Remove dependency on uuid (#5297 )

Update dependency vite to v8 (#5295 )
* Update dependency vite to v8 * Update lockfile --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
2026-04-23 09:53:18 +00:00 · 2026-04-22 16:16:29 +00:00 · 2026-04-22 09:10:39 +00:00 · 2026-04-21 14:38:05 +00:00 · 2026-04-21 13:58:22 +00:00 · 2026-04-21 12:37:38 +00:00
501 changed files with 132471 additions and 55028 deletions
@@ -1,22 +0,0 @@
-{
-    "sourceMaps": true,
-    "presets": [
-        [
-            "@babel/preset-env",
-            {
-                "targets": {
-                    "node": 10
-                },
-                "modules": "commonjs"
-            }
-        ],
-        "@babel/preset-typescript"
-    ],
-    "plugins": [
-        "@babel/plugin-proposal-numeric-separator",
-        "@babel/plugin-proposal-class-properties",
-        "@babel/plugin-proposal-object-rest-spread",
-        "@babel/plugin-syntax-dynamic-import",
-        "@babel/plugin-transform-runtime"
-    ]
-}
@@ -0,0 +1 @@
+_docs
@@ -1,6 +1,6 @@
 module.exports = {
-    plugins: ["matrix-org", "import", "jsdoc"],
-    extends: ["plugin:matrix-org/babel", "plugin:matrix-org/jest", "plugin:import/typescript"],
+    plugins: ["matrix-org", "import", "jsdoc", "n", "@vitest"],
+    extends: ["plugin:matrix-org/babel", "plugin:import/typescript"],
    parserOptions: {
        project: ["./tsconfig.json"],
    },
@@ -49,6 +49,26 @@ module.exports = {
            },
        ],

+        "no-restricted-properties": [
+            "error",
+            {
+                object: "window",
+                property: "setImmediate",
+                message: "Use setTimeout instead.",
+            },
+        ],
+        "no-restricted-globals": [
+            "error",
+            {
+                name: "setImmediate",
+                message: "Use setTimeout instead.",
+            },
+            {
+                name: "global",
+                message: "Use globalThis instead.",
+            },
+        ],
+
        "import/no-restricted-paths": [
            "error",
            {
@@ -63,17 +83,6 @@ module.exports = {
                ],
            },
        ],
-        // Disabled tests are a reality for now but as soon as all of the xits are
-        // eliminated, we should enforce this.
-        "jest/no-disabled-tests": "off",
-        // Also treat "oldBackendOnly" as a test function.
-        // Used in some crypto tests.
-        "jest/no-standalone-expect": [
-            "error",
-            {
-                additionalTestBlockFunctions: ["beforeAll", "beforeEach", "oldBackendOnly", "newBackendOnly"],
-            },
-        ],
    },
    overrides: [
        {
@@ -92,10 +101,13 @@ module.exports = {
                "@typescript-eslint/ban-ts-comment": "off",
                // We're okay with assertion errors when we ask for them
                "@typescript-eslint/no-non-null-assertion": "off",
-
-                // The non-TypeScript rule produces false positives
-                "func-call-spacing": "off",
-                "@typescript-eslint/func-call-spacing": ["error"],
+                "@typescript-eslint/no-empty-object-type": [
+                    "error",
+                    {
+                        // We do this sometimes to brand interfaces
+                        allowInterfaces: "with-single-extends",
+                    },
+                ],

                "quotes": "off",
                // We use a `logger` intermediary module
@@ -103,11 +115,8 @@ module.exports = {
            },
        },
        {
-            // We don't need amazing docs in our spec files
            files: ["src/**/*.ts"],
            rules: {
-                "tsdoc/syntax": "error",
-                // We use some select jsdoc rules as the tsdoc linter has only one rule
                "jsdoc/no-types": "error",
                "jsdoc/empty-tags": "error",
                "jsdoc/check-property-names": "error",
@@ -115,14 +124,61 @@ module.exports = {
                // These need a bit more work before we can enable
                // "jsdoc/check-param-names": "error",
                // "jsdoc/check-indentation": "error",
+                // Ensure .ts extension on imports outside of tests
+                "n/file-extension-in-import": [
+                    "error",
+                    "always",
+                    {
+                        tryExtensions: [".ts"],
+                    },
+                ],
+                "no-extra-boolean-cast": "error",
            },
        },
        {
            files: ["spec/**/*.ts"],
+            extends: ["plugin:@vitest/legacy-recommended"],
            rules: {
                // We don't need super strict typing in test utilities
                "@typescript-eslint/explicit-function-return-type": "off",
                "@typescript-eslint/explicit-member-accessibility": "off",
+                "@typescript-eslint/no-empty-object-type": "off",
+
+                // Disabled tests are a reality for now but as soon as all of the xits are
+                // eliminated, we should enforce this.
+                "@vitest/no-disabled-tests": "off",
+                // Used in some crypto tests.
+                "@vitest/no-standalone-expect": [
+                    "error",
+                    {
+                        additionalTestBlockFunctions: ["beforeAll", "beforeEach"],
+                    },
+                ],
+                "@vitest/expect-expect": [
+                    "error",
+                    {
+                        assertFunctionNames: [
+                            "expect",
+                            "expectDevices",
+                            "assert.isTrue",
+                            "assert.isFalse",
+                            "passwordTest",
+                            "compareHeaders",
+                            "doTest",
+                        ],
+                    },
+                ],
+            },
+        },
+        {
+            // Enable stricter promise rules for the MatrixRTC codebase
+            files: ["src/matrixrtc/**/*.ts", "spec/unit/matrixrtc/*.ts"],
+            rules: {
+                // Encourage proper usage of Promises:
+                "@typescript-eslint/no-floating-promises": "error",
+                "@typescript-eslint/no-misused-promises": "error",
+                "@typescript-eslint/require-await": "error",
+                "@typescript-eslint/await-thenable": "error",
            },
        },
    ],
@@ -1,8 +1,17 @@
-*                         @matrix-org/element-web
-/.github/workflows/**     @matrix-org/element-web-app-team
-/package.json             @matrix-org/element-web-app-team
-/yarn.lock                @matrix-org/element-web-app-team
+*                         @matrix-org/element-web-reviewers
+/.github/workflows/**     @matrix-org/element-web-team
+/package.json             @matrix-org/element-web-team
+/pnpm-lock.yaml           @matrix-org/element-web-team
+/scripts/**               @matrix-org/element-web-team
 /src/webrtc               @matrix-org/element-call-reviewers
 /src/matrixrtc               @matrix-org/element-call-reviewers
 /spec/*/webrtc            @matrix-org/element-call-reviewers
 /spec/*/matrixrtc            @matrix-org/element-call-reviewers
+
+/src/crypto-api           @matrix-org/element-crypto-web-reviewers
+/src/crypto               @matrix-org/element-crypto-web-reviewers
+/src/rust-crypto          @matrix-org/element-crypto-web-reviewers
+/spec/integ/crypto        @matrix-org/element-crypto-web-reviewers
+/spec/unit/crypto.spec.ts @matrix-org/element-crypto-web-reviewers
+/spec/unit/crypto         @matrix-org/element-crypto-web-reviewers
+/spec/unit/rust-crypto    @matrix-org/element-crypto-web-reviewers
@@ -2,12 +2,7 @@

 ## Checklist

-   [ ] Tests written for new code (and old code if feasible)
-   [ ] Linter and other CI checks pass
-   [ ] Sign-off given on the changes (see [CONTRIBUTING.md](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md))
-
-<!--
-If you would like to specify text for the changelog entry other than your PR title, add the following:
-
-Notes: Add super cool feature
-->
+- [ ] Tests written for new code (and old code if feasible).
+- [ ] New or updated `public`/`exported` symbols have accurate [TSDoc](https://tsdoc.org/) documentation.
+- [ ] Linter and other CI checks pass.
+- [ ] Sign-off given on the changes (see [CONTRIBUTING.md](https://github.com/matrix-org/matrix-js-sdk/blob/develop/CONTRIBUTING.md)).
@@ -22,7 +22,7 @@ runs:

        - name: Upload tarball signature
          if: ${{ inputs.upload-url }}
-          uses: shogo82148/actions-upload-release-asset@dccd6d23e64fd6a746dce6814c0bde0a04886085 # v1
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
          with:
              upload_url: ${{ inputs.upload-url }}
              asset_path: ${{ env.VERSION }}.tar.gz.asc
@@ -29,13 +29,13 @@ runs:

        - name: Upload asset signatures
          if: inputs.gpg-fingerprint
-          uses: shogo82148/actions-upload-release-asset@dccd6d23e64fd6a746dce6814c0bde0a04886085 # v1
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
          with:
              upload_url: ${{ inputs.upload-url }}
              asset_path: ${{ inputs.asset-path }}.asc

        - name: Upload assets
-          uses: shogo82148/actions-upload-release-asset@dccd6d23e64fd6a746dce6814c0bde0a04886085 # v1
+          uses: shogo82148/actions-upload-release-asset@96bc1f0cb850b65efd58a6b5eaa0a69f88d38077 # v1
          with:
              upload_url: ${{ inputs.upload-url }}
              asset_path: ${{ inputs.asset-path }}
@@ -0,0 +1,46 @@
+- name: "A-Element-R"
+  description: "Issues affecting the port of Element's crypto layer to Rust"
+  color: "bfd4f2"
+- name: "A-Packaging"
+  description: "Packaging, signing, releasing"
+  color: "bfd4f2"
+- name: "A-Technical-Debt"
+  color: "bfd4f2"
+- name: "A-Testing"
+  description: "Testing, code coverage, etc."
+  color: "bfd4f2"
+- name: "backport staging"
+  description: "Label to automatically backport PR to staging branch"
+  color: "B60205"
+- name: "Dependencies"
+  description: "Pull requests that update a dependency file"
+  color: "0366d6"
+- name: "Easy"
+  color: "5dc9f7"
+- name: "Sponsored"
+  color: "ffc8f4"
+- name: "T-Deprecation"
+  description: "A pull request that makes something deprecated"
+  color: "98e6ae"
+- name: "T-Other"
+  description: "Questions, user support, anything else"
+  color: "98e6ae"
+- name: "X-Blocked"
+  color: "ff7979"
+- name: "X-Breaking-Change"
+  color: "ff7979"
+- name: "X-Reverted"
+  description: "PR has been reverted"
+  color: "F68AA3"
+- name: "X-Upcoming-Release-Blocker"
+  description: "This does not affect the current release cycle but will affect the next one"
+  color: "e99695"
+- name: "Z-Community-PR"
+  description: "Issue is solved by a community member's PR"
+  color: "ededed"
+- name: "Z-Flaky-Test"
+  description: "A test is raising false alarms"
+  color: "ededed"
+- name: "Z-Skip-Coverage"
+  description: "Skip SonarQube coverage for this PR"
+  color: "ededed"
@@ -22,10 +22,14 @@ version-resolver:
 exclude-labels:
    - "T-Task"
    - "X-Reverted"
+    - "backport staging"
 exclude-contributors:
    - "RiotRobot"
 template: |
    $CHANGES
+#no-changes-template: ""
 prerelease: true
 prerelease-identifier: rc
 include-pre-releases: false
+stable-ref: master
+staging-ref: staging
@@ -1,16 +1,20 @@
 name: Backport
 on:
-    pull_request_target:
+    # Privilege escalation necessary to enable backporting PRs from forks
+    # 🚨 We must not execute any checked out code here.
+    pull_request_target: # zizmor: ignore[dangerous-triggers]
        types:
            - closed
            - labeled
        branches:
            - develop

+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+
 jobs:
    backport:
        name: Backport
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        # Only react to merged PRs for security reasons.
        # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
        if: >
@@ -1,58 +0,0 @@
-# Triggers after the "Downstream artifacts" build has finished, to run the
-# cypress tests (with access to repo secrets)
-
-name: matrix-react-sdk Cypress End to End Tests
-on:
-    workflow_run:
-        workflows: ["Build downstream artifacts"]
-        types:
-            - completed
-
-concurrency:
-    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
-    cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
-
-jobs:
-    cypress:
-        name: Cypress
-
-        # We only want to run the cypress tests on merge queue to prevent regressions
-        # from creeping in. They take a long time to run and consume 4 concurrent runners.
-        if: github.event.workflow_run.event == 'merge_group'
-
-        uses: matrix-org/matrix-react-sdk/.github/workflows/cypress.yaml@f6ef476f7905cc2b1f060f1a360b482e7546e682
-        permissions:
-            actions: read
-            issues: read
-            statuses: write
-            pull-requests: read
-        secrets:
-            # secrets are not automatically shared with called workflows, so share the cypress dashboard key, and the Kiwi login details
-            CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
-            TCMS_USERNAME: ${{ secrets.TCMS_USERNAME }}
-            TCMS_PASSWORD: ${{ secrets.TCMS_PASSWORD }}
-        with:
-            react-sdk-repository: matrix-org/matrix-react-sdk
-
-    # We want to make the cypress tests a required check for the merge queue.
-    #
-    # Unfortunately, github doesn't distinguish between "checks needed for branch
-    # protection" (ie, the things that must pass before the PR will even be added
-    # to the merge queue) and "checks needed in the merge queue". We just have to add
-    # the check to the branch protection list.
-    #
-    # Ergo, if we know we're not going to run the cypress tests, we need to add a
-    # passing status check manually.
-    mark_skipped:
-        if: github.event.workflow_run.event != 'merge_group'
-        permissions:
-            statuses: write
-        runs-on: ubuntu-latest
-        steps:
-            - uses: Sibz/github-status-action@650dd1a882a76dbbbc4576fb5974b8d22f29847f # v1.1.6
-              with:
-                  authToken: "${{ secrets.GITHUB_TOKEN }}"
-                  state: success
-                  description: Cypress skipped
-                  context: "${{ github.workflow }} / cypress"
-                  sha: "${{ github.event.workflow_run.head_sha }}"
@@ -1,28 +1,31 @@
 name: Deploy documentation PR preview

 on:
-    workflow_run:
+    # Privilege escalation necessary to publish to Netlify
+    # 🚨 We must not execute any checked out code here.
+    workflow_run: # zizmor: ignore[dangerous-triggers]
        workflows: ["Static Analysis"]
        types:
            - completed
-
+permissions: {}
 jobs:
    netlify:
        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            actions: read
+            deployments: write
        steps:
-            # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
-            # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
            - name: 📥 Download artifact
-              uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
              with:
-                  workflow: static_analysis.yml
-                  run_id: ${{ github.event.workflow_run.id }}
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
                  name: docs
                  path: docs

            - name: 📤 Deploy to Netlify
-              uses: matrix-org/netlify-pr-preview@v2
+              uses: matrix-org/netlify-pr-preview@9805cd123fc9a7e421e35340a05e1ebc5dee46b5 # v3
              with:
                  path: docs
                  owner: ${{ github.event.workflow_run.head_repository.owner.login }}
@@ -1,26 +0,0 @@
-name: Build downstream artifacts
-on:
-    merge_group:
-        types: [checks_requested]
-
-    pull_request: {}
-
-    # For now at least, we don't run this or the cypress-tests against pushes
-    # to develop or master.
-    #
-    # Note that if we later choose to do so, we'll need to find a way to stop
-    # the results in Cypress Cloud from clobbering those from the 'develop'
-    # branch of matrix-react-sdk.
-    #
-    #push:
-    #    branches: [develop, master]
-concurrency:
-    group: ${{ github.workflow }}-${{ github.ref }}
-    cancel-in-progress: true
-jobs:
-    build-element-web:
-        name: Build element-web
-        uses: matrix-org/matrix-react-sdk/.github/workflows/element-web.yaml@v3.84.1
-        with:
-            matrix-js-sdk-sha: ${{ github.sha }}
-            react-sdk-repository: matrix-org/matrix-react-sdk
@@ -0,0 +1,34 @@
+# Triggers after the "Downstream artifacts" build has finished, to run the
+# element-web playwright tests (with access to repo secrets)
+
+name: Element Web End to End Tests
+on:
+    merge_group:
+        types: [checks_requested]
+
+    pull_request: {}
+
+    # For now at least, we don't run this or the downstream-end-to-end-tests against pushes
+    # to develop or master.
+    #
+    #push:
+    #    branches: [develop, master]
+permissions: {} # No permissions required
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.run_id }}
+    cancel-in-progress: ${{ github.event.workflow_run.event == 'pull_request' }}
+
+jobs:
+    playwright:
+        name: Playwright
+        uses: element-hq/element-web/.github/workflows/build-and-test.yaml@develop # zizmor: ignore[unpinned-uses]
+        permissions:
+            actions: read
+            issues: read
+            pull-requests: read
+            contents: read
+        with:
+            matrix-js-sdk-sha: ${{ github.sha }}
+            # We only want to run the playwright tests on merge queue to prevent regressions
+            # from creeping in. They take a long time to run and consume multiple concurrent runners.
+            skip: ${{ github.event_name != 'merge_group' }}
@@ -3,6 +3,7 @@ on:
    push:
        branches: [develop]
 concurrency: ${{ github.workflow }}-${{ github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    notify-downstream:
        # Only respect triggers from our develop branch, ignore that of forks
@@ -12,15 +13,13 @@ jobs:
            fail-fast: false
            matrix:
                include:
-                    - repo: vector-im/element-web
+                    - repo: element-hq/element-web
                      event: element-web-notify
-                    - repo: matrix-org/matrix-react-sdk
-                      event: upstream-sdk-notify

-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - name: Notify matrix-react-sdk repo that a new SDK build is on develop so it can CI against it
-              uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570 # v2
+            - name: Notify element-web repo that a new SDK build is on develop so it can CI against it
+              uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
              with:
                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  repository: ${{ matrix.repo }}
@@ -1,6 +1,9 @@
 name: Pull Request
 on:
-    pull_request_target:
+    # Privilege escalation necessary access members of the review teams
+    # 🚨 We must not execute any checked out code here, and be careful around use of user-controlled inputs.
+    # FIXME: only `community-prs` job needs this privilege, so it should be in its own workflow file.
+    pull_request_target: # zizmor: ignore[dangerous-triggers]
        types: [opened, edited, labeled, unlabeled, synchronize]
    merge_group:
        types: [checks_requested]
@@ -9,25 +12,33 @@ on:
            ELEMENT_BOT_TOKEN:
                required: true
 concurrency: ${{ github.workflow }}-${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    changelog:
        name: Preview Changelog
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: matrix-org/allchange@main
+            - uses: mheap/github-action-required-labels@0ac283b4e65c1fb28ce6079dea5546ceca98ccbe # v5
              if: github.event_name != 'merge_group'
              with:
-                  ghToken: ${{ secrets.GITHUB_TOKEN }}
-                  requireLabel: true
+                  labels: |
+                      X-Breaking-Change
+                      T-Deprecation
+                      T-Enhancement
+                      T-Defect
+                      T-Task
+                      Dependencies
+                  mode: minimum
+                  count: 1

    prevent-blocked:
        name: Prevent Blocked
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        permissions:
            pull-requests: read
        steps:
            - name: Add notice
-              uses: actions/github-script@v7
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              if: contains(github.event.pull_request.labels.*.name, 'X-Blocked')
              with:
                  script: |
@@ -35,11 +46,14 @@ jobs:

    community-prs:
        name: Label Community PRs
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        if: github.event.action == 'opened'
+        permissions:
+            pull-requests: write
        steps:
            - name: Check membership
-              uses: tspascoal/get-user-teams-membership@ba78054988f58bea69b7c6136d563236f8ed2fc0 # v3
+              if: github.event.pull_request.user.login != 'renovate[bot]' && github.event.pull_request.user.login != 'dependabot[bot]'
+              uses: tspascoal/get-user-teams-membership@57e9f42acd78f4d0f496b3be4368fc5f62696662 # v3
              id: teams
              with:
                  username: ${{ github.event.pull_request.user.login }}
@@ -48,8 +62,8 @@ jobs:
                  GITHUB_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}

            - name: Add label
-              if: ${{ steps.teams.outputs.isTeamMember == 'false' }}
-              uses: actions/github-script@v7
+              if: steps.teams.outputs.isTeamMember == 'false'
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              with:
                  script: |
                      github.rest.issues.addLabels({
@@ -61,14 +75,16 @@ jobs:

    close-if-fork-develop:
        name: Forbid develop branch fork contributions
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            pull-requests: write
        if: >
            github.event.action == 'opened' &&
            github.event.pull_request.head.ref == 'develop' &&
            github.event.pull_request.head.repo.full_name != github.repository
        steps:
            - name: Close pull request
-              uses: actions/github-script@v7
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              with:
                  script: |
                      github.rest.issues.createComment({
@@ -0,0 +1,38 @@
+name: Release Sanity checks
+on:
+    workflow_call:
+        secrets:
+            ELEMENT_BOT_TOKEN:
+                required: false
+        inputs:
+            repository:
+                type: string
+                required: false
+                default: ${{ github.repository }}
+                description: "The repository (in form owner/repo) to check for release blockers"
+
+permissions: {}
+jobs:
+    checks:
+        name: Sanity checks
+        runs-on: ubuntu-24.04
+        steps:
+            - name: Check for X-Release-Blocker label on any open issues or PRs
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  REPO: ${{ inputs.repository }}
+              with:
+                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN || secrets.GITHUB_TOKEN }}
+                  script: |
+                      const { REPO } = process.env;
+                      const { data } = await github.rest.search.issuesAndPullRequests({
+                          q: `repo:${REPO} label:X-Release-Blocker is:open`,
+                          per_page: 50,
+                      });
+
+                      if (data.total_count) {
+                          data.items.forEach(item => {
+                              core.error(`Release blocker: ${item.html_url}`);
+                          });
+                          core.setFailed(`Found release blockers!`);
+                      }
@@ -0,0 +1,94 @@
+# Workflow used by other workflows to generate draft releases.
+name: Release Drafter Reusable
+on:
+    workflow_call:
+        inputs:
+            include-changes:
+                description: Project to include changelog entries from in this release.
+                type: string
+                required: false
+concurrency: release-drafter-action
+permissions: {}
+jobs:
+    draft:
+        runs-on: ubuntu-24.04
+        permissions:
+            contents: write
+        steps:
+            - name: 🧮 Checkout code
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  ref: staging
+                  fetch-depth: 0
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  node-version-file: package.json
+                  cache: "pnpm"
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - uses: t3chguy/release-drafter@105e541c2c3d857f032bd522c0764694758fabad
+              id: draft-release
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              with:
+                  disable-autolabeler: true
+
+            - name: Get actions scripts
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: matrix-org/matrix-js-sdk
+                  persist-credentials: false
+                  path: .action-repo
+                  sparse-checkout: |
+                      .github/actions
+                      scripts/release
+
+            - name: Ingest upstream changes
+              if: inputs.include-changes
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
+                  DEPENDENCY: ${{ inputs.include-changes }}
+                  VERSION: ${{ steps.draft-release.outputs.tag_name }}
+              with:
+                  retries: 3
+                  script: |
+                      const { RELEASE_ID: releaseId, DEPENDENCY, VERSION } = process.env;
+                      const { owner, repo } = context.repo;
+                      const script = require("./.action-repo/scripts/release/merge-release-notes.cjs");
+
+                      let deps = [];
+                      if (DEPENDENCY.includes("/")) {
+                          deps.push(DEPENDENCY.replace("$VERSION", VERSION))
+                      } else {
+                          const fromVersion = JSON.parse((await github.request(`https://raw.githubusercontent.com/${owner}/${repo}/master/package.json`)).data).dependencies[DEPENDENCY];
+                          const toVersion = require("./package.json").dependencies[DEPENDENCY];
+
+                          if (toVersion.endsWith("#develop")) {
+                              core.warning(`${DEPENDENCY} will be kept at ${fromVersion}`, { title: "Develop dependency found" });
+                          } else {
+                              deps.push([DEPENDENCY, fromVersion, toVersion]);
+                          }
+                      }
+
+                      if (deps.length) {
+                          const notes = await script({
+                              github,
+                              releaseId,
+                              dependencies: deps,
+                          });
+
+                          await github.rest.repos.updateRelease({
+                              owner,
+                              repo,
+                              release_id: releaseId,
+                              body: notes,
+                              tag_name: VERSION,
+                          });
+                      }
@@ -1,21 +1,16 @@
+# Generates the draft release for the js-sdk
+# Normally triggered whenever anything is merged to the staging branch, but
+# also has a workflow dispatch trigger in case it needs running manually due
+# to failures / workflow updates etc.
 name: Release Drafter
 on:
    push:
        branches: [staging]
-    workflow_dispatch:
-        inputs:
-            previous-version:
-                description: What release to use as a base for release note purposes
-                required: false
-                type: string
+    workflow_dispatch: {}
 concurrency: ${{ github.workflow }}
+permissions: {}
 jobs:
    draft:
-        runs-on: ubuntu-latest
-        steps:
-            - uses: release-drafter/release-drafter@e64b19c4c46173209ed9f2e5a2f4ca7de89a0e86 # v5
-              env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              with:
-                  disable-autolabeler: true
-                  previous-version: ${{ inputs.previous-version }}
+        permissions:
+            contents: write
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-drafter-workflow.yml@develop # zizmor: ignore[unpinned-uses]
@@ -12,18 +12,25 @@ on:
                description: List of dependencies to reset.
                type: string
                required: false
+            dir:
+                description: The directory to release
+                type: string
+                default: "."
 concurrency: ${{ github.workflow }}
+permissions: {} # Uses ELEMENT_BOT_TOKEN
 jobs:
    merge:
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  fetch-depth: 0
+                  persist-credentials: true

            - name: Get actions scripts
-              uses: actions/checkout@v4
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
                  repository: matrix-org/matrix-js-sdk
                  persist-credentials: false
@@ -31,12 +38,14 @@ jobs:
                  sparse-checkout: |
                      scripts/release

-            - uses: actions/setup-node@v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
              with:
-                  cache: "yarn"
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

            - name: Set up git
              run: |
@@ -48,11 +57,9 @@ jobs:
                  git checkout develop
                  git merge -X ours master

