lang="en">
-    <head>
-        <title>Test</title>
-        <meta charset="utf-8" />
-        <link rel="icon" href="data:," />
-        <script src="lib/matrix.js"></script>
-        <script src="browserTest.js"></script>
-    </head>
-    <body>
-        Sanity Testing (check the console) : This example is here to make sure that the SDK works inside a browser. It
-        simply does a GET /publicRooms on matrix.org
-        <br />
-        You should see a message confirming that the SDK works below:
-        <br />
-        <div id="result"></div>
-    </body>
-</html>
@@ -1 +0,0 @@
-../../../dist/browser-matrix.js
@@ -1,2 +0,0 @@
-olm.js
-olm.wasm
@@ -1 +0,0 @@
-../../../dist/browser-matrix.js
@@ -1,60 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-    <head>
-        <meta charset="UTF-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-        <meta http-equiv="X-UA-Compatible" content="ie=edge" />
-        <title>Test Crypto in Browser</title>
-        <script src="lib/olm.js"></script>
-        <script src="lib/matrix.js"></script>
-    </head>
-    <body>
-        <h1>Testing export/import of Olm devices in the browser</h1>
-        <ul>
-            <li>Make sure you built the current version of the Matrix JS SDK (<code>yarn build</code>)</li>
-            <li>
-                copy <code>olm.js</code> and <code>olm.wasm</code> from a recent release of Olm (was tested with version
-                3.1.4) in directory <code>lib/</code>
-            </li>
-            <li>start a local Matrix homeserver (on port 8008, or change the port in the code)</li>
-            <li>Serve this HTML file (e.g. <code>python3 -m http.server</code>) and go to it through your browser</li>
-            <li>
-                in the JS console, do:
-                <pre>
-aliceMatrixClient = await newMatrixClient("alice-"+randomHex());
-await aliceMatrixClient.exportDevice();
-await aliceMatrixClient.getAccessToken();
-            </pre
-                >
-            </li>
-            <li>
-                copy the result of <code>exportDevice</code> and <code>getAccessToken</code> somewhere (<strong
-                    >not</strong
-                >
-                in a JS variable as it will be destroyed when you refresh the page)
-            </li>
-            <li><strong>refresh the page (F5)</strong> to make sure the client is destroyed</li>
-            <li>
-                Do the following, replacing <code>ALICE_ID</code>
-                with the user ID of Alice (you can find it in the exported data)
-                <pre>
-bobMatrixClient = await newMatrixClient("bob-"+randomHex());
-roomId = await bobMatrixClient.createEncryptedRoom([ALICE_ID]);
-await bobMatrixClient.sendTextMessage('Hi Alice!', roomId);
-            </pre
-                >
-            </li>
-            <li>Again, <strong>refresh the page (F5)</strong>. You may want to clear your console as well.</li>
-            <li>
-                Now do the following, using the exported data and the access token you saved previously:
-                <pre>
-aliceMatrixClient = await importMatrixClient(EXPORTED_DATA, ACCESS_TOKEN);
-            </pre
-                >
-            </li>
-            <li>You should see the message sent by Bob printed in the console.</li>
-        </ul>
-
-        <script src="olm-device-export-import.js"></script>
-    </body>
-</html>
@@ -1,105 +0,0 @@
-if (!Olm) {
-    console.error("global.Olm does not seem to be present." + " Did you forget to add olm in the lib/ directory?");
-}
-
-const BASE_URL = "http://localhost:8008";
-const ROOM_CRYPTO_CONFIG = { algorithm: "m.megolm.v1.aes-sha2" };
-const PASSWORD = "password";
-
-// useful to create new usernames
-window.randomHex = () => Math.floor(Math.random() * 10 ** 6).toString(16);
-
-window.newMatrixClient = async function (username) {
-    const registrationClient = matrixcs.createClient(BASE_URL);
-
-    const userRegisterResult = await registrationClient.register(username, PASSWORD, null, { type: "m.login.dummy" });
-
-    const matrixClient = matrixcs.createClient({
-        baseUrl: BASE_URL,
-        userId: userRegisterResult.user_id,
-        accessToken: userRegisterResult.access_token,
-        deviceId: userRegisterResult.device_id,
-        sessionStore: new matrixcs.WebStorageSessionStore(window.localStorage),
-        cryptoStore: new matrixcs.MemoryCryptoStore(),
-    });
-
-    extendMatrixClient(matrixClient);
-
-    await matrixClient.initCrypto();
-    await matrixClient.startClient();
-    return matrixClient;
-};
-
-window.importMatrixClient = async function (exportedDevice, accessToken) {
-    const matrixClient = matrixcs.createClient({
-        baseUrl: BASE_URL,
-        deviceToImport: exportedDevice,
-        accessToken,
-        sessionStore: new matrixcs.WebStorageSessionStore(window.localStorage),
-        cryptoStore: new matrixcs.MemoryCryptoStore(),
-    });
-
-    extendMatrixClient(matrixClient);
-
-    await matrixClient.initCrypto();
-    await matrixClient.startClient();
-    return matrixClient;
-};
-
-function extendMatrixClient(matrixClient) {
-    // automatic join
-    matrixClient.on("RoomMember.membership", async (event, member) => {
-        if (member.membership === "invite" && member.userId === matrixClient.getUserId()) {
-            await matrixClient.joinRoom(member.roomId);
-            // setting up of room encryption seems to be triggered automatically
-            // but if we don't wait for it the first messages we send are unencrypted
-            await matrixClient.setRoomEncryption(member.roomId, { algorithm: "m.megolm.v1.aes-sha2" });
-        }
-    });
-
-    matrixClient.onDecryptedMessage = (message) => {
-        console.log("Got encrypted message: ", message);
-    };
-
-    matrixClient.on("Event.decrypted", (event) => {
-        if (event.getType() === "m.room.message") {
-            matrixClient.onDecryptedMessage(event.getContent().body);
-        } else {
-            console.log("decrypted an event of type", event.getType());
-            console.log(event);
-        }
-    });
-
-    matrixClient.createEncryptedRoom = async function (usersToInvite) {
-        const { room_id: roomId } = await this.createRoom({
-            visibility: "private",
-            invite: usersToInvite,
-        });
-
-        // matrixClient.setRoomEncryption() only updates local state
-        // but does not send anything to the server
-        // (see https://github.com/matrix-org/matrix-js-sdk/issues/905)
-        // so we do it ourselves with 'sendStateEvent'
-        await this.sendStateEvent(roomId, "m.room.encryption", ROOM_CRYPTO_CONFIG);
-        await this.setRoomEncryption(roomId, ROOM_CRYPTO_CONFIG);
-
-        // Marking all devices as verified
-        let room = this.getRoom(roomId);
-        let members = (await room.getEncryptionTargetMembers()).map((x) => x["userId"]);
-        let memberkeys = await this.downloadKeys(members);
-        for (const userId in memberkeys) {
-            for (const deviceId in memberkeys[userId]) {
-                await this.setDeviceVerified(userId, deviceId);
-            }
-        }
-
-        return roomId;
-    };
-
-    matrixClient.sendTextMessage = async function (message, roomId) {
-        return matrixClient.sendMessage(roomId, {
-            body: message,
-            msgtype: "m.text",
-        });
-    };
-}
@@ -1,9 +1,15 @@
+import clc from "cli-color";
+import fs from "fs";
+import readline from "readline";
+import sdk, { ClientEvent, EventType, MsgType, RoomEvent } from "matrix-js-sdk";
+import { KnownMembership } from "matrix-js-sdk/lib/@types/membership.js";
+
+var myHomeServer = "http://localhost:8008";
 var myUserId = "@example:localhost";
 var myAccessToken = "QGV4YW1wbGU6bG9jYWxob3N0.qPEvLuYfNBjxikiCjP";
-var sdk = require("matrix-js-sdk");
-var clc = require("cli-color");
+
 var matrixClient = sdk.createClient({
-    baseUrl: "http://localhost:8008",
+    baseUrl: myHomeServer,
    accessToken: myAccessToken,
    userId: myUserId,
 });
@@ -15,7 +21,6 @@ var numMessagesToShow = 20;

 // Reading from stdin
 var CLEAR_CONSOLE = "\x1B[2J";
-var readline = require("readline");
 var rl = readline.createInterface({
    input: process.stdin,
    output: process.stdout,
@@ -89,20 +94,14 @@ rl.on("line", function (line) {
            );
        } else if (line.indexOf("/file ") === 0) {
            var filename = line.split(" ")[1].trim();
-            var stream = fs.createReadStream(filename);
-            matrixClient
-                .uploadContent({
-                    stream: stream,
-                    name: filename,
-                })
-                .then(function (url) {
-                    var content = {
-                        msgtype: "m.file",
-                        body: filename,
-                        url: JSON.parse(url).content_uri,
-                    };
-                    matrixClient.sendMessage(viewingRoom.roomId, content);
+            let buffer = fs.readFileSync("./your_file_name");
+            matrixClient.uploadContent(new Blob([buffer])).then(function (response) {
+                matrixClient.sendMessage(viewingRoom.roomId, {
+                    msgtype: MsgType.File,
+                    body: filename,
+                    url: response.content_uri,
                });
+            });
        } else {
            matrixClient.sendTextMessage(viewingRoom.roomId, line).finally(function () {
                printMessages();
@@ -115,7 +114,7 @@ rl.on("line", function (line) {
        if (line.indexOf("/join ") === 0) {
            var roomIndex = line.split(" ")[1];
            viewingRoom = roomList[roomIndex];
-            if (viewingRoom.getMember(myUserId).membership === "invite") {
+            if (viewingRoom.getMember(myUserId).membership === KnownMembership.Invite) {
                // join the room first
                matrixClient.joinRoom(viewingRoom.roomId).then(
                    function (room) {
@@ -138,7 +137,7 @@ rl.on("line", function (line) {
 // ==== END User input

 // show the room list after syncing.
-matrixClient.on("sync", function (state, prevState, data) {
+matrixClient.on(ClientEvent.Sync, function (state, prevState, data) {
    switch (state) {
        case "PREPARED":
            setRoomList();
@@ -149,7 +148,7 @@ matrixClient.on("sync", function (state, prevState, data) {
    }
 });

-matrixClient.on("Room", function () {
+matrixClient.on(ClientEvent.Room, function () {
    setRoomList();
    if (!viewingRoom) {
        printRoomList();
@@ -158,11 +157,11 @@ matrixClient.on("Room", function () {
 });

 // print incoming messages.
-matrixClient.on("Room.timeline", function (event, room, toStartOfTimeline) {
+matrixClient.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (toStartOfTimeline) {
        return; // don't print paginated results
    }
-    if (!viewingRoom || viewingRoom.roomId !== room.roomId) {
+    if (!viewingRoom || viewingRoom.roomId !== room?.roomId) {
        return; // not viewing a room or viewing the wrong room.
    }
    printLine(event);
@@ -305,7 +304,7 @@ function printRoomInfo(room) {
    print(eTypeHeader + sendHeader + contentHeader);
    print(new Array(100).join("-"));
    eventMap.keys().forEach(function (eventType) {
-        if (eventType === "m.room.member") {
+        if (eventType === EventType.RoomMember) {
            return;
        } // use /members instead.
        var eventEventMap = eventMap.get(eventType);
@@ -343,7 +342,7 @@ function printLine(event) {
        name = name.slice(0, maxNameWidth - 1) + "\u2026";
    }

-    if (event.getType() === "m.room.message") {
+    if (event.getType() === EventType.RoomMessage) {
        body = event.getContent().body;
    } else if (event.isState()) {
        var stateName = event.getType();
@@ -381,7 +380,7 @@ function print(str, formatter) {
        }
        console.log.apply(console.log, newArgs);
    } else {
-        console.log.apply(console.log, arguments);
+        console.log.apply(console.log, [...arguments]);
    }
 }

@@ -394,4 +393,4 @@ function fixWidth(str, len) {
    return str;
 }

-matrixClient.startClient(numMessagesToShow); // messages for each room.
+matrixClient.startClient({ initialSyncLimit: numMessagesToShow });
@@ -3,12 +3,18 @@
    "version": "0.0.0",
    "description": "",
    "main": "app.js",
-    "scripts": {
-        "preinstall": "npm install ../.."
-    },
    "author": "",
    "license": "Apache 2.0",
+    "type": "module",
    "dependencies": {
-        "cli-color": "^1.0.0"
+        "cli-color": "^1.0.0",
+        "matrix-js-sdk": "^34.5.0"
+    },
+    "devDependencies": {
+        "@types/cli-color": "^2.0.6",
+        "typescript": "^5.6.2"
+    },
+    "engines": {
+        "node": ">=20.0.0"
    }
 }
@@ -0,0 +1,14 @@
+{
+    "compilerOptions": {
+        "target": "es2022",
+        "module": "commonjs",
+        "esModuleInterop": true,
+        "noImplicitAny": false,
+        "noEmit": true,
+        "skipLibCheck": true,
+        "allowJs": true,
+        "checkJs": true,
+        "strict": true
+    },
+    "include": ["app.js"]
+}
@@ -21,4 +21,4 @@ export PATH="$rootdir/node_modules/.bin:$PATH"

 # now run our checks
 cd "$tmpdir"
-yarn lint
+pnpm lint
@@ -1,39 +0,0 @@
-/* Copyright 2023 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import type { Config } from "jest";
-import { env } from "process";
-
-const config: Config = {
-    testEnvironment: "node",
-    testMatch: ["<rootDir>/spec/**/*.spec.{js,ts}"],
-    setupFilesAfterEnv: ["<rootDir>/spec/setupTests.ts"],
-    collectCoverageFrom: ["<rootDir>/src/**/*.{js,ts}"],
-    coverageReporters: ["text-summary", "lcov"],
-    testResultsProcessor: "@casualbot/jest-sonar-reporter",
-};
-
-// if we're running under GHA, enable the GHA reporter
-if (env["GITHUB_ACTIONS"] !== undefined) {
-    const reporters: Config["reporters"] = [["github-actions", { silent: false }], "summary"];
-
-    // if we're running against the develop branch, also enable the slow test reporter
-    if (env["GITHUB_REF"] == "refs/heads/develop") {
-        reporters.push("<rootDir>/spec/slowReporter.js");
-    }
-    config.reporters = reporters;
-}
-
-export default config;
@@ -0,0 +1,42 @@
+import { KnipConfig } from "knip";
+
+// Specify this as knip loads config files which may conditionally add reporters, e.g. `vitest-sonar-reporter'
+process.env.GITHUB_ACTIONS = "1";
+
+export default {
+    entry: [
+        "src/index.ts",
+        "src/types.ts",
+        "src/browser-index.ts",
+        "src/indexeddb-worker.ts",
+        "src/crypto-api/index.ts",
+        "src/testing.ts",
+        "src/matrix.ts",
+        "src/utils.ts", // not really an entrypoint but we have deprecated `defer` there
+        "scripts/**",
+        "spec/**",
+        // XXX: these should be re-exported by one of the supported exports
+        "src/matrixrtc/index.ts",
+        "src/sliding-sync.ts",
+        "src/webrtc/groupCall.ts",
+        "src/webrtc/stats/media/mediaTrackStats.ts",
+        "src/rendezvous/RendezvousChannel.ts",
+    ],
+    project: ["**/*.{js,ts}"],
+    ignore: ["examples/**"],
+    ignoreDependencies: [
+        // Required for `action-validator`
+        "@action-validator/*",
+        // Used for git pre-commit hooks
+        "husky",
+        // Used in script which only runs in environment with `@octokit/rest` installed
+        "@octokit/rest",
+    ],
+    ignoreBinaries: [
+        // Used when available by reusable workflow `.github/workflows/release-make.yml`
+        "dist",
+    ],
+    ignoreExportsUsedInFile: true,
+    includeEntryExports: false,
+    exclude: ["enumMembers"],
+} satisfies KnipConfig;
@@ -1,48 +1,41 @@
 {
    "name": "matrix-js-sdk",
-    "version": "25.0.0-rc.1",
+    "version": "41.3.0",
    "description": "Matrix Client-Server SDK for Javascript",
    "engines": {
-        "node": ">=16.0.0"
+        "node": ">=22.0.0"
    },
    "scripts": {
-        "prepublishOnly": "yarn build",
-        "start": "echo THIS IS FOR LEGACY PURPOSES ONLY. && babel src -w -s -d lib --verbose --extensions \".ts,.js\"",
-        "dist": "echo 'This is for the release script so it can make assets (browser bundle).' && yarn build",
-        "clean": "rimraf lib dist",
-        "build": "yarn build:dev && yarn build:compile-browser && yarn build:minify-browser",
-        "build:dev": "yarn clean && git rev-parse HEAD > git-revision.txt && yarn build:compile && yarn build:types",
+        "prepare": "pnpm build",
+        "start": "echo THIS IS FOR LEGACY PURPOSES ONLY. && babel --delete-dir-on-start src -w -s -d lib --verbose --extensions \".ts,.js\"",
+        "build": "pnpm build:compile && pnpm build:types",
        "build:types": "tsc -p tsconfig-build.json --emitDeclarationOnly",
-        "build:compile": "babel -d lib --verbose --extensions \".ts,.js\" src",
-        "build:compile-browser": "mkdir dist && BROWSERIFYSWAP_ENV='no-rust-crypto' browserify -d src/browser-index.ts -p [ tsify -p ./tsconfig-build.json ] | exorcist dist/browser-matrix.js.map > dist/browser-matrix.js",
-        "build:minify-browser": "terser dist/browser-matrix.js --compress --mangle --source-map --output dist/browser-matrix.min.js",
+        "build:compile": "babel --delete-dir-on-start -d lib --verbose --extensions \".ts,.js\" src",
        "gendoc": "typedoc",
-        "lint": "yarn lint:types && yarn lint:js",
+        "lint": "pnpm lint:types && pnpm lint:js && pnpm lint:workflows",
        "lint:js": "eslint --max-warnings 0 src spec && prettier --check .",
-        "lint:js-fix": "prettier --loglevel=warn --write . && eslint --fix src spec",
+        "lint:js-fix": "prettier --log-level=warn --write . && eslint --fix src spec",
        "lint:types": "tsc --noEmit",
-        "test": "jest",
-        "test:watch": "jest --watch",
-        "coverage": "yarn test --coverage"
+        "lint:workflows": "find .github/workflows -type f \\( -iname '*.yaml' -o -iname '*.yml' \\) | xargs -I {} sh -c 'echo \"Linting {}\"; action-validator \"{}\"'",
+        "lint:knip": "knip",
+        "test": "vitest run",
+        "test:watch": "vitest watch",
+        "coverage": "pnpm test --coverage"
    },
    "repository": {
        "type": "git",
-        "url": "https://github.com/matrix-org/matrix-js-sdk"
+        "url": "git+https://github.com/matrix-org/matrix-js-sdk.git"
    },
    "keywords": [
        "matrix-org"
    ],
+    "type": "module",
    "main": "./lib/index.js",
    "browser": "./lib/browser-index.js",
-    "matrix_src_main": "./src/index.ts",
-    "matrix_src_browser": "./src/browser-index.ts",
-    "matrix_lib_main": "./lib/index.js",
-    "matrix_lib_browser": "./lib/browser-index.js",
-    "matrix_lib_typings": "./lib/index.d.ts",
+    "typings": "./lib/index.d.ts",
    "author": "matrix.org",
    "license": "Apache-2.0",
    "files": [
-        "dist",
        "lib",
        "src",
        "git-revision.txt",
@@ -55,104 +48,91 @@
    ],
    "dependencies": {
        "@babel/runtime": "^7.12.5",
-        "@matrix-org/matrix-sdk-crypto-js": "^0.1.0-alpha.6",
+        "@matrix-org/matrix-sdk-crypto-wasm": "^18.1.0",
        "another-json": "^0.2.0",
-        "bs58": "^5.0.0",
+        "bs58": "^6.0.0",
        "content-type": "^1.0.4",
-        "loglevel": "^1.7.1",
+        "jwt-decode": "^4.0.0",
+        "loglevel": "^1.9.2",
        "matrix-events-sdk": "0.0.1",
-        "matrix-widget-api": "^1.3.1",
-        "p-retry": "4",
-        "sdp-transform": "^2.14.1",
-        "unhomoglyph": "^1.0.6",
-        "uuid": "9"
+        "matrix-widget-api": "^1.16.1",
+        "oidc-client-ts": "^3.0.1",
+        "p-retry": "8",
+        "sdp-transform": "^3.0.0",
+        "unhomoglyph": "^1.0.6"
    },
    "devDependencies": {
+        "@action-validator/cli": "^0.6.0",
+        "@action-validator/core": "^0.6.0",
        "@babel/cli": "^7.12.10",
        "@babel/core": "^7.12.10",
        "@babel/eslint-parser": "^7.12.10",
        "@babel/eslint-plugin": "^7.12.10",
-        "@babel/plugin-proposal-class-properties": "^7.12.1",
-        "@babel/plugin-proposal-numeric-separator": "^7.12.7",
-        "@babel/plugin-proposal-object-rest-spread": "^7.12.1",
+        "@babel/plugin-proposal-decorators": "^7.25.9",
        "@babel/plugin-syntax-dynamic-import": "^7.8.3",
+        "@babel/plugin-transform-class-properties": "^7.12.1",
+        "@babel/plugin-transform-numeric-separator": "^7.12.7",
+        "@babel/plugin-transform-object-rest-spread": "^7.12.1",
        "@babel/plugin-transform-runtime": "^7.12.10",
        "@babel/preset-env": "^7.12.11",
        "@babel/preset-typescript": "^7.12.7",
-        "@babel/register": "^7.12.10",
-        "@casualbot/jest-sonar-reporter": "^2.2.5",
-        "@matrix-org/olm": "https://gitlab.matrix.org/api/v4/projects/27/packages/npm/@matrix-org/olm/-/@matrix-org/olm-3.2.14.tgz",
-        "@types/bs58": "^4.0.1",
+        "@fetch-mock/vitest": "^0.2.18",
+        "@matrix-org/olm": "3.2.15",
+        "@peculiar/webcrypto": "^1.4.5",
+        "@stylistic/eslint-plugin": "^5.0.0",
        "@types/content-type": "^1.1.5",
        "@types/debug": "^4.1.7",
-        "@types/domexception": "^4.0.0",
-        "@types/jest": "^29.0.0",
-        "@types/node": "18",
+        "@types/node": "22",
        "@types/sdp-transform": "^2.4.5",
-        "@types/uuid": "9",
-        "@typescript-eslint/eslint-plugin": "^5.45.0",
-        "@typescript-eslint/parser": "^5.45.0",
-        "allchange": "^1.0.6",
-        "babel-jest": "^29.0.0",
-        "babelify": "^10.0.0",
-        "better-docs": "^2.4.0-beta.9",
-        "browserify": "^17.0.0",
-        "browserify-swap": "^0.2.2",
+        "@typescript-eslint/eslint-plugin": "^8.0.0",
+        "@typescript-eslint/parser": "^8.0.0",
+        "@vitest/coverage-v8": "^4.0.17",
+        "@vitest/eslint-plugin": "^1.6.6",
+        "@vitest/ui": "^4.0.17",
+        "babel-plugin-search-and-replace": "^1.1.1",
        "debug": "^4.3.4",
-        "docdash": "^2.0.0",
-        "domexception": "^4.0.0",
-        "eslint": "8.37.0",
+        "eslint": "8.57.1",
        "eslint-config-google": "^0.14.0",
-        "eslint-config-prettier": "^8.5.0",
-        "eslint-import-resolver-typescript": "^3.5.1",
+        "eslint-config-prettier": "^10.0.0",
+        "eslint-import-resolver-typescript": "^4.0.0",
        "eslint-plugin-import": "^2.26.0",
-        "eslint-plugin-jest": "^27.1.6",
-        "eslint-plugin-jsdoc": "^40.0.0",
-        "eslint-plugin-matrix-org": "^1.0.0",
-        "eslint-plugin-tsdoc": "^0.2.17",
-        "eslint-plugin-unicorn": "^46.0.0",
-        "exorcist": "^2.0.0",
-        "fake-indexeddb": "^4.0.0",
-        "fetch-mock-jest": "^1.5.1",
-        "jest": "^29.0.0",
-        "jest-environment-jsdom": "^29.0.0",
-        "jest-localstorage-mock": "^2.4.6",
-        "jest-mock": "^29.0.0",
+        "eslint-plugin-jsdoc": "^62.0.0",
+        "eslint-plugin-matrix-org": "^3.0.0",
+        "eslint-plugin-n": "^14.0.0",
+        "eslint-plugin-tsdoc": "^0.5.0",
+        "eslint-plugin-unicorn": "^56.0.0",
+        "fake-indexeddb": "^5.0.2",
+        "fetch-mock": "^12.6.0",
+        "happy-dom": "^20.1.0",
+        "husky": "^9.0.0",
+        "knip": "^6.0.0",
+        "lint-staged": "^16.0.0",
        "matrix-mock-request": "^2.5.0",
-        "prettier": "2.8.7",
-        "rimraf": "^4.0.0",
-        "terser": "^5.5.1",
-        "ts-node": "^10.9.1",
-        "tsify": "^5.0.2",
-        "typedoc": "^0.23.20",
-        "typedoc-plugin-mdn-links": "^3.0.3",
-        "typedoc-plugin-missing-exports": "^1.0.0",
-        "typescript": "^5.0.0"
+        "prettier": "3.8.3",
+        "typedoc": "^0.28.1",
+        "typedoc-plugin-coverage": "^4.0.0",
+        "typedoc-plugin-mdn-links": "^5.0.0",
+        "typedoc-plugin-missing-exports": "^4.0.0",
+        "typescript": "^6.0.0",
+        "vitest": "^4.0.17",
+        "vitest-sonar-reporter": "^3.0.0"
    },
-    "@casualbot/jest-sonar-reporter": {
-        "outputDirectory": "coverage",
-        "outputName": "jest-sonar-report.xml",
-        "relativePaths": true
-    },
-    "browserify": {
-        "transform": [
-            "browserify-swap",
-            [
-                "babelify",
-                {
-                    "sourceMaps": "inline",
-                    "presets": [
-                        "@babel/preset-env",
-                        "@babel/preset-typescript"
-                    ]
-                }
-            ]
-        ]
-    },
-    "browserify-swap": {
-        "no-rust-crypto": {
-            "src/rust-crypto/index.ts$": "./src/rust-crypto/browserify-index.ts"
+    "pnpm": {
+        "peerDependencyRules": {
+            "allowedVersions": {
+                "eslint": "8"
+            }
+        },
+        "allowedDeprecatedVersions": {
+            "eslint": "8"
+        },
+        "overrides": {
+            "expect": "30.3.0",
+            "flatted@<=3.4.1": "^3.4.2",
+            "picomatch@>=4.0.0 <4.0.4": "^4.0.4",
+            "yaml@>=2.0.0 <2.8.3": "^2.8.3",
+            "vite": "8.0.8"
        }
    },
-    "typings": "./lib/index.d.ts"
+    "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }
@@ -0,0 +1 @@
+nodeLinker: hoisted
@@ -1,37 +0,0 @@
-#!/bin/bash
-#
-# Script to perform a post-release steps of matrix-js-sdk.
-#
-# Requires:
-#   jq; install from your distribution's package manager (https://stedolan.github.io/jq/)
-
-set -e
-
-jq --version > /dev/null || (echo "jq is required: please install it"; kill $$)
-
-if [ "$(git branch -lr | grep origin/develop -c)" -ge 1 ]; then
-    # When merging to develop, we need revert the `main` and `typings` fields if we adjusted them previously.
-    for i in main typings browser
-    do
-        # If a `lib` prefixed value is present, it means we adjusted the field
-        # earlier at publish time, so we should revert it now.
-        if [ "$(jq -r ".matrix_lib_$i" package.json)" != "null" ]; then
-            # If there's a `src` prefixed value, use that, otherwise delete.
-            # This is used to delete the `typings` field and reset `main` back
-            # to the TypeScript source.
-            src_value=$(jq -r ".matrix_src_$i" package.json)
-            if [ "$src_value" != "null" ]; then
-                jq ".$i = .matrix_src_$i" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-            else
-                jq "del(.$i)" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-            fi
-        fi
-    done
-
-    if [ -n "$(git ls-files --modified package.json)" ]; then
-        echo "Committing develop package.json"
-        git commit package.json -m "Resetting package fields for development"
-    fi
-
-    git push origin develop
-fi
@@ -1,357 +0,0 @@
-#!/bin/bash
-#
-# Script to perform a release of matrix-js-sdk and downstream projects.
-#
-# Requires:
-#   jq; install from your distribution's package manager (https://stedolan.github.io/jq/)
-#   hub; install via brew (macOS) or source/pre-compiled binaries (debian) (https://github.com/github/hub) - Tested on v2.2.9
-#   yarn; install via brew (macOS) or similar (https://yarnpkg.com/docs/install/)
-#
-# Note: this script is also used to release matrix-react-sdk, element-web, and element-desktop.
-
-set -e
-
-jq --version > /dev/null || (echo "jq is required: please install it"; kill $$)
-if [[ $(command -v hub) ]] && [[ $(hub --version) =~ hub[[:space:]]version[[:space:]]([0-9]*).([0-9]*) ]]; then
-    HUB_VERSION_MAJOR=${BASH_REMATCH[1]}
-    HUB_VERSION_MINOR=${BASH_REMATCH[2]}
-    if [[ $HUB_VERSION_MAJOR -lt 2 ]] || [[ $HUB_VERSION_MAJOR -eq 2 && $HUB_VERSION_MINOR -lt 5 ]]; then
-        echo "hub version 2.5 is required, you have $HUB_VERSION_MAJOR.$HUB_VERSION_MINOR installed"
-        exit
-    fi
-else
-    echo "hub is required: please install it"
-    exit
-fi
-yarn --version > /dev/null || (echo "yarn is required: please install it"; kill $$)
-
-USAGE="$0 [-x] [-c changelog_file] vX.Y.Z"
-
-help() {
-    cat <<EOF
-$USAGE
-
-    -c changelog_file:  specify name of file containing changelog
-    -x:                 skip updating the changelog
-EOF
-}
-
-if ! git diff-index --quiet --cached HEAD; then
-    echo "this git checkout has staged (uncommitted) changes. Refusing to release."
-    exit
-fi
-
-if ! git diff-files --quiet; then
-    echo "this git checkout has uncommitted changes. Refusing to release."
-    exit
-fi
-
-skip_changelog=
-changelog_file="CHANGELOG.md"
-while getopts hc:x f; do
-    case $f in
-        h)
-            help
-            exit 0
-            ;;
-        c)
-            changelog_file="$OPTARG"
-            ;;
-        x)
-            skip_changelog=1
-            ;;
-    esac
-done
-shift $(expr $OPTIND - 1)
-
-if [ $# -ne 1 ]; then
-    echo "Usage: $USAGE" >&2
-    exit 1
-fi
-
-function check_dependency {
-    local depver=$(cat package.json | jq -r .dependencies[\"$1\"])
-    if [ "$depver" == "null" ]; then return 0; fi
-
-    echo "Checking version of $1..."
-    local latestver=$(yarn info -s "$1" dist-tags.next)
-    if [ "$depver" != "$latestver" ]
-    then
-        echo "The latest version of $1 is $latestver but package.json depends on $depver."
-        echo -n "Type 'u' to auto-upgrade, 'c' to continue anyway, or 'a' to abort:"
-        read resp
-        if [ "$resp" != "u" ] && [ "$resp" != "c" ]
-        then
-            echo "Aborting."
-            exit 1
-        fi
-        if [ "$resp" == "u" ]
-        then
-            echo "Upgrading $1 to $latestver..."
-            yarn add -E "$1@$latestver"
-            git add -u
-            git commit -m "Upgrade $1 to $latestver"
-        fi
-    fi
-}
-
-function reset_dependency {
-    local depver=$(cat package.json | jq -r .dependencies[\"$1\"])
-    if [ "$depver" == "null" ]; then return 0; fi
-
-    echo "Resetting $1 to develop branch..."
-    yarn add "github:matrix-org/$1#develop"
-    git add -u
-    git commit -m "Reset $1 back to develop branch"
-}
-
-has_subprojects=0
-if [ -f release_config.yaml ]; then
-    subprojects=$(cat release_config.yaml | python -c "import yaml; import sys; print(' '.join(list(yaml.load(sys.stdin)['subprojects'].keys())))" 2> /dev/null)
-    if [ "$?" -eq 0 ]; then
-        has_subprojects=1
-        echo "Checking subprojects for upgrades"
-        for proj in $subprojects; do
-            check_dependency "$proj"
-        done
-    fi
-fi
-
-ret=0
-cat package.json | jq '.dependencies[]' | grep -q '#develop' || ret=$?
-if [ "$ret" -eq 0 ]; then
-    echo "package.json contains develop dependencies. Refusing to release."
-    exit
-fi
-
-# We use Git branch / commit dependencies for some packages, and Yarn seems
-# to have a hard time getting that right. See also
-# https://github.com/yarnpkg/yarn/issues/4734. As a workaround, we clean the
-# global cache here to ensure we get the right thing.
-yarn cache clean
-# Ensure all dependencies are updated
-yarn install --ignore-scripts --frozen-lockfile
-
-# ignore leading v on release
-release="${1#v}"
-tag="v${release}"
-
-prerelease=0
-# We check if this build is a prerelease by looking to
-# see if the version has a hyphen in it. Crude,
-# but semver doesn't support postreleases so anything
-# with a hyphen is a prerelease.
-echo $release | grep -q '-' && prerelease=1
-
-if [ $prerelease -eq 1 ]; then
-    echo Making a PRE-RELEASE
-else
-    read -p "Making a FINAL RELEASE, press enter to continue " REPLY
-fi
-
-rel_branch=$(git symbolic-ref --short HEAD)
-
-if [ -z "$skip_changelog" ]; then
-    echo "Generating changelog"
-    yarn run allchange "$release"
-    read -p "Edit $changelog_file manually, or press enter to continue " REPLY
-
-    if [ -n "$(git ls-files --modified $changelog_file)" ]; then
-        echo "Committing updated changelog"
-        git commit "$changelog_file" -m "Prepare changelog for $tag"
-    fi
-fi
-latest_changes=$(mktemp)
-cat "${changelog_file}" | "$(dirname "$0")/scripts/changelog_head.py" > "${latest_changes}"
-
-set -x
-
-# Bump package.json and build the dist
-echo "yarn version"
-# yarn version will automatically commit its modification
-# and make a release tag. We don't want it to create the tag
-# because it can only sign with the default key, but we can
-# only turn off both of these behaviours, so we have to
-# manually commit the result.
-yarn version --no-git-tag-version --new-version "$release"
-
-# For the published and dist versions of the package, we copy the
-# `matrix_lib_main` and `matrix_lib_typings` fields to `main` and `typings` (if
-# they exist). This small bit of gymnastics allows us to use the TypeScript
-# source directly for development without needing to build before linting or
-# testing.
-for i in main typings browser
-do
-    lib_value=$(jq -r ".matrix_lib_$i" package.json)
-    if [ "$lib_value" != "null" ]; then
-        jq ".$i = .matrix_lib_$i" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-    fi
-done
-
-# commit yarn.lock if it exists, is versioned, and is modified
-if [[ -f yarn.lock && $(git status --porcelain yarn.lock | grep '^ M') ]];
-then
-    pkglock='yarn.lock'
-else
-    pkglock=''
-fi
-git commit package.json $pkglock -m "$tag"
-
-
-# figure out if we should be signing this release
-signing_id=
-if [ -f release_config.yaml ]; then
-    result=$(cat release_config.yaml | python -c "import yaml; import sys; print(yaml.load(sys.stdin)['signing_id'])" 2> /dev/null || true)
-    if [ "$?" -eq 0 ]; then
-        signing_id=$result
-    fi
-fi
-
-
-# If there is a 'dist' script in the package.json,
-# run it in a separate checkout of the project, then
-# upload any files in the 'dist' directory as release
-# assets.
-# We make a completely separate checkout to be sure
-# we're using released versions of the dependencies
-# (rather than whatever we're pulling in from yarn link)
-assets=''
-dodist=0
-jq -e .scripts.dist package.json 2> /dev/null || dodist=$?
-if [ $dodist -eq 0 ]; then
-    projdir=$(pwd)
-    builddir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
-    echo "Building distribution copy in $builddir"
-    pushd "$builddir"
-    git clone "$projdir" .
-    git checkout "$rel_branch"
-    yarn install --frozen-lockfile
-    # We haven't tagged yet, so tell the dist script what version
-    # it's building
-    DIST_VERSION="$tag" yarn dist
-
-    popd
-
-    for i in "$builddir"/dist/*; do
-        assets="$assets -a $i"
-        if [ -n "$signing_id" ]
-        then
-            gpg -u "$signing_id" --armor --output "$i".asc --detach-sig "$i"
-            assets="$assets -a $i.asc"
-        fi
-    done
-fi
-
-if [ -n "$signing_id" ]; then
-    # make a signed tag
-    # gnupg seems to fail to get the right tty device unless we set it here
-    GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=$(tty) git tag -u "$signing_id" -F "${latest_changes}" "$tag"
-else
-    git tag -a -F "${latest_changes}" "$tag"
-fi
-
-# push the tag and the release branch
-git push origin "$rel_branch" "$tag"
-
-if [ -n "$signing_id" ]; then
-    # make a signature for the source tarball.
-    #
-    # github will make us a tarball from the tag - we want to create a
-    # signature for it, which means that first of all we need to check that
-    # it's correct.
-    #
-    # we can't deterministically build exactly the same tarball, due to
-    # differences in gzip implementation - but we *can* build the same tar - so
-    # the easiest way to check the validity of the tarball from git is to unzip
-    # it and compare it with our own idea of what the tar should look like.
-
-    # This uses git archive which seems to be what github uses. Specifically,
-    # the header fields are set in the same way: same file mode, uid & gid
-    # both zero and mtime set to the timestamp of the commit that the tag
-    # references. Also note that this puts the commit into the tar headers
-    # and can be extracted with gunzip -c foo.tar.gz | git get-tar-commit-id
-
-    # the name of the sig file we want to create
-    source_sigfile="${tag}-src.tar.gz.asc"
-
-    tarfile="$tag.tar.gz"
-    gh_project_url=$(git remote get-url origin |
-                            sed -e 's#^git@github\.com:#https://github.com/#' \
-                                -e 's#^git\+ssh://git@github\.com/#https://github.com/#' \
-                                -e 's/\.git$//')
-    project_name="${gh_project_url##*/}"
-    curl -L "${gh_project_url}/archive/${tarfile}" -o "${tarfile}"
-
-    # unzip it and compare it with the tar we would generate
-    if ! cmp --silent <(gunzip -c $tarfile) \
-         <(git archive --format tar --prefix="${project_name}-${release}/" "$tag"); then
-
-        # we don't bail out here, because really it's more likely that our comparison
-        # screwed up and it's super annoying to abort the script at this point.
-        cat >&2 <<EOF
-!!!!!!!!!!!!!!!!!
-!!!! WARNING !!!!
-
-Mismatch between our own tarfile and that generated by github: not signing
-source tarball.
-
-To resolve, determine if $tarfile is correct, and if so sign it with gpg and
-attach it to the release as $source_sigfile.
-
-!!!!!!!!!!!!!!!!!
-EOF
-    else
-        gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig "$tarfile"
-        assets="$assets -a $source_sigfile"
-    fi
-fi
-
-hubflags=''
-if [ $prerelease -eq 1 ]; then
-    hubflags='-p'
-fi
-
-release_text=$(mktemp)
-echo "$tag" > "${release_text}"
-echo >> "${release_text}"
-cat "${latest_changes}" >> "${release_text}"
-hub release create $hubflags $assets -F "${release_text}" "$tag"
-
-if [ $dodist -eq 0 ]; then
-    rm -rf "$builddir"
-fi
-rm "${release_text}"
-rm "${latest_changes}"
-
-# if it is a pre-release, leave it on the release branch for now.
-if [ $prerelease -eq 1 ]; then
-    git checkout "$rel_branch"
-    exit 0
-fi
-
-# merge release branch to master
-echo "updating master branch"
-git checkout master
-git pull
-git merge "$rel_branch" --no-edit
-
-# push master to github
-git push origin master
-
-# finally, merge master back onto develop (if it exists)
-if [ "$(git branch -lr | grep origin/develop -c)" -ge 1 ]; then
-    git checkout develop
-    git pull
-    git merge master --no-edit
-    git push origin develop
-fi
-
-[ -x ./post-release.sh ] && ./post-release.sh
-
-if [ $has_subprojects -eq 1 ] && [ $prerelease -eq 0 ]; then
-    echo "Resetting subprojects to develop"
-    for proj in $subprojects; do
-        reset_dependency "$proj"
-    done
-    git push origin develop
-fi
@@ -15,4 +15,4 @@ for line in sys.stdin:
            break
        found_first_header = True
    elif not re.match(r"^=+$", line) and len(line) > 0:
-        print line
+        print(line)
@@ -0,0 +1,165 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+
+async function listReleases(github, owner, repo) {
+    const response = await github.rest.repos.listReleases({
+        owner,
+        repo,
+        per_page: 100,
+    });
+    // Filters out draft releases
+    return response.data.filter((release) => !release.draft);
+}
+
+// Dependency can be a tuple of dependency, from version, to version, in which case a list of releases in that range (to inclusive) will be returned
+// Or it can be a string in the form accepted by `getRelease`
+async function getReleases(github, dependency) {
+    if (Array.isArray(dependency)) {
+        const [dep, fromVersion, toVersion] = dependency;
+        const upstreamPackageJson = getDependencyPackageJson(dep);
+        const [owner, repo] = upstreamPackageJson.repository.url.split("/").slice(-2);
+
+        const unfilteredReleases = await listReleases(github, owner, repo);
+        // Only include non-draft & non-prerelease releases, unless the to-release is a pre-release, include that one
+        const releases = unfilteredReleases.filter(
+            (release) => !release.prerelease || release.tag_name === `v${toVersion}`,
+        );
+
+        const fromVersionIndex = releases.findIndex((release) => release.tag_name === `v${fromVersion}`);
+        const toVersionIndex = releases.findIndex((release) => release.tag_name === `v${toVersion}`);
+
+        return releases.slice(toVersionIndex, fromVersionIndex);
+    }
+
+    return [await getRelease(github, dependency)];
+}
+
+// Dependency can be the name of an entry in package.json, in which case the owner, repo & version will be looked up in its own package.json
+// Or it can be a string in the form owner/repo@tag - in this case the tag is used exactly to find the release
+// Or it can be a string in the form owner/repo~tag - in this case the latest tag in the same major.minor.patch set is used to find the release
+async function getRelease(github, dependency) {
+    let owner;
+    let repo;
+    let tag;
+
+    if (dependency.includes("/")) {
+        let rest;
+        [owner, rest] = dependency.split("/");
+
+        if (dependency.includes("@")) {
+            [repo, tag] = rest.split("@");
+        } else if (dependency.includes("~")) {
+            [repo, tag] = rest.split("~");
+
+            if (tag.includes("-rc.")) {
+                // If the tag is an RC, find the latest matching RC in the set
+                try {
+                    const releases = await listReleases(github, owner, repo);
+                    const baseVersion = tag.split("-rc.")[0];
+                    const release = releases.find((release) => release.tag_name.startsWith(baseVersion));
+                    if (release) return release;
+                } catch (e) {
+                    // Fall back to getReleaseByTag
+                }
+            }
+        }
+    } else {
+        const upstreamPackageJson = getDependencyPackageJson(dependency);
+        [owner, repo] = upstreamPackageJson.repository.url.split("/").slice(-2);
+        tag = `v${upstreamPackageJson.version}`;
+    }
+
+    const response = await github.rest.repos.getReleaseByTag({
+        owner,
+        repo,
+        tag,
+    });
+    return response.data;
+}
+
+function getDependencyPackageJson(dependency) {
+    return JSON.parse(fs.readFileSync(`./node_modules/${dependency}/package.json`, "utf8"));
+}
+
+const HEADING_PREFIX = "## ";
+
+const categories = [
+    "🔒 SECURITY FIXES",
+    "🚨 BREAKING CHANGESd",
+    "🦖 Deprecations",
+    "✨ Features",
+    "🐛 Bug Fixes",
+    "🧰 Maintenance",
+];
+
+const parseReleaseNotes = (body, sections) => {
+    let heading = null;
+    for (const line of body.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith(HEADING_PREFIX)) {
+            heading = trimmed.slice(HEADING_PREFIX.length);
+            if (!categories.includes(heading)) heading = null;
+            continue;
+        }
+        if (heading && trimmed) {
+            sections[heading].push(trimmed);
+        }
+    }
+};
+
+const main = async ({ github, releaseId, dependencies }) => {
+    const { GITHUB_REPOSITORY } = process.env;
+    const [owner, repo] = GITHUB_REPOSITORY.split("/");
+
+    const { data: release } = await github.rest.repos.getRelease({
+        owner,
+        repo,
+        release_id: releaseId,
+    });
+
+    const sections = Object.fromEntries(categories.map((cat) => [cat, []]));
+    parseReleaseNotes(release.body, sections);
+    for (const dependency of dependencies) {
+        const releases = await getReleases(github, dependency);
+        for (const release of releases) {
+            parseReleaseNotes(release.body, sections);
+        }
+    }
+
+    const intro = release.body.split(HEADING_PREFIX, 2)[0].trim();
+
+    let output = "";
+    if (intro) {
+        output = intro + "\n\n";
+    }
+
+    for (const section in sections) {
+        const lines = sections[section];
+        if (!lines.length) continue;
+        output += HEADING_PREFIX + section + "\n\n";
+        output += lines.join("\n");
+        output += "\n\n";
+    }
+
+    return output;
+};
+
+// This is just for testing locally
+// Needs environment variables GITHUB_TOKEN & GITHUB_REPOSITORY
+if (require.main === module) {
+    const { Octokit } = require("@octokit/rest");
+    const github = new Octokit({ auth: process.env.GITHUB_TOKEN });
+    if (process.argv.length < 4) {
+        // eslint-disable-next-line no-console
+        console.error("Usage: node merge-release-notes.js owner/repo:release_id npm-package-name ...");
+        process.exit(1);
+    }
+    const [releaseId, ...dependencies] = process.argv.slice(2);
+    main({ github, releaseId, dependencies }).then((output) => {
+        // eslint-disable-next-line no-console
+        console.log(output);
+    });
+}
+
+module.exports = main;
@@ -1,17 +0,0 @@
-#!/usr/bin/env node
-
-const fsProm = require("fs/promises");
-
-const PKGJSON = "package.json";
-
-async function main() {
-    const pkgJson = JSON.parse(await fsProm.readFile(PKGJSON, "utf8"));
-    for (const field of ["main", "typings"]) {
-        if (pkgJson["matrix_lib_" + field] !== undefined) {
-            pkgJson[field] = pkgJson["matrix_lib_" + field];
-        }
-    }
-    await fsProm.writeFile(PKGJSON, JSON.stringify(pkgJson, null, 2));
-}
-
-main();
@@ -11,6 +11,6 @@ sonar.exclusions=docs,examples,git-hooks
 sonar.typescript.tsconfigPath=./tsconfig.json
 sonar.javascript.lcov.reportPaths=coverage/lcov.info
 sonar.coverage.exclusions=spec/**/*
-sonar.testExecutionReportPaths=coverage/jest-sonar-report.xml
+sonar.testExecutionReportPaths=coverage/sonar-report.xml

 sonar.lang.patterns.ts=**/*.ts,**/*.tsx
@@ -17,31 +17,29 @@ limitations under the License.
 */

 // `expect` is allowed in helper functions which are called within `test`/`it` blocks
-/* eslint-disable jest/no-standalone-expect */
-
-// load olm before the sdk if possible
-import "./olm-loader";
+/* eslint-disable @vitest/no-standalone-expect */

 import MockHttpBackend from "matrix-mock-request";

 import type { IDeviceKeys, IOneTimeKey } from "../src/@types/crypto";
 import type { IE2EKeyReceiver } from "./test-utils/E2EKeyReceiver";
-import { LocalStorageCryptoStore } from "../src/crypto/store/localStorage-crypto-store";
 import { logger } from "../src/logger";
 import { syncPromise } from "./test-utils/test-utils";
-import { createClient, IStartClientOpts } from "../src/matrix";
-import { ICreateClientOpts, IDownloadKeyResult, MatrixClient, PendingEventOrdering } from "../src/client";
-import { MockStorageApi } from "./MockStorageApi";
-import { encodeUri } from "../src/utils";
-import { IKeyBackupSession } from "../src/crypto/keybackup";
-import { IKeysUploadResponse, IUploadKeysRequest } from "../src/client";
-import { ISyncResponder } from "./test-utils/SyncResponder";
+import { createClient, type IStartClientOpts } from "../src/matrix";
+import {
+    type ICreateClientOpts,
+    type IDownloadKeyResult,
+    type MatrixClient,
+    PendingEventOrdering,
+} from "../src/client";
+import { type IKeysUploadResponse, type IUploadKeysRequest } from "../src/client";
+import { type ISyncResponder } from "./test-utils/SyncResponder";

 /**
 * Wrapper for a MockStorageApi, MockHttpBackend and MatrixClient
 *
 * @deprecated Avoid using this; it is tied too tightly to matrix-mock-request and is generally inconvenient to use.
- *    Instead, construct a MatrixClient manually, use fetch-mock-jest to intercept the HTTP requests, and
+ *    Instead, construct a MatrixClient manually, use fetch-mock to intercept the HTTP requests, and
 *    use things like {@link E2EKeyReceiver} and {@link SyncResponder} to manage the requests.
 */
 export class TestClient implements IE2EKeyReceiver, ISyncResponder {
@@ -57,10 +55,6 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
        sessionStoreBackend?: Storage,
        options?: Partial<ICreateClientOpts>,
    ) {
-        if (sessionStoreBackend === undefined) {
-            sessionStoreBackend = new MockStorageApi() as unknown as Storage;
-        }
-
        this.httpBackend = new MockHttpBackend();

        const fullOptions: ICreateClientOpts = {
@@ -68,13 +62,9 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
            userId: userId,
            accessToken: accessToken,
            deviceId: deviceId,
-            fetchFn: this.httpBackend.fetchFn as typeof global.fetch,
+            fetchFn: this.httpBackend.fetchFn as typeof globalThis.fetch,
            ...options,
        };
-        if (!fullOptions.cryptoStore) {
-            // expose this so the tests can get to it
-            fullOptions.cryptoStore = new LocalStorageCryptoStore(sessionStoreBackend);
-        }
        this.client = createClient(fullOptions);

        this.deviceKeys = null;
@@ -92,7 +82,7 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
        logger.log(this + ": starting");
        this.httpBackend.when("GET", "/versions").respond(200, {
            // we have tests that rely on support for lazy-loading members
-            versions: ["r0.5.0"],
+            versions: ["v1.1"],
        });
        this.httpBackend.when("GET", "/pushrules").respond(200, {});
        this.httpBackend.when("POST", "/filter").respond(200, { filter_id: "fid" });
@@ -214,21 +204,6 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
        });
    }