-            - name: Run post-merge-master script to revert package.json fields
-              run: ./.action-repo/scripts/release/post-merge-master.sh
-
            - name: Reset dependencies
              if: inputs.dependencies
+              working-directory: ${{ inputs.dir }}
              run: |
                  while IFS= read -r PACKAGE; do
                      [ -z "$PACKAGE" ] && continue
@@ -60,26 +67,25 @@ jobs:
                      CURRENT_VERSION=$(cat package.json | jq -r .dependencies[\"$PACKAGE\"])
                      echo "Current $PACKAGE version is $CURRENT_VERSION"

-                      if [ "$CURRENT_VERSION" == "null" ]
+                      if [[ "$CURRENT_VERSION" == "null" ]]
                      then
                          echo "Unable to find $PACKAGE in package.json"
                          exit 1
                      fi

-                      if [ "$CURRENT_VERSION" == "develop" ]
+                      if [[ "$CURRENT_VERSION" == *"#develop" ]]
                      then
                          echo "Not updating dependency $PACKAGE"
                          continue
                      fi

-                      echo "Resetting $1 to develop branch..."
-                      yarn add "github:matrix-org/$PACKAGE#develop"
+                      echo "Resetting $PACKAGE to develop branch..."
+                      pnpm add "github:matrix-org/$PACKAGE#develop"
                      git add -u
                      git commit -m "Reset $PACKAGE back to develop branch"
                  done <<< "$DEPENDENCIES"
              env:
                  DEPENDENCIES: ${{ inputs.dependencies }}
-                  FINAL: ${{ inputs.final }}

            - name: Push changes
              run: git push origin develop
@@ -4,8 +4,6 @@ on:
        secrets:
            ELEMENT_BOT_TOKEN:
                required: true
-            NPM_TOKEN:
-                required: false
            GPG_PASSPHRASE:
                required: false
            GPG_PRIVATE_KEY:
@@ -20,16 +18,6 @@ on:
                description: Publish to npm
                type: boolean
                default: false
-            dependencies:
-                description: |
-                    List of dependencies to update in `npm-dep=version` format.
-                    `version` can be `"current"` to leave it at the current version.
-                type: string
-                required: false
-            include-changes:
-                description: Project to include changelog entries from in this release.
-                type: string
-                required: false
            gpg-fingerprint:
                description: Fingerprint of the GPG key to use for signing the git tag and assets, if any.
                type: string
@@ -38,44 +26,70 @@ on:
                description: |
                    The path to the asset you want to upload, if any. You can use glob patterns here.
                    Will be GPG signed and an `.asc` file included in the release artifacts if `gpg-fingerprint` is set.
+                    Relative to `dir`.
                type: string
                required: false
            expected-asset-count:
                description: The number of expected assets, including signatures, excluding generated zip & tarball.
                type: number
                required: false
+            dist-dir:
+                description: The directory to release
+                type: string
+                default: "."
+            version-dirs:
+                description: Directories in which to update package.json `version` field
+                type: string
+                required: false
+        outputs:
+            npm-id:
+                description: "The npm package@version string we published"
+                value: ${{ jobs.npm.outputs.id }}
+permissions: {}
 jobs:
+    checks:
+        name: Sanity checks
+        permissions:
+            issues: read
+            pull-requests: read
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-checks.yml@develop # zizmor: ignore[unpinned-uses]
+
    release:
        name: Release
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        environment: Release
+        needs: checks
+        permissions:
+            contents: write
        steps:
            - name: Load GPG key
              id: gpg
              if: inputs.gpg-fingerprint
-              uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6
+              uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7
              with:
                  gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
                  passphrase: ${{ secrets.GPG_PASSPHRASE }}
                  fingerprint: ${{ inputs.gpg-fingerprint }}

            - name: Get draft release
-              id: release
-              uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada # v1
+              id: draft-release
+              uses: cardinalby/git-get-release-action@5172c3a026600b1d459b117738c605fabc9e4e44 # 1.2.5
              env:
                  GITHUB_TOKEN: ${{ github.token }}
              with:
                  draft: true
                  latest: true

-            - uses: actions/checkout@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
                  ref: staging
+                  # We will be pushing to this branch and want the CI to run after we do so we cannot use the GITHUB_TOKEN
                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
                  fetch-depth: 0
+                  persist-credentials: true

            - name: Get actions scripts
-              uses: actions/checkout@v4
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
                  repository: matrix-org/matrix-js-sdk
                  persist-credentials: false
@@ -86,27 +100,22 @@ jobs:

            - name: Prepare variables
              id: prepare
+              working-directory: ${{ inputs.dist-dir }}
              run: |
                  echo "VERSION=$VERSION" >> $GITHUB_ENV
-                  {
-                      echo "RELEASE_NOTES<<EOF"
-                      echo "$BODY"
-                      echo "EOF"
-                  } >> $GITHUB_ENV

                  HAS_DIST=0
                  jq -e .scripts.dist package.json >/dev/null 2>&1 && HAS_DIST=1
                  echo "has-dist-script=$HAS_DIST" >> $GITHUB_OUTPUT
              env:
-                  BODY: ${{ steps.release.outputs.body }}
-                  VERSION: ${{ steps.release.outputs.tag_name }}
+                  VERSION: ${{ steps.draft-release.outputs.tag_name }}

            - name: Finalise version
              if: inputs.final
              run: echo "VERSION=$(echo $VERSION | cut -d- -f1)" >> $GITHUB_ENV

            - name: Check version number not in use
-              uses: actions/github-script@v7
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              with:
                  script: |
                      const { VERSION } = process.env;
@@ -125,82 +134,38 @@ jobs:
                  git config --global user.email "releases@riot.im"
                  git config --global user.name "RiotRobot"

-            - uses: actions/setup-node@v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
              with:
-                  cache: "yarn"
+                  cache: "pnpm"
+                  node-version-file: ${{ inputs.dist-dir }}/package.json

            - name: Install dependencies
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

-            - name: Update dependencies
-              id: update-dependencies
-              if: inputs.dependencies
-              run: |
-                  UPDATED=()
-                  while IFS= read -r DEPENDENCY; do
-                      [ -z "$DEPENDENCY" ] && continue
-                      IFS="=" read -r PACKAGE UPDATE_VERSION <<< "$DEPENDENCY"
-
-                      CURRENT_VERSION=$(cat package.json | jq -r .dependencies[\"$PACKAGE\"])
-                      echo "Current $PACKAGE version is $CURRENT_VERSION"
-
-                      if [ "$CURRENT_VERSION" == "null" ]
-                      then
-                          echo "Unable to find $PACKAGE in package.json"
-                          exit 1
-                      fi
-
-                      if [ "$UPDATE_VERSION" == "current" ] || [ "$UPDATE_VERSION" == "$CURRENT_VERSION" ]
-                      then
-                          echo "Not updating dependency $PACKAGE"
-                          continue
-                      fi
-
-                      echo "Upgrading $PACKAGE to $UPDATE_VERSION..."
-                      yarn upgrade "$PACKAGE@$UPDATE_VERSION" --exact
-                      git add -u
-                      git commit -m "Upgrade $PACKAGE to $UPDATE_VERSION"
-                      UPDATED+=("$PACKAGE")
-                  done <<< "$DEPENDENCIES"
-
-                  JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${UPDATED[@]}")
-                  echo "updated=$JSON" >> $GITHUB_OUTPUT
-              env:
-                  DEPENDENCIES: ${{ inputs.dependencies }}
-
-            - name: Prevent develop dependencies
-              if: inputs.dependencies
+            - name: Handle develop dependencies
+              working-directory: ${{ inputs.dist-dir }}
              run: |
                  ret=0
-                  cat package.json | jq '.dependencies[]' | grep -q '#develop' || ret=$?
-                  if [ "$ret" -eq 0 ]; then
-                      echo "package.json contains develop dependencies. Refusing to release."
-                      exit
-                  fi
+                  cat package.json | jq -r '.dependencies | to_entries | .[] | "\(.key) \(.value)"' | grep '#develop$' | while read -r dep ; do
+                      IFS=" "
+                      PACKAGE=${dep[0]}
+                      VERSION=${dep[1]}

-            - name: Bump package.json version
-              run: yarn version --no-git-tag-version --new-version "${VERSION#v}"
+                      echo "::warning title=Develop dependency found::$DEPENDENCY will be kept at $VERSION"
+                      pnpm add "$PACKAGE@$VERSION" --save-exact
+                      git add -u
+                      git commit -m "Keep $PACKAGE at $VERSION"
+                  done

-            - name: Ingest upstream changes
-              if: |
-                  inputs.include-changes &&
-                  (!inputs.dependencies || contains(fromJSON(steps.update-dependencies.outputs.updated), inputs.include-changes))
-              uses: actions/github-script@v7
+            - name: Bump package.json versions
+              run: |
+                  for DIR in $DIRS; do
+                      pnpm version -C "$DIR" --no-git-tag-version "${VERSION#v}"
+                      git add "$DIR"/package.json
+                  done
              env:
-                  RELEASE_ID: ${{ steps.release.outputs.id }}
-                  DEPENDENCY: ${{ inputs.include-changes }}
-              with:
-                  retries: 3
-                  script: |
-                      const { RELEASE_ID: releaseId, DEPENDENCY, VERSION } = process.env;
-                      const { owner, repo } = context.repo;
-                      const script = require("./.action-repo/scripts/release/merge-release-notes.js");
-                      const notes = await script({
-                          github,
-                          releaseId,
-                          dependencies: [DEPENDENCY.replace("$VERSION", VERSION)],
-                      });
-                      core.exportVariable("RELEASE_NOTES", notes);
+                  DIRS: ${{ inputs.version-dirs || inputs.dist-dir }}

            - name: Add to CHANGELOG.md
              if: inputs.final
@@ -219,26 +184,24 @@ jobs:
                  cat CHANGELOG.md.old >> CHANGELOG.md
                  rm CHANGELOG.md.old
                  git add CHANGELOG.md
-
-            - name: Run pre-release script to update package.json fields
-              run: |
-                  ./.action-repo/scripts/release/pre-release.sh
-                  git add package.json
+              env:
+                  RELEASE_NOTES: ${{ steps.draft-release.outputs.body }}

            - name: Commit changes
              run: git commit -m "$VERSION"

            - name: Build assets
              if: steps.prepare.outputs.has-dist-script == '1'
-              run: DIST_VERSION="$VERSION" yarn dist
+              working-directory: ${{ inputs.dist-dir }}
+              run: DIST_VERSION="$VERSION" pnpm dist

            - name: Upload release assets & signatures
              if: inputs.asset-path
              uses: ./.action-repo/.github/actions/upload-release-assets
              with:
                  gpg-fingerprint: ${{ inputs.gpg-fingerprint }}
-                  upload-url: ${{ steps.release.outputs.upload_url }}
-                  asset-path: ${{ inputs.asset-path }}
+                  upload-url: ${{ steps.draft-release.outputs.upload_url }}
+                  asset-path: ${{ inputs.dist-dir }}/${{ inputs.asset-path }}

            - name: Create signed tag
              if: inputs.gpg-fingerprint
@@ -252,7 +215,7 @@ jobs:
              uses: ./.action-repo/.github/actions/sign-release-tarball
              with:
                  gpg-fingerprint: ${{ inputs.gpg-fingerprint }}
-                  upload-url: ${{ steps.release.outputs.upload_url }}
+                  upload-url: ${{ steps.draft-release.outputs.upload_url }}

            # We defer pushing changes until after the release assets are built,
            # signed & uploaded to improve the atomicity of this action.
@@ -271,9 +234,9 @@ jobs:

            - name: Validate release has expected assets
              if: inputs.expected-asset-count
-              uses: actions/github-script@v7
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              env:
-                  RELEASE_ID: ${{ steps.release.outputs.id }}
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
                  EXPECTED_ASSET_COUNT: ${{ inputs.expected-asset-count }}
              with:
                  retries: 3
@@ -299,9 +262,9 @@ jobs:
                  git push origin master

            - name: Publish release
-              uses: actions/github-script@v7
+              uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
              env:
-                  RELEASE_ID: ${{ steps.release.outputs.id }}
+                  RELEASE_ID: ${{ steps.draft-release.outputs.id }}
                  FINAL: ${{ inputs.final }}
              with:
                  retries: 3
@@ -331,19 +294,25 @@ jobs:
        name: Publish to npm
        needs: release
        if: inputs.npm
-        uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop
-        secrets:
-            NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-npm.yml@develop # zizmor: ignore[unpinned-uses]
+        with:
+            dir: ${{ inputs.dist-dir }}
+        permissions:
+            contents: read
+            id-token: write

-    update-labels:
-        name: Advance release blocker labels
+    post-release:
+        name: Post release steps
        needs: release
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            issues: write
        steps:
            - id: repository
              run: echo "REPO=${GITHUB_REPOSITORY#*/}" >> $GITHUB_OUTPUT

-            - uses: garganshu/github-label-updater@3770d15ebfed2fe2cb06a241047bc340f774a7d1 # v1.0.0
+            - name: Advance release blocker labels
+              uses: garganshu/github-label-updater@3770d15ebfed2fe2cb06a241047bc340f774a7d1 # v1.0.0
              with:
                  owner: ${{ github.repository_owner }}
                  repo: ${{ steps.repository.outputs.REPO }}
@@ -351,3 +320,13 @@ jobs:
                  filter-labels: X-Upcoming-Release-Blocker
                  remove-labels: X-Upcoming-Release-Blocker
                  add-labels: X-Release-Blocker
+
+    #            - name: Wait for master->develop gitflow merge
+    #              if: inputs.final
+    #              uses: t3chguy/wait-on-check-action@18541021811b56544d90e0f073401c2b99e249d6 # fork
+    #              with:
+    #                  ref: master
+    #                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+    #                  wait-interval: 10
+    #                  check-name: merge
+    #                  allowed-conclusions: success
@@ -1,40 +1,53 @@
 name: Publish to npm
 on:
    workflow_call:
-        secrets:
-            NPM_TOKEN:
-                required: true
+        inputs:
+            dir:
+                description: The directory to release
+                type: string
+                default: "."
+        outputs:
+            id:
+                description: "The npm package@version string we published"
+                value: ${{ jobs.npm.outputs.id }}
+permissions: {}
 jobs:
    npm:
        name: Publish to npm
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            contents: read
+            id-token: write
+        outputs:
+            id: ${{ steps.npm-publish.outputs.id }}
        steps:
            - name: 🧮 Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
                  ref: staging
+                  persist-credentials: false

-            - name: 🔧 Yarn cache
-              uses: actions/setup-node@v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - name: 🔧 pnpm cache
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
              with:
-                  cache: "yarn"
+                  cache: "pnpm"
                  registry-url: "https://registry.npmjs.org"
+                  node-version-file: ${{ inputs.dir }}/package.json
+
+            # Ensure npm 11.5.1 or later is installed
+            - name: Update npm
+              run: npm install -g npm@latest

            - name: 🔨 Install dependencies
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

            - name: 🚀 Publish to npm
              id: npm-publish
-              uses: JS-DevTools/npm-publish@4b07b26a2f6e0a51846e1870223e545bae91c552 # v3.0.1
-              with:
-                  token: ${{ secrets.NPM_TOKEN }}
-                  access: public
-                  tag: next
-                  ignore-scripts: false
-
-            - name: 🎖️ Add `latest` dist-tag to final releases
-              if: steps.npm-publish.outputs.id && !contains(steps.npm-publish.outputs.id, '-rc.')
-              run: npm dist-tag add "$release" latest
+              working-directory: ${{ inputs.dir }}
+              run: |
+                  npm publish --provenance --access public --tag "$TAG"
+                  release=$(jq -r '"\(.name)@\(.version)"' package.json)
+                  echo "id=$release" >> $GITHUB_OUTPUT
              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-                  release: ${{ steps.npm-publish.outputs.id }}
+                  TAG: ${{ contains(steps.npm-publish.outputs.id, '-rc.') && 'next' || 'latest' }}
@@ -21,56 +21,96 @@ on:
                type: boolean
                default: true
 concurrency: ${{ github.workflow }}
+permissions: {} # No permissions required
 jobs:
    release:
-        uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop
+        uses: matrix-org/matrix-js-sdk/.github/workflows/release-make.yml@develop # zizmor: ignore[unpinned-uses,secrets-inherit]
+        permissions:
+            contents: write
+            issues: write
+            pull-requests: read
+            id-token: write
        secrets: inherit
        with:
            final: ${{ inputs.mode == 'final' }}
            npm: ${{ inputs.npm }}

+    bump-downstreams:
+        name: Update npm dependency in downstream projects
+        needs: release
+        runs-on: ubuntu-24.04
+        strategy:
+            matrix:
+                include:
+                    - repo: element-hq/element-web
+                      path: apps/web
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: ${{ matrix.repo }}
+                  ref: staging
+                  token: ${{ secrets.ELEMENT_BOT_TOKEN }}
+                  persist-credentials: true
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version: "lts/*"
+
+            - name: Bump dependency
+              env:
+                  DEPENDENCY: ${{ needs.release.outputs.npm-id }}
+                  DIR: ${{ matrix.path }}
+              run: |
+                  git config --global user.email "releases@riot.im"
+                  git config --global user.name "RiotRobot"
+                  pnpm add -C "$DIR" "$DEPENDENCY" --save-exact
+                  git add "$DIR"/package.json pnpm-lock.yaml
+                  git commit -am"Upgrade dependency to $DEPENDENCY"
+                  git push origin staging
+
    docs:
        name: Publish Documentation
        needs: release
        if: inputs.docs
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
            - name: 🧮 Checkout code
-              uses: actions/checkout@v4
-
-            - name: 🧮 Checkout gh-pages
-              uses: actions/checkout@v4
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  ref: gh-pages
-                  path: _docs
+                  persist-credentials: false

-            - name: 🔧 Yarn cache
-              uses: actions/setup-node@v4
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - name: 🔧 pnpm cache
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
              with:
-                  cache: "yarn"
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: 🔨 Install dependencies
-              run: "yarn install --frozen-lockfile"
-
-            - name: 🔨 Install symlinks
-              run: |
-                  sudo apt-get update
-                  sudo apt-get install -y symlinks
+              run: "pnpm install --frozen-lockfile"

            - name: 📖 Generate docs
-              run: |
-                  yarn tpv purge --yes --out _docs --stale --major 10
-                  yarn gendoc
-                  symlinks -rc _docs
+              run: pnpm gendoc

-            - name: 🔨 Set up git
-              run: |
-                  git config --global user.email "releases@riot.im"
-                  git config --global user.name "RiotRobot"
+            - name: Upload artifact
+              uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5
+              with:
+                  path: _docs

-            - name: 🚀 Deploy
-              run: |
-                  git add . --all
-                  git commit -m "Update docs"
-                  git push
-              working-directory: _docs
+    docs-deploy:
+        environment:
+            name: github-pages
+            url: ${{ steps.deployment.outputs.page_url }}
+        runs-on: ubuntu-24.04
+        needs: docs
+        # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+        permissions:
+            contents: read
+            pages: write
+            id-token: write
+        steps:
+            - name: Deploy to GitHub Pages
+              id: deployment
+              uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5
@@ -5,19 +5,33 @@ on:
        secrets:
            SONAR_TOKEN:
                required: true
-        inputs:
-            extra_args:
-                type: string
+            # No longer used
+            ELEMENT_BOT_TOKEN:
                required: false
-                description: "Extra args to pass to SonarCloud"
+        inputs:
+            sharded:
+                type: boolean
+                required: false
+                description: "Whether to combine multiple LCOV and sonar-report files in coverage artifact"
+            version-pkg-json-dir:
+                type: string
+                default: "."
+                description: "Relative path of the directory containing package.json with the `version` to use."
+permissions: {}
 jobs:
    sonarqube:
-        runs-on: ubuntu-latest
-        if: github.event.workflow_run.conclusion == 'success'
+        runs-on: ubuntu-24.04
+        if: |
+            github.event.workflow_run.conclusion == 'success' &&
+            github.event.workflow_run.event != 'merge_group'
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
        steps:
            # We create the status here and then update it to success/failure in the `report` stage
-            # This provides an easy link to this workflow_run from the PR before Cypress is done.
-            - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+            # This provides an easy link to this workflow_run from the PR before Sonarcloud is done.
+            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: pending
@@ -25,24 +39,60 @@ jobs:
                  sha: ${{ github.event.workflow_run.head_sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

+            - name: "🧮 Checkout code"
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
+                  ref: ${{ github.event.workflow_run.head_branch }} # checkout commit that triggered this workflow
+                  fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+                  persist-credentials: false
+
+            - name: 📥 Download artifact
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+              if: ${{ !inputs.sharded }}
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
+                  name: coverage
+                  path: coverage
+            - name: 📥 Download sharded artifacts
+              uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+              if: inputs.sharded
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  run-id: ${{ github.event.workflow_run.id }}
+                  pattern: coverage-*
+                  path: coverage
+            - name: Check coverage artifact
+              run: |
+                  if [ ! -d coverage ]; then
+                      echo "Coverage not found. Exiting with failure."
+                      exit 1
+                  fi
+
+            - id: extra_args
+              run: |
+                  coverage=$(find coverage -type f -name '*lcov.info' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
+                  echo "sonar.javascript.lcov.reportPaths=$coverage" >> sonar-project.properties
+                  reports=$(find coverage -type f -name '*sonar-report*.xml' -printf '%h/%f,' | tr -d '\r\n' | sed 's/,$//g')
+                  echo "sonar.testExecutionReportPaths=$reports" >> sonar-project.properties
+
            - name: "🩻 SonarCloud Scan"
              id: sonarcloud
-              uses: matrix-org/sonarcloud-workflow-action@v2.7
+              uses: matrix-org/sonarcloud-workflow-action@13968a27c924fa19b1dacbce6ca3ff217daa775b
              # workflow_run fails report against the develop commit always, we don't want that for PRs
              continue-on-error: ${{ github.event.workflow_run.head_branch != 'develop' }}
              with:
+                  skip_checkout: true
                  repository: ${{ github.event.workflow_run.head_repository.full_name }}
                  is_pr: ${{ github.event.workflow_run.event == 'pull_request' }}
-                  version_cmd: "cat package.json | jq -r .version"
+                  skip_coverage_label: Z-Skip-Coverage
+                  version_cmd: "cat ${{ inputs.version-pkg-json-dir }}/package.json | jq -r .version"
                  branch: ${{ github.event.workflow_run.head_branch }}
                  revision: ${{ github.event.workflow_run.head_sha }}
                  token: ${{ secrets.SONAR_TOKEN }}
-                  coverage_run_id: ${{ github.event.workflow_run.id }}
-                  coverage_workflow_name: tests.yml
-                  coverage_extract_path: coverage
-                  extra_args: ${{ inputs.extra_args }}

-            - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+            - uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              if: always()
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
@@ -1,45 +1,26 @@
 name: SonarQube
 on:
-    workflow_run:
+    # Privilege escalation necessary to call upon SonarCloud
+    # 🚨 We must not execute any checked out code here.
+    workflow_run: # zizmor: ignore[dangerous-triggers]
        workflows: ["Tests"]
        types:
            - completed
 concurrency:
    group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
    cancel-in-progress: true
+permissions: {}
 jobs:
-    # This is a workaround for https://github.com/SonarSource/SonarJS/issues/578
-    prepare:
-        name: Prepare
-        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
-        runs-on: ubuntu-latest
-        outputs:
-            reportPaths: ${{ steps.extra_args.outputs.reportPaths }}
-            testExecutionReportPaths: ${{ steps.extra_args.outputs.testExecutionReportPaths }}
-        steps:
-            # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
-            # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
-            - name: 📥 Download artifact
-              uses: dawidd6/action-download-artifact@246dbf436b23d7c49e21a7ab8204ca9ecd1fe615 # v2
-              with:
-                  workflow: tests.yaml
-                  run_id: ${{ github.event.workflow_run.id }}
-                  name: coverage
-                  path: coverage
-
-            - id: extra_args
-              run: |
-                  coverage=$(find coverage -type f -name '*lcov.info' | tr '\n' ',' | sed 's/,$//g')
-                  echo "reportPaths=$coverage" >> $GITHUB_OUTPUT
-                  reports=$(find coverage -type f -name 'jest-sonar-report*.xml' | tr '\n' ',' | sed 's/,$//g')
-                  echo "testExecutionReportPaths=$reports" >> $GITHUB_OUTPUT
-
    sonarqube:
        name: 🩻 SonarQube
        if: github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event != 'merge_group'
-        needs: prepare
-        uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop
+        permissions:
+            actions: read
+            statuses: write
+            id-token: write # sonar
+        uses: matrix-org/matrix-js-sdk/.github/workflows/sonarcloud.yml@develop # zizmor: ignore[unpinned-uses]
        secrets:
            SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
        with:
-            extra_args: -Dsonar.javascript.lcov.reportPaths=${{ needs.prepare.outputs.reportPaths }} -Dsonar.testExecutionReportPaths=${{ needs.prepare.outputs.testExecutionReportPaths }}
+            sharded: true
@@ -8,92 +8,192 @@ on:
 concurrency:
    group: ${{ github.workflow }}-${{ github.ref }}
    cancel-in-progress: true
+permissions: {} # No permissions needed
 jobs:
    ts_lint:
        name: "Typescript Syntax Check"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v4
-
-            - uses: actions/setup-node@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Typecheck
-              run: "yarn run lint:types"
-
-            - name: Switch js-sdk to release mode
-              run: |
-                  scripts/switch_package_to_release.js
-                  yarn install
-                  yarn run build:compile
-                  yarn run build:types
-
-            - name: Typecheck (release mode)
-              run: "yarn run lint:types"
+              run: "pnpm run lint:types"

    js_lint:
        name: "ESLint"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v4
-
-            - uses: actions/setup-node@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Run Linter
-              run: "yarn run lint:js"
+              run: "pnpm run lint:js"
+
+    node_example_lint:
+        name: "Node.js example"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install"
+
+            - name: Build Types
+              run: "pnpm build:types"
+
+            - name: Install Example Deps
+              run: "npm install"
+              working-directory: "examples/node"
+
+            - name: Check Syntax
+              run: "node --check app.js"
+              working-directory: "examples/node"
+
+            - name: Typecheck
+              run: "npx tsc"
+              working-directory: "examples/node"

    workflow_lint:
        name: "Workflow Lint"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
+        permissions:
+            security-events: write
        steps:
-            - uses: actions/checkout@v4
-
-            - uses: actions/setup-node@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install --frozen-lockfile"
+              run: "pnpm install --frozen-lockfile"