-    /**
-     * Set up expectations that the client will query key backups for a particular session
-     */
-    public expectKeyBackupQuery(roomId: string, sessionId: string, status: number, response: IKeyBackupSession) {
-        this.httpBackend
-            .when(
-                "GET",
-                encodeUri("/room_keys/keys/$roomId/$sessionId", {
-                    $roomId: roomId,
-                    $sessionId: sessionId,
-                }),
-            )
-            .respond(status, response);
-    }
-
    /**
     * get the uploaded curve25519 device key
     *
@@ -1,34 +0,0 @@
-/*
-Copyright 2020 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import "../../dist/browser-matrix"; // uses browser-matrix instead of the src
-import type { default as BrowserMatrix } from "../../src/browser-index";
-
-// stub for browser-matrix browserify tests
-// @ts-ignore
-global.XMLHttpRequest = jest.fn();
-
-afterAll(() => {
-    // clean up XMLHttpRequest mock
-    // @ts-ignore
-    global.XMLHttpRequest = undefined;
-});
-
-// Akin to spec/setupTests.ts - but that won't affect the browser-matrix bundle
-global.matrixcs = {
-    ...global.matrixcs,
-    timeoutSignal: () => new AbortController().signal,
-} as typeof BrowserMatrix;
@@ -1,92 +0,0 @@
-/*
-Copyright 2020 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import HttpBackend from "matrix-mock-request";
-
-import "./setupTests"; // uses browser-matrix instead of the src
-import type { MatrixClient } from "../../src";
-
-const USER_ID = "@user:test.server";
-const DEVICE_ID = "device_id";
-const ACCESS_TOKEN = "access_token";
-const ROOM_ID = "!room_id:server.test";
-
-describe("Browserify Test", function () {
-    let client: MatrixClient;
-    let httpBackend: HttpBackend;
-
-    beforeEach(() => {
-        httpBackend = new HttpBackend();
-        client = new global.matrixcs.MatrixClient({
-            baseUrl: "http://test.server",
-            userId: USER_ID,
-            accessToken: ACCESS_TOKEN,
-            deviceId: DEVICE_ID,
-            fetchFn: httpBackend.fetchFn as typeof global.fetch,
-        });
-
-        httpBackend.when("GET", "/versions").respond(200, {});
-        httpBackend.when("GET", "/pushrules").respond(200, {});
-        httpBackend.when("POST", "/filter").respond(200, { filter_id: "fid" });
-    });
-
-    afterEach(async () => {
-        client.stopClient();
-        client.http.abort();
-        httpBackend.verifyNoOutstandingRequests();
-        httpBackend.verifyNoOutstandingExpectation();
-        await httpBackend.stop();
-    });
-
-    it("Sync", async () => {
-        const event = {
-            type: "m.room.member",
-            room_id: ROOM_ID,
-            content: {
-                membership: "join",
-                name: "Displayname",
-            },
-            event_id: "$foobar",
-        };
-
-        const syncData = {
-            next_batch: "batch1",
-            rooms: {
-                join: {
-                    [ROOM_ID]: {
-                        timeline: {
-                            events: [event],
-                            limited: false,
-                        },
-                    },
-                },
-            },
-        };
-
-        httpBackend.when("GET", "/sync").respond(200, syncData);
-        httpBackend.when("GET", "/sync").respond(200, syncData);
-
-        const syncPromise = new Promise((r) => client.once(global.matrixcs.ClientEvent.Sync, r));
-        const unexpectedErrorFn = jest.fn();
-        client.once(global.matrixcs.ClientEvent.SyncUnexpectedError, unexpectedErrorFn);
-
-        client.startClient();
-
-        await httpBackend.flushAllExpected();
-        await syncPromise;
-        expect(unexpectedErrorFn).not.toHaveBeenCalled();
-    }, 20000); // additional timeout as this test can take quite a while
-});
@@ -0,0 +1,485 @@
+/*
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMock from "@fetch-mock/vitest";
+import "fake-indexeddb/auto";
+import { IDBFactory } from "fake-indexeddb";
+import debug from "debug";
+
+import { syncPromise } from "../../test-utils/test-utils";
+import { type AuthDict, createClient, DebugLogger, type MatrixClient } from "../../../src";
+import { mockInitialApiRequests, mockSetupCrossSigningRequests } from "../../test-utils/mockEndpoints";
+import encryptAESSecretStorageItem from "../../../src/utils/encryptAESSecretStorageItem.ts";
+import { type CryptoCallbacks, CrossSigningKey } from "../../../src/crypto-api";
+import { SECRET_STORAGE_ALGORITHM_V1_AES } from "../../../src/secret-storage";
+import { type ISyncResponder, SyncResponder } from "../../test-utils/SyncResponder";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import {
+    MASTER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+    SELF_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+    SELF_CROSS_SIGNING_PUBLIC_KEY_BASE64,
+    SIGNED_CROSS_SIGNING_KEYS_DATA,
+    SIGNED_TEST_DEVICE_DATA,
+    USER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+} from "../../test-utils/test-data";
+import * as testData from "../../test-utils/test-data";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { AccountDataAccumulator } from "../../test-utils/AccountDataAccumulator";
+import { CryptoEvent } from "../../../src/crypto-api";
+
+afterEach(() => {
+    // reset fake-indexeddb after each test, to make sure we don't leak connections
+    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
+    // eslint-disable-next-line no-global-assign
+    indexedDB = new IDBFactory();
+});
+
+const TEST_USER_ID = "@alice:localhost";
+const TEST_DEVICE_ID = "xzcvb";
+
+/**
+ * Integration tests for cross-signing functionality.
+ *
+ * These tests work by intercepting HTTP requests via fetch-mock rather than mocking out bits of the client, so as
+ * to provide the most effective integration tests possible.
+ */
+describe("cross-signing", () => {
+    let aliceClient: MatrixClient;
+
+    /** an object which intercepts `/sync` requests from {@link #aliceClient} */
+    let syncResponder: ISyncResponder;
+
+    /** an object which intercepts `/keys/query` requests on the test homeserver */
+    let e2eKeyResponder: E2EKeyResponder;
+
+    // Encryption key used to encrypt cross signing keys
+    const encryptionKey = new Uint8Array(32);
+
+    /**
+     * Create the {@link CryptoCallbacks}
+     */
+    function createCryptoCallbacks(): CryptoCallbacks {
+        return {
+            getSecretStorageKey: (keys, name) => {
+                return Promise.resolve<[string, Uint8Array<ArrayBuffer>]>(["key_id", encryptionKey]);
+            },
+        };
+    }
+
+    beforeEach(
+        async () => {
+            // anything that we don't have a specific matcher for silently returns a 404
+            fetchMock.catch(404);
+
+            const homeserverUrl = "https://alice-server.com";
+            aliceClient = createClient({
+                baseUrl: homeserverUrl,
+                userId: TEST_USER_ID,
+                accessToken: "akjgkrgjs",
+                deviceId: TEST_DEVICE_ID,
+                cryptoCallbacks: createCryptoCallbacks(),
+                logger: new DebugLogger(debug(`matrix-js-sdk:cross-signing`)),
+            });
+
+            syncResponder = new SyncResponder(homeserverUrl);
+            e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+            /** an object which intercepts `/keys/upload` requests on the test homeserver */
+            new E2EKeyReceiver(homeserverUrl);
+
+            // Silence warnings from the backup manager
+            fetchMock.getOnce(new URL("/_matrix/client/v3/room_keys/version", homeserverUrl).toString(), {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND" },
+            });
+
+            await aliceClient.initRustCrypto();
+        },
+        /* it can take a while to initialise the crypto library on the first pass, so bump up the timeout. */
+        10000,
+    );
+
+    afterEach(async () => {
+        aliceClient.stopClient();
+    });
+
+    /**
+     * Create cross-signing keys and publish the keys
+     *
+     * @param authDict - The parameters to as the `auth` dict in the key upload request.
+     * @see https://spec.matrix.org/v1.6/client-server-api/#authentication-types
+     */
+    async function bootstrapCrossSigning(authDict: AuthDict): Promise<void> {
+        await aliceClient.getCrypto()?.bootstrapCrossSigning({
+            authUploadDeviceSigningKeys: (makeRequest) => makeRequest(authDict).then(() => undefined),
+        });
+    }
+
+    describe("bootstrapCrossSigning (before initialsync completes)", () => {
+        it("publishes keys if none were yet published", async () => {
+            mockSetupCrossSigningRequests();
+
+            // provide a UIA callback, so that the cross-signing keys are uploaded
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // check that the cross-signing keys have been uploaded
+            expect(fetchMock.callHistory.called("upload-cross-signing-keys")).toBeTruthy();
+            const keysOpts = fetchMock.callHistory.lastCall("upload-cross-signing-keys")!.options;
+            const keysBody = JSON.parse(keysOpts!.body as string);
+            expect(keysBody.auth).toEqual(authDict); // check uia dict was passed
+            // there should be a key of each type
+            // master key is signed by the device
+            expect(keysBody).toHaveProperty(["master_key", "signatures", TEST_USER_ID, `ed25519:${TEST_DEVICE_ID}`]);
+            const masterKeyId = Object.keys(keysBody.master_key.keys)[0];
+            // ssk and usk are signed by the master key
+            expect(keysBody).toHaveProperty(["self_signing_key", "signatures", TEST_USER_ID, masterKeyId]);
+            expect(keysBody).toHaveProperty(["user_signing_key", "signatures", TEST_USER_ID, masterKeyId]);
+            const sskId = Object.keys(keysBody.self_signing_key.keys)[0];
+
+            // check the publish call
+            expect(fetchMock.callHistory.called("upload-sigs")).toBeTruthy();
+            const sigsOpts = fetchMock.callHistory.lastCall("upload-sigs")!.options;
+            const body = JSON.parse(sigsOpts!.body as string);
+            // there should be a signature for our device, by our self-signing key.
+            expect(body).toHaveProperty([TEST_USER_ID, TEST_DEVICE_ID, "signatures", TEST_USER_ID, sskId]);
+        });
+
+        it("get cross signing keys from secret storage and import them", async () => {
+            // Return public cross signing keys
+            e2eKeyResponder.addCrossSigningData(SIGNED_CROSS_SIGNING_KEYS_DATA);
+
+            mockInitialApiRequests(aliceClient.getHomeserverUrl());
+
+            // Encrypt the private keys and return them in the /sync response as if they are in Secret Storage
+            const masterKey = await encryptAESSecretStorageItem(
+                MASTER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+                encryptionKey,
+                "m.cross_signing.master",
+            );
+            const selfSigningKey = await encryptAESSecretStorageItem(
+                SELF_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+                encryptionKey,
+                "m.cross_signing.self_signing",
+            );
+            const userSigningKey = await encryptAESSecretStorageItem(
+                USER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
+                encryptionKey,
+                "m.cross_signing.user_signing",
+            );
+
+            syncResponder.sendOrQueueSyncResponse({
+                next_batch: 1,
+                account_data: {
+                    events: [
+                        {
+                            type: "m.cross_signing.master",
+                            content: {
+                                encrypted: {
+                                    key_id: masterKey,
+                                },
+                            },
+                        },
+                        {
+                            type: "m.cross_signing.self_signing",
+                            content: {
+                                encrypted: {
+                                    key_id: selfSigningKey,
+                                },
+                            },
+                        },
+                        {
+                            type: "m.cross_signing.user_signing",
+                            content: {
+                                encrypted: {
+                                    key_id: userSigningKey,
+                                },
+                            },
+                        },
+                        {
+                            type: "m.secret_storage.key.key_id",
+                            content: {
+                                key: "key_id",
+                                algorithm: SECRET_STORAGE_ALGORITHM_V1_AES,
+                            },
+                        },
+                    ],
+                },
+            });
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            // we expect the UserTrustStatusChanged event to be fired after the cross signing keys import
+            const userTrustStatusChangedPromise = new Promise<string>((resolve) =>
+                aliceClient.on(CryptoEvent.UserTrustStatusChanged, resolve),
+            );
+
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // Check if the UserTrustStatusChanged event was fired
+            expect(await userTrustStatusChangedPromise).toBe(aliceClient.getUserId());
+
+            // Expect the signature to be uploaded
+            expect(fetchMock.callHistory.called("upload-sigs")).toBeTruthy();
+            const sigsOpts = fetchMock.callHistory.lastCall("upload-sigs")!.options;
+            const body = JSON.parse(sigsOpts!.body as string);
+            // the device should have a signature with the public self cross signing keys.
+            expect(body).toHaveProperty([
+                TEST_USER_ID,
+                TEST_DEVICE_ID,
+                "signatures",
+                TEST_USER_ID,
+                `ed25519:${SELF_CROSS_SIGNING_PUBLIC_KEY_BASE64}`,
+            ]);
+        });
+
+        it("can bootstrapCrossSigning twice", async () => {
+            mockSetupCrossSigningRequests();
+
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // a second call should do nothing except GET requests
+            fetchMock.mockClear();
+            await bootstrapCrossSigning(authDict);
+            expect(fetchMock).toHaveFetchedTimes(0, "unmatched");
+        });
+
+        it("will upload existing cross-signing keys to an established secret storage", async () => {
+            // This rather obscure codepath covers the case that:
+            //   - 4S is set up and working
+            //   - our device has private cross-signing keys, but has not published them to 4S
+            //
+            // To arrange that, we call `bootstrapCrossSigning` on our main device, and then (pretend to) set up 4S from
+            // a *different* device. Then, when we call `bootstrapCrossSigning` again, it should do the honours.
+
+            const accountDataAccumulator = new AccountDataAccumulator(syncResponder);
+            accountDataAccumulator.interceptGetAccountData();
+
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // Pretend that another device has uploaded a 4S key
+            accountDataAccumulator.accountDataEvents.set("m.secret_storage.default_key", { key: "key_id" });
+            accountDataAccumulator.accountDataEvents.set("m.secret_storage.key.key_id", {
+                key: "keykeykey",
+                algorithm: SECRET_STORAGE_ALGORITHM_V1_AES,
+            });
+
+            // Prepare for the cross-signing keys
+            const p = accountDataAccumulator.waitForAccountData("m.cross_signing.master");
+
+            await bootstrapCrossSigning(authDict);
+            await p;
+
+            // The cross-signing keys should have been uploaded
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.master")).toBeTruthy();
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.self_signing")).toBeTruthy();
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.user_signing")).toBeTruthy();
+        });
+    });
+
+    describe("getCrossSigningStatus()", () => {
+        it("should return correct values without bootstrapping cross-signing", async () => {
+            mockSetupCrossSigningRequests();
+
+            const crossSigningStatus = await aliceClient.getCrypto()!.getCrossSigningStatus();
+
+            // Expect the cross signing keys to be unavailable
+            expect(crossSigningStatus).toStrictEqual({
+                publicKeysOnDevice: false,
+                privateKeysInSecretStorage: false,
+                privateKeysCachedLocally: { masterKey: false, userSigningKey: false, selfSigningKey: false },
+            });
+        });
+
+        it("should return correct values after bootstrapping cross-signing", async () => {
+            mockSetupCrossSigningRequests();
+
+            // provide a UIA callback, so that the cross-signing keys are uploaded
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            const crossSigningStatus = await aliceClient.getCrypto()!.getCrossSigningStatus();
+
+            // Expect the cross signing keys to be available
+            expect(crossSigningStatus).toStrictEqual({
+                publicKeysOnDevice: true,
+                privateKeysInSecretStorage: false,
+                privateKeysCachedLocally: { masterKey: true, userSigningKey: true, selfSigningKey: true },
+            });
+        });
+    });
+
+    describe("isCrossSigningReady()", () => {
+        it("should return false if cross-signing is not bootstrapped", async () => {
+            mockSetupCrossSigningRequests();
+
+            const isCrossSigningReady = await aliceClient.getCrypto()!.isCrossSigningReady();
+
+            expect(isCrossSigningReady).toBeFalsy();
+        });
+
+        it("should return true after bootstrapping cross-signing", async () => {
+            mockSetupCrossSigningRequests();
+            await bootstrapCrossSigning({ type: "test" });
+
+            const isCrossSigningReady = await aliceClient.getCrypto()!.isCrossSigningReady();
+
+            expect(isCrossSigningReady).toBeTruthy();
+        });
+
+        it("should return false if identity is not trusted, even if the secrets are in 4S", async () => {
+            e2eKeyResponder.addCrossSigningData(SIGNED_CROSS_SIGNING_KEYS_DATA);
+
+            // Complete initial sync, to get the 4S account_data events stored
+            mockInitialApiRequests(aliceClient.getHomeserverUrl());
+
+            // For this test we need to have a well-formed 4S setup.
+            const mockSecretInfo = {
+                encrypted: {
+                    // Don't care about the actual values here, just need to be present for validation
+                    KeyId: {
+                        iv: "IVIVIVIVIVIVIV",
+                        ciphertext: "CIPHERTEXTB64",
+                        mac: "MACMACMAC",
+                    },
+                },
+            };
+            syncResponder.sendOrQueueSyncResponse({
+                next_batch: 1,
+                account_data: {
+                    events: [
+                        {
+                            type: "m.secret_storage.key.KeyId",
+                            content: {
+                                algorithm: "m.secret_storage.v1.aes-hmac-sha2",
+                                // iv and mac not relevant for this test
+                            },
+                        },
+                        {
+                            type: "m.secret_storage.default_key",
+                            content: {
+                                key: "KeyId",
+                            },
+                        },
+                        {
+                            type: "m.cross_signing.master",
+                            content: mockSecretInfo,
+                        },
+                        {
+                            type: "m.cross_signing.user_signing",
+                            content: mockSecretInfo,
+                        },
+                        {
+                            type: "m.cross_signing.self_signing",
+                            content: mockSecretInfo,
+                        },
+                    ],
+                },
+            });
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            // Sanity: ensure that the secrets are in 4S
+            const status = await aliceClient.getCrypto()!.getCrossSigningStatus();
+            expect(status.privateKeysInSecretStorage).toBeTruthy();
+
+            const isCrossSigningReady = await aliceClient.getCrypto()!.isCrossSigningReady();
+
+            expect(isCrossSigningReady).toBeFalsy();
+        }, 10000);
+    });
+
+    describe("getCrossSigningKeyId", () => {
+        /**
+         * Intercept /keys/device_signing/upload request and return the cross signing keys
+         * https://spec.matrix.org/v1.7/client-server-api/#post_matrixclientv3keysdevice_signingupload
+         *
+         * @returns the cross signing keys
+         */
+        function awaitCrossSigningKeysUpload() {
+            return new Promise<any>((resolve) => {
+                fetchMock.modifyRoute("upload-cross-signing-keys", {
+                    response: (callLog) => {
+                        const content = JSON.parse(callLog.options.body as string);
+                        resolve(content);
+                        return {};
+                    },
+                });
+            });
+        }
+
+        it("should return the cross signing key id for each cross signing key", async () => {
+            mockSetupCrossSigningRequests();
+
+            // Intercept cross signing keys upload
+            const crossSigningKeysPromise = awaitCrossSigningKeysUpload();
+
+            // provide a UIA callback, so that the cross-signing keys are uploaded
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+            // Get the cross signing keys
+            const crossSigningKeys = await crossSigningKeysPromise;
+
+            const getPubKey = (crossSigningKey: any) => Object.values(crossSigningKey!.keys)[0];
+
+            const masterKeyId = await aliceClient.getCrypto()!.getCrossSigningKeyId();
+            expect(masterKeyId).toBe(getPubKey(crossSigningKeys.master_key));
+
+            const selfSigningKeyId = await aliceClient.getCrypto()!.getCrossSigningKeyId(CrossSigningKey.SelfSigning);
+            expect(selfSigningKeyId).toBe(getPubKey(crossSigningKeys.self_signing_key));
+
+            const userSigningKeyId = await aliceClient.getCrypto()!.getCrossSigningKeyId(CrossSigningKey.UserSigning);
+            expect(userSigningKeyId).toBe(getPubKey(crossSigningKeys.user_signing_key));
+        });
+    });
+
+    describe("crossSignDevice", () => {
+        beforeEach(async () => {
+            // make sure that there is another device which we can sign
+            e2eKeyResponder.addDeviceKeys(SIGNED_TEST_DEVICE_DATA);
+
+            // Complete initialsync, to get the outgoing requests going
+            mockInitialApiRequests(aliceClient.getHomeserverUrl());
+            syncResponder.sendOrQueueSyncResponse({ next_batch: 1 });
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            const devices = await aliceClient.getCrypto()!.getUserDeviceInfo([aliceClient.getSafeUserId()]);
+            expect(devices.get(aliceClient.getSafeUserId())!.has(testData.TEST_DEVICE_ID)).toBeTruthy();
+        });
+
+        it("fails for an unknown device", async () => {
+            await expect(aliceClient.getCrypto()!.crossSignDevice("unknown")).rejects.toThrow("Unknown device");
+        });
+
+        it("cross-signs the device", async () => {
+            mockSetupCrossSigningRequests();
+            await aliceClient.getCrypto()!.bootstrapCrossSigning({});
+
+            fetchMock.mockClear();
+            await aliceClient.getCrypto()!.crossSignDevice(testData.TEST_DEVICE_ID);
+
+            // check that a sig for the device was uploaded
+            const calls = fetchMock.callHistory.calls("upload-sigs");
+            expect(calls.length).toEqual(1);
+            const body = JSON.parse(calls[0].options!.body as string);
+            const deviceSig = body[aliceClient.getSafeUserId()][testData.TEST_DEVICE_ID];
+            expect(deviceSig).toHaveProperty("signatures");
+        });
+    });
+});
@@ -0,0 +1,239 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import "fake-indexeddb/auto";
+import fetchMock from "@fetch-mock/vitest";
+import { type CallLog } from "fetch-mock";
+import debug from "debug";
+
+import { ClientEvent, createClient, DebugLogger, type MatrixClient, MatrixEvent } from "../../../src";
+import { CryptoEvent } from "../../../src/crypto-api/index";
+import { type RustCrypto } from "../../../src/rust-crypto/rust-crypto";
+import { type AddSecretStorageKeyOpts } from "../../../src/secret-storage";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { emitPromise, EventCounter } from "../../test-utils/test-utils";
+
+describe("Device dehydration", () => {
+    it("should rehydrate and dehydrate a device", async () => {
+        vi.useFakeTimers();
+
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+            cryptoCallbacks: {
+                getSecretStorageKey: async (keys: any, name: string) => {
+                    return [[...Object.keys(keys.keys)][0], new Uint8Array(32)];
+                },
+            },
+            logger: new DebugLogger(debug(`matrix-js-sdk:dehydration`)),
+        });
+
+        await initializeSecretStorage(matrixClient, "@alice:localhost", "http://test.server");
+
+        const creationEventCounter = new EventCounter(matrixClient, CryptoEvent.DehydratedDeviceCreated);
+        const dehydrationKeyCachedEventCounter = new EventCounter(matrixClient, CryptoEvent.DehydrationKeyCached);
+        const rehydrationStartedCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationStarted);
+        const rehydrationCompletedCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationCompleted);
+        const rehydrationProgressCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationProgress);
+
+        // count the number of times the dehydration key gets set
+        let setDehydrationCount = 0;
+        matrixClient.on(ClientEvent.AccountData, (event: MatrixEvent) => {
+            if (event.getType() === "org.matrix.msc3814") {
+                setDehydrationCount++;
+            }
+        });
+
+        const crypto = matrixClient.getCrypto()!;
+
+        // start dehydration -- we start with no dehydrated device, and we
+        // store the dehydrated device that we create
+        fetchMock.get(
+            "path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device",
+            {
+                status: 404,
+                body: {
+                    errcode: "M_NOT_FOUND",
+                    error: "Not found",
+                },
+            },
+            { name: "get-dehydrated-device" },
+        );
+        let dehydratedDeviceBody: any;
+        let dehydrationCount = 0;
+        let resolveDehydrationPromise: () => void;
+        fetchMock.put(
+            "path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device",
+            (callLog) => {
+                dehydratedDeviceBody = JSON.parse(callLog.options.body as string);
+                dehydrationCount++;
+                if (resolveDehydrationPromise) {
+                    resolveDehydrationPromise();
+                }
+                return {};
+            },
+            { name: "put-dehydrated-device" },
+        );
+        await crypto.startDehydration();
+
+        expect(dehydrationCount).toEqual(1);
+        expect(creationEventCounter.counter).toEqual(1);
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(1);
+
+        // a week later, we should have created another dehydrated device
+        const dehydrationPromise = new Promise<void>((resolve, reject) => {
+            resolveDehydrationPromise = resolve;
+        });
+        vi.advanceTimersByTime(7 * 24 * 60 * 60 * 1000);
+        await dehydrationPromise;
+
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(1);
+        expect(dehydrationCount).toEqual(2);
+        expect(creationEventCounter.counter).toEqual(2);
+
+        // restart dehydration -- rehydrate the device that we created above,
+        // and create a new dehydrated device.  We also set `createNewKey`, so
+        // a new dehydration key will be set
+        fetchMock.modifyRoute("get-dehydrated-device", {
+            response: {
+                device_id: dehydratedDeviceBody.device_id,
+                device_data: dehydratedDeviceBody.device_data,
+            },
+        });
+        const eventsResponse = vi.fn((callLog: CallLog) => {
+            // rehydrating should make two calls to the /events endpoint.
+            // The first time will return a single event, and the second
+            // time will return no events (which will signal to the
+            // rehydration function that it can stop)
+            const body = JSON.parse(callLog.options.body as string);
+            const nextBatch = body.next_batch ?? "0";
+            const events = nextBatch === "0" ? [{ sender: "@alice:localhost", type: "m.dummy", content: {} }] : [];
+            return {
+                events,
+                next_batch: nextBatch + "1",
+            };
+        });
+        fetchMock.post(
+            `path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/${encodeURIComponent(dehydratedDeviceBody.device_id)}/events`,
+            eventsResponse,
+        );
+        await crypto.startDehydration(true);
+        expect(dehydrationCount).toEqual(3);
+
+        expect(setDehydrationCount).toEqual(2);
+        expect(eventsResponse.mock.calls).toHaveLength(2);
+
+        expect(rehydrationStartedCounter.counter).toEqual(1);
+        expect(rehydrationCompletedCounter.counter).toEqual(1);
+        expect(creationEventCounter.counter).toEqual(3);
+        expect(rehydrationProgressCounter.counter).toEqual(1);
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(2);
+
+        // test that if we get an error when we try to rotate, it emits an event
+        fetchMock.modifyRoute("put-dehydrated-device", {
+            response: {
+                status: 500,
+                body: {
+                    errcode: "M_UNKNOWN",
+                    error: "Unknown error",
+                },
+            },
+        });
+        const rotationErrorEventPromise = emitPromise(matrixClient, CryptoEvent.DehydratedDeviceRotationError);
+        vi.advanceTimersByTime(7 * 24 * 60 * 60 * 1000);
+        await rotationErrorEventPromise;
+
+        // Restart dehydration, but return an error for GET /dehydrated_device so that rehydration fails.
+        fetchMock.modifyRoute("get-dehydrated-device", {
+            response: {
+                status: 500,
+                body: {
+                    errcode: "M_UNKNOWN",
+                    error: "Unknown error",
+                },
+            },
+        });
+        fetchMock.modifyRoute("put-dehydrated-device", { response: { body: {} } });
+        const rehydrationErrorEventPromise = emitPromise(matrixClient, CryptoEvent.RehydrationError);
+        await crypto.startDehydration(true);
+        await rehydrationErrorEventPromise;
+
+        matrixClient.stopClient();
+    });
+});
+
+/** create a new secret storage and cross-signing keys */
+async function initializeSecretStorage(
+    matrixClient: MatrixClient,
+    userId: string,
+    homeserverUrl: string,
+): Promise<void> {
+    fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+        status: 404,
+        body: {
+            errcode: "M_NOT_FOUND",
+            error: "Not found",
+        },
+    });
+    const e2eKeyReceiver = new E2EKeyReceiver(homeserverUrl);
+    const e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+    e2eKeyResponder.addKeyReceiver(userId, e2eKeyReceiver);
+    const accountData: Map<string, object> = new Map();
+    fetchMock.get("glob:http://*/_matrix/client/v3/user/*/account_data/*", (callLog) => {
+        const name = callLog.url.split("/").pop()!;
+        const value = accountData.get(name);
+        if (value) {
+            return value;
+        } else {
+            return {
+                status: 404,
+                body: {
+                    errcode: "M_NOT_FOUND",
+                    error: "Not found",
+                },
+            };
+        }
+    });
+    fetchMock.put("glob:http://*/_matrix/client/v3/user/*/account_data/*", (callLog) => {
+        const name = callLog.url.split("/").pop()!;
+        const value = JSON.parse(callLog.options.body as string);
+        accountData.set(name, value);
+        matrixClient.emit(ClientEvent.AccountData, new MatrixEvent({ type: name, content: value }));
+        return {};
+    });
+
+    await matrixClient.initRustCrypto();
+    const crypto = matrixClient.getCrypto()! as RustCrypto;
+    // we need to process a sync so that the OlmMachine will upload keys
+    await crypto.preprocessToDeviceMessages([]);
+    await crypto.onSyncCompleted({});
+
+    // create initial secret storage
+    async function createSecretStorageKey() {
+        return {
+            keyInfo: {} as AddSecretStorageKeyOpts,
+            privateKey: new Uint8Array(32),
+        };
+    }
+    await matrixClient.getCrypto()!.bootstrapCrossSigning({ setupNewCrossSigning: true });
+    await matrixClient.getCrypto()!.bootstrapSecretStorage({
+        createSecretStorageKey,
+        setupNewSecretStorage: true,
+        setupNewKeyBackup: false,
+    });
+}
@@ -0,0 +1,547 @@
+/*
+Copyright 2016-2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import Olm from "@matrix-org/olm";
+import anotherjson from "another-json";
+import fetchMock from "@fetch-mock/vitest";
+import { type RouteResponse } from "fetch-mock";
+
+import {
+    type IContent,
+    type IDeviceKeys,
+    type IDownloadKeyResult,
+    type IEvent,
+    type Keys,
+    type MatrixClient,
+    type SigningKeys,
+} from "../../../src";
+import { type IE2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { type ISyncResponder } from "../../test-utils/SyncResponder";
+import { syncPromise } from "../../test-utils/test-utils";
+import { type KeyBackupInfo } from "../../../src/crypto-api";
+import { logger } from "../../../src/logger";
+
+/**
+ * @module
+ *
+ * A set of utilities for creating Olm accounts and sessions, and encrypting/decrypting with Olm/Megolm.
+ */
+
+/** Create an Olm Account object */
+export async function createOlmAccount(): Promise<Olm.Account> {
+    await Olm.init();
+    const testOlmAccount = new Olm.Account();
+    testOlmAccount.create();
+    return testOlmAccount;
+}
+
+/**
+ * Get the device keys for the test Olm Account
+ *
+ * @param olmAccount - Test olm account
+ * @param userId - The user ID to present the keys as belonging to
+ */
+export function getTestOlmAccountKeys(olmAccount: Olm.Account, userId: string, deviceId: string): IDeviceKeys {
+    const testE2eKeys = JSON.parse(olmAccount.identity_keys());
+    const testDeviceKeys: IDeviceKeys = {
+        algorithms: ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
+        device_id: deviceId,
+        keys: {
+            [`curve25519:${deviceId}`]: testE2eKeys.curve25519,
+            [`ed25519:${deviceId}`]: testE2eKeys.ed25519,
+        },
+        user_id: userId,
+    };
+
+    const j = anotherjson.stringify(testDeviceKeys);
+    const sig = olmAccount.sign(j);
+    testDeviceKeys.signatures = { [userId]: { [`ed25519:${deviceId}`]: sig } };
+    return testDeviceKeys;
+}
+
+/**
+ * Bootstrap cross signing for the given Olm account.
+ *
+ * Will generate the cross signing keys and sign them with the master key, and returns the `IDownloadKeyResult`
+ * that can be directly fed into a test e2eKeyResponder.
+ *
+ * The cross-signing keys are randomly generated, similar to how the olm account keys are generated. There may not
+ * be any value in using static vectors, as the device keys change at every test run.
+ *
+ * If some `KeyBackupInfo` are provided, the `auth_data` of each backup info will be signed with the
+ * master key, meaning the backups will be then trusted after verification.
+ *
+ * @param olmAccount - The Olm account object to use for signing the device keys.
+ * @param userId - The user ID to associate with the device keys.
+ * @param deviceId - The device ID to associate with the device keys.
+ * @param keyBackupInfo - Optional key backup infos to sign with the master key.
+ * @returns A valid keys/query response that can be fed into a test e2eKeyResponder.
+ */
+export function bootstrapCrossSigningTestOlmAccount(
+    olmAccount: Olm.Account,
+    userId: string,
+    deviceId: string,
+    keyBackupInfo: KeyBackupInfo[] = [],
+): Partial<IDownloadKeyResult> {
+    const olmAliceMSK = new Olm.PkSigning();
+    const masterPrivkey = olmAliceMSK.generate_seed();
+    const masterPubkey = olmAliceMSK.init_with_seed(masterPrivkey);
+
+    const olmAliceUSK = new Olm.PkSigning();
+    const userPrivkey = olmAliceUSK.generate_seed();
+    const userPubkey = olmAliceUSK.init_with_seed(userPrivkey);
+
+    const olmAliceSSK = new Olm.PkSigning();
+    const sskPrivkey = olmAliceSSK.generate_seed();
+    const sskPubkey = olmAliceSSK.init_with_seed(sskPrivkey);
+
+    const mskInfo: Keys = {
+        user_id: userId,
+        usage: ["master"],
+        keys: {
+            ["ed25519:" + masterPubkey]: masterPubkey,
+        },
+    };
+
+    const sskInfo: Partial<SigningKeys> = {
+        user_id: userId,
+        usage: ["self_signing"],
+        keys: {
+            ["ed25519:" + sskPubkey]: sskPubkey,
+        },
+    };
+    // sign the ssk with the msk
+    const sskSig = olmAliceMSK.sign(anotherjson.stringify(sskInfo));
+    sskInfo.signatures = {
+        [userId]: {
+            ["ed25519:" + masterPubkey]: sskSig,
+        },
+    };
+
+    const uskInfo: Partial<SigningKeys> = {
+        user_id: userId,
+        usage: ["user_signing"],
+        keys: {
+            ["ed25519:" + userPubkey]: userPubkey,
+        },
+    };
+
+    // sign the usk with the msk
+    const uskSig = olmAliceMSK.sign(anotherjson.stringify(uskInfo));
+    uskInfo.signatures = {
+        [userId]: {
+            ["ed25519:" + masterPubkey]: uskSig,
+        },
+    };
+
+    // get the device keys and sign them with the ssk (the device is then cross signed)
+    const deviceKeys = getTestOlmAccountKeys(olmAccount, userId, deviceId);
+
+    const copy = Object.assign({}, deviceKeys);
+    delete copy.signatures;
+    const crossSignature = olmAliceSSK.sign(anotherjson.stringify(copy));
+
+    // add the signature
+    deviceKeys.signatures![userId]["ed25519:" + sskPubkey] = crossSignature;
+
+    // if we have some key backup info, sign them with the msk
+    keyBackupInfo.forEach((info) => {
+        const unsignedAuthData = Object.assign({}, info.auth_data);
+        delete unsignedAuthData.signatures;
+        const backupSignature = olmAliceMSK.sign(anotherjson.stringify(unsignedAuthData));
+
+        info.auth_data.signatures = {
+            [userId]: {
+                ["ed25519:" + masterPubkey]: backupSignature,
+            },
+        };
+    });
+
+    // clean the olm resources as we don't need them anymore
+    olmAliceMSK.free();
+    olmAliceSSK.free();
+    olmAliceUSK.free();
+
+    return {
+        master_keys: { [userId]: mskInfo },
+        user_signing_keys: { [userId]: uskInfo as SigningKeys },
+        self_signing_keys: { [userId]: sskInfo as SigningKeys },
+        device_keys: { [userId]: { [deviceId]: deviceKeys } },
+    };
+}
+
+/** start an Olm session with a given recipient */
+export async function createOlmSession(
+    olmAccount: Olm.Account,
+    recipientTestClient: IE2EKeyReceiver,
+): Promise<Olm.Session> {
+    const keys = await recipientTestClient.awaitOneTimeKeyUpload();
+    const otkId = Object.keys(keys)[0];
+    const otk = keys[otkId];
+
+    const session = new Olm.Session();
+    session.create_outbound(olmAccount, recipientTestClient.getDeviceKey(), otk.key);
+    return session;
+}
+
+// IToDeviceEvent isn't exported by src/sync-accumulator.ts
+export interface ToDeviceEvent {
+    content: IContent;
+    sender: string;
+    type: string;
+}
+
+/** encrypt an event with an existing olm session */
+export function encryptOlmEvent(opts: {
+    /** the sender's user id */
+    sender?: string;
+    /** the sender's curve25519 key */
+    senderKey: string;
+    /** the sender's ed25519 key */
+    senderSigningKey: string;
+    /** the olm session to use for encryption */
+    p2pSession: Olm.Session;
+    /** the recipient's user id */
+    recipient: string;
+    /** the recipient's curve25519 key */
+    recipientCurve25519Key: string;
+    /** the recipient's ed25519 key */
+    recipientEd25519Key: string;
+    /** the payload of the message */
+    plaincontent?: object;
+    /** the event type of the payload */
+    plaintype?: string;
+}): ToDeviceEvent {
+    expect(opts.senderKey).toBeTruthy();
+    expect(opts.p2pSession).toBeTruthy();
+    expect(opts.recipient).toBeTruthy();
+
+    const plaintext = {
+        content: opts.plaincontent || {},
+        recipient: opts.recipient,
+        recipient_keys: {
+            ed25519: opts.recipientEd25519Key,
+        },
+        keys: {
+            ed25519: opts.senderSigningKey,
+        },
+        sender: opts.sender || "@bob:xyz",
+        type: opts.plaintype || "m.test",
+    };
+
+    return {
+        content: {
+            algorithm: "m.olm.v1.curve25519-aes-sha2",
+            ciphertext: {
+                [opts.recipientCurve25519Key]: opts.p2pSession.encrypt(JSON.stringify(plaintext)),
+            },
+            sender_key: opts.senderKey,
+        },
+        sender: opts.sender || "@bob:xyz",
+        type: "m.room.encrypted",
+    };
+}
+
+// encrypt an event with megolm
+export function encryptMegolmEvent(opts: {
+    senderKey: string;
+    groupSession: Olm.OutboundGroupSession;
+    plaintext?: Partial<IEvent>;
+    room_id?: string;
+}): IEvent {
+    expect(opts.senderKey).toBeTruthy();
+    expect(opts.groupSession).toBeTruthy();
+
+    const plaintext = opts.plaintext || {};
+    if (!plaintext.content) {
+        plaintext.content = {
+            body: "42",
+            msgtype: "m.text",
+        };
+    }
+    if (!plaintext.type) {
+        plaintext.type = "m.room.message";
+    }
+    if (!plaintext.room_id) {
+        expect(opts.room_id).toBeTruthy();
+        plaintext.room_id = opts.room_id;
+    }
+    return encryptMegolmEventRawPlainText({
+        senderKey: opts.senderKey,
+        groupSession: opts.groupSession,
+        plaintext,
+    });
+}
+
+export function encryptMegolmEventRawPlainText(opts: {
+    senderKey: string;
+    groupSession: Olm.OutboundGroupSession;
+    plaintext: Partial<IEvent>;
+    origin_server_ts?: number;
+}): IEvent {
+    return {
+        event_id: "$test_megolm_event_" + Math.random(),
+        sender: opts.plaintext.sender ?? "@not_the_real_sender:example.com",
+        origin_server_ts: opts.plaintext.origin_server_ts ?? 1672944778000,
+        content: {
+            algorithm: "m.megolm.v1.aes-sha2",
+            ciphertext: opts.groupSession.encrypt(JSON.stringify(opts.plaintext)),
+            device_id: "testDevice",
+            sender_key: opts.senderKey,
+            session_id: opts.groupSession.session_id(),
+        },
+        type: "m.room.encrypted",
+        unsigned: {},
+        state_key: opts.plaintext.hasOwnProperty("state_key")
+            ? `${opts.plaintext.type}:${opts.plaintext.state_key}`
+            : undefined,
+    };
+}
+
+/** build an encrypted room_key event to share a group session, using an existing olm session */
+export function encryptGroupSessionKey(opts: {
+    /** recipient's user id */
+    recipient: string;
+    /** the recipient's curve25519 key */
+    recipientCurve25519Key: string;
+    /** the recipient's ed25519 key */
+    recipientEd25519Key: string;
+    /** sender's olm account */
+    olmAccount: Olm.Account;
+    /** sender's olm session with the recipient */
+    p2pSession: Olm.Session;
+    groupSession: Olm.OutboundGroupSession;
+    room_id?: string;
+}): ToDeviceEvent {
+    const senderKeys = JSON.parse(opts.olmAccount.identity_keys());
+    return encryptOlmEvent({
+        senderKey: senderKeys.curve25519,
+        senderSigningKey: senderKeys.ed25519,
+        recipient: opts.recipient,
+        recipientCurve25519Key: opts.recipientCurve25519Key,
+        recipientEd25519Key: opts.recipientEd25519Key,
+        p2pSession: opts.p2pSession,
+        plaincontent: {
+            algorithm: "m.megolm.v1.aes-sha2",
+            room_id: opts.room_id,
+            session_id: opts.groupSession.session_id(),
+            session_key: opts.groupSession.session_key(),
+        },
+        plaintype: "m.room_key",
+    });
+}
+
+/**
+ * Test utility to correctly encrypt a secret send event to a test device using the provided p2p session.
+ *
+ * @param opts - the options for the secret send event
+ * @returns the to-device event, ready to be returned in a sync response for the test device.
+ */
+export function encryptSecretSend(opts: {
+    /** the sender's user id */
+    sender: string;
+    /** recipient's user id */
+    recipient: string;
+    /** the recipient's curve25519 key */
+    recipientCurve25519Key: string;
+    /** the recipient's ed25519 key */
+    recipientEd25519Key: string;
+    /** sender's olm account */
+    olmAccount: Olm.Account;
+    /** sender's olm session with the recipient */
+    p2pSession: Olm.Session;
+    /** The requestId of the secret request that this secret send is replying. */
+    requestId: string;
+    /** The secret value */
+    secret: string;
+}): ToDeviceEvent {
+    const senderKeys = JSON.parse(opts.olmAccount.identity_keys());
+    return encryptOlmEvent({
+        sender: opts.sender,
+        senderKey: senderKeys.curve25519,
+        senderSigningKey: senderKeys.ed25519,
+        recipient: opts.recipient,
+        recipientCurve25519Key: opts.recipientCurve25519Key,
+        recipientEd25519Key: opts.recipientEd25519Key,
+        p2pSession: opts.p2pSession,
+        plaincontent: {
+            request_id: opts.requestId,
+            secret: opts.secret,
+        },
+        plaintype: "m.secret.send",
+    });
+}
+
+/**
+ * Establish an Olm Session with the test user
+ *
+ * Waits for the test user to upload their keys, then sends a /sync response with a to-device message which will
+ * establish an Olm session.
+ *
+ * @param testClient - the MatrixClient under test, which we expect to upload account keys, and to make a
+ *    /sync request which we will respond to.
+ * @param keyReceiver - an IE2EKeyReceiver which will intercept the /keys/upload request from the client under test
+ * @param syncResponder - an ISyncResponder which will intercept /sync requests from the client under test
+ * @param peerOlmAccount: an OlmAccount which will be used to initiate the Olm session.
+ */
+export async function establishOlmSession(
+    testClient: MatrixClient,
+    keyReceiver: IE2EKeyReceiver,
+    syncResponder: ISyncResponder,
+    peerOlmAccount: Olm.Account,
+): Promise<Olm.Session> {
+    const peerE2EKeys = JSON.parse(peerOlmAccount.identity_keys());
+    const p2pSession = await createOlmSession(peerOlmAccount, keyReceiver);
+    const olmEvent = encryptOlmEvent({
+        senderKey: peerE2EKeys.curve25519,
+        senderSigningKey: peerE2EKeys.ed25519,
+        recipient: testClient.getUserId()!,
+        recipientCurve25519Key: keyReceiver.getDeviceKey(),
+        recipientEd25519Key: keyReceiver.getSigningKey(),
+        p2pSession: p2pSession,
+    });
+    syncResponder.sendOrQueueSyncResponse({
+        next_batch: 1,
+        to_device: { events: [olmEvent] },
+    });
+    await syncPromise(testClient);
+    return p2pSession;
+}
+
+/**
+ * Expect that the client shares keys with the given recipient
+ *
+ * Waits for an HTTP request to send the encrypted m.room_key to-device message; decrypts it and uses it
+ * to establish an Olm InboundGroupSession.
+ *
+ * @param recipientUserID - the user id of the expected recipient
+ *
+ * @param recipientOlmAccount - Olm.Account for the recipient
+ *
+ * @param recipientOlmSession - an Olm.Session for the recipient, which must already have exchanged pre-key
+ *    messages with the sender. Alternatively, null, in which case we will expect a pre-key message.
+ *
+ * @returns the established inbound group session
+ */
+export async function expectSendRoomKey(
+    recipientUserID: string,
+    recipientOlmAccount: Olm.Account,
+    recipientOlmSession: Olm.Session | null = null,
+): Promise<Olm.InboundGroupSession> {
+    const testRecipientKey = JSON.parse(recipientOlmAccount.identity_keys())["curve25519"];
+
+    function onSendRoomKey(content: any): Olm.InboundGroupSession {
+        const m = content.messages[recipientUserID].DEVICE_ID;
+        const ct = m.ciphertext[testRecipientKey];
+
+        if (!recipientOlmSession) {
+            expect(ct.type).toEqual(0); // pre-key message
+            recipientOlmSession = new Olm.Session();
+            recipientOlmSession.create_inbound(recipientOlmAccount, ct.body);
+        } else {
+            expect(ct.type).toEqual(1); // regular message
+        }
+
+        const decrypted = JSON.parse(recipientOlmSession.decrypt(ct.type, ct.body));
+        expect(decrypted.type).toEqual("m.room_key");
+        const inboundGroupSession = new Olm.InboundGroupSession();
+        inboundGroupSession.create(decrypted.content.session_key);
+        return inboundGroupSession;
+    }
+    return await new Promise<Olm.InboundGroupSession>((resolve) => {
+        fetchMock.putOnce(new RegExp("/sendToDevice/m.room.encrypted/"), (callLog): RouteResponse => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(onSendRoomKey(content));
+            return {};
+        });
+    });
+}
+
+/**
+ * Return the event received on rooms/{roomId}/send/m.room.encrypted endpoint.
+ * See https://spec.matrix.org/latest/client-server-api/#put_matrixclientv3roomsroomidsendeventtypetxnid
+ * @returns the content of the encrypted event
+ */
+export function expectEncryptedSendMessageEvent() {
+    return new Promise<IContent>((resolve) => {
+        fetchMock.putOnce(new RegExp("/send/m.room.encrypted/"), (callLog) => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(content);
+            return { event_id: "$event_id" };
+        });
+    });
+}
+
+/**
+ * Return the event received on rooms/{roomId}/state/m.room.encrypted/{stateKey} endpoint.
+ * See https://spec.matrix.org/latest/client-server-api/#put_matrixclientv3roomsroomidstateeventtypestatekey
+ * @returns the content of the encrypted event
+ */
+function expectEncryptedSendStateEvent() {
+    return new Promise<IContent>((resolve) => {
+        fetchMock.putOnce(new RegExp("/state/m.room.encrypted/"), (callLog) => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(content);
+            return { event_id: "$event_id" };
+        });
+    });
+}
+
+/**
+ * Expect that the client sends an encrypted message event
+ *
+ * Waits for an HTTP request to send an encrypted message in the test room.
+ *
+ * @param inboundGroupSessionPromise - a promise for an Olm InboundGroupSession, which will
+ *    be used to decrypt the event. We will wait for this to resolve once the HTTP request has been processed.
+ *
+ * @returns The content of the successfully-decrypted event
+ */
+export async function expectSendMegolmMessageEvent(
+    inboundGroupSessionPromise: Promise<Olm.InboundGroupSession>,
+): Promise<Partial<IEvent>> {
+    const encryptedMessageContent = await expectEncryptedSendMessageEvent();
+
+    // In some of the tests, the room key is sent *after* the actual event, so we may need to wait for it now.
+    const inboundGroupSession = await inboundGroupSessionPromise;
+
+    const r: any = inboundGroupSession.decrypt(encryptedMessageContent!.ciphertext);
+    logger.log("Decrypted received megolm message", r);
+    return JSON.parse(r.plaintext);
+}
+
+/**
+ * Expect that the client sends an encrypted state event
+ *
+ * Waits for an HTTP request to send an encrypted state event in the test room.
+ *
+ * @param inboundGroupSessionPromise - a promise for an Olm InboundGroupSession, which will
+ *    be used to decrypt the event. We will wait for this to resolve once the HTTP request has been processed.
+ *
+ * @returns The content of the successfully-decrypted state event
+ */
+export async function expectSendMegolmStateEvent(
+    inboundGroupSessionPromise: Promise<Olm.InboundGroupSession>,
+): Promise<Partial<IEvent>> {
+    const encryptedStateContent = await expectEncryptedSendStateEvent();
+
+    // In some of the tests, the room key is sent *after* the actual event, so we may need to wait for it now.
+    const inboundGroupSession = await inboundGroupSessionPromise;
+
+    const r: any = inboundGroupSession.decrypt(encryptedStateContent!.ciphertext);
+    logger.log("Decrypted received megolm state event", r);
+    return JSON.parse(r.plaintext);
+}
@@ -0,0 +1,511 @@
+/*
+Copyright 2022 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import "fake-indexeddb/auto";
+import { IDBFactory } from "fake-indexeddb";
+import fetchMock from "@fetch-mock/vitest";
+
+import { createClient, IndexedDBCryptoStore } from "../../../src";
+import { populateStore } from "../../test-utils/test_indexeddb_cryptostore_dump";
+import { MSK_NOT_CACHED_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/no_cached_msk_dump";
+import { IDENTITY_NOT_TRUSTED_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/unverified";
+import { FULL_ACCOUNT_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/full_account";
+import { EMPTY_ACCOUNT_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/empty_account";
+import { CryptoEvent } from "../../../src/crypto-api";
+
+vi.setConfig({ testTimeout: 15000 });
+
+afterEach(() => {
+    // reset fake-indexeddb after each test, to make sure we don't leak connections
+    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
+    // eslint-disable-next-line no-global-assign
+    indexedDB = new IDBFactory();
+});
+
+describe("MatrixClient.initRustCrypto", () => {
+    it("should raise if userId or deviceId is unknown", async () => {
+        const unknownUserClient = createClient({
+            baseUrl: "http://test.server",
+            deviceId: "aliceDevice",
+        });
+        await expect(() => unknownUserClient.initRustCrypto()).rejects.toThrow("unknown userId");
+
+        const unknownDeviceClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:test",
+        });
+        await expect(() => unknownDeviceClient.initRustCrypto()).rejects.toThrow("unknown deviceId");
+    });
+
+    it("should create the indexed db", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto();
+
+        // should have an indexed db now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto"]));
+    });
+
+    it("should create the indexed db with a custom prefix", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ cryptoDatabasePrefix: "my-prefix" });
+
+        // should have an indexed db now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(expect.arrayContaining(["my-prefix::matrix-sdk-crypto"]));
+    });
+
+    it("should create the meta db if given a storageKey", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ storageKey: new Uint8Array(32) });
+
+        // should have two indexed dbs now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(
+            expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto", "matrix-js-sdk::matrix-sdk-crypto-meta"]),
+        );
+    });
+
+    it("should create the meta db if given a storagePassword", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ storagePassword: "the cow is on the moon" });
+
+        // should have two indexed dbs now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(
+            expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto", "matrix-js-sdk::matrix-sdk-crypto-meta"]),
+        );
+    });
+
+    // eslint-disable-next-line @vitest/expect-expect
+    it("should ignore a second call", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        await matrixClient.initRustCrypto();
+        await matrixClient.initRustCrypto();
+    });
+
+    describe("Libolm Migration", () => {
+        it("should migrate from libolm", async () => {
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", FULL_ACCOUNT_DATASET.backupResponse);
+
+            fetchMock.post("path:/_matrix/client/v3/keys/query", FULL_ACCOUNT_DATASET.keyQueryResponse);
+
+            const testStoreName = "test-store";
+            await populateStore(testStoreName, FULL_ACCOUNT_DATASET.dumpPath);
+            const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+
+            const matrixClient = createClient({
+                baseUrl: "http://test.server",
+                userId: FULL_ACCOUNT_DATASET.userId,
+                deviceId: FULL_ACCOUNT_DATASET.deviceId,
+                cryptoStore,
+                pickleKey: FULL_ACCOUNT_DATASET.pickleKey,
+            });
+
+            const progressListener = vi.fn();
+            matrixClient.addListener(CryptoEvent.LegacyCryptoStoreMigrationProgress, progressListener);
+
+            await matrixClient.initRustCrypto();
+
+            const verificationStatus = await matrixClient
+                .getCrypto()!
+                .getDeviceVerificationStatus(FULL_ACCOUNT_DATASET.userId, FULL_ACCOUNT_DATASET.deviceId);
+
+            // Check that the current device and identity trust is migrated correctly just after migration
+            expect(verificationStatus).toBeDefined();
+            expect(verificationStatus!.crossSigningVerified).toEqual(true);
+            expect(verificationStatus!.signedByOwner).toEqual(true);
+
+            // Do some basic checks on the imported data
+            const deviceKeys = await matrixClient.getCrypto()!.getOwnDeviceKeys();
+            expect(deviceKeys.curve25519).toEqual("LKv0bKbc0EC4h0jknbemv3QalEkeYvuNeUXVRgVVTTU");
+            expect(deviceKeys.ed25519).toEqual("qK70DEqIXq7T+UU3v/al47Ab4JkMEBLpNrTBMbS5rrw");
+
+            expect(await matrixClient.getCrypto()!.getActiveSessionBackupVersion()).toEqual("7");
+
+            expect(await matrixClient.getCrypto()!.isEncryptionEnabledInRoom("!CWLUCoEWXSFyTCOtfL:matrix.org")).toBe(
+                true,
+            );
+
+            // check the progress callback
+            expect(progressListener.mock.calls.length).toBeGreaterThan(50);
+
+            // The first call should have progress == 0
+            const [firstProgress, totalSteps] = progressListener.mock.calls[0];
+            expect(totalSteps).toBeGreaterThan(3000);
+            expect(firstProgress).toEqual(0);
+
+            for (let i = 1; i < progressListener.mock.calls.length - 1; i++) {
+                const [progress, total] = progressListener.mock.calls[i];
+                expect(total).toEqual(totalSteps);
+                expect(progress).toBeGreaterThan(progressListener.mock.calls[i - 1][0]);
+                expect(progress).toBeLessThanOrEqual(totalSteps);
+            }
+
+            // The final call should have progress == total == -1
+            expect(progressListener).toHaveBeenLastCalledWith(-1, -1);
+        }, 60000);
+
+        describe("Private key backup migration", () => {
+            it("should not migrate the backup private key if backup has changed", async () => {
+                // Here we have a new backup server side, and the migrated account has the previous backup key.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.newBackupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should not migrate the backup private key if backup has unknown algorithm", async () => {
+                // Here we have a new backup server side, and the migrated account has the previous backup key.
+                const backupResponse = {
+                    ...MSK_NOT_CACHED_DATASET.backupResponse,
+                    algorithm: "m.megolm_backup.v8",
+                };
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should not migrate the backup private key if the backup has been deleted", async () => {
+                // The old backup has been deleted server side.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should migrate the backup private key if the backup matches", async () => {
+                // The old backup has been deleted server side.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeDefined();
+            });
+        });
+
+        it("should not migrate if account data is missing", async () => {
+            // See https://github.com/element-hq/element-web/issues/27447
+
+            // Given we have an almost-empty legacy account in the database
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND", error: "No backup found" },
+            });
+            fetchMock.post("path:/_matrix/client/v3/keys/query", EMPTY_ACCOUNT_DATASET.keyQueryResponse);
+
+            const testStoreName = "test-store";
+            await populateStore(testStoreName, EMPTY_ACCOUNT_DATASET.dumpPath);
+            const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+
+            const matrixClient = createClient({
+                baseUrl: "http://test.server",
+                userId: EMPTY_ACCOUNT_DATASET.userId,
+                deviceId: EMPTY_ACCOUNT_DATASET.deviceId,
+                cryptoStore,
+                pickleKey: EMPTY_ACCOUNT_DATASET.pickleKey,
+            });
+
+            // When we start Rust crypto, potentially triggering an upgrade
+            const progressListener = vi.fn();
+            matrixClient.addListener(CryptoEvent.LegacyCryptoStoreMigrationProgress, progressListener);
+
+            await matrixClient.initRustCrypto();
+
+            // Then no error occurs, and no upgrade happens
+            expect(progressListener.mock.calls.length).toBe(0);
+        }, 60000);
+
+        describe("Legacy trust migration", () => {
+            async function populateAndStartLegacyCryptoStore(dumpPath: string): Promise<IndexedDBCryptoStore> {
+                const testStoreName = "test-store";
+                await populateStore(testStoreName, dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+                await cryptoStore.startup();
+                return cryptoStore;
+            }
+
+            it("should not revert to untrusted if legacy was trusted but msk not in cache, big account", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", FULL_ACCOUNT_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(FULL_ACCOUNT_DATASET.dumpPath);
+
+                // Remove the master key from the cache
+                await cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+                    const objectStore = txn.objectStore("account");
+                    objectStore.delete(`ssss_cache:master`);
+                });
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: FULL_ACCOUNT_DATASET.userId,
+                    deviceId: FULL_ACCOUNT_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: FULL_ACCOUNT_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus(FULL_ACCOUNT_DATASET.userId);
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(true);
+            }, 60000);
+
+            it("should not revert to untrusted if legacy was trusted but msk not in cache", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(MSK_NOT_CACHED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@migration:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(true);
+            });
+
+            it("should not migrate local trust if key has changed", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.rotatedKeyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(MSK_NOT_CACHED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@migration:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(false);
+            });
+
+            it("should not migrate local trust if was not trusted in legacy", async () => {
+                // Just 404 here for the test
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", IDENTITY_NOT_TRUSTED_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(IDENTITY_NOT_TRUSTED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: IDENTITY_NOT_TRUSTED_DATASET.userId,
+                    deviceId: IDENTITY_NOT_TRUSTED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: IDENTITY_NOT_TRUSTED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@untrusted:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(false);
+            });
+        });
+    });
+});
+
+describe("MatrixClient.clearStores", () => {
+    it("should clear the indexeddbs", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        await matrixClient.initRustCrypto({ storagePassword: "testKey" });
+        expect(await indexedDB.databases()).toHaveLength(2);
+        await matrixClient.stopClient();
+
+        await matrixClient.clearStores();
+        expect(await indexedDB.databases()).toHaveLength(0);
+    });
+
+    // eslint-disable-next-line @vitest/expect-expect
+    it("should not fail in environments without indexedDB", async () => {
+        // eslint-disable-next-line no-global-assign
+        indexedDB = undefined!;
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        await matrixClient.stopClient();
+
+        await matrixClient.clearStores();
+        // No error thrown in clearStores
+    });
+
+    it("should clear the indexeddbs with a custom prefix", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ cryptoDatabasePrefix: "my-prefix" });
+        expect(await indexedDB.databases()).toHaveLength(1);
+        await matrixClient.stopClient();
+
+        await matrixClient.clearStores({ cryptoDatabasePrefix: "my-prefix" });
+        expect(await indexedDB.databases()).toHaveLength(0);
+    });
+});
@@ -0,0 +1,221 @@
+/*
+Copyright 2025 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import anotherjson from "another-json";
+import fetchMock from "@fetch-mock/vitest";
+import "fake-indexeddb/auto";
+import Olm from "@matrix-org/olm";
+
+import * as testUtils from "../../test-utils/test-utils";
+import { getSyncResponse, syncPromise } from "../../test-utils/test-utils";
+import { TEST_ROOM_ID as ROOM_ID } from "../../test-utils/test-data";
+import { logger } from "../../../src/logger";
+import {
+    createClient,
+    HistoryVisibility,
+    PendingEventOrdering,
+    type IStartClientOpts,
+    type MatrixClient,
+} from "../../../src/matrix";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { type ISyncResponder, SyncResponder } from "../../test-utils/SyncResponder";
+import {
+    createOlmAccount,
+    createOlmSession,
+    encryptGroupSessionKey,
+    encryptMegolmEvent,
+    getTestOlmAccountKeys,
+    expectSendRoomKey,
+    expectSendMegolmStateEvent,
+} from "./olm-utils";
+import { mockInitialApiRequests } from "../../test-utils/mockEndpoints";
+
+describe("Encrypted State Events", () => {
+    let testOlmAccount = {} as unknown as Olm.Account;
+    let testSenderKey = "";
+
+    /** the MatrixClient under test */
+    let aliceClient: MatrixClient;
+
+    /** an object which intercepts `/keys/upload` requests from {@link #aliceClient} to catch the uploaded keys */
+    let keyReceiver: E2EKeyReceiver;
+
+    /** an object which intercepts `/sync` requests from {@link #aliceClient} */
+    let syncResponder: ISyncResponder;
+
+    async function startClientAndAwaitFirstSync(opts: IStartClientOpts = {}): Promise<void> {
+        logger.log(aliceClient.getUserId() + ": starting");
+
+        mockInitialApiRequests(aliceClient.getHomeserverUrl());
+
+        // we let the client do a very basic initial sync, which it needs before
+        // it will upload one-time keys.
+        syncResponder.sendOrQueueSyncResponse({ next_batch: 1 });
+
+        aliceClient.startClient({
+            // set this so that we can get hold of failed events
+            pendingEventOrdering: PendingEventOrdering.Detached,
+            ...opts,
+        });
+
+        await syncPromise(aliceClient);
+        logger.log(aliceClient.getUserId() + ": started");
+    }
+
+    beforeEach(async () => {
+        fetchMock.catch(404);
+
+        const homeserverUrl = "https://alice-server.com";
+        aliceClient = createClient({
+            baseUrl: homeserverUrl,
+            userId: "@alice:localhost",
+            accessToken: "akjgkrgjs",
+            deviceId: "xzcvb",
+            logger: logger.getChild("aliceClient"),
+            enableEncryptedStateEvents: true,
+        });
+
+        keyReceiver = new E2EKeyReceiver(homeserverUrl);
+        syncResponder = new SyncResponder(homeserverUrl);
+
+        await aliceClient.initRustCrypto();
+
+        // create a test olm device which we will use to communicate with alice. We use libolm to implement this.
+        testOlmAccount = await createOlmAccount();
+        const testE2eKeys = JSON.parse(testOlmAccount.identity_keys());
+        testSenderKey = testE2eKeys.curve25519;
+    }, 10000);
+
+    afterEach(async () => {
+        aliceClient.stopClient();
+    });
+
+    function expectAliceKeyQuery(response: any) {
+        fetchMock.postOnce(new RegExp("/keys/query"), (callLog) => response);
+    }
+
+    function expectAliceKeyClaim(response: any) {
+        fetchMock.postOnce(new RegExp("/keys/claim"), response);
+    }
+
+    function getTestKeysClaimResponse(userId: string) {
+        testOlmAccount.generate_one_time_keys(1);
+        const testOneTimeKeys = JSON.parse(testOlmAccount.one_time_keys());
+        testOlmAccount.mark_keys_as_published();
+
+        const keyId = Object.keys(testOneTimeKeys.curve25519)[0];
+        const oneTimeKey: string = testOneTimeKeys.curve25519[keyId];
+        const unsignedKeyResult = { key: oneTimeKey };
+        const j = anotherjson.stringify(unsignedKeyResult);
+        const sig = testOlmAccount.sign(j);
+        const keyResult = {
+            ...unsignedKeyResult,
+            signatures: { [userId]: { "ed25519:DEVICE_ID": sig } },
+        };
+
+        return {
+            one_time_keys: { [userId]: { DEVICE_ID: { ["signed_curve25519:" + keyId]: keyResult } } },
+            failures: {},
+        };
+    }
+
+    it("Should receive an encrypted state event", async () => {
+        expectAliceKeyQuery({ device_keys: { "@alice:localhost": {} }, failures: {} });
+        await startClientAndAwaitFirstSync();
+
+        const p2pSession = await createOlmSession(testOlmAccount, keyReceiver);
+        const groupSession = new Olm.OutboundGroupSession();
+        groupSession.create();
+
+        // make the room_key event
+        const roomKeyEncrypted = encryptGroupSessionKey({
+            recipient: aliceClient.getUserId()!,
+            recipientCurve25519Key: keyReceiver.getDeviceKey(),
+            recipientEd25519Key: keyReceiver.getSigningKey(),
+            olmAccount: testOlmAccount,
+            p2pSession: p2pSession,
+            groupSession: groupSession,
+            room_id: ROOM_ID,
+        });
+
+        // encrypt a state event with the group session
+        const eventEncrypted = encryptMegolmEvent({
+            senderKey: testSenderKey,
+            groupSession: groupSession,
+            room_id: ROOM_ID,
+            plaintext: {
+                type: "m.room.topic",
+                state_key: "",
+                content: {
+                    topic: "Secret!",
+                },
+            },
+        });
+
+        // Alice gets both the events in a single sync
+        const syncResponse = {
+            next_batch: 1,
+            to_device: {
+                events: [roomKeyEncrypted],
+            },
+            rooms: {
+                join: {
+                    [ROOM_ID]: { timeline: { events: [eventEncrypted] } },
+                },
+            },
+        };
+
+        syncResponder.sendOrQueueSyncResponse(syncResponse);
+        await syncPromise(aliceClient);
+
+        const room = aliceClient.getRoom(ROOM_ID)!;
+        const event = room.getLiveTimeline().getEvents()[0];
+        expect(event.isEncrypted()).toBe(true);
+
+        // it probably won't be decrypted yet, because it takes a while to process the olm keys
+        const decryptedEvent = await testUtils.awaitDecryption(event, { waitOnDecryptionFailure: true });
+        expect(decryptedEvent.getContent().topic).toEqual("Secret!");
+    });
+
+    // eslint-disable-next-line @vitest/expect-expect
+    it("Should send an encrypted state event", async () => {
+        const homeserverUrl = aliceClient.getHomeserverUrl();
+        const keyResponder = new E2EKeyResponder(homeserverUrl);
+        keyResponder.addKeyReceiver("@alice:localhost", keyReceiver);
+
+        const testDeviceKeys = getTestOlmAccountKeys(testOlmAccount, "@bob:xyz", "DEVICE_ID");
+        keyResponder.addDeviceKeys(testDeviceKeys);
+
+        await startClientAndAwaitFirstSync();
+
+        // Alice shares a room with Bob
+        syncResponder.sendOrQueueSyncResponse(getSyncResponse(["@bob:xyz"], HistoryVisibility.Joined, ROOM_ID, true));
+        await syncPromise(aliceClient);
+
+        // ... and claim one of Bob's OTKs ...
+        expectAliceKeyClaim(getTestKeysClaimResponse("@bob:xyz"));
+
+        // ... and send an m.room.topic message
+        const inboundGroupSessionPromise = expectSendRoomKey("@bob:xyz", testOlmAccount);
+
+        // Finally, send the message, and expect to get an `m.room.encrypted` event that we can decrypt.
+        await Promise.all([
+            aliceClient.setRoomTopic(ROOM_ID, "Secret!"),
+            expectSendMegolmStateEvent(inboundGroupSessionPromise),
+        ]);
+    });
+});
@@ -0,0 +1,268 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMock from "@fetch-mock/vitest";
+import "fake-indexeddb/auto";
+import { IDBFactory } from "fake-indexeddb";
+import Olm from "@matrix-org/olm";
+
+import { getSyncResponse, syncPromise } from "../../test-utils/test-utils";
+import {
+    ClientEvent,
+    createClient,
+    type IToDeviceEvent,
+    type MatrixClient,
+    type MatrixEvent,
+    type ReceivedToDeviceMessage,
+} from "../../../src";
+import * as testData from "../../test-utils/test-data";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { SyncResponder } from "../../test-utils/SyncResponder";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { encryptOlmEvent, establishOlmSession, getTestOlmAccountKeys } from "./olm-utils.ts";
+
+afterEach(() => {
+    // reset fake-indexeddb after each test, to make sure we don't leak connections
+    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
+    // eslint-disable-next-line no-global-assign
+    indexedDB = new IDBFactory();
+});
+
+/**
+ * Integration tests for to-device messages functionality.
+ *
+ * These tests work by intercepting HTTP requests via fetch-mock rather than mocking out bits of the client, so as
+ * to provide the most effective integration tests possible.
+ */
+describe("to-device-messages", () => {
+    let aliceClient: MatrixClient;
+
+    /** an object which intercepts `/keys/query` requests on the test homeserver */
+    let e2eKeyResponder: E2EKeyResponder;
+    let e2eKeyReceiver: E2EKeyReceiver;
+    let syncResponder: SyncResponder;
+
+    beforeEach(
+        async () => {
+            // anything that we don't have a specific matcher for silently returns a 404
+            fetchMock.catch(404);
+
+            const homeserverUrl = "https://server.com";
+            aliceClient = createClient({
+                baseUrl: homeserverUrl,
+                userId: testData.TEST_USER_ID,
+                accessToken: "akjgkrgjsalice",
+                deviceId: testData.TEST_DEVICE_ID,
+            });
+
+            e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+            e2eKeyReceiver = new E2EKeyReceiver(homeserverUrl);
+            syncResponder = new SyncResponder(homeserverUrl);
+
+            // add bob as known user
+            syncResponder.sendOrQueueSyncResponse(getSyncResponse([testData.BOB_TEST_USER_ID]));
+
+            // Silence warnings from the backup manager
+            fetchMock.getOnce(new URL("/_matrix/client/v3/room_keys/version", homeserverUrl).toString(), {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND" },
+            });
+
+            fetchMock.get(new URL("/_matrix/client/v3/pushrules/", homeserverUrl).toString(), {});
+            fetchMock.get(new URL("/_matrix/client/versions/", homeserverUrl).toString(), {});
+            fetchMock.post(
+                new URL(
+                    `/_matrix/client/v3/user/${encodeURIComponent(testData.TEST_USER_ID)}/filter`,
+                    homeserverUrl,
+                ).toString(),
+                { filter_id: "fid" },
+            );
+
+            await aliceClient.initRustCrypto();
+        },
+        /* it can take a while to initialise the crypto library on the first pass, so bump up the timeout. */
+        10000,
+    );
+
+    afterEach(async () => {
+        aliceClient.stopClient();
+    });
+
+    describe("encryptToDeviceMessages", () => {
+        it("returns empty batch for device that is not known", async () => {
+            await aliceClient.startClient();
+
+            const toDeviceBatch = await aliceClient
+                .getCrypto()
+                ?.encryptToDeviceMessages(
+                    "m.test.event",
+                    [{ userId: testData.BOB_TEST_USER_ID, deviceId: testData.BOB_TEST_DEVICE_ID }],
+                    {
+                        some: "content",
+                    },
+                );
+
+            expect(toDeviceBatch).toBeDefined();
+            const { batch, eventType } = toDeviceBatch!;
+            expect(eventType).toBe("m.room.encrypted");
+            expect(batch.length).toBe(0);
+        });
+
+        it("returns encrypted batch for known device", async () => {
+            await aliceClient.startClient();
+            e2eKeyResponder.addDeviceKeys(testData.BOB_SIGNED_TEST_DEVICE_DATA);
+            fetchMock.post("express:/_matrix/client/v3/keys/claim", () => ({
+                one_time_keys: testData.BOB_ONE_TIME_KEYS,
+            }));
+            await syncPromise(aliceClient);
+
+            const toDeviceBatch = await aliceClient
+                .getCrypto()
+                ?.encryptToDeviceMessages(
+                    "m.test.event",
+                    [{ userId: testData.BOB_TEST_USER_ID, deviceId: testData.BOB_TEST_DEVICE_ID }],
+                    {
+                        some: "content",
+                    },
+                );
+
+            expect(toDeviceBatch?.batch.length).toBe(1);
+            expect(toDeviceBatch?.eventType).toBe("m.room.encrypted");
+            const { deviceId, payload, userId } = toDeviceBatch!.batch[0];
+            expect(deviceId).toBe(testData.BOB_TEST_DEVICE_ID);
+            expect(userId).toBe(testData.BOB_TEST_USER_ID);
+            expect(payload.algorithm).toBe("m.olm.v1.curve25519-aes-sha2");
+            expect(payload.sender_key).toEqual(expect.any(String));
+            expect(payload.ciphertext).toEqual(
+                expect.objectContaining({
+                    [testData.BOB_SIGNED_TEST_DEVICE_DATA.keys[`curve25519:${testData.BOB_TEST_DEVICE_ID}`]]: {
+                        body: expect.any(String),
+                        type: 0,
+                    },
+                }),
+            );
+
+            // for future: check that bob's device can decrypt the ciphertext?
+        });
+    });
+
+    describe("receive to-device-messages", () => {
+        it("Should receive decrypted to-device message via ClientEvent", async () => {
+            // create a test olm device which we will use to communicate with alice. We use libolm to implement this.
+            await Olm.init();
+            const testOlmAccount = new Olm.Account();
+            testOlmAccount.create();
+
+            const testDeviceKeys = getTestOlmAccountKeys(testOlmAccount, "@bob:xyz", "DEVICE_ID");
+            e2eKeyResponder.addDeviceKeys(testDeviceKeys);
+
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            syncResponder.sendOrQueueSyncResponse(getSyncResponse(["@bob:xyz"]));
+            await syncPromise(aliceClient);
+
+            const p2pSession = await establishOlmSession(aliceClient, e2eKeyReceiver, syncResponder, testOlmAccount);
+
+            const toDeviceEvent = encryptOlmEvent({
+                sender: "@bob:xyz",
+                senderKey: testDeviceKeys.keys[`curve25519:DEVICE_ID`],
+                senderSigningKey: testDeviceKeys.keys[`ed25519:DEVICE_ID`],
+                p2pSession: p2pSession,
+                recipient: aliceClient.getUserId()!,
+                recipientCurve25519Key: e2eKeyReceiver.getDeviceKey(),
+                recipientEd25519Key: e2eKeyReceiver.getSigningKey(),
+                plaincontent: {
+                    body: "foo",
+                },
+                plaintype: "m.test.type",
+            });
+
+            const processedToDeviceResolver: PromiseWithResolvers<ReceivedToDeviceMessage> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ReceivedToDeviceMessage, (payload) => {
+                processedToDeviceResolver.resolve(payload);
+            });
+
+            const oldToDeviceResolver: PromiseWithResolvers<MatrixEvent> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ToDeviceEvent, (event) => {
+                oldToDeviceResolver.resolve(event);
+            });
+
+            expect(toDeviceEvent.type).toBe("m.room.encrypted");
+
+            syncResponder.sendOrQueueSyncResponse({ to_device: { events: [toDeviceEvent] } });
+            await syncPromise(aliceClient);
+
+            const { message, encryptionInfo } = await processedToDeviceResolver.promise;
+
+            expect(message.type).toBe("m.test.type");
+            expect(message.content["body"]).toBe("foo");
+
+            expect(encryptionInfo).not.toBeNull();
+            expect(encryptionInfo!.senderVerified).toBe(false);
+            expect(encryptionInfo!.sender).toBe("@bob:xyz");
+            expect(encryptionInfo!.senderDevice).toBe("DEVICE_ID");
+
+            const oldFormat = await oldToDeviceResolver.promise;
+            expect(oldFormat.isEncrypted()).toBe(true);
+            expect(oldFormat.getType()).toBe("m.test.type");
+            expect(oldFormat.getContent()["body"]).toBe("foo");
+        });
+
+        it("Should receive clear to-device message via ClientEvent", async () => {
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            const toDeviceEvent: IToDeviceEvent = {
+                sender: "@bob:xyz",
+                type: "m.test.type",
+                content: {
+                    body: "foo",
+                },
+            };
+
+            const processedToDeviceResolver: PromiseWithResolvers<ReceivedToDeviceMessage> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ReceivedToDeviceMessage, (payload) => {
+                processedToDeviceResolver.resolve(payload);
+            });
+
+            const oldToDeviceResolver: PromiseWithResolvers<MatrixEvent> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ToDeviceEvent, (event) => {
+                oldToDeviceResolver.resolve(event);
+            });
+
+            syncResponder.sendOrQueueSyncResponse({ to_device: { events: [toDeviceEvent] } });
+            await syncPromise(aliceClient);
+
+            const { message, encryptionInfo } = await processedToDeviceResolver.promise;
+
+            expect(message.type).toBe("m.test.type");
+            expect(message.content["body"]).toBe("foo");
+
+            // When the message is not encrypted, we don't have the encryptionInfo.
+            expect(encryptionInfo).toBeNull();
+
+            const oldFormat = await oldToDeviceResolver.promise;
+            expect(oldFormat.isEncrypted()).toBe(false);
+            expect(oldFormat.getType()).toBe("m.test.type");
+            expect(oldFormat.getContent()["body"]).toBe("foo");
+        });
+    });
+});
@@ -1,405 +0,0 @@
-/*
-Copyright 2017 Vector Creations Ltd
-Copyright 2018 New Vector Ltd
-Copyright 2019 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import { TestClient } from "../TestClient";
-import * as testUtils from "../test-utils/test-utils";
-import { logger } from "../../src/logger";
-
-const ROOM_ID = "!room:id";
-
-/**
- * get a /sync response which contains a single e2e room (ROOM_ID), with the
- * members given
- *
- * @returns sync response
- */
-function getSyncResponse(roomMembers: string[]) {
-    const stateEvents = [
-        testUtils.mkEvent({
-            type: "m.room.encryption",
-            skey: "",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-            },
-        }),
-    ];
-
-    Array.prototype.push.apply(
-        stateEvents,
-        roomMembers.map((m) =>
-            testUtils.mkMembership({
-                mship: "join",
-                sender: m,
-            }),
-        ),
-    );
-
-    const syncResponse = {
-        next_batch: 1,
-        rooms: {
-            join: {
-                [ROOM_ID]: {
-                    state: {
-                        events: stateEvents,
-                    },
-                },
-            },
-        },
-    };
-
-    return syncResponse;
-}
-
-describe("DeviceList management:", function () {
-    if (!global.Olm) {
-        logger.warn("not running deviceList tests: Olm not present");
-        return;
-    }
-
-    let aliceTestClient: TestClient;
-    let sessionStoreBackend: Storage;
-
-    async function createTestClient() {
-        const testClient = new TestClient("@alice:localhost", "xzcvb", "akjgkrgjs", sessionStoreBackend);
-        await testClient.client.initCrypto();
-        return testClient;
-    }
-
-    beforeEach(async function () {
-        // we create our own sessionStoreBackend so that we can use it for
-        // another TestClient.
-        sessionStoreBackend = new testUtils.MockStorageApi();
-
-        aliceTestClient = await createTestClient();
-    });
-
-    afterEach(function () {
-        return aliceTestClient.stop();
-    });
-
-    it("Alice shouldn't do a second /query for non-e2e-capable devices", function () {
-        aliceTestClient.expectKeyQuery({
-            device_keys: { "@alice:localhost": {} },
-            failures: {},
-        });
-        return aliceTestClient
-            .start()
-            .then(function () {
-                const syncResponse = getSyncResponse(["@bob:xyz"]);
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, syncResponse);
-
-                return aliceTestClient.flushSync();
-            })
-            .then(function () {
-                logger.log("Forcing alice to download our device keys");
-
-                aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                    device_keys: {
-                        "@bob:xyz": {},
-                    },
-                });
-
-                return Promise.all([
-                    aliceTestClient.client.downloadKeys(["@bob:xyz"]),
-                    aliceTestClient.httpBackend.flush("/keys/query", 1),
-                ]);
-            })
-            .then(function () {
-                logger.log("Telling alice to send a megolm message");
-
-                aliceTestClient.httpBackend.when("PUT", "/send/").respond(200, {
-                    event_id: "$event_id",
-                });
-
-                return Promise.all([
-                    aliceTestClient.client.sendTextMessage(ROOM_ID, "test"),
-
-                    // the crypto stuff can take a while, so give the requests a whole second.
-                    aliceTestClient.httpBackend.flushAllExpected({
-                        timeout: 1000,
-                    }),
-                ]);
-            });
-    });
-
-    it.skip("We should not get confused by out-of-order device query responses", () => {
-        // https://github.com/vector-im/element-web/issues/3126
-        aliceTestClient.expectKeyQuery({
-            device_keys: { "@alice:localhost": {} },
-            failures: {},
-        });
-        return aliceTestClient
-            .start()
-            .then(() => {
-                aliceTestClient.httpBackend
-                    .when("GET", "/sync")
-                    .respond(200, getSyncResponse(["@bob:xyz", "@chris:abc"]));
-                return aliceTestClient.flushSync();
-            })
-            .then(() => {
-                // to make sure the initial device queries are flushed out, we
-                // attempt to send a message.
-
-                aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                    device_keys: {
-                        "@bob:xyz": {},
-                        "@chris:abc": {},
-                    },
-                });
-
-                aliceTestClient.httpBackend.when("PUT", "/send/").respond(200, { event_id: "$event1" });
-
-                return Promise.all([
-                    aliceTestClient.client.sendTextMessage(ROOM_ID, "test"),
-                    aliceTestClient.httpBackend
-                        .flush("/keys/query", 1)
-                        .then(() => aliceTestClient.httpBackend.flush("/send/", 1)),
-                    aliceTestClient.client.crypto!.deviceList.saveIfDirty(),
-                ]);
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    expect(data!.syncToken).toEqual(1);
-                });
-
-                // invalidate bob's and chris's device lists in separate syncs
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                    next_batch: "2",
-                    device_lists: {
-                        changed: ["@bob:xyz"],
-                    },
-                });
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                    next_batch: "3",
-                    device_lists: {
-                        changed: ["@chris:abc"],
-                    },
-                });
-                // flush both syncs
-                return aliceTestClient.flushSync().then(() => {
-                    return aliceTestClient.flushSync();
-                });
-            })
-            .then(() => {
-                // check that we don't yet have a request for chris's devices.
-                aliceTestClient.httpBackend
-                    .when("POST", "/keys/query", {
-                        device_keys: {
-                            "@chris:abc": {},
-                        },
-                        token: "3",
-                    })
-                    .respond(200, {
-                        device_keys: { "@chris:abc": {} },
-                    });
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(0);
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    if (bobStat != 1 && bobStat != 2) {
-                        throw new Error("Unexpected status for bob: wanted 1 or 2, got " + bobStat);
-                    }
-                    const chrisStat = data!.trackingStatus["@chris:abc"];
-                    if (chrisStat != 1 && chrisStat != 2) {
-                        throw new Error("Unexpected status for chris: wanted 1 or 2, got " + chrisStat);
-                    }
-                });
-
-                // now add an expectation for a query for bob's devices, and let
-                // it complete.
-                aliceTestClient.httpBackend
-                    .when("POST", "/keys/query", {
-                        device_keys: {
-                            "@bob:xyz": {},
-                        },
-                        token: "2",
-                    })
-                    .respond(200, {
-                        device_keys: { "@bob:xyz": {} },
-                    });
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(1);
-
-                // wait for the client to stop processing the response
-                return aliceTestClient.client.downloadKeys(["@bob:xyz"]);
-            })
-            .then(() => {
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    expect(bobStat).toEqual(3);
-                    const chrisStat = data!.trackingStatus["@chris:abc"];
-                    if (chrisStat != 1 && chrisStat != 2) {
-                        throw new Error("Unexpected status for chris: wanted 1 or 2, got " + bobStat);
-                    }
-                });
-
-                // now let the query for chris's devices complete.
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(1);
-
-                // wait for the client to stop processing the response
-                return aliceTestClient.client.downloadKeys(["@chris:abc"]);
-            })
-            .then(() => {
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    const chrisStat = data!.trackingStatus["@bob:xyz"];
-
-                    expect(bobStat).toEqual(3);
-                    expect(chrisStat).toEqual(3);
-                    expect(data!.syncToken).toEqual(3);
-                });
-            });
-    });
-
-    // https://github.com/vector-im/element-web/issues/4983
-    describe("Alice should know she has stale device lists", () => {
-        beforeEach(async function () {
-            await aliceTestClient.start();
-
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, getSyncResponse(["@bob:xyz"]));
-            await aliceTestClient.flushSync();
-
-            aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                device_keys: {
-                    "@bob:xyz": {},
-                },
-            });
-            await aliceTestClient.httpBackend.flush("/keys/query", 1);
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should be tracking bob's device list
-                expect(bobStat).toBeGreaterThan(0);
-            });
-        });
-
-        it("when Bob leaves", async function () {
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                next_batch: 2,
-                device_lists: {
-                    left: ["@bob:xyz"],
-                },
-                rooms: {
-                    join: {
-                        [ROOM_ID]: {
-                            timeline: {
-                                events: [
-                                    testUtils.mkMembership({
-                                        mship: "leave",
-                                        sender: "@bob:xyz",
-                                    }),
-                                ],
-                            },
-                        },
-                    },
-                },
-            });
-
-            await aliceTestClient.flushSync();
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should have marked bob's device list as untracked
-                expect(bobStat).toEqual(0);
-            });
-        });
-
-        it("when Alice leaves", async function () {
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                next_batch: 2,
-                device_lists: {
-                    left: ["@bob:xyz"],
-                },
-                rooms: {
-                    leave: {
-                        [ROOM_ID]: {
-                            timeline: {
-                                events: [
-                                    testUtils.mkMembership({
-                                        mship: "leave",
-                                        sender: "@bob:xyz",
-                                    }),
-                                ],
-                            },
-                        },
-                    },
-                },
-            });
-
-            await aliceTestClient.flushSync();
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should have marked bob's device list as untracked
-                expect(bobStat).toEqual(0);
-            });
-        });
-
-        it("when Bob leaves whilst Alice is offline", async function () {
-            aliceTestClient.stop();
-
-            const anotherTestClient = await createTestClient();
-
-            try {
-                await anotherTestClient.start();
-                anotherTestClient.httpBackend.when("GET", "/sync").respond(200, getSyncResponse([]));
-                await anotherTestClient.flushSync();
-                await anotherTestClient.client?.crypto?.deviceList?.saveIfDirty();
-
-                // @ts-ignore accessing private property
-                anotherTestClient.client.cryptoStore.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                    // Alice should have marked bob's device list as untracked
-                    expect(bobStat).toEqual(0);
-                });
-            } finally {
-                anotherTestClient.stop();
-            }
-        });
-    });
-});
@@ -14,13 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import {
    ClientEvent,
    HttpApiEvent,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    RoomEvent,
    RoomMemberEvent,
    RoomStateEvent,
@@ -28,6 +27,7 @@ import {
 } from "../../src";
 import * as utils from "../test-utils/test-utils";
 import { TestClient } from "../TestClient";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient events", function () {
    const selfUserId = "@alice:localhost";
@@ -85,16 +85,14 @@ describe("MatrixClient events", function () {
                            events: [
                                utils.mkMembership({
                                    room: "!erufh:bar",
-                                    mship: "join",
+                                    mship: KnownMembership.Join,
                                    user: "@foo:bar",
                                }),
                                utils.mkEvent({
                                    type: "m.room.create",
                                    room: "!erufh:bar",
                                    user: "@foo:bar",
-                                    content: {
-                                        creator: "@foo:bar",
-                                    },
+                                    content: {},
                                }),
                            ],
                        },
@@ -196,6 +194,37 @@ describe("MatrixClient events", function () {
            expect(fired).toBe(true);
        });

+        it("should emit User events when presence data is absent in first sync", async () => {
+            const MODIFIED_SYNC_DATA: any = structuredClone(SYNC_DATA);
+            delete MODIFIED_SYNC_DATA["presence"];
+            const MODIFIED_NEXT_SYNC_DATA: any = structuredClone(NEXT_SYNC_DATA);
+            MODIFIED_NEXT_SYNC_DATA.presence = {
+                events: [
+                    utils.mkPresence({
+                        user: "@foo:bar",
+                        name: "Foo Bar",
+                        presence: "online",
+                    }),
+                ],
+            };
+            httpBackend!.when("GET", "/sync").respond(200, MODIFIED_SYNC_DATA);
+            httpBackend!.when("GET", "/sync").respond(200, MODIFIED_NEXT_SYNC_DATA);
+            let fired = false;
+            client!.on(UserEvent.Presence, function (event, user) {
+                fired = true;
+                expect(user).toBeTruthy();
+                expect(event).toBeTruthy();
+                if (!user || !event) {
+                    return;
+                }
+                expect(event.event).toEqual(MODIFIED_NEXT_SYNC_DATA.presence.events[0]);
+                expect(user.presence).toEqual(MODIFIED_NEXT_SYNC_DATA.presence.events[0]?.content?.presence);
+            });
+            client!.startClient();
+            await httpBackend!.flushAllExpected();
+            expect(fired).toBe(true);
+        });
+
        it("should emit Room events", function () {
            httpBackend!.when("GET", "/sync").respond(200, SYNC_DATA);
            httpBackend!.when("GET", "/sync").respond(200, NEXT_SYNC_DATA);
@@ -243,7 +272,7 @@ describe("MatrixClient events", function () {
                membersInvokeCount++;
                expect(member.roomId).toEqual("!erufh:bar");
                expect(member.userId).toEqual("@foo:bar");
-                expect(member.membership).toEqual("join");
+                expect(member.membership).toEqual(KnownMembership.Join);
            });
            client!.on(RoomStateEvent.NewMember, function (event, state, member) {
                newMemberInvokeCount++;
@@ -281,7 +310,7 @@ describe("MatrixClient events", function () {
            });
            client!.on(RoomMemberEvent.Membership, function (event, member) {
                membershipInvokeCount++;
-                expect(member.membership).toEqual("join");
+                expect(member.membership).toEqual(KnownMembership.Join);
            });