            - name: Run Linter
-              run: "yarn lint:workflows"
+              run: "pnpm lint:workflows"
+
+            - name: Run zizmor
+              uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

    docs:
        name: "JSDoc Checker"
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        steps:
-            - uses: actions/checkout@v4
-
-            - uses: actions/setup-node@v4
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
              with:
-                  cache: "yarn"
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json

            - name: Install Deps
-              run: "yarn install"
+              run: "pnpm install"

            - name: Generate Docs
-              run: "yarn run gendoc --treatWarningsAsErrors"
-
-            # Upload artifact duplicates symlink contents so we do this to save 75% space
-            - name: Flatten symlink and write _redirects
-              run: |
-                  find _docs -mindepth 1 -maxdepth 1 ! -type f ! -name stable -printf '/%f/* /stable/:splat\n' > _docs/_redirects
-                  find _docs -mindepth 1 -maxdepth 1 -type l -delete
-                  find _docs -mindepth 1 -maxdepth 1 -type d -execdir mv {} stable \; -quit
+              run: "pnpm run gendoc --treatWarningsAsErrors --suppressCommentWarningsInDeclarationFiles"

            - name: Upload Artifact
-              uses: actions/upload-artifact@v3
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
              with:
                  name: docs
                  path: _docs
                  # We'll only use this in a workflow_run, then we're done with it
                  retention-days: 1
+
+    analyse_dead_code:
+        name: "Analyse Dead Code"
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version-file: package.json
+
+            - name: Install Deps
+              run: "pnpm install --frozen-lockfile"
+
+            - name: Run linter
+              run: "pnpm run lint:knip"
+
+    element-web:
+        name: Downstream tsc element-web
+        if: github.event_name == 'merge_group'
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  repository: element-hq/element-web
+                  persist-credentials: false
+
+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+            - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+              with:
+                  cache: "pnpm"
+                  node-version: "lts/*"
+
+            - name: Install Dependencies
+              run: "./scripts/layered.sh"
+              env:
+                  # tell layered.sh to check out the right sha of the JS-SDK
+                  JS_SDK_GITHUB_BASE_REF: ${{ github.sha }}
+
+            - name: Typecheck
+              working-directory: apps/web
+              run: "pnpm run lint:types"
+
+    # Workflow consolidation job
+    done:
+        needs:
+            - ts_lint
+            - js_lint
+            - node_example_lint
+            - workflow_lint
+            - docs
+            - analyse_dead_code
+            - element-web
+        name: Static Analysis
+        runs-on: ubuntu-24.04
+        if: always()
+        steps:
+            - if: contains(needs.*.result , 'failure') || contains(needs.*.result, 'cancelled')
+              run: exit 1
@@ -0,0 +1,22 @@
+name: Sync labels
+on:
+    workflow_dispatch: {}
+    schedule:
+        - cron: "0 1 * * *" # 1am every day
+    push:
+        branches:
+            - develop
+        paths:
+            - .github/labels.yml
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+jobs:
+    sync-labels:
+        uses: element-hq/element-meta/.github/workflows/sync-labels.yml@7f2f93fb9b52ece7a0998f60e64862aa203c1746
+        with:
+            LABELS: |
+                element-hq/element-meta
+                .github/labels.yml
+            DELETE: true
+            WET: true
+        secrets:
+            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -10,28 +10,32 @@ concurrency:
    cancel-in-progress: true
 env:
    ENABLE_COVERAGE: ${{ github.event_name != 'merge_group' }}
+permissions: {} # No permissions required
 jobs:
-    jest:
-        name: "Jest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
-        runs-on: ubuntu-latest
+    test:
+        name: "Vitest [${{ matrix.specs }}] (Node ${{ matrix.node == '*' && 'latest' || matrix.node }})"
+        runs-on: ubuntu-24.04
        timeout-minutes: 10
        strategy:
            matrix:
                specs: [integ, unit]
-                node: [18, "lts/*", 21]
+                node: ["lts/*", 22]
        steps:
            - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+              with:
+                  persist-credentials: false

+            - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
            - name: Setup Node
              id: setupNode
-              uses: actions/setup-node@v4
+              uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
              with:
-                  cache: "yarn"
+                  cache: "pnpm"
                  node-version: ${{ matrix.node }}

            - name: Install dependencies
-              run: "yarn install"
+              run: "pnpm install"

            - name: Get number of CPU cores
              id: cpu-cores
@@ -39,50 +43,82 @@ jobs:

            - name: Run tests
              run: |
-                  yarn test \
-                      --coverage=${{ env.ENABLE_COVERAGE }} \
-                      --ci \
-                      --max-workers ${{ steps.cpu-cores.outputs.count }} \
+                  pnpm test \
+                      --coverage=${ENABLE_COVERAGE} \
+                      --maxWorkers ${NUM_WORKERS} \
                      ./spec/${{ matrix.specs }}
              env:
-                  JEST_SONAR_UNIQUE_OUTPUT_NAME: true
-
-                  # tell jest to use coloured output
-                  FORCE_COLOR: true
+                  SHARD: ${{ matrix.specs }}
+                  NUM_WORKERS: ${{ steps.cpu-cores.outputs.count }}

            - name: Move coverage files into place
              if: env.ENABLE_COVERAGE == 'true'
-              run: mv coverage/lcov.info coverage/${{ steps.setupNode.output.node-version }}-${{ matrix.specs }}.lcov.info
+              run: mv coverage/lcov.info coverage/${NODE_VERSION}-${{ matrix.specs }}.lcov.info
+              env:
+                  NODE_VERSION: ${{ steps.setupNode.outputs.node-version }}

            - name: Upload Artifact
              if: env.ENABLE_COVERAGE == 'true'
-              uses: actions/upload-artifact@v3
+              uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
              with:
-                  name: coverage
+                  name: coverage-${{ matrix.specs }}-${{ matrix.node == 'lts/*' && 'lts' || matrix.node }}
                  path: |
                      coverage
                      !coverage/lcov-report

-    matrix-react-sdk:
-        name: Downstream test matrix-react-sdk
+    # Dummy completion job to simplify branch protections
+    complete:
+        name: Tests
+        needs: test
+        if: always()
+        runs-on: ubuntu-24.04
+        steps:
+            - if: needs.test.result != 'skipped' && needs.test.result != 'success'
+              run: exit 1
+
+    element-web:
+        name: Downstream test element-web
        if: github.event_name == 'merge_group'
-        uses: matrix-org/matrix-react-sdk/.github/workflows/tests.yml@develop
+        uses: element-hq/element-web/.github/workflows/tests.yml@develop # zizmor: ignore[unpinned-uses]
+        permissions:
+            statuses: write
        with:
            disable_coverage: true
            matrix-js-sdk-sha: ${{ github.sha }}

+    complement-crypto:
+        name: "Run Complement Crypto tests"
+        if: github.event_name == 'merge_group'
+        permissions: read-all # zizmor: ignore[excessive-permissions]
+        uses: matrix-org/complement-crypto/.github/workflows/single_sdk_tests.yml@main # zizmor: ignore[unpinned-uses]
+        with:
+            use_js_sdk: "."
+
+    # we need this so the job is reported properly when run in a merge queue
+    downstream-complement-crypto:
+        name: Downstream Complement Crypto tests
+        runs-on: ubuntu-24.04
+        if: always()
+        needs:
+            - complement-crypto
+        steps:
+            - if: needs.complement-crypto.result != 'skipped' && needs.complement-crypto.result != 'success'
+              run: exit 1
+
    # Hook for branch protection to skip downstream testing outside of merge queues
    # and skip sonarcloud coverage within merge queues
    downstream:
        name: Downstream tests
-        runs-on: ubuntu-latest
+        runs-on: ubuntu-24.04
        if: always()
        needs:
-            - matrix-react-sdk
+            - element-web
+        permissions:
+            statuses: write
        steps:
            - name: Skip SonarCloud on merge queues
              if: env.ENABLE_COVERAGE == 'false'
-              uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
+              uses: guibranco/github-status-action-v2@9bfa8773cdbdc6c185747fd43cd7faa9d7c32f09
              with:
                  authToken: ${{ secrets.GITHUB_TOKEN }}
                  state: success
@@ -91,5 +127,5 @@ jobs:
                  sha: ${{ github.sha }}
                  target_url: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

-            - if: needs.matrix-react-sdk.result != 'skipped' && needs.matrix-react-sdk.result != 'success'
+            - if: needs.element-web.result != 'skipped' && needs.element-web.result != 'success'
              run: exit 1
@@ -0,0 +1,14 @@
+name: Move new issues into Issue triage board
+
+on:
+    issues:
+        types: [opened]
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
+jobs:
+    automate-project-columns-next:
+        runs-on: ubuntu-24.04
+        steps:
+            - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+              with:
+                  project-url: https://github.com/orgs/element-hq/projects/120
+                  github-token: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -3,9 +3,9 @@ name: Move labelled issues to correct projects
 on:
    issues:
        types: [labeled]
-
+permissions: {} # We use ELEMENT_BOT_TOKEN instead
 jobs:
    call-triage-labelled:
-        uses: vector-im/element-web/.github/workflows/triage-labelled.yml@develop
+        uses: element-hq/element-web/.github/workflows/triage-labelled.yml@6339bcda15c71d209303b18a06a9b1c021220bf9
        secrets:
            ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
@@ -0,0 +1,22 @@
+name: Close stale PRs
+on:
+    workflow_dispatch: {}
+    schedule:
+        - cron: "30 1 * * *"
+permissions: {}
+jobs:
+    close:
+        runs-on: ubuntu-24.04
+        permissions:
+            actions: write
+            issues: write
+            pull-requests: write
+        steps:
+            - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+              with:
+                  operations-per-run: 250
+                  days-before-issue-stale: -1
+                  days-before-issue-close: -1
+                  days-before-pr-stale: 180
+                  days-before-pr-close: 0
+                  close-pr-message: "This PR has been automatically closed because it has been stale for 180 days. If you wish to continue working on this PR, please ping a maintainer to reopen it."
@@ -13,8 +13,7 @@ out
 /dist
 /lib

-# version file and tarball created by `npm pack` / `yarn pack`
-/git-revision.txt
+# tarball created by `npm pack` / `yarn pack`
 /matrix-js-sdk-*.tgz

 .vscode
@@ -1,4 +1,3 @@
 #!/usr/bin/env sh
-. "$(dirname "$0")/_/husky.sh"

 npx lint-staged
@@ -3,6 +3,7 @@

 /.npmrc
 /*.log
+pnpm-lock.yaml
 package-lock.json
 .lock-wscript
 build/Release
@@ -25,5 +26,6 @@ out
 # This file is owned, parsed, and generated by allchange, which doesn't comply with prettier
 /CHANGELOG.md

-# This file is also autogenerated
+# These files are also autogenerated
 /spec/test-utils/test-data/index.ts
+/spec/test-utils/test_indexeddb_cryptostore_dump/dump.json
@@ -1,3 +1,241 @@
 # Contributing code to matrix-js-sdk

-matrix-js-sdk follows the same pattern as https://github.com/vector-im/element-web/blob/develop/CONTRIBUTING.md
+Everyone is welcome to contribute code to matrix-js-sdk, provided that they are
+willing to license their contributions under the same license as the project
+itself. We follow a simple 'inbound=outbound' model for contributions: the act
+of submitting an 'inbound' contribution means that the contributor agrees to
+license the code under the same terms as the project's overall 'outbound'
+license - in this case, Apache Software License v2 (see
+[LICENSE](LICENSE)).
+
+## How to contribute
+
+The preferred and easiest way to contribute changes to the project is to fork
+it on github, and then create a pull request to ask us to pull your changes
+into our repo (https://help.github.com/articles/using-pull-requests/)
+
+We use GitHub's pull request workflow to review the contribution, and either
+ask you to make any refinements needed or merge it and make them ourselves.
+
+Your PR should have a title that describes what change is being made. This
+is used for the text in the Changelog entry by default (see below), so a good
+title will tell a user succinctly what change is being made. "Fix bug where
+cows had five legs" and, "Add support for miniature horses" are examples of good
+titles. Don't include an issue number here: that belongs in the description.
+Definitely don't use the GitHub default of "Update file.ts".
+
+As for your PR description, it should include these things:
+
+- References to any bugs fixed by the change (in GitHub's `Fixes` notation)
+- Describe the why and what is changing in the PR description so it's easy for
+  onlookers and reviewers to onboard and context switch. This information is
+  also helpful when we come back to look at this in 6 months and ask "why did
+  we do it like that?" we have a chance of finding out.
+    - Why didn't it work before? Why does it work now? What use cases does it
+      unlock?
+    - If you find yourself adding information on how the code works or why you
+      chose to do it the way you did, make sure this information is instead
+      written as comments in the code itself.
+    - Sometimes a PR can change considerably as it is developed. In this case,
+      the description should be updated to reflect the most recent state of
+      the PR. (It can be helpful to retain the old content under a suitable
+      heading, for additional context.)
+- Include a step-by-step testing strategy so that a reviewer can check out the
+  code locally and easily get to the point of testing your change.
+- Add comments to the diff for the reviewer that might help them to understand
+  why the change is necessary or how they might better understand and review it.
+
+### Changelogs
+
+There's no need to manually add Changelog entries: we use information in the
+pull request to populate the information that goes into the changelogs our
+users see, both for Element Web itself and other projects on which it is based.
+This is picked up from both labels on the pull request and the `Notes:`
+annotation in the description. By default, the PR title will be used for the
+changelog entry, but you can specify more options, as follows.
+
+To add a longer, more detailed description of the change for the changelog:
+
+_Fix llama herding bug_
+
+```
+Notes: Fix a bug (https://github.com/matrix-org/notaproject/issues/123) where the 'Herd' button would not herd more than 8 Llamas if the moon was in the waxing gibbous phase
+```
+
+For some PRs, it's not useful to have an entry in the user-facing changelog (this is
+the default for PRs labelled with `T-Task`):
+
+_Remove outdated comment from `Ungulates.ts`_
+
+```
+Notes: none
+```
+
+Sometimes, you're fixing a bug in a downstream project, in which case you want
+an entry in that project's changelog. You can do that too:
+
+_Fix another herding bug_
+
+```
+Notes: Fix a bug where the `herd()` function would only work on Tuesdays
+element-web notes: Fix a bug where the 'Herd' button only worked on Tuesdays
+```
+
+This example is for Element Web. You can specify:
+
+- element-web
+- element-desktop
+
+If your PR introduces a breaking change, use the `Notes` section in the same
+way, additionally adding the `X-Breaking-Change` label (see below). There's no need
+to specify in the notes that it's a breaking change - this will be added
+automatically based on the label - but remember to tell the developer how to
+migrate:
+
+_Remove legacy class_
+
+```
+Notes: Remove legacy `Camelopard` class. `Giraffe` should be used instead.
+```
+
+Other metadata can be added using labels.
+
+- `X-Breaking-Change`: A breaking change - adding this label will mean the change causes a _major_ version bump.
+- `T-Enhancement`: A new feature - adding this label will mean the change causes a _minor_ version bump.
+- `T-Defect`: A bug fix (in either code or docs).
+- `T-Task`: No user-facing changes, eg. code comments, CI fixes, refactors or tests. Won't have a changelog entry unless you specify one.
+
+If you don't have permission to add labels, your PR reviewer(s) can work with you
+to add them: ask in the PR description or comments.
+
+We use continuous integration, and all pull requests get automatically tested:
+if your change breaks the build, then the PR will show that there are failed
+checks, so please check back after a few minutes.
+
+## Tests
+
+Your PR should include tests.
+
+For new user facing features in `matrix-js-sdk`, you
+must include comprehensive unit tests written in Vitest.
+The existing tests can be found under `spec/unit`
+
+It's good practice to write tests alongside the code as it ensures the code is testable from
+the start, and gives you a fast feedback loop while you're developing the
+functionality. Unit tests are necessary even for bug fixes.
+
+When writing unit tests, please aim for a high level of test coverage
+for new code - 80% or greater. If you cannot achieve that, please document
+why it's not possible in your PR.
+
+Tests validate that your change works as intended and also document
+concisely what is being changed. Ideally, your new tests fail
+prior to your change, and succeed once it has been applied. You may
+find this simpler to achieve if you write the tests first.
+
+If you're spiking some code that's experimental and not being used to support
+production features, exceptions can be made to requirements for tests.
+Note that tests will still be required in order to ship the feature, and it's
+strongly encouraged to think about tests early in the process, as adding
+tests later will become progressively more difficult.
+
+If you're not sure how to approach writing tests for your change, ask for help
+in [#element-dev](https://matrix.to/#/#element-dev:matrix.org).
+
+## Code style
+
+Code style is documented in [code_style.md](./code_style.md).
+Contributors are encouraged to it and follow the principles set out there.
+
+Please ensure your changes match the cosmetic style of the existing project,
+and **_never_** mix cosmetic and functional changes in the same commit, as it
+makes it horribly hard to review otherwise.
+
+## Sign off
+
+In order to have a concrete record that your contribution is intentional
+and you agree to license it under the same terms as the project's license, we've
+adopted the same lightweight approach that the Linux Kernel
+(https://www.kernel.org/doc/html/latest/process/submitting-patches.html), Docker
+(https://github.com/docker/docker/blob/master/CONTRIBUTING.md), and many other
+projects use: the DCO (Developer Certificate of Origin:
+http://developercertificate.org/). This is a simple declaration that you wrote
+the contribution or otherwise have the right to contribute it to Matrix:
+
+```
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+    have the right to submit it under the open source license
+    indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+    of my knowledge, is covered under an appropriate open source
+    license and I have the right under that license to submit that
+    work with modifications, whether created in whole or in part
+    by me, under the same open source license (unless I am
+    permitted to submit under a different license), as indicated
+    in the file; or
+
+(c) The contribution was provided directly to me by some other
+    person who certified (a), (b) or (c) and I have not modified
+    it.
+
+(d) I understand and agree that this project and the contribution
+    are public and that a record of the contribution (including all
+    personal information I submit with it, including my sign-off) is
+    maintained indefinitely and may be redistributed consistent with
+    this project or the open source license(s) involved.
+```
+
+If you agree to this for your contribution, then all that's needed is to
+include the line in your commit or pull request comment:
+
+```
+Signed-off-by: Your Name <your@email.example.org>
+```
+
+We accept contributions under a legally identifiable name, such as your name on
+government documentation or common-law names (names claimed by legitimate usage
+or repute). Unfortunately, we cannot accept anonymous contributions at this
+time.
+
+Git allows you to add this signoff automatically when using the `-s` flag to
+`git commit`, which uses the name and email set in your `user.name` and
+`user.email` git configs.
+
+If you forgot to sign off your commits before making your pull request and are
+on Git 2.17+ you can mass signoff using rebase:
+
+```
+git rebase --signoff origin/develop
+```
+
+# Review expectations
+
+See https://github.com/vector-im/element-meta/wiki/Review-process
+
+# Merge Strategy
+
+The preferred method for merging pull requests is squash merging to keep the
+commit history trim, but it is up to the discretion of the team member merging
+the change. We do not support rebase merges due to `allchange` being unable to
+handle them. When merging make sure to leave the default commit title, or
+at least leave the PR number at the end in brackets like by default.
+When stacking pull requests, you may wish to do the following:
+
+1. Branch from develop to your branch (branch1), push commits onto it and open a pull request
+2. Branch from your base branch (branch1) to your work branch (branch2), push commits and open a pull request configuring the base to be branch1, saying in the description that it is based on your other PR.
+3. Merge the first PR using a merge commit otherwise your stacked PR will need a rebase. Github will automatically adjust the base branch of your other PR to be develop.
@@ -11,6 +11,22 @@
 This is the [Matrix](https://matrix.org) Client-Server SDK for JavaScript and TypeScript. This SDK can be run in a
 browser or in Node.js.

+---
+
+<picture>
+  <source srcset="contrib/element-logo-light.png" media="(prefers-color-scheme: dark)">
+  <source srcset="contrib/element-logo-dark.png" media="(prefers-color-scheme: light)">
+  <img src="contrib/element-logo-fallback.png" alt="Element logo">
+</picture>
+
+<br>
+
+Development and maintenance is proudly sponsored by [Element](https://element.io). Element uses the SDK in their flagship [web](https://github.com/element-hq/element-web) and [desktop](https://github.com/element-hq/element-desktop) clients.
+
+The SDK is also the basis for multiple Matrix projects and we welcome contributions from all.
+
+---
+
 #### Minimum Matrix server version: v1.1

 The Matrix specification is constantly evolving - while this SDK aims for maximum backwards compatibility, it only
@@ -21,20 +37,14 @@ endpoints from before Matrix 1.1, for example.

 # Quickstart

-## In a browser
+> [!IMPORTANT]
+> Servers may require or use authenticated endpoints for media (images, files, avatars, etc). See the
+> [Authenticated Media](#authenticated-media) section for information on how to enable support for this.

-### Note, the browserify build has been removed. Please use a bundler like webpack or vite instead.
+Using `pnpm` instead of `npm` is recommended. Please see the pnpm [install
+guide](https://pnpm.io/installation#using-corepack) if you do not have it already.

-## In Node.js
-
-Ensure you have the latest LTS version of Node.js installed.
-This library relies on `fetch` which is available in Node from v18.0.0 - it should work fine also with polyfills.
-If you wish to use a ponyfill or adapter of some sort then pass it as `fetchFn` to the MatrixClient constructor options.
-
-Using `yarn` instead of `npm` is recommended. Please see the Yarn [install guide](https://classic.yarnpkg.com/en/docs/install)
-if you do not have it already.
-
-`yarn add matrix-js-sdk`
+`pnpm add matrix-js-sdk`

 ```javascript
 import * as sdk from "matrix-js-sdk";
@@ -44,10 +54,8 @@ client.publicRooms(function (err, data) {
 });
 ```

-See below for how to include libolm to enable end-to-end-encryption. Please check
-[the Node.js terminal app](examples/node) for a more complex example.
-
-You can also use the sdk with [Deno](https://deno.land/) (`import npm:matrix-js-sdk`) but its not officialy supported.
+See [below](#end-to-end-encryption-support) for how to enable end-to-end-encryption, or check
+[the Node.js terminal app](https://github.com/matrix-org/matrix-js-sdk/tree/develop/examples/node) for a more complex example.

 To start the client:

@@ -58,7 +66,7 @@ await client.startClient({ initialSyncLimit: 10 });
 You can perform a call to `/sync` to get the current state of the client:

 ```javascript
-client.once("sync", function (state, prevState, res) {
+client.once(ClientEvent.sync, function (state, prevState, res) {
    if (state === "PREPARED") {
        console.log("prepared");
    } else {
@@ -83,7 +91,7 @@ client.sendEvent("roomId", "m.room.message", content, "", (err, res) => {
 To listen for message events:

 ```javascript
-client.on("Room.timeline", function (event, room, toStartOfTimeline) {
+client.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (event.getType() !== "m.room.message") {
        return; // only use messages
    }
@@ -101,55 +109,83 @@ Object.keys(client.store.rooms).forEach((roomId) => {
 });
 ```

+## Authenticated media
+
+Servers supporting [MSC3916](https://github.com/matrix-org/matrix-spec-proposals/pull/3916) (Matrix 1.11) will require clients, like
+yours, to include an `Authorization` header when `/download`ing or `/thumbnail`ing media. For NodeJS environments this
+may be as easy as the following code snippet, though web browsers may need to use [Service Workers](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API)
+to append the header when using the endpoints in `<img />` elements and similar.
+
+```javascript
+const downloadUrl = client.mxcUrlToHttp(
+    /*mxcUrl=*/ "mxc://example.org/abc123", // the MXC URI to download/thumbnail, typically from an event or profile
+    /*width=*/ undefined, // part of the thumbnail API. Use as required.
+    /*height=*/ undefined, // part of the thumbnail API. Use as required.
+    /*resizeMethod=*/ undefined, // part of the thumbnail API. Use as required.
+    /*allowDirectLinks=*/ false, // should generally be left `false`.
+    /*allowRedirects=*/ true, // implied supported with authentication
+    /*useAuthentication=*/ true, // the flag we're after in this example
+);
+const img = await fetch(downloadUrl, {
+    headers: {
+        Authorization: `Bearer ${client.getAccessToken()}`,
+    },
+});
+// Do something with `img`.
+```
+
+> [!WARNING]
+> In future the js-sdk will _only_ return authentication-required URLs, mandating population of the `Authorization` header.
+
 ## What does this SDK do?

 This SDK provides a full object model around the Matrix Client-Server API and emits
 events for incoming data and state changes. Aside from wrapping the HTTP API, it:

-   Handles syncing (via `/initialSync` and `/events`)
-   Handles the generation of "friendly" room and member names.
-   Handles historical `RoomMember` information (e.g. display names).
-   Manages room member state across multiple events (e.g. it handles typing, power
-    levels and membership changes).
-   Exposes high-level objects like `Rooms`, `RoomState`, `RoomMembers` and `Users`
-    which can be listened to for things like name changes, new messages, membership
-    changes, presence changes, and more.
-   Handle "local echo" of messages sent using the SDK. This means that messages
-    that have just been sent will appear in the timeline as 'sending', until it
-    completes. This is beneficial because it prevents there being a gap between
-    hitting the send button and having the "remote echo" arrive.
-   Mark messages which failed to send as not sent.
-   Automatically retry requests to send messages due to network errors.
-   Automatically retry requests to send messages due to rate limiting errors.
-   Handle queueing of messages.
-   Handles pagination.
-   Handle assigning push actions for events.
-   Handles room initial sync on accepting invites.
-   Handles WebRTC calling.
-
-Later versions of the SDK will:
-
-   Expose a `RoomSummary` which would be suitable for a recents page.
-   Provide different pluggable storage layers (e.g. local storage, database-backed)
+- Handles syncing (via `/sync`)
+- Handles the generation of "friendly" room and member names.
+- Handles historical `RoomMember` information (e.g. display names).
+- Manages room member state across multiple events (e.g. it handles typing, power
+  levels and membership changes).
+- Exposes high-level objects like `Rooms`, `RoomState`, `RoomMembers` and `Users`
+  which can be listened to for things like name changes, new messages, membership
+  changes, presence changes, and more.
+- Handle "local echo" of messages sent using the SDK. This means that messages
+  that have just been sent will appear in the timeline as 'sending', until it
+  completes. This is beneficial because it prevents there being a gap between
+  hitting the send button and having the "remote echo" arrive.
+- Mark messages which failed to send as not sent.
+- Automatically retry requests to send messages due to network errors.
+- Automatically retry requests to send messages due to rate limiting errors.
+- Handle queueing of messages.
+- Handles pagination.
+- Handle assigning push actions for events.
+- Handles room initial sync on accepting invites.
+- Handles WebRTC calling.

 # Usage

-## Conventions
+## Supported platforms

-### Emitted events
+`matrix-js-sdk` can be used in either Node.js applications (ensure you have the latest LTS version of Node.js installed),
+or in browser applications, via a bundler such as Webpack or Vite.

-The SDK will emit events using an `EventEmitter`. It also
-emits object models (e.g. `Rooms`, `RoomMembers`) when they
-are updated.
+You can also use the sdk with [Deno](https://deno.land/) (`import npm:matrix-js-sdk`) but its not officially supported.
+
+## Emitted events
+
+The SDK raises notifications to the application using
+[`EventEmitter`s](https://nodejs.org/api/events.html#class-eventemitter). The `MatrixClient` itself
+implements `EventEmitter`, as do many of the high-level abstractions such as `Room` and `RoomMember`.