            client!.startClient();
@@ -21,18 +21,22 @@ import {
    EventStatus,
    EventTimeline,
    EventTimelineSet,
+    EventType,
    Filter,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    MatrixEvent,
    PendingEventOrdering,
+    RelationType,
    Room,
 } from "../../src/matrix";
 import { logger } from "../../src/logger";
-import { encodeParams, encodeUri, QueryDict, replaceParam } from "../../src/utils";
+import { encodeParams, encodeUri, type QueryDict, replaceParam } from "../../src/utils";
 import { TestClient } from "../TestClient";
-import { FeatureSupport, Thread, THREAD_RELATION_TYPE, ThreadEvent } from "../../src/models/thread";
+import { FeatureSupport, Thread, ThreadEvent } from "../../src/models/thread";
 import { emitPromise } from "../test-utils/test-utils";
+import { Feature, ServerSupport } from "../../src/feature";
+import { KnownMembership } from "../../src/@types/membership";

 const userId = "@alice:localhost";
 const userName = "Alice";
@@ -60,7 +64,7 @@ const buildRelationPaginationQuery = (params: QueryDict): string => {

 const USER_MEMBERSHIP_EVENT = utils.mkMembership({
    room: roomId,
-    mship: "join",
+    mship: KnownMembership.Join,
    user: userId,
    name: userName,
    event: false,
@@ -95,7 +99,7 @@ const INITIAL_SYNC_DATA = {
                    events: [
                        withoutRoomId(ROOM_NAME_EVENT),
                        utils.mkMembership({
-                            mship: "join",
+                            mship: KnownMembership.Join,
                            user: otherUserId,
                            name: "Bob",
                            event: false,
@@ -104,9 +108,7 @@ const INITIAL_SYNC_DATA = {
                        utils.mkEvent({
                            type: "m.room.create",
                            user: userId,
-                            content: {
-                                creator: userId,
-                            },
+                            content: {},
                            event: false,
                        }),
                    ],
@@ -204,7 +206,7 @@ function startClient(httpBackend: HttpBackend, client: MatrixClient) {
    httpBackend.when("POST", "/filter").respond(200, { filter_id: "fid" });
    httpBackend.when("GET", "/sync").respond(200, INITIAL_SYNC_DATA);

-    client.startClient();
+    client.startClient({ threadSupport: true });

    // set up a promise which will resolve once the client is initialised
    const prom = new Promise<void>((resolve) => {
@@ -245,7 +247,7 @@ describe("getEventTimeline support", function () {
        return startClient(httpBackend, client).then(function () {
            const room = client.getRoom(roomId)!;
            const timelineSet = room!.getTimelineSets()[0];
-            expect(client.getEventTimeline(timelineSet, "event")).rejects.toBeTruthy();
+            return expect(client.getEventTimeline(timelineSet, "event")).rejects.toBeTruthy();
        });
    });

@@ -257,7 +259,18 @@ describe("getEventTimeline support", function () {
        return startClient(httpBackend, client).then(() => {
            const room = client.getRoom(roomId)!;
            const timelineSet = room!.getTimelineSets()[0];
-            expect(client.getEventTimeline(timelineSet, "event")).rejects.toBeFalsy();
+            httpBackend.when("GET", `/rooms/${encodeURIComponent(roomId)}/context/event`).respond(200, () => ({
+                event: {
+                    event_id: "event",
+                },
+                events_after: [],
+                events_before: [],
+                state: [],
+            }));
+            return Promise.all([
+                expect(client.getEventTimeline(timelineSet, "event")).resolves.toBeTruthy(),
+                httpBackend.flushAllExpected(),
+            ]);
        });
    });

@@ -268,7 +281,7 @@ describe("getEventTimeline support", function () {

        return startClient(httpBackend, client).then(function () {
            const timelineSet = new EventTimelineSet(undefined);
-            expect(client.getEventTimeline(timelineSet, "event")).rejects.toBeTruthy();
+            return expect(client.getEventTimeline(timelineSet, "event")).rejects.toBeTruthy();
        });
    });

@@ -601,25 +614,12 @@ describe("MatrixClient event timelines", function () {
                    return THREAD_ROOT;
                });

-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-
            httpBackend
                .when(
                    "GET",
                    "/rooms/!foo%3Abar/relations/" +
                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Backward, limit: 1 }),
+                        buildRelationPaginationQuery({ dir: Direction.Backward }),
                )
                .respond(200, function () {
                    return {
@@ -631,12 +631,6 @@ describe("MatrixClient event timelines", function () {
            const thread = room.createThread(THREAD_ROOT.event_id!, undefined, [], false);
            await httpBackend.flushAllExpected();
            const timelineSet = thread.timelineSet;
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            await flushHttp(emitPromise(thread, ThreadEvent.Update));

            const timeline = await client.getEventTimeline(timelineSet, THREAD_REPLY.event_id!);

@@ -678,7 +672,7 @@ describe("MatrixClient event timelines", function () {
            expect(timeline!.getEvents().find((e) => e.getId() === THREAD_ROOT.event_id!)).toBeTruthy();
        });

-        it("should return undefined when event is not in the thread that the given timelineSet is representing", () => {
+        it("should return null when event is not in the thread that the given timelineSet is representing", () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
            Thread.setServerSideSupport(FeatureSupport.Experimental);
@@ -702,12 +696,12 @@ describe("MatrixClient event timelines", function () {
                });

            return Promise.all([
-                expect(client.getEventTimeline(timelineSet, EVENTS[0].event_id!)).resolves.toBeUndefined(),
+                expect(client.getEventTimeline(timelineSet, EVENTS[0].event_id!)).resolves.toBeNull(),
                httpBackend.flushAllExpected(),
            ]);
        });

-        it("should return undefined when event is within a thread but timelineSet is not", () => {
+        it("should return null when event is within a thread but timelineSet is not", () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
            Thread.setServerSideSupport(FeatureSupport.Experimental);
@@ -729,7 +723,7 @@ describe("MatrixClient event timelines", function () {
                });

            return Promise.all([
-                expect(client.getEventTimeline(timelineSet, THREAD_REPLY.event_id!)).resolves.toBeUndefined(),
+                expect(client.getEventTimeline(timelineSet, THREAD_REPLY.event_id!)).resolves.toBeNull(),
                httpBackend.flushAllExpected(),
            ]);
        });
@@ -787,7 +781,18 @@ describe("MatrixClient event timelines", function () {
            return startClient(httpBackend, client).then(() => {
                const room = client.getRoom(roomId)!;
                const timelineSet = room.getTimelineSets()[0];
-                expect(client.getLatestTimeline(timelineSet)).rejects.toBeFalsy();
+                httpBackend.when("GET", `/rooms/${encodeURIComponent(roomId)}/context/event`).respond(200, () => ({
+                    event: {
+                        event_id: "event",
+                    },
+                    events_after: [],
+                    events_before: [],
+                    state: [],
+                }));
+                return Promise.all([
+                    expect(client.getEventTimeline(timelineSet, "event")).resolves.toBeTruthy(),
+                    httpBackend.flushAllExpected(),
+                ]);
            });
        });

@@ -1139,21 +1144,126 @@ describe("MatrixClient event timelines", function () {

        const prom = emitPromise(room, ThreadEvent.Update);
        // Assume we're seeing the reply while loading backlog
-        room.addLiveEvents([THREAD_REPLY2]);
+        await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
        httpBackend
            .when(
                "GET",
-                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                    encodeURIComponent(THREAD_ROOT_UPDATED.event_id!) +
-                    "/" +
-                    encodeURIComponent(THREAD_RELATION_TYPE.name),
+                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" + encodeURIComponent(THREAD_ROOT_UPDATED.event_id!),
            )
            .respond(200, {
                chunk: [THREAD_REPLY3.event, THREAD_REPLY2.event, THREAD_REPLY],
            });
        await flushHttp(prom);
        // but while loading the metadata, a new reply has arrived
-        room.addLiveEvents([THREAD_REPLY3]);
+        await room.addLiveEvents([THREAD_REPLY3], { addToState: false });
+        const thread = room.getThread(THREAD_ROOT_UPDATED.event_id!)!;
+        // then the events should still be all in the right order
+        expect(thread.events.map((it) => it.getId())).toEqual([
+            THREAD_ROOT.event_id,
+            THREAD_REPLY.event_id,
+            THREAD_REPLY2.getId(),
+            THREAD_REPLY3.getId(),
+        ]);
+    });
+
+    it("should ensure thread events don't get reordered with recursive relations", async () => {
+        // Test data for a second reply to the first thread
+        const THREAD_REPLY2 = utils.mkEvent({
+            room: roomId,
+            user: userId,
+            type: "m.room.message",
+            content: {
+                "body": "thread reply 2",
+                "msgtype": "m.text",
+                "m.relates_to": {
+                    // We can't use the const here because we change server support mode for test
+                    rel_type: "io.element.thread",
+                    event_id: THREAD_ROOT.event_id,
+                },
+            },
+            event: true,
+        });
+        THREAD_REPLY2.localTimestamp += 1000;
+        const THREAD_ROOT_REACTION = utils.mkEvent({
+            event: true,
+            type: EventType.Reaction,
+            user: userId,
+            room: roomId,
+            content: {
+                "m.relates_to": {
+                    rel_type: RelationType.Annotation,
+                    event_id: THREAD_ROOT.event_id!,
+                    key: Math.random().toString(),
+                },
+            },
+        });
+        THREAD_ROOT_REACTION.localTimestamp += 2000;
+
+        // Test data for a second reply to the first thread
+        const THREAD_REPLY3 = utils.mkEvent({
+            room: roomId,
+            user: userId,
+            type: "m.room.message",
+            content: {
+                "body": "thread reply 3",
+                "msgtype": "m.text",
+                "m.relates_to": {
+                    // We can't use the const here because we change server support mode for test
+                    rel_type: "io.element.thread",
+                    event_id: THREAD_ROOT.event_id,
+                },
+            },
+            event: true,
+        });
+        THREAD_REPLY3.localTimestamp += 3000;
+
+        // Test data for the first thread, with the second reply
+        const THREAD_ROOT_UPDATED = {
+            ...THREAD_ROOT,
+            unsigned: {
+                ...THREAD_ROOT.unsigned,
+                "m.relations": {
+                    ...THREAD_ROOT.unsigned!["m.relations"],
+                    "io.element.thread": {
+                        ...THREAD_ROOT.unsigned!["m.relations"]!["io.element.thread"],
+                        count: 3,
+                        latest_event: THREAD_REPLY3.event,
+                    },
+                },
+            },
+        };
+
+        // @ts-ignore
+        client.clientOpts.threadSupport = true;
+        client.canSupport.set(Feature.RelationsRecursion, ServerSupport.Stable);
+        Thread.setServerSideSupport(FeatureSupport.Stable);
+        Thread.setServerSideListSupport(FeatureSupport.Stable);
+        Thread.setServerSideFwdPaginationSupport(FeatureSupport.Stable);
+
+        client.fetchRoomEvent = () => Promise.resolve(THREAD_ROOT_UPDATED);
+
+        await client.stopClient(); // we don't need the client to be syncing at this time
+        const room = client.getRoom(roomId)!;
+
+        const prom = emitPromise(room, ThreadEvent.Update);
+        // Assume we're seeing the reply while loading backlog
+        await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
+        httpBackend
+            .when(
+                "GET",
+                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
+                    encodeURIComponent(THREAD_ROOT_UPDATED.event_id!) +
+                    buildRelationPaginationQuery({
+                        dir: Direction.Backward,
+                        recurse: true,
+                    }),
+            )
+            .respond(200, {
+                chunk: [THREAD_REPLY3.event, THREAD_ROOT_REACTION, THREAD_REPLY2.event, THREAD_REPLY],
+            });
+        await flushHttp(prom);
+        // but while loading the metadata, a new reply has arrived
+        await room.addLiveEvents([THREAD_REPLY3], { addToState: false });
        const thread = room.getThread(THREAD_ROOT_UPDATED.event_id!)!;
        // then the events should still be all in the right order
        expect(thread.events.map((it) => it.getId())).toEqual([
@@ -1199,16 +1309,12 @@ describe("MatrixClient event timelines", function () {
        function respondToThread(root: Partial<IEvent>, replies: Partial<IEvent>[]): ExpectedHttpRequest {
            const request = httpBackend.when(
                "GET",
-                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                    encodeURIComponent(root.event_id!) +
-                    "/" +
-                    encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                    "?dir=b&limit=1",
+                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" + encodeURIComponent(root.event_id!) + "?dir=b",
            );
            request.respond(200, function () {
                return {
                    original_event: root,
-                    chunk: [replies],
+                    chunk: replies,
                    // no next batch as this is the oldest end of the timeline
                };
            });
@@ -1218,7 +1324,7 @@ describe("MatrixClient event timelines", function () {
        function respondToContext(event: Partial<IEvent> = THREAD_ROOT): ExpectedHttpRequest {
            const request = httpBackend.when(
                "GET",
-                encodeUri("/_matrix/client/r0/rooms/$roomId/context/$eventId", {
+                encodeUri("/_matrix/client/v3/rooms/$roomId/context/$eventId", {
                    $roomId: roomId,
                    $eventId: event.event_id!,
                }),
@@ -1236,7 +1342,7 @@ describe("MatrixClient event timelines", function () {
        function respondToEvent(event: Partial<IEvent> = THREAD_ROOT): ExpectedHttpRequest {
            const request = httpBackend.when(
                "GET",
-                encodeUri("/_matrix/client/r0/rooms/$roomId/event/$eventId", {
+                encodeUri("/_matrix/client/v3/rooms/$roomId/event/$eventId", {
                    $roomId: roomId,
                    $eventId: event.event_id!,
                }),
@@ -1247,7 +1353,7 @@ describe("MatrixClient event timelines", function () {
        function respondToMessagesRequest(): ExpectedHttpRequest {
            const request = httpBackend.when(
                "GET",
-                encodeUri("/_matrix/client/r0/rooms/$roomId/messages", {
+                encodeUri("/_matrix/client/v3/rooms/$roomId/messages", {
                    $roomId: roomId,
                }),
            );
@@ -1338,7 +1444,7 @@ describe("MatrixClient event timelines", function () {
                expect(room.getPendingEvents()).toHaveLength(1);
            });

-            it("should handle thread updates by reordering the thread list", async () => {
+            it("should handle new thread replies by reordering the thread list", async () => {
                // Test data for a second thread
                const THREAD2_ROOT = utils.mkEvent({
                    room: roomId,
@@ -1365,7 +1471,7 @@ describe("MatrixClient event timelines", function () {
                    user: userId,
                    type: "m.room.message",
                    content: {
-                        "body": "thread reply",
+                        "body": "thread2 reply",
                        "msgtype": "m.text",
                        "m.relates_to": {
                            // We can't use the const here because we change server support mode for test
@@ -1385,7 +1491,7 @@ describe("MatrixClient event timelines", function () {
                    user: userId,
                    type: "m.room.message",
                    content: {
-                        "body": "thread reply",
+                        "body": "thread reply2",
                        "msgtype": "m.text",
                        "m.relates_to": {
                            // We can't use the const here because we change server support mode for test
@@ -1395,7 +1501,8 @@ describe("MatrixClient event timelines", function () {
                    },
                    event: true,
                });
-                THREAD_REPLY2.localTimestamp += 1000;
+                // this has to come after THREAD_REPLY which hasn't been instantiated by us
+                THREAD_REPLY2.localTimestamp += 10000000;