 ```javascript
 // Listen for low-level MatrixEvents
-client.on("event", function (event) {
+client.on(ClientEvent.Event, function (event) {
    console.log(event.getType());
 });

 // Listen for typing changes
-client.on("RoomMember.typing", function (event, member) {
+client.on(RoomMemberEvent.Typing, function (event, member) {
    if (member.typing) {
        console.log(member.name + " is typing...");
    } else {
@@ -161,41 +197,22 @@ client.on("RoomMember.typing", function (event, member) {
 client.startClient();
 ```

-### Promises and Callbacks
+## Entry points

-Most of the methods in the SDK are asynchronous: they do not directly return a
-result, but instead return a [Promise](http://documentup.com/kriskowal/q/)
-which will be fulfilled in the future.
+As well as the primary entry point (`matrix-js-sdk`), there are several other entry points which may be useful:

-The typical usage is something like:
-
-```javascript
-  matrixClient.someMethod(arg1, arg2).then(function(result) {
-    ...
-  });
-```
-
-Alternatively, if you have a Node.js-style `callback(err, result)` function,
-you can pass the result of the promise into it with something like:
-
-```javascript
-matrixClient.someMethod(arg1, arg2).nodeify(callback);
-```
-
-The main thing to note is that it is problematic to discard the result of a
-promise-returning function, as that will cause exceptions to go unobserved.
-
-Methods which return a promise show this in their documentation.
-
-Many methods in the SDK support _both_ Node.js-style callbacks _and_ Promises,
-via an optional `callback` argument. The callback support is now deprecated:
-new methods do not include a `callback` argument, and in the future it may be
-removed from existing methods.
+| Entry point                    | Description                                                                                         |
+| ------------------------------ | --------------------------------------------------------------------------------------------------- |
+| `matrix-js-sdk`                | Primary entry point. High-level functionality, and lots of historical clutter in need of a cleanup. |
+| `matrix-js-sdk/lib/crypto-api` | Cryptography functionality.                                                                         |
+| `matrix-js-sdk/lib/types`      | Low-level types, reflecting data structures defined in the Matrix spec.                             |
+| `matrix-js-sdk/lib/testing`    | Test utilities, which may be useful in test code but should not be used in production code.         |
+| `matrix-js-sdk/lib/utils/*.js` | A set of modules exporting standalone functions (and their types).                                  |

 ## Examples

 This section provides some useful code snippets which demonstrate the
-core functionality of the SDK. These examples assume the SDK is setup like this:
+core functionality of the SDK. These examples assume the SDK is set up like this:

 ```javascript
 import * as sdk from "matrix-js-sdk";
@@ -211,10 +228,10 @@ const matrixClient = sdk.createClient({
 ### Automatically join rooms when invited

 ```javascript
-matrixClient.on("RoomMember.membership", function (event, member) {
-    if (member.membership === "invite" && member.userId === myUserId) {
-        matrixClient.joinRoom(member.roomId).then(function () {
-            console.log("Auto-joined %s", member.roomId);
+matrixClient.on(RoomEvent.MyMembership, function (room, membership, prevMembership) {
+    if (membership === KnownMembership.Invite) {
+        matrixClient.joinRoom(room.roomId).then(function () {
+            console.log("Auto-joined %s", room.roomId);
        });
    }
 });
@@ -225,7 +242,7 @@ matrixClient.startClient();
 ### Print out messages for all rooms

 ```javascript
-matrixClient.on("Room.timeline", function (event, room, toStartOfTimeline) {
+matrixClient.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (toStartOfTimeline) {
        return; // don't print paginated results
    }
@@ -257,7 +274,7 @@ Output:
 ### Print out membership lists whenever they are changed

 ```javascript
-matrixClient.on("RoomState.members", function (event, state, member) {
+matrixClient.on(RoomStateEvent.Members, function (event, state, member) {
    const room = matrixClient.getRoom(state.roomId);
    if (!room) {
        return;
@@ -293,8 +310,8 @@ This SDK uses [Typedoc](https://typedoc.org/guides/doccomments) doc comments. Yo
 host the API reference from the source files like this:

 ```
-  $ yarn gendoc
-  $ cd _docs
+  $ pnpm gendoc
+  $ cd docs
  $ python -m http.server 8005
 ```

@@ -302,41 +319,131 @@ Then visit `http://localhost:8005` to see the API docs.

 # End-to-end encryption support

-The SDK supports end-to-end encryption via the Olm and Megolm protocols, using
-[libolm](https://gitlab.matrix.org/matrix-org/olm). It is left up to the
-application to make libolm available, via the `Olm` global.
+`matrix-js-sdk`'s end-to-end encryption support is based on the [WebAssembly bindings](https://github.com/matrix-org/matrix-rust-sdk-crypto-wasm) of the Rust [matrix-sdk-crypto](https://github.com/matrix-org/matrix-rust-sdk/tree/main/crates/matrix-sdk-crypto) library.

-It is also necessary to call `await matrixClient.initCrypto()` after creating a new
-`MatrixClient` (but **before** calling `matrixClient.startClient()`) to
-initialise the crypto layer.
+## Initialization

-If the `Olm` global is not available, the SDK will show a warning, as shown
-below; `initCrypto()` will also fail.
+To initialize the end-to-end encryption support in the matrix client:

-```
-Unable to load crypto module: crypto will be disabled: Error: global.Olm is not defined
+```javascript
+// Create a new matrix client
+const matrixClient = sdk.createClient({
+    baseUrl: "http://localhost:8008",
+    accessToken: myAccessToken,
+    userId: myUserId,
+});
+
+// Initialize to enable end-to-end encryption support.
+await matrixClient.initRustCrypto();
 ```

-If the crypto layer is not (successfully) initialised, the SDK will continue to
-work for unencrypted rooms, but it will not support the E2E parts of the Matrix
-specification.
+Note that by default it will attempt to use the Indexed DB provided by the browser as a crypto store. If running outside the browser, you will need to pass [an options object](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#initrustcrypto) which includes `useIndexedDB: false`, to use an ephemeral in-memory store instead. Note that without a persistent store, you'll need to create a new device on the server side (with [`MatrixClient.loginRequest`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#loginrequest)) each time your application starts.

-To provide the Olm library in a browser application:
+After calling `initRustCrypto`, you can obtain a reference to the [`CryptoApi`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html) interface, which is the main entry point for end-to-end encryption, by calling [`MatrixClient.getCrypto`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html#getCrypto).

-   download the transpiled libolm (from https://packages.matrix.org/npm/olm/).
-   load `olm.js` as a `<script>` _before_ `browser-matrix.js`.
+**WARNING**: the cryptography stack is not thread-safe. Having multiple `MatrixClient` instances connected to the same Indexed DB will cause data corruption and decryption failures. The application layer is responsible for ensuring that only one `MatrixClient` issue is instantiated at a time.

-To provide the Olm library in a node.js application:
+## Secret storage

-   `yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz`
-    (replace the URL with the latest version you want to use from
-    https://packages.matrix.org/npm/olm/)
-   `global.Olm = require('olm');` _before_ loading `matrix-js-sdk`.
+You should normally set up [secret storage](https://spec.matrix.org/v1.12/client-server-api/#secret-storage) before using the end-to-end encryption. To do this, call [`CryptoApi.bootstrapSecretStorage`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#bootstrapSecretStorage).
+`bootstrapSecretStorage` can be called unconditionally: it will only set up the secret storage if it is not already set up (unless you use the `setupNewSecretStorage` parameter).

-If you want to package Olm as dependency for your node.js application, you can
-use `yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz`. If your
-application also works without e2e crypto enabled, add `--optional` to mark it
-as an optional dependency.
+```javascript
+const matrixClient = sdk.createClient({
+    ...,
+    cryptoCallbacks: {
+        getSecretStorageKey: async (keys) => {
+            // This function should prompt the user to enter their secret storage key.
+            return mySecretStorageKeys;
+        },
+    },
+});
+
+matrixClient.getCrypto().bootstrapSecretStorage({
+    // This function will be called if a new secret storage key (aka recovery key) is needed.
+    // You should prompt the user to save the key somewhere, because they will need it to unlock secret storage in future.
+    createSecretStorageKey: async () => {
+        return mySecretStorageKey;
+    },
+});
+```
+
+The example above will create a new secret storage key if secret storage was not previously set up.
+The secret storage data will be encrypted using the secret storage key returned in [`createSecretStorageKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CreateSecretStorageOpts.html#createSecretStorageKey).
+
+We recommend that you prompt the user to re-enter this key when [`CryptoCallbacks.getSecretStorageKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoCallbacks.html#getSecretStorageKey) is called (when the secret storage access is needed).
+
+## Set up cross-signing
+
+To set up cross-signing to verify devices and other users, call
+[`CryptoApi.bootstrapCrossSigning`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#bootstrapCrossSigning):
+
+```javascript
+matrixClient.getCrypto().bootstrapCrossSigning({
+    authUploadDeviceSigningKeys: async (makeRequest) => {
+        return makeRequest(authDict);
+    },
+});
+```
+
+The [`authUploadDeviceSigningKeys`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.BootstrapCrossSigningOpts.html#authUploadDeviceSigningKeys)
+callback is required in order to upload newly-generated public cross-signing keys to the server.
+
+## Key backup
+
+If the user doesn't already have a [key backup](https://spec.matrix.org/v1.12/client-server-api/#server-side-key-backups) you should create one:
+
+```javascript
+// Check if we have a key backup.
+// If checkKeyBackupAndEnable returns null, there is no key backup.
+const hasKeyBackup = (await matrixClient.getCrypto().checkKeyBackupAndEnable()) !== null;
+
+// Create the key backup
+await matrixClient.getCrypto().resetKeyBackup();
+```
+
+## Verify a new device
+
+Once the cross-signing is set up on one of your devices, you can verify another device with two methods:
+
+1. Use `CryptoApi.bootstrapCrossSigning`.
+
+    `bootstrapCrossSigning` will call the [CryptoCallbacks.getSecretStorageKey](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoCallbacks.html#getSecretStorageKey) callback. The device is verified with the private cross-signing keys fetched from the secret storage.
+
+2. Request an interactive verification against existing devices, by calling [CryptoApi.requestOwnUserVerification](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html#requestOwnUserVerification).
+
+## Migrating from the legacy crypto stack to Rust crypto
+
+If your application previously used the legacy crypto stack, (i.e, it called `MatrixClient.initLegacyCrypto()`), you will
+need to migrate existing devices to the Rust crypto stack.
+
+This migration happens automatically when you call `initRustCrypto()` instead of `initLegacyCrypto()`,
+but you need to provide the legacy [`cryptoStore`](https://matrix-org.github.io/matrix-js-sdk/interfaces/matrix.ICreateClientOpts.html#cryptoStore) and [`pickleKey`](https://matrix-org.github.io/matrix-js-sdk/interfaces/matrix.ICreateClientOpts.html#pickleKey) to [`createClient`](https://matrix-org.github.io/matrix-js-sdk/functions/matrix.createClient.html):
+
+```javascript
+// You should provide the legacy crypto store and the pickle key to the matrix client in order to migrate the data.
+const matrixClient = sdk.createClient({
+    cryptoStore: myCryptoStore,
+    pickleKey: myPickleKey,
+    baseUrl: "http://localhost:8008",
+    accessToken: myAccessToken,
+    userId: myUserId,
+});
+
+// The migration will be done automatically when you call `initRustCrypto`.
+await matrixClient.initRustCrypto();
+```
+
+To follow the migration progress, you can listen to the [`CryptoEvent.LegacyCryptoStoreMigrationProgress`](https://matrix-org.github.io/matrix-js-sdk/enums/crypto_api.CryptoEvent.html#LegacyCryptoStoreMigrationProgress) event:
+
+```javascript
+// When progress === total === -1, the migration is finished.
+matrixClient.on(CryptoEvent.LegacyCryptoStoreMigrationProgress, (progress, total) => {
+    ...
+});
+```
+
+The Rust crypto stack is not supported in a lot of deprecated methods of [`MatrixClient`](https://matrix-org.github.io/matrix-js-sdk/classes/matrix.MatrixClient.html). If you use them, you should migrate to the [`CryptoApi`](https://matrix-org.github.io/matrix-js-sdk/interfaces/crypto_api.CryptoApi.html). Also, the legacy `MatrixClient.crypto` object is not available any more: you should use `MatrixClient.getCrypto()` instead.

 # Contributing

@@ -346,7 +453,7 @@ want to use this SDK, skip this section._
 First, you need to pull in the right build tools:

 ```
- $ yarn install
+ $ pnpm install
 ```

 ## Building
@@ -354,17 +461,17 @@ First, you need to pull in the right build tools:
 To build a browser version from scratch when developing:

 ```
- $ yarn build
+ $ pnpm build
 ```

-To run tests (Jest):
+To run tests:

 ```
- $ yarn test
+ $ pnpm test
 ```

 To run linting:

 ```
- $ yarn lint
+ $ pnpm lint
 ```
@@ -0,0 +1,45 @@
+module.exports = {
+    sourceMaps: true,
+    presets: [
+        [
+            "@babel/preset-env",
+            {
+                targets: {
+                    esmodules: true,
+                },
+                modules: false,
+            },
+        ],
+        [
+            "@babel/preset-typescript",
+            {
+                rewriteImportExtensions: true,
+            },
+        ],
+    ],
+    plugins: [
+        ["@babel/plugin-proposal-decorators", { version: "2023-11" }],
+        "@babel/plugin-transform-numeric-separator",
+        "@babel/plugin-transform-class-properties",
+        "@babel/plugin-transform-object-rest-spread",
+        "@babel/plugin-syntax-dynamic-import",
+        "@babel/plugin-transform-runtime",
+        [
+            "search-and-replace",
+            {
+                // Since rewriteImportExtensions doesn't work on dynamic imports (yet), we need to manually replace
+                // the dynamic rust-crypto import.
+                // (see https://github.com/babel/babel/issues/16750)
+                rules:
+                    process.env.NODE_ENV !== "test"
+                        ? [
+                              {
+                                  search: "./rust-crypto/index.ts",
+                                  replace: "./rust-crypto/index.js",
+                              },
+                          ]
+                        : [],
+            },
+        ],
+    ],
+};
@@ -0,0 +1,284 @@
+## Guiding principles
+
+1. We want the lint rules to feel natural for most team members. No one should have to think too much
+   about the linter.
+2. We want to stay relatively close to [industry standards](https://google.github.io/styleguide/tsguide.html)
+   to make onboarding easier.
+3. We describe what good code looks like rather than point out bad examples. We do this to avoid
+   excessively punishing people for writing code which fails the linter.
+4. When something isn't covered by the style guide, we come up with a reasonable rule rather than
+   claim that it "passes the linter". We update the style guide and linter accordingly.
+5. While we aim to improve readability, understanding, and other aspects of the code, we deliberately
+   do not let solely our personal preferences drive decisions.
+6. We aim to have an understandable guide.
+
+## Coding practices
+
+1. Lint rules enforce decisions made by this guide. The lint rules and this guide are kept in
+   perfect sync.
+2. Commit messages are descriptive for the changes. When the project supports squash merging,
+   only the squashed commit needs to have a descriptive message.
+3. When there is disagreement with a code style approved by the linter, a PR is opened against
+   the lint rules rather than making exceptions on the responsible code PR.
+4. Rules which are intentionally broken (via eslint-ignore, @ts-ignore, etc) have a comment
+   included in the immediate vicinity for why. Determination of whether this is valid applies at
+   code review time.
+5. When editing a file, nearby code is updated to meet the modern standards. "Nearby" is subjective,
+   but should be whatever is reasonable at review time. Such an example might be to update the
+   class's code style, but not the file's.
+    1. These changes should be minor enough to include in the same commit without affecting a code
+       reviewer's job.
+
+## All code
+
+Unless otherwise specified, the following applies to all code:
+
+1. Files must be formatted with Prettier.
+2. 120 character limit per line. Match existing code in the file if it is using a lower guide.
+3. A tab/indentation is 4 spaces.
+4. Newlines are Unix.
+5. A file has a single empty line at the end.
+6. Lines are trimmed of all excess whitespace, including blank lines.
+7. Long lines are broken up for readability.
+
+## TypeScript / JavaScript
+
+1. Write TypeScript. Turn JavaScript into TypeScript when working in the area.
+2. Use [TSDoc](https://tsdoc.org/) to document your code. See [Comments](#comments) below.
+3. Use named exports.
+4. Use semicolons for block/line termination.
+    1. Except when defining interfaces, classes, and non-arrow functions specifically.
+5. When a statement's body is a single line, it must be written without curly braces, so long as the body is placed on
+   the same line as the statement.
+
+    ```typescript
+    if (x) doThing();
+    ```
+
+6. Blocks for `if`, `for`, `switch` and so on must have a space surrounding the condition, but not
+   within the condition.
+
+    ```typescript
+    if (x) {
+        doThing();
+    }
+    ```
+
+7. lowerCamelCase is used for function and variable naming.
+8. UpperCamelCase is used for general naming.
+9. Interface names should not be marked with an uppercase `I`.
+10. One variable declaration per line.
+11. If a variable is not receiving a value on declaration, its type must be defined.
+
+    ```typescript
+    let errorMessage: string;
+    ```
+
+12. Objects can use shorthand declarations, including mixing of types.
+
+    ```typescript
+    {
+        room,
+        prop: this.prop,
+    }
+    // ... or ...
+    { room, prop: this.prop }
+    ```
+
+13. Object keys should always be non-strings when possible.
+
+    ```typescript
+    {
+        property: "value",
+        "m.unavoidable": true,
+        [EventType.RoomMessage]: true,
+    }
+    ```
+
+14. If a variable's type should be boolean, make sure it really is one.
+
+    ```typescript
+    const isRealUser = !!userId && ...; // good
+    const isRealUser = Boolean(userId) && Boolean(userName); // also good
+    const isRealUser = Boolean(userId) && isReal; // also good (where isReal is another boolean variable)
+    const isRealUser = Boolean(userId && userName); // also fine
+    const isRealUser = Boolean(userId || userName); // good: same as &&
+    const isRealUser = userId && ...;   // bad: isRealUser is userId's type, not a boolean
+
+    if (userId) // fine: userId is evaluated for truthiness, not stored as a boolean
+    ```
+
+15. Use `switch` statements when checking against more than a few enum-like values.
+16. Use `const` for constants, `let` for mutability.
+17. Describe types exhaustively (ensure noImplictAny would pass).
+    1. Notable exceptions are arrow functions used as parameters, when a void return type is
+       obvious, and when declaring and assigning a variable in the same line.
+18. Declare member visibility (public/private/protected).
+19. Private members are private and not prefixed unless required for naming conflicts.
+    1. Convention is to use an underscore or the word "internal" to denote conflicted member names.
+    2. "Conflicted" typically refers to a getter which wants the same name as the underlying variable.
+20. Prefer readonly members over getters backed by a variable, unless an internal setter is required.
+21. Prefer Interfaces for object definitions, and types for parameter-value-only declarations.
+    1. Note that an explicit type is optional if not expected to be used outside of the function call,
+       unlike in this example:
+
+        ```typescript
+        interface MyObject {
+            hasString: boolean;
+        }
+
+        type Options = MyObject | string;
+
+        function doThing(arg: Options) {
+            // ...
+        }
+        ```
+
+22. Variables/properties which are `public static` should also be `readonly` when possible.
+23. Interface and type properties are terminated with semicolons, not commas.
+24. Prefer arrow formatting when declaring functions for interfaces/types:
+
+    ```typescript
+    interface Test {
+        myCallback: (arg: string) => Promise<void>;
+    }
+    ```
+
+25. Prefer a type definition over an inline type. For example, define an interface.
+26. Always prefer to add types or declare a type over the use of `any`. Prefer inferred types
+    when they are not `any`.
+    1. When using `any`, a comment explaining why must be present.
+27. `import` should be used instead of `require`, as `require` does not have types.
+28. Export only what can be reused.
+29. Prefer a type like `X | null` instead of truly optional parameters.
+    1. A notable exception is when the likelihood of a bug is minimal, such as when a function
+       takes an argument that is more often not required than required. An example where the
+       `?` operator is inappropriate is when taking a room ID: typically the caller should
+       supply the room ID if it knows it, otherwise deliberately acknowledge that it doesn't
+       have one with `null`.
+
+        ```typescript
+        function doThingWithRoom(
+            thing: string,
+            room: string | null, // require the caller to specify
+        ) {
+            // ...
+        }
+        ```
+
+30. There should be approximately one interface, class, or enum per file unless the file is named
+    "types.ts", "global.d.ts", or ends with "-types.ts".
+    1. The file name should match the interface, class, or enum name.
+31. Bulk functions can be declared in a single file, though named as "foo-utils.ts" or "utils/foo.ts".
+32. Imports are grouped by external module imports first, then by internal imports.
+33. File ordering is not strict, but should generally follow this sequence:
+    1. Licence header
+    2. Imports
+    3. Constants
+    4. Enums
+    5. Interfaces
+    6. Functions
+    7. Classes
+        1. Public/protected/private static properties
+        2. Public/protected/private properties
+        3. Constructors
+        4. Public/protected/private getters & setters
+        5. Protected and abstract functions
+        6. Public/private functions
+        7. Public/protected/private static functions
+34. Variable names should be noticeably unique from their types. For example, "str: string" instead
+    of "string: string".
+35. Use double quotes to enclose strings. You may use single quotes if the string contains double quotes.
+
+    ```typescript
+    const example1 = "simple string";
+    const example2 = 'string containing "double quotes"';
+    ```
+
+36. Prefer async-await to promise-chaining
+
+    ```typescript
+    async function () {
+        const result = await anotherAsyncFunction();
+        // ...
+    }
+    ```
+
+37. Avoid functions whose fundamental behaviour varies with different parameter types.
+    Multiple return types are fine, but if the function's behaviour is going to change significantly,
+    have two separate functions. For example, `SDKConfig.get()` with a string param which returns the
+    type according to the param given is ok, but `SDKConfig.get()` with no args returning the whole
+    config object would not be: this should just be a separate function.
+
+## Tests
+
+1. Tests must be written in TypeScript.
+2. Mocks are declared below imports, but above everything else.
+3. Use the following convention template:
+
+    ```typescript
+    // Describe the class, component, or file name.
+    describe("FooComponent", () => {
+        // all test inspecific variables go here
+
+        beforeEach(() => {
+            // exclude if not used.
+        });
+
+        afterEach(() => {
+            // exclude if not used.
+        });
+
+        // Use "it should..." terminology
+        it("should call the correct API", async () => {
+            // test-specific variables go here
+            // function calls/state changes go here
+            // expectations go here
+        });
+    });
+
+    // If the file being tested is a utility class:
+    describe("foo-utils", () => {
+        describe("firstUtilFunction", () => {
+            it("should...", async () => {
+                // ...
+            });
+        });
+
+        describe("secondUtilFunction", () => {
+            it("should...", async () => {
+                // ...
+            });
+        });
+    });
+    ```
+
+## Comments
+
+1. As a general principle: be liberal with comments. This applies to all files: stylesheets as well as
+   JavaScript/TypeScript.
+
+    Good comments not only help future readers understand and maintain the code; they can also encourage good design
+    by clearly setting out how different parts of the codebase interact where that would otherwise be implicit and
+    subject to interpretation.
+
+2. Aim to document all types, methods, class properties, functions, etc, with [TSDoc](https://tsdoc.org/) doc comments.
+   This is _especially_ important for public interfaces in `matrix-js-sdk`, but is good practice in general.
+
+    Even very simple interfaces can often benefit from a doc-comment, both as a matter of consistency, and because simple
+    interfaces have a habit of becoming more complex over time.
+
+3. Inside a function, there is no need to comment every line, but consider:
+    - before a particular multiline section of code within the function, give an overview of what it does,
+      to make it easier for a reader to follow the flow through the function as a whole.
+    - if it is anything less than obvious, explain _why_ we are doing a particular operation, with particular emphasis
+      on how this function interacts with other parts of the codebase.
+
+4. When making changes to existing code, authors are expected to read existing comments and make any necessary changes
+   to ensure they remain accurate.
+
+5. Reviewers are encouraged to consider whether more comments would be useful, and to ask the author to add them.
+
+    It is natural for an author to feel that the code they have just written is "obvious" and that comments would be
+    redundant, whereas in reality it would take some time for reader unfamiliar with the code to understand it. A
+    reviewer is well-placed to make a more objective judgement.
@@ -1,9 +1,8 @@
 # Summary

-   [Introduction](../README.md)
+- [Introduction](../README.md)

 # Deep dive

-   [Release Process](release.md)
-   [Storage notes](storage-notes.md)
-   [Unverified devices](warning-on-unverified-devices.md)
+- [Storage notes](storage-notes.md)
+- [Unverified devices](warning-on-unverified-devices.md)
@@ -1,24 +0,0 @@
-# Release Process
-
-## Hotfix and off-cycle releases
-
-1. Prepare the `staging` branch by using the backport automation and manually merging
-2. Go to [Releasing](#Releasing)
-
-## Release candidates
-
-1. Prepare the `staging` branch by running the [branch cut automation](https://github.com/vector-im/element-web/actions/workflows/release_prepare.yml)
-2. Go to [Releasing](#Releasing)
-
-## Releasing
-
-1. Open the [Releases page](https://github.com/matrix-org/matrix-js-sdk/releases) and inspect the draft release there
-2. Make any modifications to the release notes and tag/version as required
-3. Run [workflow](https://github.com/matrix-org/matrix-js-sdk/actions/workflows/release.yml) with the type set appropriately
-
-## Artifacts
-
-Releasing the Matrix JS SDK has just two artifacts:
-
-   Package published to [npm](https://github.com/matrix-org/matrix-js-sdk)
-   Docs published to [Github Pages](https://matrix-org.github.io/matrix-js-sdk/)
@@ -20,19 +20,19 @@ blurrier.