                // Test data for the first thread, with the second reply
                const THREAD_ROOT_UPDATED = {
@@ -1434,6 +1541,129 @@ describe("MatrixClient event timelines", function () {
                expect(timelineSets).not.toBeNull();
                respondToThreads(threadsResponse);
                respondToThreads(threadsResponse);
+                respondToEvent(THREAD2_ROOT);
+                respondToThread(THREAD2_ROOT, [THREAD2_REPLY]);
+                await flushHttp(room.fetchRoomThreads());
+                const threadIds = room.getThreads().map((thread) => thread.id);
+                expect(threadIds).toContain(THREAD_ROOT.event_id);
+                expect(threadIds).toContain(THREAD2_ROOT.event_id);
+                const [allThreads] = timelineSets!;
+                const timeline = allThreads.getLiveTimeline()!;
+                // Test threads are in chronological order (first thread should be first because it has a more recent reply)
+                expect(timeline.getEvents().map((it) => it.event.event_id)).toEqual([
+                    THREAD_ROOT.event_id,
+                    THREAD2_ROOT.event_id,
+                ]);
+
+                // Test adding a second event to the first thread
+                const thread = room.getThread(THREAD_ROOT.event_id!)!;
+                thread.initialEventsFetched = true;
+                const prom = emitPromise(room, ThreadEvent.NewReply);
+                respondToEvent(THREAD_ROOT_UPDATED);
+                await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
+                await httpBackend.flushAllExpected();
+                await prom;
+                expect(thread.length).toBe(2);
+                // Test threads are in chronological order
+                expect(timeline!.getEvents().map((it) => it.event.event_id)).toEqual([
+                    THREAD2_ROOT.event_id,
+                    THREAD_ROOT.event_id,
+                ]);
+            });
+
+            it("should not reorder the thread list on other thread updates", async () => {
+                // Test data for a second thread
+                const THREAD2_ROOT = utils.mkEvent({
+                    room: roomId,
+                    user: userId,
+                    type: "m.room.message",
+                    content: {
+                        body: "thread root",
+                        msgtype: "m.text",
+                    },
+                    unsigned: {
+                        "m.relations": {
+                            "io.element.thread": {
+                                //"latest_event": undefined,
+                                count: 1,
+                                current_user_participated: true,
+                            },
+                        },
+                    },
+                    event: false,
+                });
+
+                const THREAD2_REPLY = utils.mkEvent({
+                    room: roomId,
+                    user: userId,
+                    type: "m.room.message",
+                    content: {
+                        "body": "thread2 reply",
+                        "msgtype": "m.text",
+                        "m.relates_to": {
+                            // We can't use the const here because we change server support mode for test
+                            rel_type: "io.element.thread",
+                            event_id: THREAD_ROOT.event_id,
+                        },
+                    },
+                    event: false,
+                });
+
+                // @ts-ignore we know this is a defined path for THREAD ROOT
+                THREAD2_ROOT.unsigned["m.relations"]["io.element.thread"].latest_event = THREAD2_REPLY;
+
+                const THREAD_REPLY_REACTION = utils.mkEvent({
+                    room: roomId,
+                    user: userId,
+                    type: "m.reaction",
+                    content: {
+                        "m.relates_to": {
+                            rel_type: RelationType.Annotation,
+                            event_id: THREAD_REPLY.event_id,
+                            key: "🪿",
+                        },
+                    },
+                    event: true,
+                });
+                THREAD_REPLY_REACTION.localTimestamp += 1000;
+
+                // Modified thread root event containing latest thread reply in its unsigned
+                const THREAD_ROOT_UPDATED = {
+                    ...THREAD_ROOT,
+                    unsigned: {
+                        ...THREAD_ROOT.unsigned,
+                        "m.relations": {
+                            ...THREAD_ROOT.unsigned!["m.relations"],
+                            "io.element.thread": {
+                                ...THREAD_ROOT.unsigned!["m.relations"]!["io.element.thread"],
+                                count: 1,
+                                latest_event: THREAD_REPLY,
+                            },
+                        },
+                    },
+                };
+
+                // Response with test data for the thread list request
+                const threadsResponse = {
+                    chunk: [THREAD2_ROOT, THREAD_ROOT],
+                    state: [],
+                    next_batch: RANDOM_TOKEN as string | null,
+                };
+
+                // @ts-ignore
+                client.clientOpts.threadSupport = true;
+                Thread.setServerSideSupport(FeatureSupport.Stable);
+                Thread.setServerSideListSupport(FeatureSupport.Stable);
+                Thread.setServerSideFwdPaginationSupport(FeatureSupport.Stable);
+
+                await client.stopClient(); // we don't need the client to be syncing at this time
+                const room = client.getRoom(roomId)!;
+
+                // Set up room threads
+                const timelineSets = await room!.createThreadsTimelineSets();
+                expect(timelineSets).not.toBeNull();
+                respondToThreads(threadsResponse);
+                respondToThreads(threadsResponse);
                respondToEvent(THREAD_ROOT);
                respondToEvent(THREAD2_ROOT);
                respondToThread(THREAD_ROOT, [THREAD_REPLY]);
@@ -1453,19 +1683,16 @@ describe("MatrixClient event timelines", function () {
                // Test adding a second event to the first thread
                const thread = room.getThread(THREAD_ROOT.event_id!)!;
                thread.initialEventsFetched = true;
-                const prom = emitPromise(room, ThreadEvent.NewReply);
+                const prom = emitPromise(room, ThreadEvent.Update);
                respondToEvent(THREAD_ROOT_UPDATED);
-                respondToEvent(THREAD_ROOT_UPDATED);
-                respondToEvent(THREAD_ROOT_UPDATED);
-                respondToEvent(THREAD2_ROOT);
-                room.addLiveEvents([THREAD_REPLY2]);
+                await room.addLiveEvents([THREAD_REPLY_REACTION], { addToState: false });
                await httpBackend.flushAllExpected();
                await prom;
-                expect(thread.length).toBe(2);
-                // Test threads are in chronological order
+                expect(thread.length).toBe(1); // reactions don't count towards the length of a thread
+                // Test thread order is unchanged
                expect(timeline!.getEvents().map((it) => it.event.event_id)).toEqual([
-                    THREAD2_ROOT.event_id,
                    THREAD_ROOT.event_id,
+                    THREAD2_ROOT.event_id,
                ]);
            });
        });
@@ -1695,7 +1922,7 @@ describe("MatrixClient event timelines", function () {

        // a state event, followed by a redaction thereof
        const event = utils.mkMembership({
-            mship: "join",
+            mship: KnownMembership.Join,
            user: otherUserId,
        });
        const redaction = utils.mkEvent({
@@ -1772,11 +1999,6 @@ describe("MatrixClient event timelines", function () {
                    },
                },
            });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
            httpBackend
                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
                .respond(200, function () {
@@ -1787,9 +2009,7 @@ describe("MatrixClient event timelines", function () {
                    "GET",
                    "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Backward, limit: 1 }),
+                        buildRelationPaginationQuery({ dir: Direction.Backward }),
                )
                .respond(200, function () {
                    return {
@@ -1803,73 +2023,7 @@ describe("MatrixClient event timelines", function () {
            expect(thread.initialEventsFetched).toBeTruthy();
            const timelineSet = thread.timelineSet;

-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/context/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return {
-                        start: "start_token",
-                        events_before: [],
-                        event: THREAD_ROOT,
-                        events_after: [],
-                        end: "end_token",
-                        state: [],
-                    };
-                });
-            httpBackend
-                .when(
-                    "GET",
-                    "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Backward, from: "start_token" }),
-                )
-                .respond(200, function () {
-                    return {
-                        chunk: [],
-                    };
-                });
-            httpBackend
-                .when(
-                    "GET",
-                    "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Forward, from: "end_token" }),
-                )
-                .respond(200, function () {
-                    return {
-                        chunk: [THREAD_REPLY],
-                    };
-                });
-
-            const timeline = await flushHttp(client.getEventTimeline(timelineSet, THREAD_ROOT.event_id!));
+            const timeline = await client.getEventTimeline(timelineSet, THREAD_ROOT.event_id!);

            httpBackend.when("GET", "/sync").respond(200, {
                next_batch: "s_5_5",
@@ -1890,6 +2044,7 @@ describe("MatrixClient event timelines", function () {
            expect(timeline!.getEvents()[1]!.event).toEqual(THREAD_REPLY);
        }

+        // eslint-disable-next-line @vitest/expect-expect
        it("in stable mode", async () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
@@ -5,7 +5,8 @@ import { ClientEvent, MatrixClient } from "../../src/matrix";
 import { MatrixScheduler } from "../../src/scheduler";
 import { MemoryStore } from "../../src/store/memory";
 import { MatrixError } from "../../src/http-api";
-import { IStore } from "../../src/store";
+import { type IStore } from "../../src/store";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient opts", function () {
    const baseUrl = "http://localhost.or.something";
@@ -43,13 +44,13 @@ describe("MatrixClient opts", function () {
                            }),
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: userB,
                                name: "Bob",
                            }),
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: userId,
                                name: "Alice",
                            }),
@@ -57,9 +58,7 @@ describe("MatrixClient opts", function () {
                                type: "m.room.create",
                                room: roomId,
                                user: userId,
-                                content: {
-                                    creator: userId,
-                                },
+                                content: {},
                            }),
                        ],
                    },
@@ -81,7 +80,7 @@ describe("MatrixClient opts", function () {
        let client: MatrixClient;
        beforeEach(function () {
            client = new MatrixClient({
-                fetchFn: httpBackend.fetchFn as typeof global.fetch,
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
                store: undefined,
                baseUrl: baseUrl,
                userId: userId,
@@ -136,7 +135,7 @@ describe("MatrixClient opts", function () {
        let client: MatrixClient;
        beforeEach(function () {
            client = new MatrixClient({
-                fetchFn: httpBackend.fetchFn as typeof global.fetch,
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
                store: new MemoryStore() as IStore,
                baseUrl: baseUrl,
                userId: userId,
@@ -160,7 +159,7 @@ describe("MatrixClient opts", function () {

            await expect(
                Promise.all([client.sendTextMessage("!foo:bar", "a body", "txn1"), httpBackend.flush("/txn1", 1)]),
-            ).rejects.toThrow("MatrixError: [500] Unknown message");
+            ).rejects.toThrow("MatrixError: [500] Ruh roh");
        });

        it("shouldn't queue events", async () => {
@@ -206,4 +205,109 @@ describe("MatrixClient opts", function () {
            expect(res.event_id).toEqual("foo");
        });
    });
+
+    describe("with opts.queryParams", function () {
+        let client: MatrixClient;
+        let httpBackend: HttpBackend;
+        const userId = "@rsb-tbg:localhost";
+
+        beforeEach(function () {
+            httpBackend = new HttpBackend();
+            client = new MatrixClient({
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
+                store: new MemoryStore() as IStore,
+                baseUrl: baseUrl,
+                userId: userId,
+                accessToken: accessToken,
+                queryParams: { user_id: userId },
+            });
+        });
+
+        afterEach(function () {
+            client.stopClient();
+            httpBackend.verifyNoOutstandingExpectation();
+            return httpBackend.stop();
+        });
+
+        it("should include queryParams in matrix server requests", async () => {
+            const eventId = "$test:event";
+            httpBackend
+                .when("PUT", "/txn1")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {
+                    event_id: eventId,
+                });
+
+            const [res] = await Promise.all([
+                client.sendTextMessage("!foo:bar", "test message", "txn1"),
+                httpBackend.flush("/txn1", 1),
+            ]);
+
+            expect(res.event_id).toEqual(eventId);
+        });
+
+        it("should include queryParams in sync requests", async () => {
+            httpBackend
+                .when("GET", "/versions")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {});
+
+            httpBackend
+                .when("GET", "/pushrules")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {});
+
+            httpBackend
+                .when("POST", "/filter")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, { filter_id: "foo" });
+
+            httpBackend
+                .when("GET", "/sync")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, syncData);
+
+            client.startClient();
+            await httpBackend.flush("/versions", 1);
+            await httpBackend.flush("/pushrules", 1);
+            await httpBackend.flush("/filter", 1);
+            await Promise.all([httpBackend.flush("/sync", 1), utils.syncPromise(client)]);
+        });
+
+        it("should merge queryParams with request-specific params", async () => {
+            const eventId = "$test:event";
+            httpBackend
+                .when("PUT", "/txn1")
+                .check((req) => {
+                    // Should contain both global queryParams and request-specific params
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {
+                    event_id: eventId,
+                });
+
+            const [res] = await Promise.all([
+                client.sendTextMessage("!foo:bar", "test message", "txn1"),
+                httpBackend.flush("/txn1", 1),
+            ]);
+
+            expect(res.event_id).toEqual(eventId);
+        });
+    });
 });
@@ -15,9 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
-import { Direction, MatrixClient, MatrixScheduler } from "../../src/matrix";
+import type HttpBackend from "matrix-mock-request";
+import { Direction, type MatrixClient, MatrixScheduler } from "../../src/matrix";
 import { TestClient } from "../TestClient";

 describe("MatrixClient relations", () => {
@@ -14,9 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
-import { EventStatus, RoomEvent, MatrixClient, MatrixScheduler } from "../../src/matrix";
+import type HttpBackend from "matrix-mock-request";
+import { EventStatus, type MatrixClient, MatrixScheduler, MsgType, RoomEvent } from "../../src/matrix";
 import { Room } from "../../src/models/room";
 import { TestClient } from "../TestClient";

@@ -60,7 +59,7 @@ describe("MatrixClient retrying", function () {
        // send a couple of events; the second will be queued
        const p1 = client!
            .sendMessage(roomId, {
-                msgtype: "m.text",
+                msgtype: MsgType.Text,
                body: "m1",
            })
            .then(
@@ -77,7 +76,7 @@ describe("MatrixClient retrying", function () {
        // never gets resolved.
        // https://github.com/matrix-org/matrix-js-sdk/issues/496
        client!.sendMessage(roomId, {
-            msgtype: "m.text",
+            msgtype: MsgType.Text,
            body: "m2",
        });

@@ -14,22 +14,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import * as utils from "../test-utils/test-utils";
 import { EventStatus } from "../../src/models/event";
 import {
    MatrixError,
    ClientEvent,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    RoomEvent,
-    ISyncResponse,
-    IMinimalEvent,
-    IRoomEvent,
-    Room,
+    type ISyncResponse,
+    type IMinimalEvent,
+    type IRoomEvent,
+    type Room,
 } from "../../src";
 import { TestClient } from "../TestClient";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient room timelines", function () {
    const userId = "@alice:localhost";
@@ -42,7 +42,7 @@ describe("MatrixClient room timelines", function () {

    const USER_MEMBERSHIP_EVENT = utils.mkMembership({
        room: roomId,
-        mship: "join",
+        mship: KnownMembership.Join,
        user: userId,
        name: userName,
    });
@@ -76,7 +76,7 @@ describe("MatrixClient room timelines", function () {
                            ROOM_NAME_EVENT,
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: otherUserId,
                                name: "Bob",
                            }),
@@ -85,9 +85,7 @@ describe("MatrixClient room timelines", function () {
                                type: "m.room.create",
                                room: roomId,
                                user: userId,
-                                content: {
-                                    creator: userId,
-                                },
+                                content: {},
                            }),
                        ],
                    },
@@ -318,7 +316,7 @@ describe("MatrixClient room timelines", function () {

            // make an m.room.member event for alice's join
            const joinMshipEvent = utils.mkMembership({
-                mship: "join",
+                mship: KnownMembership.Join,
                user: userId,
                room: roomId,
                name: "Old Alice",
@@ -328,16 +326,16 @@ describe("MatrixClient room timelines", function () {
            // make an m.room.member event with prev_content for alice's nick
            // change
            const oldMshipEvent = utils.mkMembership({
-                mship: "join",
+                mship: KnownMembership.Join,
                user: userId,
                room: roomId,
                name: userName,
                url: "mxc://some/url",
            });
-            oldMshipEvent.prev_content = {
+            oldMshipEvent.unsigned!.prev_content = {
                displayname: "Old Alice",
                avatar_url: undefined,
-                membership: "join",
+                membership: KnownMembership.Join,
            };

            // set the list of events to return on scrollback (/messages)
@@ -489,7 +487,7 @@ describe("MatrixClient room timelines", function () {
                utils.mkMembership({
                    user: userId,
                    room: roomId,
-                    mship: "join",
+                    mship: KnownMembership.Join,
                    name: "New Name",
                }),
                utils.mkMessage({ user: userId, room: roomId }),
@@ -556,13 +554,13 @@ describe("MatrixClient room timelines", function () {
                utils.mkMembership({
                    user: userC,
                    room: roomId,
-                    mship: "join",
+                    mship: KnownMembership.Join,
                    name: "C",
                }),
                utils.mkMembership({
                    user: userC,
                    room: roomId,
-                    mship: "invite",
+                    mship: KnownMembership.Invite,
                    skey: userD,
                }),
            ];
@@ -573,9 +571,9 @@ describe("MatrixClient room timelines", function () {
                return Promise.all([httpBackend!.flush("/sync", 1), utils.syncPromise(client!)]).then(function () {
                    expect(room.currentState.getMembers().length).toEqual(4);
                    expect(room.currentState.getMember(userC)!.name).toEqual("C");
-                    expect(room.currentState.getMember(userC)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(userC)!.membership).toEqual(KnownMembership.Join);
                    expect(room.currentState.getMember(userD)!.name).toEqual(userD);
-                    expect(room.currentState.getMember(userD)!.membership).toEqual("invite");
+                    expect(room.currentState.getMember(userD)!.membership).toEqual(KnownMembership.Invite);
                });
            });
        });
@@ -600,9 +598,9 @@ describe("MatrixClient room timelines", function () {
                    expect(room.timeline[0].event).toEqual(eventData[0]);
                    expect(room.currentState.getMembers().length).toEqual(2);
                    expect(room.currentState.getMember(userId)!.name).toEqual(userName);
-                    expect(room.currentState.getMember(userId)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(userId)!.membership).toEqual(KnownMembership.Join);
                    expect(room.currentState.getMember(otherUserId)!.name).toEqual("Bob");
-                    expect(room.currentState.getMember(otherUserId)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(otherUserId)!.membership).toEqual(KnownMembership.Join);
                });
            });
        });
@@ -722,7 +720,7 @@ describe("MatrixClient room timelines", function () {
                    } else {
                        reject(new Error("TestError: Timed out while waiting for `RoomEvent.TimelineReset` to fire."));
                    }
-                }, 4000 /* FIXME: Is there a way to reference the current timeout of this test in Jest? */);
+                }, 4000 /* FIXME: Is there a way to reference the current timeout of this test in Vitest? */);

                room.on(RoomEvent.TimelineReset, async () => {
                    try {
@@ -0,0 +1,161 @@
+/*
+Copyright 2023 Holi Moli GmbH
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import "fake-indexeddb/auto";
+import fetchMock from "@fetch-mock/vitest";
+
+import { type MatrixClient, ClientEvent, createClient, SyncState } from "../../src";
+
+const makeQueryablePromise = <T = void>(promise: Promise<T>) => {
+    let resolved = false;
+    let rejected = false;
+
+    // Observe the promise, saving the fulfillment in a closure scope.
+    const newPromise = promise.then(
+        (value) => {
+            resolved = true;
+            return value;
+        },
+        (error) => {
+            rejected = true;
+            throw error;
+        },
+    );
+    const isFulfilled = () => {
+        return resolved || rejected;
+    };
+    const isResolved = () => {
+        return resolved;
+    };
+    const isRejected = () => {
+        return rejected;
+    };
+    return { promise: newPromise, isFulfilled, isResolved, isRejected };
+};
+
+const queryablePromise = <T = void>() => {
+    let resolve!: (value: T | PromiseLike<T>) => void;
+    let reject!: (reason?: any) => void;
+
+    const promise = makeQueryablePromise<T>(
+        new Promise<T>((_resolve, _reject) => {
+            resolve = _resolve;
+            reject = _reject;
+        }),
+    );
+
+    return { resolve, reject, ...promise };
+};
+
+describe("MatrixClient syncing errors", () => {
+    const selfUserId = "@alice:localhost";
+    const selfAccessToken = "aseukfgwef";
+    const unknownTokenErrorData = {
+        status: 401,
+        body: {
+            errcode: "M_UNKNOWN_TOKEN",
+            error: "Invalid access token passed.",
+            soft_logout: false,
+        },
+    };
+    let client: MatrixClient | undefined;
+
+    beforeEach(() => {
+        client = createClient({
+            baseUrl: "http://tocal.test.server",
+            userId: selfUserId,
+            accessToken: selfAccessToken,
+            deviceId: "myDevice",
+        });
+    });
+
+    it("should retry, until errors are solved.", async () => {
+        vi.useFakeTimers();
+        fetchMock
+            .getOnce("end:versions", {}) // first version check without credentials needs to succeed
+            .getOnce("end:versions", 429) // second version check fails with 429 triggering another retry
+            .get("end:versions", {}) // further version checks succeed
+            .getOnce("end:pushrules/", 429) // first pushrules check fails starting retry
+            .get("end:pushrules/", {}) // further pushrules check succeed
+            .catch({}); // all other calls succeed
+
+        const syncEvents = Array.from({ length: 5 }, queryablePromise<SyncState>);
+
+        client!.on(ClientEvent.Sync, (state: SyncState, lastState: SyncState | null) => {
+            let i = 0;
+            for (; i < syncEvents.length && syncEvents[i].isFulfilled(); i++) {
+                // find index of first unfulfilled promise
+            }
+            syncEvents[i].resolve(state);
+        });
+
+        await client!.startClient();
+        expect(await syncEvents[0].promise).toBe(SyncState.Error);
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
+        expect(await syncEvents[1].promise).toBe(SyncState.Error);
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
+        expect(await syncEvents[2].promise).toBe(SyncState.Prepared);
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
+        expect(await syncEvents[3].promise).toBe(SyncState.Syncing);
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
+        expect(await syncEvents[4].promise).toBe(SyncState.Syncing);
+    });
+
+    it("should stop sync keep alive when client is stopped.", async () => {
+        vi.useFakeTimers();
+        fetchMock
+            .get("end:capabilities", {})
+            .getOnce("end:versions", {}) // first version check without credentials needs to succeed
+            .get("end:versions", unknownTokenErrorData) // further version checks fails with 401
+            .get("end:pushrules/", 401) // fails with 401 without an error. This does happen in practice e.g. with Synapse
+            .post("end:logout", unknownTokenErrorData) // just to keep up a consistent scenario. Does not have a real effect for this testcase
+            .post("end:filter", 401); // just to keep up a consistent scenario. Does not have a real effect for this testcase
+
+        const firstSyncEvent = queryablePromise<SyncState>();
+        const secondSyncEvent = queryablePromise<SyncState>();
+        client!.on(ClientEvent.Sync, (state: SyncState, lastState: SyncState | null) => {
+            if (firstSyncEvent.isFulfilled()) secondSyncEvent.resolve(state);
+            firstSyncEvent.resolve(state);
+        });
+
+        await client!.startClient();
+        const logoutDone = queryablePromise();
+        client!
+            .logout(true)
+            .then(() => {
+                logoutDone.resolve();
+            })
+            .catch((e) => {
+                logoutDone.resolve();
+            });
+
+        const syntState = await firstSyncEvent.promise;
+        expect(syntState).toBe(SyncState.Error);
+        vi.runAllTimers(); // this will skip forward to trigger the keepAlive
+
+        vi.useRealTimers(); // we need real timer for the setTimout below to work
+
+        const timeoutPromise = makeQueryablePromise(new Promise<void>((res) => setTimeout(res, 1)));
+
+        await Promise.race([secondSyncEvent.promise, timeoutPromise.promise]);
+        // when syncing stopped, then the secondSyncEvent will never happen and the promise will not be resolved,
+        /// so the timeoutPromise will be resolved instead
+        expect(timeoutPromise.isFulfilled()).toBe(true);
+        expect(secondSyncEvent.isFulfilled()).toBe(false);
+
+        await logoutDone.promise; // wait for the logout to finish to prevent processing and logging after the test is done.
+    });
+});
@@ -16,44 +16,82 @@ limitations under the License.

 import "fake-indexeddb/auto";

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import {
    Category,
    ClientEvent,
    EventType,
-    ISyncResponse,
-    MatrixClient,
+    type ISyncResponse,
+    type MatrixClient,
    MatrixEvent,
    NotificationCountType,
    RelationType,
    Room,
+    fixNotificationCountOnDecryption,
 } from "../../src";
 import { TestClient } from "../TestClient";
 import { ReceiptType } from "../../src/@types/read_receipts";
 import { mkThread } from "../test-utils/thread";
 import { SyncState } from "../../src/sync";
+import { KnownMembership } from "../../src/@types/membership";
+
+const userA = "@alice:localhost";
+const userB = "@bob:localhost";
+const selfUserId = userA;
+const selfAccessToken = "aseukfgwef";
+
+function setupTestClient(): [MatrixClient, HttpBackend] {
+    const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
+    const httpBackend = testClient.httpBackend;
+    const client = testClient.client;
+    httpBackend!.when("GET", "/versions").respond(200, {});
+    httpBackend!.when("GET", "/pushrules").respond(200, {});
+    httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
+    return [client, httpBackend];
+}
+
+describe("Notification count fixing", () => {
+    let client: MatrixClient | undefined;
+
+    beforeEach(() => {
+        [client] = setupTestClient();
+    });
+
+    it("doesn't increment notification count for events that can't be found in a room", async () => {
+        const roomId = "!room:localhost";
+
+        client!.startClient({ threadSupport: true });
+        const room = new Room(roomId, client!, selfUserId);
+        vi.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));
+
+        const event = new MatrixEvent({
+            room_id: roomId,
+            type: "m.reaction",
+            event_id: "$foo",
+            content: {
+                "m.relates_to": {
+                    rel_type: RelationType.Annotation,
+                    event_id: "$foo",
+                    key: "x",
+                },
+            },
+        });
+
+        vi.spyOn(event, "getPushActions").mockReturnValue({
+            notify: true,
+            tweaks: {},
+        });
+
+        fixNotificationCountOnDecryption(client!, event);
+
+        expect(room.getUnreadNotificationCount(NotificationCountType.Total)).toBe(0);
+    });
+});

 describe("MatrixClient syncing", () => {
-    const userA = "@alice:localhost";
-    const userB = "@bob:localhost";
-
-    const selfUserId = userA;
-    const selfAccessToken = "aseukfgwef";
-
    let client: MatrixClient | undefined;
    let httpBackend: HttpBackend | undefined;

-    const setupTestClient = (): [MatrixClient, HttpBackend] => {
-        const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
-        const httpBackend = testClient.httpBackend;
-        const client = testClient.client;
-        httpBackend!.when("GET", "/versions").respond(200, {});
-        httpBackend!.when("GET", "/pushrules").respond(200, {});
-        httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
-        return [client, httpBackend];
-    };
-
    beforeEach(() => {
        [client, httpBackend] = setupTestClient();
    });
@@ -85,11 +123,11 @@ describe("MatrixClient syncing", () => {
        ]);

        const room = new Room(roomId, client!, selfUserId);
-        jest.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));
+        vi.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));

        const thread = mkThread({ room, client: client!, authorId: selfUserId, participantUserIds: [selfUserId] });
        const threadReply = thread.events.at(-1)!;
-        room.addLiveEvents([thread.rootEvent]);
+        await room.addLiveEvents([thread.rootEvent], { addToState: false });

        // Initialize read receipt datastructure before testing the reaction
        room.addReceiptToStructure(thread.rootEvent.getId()!, ReceiptType.Read, selfUserId, { ts: 1 }, false);
@@ -105,7 +143,7 @@ describe("MatrixClient syncing", () => {

        const reactionEventId = `$9-${Math.random()}-${Math.random()}`;
        let lastEvent: MatrixEvent | null = null;
-        jest.spyOn(client! as any, "sendEventHttpRequest").mockImplementation((event) => {
+        vi.spyOn(client! as any, "sendEventHttpRequest").mockImplementation((event) => {
            lastEvent = event as MatrixEvent;
            return { event_id: reactionEventId };
        });
@@ -113,7 +151,7 @@ describe("MatrixClient syncing", () => {
        await client!.sendEvent(roomId, EventType.Reaction, {
            "m.relates_to": {
                rel_type: RelationType.Annotation,
-                event_id: threadReply.getId(),
+                event_id: threadReply.getId()!,
                key: "",
            },
        });
@@ -157,7 +195,7 @@ describe("MatrixClient syncing", () => {
                })
                .respond(200, syncData);

-            client!.store.getSavedSyncToken = jest.fn().mockResolvedValue("this-is-a-token");
+            client!.store.getSavedSyncToken = vi.fn().mockResolvedValue("this-is-a-token");
            client!.startClient({ initialSyncLimit: 1 });

            await httpBackend!.flushAllExpected();
@@ -179,7 +217,6 @@ describe("MatrixClient syncing", () => {
                            events: [
                                {
                                    content: {
-                                        creator: userB,
                                        room_version: "9",
                                    },
                                    origin_server_ts: 1,
@@ -192,7 +229,7 @@ describe("MatrixClient syncing", () => {
                                    content: {
                                        avatar_url: "",
                                        displayname: userB,
-                                        membership: "join",
+                                        membership: KnownMembership.Join,
                                    },
                                    origin_server_ts: 2,
                                    sender: userB,
@@ -233,7 +270,7 @@ describe("MatrixClient syncing", () => {
                                },
                                {
                                    content: {
-                                        join_rule: "invite",
+                                        join_rule: KnownMembership.Invite,
                                    },
                                    origin_server_ts: 4,
                                    sender: userB,
@@ -279,7 +316,7 @@ describe("MatrixClient syncing", () => {
                                        avatar_url: "",
                                        displayname: userA,
                                        is_direct: true,
-                                        membership: "invite",
+                                        membership: KnownMembership.Invite,
                                    },
                                    origin_server_ts: 8,
                                    sender: userB,
@@ -301,7 +338,7 @@ describe("MatrixClient syncing", () => {
                                    content: {
                                        avatar_url: "",
                                        displayname: userA,
-                                        membership: "join",
+                                        membership: KnownMembership.Join,
                                    },
                                    origin_server_ts: 10,
                                    sender: userA,
@@ -377,6 +414,7 @@ describe("MatrixClient syncing", () => {
                },
                [Category.Leave]: {},
                [Category.Invite]: {},
+                [Category.Knock]: {},
            },
        };
    }
@@ -1,170 +0,0 @@
-/*
-Copyright 2022 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import { Account } from "@matrix-org/olm";
-
-import { logger } from "../../src/logger";
-import { decodeRecoveryKey } from "../../src/crypto/recoverykey";
-import { IKeyBackupInfo, IKeyBackupSession } from "../../src/crypto/keybackup";
-import { TestClient } from "../TestClient";
-import { IEvent } from "../../src";
-import { MatrixEvent, MatrixEventEvent } from "../../src/models/event";
-
-const ROOM_ID = "!ROOM:ID";
-
-const SESSION_ID = "o+21hSjP+mgEmcfdslPsQdvzWnkdt0Wyo00Kp++R8Kc";
-
-const ENCRYPTED_EVENT: Partial<IEvent> = {
-    type: "m.room.encrypted",
-    content: {
-        algorithm: "m.megolm.v1.aes-sha2",
-        sender_key: "SENDER_CURVE25519",
-        session_id: SESSION_ID,
-        ciphertext:
-            "AwgAEjD+VwXZ7PoGPRS/H4kwpAsMp/g+WPvJVtPEKE8fmM9IcT/N" +
-            "CiwPb8PehecDKP0cjm1XO88k6Bw3D17aGiBHr5iBoP7oSw8CXULXAMTkBl" +
-            "mkufRQq2+d0Giy1s4/Cg5n13jSVrSb2q7VTSv1ZHAFjUCsLSfR0gxqcQs",
-    },
-    room_id: "!ROOM:ID",
-    event_id: "$event1",
-    origin_server_ts: 1507753886000,
-};
-
-const CURVE25519_KEY_BACKUP_DATA: IKeyBackupSession = {
-    first_message_index: 0,
-    forwarded_count: 0,
-    is_verified: false,
-    session_data: {
-        ciphertext:
-            "2z2M7CZ+azAiTHN1oFzZ3smAFFt+LEOYY6h3QO3XXGdw" +
-            "6YpNn/gpHDO6I/rgj1zNd4FoTmzcQgvKdU8kN20u5BWRHxaHTZ" +
-            "Slne5RxE6vUdREsBgZePglBNyG0AogR/PVdcrv/v18Y6rLM5O9" +
-            "SELmwbV63uV9Kuu/misMxoqbuqEdG7uujyaEKtjlQsJ5MGPQOy" +
-            "Syw7XrnesSwF6XWRMxcPGRV0xZr3s9PI350Wve3EncjRgJ9IGF" +
-            "ru1bcptMqfXgPZkOyGvrphHoFfoK7nY3xMEHUiaTRfRIjq8HNV" +
-            "4o8QY1qmWGnxNBQgOlL8MZlykjg3ULmQ3DtFfQPj/YYGS3jzxv" +
-            "C+EBjaafmsg+52CTeK3Rswu72PX450BnSZ1i3If4xWAUKvjTpe" +
-            "Ug5aDLqttOv1pITolTJDw5W/SD+b5rjEKg1CFCHGEGE9wwV3Nf" +
-            "QHVCQL+dfpd7Or0poy4dqKMAi3g0o3Tg7edIF8d5rREmxaALPy" +
-            "iie8PHD8mj/5Y0GLqrac4CD6+Mop7eUTzVovprjg",
-        mac: "5lxYBHQU80M",
-        ephemeral: "/Bn0A4UMFwJaDDvh0aEk1XZj3k1IfgCxgFY9P9a0b14",
-    },
-};
-
-const CURVE25519_BACKUP_INFO: IKeyBackupInfo = {
-    algorithm: "m.megolm_backup.v1.curve25519-aes-sha2",
-    version: "1",
-    auth_data: {
-        public_key: "hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo",
-    },
-};
-
-const RECOVERY_KEY = "EsTc LW2K PGiF wKEA 3As5 g5c4 BXwk qeeJ ZJV8 Q9fu gUMN UE4d";
-
-/**
- * start an Olm session with a given recipient
- */
-function createOlmSession(olmAccount: Olm.Account, recipientTestClient: TestClient): Promise<Olm.Session> {
-    return recipientTestClient.awaitOneTimeKeyUpload().then((keys) => {
-        const otkId = Object.keys(keys)[0];
-        const otk = keys[otkId];
-
-        const session = new global.Olm.Session();
-        session.create_outbound(olmAccount, recipientTestClient.getDeviceKey(), otk.key);
-        return session;
-    });
-}
-
-describe("megolm key backups", function () {
-    if (!global.Olm) {
-        logger.warn("not running megolm tests: Olm not present");
-        return;
-    }
-    const Olm = global.Olm;
-    let testOlmAccount: Olm.Account;
-    let aliceTestClient: TestClient;
-
-    const setupTestClient = (): [Account, TestClient] => {
-        const aliceTestClient = new TestClient("@alice:localhost", "xzcvb", "akjgkrgjs");
-        const testOlmAccount = new Olm.Account();
-        testOlmAccount!.create();
-
-        return [testOlmAccount, aliceTestClient];
-    };
-
-    beforeAll(function () {
-        return Olm.init();
-    });
-
-    beforeEach(async function () {
-        [testOlmAccount, aliceTestClient] = setupTestClient();
-        await aliceTestClient!.client.initCrypto();
-        aliceTestClient!.client.crypto!.backupManager.backupInfo = CURVE25519_BACKUP_INFO;
-    });
-
-    afterEach(function () {
-        return aliceTestClient!.stop();
-    });
-
-    it("Alice checks key backups when receiving a message she can't decrypt", function () {
-        const syncResponse = {
-            next_batch: 1,
-            rooms: {
-                join: {
-                    [ROOM_ID]: {
-                        timeline: {
-                            events: [ENCRYPTED_EVENT],
-                        },
-                    },
-                },
-            },
-        };
-
-        return aliceTestClient!
-            .start()
-            .then(() => {
-                return createOlmSession(testOlmAccount, aliceTestClient);
-            })
-            .then(() => {
-                const privkey = decodeRecoveryKey(RECOVERY_KEY);
-                return aliceTestClient!.client!.crypto!.storeSessionBackupPrivateKey(privkey);
-            })
-            .then(() => {
-                aliceTestClient!.httpBackend.when("GET", "/sync").respond(200, syncResponse);
-                aliceTestClient!.expectKeyBackupQuery(ROOM_ID, SESSION_ID, 200, CURVE25519_KEY_BACKUP_DATA);
-                return aliceTestClient!.httpBackend.flushAllExpected();
-            })
-            .then(function (): Promise<MatrixEvent> {
-                const room = aliceTestClient!.client.getRoom(ROOM_ID)!;
-                const event = room.getLiveTimeline().getEvents()[0];
-
-                if (event.getContent()) {
-                    return Promise.resolve(event);
-                }
-
-                return new Promise((resolve, reject) => {
-                    event.once(MatrixEventEvent.Decrypted, (ev) => {
-                        logger.log(`${Date.now()} event ${event.getId()} now decrypted`);
-                        resolve(ev);
-                    });
-                });
-            })
-            .then((event) => {
-                expect(event.getContent()).toEqual("testytest");
-            });
-    });
-});
@@ -1,692 +0,0 @@
-/*
-Copyright 2016 OpenMarket Ltd
-Copyright 2017 Vector Creations Ltd
-Copyright 2018 New Vector Ltd
-Copyright 2019 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-/* This file consists of a set of integration tests which try to simulate
- * communication via an Olm-encrypted room between two users, Alice and Bob.
- *
- * Note that megolm (group) conversation is not tested here.
- *
- * See also `crypto.spec.js`.
- */
-
-// load olm before the sdk if possible
-import "../olm-loader";
-
-import type { Session } from "@matrix-org/olm";
-import type { IDeviceKeys, IOneTimeKey } from "../../src/@types/crypto";
-import { logger } from "../../src/logger";
-import * as testUtils from "../test-utils/test-utils";
-import { TestClient } from "../TestClient";
-import { CRYPTO_ENABLED, IClaimKeysRequest, IQueryKeysRequest, IUploadKeysRequest } from "../../src/client";
-import { ClientEvent, IContent, ISendEventResponse, MatrixClient, MatrixEvent } from "../../src/matrix";
-import { DeviceInfo } from "../../src/crypto/deviceinfo";
-
-let aliTestClient: TestClient;
-const roomId = "!room:localhost";
-const aliUserId = "@ali:localhost";
-const aliDeviceId = "zxcvb";
-const aliAccessToken = "aseukfgwef";
-let bobTestClient: TestClient;
-const bobUserId = "@bob:localhost";
-const bobDeviceId = "bvcxz";
-const bobAccessToken = "fewgfkuesa";
-let aliMessages: IContent[];
-let bobMessages: IContent[];
-
-type OlmPayload = ReturnType<Session["encrypt"]>;
-
-async function bobUploadsDeviceKeys(): Promise<void> {
-    bobTestClient.expectDeviceKeyUpload();
-    await bobTestClient.httpBackend.flushAllExpected();
-    expect(Object.keys(bobTestClient.deviceKeys!).length).not.toEqual(0);
-}
-
-/**
- * Set an expectation that querier will query uploader's keys; then flush the http request.
- *
- * @returns resolves once the http request has completed.
- */
-function expectQueryKeys(querier: TestClient, uploader: TestClient): Promise<number> {
-    // can't query keys before bob has uploaded them
-    expect(uploader.deviceKeys).toBeTruthy();
-
-    const uploaderKeys: Record<string, IDeviceKeys> = {};
-    uploaderKeys[uploader.deviceId!] = uploader.deviceKeys!;
-    querier.httpBackend.when("POST", "/keys/query").respond(200, function (_path, content: IQueryKeysRequest) {
-        expect(content.device_keys![uploader.userId!]).toEqual([]);
-        const result: Record<string, Record<string, IDeviceKeys>> = {};
-        result[uploader.userId!] = uploaderKeys;
-        return { device_keys: result };
-    });
-    return querier.httpBackend.flush("/keys/query", 1);
-}
-const expectAliQueryKeys = () => expectQueryKeys(aliTestClient, bobTestClient);
-const expectBobQueryKeys = () => expectQueryKeys(bobTestClient, aliTestClient);
-
-/**
- * Set an expectation that ali will claim one of bob's keys; then flush the http request.
- *
- * @returns resolves once the http request has completed.
- */
-async function expectAliClaimKeys(): Promise<void> {
-    const keys = await bobTestClient.awaitOneTimeKeyUpload();
-    aliTestClient.httpBackend.when("POST", "/keys/claim").respond(200, function (_path, content: IClaimKeysRequest) {
-        const claimType = content.one_time_keys![bobUserId][bobDeviceId];
-        expect(claimType).toEqual("signed_curve25519");
-        let keyId = "";
-        for (keyId in keys) {
-            if (bobTestClient.oneTimeKeys!.hasOwnProperty(keyId)) {
-                if (keyId.indexOf(claimType + ":") === 0) {
-                    break;
-                }
-            }
-        }
-        const result: Record<string, Record<string, Record<string, IOneTimeKey>>> = {};
-        result[bobUserId] = {};
-        result[bobUserId][bobDeviceId] = {};
-        result[bobUserId][bobDeviceId][keyId] = keys[keyId];
-        return { one_time_keys: result };
-    });
-    // it can take a while to process the key query, so give it some extra
-    // time, and make sure the claim actually happens rather than ploughing on
-    // confusingly.
-    const r = await aliTestClient.httpBackend.flush("/keys/claim", 1, 500);
-    expect(r).toEqual(1);
-}
-
-async function aliDownloadsKeys(): Promise<void> {
-    // can't query keys before bob has uploaded them
-    expect(bobTestClient.getSigningKey()).toBeTruthy();
-
-    const p1 = async () => {
-        await aliTestClient.client.downloadKeys([bobUserId]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        expect(devices.length).toEqual(1);
-        expect(devices[0].deviceId).toEqual("bvcxz");
-    };
-    const p2 = expectAliQueryKeys;
-
-    // check that the localStorage is updated as we expect (not sure this is
-    // an integration test, but meh)
-    await Promise.all([p1(), p2()]);
-    await aliTestClient.client.crypto!.deviceList.saveIfDirty();
-    // @ts-ignore - protected
-    aliTestClient.client.cryptoStore.getEndToEndDeviceData(null, (data) => {
-        const devices = data!.devices[bobUserId]!;
-        expect(devices[bobDeviceId].keys).toEqual(bobTestClient.deviceKeys!.keys);
-        expect(devices[bobDeviceId].verified).toBe(DeviceInfo.DeviceVerification.UNVERIFIED);
-    });
-}
-
-async function clientEnablesEncryption(client: MatrixClient): Promise<void> {
-    await client.setRoomEncryption(roomId, {
-        algorithm: "m.olm.v1.curve25519-aes-sha2",
-    });
-    expect(client.isRoomEncrypted(roomId)).toBeTruthy();
-}
-const aliEnablesEncryption = () => clientEnablesEncryption(aliTestClient.client);
-const bobEnablesEncryption = () => clientEnablesEncryption(bobTestClient.client);
-
-/**
- * Ali sends a message, first claiming e2e keys. Set the expectations and
- * check the results.
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function aliSendsFirstMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([
-        sendMessage(aliTestClient.client),
-        expectAliQueryKeys().then(expectAliClaimKeys).then(expectAliSendMessageRequest),
-    ]);
-    return ciphertext;
-}
-
-/**
- * Ali sends a message without first claiming e2e keys. Set the expectations
- * and check the results.
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function aliSendsMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([sendMessage(aliTestClient.client), expectAliSendMessageRequest()]);
-    return ciphertext;
-}
-
-/**
- * Bob sends a message, first querying (but not claiming) e2e keys. Set the
- * expectations and check the results.
- *
- * @returns which resolves to the ciphertext for Ali's device.
- */
-async function bobSendsReplyMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([
-        sendMessage(bobTestClient.client),
-        expectBobQueryKeys().then(expectBobSendMessageRequest),
-    ]);
-    return ciphertext;
-}
-
-/**
- * Set an expectation that Ali will send a message, and flush the request
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function expectAliSendMessageRequest(): Promise<OlmPayload> {
-    const content = await expectSendMessageRequest(aliTestClient.httpBackend);
-    aliMessages.push(content);
-    expect(Object.keys(content.ciphertext)).toEqual([bobTestClient.getDeviceKey()]);
-    const ciphertext = content.ciphertext[bobTestClient.getDeviceKey()];
-    expect(ciphertext).toBeTruthy();
-    return ciphertext;
-}
-
-/**
- * Set an expectation that Bob will send a message, and flush the request
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function expectBobSendMessageRequest(): Promise<OlmPayload> {
-    const content = await expectSendMessageRequest(bobTestClient.httpBackend);
-    bobMessages.push(content);
-    const aliKeyId = "curve25519:" + aliDeviceId;
-    const aliDeviceCurve25519Key = aliTestClient.deviceKeys!.keys[aliKeyId];
-    expect(Object.keys(content.ciphertext)).toEqual([aliDeviceCurve25519Key]);
-    const ciphertext = content.ciphertext[aliDeviceCurve25519Key];
-    expect(ciphertext).toBeTruthy();
-    return ciphertext;
-}
-
-function sendMessage(client: MatrixClient): Promise<ISendEventResponse> {
-    return client.sendMessage(roomId, { msgtype: "m.text", body: "Hello, World" });
-}
-
-async function expectSendMessageRequest(httpBackend: TestClient["httpBackend"]): Promise<IContent> {
-    const path = "/send/m.room.encrypted/";
-    const prom = new Promise<IContent>((resolve) => {
-        httpBackend.when("PUT", path).respond(200, function (_path, content) {
-            resolve(content);
-            return {
-                event_id: "asdfgh",
-            };
-        });
-    });
-
-    // it can take a while to process the key query
-    await httpBackend.flush(path, 1);
-    return prom;
-}
-
-function aliRecvMessage(): Promise<void> {
-    const message = bobMessages.shift()!;
-    return recvMessage(aliTestClient.httpBackend, aliTestClient.client, bobUserId, message);
-}
-
-function bobRecvMessage(): Promise<void> {
-    const message = aliMessages.shift()!;
-    return recvMessage(bobTestClient.httpBackend, bobTestClient.client, aliUserId, message);
-}
-
-async function recvMessage(
-    httpBackend: TestClient["httpBackend"],
-    client: MatrixClient,
-    sender: string,
-    message: IContent,
-): Promise<void> {
-    const syncData = {
-        next_batch: "x",
-        rooms: {
-            join: {
-                [roomId]: {
-                    timeline: {
-                        events: [
-                            testUtils.mkEvent({
-                                type: "m.room.encrypted",
-                                room: roomId,
-                                content: message,
-                                sender: sender,
-                            }),
-                        ],
-                    },
-                },
-            },
-        },
-    };
-    httpBackend.when("GET", "/sync").respond(200, syncData);
-
-    const eventPromise = new Promise<MatrixEvent>((resolve) => {
-        const onEvent = function (event: MatrixEvent) {
-            // ignore the m.room.member events
-            if (event.getType() == "m.room.member") {
-                return;
-            }
-            logger.log(client.credentials.userId + " received event", event);
-
-            client.removeListener(ClientEvent.Event, onEvent);
-            resolve(event);
-        };
-        client.on(ClientEvent.Event, onEvent);
-    });
-
-    await httpBackend.flushAllExpected();
-
-    const preDecryptionEvent = await eventPromise;
-    expect(preDecryptionEvent.isEncrypted()).toBeTruthy();
-    // it may still be being decrypted
-    const event = await testUtils.awaitDecryption(preDecryptionEvent);
-    expect(event.getType()).toEqual("m.room.message");
-    expect(event.getContent()).toMatchObject({
-        msgtype: "m.text",
-        body: "Hello, World",
-    });
-    expect(event.isEncrypted()).toBeTruthy();
-}
-
-/**
- * Send an initial sync response to the client (which just includes the member
- * list for our test room).
- *
- * @returns which resolves when the sync has been flushed.
- */
-function firstSync(testClient: TestClient): Promise<void> {
-    // send a sync response including our test room.
-    const syncData = {
-        next_batch: "x",
-        rooms: {
-            join: {
-                [roomId]: {
-                    state: {
-                        events: [
-                            testUtils.mkMembership({
-                                mship: "join",
-                                user: aliUserId,
-                            }),
-                            testUtils.mkMembership({
-                                mship: "join",
-                                user: bobUserId,
-                            }),
-                        ],
-                    },
-                    timeline: {
-                        events: [],
-                    },
-                },
-            },
-        },
-    };
-
-    testClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-    return testClient.flushSync();
-}
-
-describe("MatrixClient crypto", () => {
-    if (!CRYPTO_ENABLED) {
-        return;
-    }
-
-    beforeEach(async () => {
-        aliTestClient = new TestClient(aliUserId, aliDeviceId, aliAccessToken);
-        await aliTestClient.client.initCrypto();
-
-        bobTestClient = new TestClient(bobUserId, bobDeviceId, bobAccessToken);
-        await bobTestClient.client.initCrypto();
-
-        aliMessages = [];
-        bobMessages = [];
-    });
-
-    afterEach(() => {
-        aliTestClient.httpBackend.verifyNoOutstandingExpectation();
-        bobTestClient.httpBackend.verifyNoOutstandingExpectation();
-
-        return Promise.all([aliTestClient.stop(), bobTestClient.stop()]);
-    });
-
-    it("Bob uploads device keys", bobUploadsDeviceKeys);
-
-    it("handles failures to upload device keys", async () => {
-        // since device keys are uploaded asynchronously, there's not really much to do here other than fail the
-        // upload.
-        bobTestClient.httpBackend.when("POST", "/keys/upload").fail(0, new Error("bleh"));
-        await bobTestClient.httpBackend.flushAllExpected();
-    });
-
-    it("Ali downloads Bobs device keys", async () => {
-        await bobUploadsDeviceKeys();
-        await aliDownloadsKeys();
-    });
-
-    it("Ali gets keys with an invalid signature", async () => {
-        await bobUploadsDeviceKeys();
-        // tamper bob's keys
-        const bobDeviceKeys = bobTestClient.deviceKeys!;
-        expect(bobDeviceKeys.keys["curve25519:" + bobDeviceId]).toBeTruthy();
-        bobDeviceKeys.keys["curve25519:" + bobDeviceId] += "abc";
-        await Promise.all([aliTestClient.client.downloadKeys([bobUserId]), expectAliQueryKeys()]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        // should get an empty list
-        expect(devices).toEqual([]);
-    });
-
-    it("Ali gets keys with an incorrect userId", async () => {
-        const eveUserId = "@eve:localhost";
-
-        const bobDeviceKeys = {
-            algorithms: ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
-            device_id: "bvcxz",
-            keys: {
-                "ed25519:bvcxz": "pYuWKMCVuaDLRTM/eWuB8OlXEb61gZhfLVJ+Y54tl0Q",
-                "curve25519:bvcxz": "7Gni0loo/nzF0nFp9847RbhElGewzwUXHPrljjBGPTQ",
-            },
-            user_id: "@eve:localhost",
-            signatures: {
-                "@eve:localhost": {
-                    "ed25519:bvcxz":
-                        "CliUPZ7dyVPBxvhSA1d+X+LYa5b2AYdjcTwG" + "0stXcIxjaJNemQqtdgwKDtBFl3pN2I13SEijRDCf1A8bYiQMDg",
-                },
-            },
-        };
-
-        const bobKeys: Record<string, typeof bobDeviceKeys> = {};
-        bobKeys[bobDeviceId] = bobDeviceKeys;
-        aliTestClient.httpBackend.when("POST", "/keys/query").respond(200, { device_keys: { [bobUserId]: bobKeys } });
-
-        await Promise.all([
-            aliTestClient.client.downloadKeys([bobUserId, eveUserId]),
-            aliTestClient.httpBackend.flush("/keys/query", 1),
-        ]);
-        const [bobDevices, eveDevices] = await Promise.all([
-            aliTestClient.client.getStoredDevicesForUser(bobUserId),
-            aliTestClient.client.getStoredDevicesForUser(eveUserId),
-        ]);
-        // should get an empty list
-        expect(bobDevices).toEqual([]);
-        expect(eveDevices).toEqual([]);
-    });
-
-    it("Ali gets keys with an incorrect deviceId", async () => {
-        const bobDeviceKeys = {
-            algorithms: ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
-            device_id: "bad_device",
-            keys: {
-                "ed25519:bad_device": "e8XlY5V8x2yJcwa5xpSzeC/QVOrU+D5qBgyTK0ko+f0",
-                "curve25519:bad_device": "YxuuLG/4L5xGeP8XPl5h0d7DzyYVcof7J7do+OXz0xc",
-            },
-            user_id: "@bob:localhost",
-            signatures: {
-                "@bob:localhost": {
-                    "ed25519:bad_device":
-                        "fEFTq67RaSoIEVBJ8DtmRovbwUBKJ0A" + "me9m9PDzM9azPUwZ38Xvf6vv1A7W1PSafH4z3Y2ORIyEnZgHaNby3CQ",
-                },
-            },
-        };
-
-        const bobKeys: Record<string, typeof bobDeviceKeys> = {};
-        bobKeys[bobDeviceId] = bobDeviceKeys;
-        aliTestClient.httpBackend.when("POST", "/keys/query").respond(200, { device_keys: { [bobUserId]: bobKeys } });
-
-        await Promise.all([
-            aliTestClient.client.downloadKeys([bobUserId]),
-            aliTestClient.httpBackend.flush("/keys/query", 1),
-        ]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        // should get an empty list
-        expect(devices).toEqual([]);
-    });
-
-    it("Bob starts his client and uploads device keys and one-time keys", async () => {
-        await bobTestClient.start();
-        const keys = await bobTestClient.awaitOneTimeKeyUpload();
-        expect(Object.keys(keys).length).toEqual(5);
-        expect(Object.keys(bobTestClient.deviceKeys!).length).not.toEqual(0);
-    });
-
-    it("Ali sends a message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-    });
-
-    it("Bob receives a message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        await bobRecvMessage();
-    });
-
-    it("Bob receives a message with a bogus sender", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        const message = aliMessages.shift()!;
-        const syncData = {
-            next_batch: "x",
-            rooms: {
-                join: {
-                    [roomId]: {
-                        timeline: {
-                            events: [
-                                testUtils.mkEvent({
-                                    type: "m.room.encrypted",
-                                    room: roomId,
-                                    content: message,
-                                    sender: "@bogus:sender",
-                                }),
-                            ],
-                        },
-                    },
-                },
-            },
-        };
-        bobTestClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-
-        const eventPromise = new Promise<MatrixEvent>((resolve) => {
-            const onEvent = function (event: MatrixEvent) {
-                logger.log(bobUserId + " received event", event);
-                resolve(event);
-            };
-            bobTestClient.client.once(ClientEvent.Event, onEvent);
-        });
-        await bobTestClient.httpBackend.flushAllExpected();
-        const preDecryptionEvent = await eventPromise;
-        expect(preDecryptionEvent.isEncrypted()).toBeTruthy();
-        // it may still be being decrypted
-        const event = await testUtils.awaitDecryption(preDecryptionEvent);
-        expect(event.getType()).toEqual("m.room.message");
-        expect(event.getContent().msgtype).toEqual("m.bad.encrypted");
-    });
-
-    it("Ali blocks Bob's device", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliDownloadsKeys();
-        aliTestClient.client.setDeviceBlocked(bobUserId, bobDeviceId, true);
-        const p1 = sendMessage(aliTestClient.client);
-        const p2 = expectSendMessageRequest(aliTestClient.httpBackend).then(function (sentContent) {
-            // no unblocked devices, so the ciphertext should be empty
-            expect(sentContent.ciphertext).toEqual({});
-        });
-        await Promise.all([p1, p2]);
-    });
-
-    it("Bob receives two pre-key messages", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        await bobRecvMessage();
-        await aliSendsMessage();
-        await bobRecvMessage();
-    });
-
-    it("Bob replies to the message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        bobTestClient.expectKeyQuery({ device_keys: { [bobUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await firstSync(bobTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        bobTestClient.httpBackend.when("POST", "/keys/query").respond(200, {});
-        await bobRecvMessage();
-        await bobEnablesEncryption();
-        const ciphertext = await bobSendsReplyMessage();
-        expect(ciphertext.type).toEqual(1);
-        await aliRecvMessage();
-    });
-
-    it("Ali does a key query when encryption is enabled", async () => {
-        // enabling encryption in the room should make alice download devices
-        // for both members.
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await firstSync(aliTestClient);
-        const syncData = {
-            next_batch: "2",
-            rooms: {
-                join: {
-                    [roomId]: {
-                        state: {
-                            events: [
-                                testUtils.mkEvent({
-                                    type: "m.room.encryption",
-                                    skey: "",
-                                    content: {
-                                        algorithm: "m.olm.v1.curve25519-aes-sha2",
-                                    },
-                                }),
-                            ],
-                        },
-                    },
-                },
-            },
-        };
-
-        aliTestClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-        await aliTestClient.httpBackend.flush("/sync", 1);
-        aliTestClient.expectKeyQuery({
-            device_keys: {
-                [bobUserId]: {},
-            },
-            failures: {},
-        });
-        await aliTestClient.httpBackend.flushAllExpected();
-    });
-
-    it("Upload new oneTimeKeys based on a /sync request - no count-asking", async () => {
-        // Send a response which causes a key upload
-        const httpBackend = aliTestClient.httpBackend;
-        const syncDataEmpty = {
-            next_batch: "a",
-            device_one_time_keys_count: {
-                signed_curve25519: 0,
-            },
-        };
-
-        // enqueue expectations:
-        // * Sync with empty one_time_keys => upload keys
-
-        logger.log(aliTestClient + ": starting");
-        httpBackend.when("GET", "/versions").respond(200, {});
-        httpBackend.when("GET", "/pushrules").respond(200, {});
-        httpBackend.when("POST", "/filter").respond(200, { filter_id: "fid" });
-        aliTestClient.expectDeviceKeyUpload();
-
-        // we let the client do a very basic initial sync, which it needs before
-        // it will upload one-time keys.
-        httpBackend.when("GET", "/sync").respond(200, syncDataEmpty);
-
-        await Promise.all([aliTestClient.client.startClient({}), httpBackend.flushAllExpected()]);
-        logger.log(aliTestClient + ": started");
-        httpBackend.when("POST", "/keys/upload").respond(200, (_path, content: IUploadKeysRequest) => {
-            expect(content.one_time_keys).toBeTruthy();
-            expect(content.one_time_keys).not.toEqual({});
-            expect(Object.keys(content.one_time_keys!).length).toBeGreaterThanOrEqual(1);
-            // cancel futher calls by telling the client
-            // we have more than we need
-            return {
-                one_time_key_counts: {
-                    signed_curve25519: 70,
-                },
-            };
-        });
-        await httpBackend.flushAllExpected();
-    });
-
-    it("Checks for outgoing room key requests for a given event's session", async () => {
-        const eventA0 = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "sessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const eventA1 = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "sessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const eventB = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "othersessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const nonEncryptedEvent = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {},
-        });
-
-        aliTestClient.client.crypto?.onSyncCompleted({});
-        await aliTestClient.client.cancelAndResendEventRoomKeyRequest(eventA0);
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(eventA1)).not.toBeNull();
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(eventB)).toBeNull();
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(nonEncryptedEvent)).toBeNull();
-    });
-});
@@ -0,0 +1,348 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { QrCodeData, QrCodeIntent } from "@matrix-org/matrix-sdk-crypto-wasm";
+import fetchMock from "@fetch-mock/vitest";
+
+import {
+    MSC4108FailureReason,
+    MSC4108RendezvousSession,
+    MSC4108SecureChannel,
+    MSC4108SignInWithQR,
+    PayloadType,
+    RendezvousError,
+} from "../../../src/rendezvous";
+import {
+    ClientPrefix,
+    DEVICE_CODE_SCOPE,
+    type IHttpOpts,
+    type IMyDevice,
+    type MatrixClient,
+    MatrixError,
+    MatrixHttpApi,
+} from "../../../src";
+import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
+
+function makeMockClient(opts: { userId: string; deviceId: string; msc4108Enabled: boolean }): MatrixClient {
+    const baseUrl = "https://example.com";
+    const crypto = {
+        exportSecretsForQrLogin: vi.fn(),
+    };
+    const client = {
+        doesServerSupportUnstableFeature(feature: string) {
+            return Promise.resolve(opts.msc4108Enabled && feature === "org.matrix.msc4108");
+        },
+        getUserId() {
+            return opts.userId;
+        },
+        getDeviceId() {
+            return opts.deviceId;
+        },
+        baseUrl,
+        getDomain: () => "example.com",
+        getDevice: vi.fn(),
+        getCrypto: vi.fn(() => crypto),
+        getAuthMetadata: vi.fn().mockResolvedValue(makeDelegatedAuthConfig("https://issuer/", [DEVICE_CODE_SCOPE])),
+    } as unknown as MatrixClient;
+    client.http = new MatrixHttpApi<IHttpOpts & { onlyData: true }>(client, {
+        baseUrl: client.baseUrl,
+        prefix: ClientPrefix.Unstable,
+        onlyData: true,
+    });
+    return client;
+}
+
+describe("MSC4108SignInWithQR", () => {
+    beforeEach(() => {
+        fetchMock.get("https://issuer/jwks", {
+            status: 200,
+            headers: {
+                "Content-Type": "application/json",
+            },
+            keys: [],
+        });
+    });
+
+    const url = "https://fallbackserver/rz/123";
+    const deviceId = "DEADB33F";
+    const verificationUri = "https://example.com/verify";
+    const verificationUriComplete = "https://example.com/verify/complete";
+
+    it("should generate qr code data as expected", async () => {
+        const session = new MSC4108RendezvousSession({
+            url,
+        });
+        const channel = new MSC4108SecureChannel(session);
+        const login = new MSC4108SignInWithQR(channel, false);
+
+        await login.generateCode();
+        const code = login.code;
+        expect(code).toHaveLength(71);
+        const text = new TextDecoder().decode(code);
+        expect(text.startsWith("MATRIX")).toBeTruthy();
+        expect(text.endsWith(url)).toBeTruthy();
+
+        // Assert that the code is stable
+        await login.generateCode();
+        expect(login.code).toEqual(code);
+    });
+
+    describe("should be able to connect as a reciprocating device", () => {
+        let client: MatrixClient;
+        let ourLogin: MSC4108SignInWithQR;
+        let opponentLogin: MSC4108SignInWithQR;
+
+        beforeEach(async () => {
+            let ourData = Promise.withResolvers<string>();
+            let opponentData = Promise.withResolvers<string>();
+
+            const ourMockSession = {
+                send: vi.fn(async (newData) => {
+                    ourData.resolve(newData);
+                }),
+                receive: vi.fn(() => {
+                    const prom = opponentData.promise;
+                    prom.then(() => {
+                        opponentData = Promise.withResolvers();
+                    });
+                    return prom;
+                }),
+                url,
+                cancelled: false,
+                cancel: () => {
+                    // @ts-ignore
+                    ourMockSession.cancelled = true;
+                    ourData.resolve("");
+                },
+            } as unknown as MSC4108RendezvousSession;
+            const opponentMockSession = {
+                send: vi.fn(async (newData) => {
+                    opponentData.resolve(newData);
+                }),
+                receive: vi.fn(() => {
+                    const prom = ourData.promise;
+                    prom.then(() => {
+                        ourData = Promise.withResolvers();
+                    });
+                    return prom;
+                }),
+                url,
+            } as unknown as MSC4108RendezvousSession;
+
+            client = makeMockClient({ userId: "@alice:example.com", deviceId: "alice", msc4108Enabled: true });
+
+            const ourChannel = new MSC4108SecureChannel(ourMockSession);
+            const qrCodeData = QrCodeData.fromBytes(
+                await ourChannel.generateCode(QrCodeIntent.Reciprocate, client.getDomain()!),
+            );
+            const opponentChannel = new MSC4108SecureChannel(opponentMockSession, qrCodeData.publicKey);
+
+            ourLogin = new MSC4108SignInWithQR(ourChannel, true, client);
+            opponentLogin = new MSC4108SignInWithQR(opponentChannel, false);
+        });
+
+        it("should be able to connect with opponent and share server name & check code", async () => {
+            await Promise.all([
+                expect(ourLogin.negotiateProtocols()).resolves.toEqual({}),
+                expect(opponentLogin.negotiateProtocols()).resolves.toEqual({ serverName: client.getDomain() }),
+            ]);
+
+            expect(ourLogin.checkCode).toBe(opponentLogin.checkCode);
+        });
+
+        it("should be able to connect with opponent and share verificationUri", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            vi.mocked(client.getDevice).mockRejectedValue(new MatrixError({ errcode: "M_NOT_FOUND" }, 404));
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).resolves.toEqual({
+                    verificationUri: verificationUriComplete,
+                }),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                        verification_uri_complete: verificationUriComplete,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should abort if device already exists", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            vi.mocked(client.getDevice).mockResolvedValue({} as IMyDevice);
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).rejects.toThrow("Specified device ID already exists"),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should abort on unsupported protocol", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).rejects.toThrow(
+                    "Received a request for an unsupported protocol",
+                ),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant_v2",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should be able to connect with opponent and share secrets", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            const ourProm = ourLogin.shareSecrets();
+
+            // Consume the ProtocolAccepted message which would normally be handled by step 4 which we do not have here
+            // @ts-ignore
+            await opponentLogin.receive();
+
+            vi.mocked(client.getDevice).mockResolvedValue({} as IMyDevice);
+
+            const secrets = {
+                cross_signing: { master_key: "mk", user_signing_key: "usk", self_signing_key: "ssk" },
+            };
+            client.getCrypto()!.exportSecretsBundle = vi.fn().mockResolvedValue(secrets);
+
+            const payload = {
+                secrets: expect.objectContaining(secrets),
+            };
+            await Promise.all([
+                expect(ourProm).resolves.toEqual(payload),
+                expect(opponentLogin.shareSecrets()).resolves.toEqual(payload),
+            ]);
+        });
+
+        it("should abort if device doesn't come up by timeout", async () => {
+            vi.spyOn(globalThis, "setTimeout").mockImplementation((fn) => {
+                fn();
+                // TODO: mock timers properly
+                return -1 as any;
+            });
+            vi.spyOn(Date, "now").mockImplementation(() => {
+                return 12345678 + vi.mocked(setTimeout).mock.calls.length * 1000;
+            });
+
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            // @ts-ignore
+            await opponentLogin.send({
+                type: PayloadType.Success,
+            });
+            vi.mocked(client.getDevice).mockRejectedValue(new MatrixError({ errcode: "M_NOT_FOUND" }, 404));
+
+            const ourProm = ourLogin.shareSecrets();
+            await expect(ourProm).rejects.toThrow("New device not found");
+        });
+
+        it("should abort on unexpected errors", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            // @ts-ignore
+            await opponentLogin.send({
+                type: PayloadType.Success,
+            });
+            vi.mocked(client.getDevice).mockRejectedValue(
+                new MatrixError({ errcode: "M_UNKNOWN", error: "The message" }, 500),
+            );
+
+            await expect(ourLogin.shareSecrets()).rejects.toThrow("The message");
+        });
+
+        it("should abort on declined login", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            await ourLogin.declineLoginOnExistingDevice();
+            await expect(opponentLogin.shareSecrets()).rejects.toThrow(
+                new RendezvousError("Failed", MSC4108FailureReason.UserCancelled),
+            );
+        });
+
+        it("should not send secrets if user cancels", async () => {
+            vi.spyOn(globalThis, "setTimeout").mockImplementation((fn) => {
+                fn();
+                // TODO: mock timers properly
+                return -1 as any;
+            });
+
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            const ourProm = ourLogin.shareSecrets();
+            const opponentProm = opponentLogin.shareSecrets();
+
+            // Consume the ProtocolAccepted message which would normally be handled by step 4 which we do not have here
+            // @ts-ignore
+            await opponentLogin.receive();
+
+            const deviceResolvers = Promise.withResolvers<IMyDevice>();
+            vi.mocked(client.getDevice).mockReturnValue(deviceResolvers.promise);
+
+            ourLogin.cancel(MSC4108FailureReason.UserCancelled).catch(() => {});
+            deviceResolvers.resolve({} as IMyDevice);
+
+            const secrets = {
+                cross_signing: { master_key: "mk", user_signing_key: "usk", self_signing_key: "ssk" },
+            };
+            client.getCrypto()!.exportSecretsBundle = vi.fn().mockResolvedValue(secrets);
+
+            await Promise.all([
+                expect(ourProm).rejects.toThrow("User cancelled"),
+                expect(opponentProm).rejects.toThrow("Unexpected message received"),
+            ]);
+        });
+    });
+});
@@ -1,90 +0,0 @@
-/*
-Copyright 2022 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import "fake-indexeddb/auto";
-import { IDBFactory } from "fake-indexeddb";
-
-import { createClient } from "../../src";
-
-afterEach(() => {
-    // reset fake-indexeddb after each test, to make sure we don't leak connections
-    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
-    // eslint-disable-next-line no-global-assign
-    indexedDB = new IDBFactory();
-});
-
-describe("MatrixClient.initRustCrypto", () => {
-    it("should raise if userId or deviceId is unknown", async () => {
-        const unknownUserClient = createClient({
-            baseUrl: "http://test.server",
-            deviceId: "aliceDevice",
-        });
-        await expect(() => unknownUserClient.initRustCrypto()).rejects.toThrow("unknown userId");
-
-        const unknownDeviceClient = createClient({
-            baseUrl: "http://test.server",
-            userId: "@alice:test",
-        });
-        await expect(() => unknownDeviceClient.initRustCrypto()).rejects.toThrow("unknown deviceId");
-    });
-
-    it("should create the indexed dbs", async () => {
-        const matrixClient = createClient({
-            baseUrl: "http://test.server",
-            userId: "@alice:localhost",
-            deviceId: "aliceDevice",
-        });
-
-        // No databases.
-        expect(await indexedDB.databases()).toHaveLength(0);
-
-        await matrixClient.initRustCrypto();
-
-        // should have two dbs now
-        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
-        expect(databaseNames).toEqual(
-            expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto", "matrix-js-sdk::matrix-sdk-crypto-meta"]),
-        );
-    });
-
-    it("should ignore a second call", async () => {
-        const matrixClient = createClient({
-            baseUrl: "http://test.server",
-            userId: "@alice:localhost",
-            deviceId: "aliceDevice",
-        });
-
-        await matrixClient.initRustCrypto();
-        await matrixClient.initRustCrypto();
-    });
-});
-
-describe("MatrixClient.clearStores", () => {
-    it("should clear the indexeddbs", async () => {
-        const matrixClient = createClient({
-            baseUrl: "http://test.server",
-            userId: "@alice:localhost",
-            deviceId: "aliceDevice",
-        });
-
-        await matrixClient.initRustCrypto();
-        expect(await indexedDB.databases()).toHaveLength(2);
-        await matrixClient.stopClient();
-
-        await matrixClient.clearStores();
-        expect(await indexedDB.databases()).toHaveLength(0);
-    });
-});
@@ -15,54 +15,70 @@ limitations under the License.
 */