 When we are low on disk space overall or near the group limit / origin quota:

-   Chrome
-    -   Log database may fail to start with AbortError
-    -   IndexedDB fails to start for crypto: AbortError in connect from
-        indexeddb-store-worker
-    -   When near the quota, QuotaExceededError is used more consistently
-   Firefox
-    -   The first error will be QuotaExceededError
-    -   Future write attempts will fail with various errors when space is low,
-        including nonsense like "InvalidStateError: A mutation operation was
-        attempted on a database that did not allow mutations."
-    -   Once you start getting errors, the DB is effectively wedged in read-only
-        mode
-    -   Can revive access if you reopen the DB
+- Chrome
+    - Log database may fail to start with AbortError
+    - IndexedDB fails to start for crypto: AbortError in connect from
+      indexeddb-store-worker
+    - When near the quota, QuotaExceededError is used more consistently
+- Firefox
+    - The first error will be QuotaExceededError
+    - Future write attempts will fail with various errors when space is low,
+      including nonsense like "InvalidStateError: A mutation operation was
+      attempted on a database that did not allow mutations."
+    - Once you start getting errors, the DB is effectively wedged in read-only
+      mode
+    - Can revive access if you reopen the DB

 ## Cache Eviction

@@ -41,9 +41,9 @@ limited by a single quota, in practice, browsers appear to handle `localStorage`
 separately from the others, so it has a separate quota limit and isn't evicted
 when low on space.

-   Chrome, Firefox
-    -   IndexedDB for origin deleted
-    -   Local Storage remains in place
+- Chrome, Firefox
+    - IndexedDB for origin deleted
+    - Local Storage remains in place

 ## Persistent Storage

@@ -51,20 +51,20 @@ Storage Standard offers a `navigator.storage.persist` API that can be used to
 request persistent storage that won't be deleted by the browser because of low
 space.

-   Chrome
-    -   Chrome 75 seems to grant this without any prompt based on [interaction
-        criteria](https://developers.google.com/web/updates/2016/06/persistent-storage)
-   Firefox
-    -   Firefox 67 shows a prompt to grant
-    -   Reverting persistent seems to require revoking permission _and_ clearing
-        site data
+- Chrome
+    - Chrome 75 seems to grant this without any prompt based on [interaction
+      criteria](https://developers.google.com/web/updates/2016/06/persistent-storage)
+- Firefox
+    - Firefox 67 shows a prompt to grant
+    - Reverting persistent seems to require revoking permission _and_ clearing
+      site data

 ## Storage Estimation

 Storage Standard offers a `navigator.storage.estimate` API to get some clue of
 how much space remains.

-   Chrome, Firefox
-    -   Can run this at any time to request an estimate of space remaining
-   Firefox
-    -   Returns `0` for `usage` if a site is persisted
+- Chrome, Firefox
+    - Can run this at any time to request an estimate of space remaining
+- Firefox
+    - Returns `0` for `usage` if a site is persisted
@@ -17,13 +17,13 @@ Warn when you initial sync if the room has any new undefined devices since you w

 Warn when the user tries to send a message:

-   If the room has unverified devices which the user has not yet been told about in the context of this room
-    ...or in the context of this user? currently all verification is per-user, not per-room.
-    ...this should be good enough.
+- If the room has unverified devices which the user has not yet been told about in the context of this room
+  ...or in the context of this user? currently all verification is per-user, not per-room.
+  ...this should be good enough.

-   so track whether we have warned the user or not about unverified devices - blocked, unverified, verified, unverified_warned.
-    throw an error when trying to encrypt if there are pure unverified devices there
-    app will have to search for the devices which are pure unverified to warn about them - have to do this from MembersList anyway?
-    -   or megolm could warn which devices are causing the problems.
+- so track whether we have warned the user or not about unverified devices - blocked, unverified, verified, unverified_warned.
+  throw an error when trying to encrypt if there are pure unverified devices there
+  app will have to search for the devices which are pure unverified to warn about them - have to do this from MembersList anyway?
+    - or megolm could warn which devices are causing the problems.

 Why do we wait to establish outbound sessions? It just makes a horrible pause when we first try to send a message... but could otherwise unnecessarily consume resources?
@@ -1,9 +1,15 @@
+import clc from "cli-color";
+import fs from "fs";
+import readline from "readline";
+import sdk, { ClientEvent, EventType, MsgType, RoomEvent } from "matrix-js-sdk";
+import { KnownMembership } from "matrix-js-sdk/lib/@types/membership.js";
+
+var myHomeServer = "http://localhost:8008";
 var myUserId = "@example:localhost";
 var myAccessToken = "QGV4YW1wbGU6bG9jYWxob3N0.qPEvLuYfNBjxikiCjP";
-var sdk = require("matrix-js-sdk");
-var clc = require("cli-color");
+
 var matrixClient = sdk.createClient({
-    baseUrl: "http://localhost:8008",
+    baseUrl: myHomeServer,
    accessToken: myAccessToken,
    userId: myUserId,
 });
@@ -15,7 +21,6 @@ var numMessagesToShow = 20;

 // Reading from stdin
 var CLEAR_CONSOLE = "\x1B[2J";
-var readline = require("readline");
 var rl = readline.createInterface({
    input: process.stdin,
    output: process.stdout,
@@ -89,20 +94,14 @@ rl.on("line", function (line) {
            );
        } else if (line.indexOf("/file ") === 0) {
            var filename = line.split(" ")[1].trim();
-            var stream = fs.createReadStream(filename);
-            matrixClient
-                .uploadContent({
-                    stream: stream,
-                    name: filename,
-                })
-                .then(function (url) {
-                    var content = {
-                        msgtype: "m.file",
-                        body: filename,
-                        url: JSON.parse(url).content_uri,
-                    };
-                    matrixClient.sendMessage(viewingRoom.roomId, content);
+            let buffer = fs.readFileSync("./your_file_name");
+            matrixClient.uploadContent(new Blob([buffer])).then(function (response) {
+                matrixClient.sendMessage(viewingRoom.roomId, {
+                    msgtype: MsgType.File,
+                    body: filename,
+                    url: response.content_uri,
                });
+            });
        } else {
            matrixClient.sendTextMessage(viewingRoom.roomId, line).finally(function () {
                printMessages();
@@ -115,7 +114,7 @@ rl.on("line", function (line) {
        if (line.indexOf("/join ") === 0) {
            var roomIndex = line.split(" ")[1];
            viewingRoom = roomList[roomIndex];
-            if (viewingRoom.getMember(myUserId).membership === "invite") {
+            if (viewingRoom.getMember(myUserId).membership === KnownMembership.Invite) {
                // join the room first
                matrixClient.joinRoom(viewingRoom.roomId).then(
                    function (room) {
@@ -138,7 +137,7 @@ rl.on("line", function (line) {
 // ==== END User input

 // show the room list after syncing.
-matrixClient.on("sync", function (state, prevState, data) {
+matrixClient.on(ClientEvent.Sync, function (state, prevState, data) {
    switch (state) {
        case "PREPARED":
            setRoomList();
@@ -149,7 +148,7 @@ matrixClient.on("sync", function (state, prevState, data) {
    }
 });

-matrixClient.on("Room", function () {
+matrixClient.on(ClientEvent.Room, function () {
    setRoomList();
    if (!viewingRoom) {
        printRoomList();
@@ -158,11 +157,11 @@ matrixClient.on("Room", function () {
 });

 // print incoming messages.
-matrixClient.on("Room.timeline", function (event, room, toStartOfTimeline) {
+matrixClient.on(RoomEvent.Timeline, function (event, room, toStartOfTimeline) {
    if (toStartOfTimeline) {
        return; // don't print paginated results
    }
-    if (!viewingRoom || viewingRoom.roomId !== room.roomId) {
+    if (!viewingRoom || viewingRoom.roomId !== room?.roomId) {
        return; // not viewing a room or viewing the wrong room.
    }
    printLine(event);
@@ -305,7 +304,7 @@ function printRoomInfo(room) {
    print(eTypeHeader + sendHeader + contentHeader);
    print(new Array(100).join("-"));
    eventMap.keys().forEach(function (eventType) {
-        if (eventType === "m.room.member") {
+        if (eventType === EventType.RoomMember) {
            return;
        } // use /members instead.
        var eventEventMap = eventMap.get(eventType);
@@ -343,7 +342,7 @@ function printLine(event) {
        name = name.slice(0, maxNameWidth - 1) + "\u2026";
    }

-    if (event.getType() === "m.room.message") {
+    if (event.getType() === EventType.RoomMessage) {
        body = event.getContent().body;
    } else if (event.isState()) {
        var stateName = event.getType();
@@ -381,7 +380,7 @@ function print(str, formatter) {
        }
        console.log.apply(console.log, newArgs);
    } else {
-        console.log.apply(console.log, arguments);
+        console.log.apply(console.log, [...arguments]);
    }
 }

@@ -394,4 +393,4 @@ function fixWidth(str, len) {
    return str;
 }

-matrixClient.startClient(numMessagesToShow); // messages for each room.
+matrixClient.startClient({ initialSyncLimit: numMessagesToShow });
@@ -3,12 +3,18 @@
    "version": "0.0.0",
    "description": "",
    "main": "app.js",
-    "scripts": {
-        "preinstall": "npm install ../.."
-    },
    "author": "",
    "license": "Apache 2.0",
+    "type": "module",
    "dependencies": {
-        "cli-color": "^1.0.0"
+        "cli-color": "^1.0.0",
+        "matrix-js-sdk": "^34.5.0"
+    },
+    "devDependencies": {
+        "@types/cli-color": "^2.0.6",
+        "typescript": "^5.6.2"
+    },
+    "engines": {
+        "node": ">=20.0.0"
    }
 }
@@ -0,0 +1,14 @@
+{
+    "compilerOptions": {
+        "target": "es2022",
+        "module": "commonjs",
+        "esModuleInterop": true,
+        "noImplicitAny": false,
+        "noEmit": true,
+        "skipLibCheck": true,
+        "allowJs": true,
+        "checkJs": true,
+        "strict": true
+    },
+    "include": ["app.js"]
+}
@@ -21,4 +21,4 @@ export PATH="$rootdir/node_modules/.bin:$PATH"

 # now run our checks
 cd "$tmpdir"
-yarn lint
+pnpm lint
@@ -1,47 +0,0 @@
-/* Copyright 2023 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import type { Config } from "jest";
-import { env } from "process";
-
-const config: Config = {
-    testEnvironment: "node",
-    testMatch: ["<rootDir>/spec/**/*.spec.{js,ts}"],
-    setupFilesAfterEnv: ["<rootDir>/spec/setupTests.ts"],
-    collectCoverageFrom: ["<rootDir>/src/**/*.{js,ts}"],
-    coverageReporters: ["text-summary", "lcov"],
-    testResultsProcessor: "@casualbot/jest-sonar-reporter",
-
-    // Always print out a summary if there are any failing tests. Normally
-    // a summary is only printed if there are more than 20 test *suites*.
-    reporters: [["default", { summaryThreshold: 0 }]],
-};
-
-// if we're running under GHA, enable the GHA reporter
-if (env["GITHUB_ACTIONS"] !== undefined) {
-    const reporters: Config["reporters"] = [
-        ["github-actions", { silent: false }],
-        // as above: always show a summary if there were any failing tests.
-        ["summary", { summaryThreshold: 0 }],
-    ];
-
-    // if we're running against the develop branch, also enable the slow test reporter
-    if (env["GITHUB_REF"] == "refs/heads/develop") {
-        reporters.push("<rootDir>/spec/slowReporter.js");
-    }
-    config.reporters = reporters;
-}
-
-export default config;
@@ -0,0 +1,42 @@
+import { KnipConfig } from "knip";
+
+// Specify this as knip loads config files which may conditionally add reporters, e.g. `vitest-sonar-reporter'
+process.env.GITHUB_ACTIONS = "1";
+
+export default {
+    entry: [
+        "src/index.ts",
+        "src/types.ts",
+        "src/browser-index.ts",
+        "src/indexeddb-worker.ts",
+        "src/crypto-api/index.ts",
+        "src/testing.ts",
+        "src/matrix.ts",
+        "src/utils.ts", // not really an entrypoint but we have deprecated `defer` there
+        "scripts/**",
+        "spec/**",
+        // XXX: these should be re-exported by one of the supported exports
+        "src/matrixrtc/index.ts",
+        "src/sliding-sync.ts",
+        "src/webrtc/groupCall.ts",
+        "src/webrtc/stats/media/mediaTrackStats.ts",
+        "src/rendezvous/RendezvousChannel.ts",
+    ],
+    project: ["**/*.{js,ts}"],
+    ignore: ["examples/**"],
+    ignoreDependencies: [
+        // Required for `action-validator`
+        "@action-validator/*",
+        // Used for git pre-commit hooks
+        "husky",
+        // Used in script which only runs in environment with `@octokit/rest` installed
+        "@octokit/rest",
+    ],
+    ignoreBinaries: [
+        // Used when available by reusable workflow `.github/workflows/release-make.yml`
+        "dist",
+    ],
+    ignoreExportsUsedInFile: true,
+    includeEntryExports: false,
+    exclude: ["enumMembers"],
+} satisfies KnipConfig;
@@ -1,42 +1,38 @@
 {
    "name": "matrix-js-sdk",
-    "version": "30.2.0",
+    "version": "41.3.0",
    "description": "Matrix Client-Server SDK for Javascript",
    "engines": {
-        "node": ">=18.0.0"
+        "node": ">=22.0.0"
    },
    "scripts": {
-        "prepublishOnly": "yarn build",
-        "start": "echo THIS IS FOR LEGACY PURPOSES ONLY. && babel src -w -s -d lib --verbose --extensions \".ts,.js\"",
-        "clean": "rimraf lib",
-        "build": "yarn build:dev",
-        "build:dev": "yarn clean && git rev-parse HEAD > git-revision.txt && yarn build:compile && yarn build:types",
+        "prepare": "pnpm build",
+        "start": "echo THIS IS FOR LEGACY PURPOSES ONLY. && babel --delete-dir-on-start src -w -s -d lib --verbose --extensions \".ts,.js\"",
+        "build": "pnpm build:compile && pnpm build:types",
        "build:types": "tsc -p tsconfig-build.json --emitDeclarationOnly",
-        "build:compile": "babel -d lib --verbose --extensions \".ts,.js\" src",
+        "build:compile": "babel --delete-dir-on-start -d lib --verbose --extensions \".ts,.js\" src",
        "gendoc": "typedoc",
-        "lint": "yarn lint:types && yarn lint:js && yarn lint:workflows",
+        "lint": "pnpm lint:types && pnpm lint:js && pnpm lint:workflows",
        "lint:js": "eslint --max-warnings 0 src spec && prettier --check .",
-        "lint:js-fix": "prettier --loglevel=warn --write . && eslint --fix src spec",
+        "lint:js-fix": "prettier --log-level=warn --write . && eslint --fix src spec",
        "lint:types": "tsc --noEmit",
        "lint:workflows": "find .github/workflows -type f \\( -iname '*.yaml' -o -iname '*.yml' \\) | xargs -I {} sh -c 'echo \"Linting {}\"; action-validator \"{}\"'",
-        "test": "jest",
-        "test:watch": "jest --watch",
-        "coverage": "yarn test --coverage"
+        "lint:knip": "knip",
+        "test": "vitest run",
+        "test:watch": "vitest watch",
+        "coverage": "pnpm test --coverage"
    },
    "repository": {
        "type": "git",
-        "url": "https://github.com/matrix-org/matrix-js-sdk"
+        "url": "git+https://github.com/matrix-org/matrix-js-sdk.git"
    },
    "keywords": [
        "matrix-org"
    ],
+    "type": "module",
    "main": "./lib/index.js",
    "browser": "./lib/browser-index.js",
-    "matrix_src_main": "./src/index.ts",
-    "matrix_src_browser": "./src/browser-index.ts",
-    "matrix_lib_main": "./lib/index.js",
-    "matrix_lib_browser": "./lib/browser-index.js",
-    "matrix_lib_typings": "./lib/index.d.ts",
+    "typings": "./lib/index.d.ts",
    "author": "matrix.org",
    "license": "Apache-2.0",
    "files": [
@@ -52,86 +48,91 @@
    ],
    "dependencies": {
        "@babel/runtime": "^7.12.5",
-        "@matrix-org/matrix-sdk-crypto-wasm": "^3.1.0",
+        "@matrix-org/matrix-sdk-crypto-wasm": "^18.1.0",
        "another-json": "^0.2.0",
-        "bs58": "^5.0.0",
+        "bs58": "^6.0.0",
        "content-type": "^1.0.4",
-        "jwt-decode": "^3.1.2",
-        "loglevel": "^1.7.1",
+        "jwt-decode": "^4.0.0",
+        "loglevel": "^1.9.2",
        "matrix-events-sdk": "0.0.1",
-        "matrix-widget-api": "^1.6.0",
-        "oidc-client-ts": "^2.2.4",
-        "p-retry": "4",
-        "sdp-transform": "^2.14.1",
-        "unhomoglyph": "^1.0.6",
-        "uuid": "9"
+        "matrix-widget-api": "^1.16.1",
+        "oidc-client-ts": "^3.0.1",
+        "p-retry": "8",
+        "sdp-transform": "^3.0.0",
+        "unhomoglyph": "^1.0.6"
    },
    "devDependencies": {
-        "@action-validator/cli": "^0.5.3",
-        "@action-validator/core": "^0.5.3",
+        "@action-validator/cli": "^0.6.0",
+        "@action-validator/core": "^0.6.0",
        "@babel/cli": "^7.12.10",
        "@babel/core": "^7.12.10",
        "@babel/eslint-parser": "^7.12.10",
        "@babel/eslint-plugin": "^7.12.10",
-        "@babel/plugin-proposal-class-properties": "^7.12.1",
-        "@babel/plugin-proposal-numeric-separator": "^7.12.7",
-        "@babel/plugin-proposal-object-rest-spread": "^7.12.1",
+        "@babel/plugin-proposal-decorators": "^7.25.9",
        "@babel/plugin-syntax-dynamic-import": "^7.8.3",
+        "@babel/plugin-transform-class-properties": "^7.12.1",
+        "@babel/plugin-transform-numeric-separator": "^7.12.7",
+        "@babel/plugin-transform-object-rest-spread": "^7.12.1",
        "@babel/plugin-transform-runtime": "^7.12.10",
        "@babel/preset-env": "^7.12.11",
        "@babel/preset-typescript": "^7.12.7",
-        "@babel/register": "^7.12.10",
-        "@casualbot/jest-sonar-reporter": "2.2.7",
+        "@fetch-mock/vitest": "^0.2.18",
        "@matrix-org/olm": "3.2.15",
-        "@types/bs58": "^4.0.1",
+        "@peculiar/webcrypto": "^1.4.5",
+        "@stylistic/eslint-plugin": "^5.0.0",
        "@types/content-type": "^1.1.5",
        "@types/debug": "^4.1.7",
-        "@types/domexception": "^4.0.0",
-        "@types/jest": "^29.0.0",
-        "@types/node": "18",
+        "@types/node": "22",
        "@types/sdp-transform": "^2.4.5",
-        "@types/uuid": "9",
-        "@typescript-eslint/eslint-plugin": "^5.45.0",
-        "@typescript-eslint/parser": "^5.45.0",
-        "allchange": "^1.0.6",
-        "babel-jest": "^29.0.0",
+        "@typescript-eslint/eslint-plugin": "^8.0.0",
+        "@typescript-eslint/parser": "^8.0.0",
+        "@vitest/coverage-v8": "^4.0.17",
+        "@vitest/eslint-plugin": "^1.6.6",
+        "@vitest/ui": "^4.0.17",
+        "babel-plugin-search-and-replace": "^1.1.1",
        "debug": "^4.3.4",
-        "domexception": "^4.0.0",
-        "eslint": "8.53.0",
+        "eslint": "8.57.1",
        "eslint-config-google": "^0.14.0",
-        "eslint-config-prettier": "^9.0.0",
-        "eslint-import-resolver-typescript": "^3.5.1",
+        "eslint-config-prettier": "^10.0.0",
+        "eslint-import-resolver-typescript": "^4.0.0",
        "eslint-plugin-import": "^2.26.0",
-        "eslint-plugin-jest": "^27.1.6",
-        "eslint-plugin-jsdoc": "^46.0.0",
-        "eslint-plugin-matrix-org": "^1.0.0",
-        "eslint-plugin-tsdoc": "^0.2.17",
-        "eslint-plugin-unicorn": "^49.0.0",
-        "fake-indexeddb": "^5.0.0",
-        "fetch-mock": "9.11.0",
-        "fetch-mock-jest": "^1.5.1",
-        "husky": "^8.0.3",
-        "jest": "^29.0.0",
-        "jest-environment-jsdom": "^29.0.0",
-        "jest-localstorage-mock": "^2.4.6",
-        "jest-mock": "^29.0.0",
-        "lint-staged": "^15.0.2",
+        "eslint-plugin-jsdoc": "^62.0.0",
+        "eslint-plugin-matrix-org": "^3.0.0",
+        "eslint-plugin-n": "^14.0.0",
+        "eslint-plugin-tsdoc": "^0.5.0",
+        "eslint-plugin-unicorn": "^56.0.0",
+        "fake-indexeddb": "^5.0.2",
+        "fetch-mock": "^12.6.0",
+        "happy-dom": "^20.1.0",
+        "husky": "^9.0.0",
+        "knip": "^6.0.0",
+        "lint-staged": "^16.0.0",
        "matrix-mock-request": "^2.5.0",
-        "prettier": "2.8.8",
-        "rimraf": "^5.0.0",
-        "ts-node": "^10.9.1",
-        "typedoc": "^0.24.0",
-        "typedoc-plugin-coverage": "^2.1.0",
-        "typedoc-plugin-mdn-links": "^3.0.3",
-        "typedoc-plugin-missing-exports": "^2.0.0",
-        "typedoc-plugin-versions": "^0.2.3",
-        "typedoc-plugin-versions-cli": "^0.1.12",
-        "typescript": "^5.0.0"
+        "prettier": "3.8.3",
+        "typedoc": "^0.28.1",
+        "typedoc-plugin-coverage": "^4.0.0",
+        "typedoc-plugin-mdn-links": "^5.0.0",
+        "typedoc-plugin-missing-exports": "^4.0.0",
+        "typescript": "^6.0.0",
+        "vitest": "^4.0.17",
+        "vitest-sonar-reporter": "^3.0.0"
    },
-    "@casualbot/jest-sonar-reporter": {
-        "outputDirectory": "coverage",
-        "outputName": "jest-sonar-report.xml",
-        "relativePaths": true
+    "pnpm": {
+        "peerDependencyRules": {
+            "allowedVersions": {
+                "eslint": "8"
+            }
+        },
+        "allowedDeprecatedVersions": {
+            "eslint": "8"
+        },
+        "overrides": {
+            "expect": "30.3.0",
+            "flatted@<=3.4.1": "^3.4.2",
+            "picomatch@>=4.0.0 <4.0.4": "^4.0.4",
+            "yaml@>=2.0.0 <2.8.3": "^2.8.3",
+            "vite": "8.0.8"
+        }
    },
-    "typings": "./lib/index.d.ts"
+    "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }
@@ -0,0 +1 @@
+nodeLinker: hoisted
@@ -1,15 +0,0 @@
-#!/bin/bash
-#
-# Script to perform a post-release steps of matrix-js-sdk.
-#
-# Requires:
-#   jq; install from your distribution's package manager (https://stedolan.github.io/jq/)
-
-set -e
-
-jq --version > /dev/null || (echo "jq is required: please install it"; kill $$)
-
-if [ "$(git branch -lr | grep origin/develop -c)" -ge 1 ]; then
-    "$(dirname "$0")/scripts/release/post-merge-master.sh"
-    git push origin develop
-fi
@@ -1,346 +0,0 @@
-#!/bin/bash
-#
-# Script to perform a release of matrix-js-sdk and downstream projects.
-#
-# Requires:
-#   jq; install from your distribution's package manager (https://stedolan.github.io/jq/)
-#   hub; install via brew (macOS) or source/pre-compiled binaries (debian) (https://github.com/github/hub) - Tested on v2.2.9
-#   yarn; install via brew (macOS) or similar (https://yarnpkg.com/docs/install/)
-#
-# Note: this script is also used to release matrix-react-sdk, element-web, and element-desktop.
-
-set -e
-
-jq --version > /dev/null || (echo "jq is required: please install it"; kill $$)
-if [[ $(command -v hub) ]] && [[ $(hub --version) =~ hub[[:space:]]version[[:space:]]([0-9]*).([0-9]*) ]]; then
-    HUB_VERSION_MAJOR=${BASH_REMATCH[1]}
-    HUB_VERSION_MINOR=${BASH_REMATCH[2]}
-    if [[ $HUB_VERSION_MAJOR -lt 2 ]] || [[ $HUB_VERSION_MAJOR -eq 2 && $HUB_VERSION_MINOR -lt 5 ]]; then
-        echo "hub version 2.5 is required, you have $HUB_VERSION_MAJOR.$HUB_VERSION_MINOR installed"
-        exit
-    fi
-else
-    echo "hub is required: please install it"
-    exit
-fi
-yarn --version > /dev/null || (echo "yarn is required: please install it"; kill $$)
-
-USAGE="$0 [-x] [-c changelog_file] vX.Y.Z"
-
-help() {
-    cat <<EOF
-$USAGE
-
-    -c changelog_file:  specify name of file containing changelog
-    -x:                 skip updating the changelog
-EOF
-}
-
-if ! git diff-index --quiet --cached HEAD; then
-    echo "this git checkout has staged (uncommitted) changes. Refusing to release."
-    exit
-fi
-
-if ! git diff-files --quiet; then
-    echo "this git checkout has uncommitted changes. Refusing to release."
-    exit
-fi
-
-skip_changelog=
-changelog_file="CHANGELOG.md"
-while getopts hc:x f; do
-    case $f in
-        h)
-            help
-            exit 0
-            ;;
-        c)
-            changelog_file="$OPTARG"
-            ;;
-        x)
-            skip_changelog=1
-            ;;
-    esac
-done
-shift $(expr $OPTIND - 1)
-
-if [ $# -ne 1 ]; then
-    echo "Usage: $USAGE" >&2
-    exit 1
-fi
-
-function check_dependency {
-    local depver=$(cat package.json | jq -r .dependencies[\"$1\"])
-    if [ "$depver" == "null" ]; then return 0; fi
-
-    echo "Checking version of $1..."
-    local latestver=$(yarn info -s "$1" dist-tags.next)
-    if [ "$depver" != "$latestver" ]
-    then
-        echo "The latest version of $1 is $latestver but package.json depends on $depver."
-        echo -n "Type 'u' to auto-upgrade, 'c' to continue anyway, or 'a' to abort:"
-        read resp
-        if [ "$resp" != "u" ] && [ "$resp" != "c" ]
-        then
-            echo "Aborting."
-            exit 1
-        fi
-        if [ "$resp" == "u" ]
-        then
-            echo "Upgrading $1 to $latestver..."
-            yarn add -E "$1@$latestver"
-            git add -u
-            git commit -m "Upgrade $1 to $latestver"
-        fi
-    fi
-}
-
-function reset_dependency {
-    local depver=$(cat package.json | jq -r .dependencies[\"$1\"])
-    if [ "$depver" == "null" ]; then return 0; fi
-
-    echo "Resetting $1 to develop branch..."
-    yarn add "github:matrix-org/$1#develop"
-    git add -u
-    git commit -m "Reset $1 back to develop branch"
-}
-
-has_subprojects=0
-if [ -f release_config.yaml ]; then
-    subprojects=$(cat release_config.yaml | python -c "import yaml; import sys; print(' '.join(list(yaml.load(sys.stdin)['subprojects'].keys())))" 2> /dev/null)
-    if [ "$?" -eq 0 ]; then
-        has_subprojects=1
-        echo "Checking subprojects for upgrades"
-        for proj in $subprojects; do
-            check_dependency "$proj"
-        done
-    fi
-fi
-
-ret=0
-cat package.json | jq '.dependencies[]' | grep -q '#develop' || ret=$?
-if [ "$ret" -eq 0 ]; then
-    echo "package.json contains develop dependencies. Refusing to release."
-    exit
-fi
-
-# We use Git branch / commit dependencies for some packages, and Yarn seems
-# to have a hard time getting that right. See also
-# https://github.com/yarnpkg/yarn/issues/4734. As a workaround, we clean the
-# global cache here to ensure we get the right thing.
-yarn cache clean
-# Ensure all dependencies are updated
-yarn install --ignore-scripts --frozen-lockfile
-
-# ignore leading v on release
-release="${1#v}"
-tag="v${release}"
-
-prerelease=0
-# We check if this build is a prerelease by looking to
-# see if the version has a hyphen in it. Crude,
-# but semver doesn't support postreleases so anything
-# with a hyphen is a prerelease.
-echo $release | grep -q '-' && prerelease=1
-
-if [ $prerelease -eq 1 ]; then
-    echo Making a PRE-RELEASE
-else
-    read -p "Making a FINAL RELEASE, press enter to continue " REPLY
-fi
-
-rel_branch=$(git symbolic-ref --short HEAD)
-
-if [ -z "$skip_changelog" ]; then
-    echo "Generating changelog"
-    yarn run allchange "$release"
-    read -p "Edit $changelog_file manually, or press enter to continue " REPLY
-
-    if [ -n "$(git ls-files --modified $changelog_file)" ]; then
-        echo "Committing updated changelog"
-        git commit "$changelog_file" -m "Prepare changelog for $tag"
-    fi
-fi
-latest_changes=$(mktemp)
-cat "${changelog_file}" | "$(dirname "$0")/scripts/changelog_head.py" > "${latest_changes}"
-
-set -x
-
-# Bump package.json and build the dist
-echo "yarn version"
-# yarn version will automatically commit its modification
-# and make a release tag. We don't want it to create the tag
-# because it can only sign with the default key, but we can
-# only turn off both of these behaviours, so we have to
-# manually commit the result.
-yarn version --no-git-tag-version --new-version "$release"
-
-"$(dirname "$0")/scripts/release/pre-release.sh"
-
-# commit yarn.lock if it exists, is versioned, and is modified
-if [[ -f yarn.lock && $(git status --porcelain yarn.lock | grep '^ M') ]];
-then
-    pkglock='yarn.lock'
-else
-    pkglock=''
-fi
-git commit package.json $pkglock -m "$tag"
-
-
-# figure out if we should be signing this release
-signing_id=
-if [ -f release_config.yaml ]; then
-    result=$(cat release_config.yaml | python -c "import yaml; import sys; print(yaml.load(sys.stdin)['signing_id'])" 2> /dev/null || true)
-    if [ "$?" -eq 0 ]; then
-        signing_id=$result
-    fi
-fi
-
-
-# If there is a 'dist' script in the package.json,
-# run it in a separate checkout of the project, then
-# upload any files in the 'dist' directory as release
-# assets.
-# We make a completely separate checkout to be sure
-# we're using released versions of the dependencies
-# (rather than whatever we're pulling in from yarn link)
-assets=''
-dodist=0
-jq -e .scripts.dist package.json 2> /dev/null || dodist=$?
-if [ $dodist -eq 0 ]; then
-    projdir=$(pwd)
-    builddir=$(mktemp -d 2>/dev/null || mktemp -d -t 'mytmpdir')
-    echo "Building distribution copy in $builddir"
-    pushd "$builddir"
-    git clone "$projdir" .
-    git checkout "$rel_branch"
-    yarn install --frozen-lockfile
-    # We haven't tagged yet, so tell the dist script what version
-    # it's building
-    DIST_VERSION="$tag" yarn dist
-
-    popd
-
-    for i in "$builddir"/dist/*; do
-        assets="$assets -a $i"
-        if [ -n "$signing_id" ]
-        then
-            gpg -u "$signing_id" --armor --output "$i".asc --detach-sig "$i"
-            assets="$assets -a $i.asc"
-        fi
-    done
-fi
-
-if [ -n "$signing_id" ]; then
-    # make a signed tag
-    # gnupg seems to fail to get the right tty device unless we set it here
-    GIT_COMMITTER_EMAIL="$signing_id" GPG_TTY=$(tty) git tag -u "$signing_id" -F "${latest_changes}" "$tag"
-else
-    git tag -a -F "${latest_changes}" "$tag"
-fi
-
-# push the tag and the release branch
-git push origin "$rel_branch" "$tag"
-
-if [ -n "$signing_id" ]; then
-    # make a signature for the source tarball.
-    #
-    # github will make us a tarball from the tag - we want to create a
-    # signature for it, which means that first of all we need to check that
-    # it's correct.
-    #
-    # we can't deterministically build exactly the same tarball, due to
-    # differences in gzip implementation - but we *can* build the same tar - so
-    # the easiest way to check the validity of the tarball from git is to unzip
-    # it and compare it with our own idea of what the tar should look like.
-
-    # This uses git archive which seems to be what github uses. Specifically,
-    # the header fields are set in the same way: same file mode, uid & gid
-    # both zero and mtime set to the timestamp of the commit that the tag
-    # references. Also note that this puts the commit into the tar headers
-    # and can be extracted with gunzip -c foo.tar.gz | git get-tar-commit-id
-
-    # the name of the sig file we want to create
-    source_sigfile="${tag}-src.tar.gz.asc"
-
-    tarfile="$tag.tar.gz"
-    gh_project_url=$(git remote get-url origin |
-                            sed -e 's#^git@github\.com:#https://github.com/#' \
-                                -e 's#^git\+ssh://git@github\.com/#https://github.com/#' \
-                                -e 's/\.git$//')
-    project_name="${gh_project_url##*/}"
-    curl -L "${gh_project_url}/archive/${tarfile}" -o "${tarfile}"
-
-    # unzip it and compare it with the tar we would generate
-    if ! cmp --silent <(gunzip -c $tarfile) \
-         <(git archive --format tar --prefix="${project_name}-${release}/" "$tag"); then
-
-        # we don't bail out here, because really it's more likely that our comparison
-        # screwed up and it's super annoying to abort the script at this point.
-        cat >&2 <<EOF
-!!!!!!!!!!!!!!!!!
-!!!! WARNING !!!!
-
-Mismatch between our own tarfile and that generated by github: not signing
-source tarball.
-
-To resolve, determine if $tarfile is correct, and if so sign it with gpg and
-attach it to the release as $source_sigfile.
-
-!!!!!!!!!!!!!!!!!
-EOF
-    else
-        gpg -u "$signing_id" --armor --output "$source_sigfile" --detach-sig "$tarfile"
-        assets="$assets -a $source_sigfile"
-    fi
-fi
-
-hubflags=''
-if [ $prerelease -eq 1 ]; then
-    hubflags='-p'
-fi
-
-release_text=$(mktemp)
-echo "$tag" > "${release_text}"
-echo >> "${release_text}"
-cat "${latest_changes}" >> "${release_text}"
-hub release create $hubflags $assets -F "${release_text}" "$tag"
-
-if [ $dodist -eq 0 ]; then
-    rm -rf "$builddir"
-fi
-rm "${release_text}"
-rm "${latest_changes}"
-
-# if it is a pre-release, leave it on the release branch for now.
-if [ $prerelease -eq 1 ]; then
-    git checkout "$rel_branch"
-    exit 0
-fi
-
-# merge release branch to master
-echo "updating master branch"
-git checkout master
-git pull
-git merge "$rel_branch" --no-edit
-
-# push master to github
-git push origin master
-
-# finally, merge master back onto develop (if it exists)
-if [ "$(git branch -lr | grep origin/develop -c)" -ge 1 ]; then
-    git checkout develop
-    git pull
-    git merge master --no-edit
-    git push origin develop
-fi
-
-[ -x ./post-release.sh ] && ./post-release.sh
-
-if [ $has_subprojects -eq 1 ] && [ $prerelease -eq 0 ]; then
-    echo "Resetting subprojects to develop"
-    for proj in $subprojects; do
-        reset_dependency "$proj"
-    done
-    git push origin develop
-fi
@@ -0,0 +1,165 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+
+async function listReleases(github, owner, repo) {
+    const response = await github.rest.repos.listReleases({
+        owner,
+        repo,
+        per_page: 100,
+    });
+    // Filters out draft releases
+    return response.data.filter((release) => !release.draft);
+}
+
+// Dependency can be a tuple of dependency, from version, to version, in which case a list of releases in that range (to inclusive) will be returned
+// Or it can be a string in the form accepted by `getRelease`
+async function getReleases(github, dependency) {
+    if (Array.isArray(dependency)) {
+        const [dep, fromVersion, toVersion] = dependency;
+        const upstreamPackageJson = getDependencyPackageJson(dep);
+        const [owner, repo] = upstreamPackageJson.repository.url.split("/").slice(-2);
+
+        const unfilteredReleases = await listReleases(github, owner, repo);
+        // Only include non-draft & non-prerelease releases, unless the to-release is a pre-release, include that one
+        const releases = unfilteredReleases.filter(
+            (release) => !release.prerelease || release.tag_name === `v${toVersion}`,
+        );
+
+        const fromVersionIndex = releases.findIndex((release) => release.tag_name === `v${fromVersion}`);
+        const toVersionIndex = releases.findIndex((release) => release.tag_name === `v${toVersion}`);
+
+        return releases.slice(toVersionIndex, fromVersionIndex);
+    }
+
+    return [await getRelease(github, dependency)];
+}
+
+// Dependency can be the name of an entry in package.json, in which case the owner, repo & version will be looked up in its own package.json
+// Or it can be a string in the form owner/repo@tag - in this case the tag is used exactly to find the release
+// Or it can be a string in the form owner/repo~tag - in this case the latest tag in the same major.minor.patch set is used to find the release
+async function getRelease(github, dependency) {
+    let owner;
+    let repo;
+    let tag;
+
+    if (dependency.includes("/")) {
+        let rest;
+        [owner, rest] = dependency.split("/");
+
+        if (dependency.includes("@")) {
+            [repo, tag] = rest.split("@");
+        } else if (dependency.includes("~")) {
+            [repo, tag] = rest.split("~");
+
+            if (tag.includes("-rc.")) {
+                // If the tag is an RC, find the latest matching RC in the set
+                try {
+                    const releases = await listReleases(github, owner, repo);
+                    const baseVersion = tag.split("-rc.")[0];
+                    const release = releases.find((release) => release.tag_name.startsWith(baseVersion));
+                    if (release) return release;
+                } catch (e) {
+                    // Fall back to getReleaseByTag
+                }
+            }
+        }
+    } else {
+        const upstreamPackageJson = getDependencyPackageJson(dependency);
+        [owner, repo] = upstreamPackageJson.repository.url.split("/").slice(-2);
+        tag = `v${upstreamPackageJson.version}`;
+    }
+
+    const response = await github.rest.repos.getReleaseByTag({
+        owner,
+        repo,
+        tag,
+    });
+    return response.data;
+}
+
+function getDependencyPackageJson(dependency) {
+    return JSON.parse(fs.readFileSync(`./node_modules/${dependency}/package.json`, "utf8"));
+}
+
+const HEADING_PREFIX = "## ";
+
+const categories = [
+    "🔒 SECURITY FIXES",
+    "🚨 BREAKING CHANGESd",
+    "🦖 Deprecations",
+    "✨ Features",
+    "🐛 Bug Fixes",
+    "🧰 Maintenance",
+];
+
+const parseReleaseNotes = (body, sections) => {
+    let heading = null;
+    for (const line of body.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed.startsWith(HEADING_PREFIX)) {
+            heading = trimmed.slice(HEADING_PREFIX.length);
+            if (!categories.includes(heading)) heading = null;
+            continue;
+        }
+        if (heading && trimmed) {
+            sections[heading].push(trimmed);
+        }
+    }
+};
+
+const main = async ({ github, releaseId, dependencies }) => {
+    const { GITHUB_REPOSITORY } = process.env;
+    const [owner, repo] = GITHUB_REPOSITORY.split("/");
+
+    const { data: release } = await github.rest.repos.getRelease({
+        owner,
+        repo,
+        release_id: releaseId,
+    });
+
+    const sections = Object.fromEntries(categories.map((cat) => [cat, []]));
+    parseReleaseNotes(release.body, sections);
+    for (const dependency of dependencies) {
+        const releases = await getReleases(github, dependency);
+        for (const release of releases) {
+            parseReleaseNotes(release.body, sections);
+        }
+    }
+
+    const intro = release.body.split(HEADING_PREFIX, 2)[0].trim();
+
+    let output = "";
+    if (intro) {
+        output = intro + "\n\n";
+    }
+
+    for (const section in sections) {
+        const lines = sections[section];
+        if (!lines.length) continue;
+        output += HEADING_PREFIX + section + "\n\n";
+        output += lines.join("\n");
+        output += "\n\n";
+    }
+
+    return output;
+};
+
+// This is just for testing locally
+// Needs environment variables GITHUB_TOKEN & GITHUB_REPOSITORY
+if (require.main === module) {
+    const { Octokit } = require("@octokit/rest");
+    const github = new Octokit({ auth: process.env.GITHUB_TOKEN });
+    if (process.argv.length < 4) {
+        // eslint-disable-next-line no-console
+        console.error("Usage: node merge-release-notes.js owner/repo:release_id npm-package-name ...");
+        process.exit(1);
+    }
+    const [releaseId, ...dependencies] = process.argv.slice(2);
+    main({ github, releaseId, dependencies }).then((output) => {
+        // eslint-disable-next-line no-console
+        console.log(output);
+    });
+}
+
+module.exports = main;
@@ -1,104 +0,0 @@
-#!/usr/bin/env node
-
-const fs = require("fs");
-
-async function getRelease(github, dependency) {
-    let owner;
-    let repo;
-    let tag;
-    if (dependency.includes("/") && dependency.includes("@")) {
-        owner = dependency.split("/")[0];
-        repo = dependency.split("/")[1].split("@")[0];
-        tag = dependency.split("@")[1];
-    } else {
-        const upstreamPackageJson = JSON.parse(fs.readFileSync(`./node_modules/${dependency}/package.json`, "utf8"));
-        [owner, repo] = upstreamPackageJson.repository.url.split("/").slice(-2);
-        tag = `v${upstreamPackageJson.version}`;
-    }
-
-    const response = await github.rest.repos.getReleaseByTag({
-        owner,
-        repo,
-        tag,
-    });
-    return response.data;
-}
-
-const HEADING_PREFIX = "## ";
-
-const main = async ({ github, releaseId, dependencies }) => {
-    const { GITHUB_REPOSITORY } = process.env;
-    const [owner, repo] = GITHUB_REPOSITORY.split("/");
-
-    const sections = new Map();
-    let heading = null;
-    for (const dependency of dependencies) {
-        const release = await getRelease(github, dependency);
-        for (const line of release.body.split("\n")) {
-            if (line.startsWith(HEADING_PREFIX)) {
-                heading = line.trim();
-                sections.set(heading, []);
-                continue;
-            }
-            if (heading && line) {
-                sections.get(heading).push(line.trim());
-            }
-        }
-    }
-
-    const { data: release } = await github.rest.repos.getRelease({
-        owner,
-        repo,
-        release_id: releaseId,
-    });
-
-    const headings = ["🚨 BREAKING CHANGES", "🦖 Deprecations", "✨ Features", "🐛 Bug Fixes", "🧰 Maintenance"].map(
-        (h) => HEADING_PREFIX + h,
-    );
-
-    heading = null;
-    const output = [];
-    for (const line of [...release.body.split("\n"), null]) {
-        if (line === null || line.startsWith(HEADING_PREFIX)) {
-            // If we have a heading, and it's not the first in the list of pending headings, output the section.
-            // If we're processing the last line (null) then output all remaining sections.
-            while (headings.length > 0 && (line === null || (heading && headings[0] !== heading))) {
-                const heading = headings.shift();
-                if (sections.has(heading)) {
-                    output.push(heading);
-                    output.push(...sections.get(heading));
-                }
-            }
-
-            if (heading && sections.has(heading)) {
-                const lastIsBlank = !output.at(-1)?.trim();
-                if (lastIsBlank) output.pop();
-                output.push(...sections.get(heading));
-                if (lastIsBlank) output.push("");
-            }
-            heading = line;
-        }
-        output.push(line);
-    }
-
-    return output.join("\n");
-};
-
-// This is just for testing locally
-// Needs environment variables GITHUB_TOKEN & GITHUB_REPOSITORY
-if (require.main === module) {
-    const { Octokit } = require("@octokit/rest");
-    const github = new Octokit({ auth: process.env.GITHUB_TOKEN });
-    if (process.argv.length < 4) {
-        // eslint-disable-next-line no-console
-        console.error("Usage: node merge-release-notes.js owner/repo:release_id npm-package-name ...");
-        process.exit(1);
-    }
-    const [releaseId, ...dependencies] = process.argv.slice(2);
-    main({ github, releaseId, dependencies }).then((output) => {
-        // eslint-disable-next-line no-console
-        console.log(output);
-    });
-}
-
-module.exports = main;
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# When merging to develop, we need revert the `main` and `typings` fields if we adjusted them previously.
-for i in main typings browser
-do
-    # If a `lib` prefixed value is present, it means we adjusted the field earlier at publish time, so we should revert it now.
-    if [ "$(jq -r ".matrix_lib_$i" package.json)" != "null" ]; then
-        # If there's a `src` prefixed value, use that, otherwise delete.
-        # This is used to delete the `typings` field and reset `main` back to the TypeScript source.
-        src_value=$(jq -r ".matrix_src_$i" package.json)
-        if [ "$src_value" != "null" ]; then
-            jq ".$i = .matrix_src_$i" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-        else
-            jq "del(.$i)" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-        fi
-    fi
-done
-
-if [ -n "$(git ls-files --modified package.json)" ]; then
-    echo "Committing develop package.json"
-    git commit package.json -m "Resetting package fields for development"
-fi
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-# For the published and dist versions of the package,
-# we copy the `matrix_lib_main` and `matrix_lib_typings` fields to `main` and `typings` (if they exist).
-# This small bit of gymnastics allows us to use the TypeScript source directly for development without
-# needing to build before linting or testing.
-
-for i in main typings browser
-do
-    lib_value=$(jq -r ".matrix_lib_$i" package.json)
-    if [ "$lib_value" != "null" ]; then
-        jq ".$i = .matrix_lib_$i" package.json > package.json.new && mv package.json.new package.json && yarn prettier --write package.json
-    fi
-done
@@ -1,17 +0,0 @@
-#!/usr/bin/env node
-
-const fsProm = require("fs/promises");
-
-const PKGJSON = "package.json";
-
-async function main() {
-    const pkgJson = JSON.parse(await fsProm.readFile(PKGJSON, "utf8"));
-    for (const field of ["main", "typings"]) {
-        if (pkgJson["matrix_lib_" + field] !== undefined) {
-            pkgJson[field] = pkgJson["matrix_lib_" + field];
-        }
-    }
-    await fsProm.writeFile(PKGJSON, JSON.stringify(pkgJson, null, 2));
-}
-
-main();
@@ -11,6 +11,6 @@ sonar.exclusions=docs,examples,git-hooks
 sonar.typescript.tsconfigPath=./tsconfig.json
 sonar.javascript.lcov.reportPaths=coverage/lcov.info
 sonar.coverage.exclusions=spec/**/*
-sonar.testExecutionReportPaths=coverage/jest-sonar-report.xml
+sonar.testExecutionReportPaths=coverage/sonar-report.xml

 sonar.lang.patterns.ts=**/*.ts,**/*.tsx
@@ -17,29 +17,29 @@ limitations under the License.
 */

 // `expect` is allowed in helper functions which are called within `test`/`it` blocks
-/* eslint-disable jest/no-standalone-expect */
-
-// load olm before the sdk if possible
-import "./olm-loader";
+/* eslint-disable @vitest/no-standalone-expect */

 import MockHttpBackend from "matrix-mock-request";

 import type { IDeviceKeys, IOneTimeKey } from "../src/@types/crypto";
 import type { IE2EKeyReceiver } from "./test-utils/E2EKeyReceiver";
-import { LocalStorageCryptoStore } from "../src/crypto/store/localStorage-crypto-store";
 import { logger } from "../src/logger";
 import { syncPromise } from "./test-utils/test-utils";
-import { createClient, IStartClientOpts } from "../src/matrix";
-import { ICreateClientOpts, IDownloadKeyResult, MatrixClient, PendingEventOrdering } from "../src/client";
-import { MockStorageApi } from "./MockStorageApi";
-import { IKeysUploadResponse, IUploadKeysRequest } from "../src/client";
-import { ISyncResponder } from "./test-utils/SyncResponder";
+import { createClient, type IStartClientOpts } from "../src/matrix";
+import {
+    type ICreateClientOpts,
+    type IDownloadKeyResult,
+    type MatrixClient,
+    PendingEventOrdering,
+} from "../src/client";
+import { type IKeysUploadResponse, type IUploadKeysRequest } from "../src/client";
+import { type ISyncResponder } from "./test-utils/SyncResponder";

 /**
 * Wrapper for a MockStorageApi, MockHttpBackend and MatrixClient
 *
 * @deprecated Avoid using this; it is tied too tightly to matrix-mock-request and is generally inconvenient to use.
- *    Instead, construct a MatrixClient manually, use fetch-mock-jest to intercept the HTTP requests, and
+ *    Instead, construct a MatrixClient manually, use fetch-mock to intercept the HTTP requests, and
 *    use things like {@link E2EKeyReceiver} and {@link SyncResponder} to manage the requests.
 */
 export class TestClient implements IE2EKeyReceiver, ISyncResponder {
@@ -55,10 +55,6 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
        sessionStoreBackend?: Storage,
        options?: Partial<ICreateClientOpts>,
    ) {
-        if (sessionStoreBackend === undefined) {
-            sessionStoreBackend = new MockStorageApi() as unknown as Storage;
-        }
-
        this.httpBackend = new MockHttpBackend();

        const fullOptions: ICreateClientOpts = {
@@ -66,13 +62,9 @@ export class TestClient implements IE2EKeyReceiver, ISyncResponder {
            userId: userId,
            accessToken: accessToken,
            deviceId: deviceId,
-            fetchFn: this.httpBackend.fetchFn as typeof global.fetch,
+            fetchFn: this.httpBackend.fetchFn as typeof globalThis.fetch,
            ...options,
        };
-        if (!fullOptions.cryptoStore) {
-            // expose this so the tests can get to it
-            fullOptions.cryptoStore = new LocalStorageCryptoStore(sessionStoreBackend);
-        }
        this.client = createClient(fullOptions);

        this.deviceKeys = null;
@@ -14,26 +14,31 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import fetchMock from "fetch-mock-jest";
+import fetchMock from "@fetch-mock/vitest";
 import "fake-indexeddb/auto";
 import { IDBFactory } from "fake-indexeddb";
+import debug from "debug";