 // eslint-disable-next-line no-restricted-imports
-import MockHttpBackend from "matrix-mock-request";
 import { fail } from "assert";

-import { SlidingSync, SlidingSyncEvent, MSC3575RoomData, SlidingSyncState, Extension } from "../../src/sliding-sync";
-import { TestClient } from "../TestClient";
-import { IRoomEvent, IStateEvent } from "../../src/sync-accumulator";
+import type MockHttpBackend from "matrix-mock-request";
 import {
-    MatrixClient,
-    MatrixEvent,
+    SlidingSync,
+    SlidingSyncEvent,
+    type MSC3575RoomData,
+    SlidingSyncState,
+    type Extension,
+} from "../../src/sliding-sync";
+import { TestClient } from "../TestClient";
+import { type IContent, type IRoomEvent, type IStateEvent } from "../../src";
+import {
+    type MatrixClient,
+    type MatrixEvent,
    NotificationCountType,
    JoinRule,
    MatrixError,
    EventType,
-    IPushRules,
+    type IPushRules,
    PushRuleKind,
    TweakName,
    ClientEvent,
    RoomMemberEvent,
    RoomEvent,
-    Room,
-    IRoomTimelineData,
+    type Room,
+    type IRoomTimelineData,
 } from "../../src";
 import { SlidingSyncSdk } from "../../src/sliding-sync-sdk";
-import { SyncApiOptions, SyncState } from "../../src/sync";
-import { IStoredClientOpts } from "../../src/client";
+import { type SyncApiOptions, SyncState } from "../../src/sync";
+import { type IStoredClientOpts } from "../../src";
 import { logger } from "../../src/logger";
 import { emitPromise } from "../test-utils/test-utils";
+import { KnownMembership } from "../../src/@types/membership";
+import { type SyncCryptoCallbacks } from "../../src/common-crypto/CryptoBackend";
+
+declare module "../../src/@types/event" {
+    interface AccountDataEvents {
+        global_test: {};
+        tester: {};
+    }
+}

 describe("SlidingSyncSdk", () => {
    let client: MatrixClient | undefined;
    let httpBackend: MockHttpBackend | undefined;
    let sdk: SlidingSyncSdk | undefined;
    let mockSlidingSync: SlidingSync | undefined;
+    let syncCryptoCallback: SyncCryptoCallbacks | undefined;
    const selfUserId = "@alice:localhost";
    const selfAccessToken = "aseukfgwef";

    const mockifySlidingSync = (s: SlidingSync): SlidingSync => {
-        s.getListParams = jest.fn();
-        s.getListData = jest.fn();
-        s.getRoomSubscriptions = jest.fn();
-        s.modifyRoomSubscriptionInfo = jest.fn();
-        s.modifyRoomSubscriptions = jest.fn();
-        s.registerExtension = jest.fn();
-        s.setList = jest.fn();
-        s.setListRanges = jest.fn();
-        s.start = jest.fn();
-        s.stop = jest.fn();
-        s.resend = jest.fn();
+        s.getListParams = vi.fn();
+        s.getListData = vi.fn();
+        s.getRoomSubscriptions = vi.fn();
+        s.modifyRoomSubscriptionInfo = vi.fn();
+        s.modifyRoomSubscriptions = vi.fn();
+        s.registerExtension = vi.fn();
+        s.setList = vi.fn();
+        s.setListRanges = vi.fn();
+        s.start = vi.fn();
+        s.stop = vi.fn();
+        s.resend = vi.fn();
        return s;
    };

@@ -95,7 +111,7 @@ describe("SlidingSyncSdk", () => {
            expect(m.getType()).toEqual(want[i].type);
            expect(m.getSender()).toEqual(want[i].sender);
            expect(m.getId()).toEqual(want[i].event_id);
-            expect(m.getContent()).toEqual(want[i].content);
+            expect(m.getContent<IContent>()).toEqual(want[i].content);
            expect(m.getTs()).toEqual(want[i].origin_server_ts);
            if (want[i].unsigned) {
                expect(m.getUnsigned()).toEqual(want[i].unsigned);
@@ -110,17 +126,18 @@ describe("SlidingSyncSdk", () => {
    // assign client/httpBackend globals
    const setupClient = async (testOpts?: Partial<IStoredClientOpts & { withCrypto: boolean }>) => {
        testOpts = testOpts || {};
-        const syncOpts: SyncApiOptions = {};
+        const syncOpts: SyncApiOptions = { logger };
        const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
        httpBackend = testClient.httpBackend;
        client = testClient.client;
        mockSlidingSync = mockifySlidingSync(new SlidingSync("", new Map(), {}, client, 0));
        if (testOpts.withCrypto) {
            httpBackend!.when("GET", "/room_keys/version").respond(404, {});
-            await client!.initCrypto();
-            syncOpts.cryptoCallbacks = syncOpts.crypto = client!.crypto;
+            await client!.initRustCrypto({ useIndexedDB: false });
+            syncCryptoCallback = client!.getCrypto() as unknown as SyncCryptoCallbacks;
+            syncOpts.cryptoCallbacks = syncCryptoCallback;
        }
-        httpBackend!.when("GET", "/_matrix/client/r0/pushrules").respond(200, {});
+        httpBackend!.when("GET", "/_matrix/client/v3/pushrules").respond(200, {});
        sdk = new SlidingSyncSdk(mockSlidingSync, client, testOpts, syncOpts);
    };

@@ -133,7 +150,7 @@ describe("SlidingSyncSdk", () => {
    // find an extension on a SlidingSyncSdk instance
    const findExtension = (name: string): Extension<any, any> => {
        expect(mockSlidingSync!.registerExtension).toHaveBeenCalled();
-        const mockFn = mockSlidingSync!.registerExtension as jest.Mock;
+        const mockFn = vi.mocked(mockSlidingSync!.registerExtension);
        // find the extension
        for (let i = 0; i < mockFn.mock.calls.length; i++) {
            const calledExtension = mockFn.mock.calls[i][0] as Extension<any, any>;
@@ -187,8 +204,8 @@ describe("SlidingSyncSdk", () => {
                [roomA]: {
                    name: "A",
                    required_state: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnStateEvent(EventType.RoomName, { name: "A" }, ""),
                    ],
@@ -202,8 +219,8 @@ describe("SlidingSyncSdk", () => {
                    name: "B",
                    required_state: [],
                    timeline: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello B" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world B" }),
@@ -214,8 +231,8 @@ describe("SlidingSyncSdk", () => {
                    name: "C",
                    required_state: [],
                    timeline: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello C" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world C" }),
@@ -227,8 +244,8 @@ describe("SlidingSyncSdk", () => {
                    name: "D",
                    required_state: [],
                    timeline: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello D" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world D" }),
@@ -243,7 +260,7 @@ describe("SlidingSyncSdk", () => {
                    invite_state: [
                        {
                            type: EventType.RoomMember,
-                            content: { membership: "invite" },
+                            content: { membership: KnownMembership.Invite },
                            state_key: selfUserId,
                            sender: "@bob:localhost",
                            event_id: "$room_e_invite",
@@ -263,8 +280,8 @@ describe("SlidingSyncSdk", () => {
                [roomF]: {
                    name: "#foo:localhost",
                    required_state: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnStateEvent(EventType.RoomCanonicalAlias, { alias: "#foo:localhost" }, ""),
                        mkOwnStateEvent(EventType.RoomName, { name: "This should be ignored" }, ""),
@@ -279,8 +296,8 @@ describe("SlidingSyncSdk", () => {
                    name: "G",
                    required_state: [],
                    timeline: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    ],
                    joined_count: 5,
@@ -291,8 +308,8 @@ describe("SlidingSyncSdk", () => {
                    name: "H",
                    required_state: [],
                    timeline: [
-                        mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "live event" }),
                    ],
@@ -301,67 +318,57 @@ describe("SlidingSyncSdk", () => {
                },
            };

-            it("can be created with required_state and timeline", () => {
+            it("can be created with required_state and timeline", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomA, data[roomA]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomA);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.name).toEqual(data[roomA].name);
-                expect(gotRoom.getMyMembership()).toEqual("join");
-                assertTimelineEvents(gotRoom.getLiveTimeline().getEvents().slice(-2), data[roomA].timeline);
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.name).toEqual(data[roomA].name);
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
+                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents().slice(-2), data[roomA].timeline);
            });

-            it("can be created with timeline only", () => {
+            it("can be created with timeline only", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomB, data[roomB]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomB);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.name).toEqual(data[roomB].name);
-                expect(gotRoom.getMyMembership()).toEqual("join");
-                assertTimelineEvents(gotRoom.getLiveTimeline().getEvents().slice(-5), data[roomB].timeline);
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.name).toEqual(data[roomB].name);
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
+                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents().slice(-5), data[roomB].timeline);
            });

-            it("can be created with a highlight_count", () => {
+            it("can be created with a highlight_count", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomC, data[roomC]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomC);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.getUnreadNotificationCount(NotificationCountType.Highlight)).toEqual(
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.getUnreadNotificationCount(NotificationCountType.Highlight)).toEqual(
                    data[roomC].highlight_count,
                );
            });

-            it("can be created with a notification_count", () => {
+            it("can be created with a notification_count", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomD, data[roomD]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomD);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.getUnreadNotificationCount(NotificationCountType.Total)).toEqual(
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.getUnreadNotificationCount(NotificationCountType.Total)).toEqual(
                    data[roomD].notification_count,
                );
            });

-            it("can be created with an invited/joined_count", () => {
+            it("can be created with an invited/joined_count", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomG, data[roomG]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomG);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.getInvitedMemberCount()).toEqual(data[roomG].invited_count);
-                expect(gotRoom.getJoinedMemberCount()).toEqual(data[roomG].joined_count);
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.getInvitedMemberCount()).toEqual(data[roomG].invited_count);
+                expect(gotRoom!.getJoinedMemberCount()).toEqual(data[roomG].joined_count);
            });

-            it("can be created with live events", () => {
-                let seenLiveEvent = false;
+            it("can be created with live events", async () => {
+                const seenLiveEventDeferred = Promise.withResolvers<boolean>();
                const listener = (
                    ev: MatrixEvent,
                    room?: Room,
@@ -371,43 +378,37 @@ describe("SlidingSyncSdk", () => {
                ) => {
                    if (timelineData?.liveEvent) {
                        assertTimelineEvents([ev], data[roomH].timeline.slice(-1));
-                        seenLiveEvent = true;
+                        seenLiveEventDeferred.resolve(true);
                    }
                };
                client!.on(RoomEvent.Timeline, listener);
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomH, data[roomH]);
+                await emitPromise(client!, ClientEvent.Room);
                client!.off(RoomEvent.Timeline, listener);
                const gotRoom = client!.getRoom(roomH);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.name).toEqual(data[roomH].name);
-                expect(gotRoom.getMyMembership()).toEqual("join");
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.name).toEqual(data[roomH].name);
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
                // check the entire timeline is correct
-                assertTimelineEvents(gotRoom.getLiveTimeline().getEvents(), data[roomH].timeline);
-                expect(seenLiveEvent).toBe(true);
+                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents(), data[roomH].timeline);
+                await expect(seenLiveEventDeferred.promise).resolves.toBeTruthy();
            });

-            it("can be created with invite_state", () => {
+            it("can be created with invite_state", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomE, data[roomE]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomE);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.getMyMembership()).toEqual("invite");
-                expect(gotRoom.currentState.getJoinRule()).toEqual(JoinRule.Invite);
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Invite);
+                expect(gotRoom!.currentState.getJoinRule()).toEqual(JoinRule.Invite);
            });

-            it("uses the 'name' field to caluclate the room name", () => {
+            it("uses the 'name' field to caluclate the room name", async () => {
                mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomF, data[roomF]);
+                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomF);
-                expect(gotRoom).toBeDefined();
-                if (gotRoom == null) {
-                    return;
-                }
-                expect(gotRoom.name).toEqual(data[roomF].name);
+                expect(gotRoom).toBeTruthy();
+                expect(gotRoom!.name).toEqual(data[roomF].name);
            });

            describe("updating", () => {
@@ -419,33 +420,33 @@ describe("SlidingSyncSdk", () => {
                        name: data[roomA].name,
                    });
                    const gotRoom = client!.getRoom(roomA);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
                    const newTimeline = data[roomA].timeline;
                    newTimeline.push(newEvent);
-                    assertTimelineEvents(gotRoom.getLiveTimeline().getEvents().slice(-3), newTimeline);
+                    assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents().slice(-3), newTimeline);
                });

                it("can update with a new required_state event", async () => {
                    let gotRoom = client!.getRoom(roomB);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
-                    expect(gotRoom.getJoinRule()).toEqual(JoinRule.Invite); // default
+                    expect(gotRoom!.getJoinRule()).toEqual(JoinRule.Invite); // default
                    mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomB, {
                        required_state: [mkOwnStateEvent("m.room.join_rules", { join_rule: "restricted" }, "")],
                        timeline: [],
                        name: data[roomB].name,
                    });
                    gotRoom = client!.getRoom(roomB);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
-                    expect(gotRoom.getJoinRule()).toEqual(JoinRule.Restricted);
+                    expect(gotRoom!.getJoinRule()).toEqual(JoinRule.Restricted);
                });

                it("can update with a new highlight_count", async () => {
@@ -456,11 +457,11 @@ describe("SlidingSyncSdk", () => {
                        highlight_count: 1,
                    });
                    const gotRoom = client!.getRoom(roomC);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
-                    expect(gotRoom.getUnreadNotificationCount(NotificationCountType.Highlight)).toEqual(1);
+                    expect(gotRoom!.getUnreadNotificationCount(NotificationCountType.Highlight)).toEqual(1);
                });

                it("can update with a new notification_count", async () => {
@@ -471,11 +472,11 @@ describe("SlidingSyncSdk", () => {
                        notification_count: 1,
                    });
                    const gotRoom = client!.getRoom(roomD);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
-                    expect(gotRoom.getUnreadNotificationCount(NotificationCountType.Total)).toEqual(1);
+                    expect(gotRoom!.getUnreadNotificationCount(NotificationCountType.Total)).toEqual(1);
                });

                it("can update with a new joined_count", () => {
@@ -486,11 +487,11 @@ describe("SlidingSyncSdk", () => {
                        joined_count: 1,
                    });
                    const gotRoom = client!.getRoom(roomG);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
-                    expect(gotRoom.getJoinedMemberCount()).toEqual(1);
+                    expect(gotRoom!.getJoinedMemberCount()).toEqual(1);
                });

                // Regression test for a bug which caused the timeline entries to be out-of-order
@@ -512,7 +513,7 @@ describe("SlidingSyncSdk", () => {
                        initial: true, // e.g requested via room subscription
                    });
                    const gotRoom = client!.getRoom(roomA);
-                    expect(gotRoom).toBeDefined();
+                    expect(gotRoom).toBeTruthy();
                    if (gotRoom == null) {
                        return;
                    }
@@ -530,7 +531,7 @@ describe("SlidingSyncSdk", () => {
                    );

                    // we expect the timeline now to be oldTimeline (so the old events are in fact old)
-                    assertTimelineEvents(gotRoom.getLiveTimeline().getEvents(), oldTimeline);
+                    assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents(), oldTimeline);
                });
            });
        });
@@ -615,20 +616,20 @@ describe("SlidingSyncSdk", () => {
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                initial: true,
                name: "Room with Invite",
-                required_state: [],
-                timeline: [
-                    mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                required_state: [
+                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "invite" }, invitee),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Invite }, invitee),
                ],
+                timeline: [],
            });
            await httpBackend!.flush("/profile", 1, 1000);
            await emitPromise(client!, RoomMemberEvent.Name);
            const room = client!.getRoom(roomId)!;
-            expect(room).toBeDefined();
+            expect(room).toBeTruthy();
            const inviteeMember = room.getMember(invitee)!;
-            expect(inviteeMember).toBeDefined();
+            expect(inviteeMember).toBeTruthy();
            expect(inviteeMember.getMxcAvatarUrl()).toEqual(inviteeProfile.avatar_url);
            expect(inviteeMember.name).toEqual(inviteeProfile.displayname);
        });
@@ -647,43 +648,38 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("e2ee");
        });

-        afterAll(async () => {
-            // needed else we do some async operations in the background which can cause Jest to whine:
-            // "Cannot log after tests are done. Did you forget to wait for something async in your test?"
-            // Attempted to log "Saving device tracking data null"."
-            client!.crypto!.stop();
-        });
-
-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("can update device lists", () => {
-            client!.crypto!.processDeviceLists = jest.fn();
+            syncCryptoCallback!.processDeviceLists = vi.fn();
            ext.onResponse({
                device_lists: {
                    changed: ["@alice:localhost"],
                    left: ["@bob:localhost"],
                },
            });
-            expect(client!.crypto!.processDeviceLists).toHaveBeenCalledWith({
+            expect(syncCryptoCallback!.processDeviceLists).toHaveBeenCalledWith({
                changed: ["@alice:localhost"],
                left: ["@bob:localhost"],
            });
        });

        it("can update OTK counts and unused fallback keys", () => {
-            client!.crypto!.processKeyCounts = jest.fn();
+            syncCryptoCallback!.processKeyCounts = vi.fn();
            ext.onResponse({
                device_one_time_keys_count: {
                    signed_curve25519: 42,
                },
                device_unused_fallback_key_types: ["signed_curve25519"],
            });
-            expect(client!.crypto!.processKeyCounts).toHaveBeenCalledWith({ signed_curve25519: 42 }, [
+            expect(syncCryptoCallback!.processKeyCounts).toHaveBeenCalledWith({ signed_curve25519: 42 }, [
                "signed_curve25519",
            ]);
        });
@@ -700,11 +696,13 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("account_data");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes global account data", async () => {
@@ -723,8 +721,8 @@ describe("SlidingSyncSdk", () => {
                ],
            });
            globalData = client!.getAccountData(globalType)!;
-            expect(globalData).toBeDefined();
-            expect(globalData.getContent()).toEqual(globalContent);
+            expect(globalData).toBeTruthy();
+            expect(globalData.getContent<IContent>()).toEqual(globalContent);
        });

        it("processes rooms account data", async () => {
@@ -733,8 +731,8 @@ describe("SlidingSyncSdk", () => {
                name: "Room with account data",
                required_state: [],
                timeline: [
-                    mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
@@ -744,6 +742,7 @@ describe("SlidingSyncSdk", () => {
                foo: "bar",
            };
            const roomType = "test";
+            await emitPromise(client!, ClientEvent.Room);
            ext.onResponse({
                rooms: {
                    [roomId]: [
@@ -755,10 +754,10 @@ describe("SlidingSyncSdk", () => {
                },
            });
            const room = client!.getRoom(roomId)!;
-            expect(room).toBeDefined();
+            expect(room).toBeTruthy();
            const event = room.getAccountData(roomType)!;
-            expect(event).toBeDefined();
-            expect(event.getContent()).toEqual(roomContent);
+            expect(event).toBeTruthy();
+            expect(event.getContent<IContent>()).toEqual(roomContent);
        });

        it("doesn't crash for unknown room account data", async () => {
@@ -827,8 +826,12 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("to_device");
        });

-        it("gets enabled with a limit on the initial request only", () => {
-            const reqJson: any = ext.onRequest(true);
+        it("gets enabled all the time", async () => {
+            let reqJson: any = await ext.onRequest(true);
+            expect(reqJson.enabled).toEqual(true);
+            expect(reqJson.limit).toBeGreaterThan(0);
+            expect(reqJson.since).toBeUndefined();
+            reqJson = await ext.onRequest(false);
            expect(reqJson.enabled).toEqual(true);
            expect(reqJson.limit).toBeGreaterThan(0);
            expect(reqJson.since).toBeUndefined();
@@ -839,11 +842,12 @@ describe("SlidingSyncSdk", () => {
                next_batch: "12345",
                events: [],
            });
-            expect(ext.onRequest(false)).toEqual({
+            expect(await ext.onRequest(false)).toMatchObject({
                since: "12345",
            });
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("can handle missing fields", async () => {
            ext.onResponse({
                next_batch: "23456",
@@ -858,7 +862,7 @@ describe("SlidingSyncSdk", () => {
            };
            let called = false;
            client!.once(ClientEvent.ToDeviceEvent, (ev) => {
-                expect(ev.getContent()).toEqual(toDeviceContent);
+                expect(ev.getContent<IContent>()).toEqual(toDeviceContent);
                expect(ev.getType()).toEqual(toDeviceType);
                called = true;
            });
@@ -923,28 +927,30 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("typing");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes typing notifications", async () => {
            const roomId = "!room:id";
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                name: "Room with typing",
-                required_state: [],
-                timeline: [
-                    mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                required_state: [
+                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
+                timeline: [mkOwnEvent(EventType.RoomMessage, { body: "hello" })],
                initial: true,
            });
+            await emitPromise(client!, ClientEvent.Room);
            const room = client!.getRoom(roomId)!;
-            expect(room).toBeDefined();
+            expect(room).toBeTruthy();
            expect(room.getMember(selfUserId)?.typing).toEqual(false);
            ext.onResponse({
                rooms: {
@@ -974,17 +980,16 @@ describe("SlidingSyncSdk", () => {
            const roomId = "!room:id";
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                name: "Room with typing",
-                required_state: [],
-                timeline: [
-                    mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                required_state: [
+                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
+                timeline: [mkOwnEvent(EventType.RoomMessage, { body: "hello" })],
                initial: true,
            });
            const room = client!.getRoom(roomId)!;
-            expect(room).toBeDefined();
+            expect(room).toBeTruthy();
            expect(room.getMember(selfUserId)?.typing).toEqual(false);
            ext.onResponse({
                rooms: {
@@ -1047,11 +1052,13 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("receipts");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes receipts", async () => {
@@ -1062,13 +1069,13 @@ describe("SlidingSyncSdk", () => {
                name: "Room with receipts",
                required_state: [],
                timeline: [
-                    mkOwnStateEvent(EventType.RoomCreate, { creator: selfUserId }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    {
                        type: EventType.RoomMember,
                        state_key: alice,
-                        content: { membership: "join" },
+                        content: { membership: KnownMembership.Join },
                        sender: alice,
                        origin_server_ts: Date.now(),
                        event_id: "$alice",
@@ -1077,17 +1084,19 @@ describe("SlidingSyncSdk", () => {
                ],
                initial: true,
            });
+            await emitPromise(client!, ClientEvent.Room);
            const room = client!.getRoom(roomId)!;
-            expect(room).toBeDefined();
+            expect(room).toBeTruthy();
            expect(room.getReadReceiptForUserId(alice, true)).toBeNull();
            ext.onResponse(generateReceiptResponse(alice, roomId, lastEvent.event_id, "m.read", 1234567));
            const receipt = room.getReadReceiptForUserId(alice);
-            expect(receipt).toBeDefined();
+            expect(receipt).toBeTruthy();
            expect(receipt?.eventId).toEqual(lastEvent.event_id);
            expect(receipt?.data.ts).toEqual(1234567);
            expect(receipt?.data.thread_id).toBeFalsy();
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("gracefully handles missing rooms when receiving receipts", async () => {
            const roomId = "!room:id";
            const alice = "@alice:alice";
--- a/Show More
+++ b/Show More