-import { CRYPTO_BACKENDS, InitCrypto, syncPromise } from "../../test-utils/test-utils";
-import { AuthDict, createClient, CryptoEvent, MatrixClient } from "../../../src";
+import { syncPromise } from "../../test-utils/test-utils";
+import { type AuthDict, createClient, DebugLogger, type MatrixClient } from "../../../src";
 import { mockInitialApiRequests, mockSetupCrossSigningRequests } from "../../test-utils/mockEndpoints";
-import { encryptAES } from "../../../src/crypto/aes";
-import { CryptoCallbacks, CrossSigningKey } from "../../../src/crypto-api";
+import encryptAESSecretStorageItem from "../../../src/utils/encryptAESSecretStorageItem.ts";
+import { type CryptoCallbacks, CrossSigningKey } from "../../../src/crypto-api";
 import { SECRET_STORAGE_ALGORITHM_V1_AES } from "../../../src/secret-storage";
-import { ISyncResponder, SyncResponder } from "../../test-utils/SyncResponder";
+import { type ISyncResponder, SyncResponder } from "../../test-utils/SyncResponder";
 import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
 import {
    MASTER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
    SELF_CROSS_SIGNING_PRIVATE_KEY_BASE64,
    SELF_CROSS_SIGNING_PUBLIC_KEY_BASE64,
    SIGNED_CROSS_SIGNING_KEYS_DATA,
+    SIGNED_TEST_DEVICE_DATA,
    USER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
 } from "../../test-utils/test-data";
+import * as testData from "../../test-utils/test-data";
 import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { AccountDataAccumulator } from "../../test-utils/AccountDataAccumulator";
+import { CryptoEvent } from "../../../src/crypto-api";

 afterEach(() => {
    // reset fake-indexeddb after each test, to make sure we don't leak connections
@@ -51,11 +56,7 @@ const TEST_DEVICE_ID = "xzcvb";
 * These tests work by intercepting HTTP requests via fetch-mock rather than mocking out bits of the client, so as
 * to provide the most effective integration tests possible.
 */
-describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: string, initCrypto: InitCrypto) => {
-    // newBackendOnly is the opposite to `oldBackendOnly`: it will skip the test if we are running against the legacy
-    // backend. Once we drop support for legacy crypto, it will go away.
-    const newBackendOnly = backend === "rust-sdk" ? test : test.skip;
-
+describe("cross-signing", () => {
    let aliceClient: MatrixClient;

    /** an object which intercepts `/sync` requests from {@link #aliceClient} */
@@ -73,36 +74,45 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
    function createCryptoCallbacks(): CryptoCallbacks {
        return {
            getSecretStorageKey: (keys, name) => {
-                return Promise.resolve<[string, Uint8Array]>(["key_id", encryptionKey]);
+                return Promise.resolve<[string, Uint8Array<ArrayBuffer>]>(["key_id", encryptionKey]);
            },
        };
    }

-    beforeEach(async () => {
-        // anything that we don't have a specific matcher for silently returns a 404
-        fetchMock.catch(404);
-        fetchMock.config.warnOnFallback = false;
+    beforeEach(
+        async () => {
+            // anything that we don't have a specific matcher for silently returns a 404
+            fetchMock.catch(404);

-        const homeserverUrl = "https://alice-server.com";
-        aliceClient = createClient({
-            baseUrl: homeserverUrl,
-            userId: TEST_USER_ID,
-            accessToken: "akjgkrgjs",
-            deviceId: TEST_DEVICE_ID,
-            cryptoCallbacks: createCryptoCallbacks(),
-        });
+            const homeserverUrl = "https://alice-server.com";
+            aliceClient = createClient({
+                baseUrl: homeserverUrl,
+                userId: TEST_USER_ID,
+                accessToken: "akjgkrgjs",
+                deviceId: TEST_DEVICE_ID,
+                cryptoCallbacks: createCryptoCallbacks(),
+                logger: new DebugLogger(debug(`matrix-js-sdk:cross-signing`)),
+            });

-        syncResponder = new SyncResponder(homeserverUrl);
-        e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
-        /** an object which intercepts `/keys/upload` requests on the test homeserver */
-        new E2EKeyReceiver(homeserverUrl);
+            syncResponder = new SyncResponder(homeserverUrl);
+            e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+            /** an object which intercepts `/keys/upload` requests on the test homeserver */
+            new E2EKeyReceiver(homeserverUrl);

-        await initCrypto(aliceClient);
-    });
+            // Silence warnings from the backup manager
+            fetchMock.getOnce(new URL("/_matrix/client/v3/room_keys/version", homeserverUrl).toString(), {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND" },
+            });
+
+            await aliceClient.initRustCrypto();
+        },
+        /* it can take a while to initialise the crypto library on the first pass, so bump up the timeout. */
+        10000,
+    );

    afterEach(async () => {
-        await aliceClient.stopClient();
-        fetchMock.mockReset();
+        aliceClient.stopClient();
    });

    /**
@@ -125,48 +135,46 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
            const authDict = { type: "test" };
            await bootstrapCrossSigning(authDict);

-            // check the cross-signing keys upload
-            expect(fetchMock.called("upload-keys")).toBeTruthy();
-            const [, keysOpts] = fetchMock.lastCall("upload-keys")!;
+            // check that the cross-signing keys have been uploaded
+            expect(fetchMock.callHistory.called("upload-cross-signing-keys")).toBeTruthy();
+            const keysOpts = fetchMock.callHistory.lastCall("upload-cross-signing-keys")!.options;
            const keysBody = JSON.parse(keysOpts!.body as string);
            expect(keysBody.auth).toEqual(authDict); // check uia dict was passed
            // there should be a key of each type
            // master key is signed by the device
-            expect(keysBody).toHaveProperty(`master_key.signatures.[${TEST_USER_ID}].[ed25519:${TEST_DEVICE_ID}]`);
+            expect(keysBody).toHaveProperty(["master_key", "signatures", TEST_USER_ID, `ed25519:${TEST_DEVICE_ID}`]);
            const masterKeyId = Object.keys(keysBody.master_key.keys)[0];
            // ssk and usk are signed by the master key
-            expect(keysBody).toHaveProperty(`self_signing_key.signatures.[${TEST_USER_ID}].[${masterKeyId}]`);
-            expect(keysBody).toHaveProperty(`user_signing_key.signatures.[${TEST_USER_ID}].[${masterKeyId}]`);
+            expect(keysBody).toHaveProperty(["self_signing_key", "signatures", TEST_USER_ID, masterKeyId]);
+            expect(keysBody).toHaveProperty(["user_signing_key", "signatures", TEST_USER_ID, masterKeyId]);
            const sskId = Object.keys(keysBody.self_signing_key.keys)[0];

            // check the publish call
-            expect(fetchMock.called("upload-sigs")).toBeTruthy();
-            const [, sigsOpts] = fetchMock.lastCall("upload-sigs")!;
+            expect(fetchMock.callHistory.called("upload-sigs")).toBeTruthy();
+            const sigsOpts = fetchMock.callHistory.lastCall("upload-sigs")!.options;
            const body = JSON.parse(sigsOpts!.body as string);
            // there should be a signature for our device, by our self-signing key.
-            expect(body).toHaveProperty(
-                `[${TEST_USER_ID}].[${TEST_DEVICE_ID}].signatures.[${TEST_USER_ID}].[${sskId}]`,
-            );
+            expect(body).toHaveProperty([TEST_USER_ID, TEST_DEVICE_ID, "signatures", TEST_USER_ID, sskId]);
        });

-        newBackendOnly("get cross signing keys from secret storage and import them", async () => {
+        it("get cross signing keys from secret storage and import them", async () => {
            // Return public cross signing keys
            e2eKeyResponder.addCrossSigningData(SIGNED_CROSS_SIGNING_KEYS_DATA);

            mockInitialApiRequests(aliceClient.getHomeserverUrl());

            // Encrypt the private keys and return them in the /sync response as if they are in Secret Storage
-            const masterKey = await encryptAES(
+            const masterKey = await encryptAESSecretStorageItem(
                MASTER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
                encryptionKey,
                "m.cross_signing.master",
            );
-            const selfSigningKey = await encryptAES(
+            const selfSigningKey = await encryptAESSecretStorageItem(
                SELF_CROSS_SIGNING_PRIVATE_KEY_BASE64,
                encryptionKey,
                "m.cross_signing.self_signing",
            );
-            const userSigningKey = await encryptAES(
+            const userSigningKey = await encryptAESSecretStorageItem(
                USER_CROSS_SIGNING_PRIVATE_KEY_BASE64,
                encryptionKey,
                "m.cross_signing.user_signing",
@@ -213,9 +221,6 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
            await aliceClient.startClient();
            await syncPromise(aliceClient);

-            // we expect a request to upload signatures for our device ...
-            fetchMock.post({ url: "path:/_matrix/client/v3/keys/signatures/upload", name: "upload-sigs" }, {});
-
            // we expect the UserTrustStatusChanged event to be fired after the cross signing keys import
            const userTrustStatusChangedPromise = new Promise<string>((resolve) =>
                aliceClient.on(CryptoEvent.UserTrustStatusChanged, resolve),
@@ -228,13 +233,62 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
            expect(await userTrustStatusChangedPromise).toBe(aliceClient.getUserId());

            // Expect the signature to be uploaded
-            expect(fetchMock.called("upload-sigs")).toBeTruthy();
-            const [, sigsOpts] = fetchMock.lastCall("upload-sigs")!;
+            expect(fetchMock.callHistory.called("upload-sigs")).toBeTruthy();
+            const sigsOpts = fetchMock.callHistory.lastCall("upload-sigs")!.options;
            const body = JSON.parse(sigsOpts!.body as string);
            // the device should have a signature with the public self cross signing keys.
-            expect(body).toHaveProperty(
-                `[${TEST_USER_ID}].[${TEST_DEVICE_ID}].signatures.[${TEST_USER_ID}].[ed25519:${SELF_CROSS_SIGNING_PUBLIC_KEY_BASE64}]`,
-            );
+            expect(body).toHaveProperty([
+                TEST_USER_ID,
+                TEST_DEVICE_ID,
+                "signatures",
+                TEST_USER_ID,
+                `ed25519:${SELF_CROSS_SIGNING_PUBLIC_KEY_BASE64}`,
+            ]);
+        });
+
+        it("can bootstrapCrossSigning twice", async () => {
+            mockSetupCrossSigningRequests();
+
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // a second call should do nothing except GET requests
+            fetchMock.mockClear();
+            await bootstrapCrossSigning(authDict);
+            expect(fetchMock).toHaveFetchedTimes(0, "unmatched");
+        });
+
+        it("will upload existing cross-signing keys to an established secret storage", async () => {
+            // This rather obscure codepath covers the case that:
+            //   - 4S is set up and working
+            //   - our device has private cross-signing keys, but has not published them to 4S
+            //
+            // To arrange that, we call `bootstrapCrossSigning` on our main device, and then (pretend to) set up 4S from
+            // a *different* device. Then, when we call `bootstrapCrossSigning` again, it should do the honours.
+
+            const accountDataAccumulator = new AccountDataAccumulator(syncResponder);
+            accountDataAccumulator.interceptGetAccountData();
+
+            const authDict = { type: "test" };
+            await bootstrapCrossSigning(authDict);
+
+            // Pretend that another device has uploaded a 4S key
+            accountDataAccumulator.accountDataEvents.set("m.secret_storage.default_key", { key: "key_id" });
+            accountDataAccumulator.accountDataEvents.set("m.secret_storage.key.key_id", {
+                key: "keykeykey",
+                algorithm: SECRET_STORAGE_ALGORITHM_V1_AES,
+            });
+
+            // Prepare for the cross-signing keys
+            const p = accountDataAccumulator.waitForAccountData("m.cross_signing.master");
+
+            await bootstrapCrossSigning(authDict);
+            await p;
+
+            // The cross-signing keys should have been uploaded
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.master")).toBeTruthy();
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.self_signing")).toBeTruthy();
+            expect(accountDataAccumulator.accountDataEvents.has("m.cross_signing.user_signing")).toBeTruthy();
        });
    });

@@ -287,6 +341,67 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s

            expect(isCrossSigningReady).toBeTruthy();
        });
+
+        it("should return false if identity is not trusted, even if the secrets are in 4S", async () => {
+            e2eKeyResponder.addCrossSigningData(SIGNED_CROSS_SIGNING_KEYS_DATA);
+
+            // Complete initial sync, to get the 4S account_data events stored
+            mockInitialApiRequests(aliceClient.getHomeserverUrl());
+
+            // For this test we need to have a well-formed 4S setup.
+            const mockSecretInfo = {
+                encrypted: {
+                    // Don't care about the actual values here, just need to be present for validation
+                    KeyId: {
+                        iv: "IVIVIVIVIVIVIV",
+                        ciphertext: "CIPHERTEXTB64",
+                        mac: "MACMACMAC",
+                    },
+                },
+            };
+            syncResponder.sendOrQueueSyncResponse({
+                next_batch: 1,
+                account_data: {
+                    events: [
+                        {
+                            type: "m.secret_storage.key.KeyId",
+                            content: {
+                                algorithm: "m.secret_storage.v1.aes-hmac-sha2",
+                                // iv and mac not relevant for this test
+                            },
+                        },
+                        {
+                            type: "m.secret_storage.default_key",
+                            content: {
+                                key: "KeyId",
+                            },
+                        },
+                        {
+                            type: "m.cross_signing.master",
+                            content: mockSecretInfo,
+                        },
+                        {
+                            type: "m.cross_signing.user_signing",
+                            content: mockSecretInfo,
+                        },
+                        {
+                            type: "m.cross_signing.self_signing",
+                            content: mockSecretInfo,
+                        },
+                    ],
+                },
+            });
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            // Sanity: ensure that the secrets are in 4S
+            const status = await aliceClient.getCrypto()!.getCrossSigningStatus();
+            expect(status.privateKeysInSecretStorage).toBeTruthy();
+
+            const isCrossSigningReady = await aliceClient.getCrypto()!.isCrossSigningReady();
+
+            expect(isCrossSigningReady).toBeFalsy();
+        }, 10000);
    });

    describe("getCrossSigningKeyId", () => {
@@ -298,20 +413,13 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
         */
        function awaitCrossSigningKeysUpload() {
            return new Promise<any>((resolve) => {
-                fetchMock.post(
-                    // legacy crypto uses /unstable/; /v3/ is correct
-                    {
-                        url: new RegExp("/_matrix/client/(unstable|v3)/keys/device_signing/upload"),
-                        name: "upload-keys",
-                    },
-                    (url, options) => {
-                        const content = JSON.parse(options.body as string);
+                fetchMock.modifyRoute("upload-cross-signing-keys", {
+                    response: (callLog) => {
+                        const content = JSON.parse(callLog.options.body as string);
                        resolve(content);
                        return {};
                    },
-                    // Override the routes define in `mockSetupCrossSigningRequests`
-                    { overwriteRoutes: true },
-                );
+                });
            });
        }

@@ -339,4 +447,39 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("cross-signing (%s)", (backend: s
            expect(userSigningKeyId).toBe(getPubKey(crossSigningKeys.user_signing_key));
        });
    });
+
+    describe("crossSignDevice", () => {
+        beforeEach(async () => {
+            // make sure that there is another device which we can sign
+            e2eKeyResponder.addDeviceKeys(SIGNED_TEST_DEVICE_DATA);
+
+            // Complete initialsync, to get the outgoing requests going
+            mockInitialApiRequests(aliceClient.getHomeserverUrl());
+            syncResponder.sendOrQueueSyncResponse({ next_batch: 1 });
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            const devices = await aliceClient.getCrypto()!.getUserDeviceInfo([aliceClient.getSafeUserId()]);
+            expect(devices.get(aliceClient.getSafeUserId())!.has(testData.TEST_DEVICE_ID)).toBeTruthy();
+        });
+
+        it("fails for an unknown device", async () => {
+            await expect(aliceClient.getCrypto()!.crossSignDevice("unknown")).rejects.toThrow("Unknown device");
+        });
+
+        it("cross-signs the device", async () => {
+            mockSetupCrossSigningRequests();
+            await aliceClient.getCrypto()!.bootstrapCrossSigning({});
+
+            fetchMock.mockClear();
+            await aliceClient.getCrypto()!.crossSignDevice(testData.TEST_DEVICE_ID);
+
+            // check that a sig for the device was uploaded
+            const calls = fetchMock.callHistory.calls("upload-sigs");
+            expect(calls.length).toEqual(1);
+            const body = JSON.parse(calls[0].options!.body as string);
+            const deviceSig = body[aliceClient.getSafeUserId()][testData.TEST_DEVICE_ID];
+            expect(deviceSig).toHaveProperty("signatures");
+        });
+    });
 });
@@ -0,0 +1,239 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import "fake-indexeddb/auto";
+import fetchMock from "@fetch-mock/vitest";
+import { type CallLog } from "fetch-mock";
+import debug from "debug";
+
+import { ClientEvent, createClient, DebugLogger, type MatrixClient, MatrixEvent } from "../../../src";
+import { CryptoEvent } from "../../../src/crypto-api/index";
+import { type RustCrypto } from "../../../src/rust-crypto/rust-crypto";
+import { type AddSecretStorageKeyOpts } from "../../../src/secret-storage";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { emitPromise, EventCounter } from "../../test-utils/test-utils";
+
+describe("Device dehydration", () => {
+    it("should rehydrate and dehydrate a device", async () => {
+        vi.useFakeTimers();
+
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+            cryptoCallbacks: {
+                getSecretStorageKey: async (keys: any, name: string) => {
+                    return [[...Object.keys(keys.keys)][0], new Uint8Array(32)];
+                },
+            },
+            logger: new DebugLogger(debug(`matrix-js-sdk:dehydration`)),
+        });
+
+        await initializeSecretStorage(matrixClient, "@alice:localhost", "http://test.server");
+
+        const creationEventCounter = new EventCounter(matrixClient, CryptoEvent.DehydratedDeviceCreated);
+        const dehydrationKeyCachedEventCounter = new EventCounter(matrixClient, CryptoEvent.DehydrationKeyCached);
+        const rehydrationStartedCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationStarted);
+        const rehydrationCompletedCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationCompleted);
+        const rehydrationProgressCounter = new EventCounter(matrixClient, CryptoEvent.RehydrationProgress);
+
+        // count the number of times the dehydration key gets set
+        let setDehydrationCount = 0;
+        matrixClient.on(ClientEvent.AccountData, (event: MatrixEvent) => {
+            if (event.getType() === "org.matrix.msc3814") {
+                setDehydrationCount++;
+            }
+        });
+
+        const crypto = matrixClient.getCrypto()!;
+
+        // start dehydration -- we start with no dehydrated device, and we
+        // store the dehydrated device that we create
+        fetchMock.get(
+            "path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device",
+            {
+                status: 404,
+                body: {
+                    errcode: "M_NOT_FOUND",
+                    error: "Not found",
+                },
+            },
+            { name: "get-dehydrated-device" },
+        );
+        let dehydratedDeviceBody: any;
+        let dehydrationCount = 0;
+        let resolveDehydrationPromise: () => void;
+        fetchMock.put(
+            "path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device",
+            (callLog) => {
+                dehydratedDeviceBody = JSON.parse(callLog.options.body as string);
+                dehydrationCount++;
+                if (resolveDehydrationPromise) {
+                    resolveDehydrationPromise();
+                }
+                return {};
+            },
+            { name: "put-dehydrated-device" },
+        );
+        await crypto.startDehydration();
+
+        expect(dehydrationCount).toEqual(1);
+        expect(creationEventCounter.counter).toEqual(1);
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(1);
+
+        // a week later, we should have created another dehydrated device
+        const dehydrationPromise = new Promise<void>((resolve, reject) => {
+            resolveDehydrationPromise = resolve;
+        });
+        vi.advanceTimersByTime(7 * 24 * 60 * 60 * 1000);
+        await dehydrationPromise;
+
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(1);
+        expect(dehydrationCount).toEqual(2);
+        expect(creationEventCounter.counter).toEqual(2);
+
+        // restart dehydration -- rehydrate the device that we created above,
+        // and create a new dehydrated device.  We also set `createNewKey`, so
+        // a new dehydration key will be set
+        fetchMock.modifyRoute("get-dehydrated-device", {
+            response: {
+                device_id: dehydratedDeviceBody.device_id,
+                device_data: dehydratedDeviceBody.device_data,
+            },
+        });
+        const eventsResponse = vi.fn((callLog: CallLog) => {
+            // rehydrating should make two calls to the /events endpoint.
+            // The first time will return a single event, and the second
+            // time will return no events (which will signal to the
+            // rehydration function that it can stop)
+            const body = JSON.parse(callLog.options.body as string);
+            const nextBatch = body.next_batch ?? "0";
+            const events = nextBatch === "0" ? [{ sender: "@alice:localhost", type: "m.dummy", content: {} }] : [];
+            return {
+                events,
+                next_batch: nextBatch + "1",
+            };
+        });
+        fetchMock.post(
+            `path:/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/${encodeURIComponent(dehydratedDeviceBody.device_id)}/events`,
+            eventsResponse,
+        );
+        await crypto.startDehydration(true);
+        expect(dehydrationCount).toEqual(3);
+
+        expect(setDehydrationCount).toEqual(2);
+        expect(eventsResponse.mock.calls).toHaveLength(2);
+
+        expect(rehydrationStartedCounter.counter).toEqual(1);
+        expect(rehydrationCompletedCounter.counter).toEqual(1);
+        expect(creationEventCounter.counter).toEqual(3);
+        expect(rehydrationProgressCounter.counter).toEqual(1);
+        expect(dehydrationKeyCachedEventCounter.counter).toEqual(2);
+
+        // test that if we get an error when we try to rotate, it emits an event
+        fetchMock.modifyRoute("put-dehydrated-device", {
+            response: {
+                status: 500,
+                body: {
+                    errcode: "M_UNKNOWN",
+                    error: "Unknown error",
+                },
+            },
+        });
+        const rotationErrorEventPromise = emitPromise(matrixClient, CryptoEvent.DehydratedDeviceRotationError);
+        vi.advanceTimersByTime(7 * 24 * 60 * 60 * 1000);
+        await rotationErrorEventPromise;
+
+        // Restart dehydration, but return an error for GET /dehydrated_device so that rehydration fails.
+        fetchMock.modifyRoute("get-dehydrated-device", {
+            response: {
+                status: 500,
+                body: {
+                    errcode: "M_UNKNOWN",
+                    error: "Unknown error",
+                },
+            },
+        });
+        fetchMock.modifyRoute("put-dehydrated-device", { response: { body: {} } });
+        const rehydrationErrorEventPromise = emitPromise(matrixClient, CryptoEvent.RehydrationError);
+        await crypto.startDehydration(true);
+        await rehydrationErrorEventPromise;
+
+        matrixClient.stopClient();
+    });
+});
+
+/** create a new secret storage and cross-signing keys */
+async function initializeSecretStorage(
+    matrixClient: MatrixClient,
+    userId: string,
+    homeserverUrl: string,
+): Promise<void> {
+    fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+        status: 404,
+        body: {
+            errcode: "M_NOT_FOUND",
+            error: "Not found",
+        },
+    });
+    const e2eKeyReceiver = new E2EKeyReceiver(homeserverUrl);
+    const e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+    e2eKeyResponder.addKeyReceiver(userId, e2eKeyReceiver);
+    const accountData: Map<string, object> = new Map();
+    fetchMock.get("glob:http://*/_matrix/client/v3/user/*/account_data/*", (callLog) => {
+        const name = callLog.url.split("/").pop()!;
+        const value = accountData.get(name);
+        if (value) {
+            return value;
+        } else {
+            return {
+                status: 404,
+                body: {
+                    errcode: "M_NOT_FOUND",
+                    error: "Not found",
+                },
+            };
+        }
+    });
+    fetchMock.put("glob:http://*/_matrix/client/v3/user/*/account_data/*", (callLog) => {
+        const name = callLog.url.split("/").pop()!;
+        const value = JSON.parse(callLog.options.body as string);
+        accountData.set(name, value);
+        matrixClient.emit(ClientEvent.AccountData, new MatrixEvent({ type: name, content: value }));
+        return {};
+    });
+
+    await matrixClient.initRustCrypto();
+    const crypto = matrixClient.getCrypto()! as RustCrypto;
+    // we need to process a sync so that the OlmMachine will upload keys
+    await crypto.preprocessToDeviceMessages([]);
+    await crypto.onSyncCompleted({});
+
+    // create initial secret storage
+    async function createSecretStorageKey() {
+        return {
+            keyInfo: {} as AddSecretStorageKeyOpts,
+            privateKey: new Uint8Array(32),
+        };
+    }
+    await matrixClient.getCrypto()!.bootstrapCrossSigning({ setupNewCrossSigning: true });
+    await matrixClient.getCrypto()!.bootstrapSecretStorage({
+        createSecretStorageKey,
+        setupNewSecretStorage: true,
+        setupNewKeyBackup: false,
+    });
+}
@@ -1,692 +0,0 @@
-/*
-Copyright 2016 OpenMarket Ltd
-Copyright 2017 Vector Creations Ltd
-Copyright 2018 New Vector Ltd
-Copyright 2019 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-/* This file consists of a set of integration tests which try to simulate
- * communication via an Olm-encrypted room between two users, Alice and Bob.
- *
- * Note that megolm (group) conversation is not tested here.
- *
- * See also `crypto.spec.js`.
- */
-
-// load olm before the sdk if possible
-import "../../olm-loader";
-
-import type { Session } from "@matrix-org/olm";
-import type { IDeviceKeys, IOneTimeKey } from "../../../src/@types/crypto";
-import { logger } from "../../../src/logger";
-import * as testUtils from "../../test-utils/test-utils";
-import { TestClient } from "../../TestClient";
-import { CRYPTO_ENABLED, IClaimKeysRequest, IQueryKeysRequest, IUploadKeysRequest } from "../../../src/client";
-import { ClientEvent, IContent, ISendEventResponse, MatrixClient, MatrixEvent } from "../../../src/matrix";
-import { DeviceInfo } from "../../../src/crypto/deviceinfo";
-
-let aliTestClient: TestClient;
-const roomId = "!room:localhost";
-const aliUserId = "@ali:localhost";
-const aliDeviceId = "zxcvb";
-const aliAccessToken = "aseukfgwef";
-let bobTestClient: TestClient;
-const bobUserId = "@bob:localhost";
-const bobDeviceId = "bvcxz";
-const bobAccessToken = "fewgfkuesa";
-let aliMessages: IContent[];
-let bobMessages: IContent[];
-
-type OlmPayload = ReturnType<Session["encrypt"]>;
-
-async function bobUploadsDeviceKeys(): Promise<void> {
-    bobTestClient.expectDeviceKeyUpload();
-    await bobTestClient.httpBackend.flushAllExpected();
-    expect(Object.keys(bobTestClient.deviceKeys!).length).not.toEqual(0);
-}
-
-/**
- * Set an expectation that querier will query uploader's keys; then flush the http request.
- *
- * @returns resolves once the http request has completed.
- */
-function expectQueryKeys(querier: TestClient, uploader: TestClient): Promise<number> {
-    // can't query keys before bob has uploaded them
-    expect(uploader.deviceKeys).toBeTruthy();
-
-    const uploaderKeys: Record<string, IDeviceKeys> = {};
-    uploaderKeys[uploader.deviceId!] = uploader.deviceKeys!;
-    querier.httpBackend.when("POST", "/keys/query").respond(200, function (_path, content: IQueryKeysRequest) {
-        expect(content.device_keys![uploader.userId!]).toEqual([]);
-        const result: Record<string, Record<string, IDeviceKeys>> = {};
-        result[uploader.userId!] = uploaderKeys;
-        return { device_keys: result };
-    });
-    return querier.httpBackend.flush("/keys/query", 1);
-}
-const expectAliQueryKeys = () => expectQueryKeys(aliTestClient, bobTestClient);
-const expectBobQueryKeys = () => expectQueryKeys(bobTestClient, aliTestClient);
-
-/**
- * Set an expectation that ali will claim one of bob's keys; then flush the http request.
- *
- * @returns resolves once the http request has completed.
- */
-async function expectAliClaimKeys(): Promise<void> {
-    const keys = await bobTestClient.awaitOneTimeKeyUpload();
-    aliTestClient.httpBackend.when("POST", "/keys/claim").respond(200, function (_path, content: IClaimKeysRequest) {
-        const claimType = content.one_time_keys![bobUserId][bobDeviceId];
-        expect(claimType).toEqual("signed_curve25519");
-        let keyId = "";
-        for (keyId in keys) {
-            if (bobTestClient.oneTimeKeys!.hasOwnProperty(keyId)) {
-                if (keyId.indexOf(claimType + ":") === 0) {
-                    break;
-                }
-            }
-        }
-        const result: Record<string, Record<string, Record<string, IOneTimeKey>>> = {};
-        result[bobUserId] = {};
-        result[bobUserId][bobDeviceId] = {};
-        result[bobUserId][bobDeviceId][keyId] = keys[keyId];
-        return { one_time_keys: result };
-    });
-    // it can take a while to process the key query, so give it some extra
-    // time, and make sure the claim actually happens rather than ploughing on
-    // confusingly.
-    const r = await aliTestClient.httpBackend.flush("/keys/claim", 1, 500);
-    expect(r).toEqual(1);
-}
-
-async function aliDownloadsKeys(): Promise<void> {
-    // can't query keys before bob has uploaded them
-    expect(bobTestClient.getSigningKey()).toBeTruthy();
-
-    const p1 = async () => {
-        await aliTestClient.client.downloadKeys([bobUserId]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        expect(devices.length).toEqual(1);
-        expect(devices[0].deviceId).toEqual("bvcxz");
-    };
-    const p2 = expectAliQueryKeys;
-
-    // check that the localStorage is updated as we expect (not sure this is
-    // an integration test, but meh)
-    await Promise.all([p1(), p2()]);
-    await aliTestClient.client.crypto!.deviceList.saveIfDirty();
-    // @ts-ignore - protected
-    aliTestClient.client.cryptoStore.getEndToEndDeviceData(null, (data) => {
-        const devices = data!.devices[bobUserId]!;
-        expect(devices[bobDeviceId].keys).toEqual(bobTestClient.deviceKeys!.keys);
-        expect(devices[bobDeviceId].verified).toBe(DeviceInfo.DeviceVerification.UNVERIFIED);
-    });
-}
-
-async function clientEnablesEncryption(client: MatrixClient): Promise<void> {
-    await client.setRoomEncryption(roomId, {
-        algorithm: "m.olm.v1.curve25519-aes-sha2",
-    });
-    expect(client.isRoomEncrypted(roomId)).toBeTruthy();
-}
-const aliEnablesEncryption = () => clientEnablesEncryption(aliTestClient.client);
-const bobEnablesEncryption = () => clientEnablesEncryption(bobTestClient.client);
-
-/**
- * Ali sends a message, first claiming e2e keys. Set the expectations and
- * check the results.
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function aliSendsFirstMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([
-        sendMessage(aliTestClient.client),
-        expectAliQueryKeys().then(expectAliClaimKeys).then(expectAliSendMessageRequest),
-    ]);
-    return ciphertext;
-}
-
-/**
- * Ali sends a message without first claiming e2e keys. Set the expectations
- * and check the results.
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function aliSendsMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([sendMessage(aliTestClient.client), expectAliSendMessageRequest()]);
-    return ciphertext;
-}
-
-/**
- * Bob sends a message, first querying (but not claiming) e2e keys. Set the
- * expectations and check the results.
- *
- * @returns which resolves to the ciphertext for Ali's device.
- */
-async function bobSendsReplyMessage(): Promise<OlmPayload> {
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const [_, ciphertext] = await Promise.all([
-        sendMessage(bobTestClient.client),
-        expectBobQueryKeys().then(expectBobSendMessageRequest),
-    ]);
-    return ciphertext;
-}
-
-/**
- * Set an expectation that Ali will send a message, and flush the request
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function expectAliSendMessageRequest(): Promise<OlmPayload> {
-    const content = await expectSendMessageRequest(aliTestClient.httpBackend);
-    aliMessages.push(content);
-    expect(Object.keys(content.ciphertext)).toEqual([bobTestClient.getDeviceKey()]);
-    const ciphertext = content.ciphertext[bobTestClient.getDeviceKey()];
-    expect(ciphertext).toBeTruthy();
-    return ciphertext;
-}
-
-/**
- * Set an expectation that Bob will send a message, and flush the request
- *
- * @returns which resolves to the ciphertext for Bob's device.
- */
-async function expectBobSendMessageRequest(): Promise<OlmPayload> {
-    const content = await expectSendMessageRequest(bobTestClient.httpBackend);
-    bobMessages.push(content);
-    const aliKeyId = "curve25519:" + aliDeviceId;
-    const aliDeviceCurve25519Key = aliTestClient.deviceKeys!.keys[aliKeyId];
-    expect(Object.keys(content.ciphertext)).toEqual([aliDeviceCurve25519Key]);
-    const ciphertext = content.ciphertext[aliDeviceCurve25519Key];
-    expect(ciphertext).toBeTruthy();
-    return ciphertext;
-}
-
-function sendMessage(client: MatrixClient): Promise<ISendEventResponse> {
-    return client.sendMessage(roomId, { msgtype: "m.text", body: "Hello, World" });
-}
-
-async function expectSendMessageRequest(httpBackend: TestClient["httpBackend"]): Promise<IContent> {
-    const path = "/send/m.room.encrypted/";
-    const prom = new Promise<IContent>((resolve) => {
-        httpBackend.when("PUT", path).respond(200, function (_path, content) {
-            resolve(content);
-            return {
-                event_id: "asdfgh",
-            };
-        });
-    });
-
-    // it can take a while to process the key query
-    await httpBackend.flush(path, 1);
-    return prom;
-}
-
-function aliRecvMessage(): Promise<void> {
-    const message = bobMessages.shift()!;
-    return recvMessage(aliTestClient.httpBackend, aliTestClient.client, bobUserId, message);
-}
-
-function bobRecvMessage(): Promise<void> {
-    const message = aliMessages.shift()!;
-    return recvMessage(bobTestClient.httpBackend, bobTestClient.client, aliUserId, message);
-}
-
-async function recvMessage(
-    httpBackend: TestClient["httpBackend"],
-    client: MatrixClient,
-    sender: string,
-    message: IContent,
-): Promise<void> {
-    const syncData = {
-        next_batch: "x",
-        rooms: {
-            join: {
-                [roomId]: {
-                    timeline: {
-                        events: [
-                            testUtils.mkEvent({
-                                type: "m.room.encrypted",
-                                room: roomId,
-                                content: message,
-                                sender: sender,
-                            }),
-                        ],
-                    },
-                },
-            },
-        },
-    };
-    httpBackend.when("GET", "/sync").respond(200, syncData);
-
-    const eventPromise = new Promise<MatrixEvent>((resolve) => {
-        const onEvent = function (event: MatrixEvent) {
-            // ignore the m.room.member events
-            if (event.getType() == "m.room.member") {
-                return;
-            }
-            logger.log(client.credentials.userId + " received event", event);
-
-            client.removeListener(ClientEvent.Event, onEvent);
-            resolve(event);
-        };
-        client.on(ClientEvent.Event, onEvent);
-    });
-
-    await httpBackend.flushAllExpected();
-
-    const preDecryptionEvent = await eventPromise;
-    expect(preDecryptionEvent.isEncrypted()).toBeTruthy();
-    // it may still be being decrypted
-    const event = await testUtils.awaitDecryption(preDecryptionEvent);
-    expect(event.getType()).toEqual("m.room.message");
-    expect(event.getContent()).toMatchObject({
-        msgtype: "m.text",
-        body: "Hello, World",
-    });
-    expect(event.isEncrypted()).toBeTruthy();
-}
-
-/**
- * Send an initial sync response to the client (which just includes the member
- * list for our test room).
- *
- * @returns which resolves when the sync has been flushed.
- */
-function firstSync(testClient: TestClient): Promise<void> {
-    // send a sync response including our test room.
-    const syncData = {
-        next_batch: "x",
-        rooms: {
-            join: {
-                [roomId]: {
-                    state: {
-                        events: [
-                            testUtils.mkMembership({
-                                mship: "join",
-                                user: aliUserId,
-                            }),
-                            testUtils.mkMembership({
-                                mship: "join",
-                                user: bobUserId,
-                            }),
-                        ],
-                    },
-                    timeline: {
-                        events: [],
-                    },
-                },
-            },
-        },
-    };
-
-    testClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-    return testClient.flushSync();
-}
-
-describe("MatrixClient crypto", () => {
-    if (!CRYPTO_ENABLED) {
-        return;
-    }
-
-    beforeEach(async () => {
-        aliTestClient = new TestClient(aliUserId, aliDeviceId, aliAccessToken);
-        await aliTestClient.client.initCrypto();
-
-        bobTestClient = new TestClient(bobUserId, bobDeviceId, bobAccessToken);
-        await bobTestClient.client.initCrypto();
-
-        aliMessages = [];
-        bobMessages = [];
-    });
-
-    afterEach(() => {
-        aliTestClient.httpBackend.verifyNoOutstandingExpectation();
-        bobTestClient.httpBackend.verifyNoOutstandingExpectation();
-
-        return Promise.all([aliTestClient.stop(), bobTestClient.stop()]);
-    });
-
-    it("Bob uploads device keys", bobUploadsDeviceKeys);
-
-    it("handles failures to upload device keys", async () => {
-        // since device keys are uploaded asynchronously, there's not really much to do here other than fail the
-        // upload.
-        bobTestClient.httpBackend.when("POST", "/keys/upload").fail(0, new Error("bleh"));
-        await bobTestClient.httpBackend.flushAllExpected();
-    });
-
-    it("Ali downloads Bobs device keys", async () => {
-        await bobUploadsDeviceKeys();
-        await aliDownloadsKeys();
-    });
-
-    it("Ali gets keys with an invalid signature", async () => {
-        await bobUploadsDeviceKeys();
-        // tamper bob's keys
-        const bobDeviceKeys = bobTestClient.deviceKeys!;
-        expect(bobDeviceKeys.keys["curve25519:" + bobDeviceId]).toBeTruthy();
-        bobDeviceKeys.keys["curve25519:" + bobDeviceId] += "abc";
-        await Promise.all([aliTestClient.client.downloadKeys([bobUserId]), expectAliQueryKeys()]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        // should get an empty list
-        expect(devices).toEqual([]);
-    });
-
-    it("Ali gets keys with an incorrect userId", async () => {
-        const eveUserId = "@eve:localhost";
-
-        const bobDeviceKeys = {
-            algorithms: ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
-            device_id: "bvcxz",
-            keys: {
-                "ed25519:bvcxz": "pYuWKMCVuaDLRTM/eWuB8OlXEb61gZhfLVJ+Y54tl0Q",
-                "curve25519:bvcxz": "7Gni0loo/nzF0nFp9847RbhElGewzwUXHPrljjBGPTQ",
-            },
-            user_id: "@eve:localhost",
-            signatures: {
-                "@eve:localhost": {
-                    "ed25519:bvcxz":
-                        "CliUPZ7dyVPBxvhSA1d+X+LYa5b2AYdjcTwG" + "0stXcIxjaJNemQqtdgwKDtBFl3pN2I13SEijRDCf1A8bYiQMDg",
-                },
-            },
-        };
-
-        const bobKeys: Record<string, typeof bobDeviceKeys> = {};
-        bobKeys[bobDeviceId] = bobDeviceKeys;
-        aliTestClient.httpBackend.when("POST", "/keys/query").respond(200, { device_keys: { [bobUserId]: bobKeys } });
-
-        await Promise.all([
-            aliTestClient.client.downloadKeys([bobUserId, eveUserId]),
-            aliTestClient.httpBackend.flush("/keys/query", 1),
-        ]);
-        const [bobDevices, eveDevices] = await Promise.all([
-            aliTestClient.client.getStoredDevicesForUser(bobUserId),
-            aliTestClient.client.getStoredDevicesForUser(eveUserId),
-        ]);
-        // should get an empty list
-        expect(bobDevices).toEqual([]);
-        expect(eveDevices).toEqual([]);
-    });
-
-    it("Ali gets keys with an incorrect deviceId", async () => {
-        const bobDeviceKeys = {
-            algorithms: ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
-            device_id: "bad_device",
-            keys: {
-                "ed25519:bad_device": "e8XlY5V8x2yJcwa5xpSzeC/QVOrU+D5qBgyTK0ko+f0",
-                "curve25519:bad_device": "YxuuLG/4L5xGeP8XPl5h0d7DzyYVcof7J7do+OXz0xc",
-            },
-            user_id: "@bob:localhost",
-            signatures: {
-                "@bob:localhost": {
-                    "ed25519:bad_device":
-                        "fEFTq67RaSoIEVBJ8DtmRovbwUBKJ0A" + "me9m9PDzM9azPUwZ38Xvf6vv1A7W1PSafH4z3Y2ORIyEnZgHaNby3CQ",
-                },
-            },
-        };
-
-        const bobKeys: Record<string, typeof bobDeviceKeys> = {};
-        bobKeys[bobDeviceId] = bobDeviceKeys;
-        aliTestClient.httpBackend.when("POST", "/keys/query").respond(200, { device_keys: { [bobUserId]: bobKeys } });
-
-        await Promise.all([
-            aliTestClient.client.downloadKeys([bobUserId]),
-            aliTestClient.httpBackend.flush("/keys/query", 1),
-        ]);
-        const devices = aliTestClient.client.getStoredDevicesForUser(bobUserId);
-        // should get an empty list
-        expect(devices).toEqual([]);
-    });
-
-    it("Bob starts his client and uploads device keys and one-time keys", async () => {
-        await bobTestClient.start();
-        const keys = await bobTestClient.awaitOneTimeKeyUpload();
-        expect(Object.keys(keys).length).toEqual(5);
-        expect(Object.keys(bobTestClient.deviceKeys!).length).not.toEqual(0);
-    });
-
-    it("Ali sends a message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-    });
-
-    it("Bob receives a message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        await bobRecvMessage();
-    });
-
-    it("Bob receives a message with a bogus sender", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        const message = aliMessages.shift()!;
-        const syncData = {
-            next_batch: "x",
-            rooms: {
-                join: {
-                    [roomId]: {
-                        timeline: {
-                            events: [
-                                testUtils.mkEvent({
-                                    type: "m.room.encrypted",
-                                    room: roomId,
-                                    content: message,
-                                    sender: "@bogus:sender",
-                                }),
-                            ],
-                        },
-                    },
-                },
-            },
-        };
-        bobTestClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-
-        const eventPromise = new Promise<MatrixEvent>((resolve) => {
-            const onEvent = function (event: MatrixEvent) {
-                logger.log(bobUserId + " received event", event);
-                resolve(event);
-            };
-            bobTestClient.client.once(ClientEvent.Event, onEvent);
-        });
-        await bobTestClient.httpBackend.flushAllExpected();
-        const preDecryptionEvent = await eventPromise;
-        expect(preDecryptionEvent.isEncrypted()).toBeTruthy();
-        // it may still be being decrypted
-        const event = await testUtils.awaitDecryption(preDecryptionEvent);
-        expect(event.getType()).toEqual("m.room.message");
-        expect(event.getContent().msgtype).toEqual("m.bad.encrypted");
-    });
-
-    it("Ali blocks Bob's device", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliDownloadsKeys();
-        aliTestClient.client.setDeviceBlocked(bobUserId, bobDeviceId, true);
-        const p1 = sendMessage(aliTestClient.client);
-        const p2 = expectSendMessageRequest(aliTestClient.httpBackend).then(function (sentContent) {
-            // no unblocked devices, so the ciphertext should be empty
-            expect(sentContent.ciphertext).toEqual({});
-        });
-        await Promise.all([p1, p2]);
-    });
-
-    it("Bob receives two pre-key messages", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        bobTestClient.client.crypto!.deviceList.downloadKeys = () => Promise.resolve(new Map());
-        await firstSync(aliTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        await bobRecvMessage();
-        await aliSendsMessage();
-        await bobRecvMessage();
-    });
-
-    it("Bob replies to the message", async () => {
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        bobTestClient.expectKeyQuery({ device_keys: { [bobUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await bobTestClient.start();
-        await firstSync(aliTestClient);
-        await firstSync(bobTestClient);
-        await aliEnablesEncryption();
-        await aliSendsFirstMessage();
-        bobTestClient.httpBackend.when("POST", "/keys/query").respond(200, {});
-        await bobRecvMessage();
-        await bobEnablesEncryption();
-        const ciphertext = await bobSendsReplyMessage();
-        expect(ciphertext.type).toEqual(1);
-        await aliRecvMessage();
-    });
-
-    it("Ali does a key query when encryption is enabled", async () => {
-        // enabling encryption in the room should make alice download devices
-        // for both members.
-        aliTestClient.expectKeyQuery({ device_keys: { [aliUserId]: {} }, failures: {} });
-        await aliTestClient.start();
-        await firstSync(aliTestClient);
-        const syncData = {
-            next_batch: "2",
-            rooms: {
-                join: {
-                    [roomId]: {
-                        state: {
-                            events: [
-                                testUtils.mkEvent({
-                                    type: "m.room.encryption",
-                                    skey: "",
-                                    content: {
-                                        algorithm: "m.olm.v1.curve25519-aes-sha2",
-                                    },
-                                }),
-                            ],
-                        },
-                    },
-                },
-            },
-        };
-
-        aliTestClient.httpBackend.when("GET", "/sync").respond(200, syncData);
-        await aliTestClient.httpBackend.flush("/sync", 1);
-        aliTestClient.expectKeyQuery({
-            device_keys: {
-                [bobUserId]: {},
-            },
-            failures: {},
-        });
-        await aliTestClient.httpBackend.flushAllExpected();
-    });
-
-    it("Upload new oneTimeKeys based on a /sync request - no count-asking", async () => {
-        // Send a response which causes a key upload
-        const httpBackend = aliTestClient.httpBackend;
-        const syncDataEmpty = {
-            next_batch: "a",
-            device_one_time_keys_count: {
-                signed_curve25519: 0,
-            },
-        };
-
-        // enqueue expectations:
-        // * Sync with empty one_time_keys => upload keys
-
-        logger.log(aliTestClient + ": starting");
-        httpBackend.when("GET", "/versions").respond(200, {});
-        httpBackend.when("GET", "/pushrules").respond(200, {});
-        httpBackend.when("POST", "/filter").respond(200, { filter_id: "fid" });
-        aliTestClient.expectDeviceKeyUpload();
-
-        // we let the client do a very basic initial sync, which it needs before
-        // it will upload one-time keys.
-        httpBackend.when("GET", "/sync").respond(200, syncDataEmpty);
-
-        await Promise.all([aliTestClient.client.startClient({}), httpBackend.flushAllExpected()]);
-        logger.log(aliTestClient + ": started");
-        httpBackend.when("POST", "/keys/upload").respond(200, (_path, content: IUploadKeysRequest) => {
-            expect(content.one_time_keys).toBeTruthy();
-            expect(content.one_time_keys).not.toEqual({});
-            expect(Object.keys(content.one_time_keys!).length).toBeGreaterThanOrEqual(1);
-            // cancel futher calls by telling the client
-            // we have more than we need
-            return {
-                one_time_key_counts: {
-                    signed_curve25519: 70,
-                },
-            };
-        });
-        await httpBackend.flushAllExpected();
-    });
-
-    it("Checks for outgoing room key requests for a given event's session", async () => {
-        const eventA0 = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "sessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const eventA1 = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "sessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const eventB = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-                session_id: "othersessionid",
-                sender_key: "senderkey",
-            },
-        });
-        const nonEncryptedEvent = new MatrixEvent({
-            sender: "@bob:example.com",
-            room_id: "!someroom",
-            content: {},
-        });
-
-        aliTestClient.client.crypto?.onSyncCompleted({});
-        await aliTestClient.client.cancelAndResendEventRoomKeyRequest(eventA0);
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(eventA1)).not.toBeNull();
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(eventB)).toBeNull();
-        expect(await aliTestClient.client.getOutgoingRoomKeyRequest(nonEncryptedEvent)).toBeNull();
-    });
-});
@@ -16,12 +16,23 @@ limitations under the License.

 import Olm from "@matrix-org/olm";
 import anotherjson from "another-json";
+import fetchMock from "@fetch-mock/vitest";
+import { type RouteResponse } from "fetch-mock";

-import { IContent, IDeviceKeys, IDownloadKeyResult, IEvent, Keys, MatrixClient, SigningKeys } from "../../../src";
-import { IE2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
-import { ISyncResponder } from "../../test-utils/SyncResponder";
+import {
+    type IContent,
+    type IDeviceKeys,
+    type IDownloadKeyResult,
+    type IEvent,
+    type Keys,
+    type MatrixClient,
+    type SigningKeys,
+} from "../../../src";
+import { type IE2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { type ISyncResponder } from "../../test-utils/SyncResponder";
 import { syncPromise } from "../../test-utils/test-utils";
-import { KeyBackupInfo } from "../../../src/crypto-api";
+import { type KeyBackupInfo } from "../../../src/crypto-api";
+import { logger } from "../../../src/logger";

 /**
 * @module
@@ -85,15 +96,15 @@ export function bootstrapCrossSigningTestOlmAccount(
    deviceId: string,
    keyBackupInfo: KeyBackupInfo[] = [],
 ): Partial<IDownloadKeyResult> {
-    const olmAliceMSK = new global.Olm.PkSigning();
+    const olmAliceMSK = new Olm.PkSigning();
    const masterPrivkey = olmAliceMSK.generate_seed();
    const masterPubkey = olmAliceMSK.init_with_seed(masterPrivkey);

-    const olmAliceUSK = new global.Olm.PkSigning();
+    const olmAliceUSK = new Olm.PkSigning();
    const userPrivkey = olmAliceUSK.generate_seed();
    const userPubkey = olmAliceUSK.init_with_seed(userPrivkey);

-    const olmAliceSSK = new global.Olm.PkSigning();
+    const olmAliceSSK = new Olm.PkSigning();
    const sskPrivkey = olmAliceSSK.generate_seed();
    const sskPubkey = olmAliceSSK.init_with_seed(sskPrivkey);

@@ -181,7 +192,7 @@ export async function createOlmSession(
    const otkId = Object.keys(keys)[0];
    const otk = keys[otkId];

-    const session = new global.Olm.Session();
+    const session = new Olm.Session();
    session.create_outbound(olmAccount, recipientTestClient.getDeviceKey(), otk.key);
    return session;
 }
@@ -294,6 +305,9 @@ export function encryptMegolmEventRawPlainText(opts: {
        },
        type: "m.room.encrypted",
        unsigned: {},
+        state_key: opts.plaintext.hasOwnProperty("state_key")
+            ? `${opts.plaintext.type}:${opts.plaintext.state_key}`
+            : undefined,
    };
 }

@@ -406,3 +420,128 @@ export async function establishOlmSession(
    await syncPromise(testClient);
    return p2pSession;
 }
+
+/**
+ * Expect that the client shares keys with the given recipient
+ *
+ * Waits for an HTTP request to send the encrypted m.room_key to-device message; decrypts it and uses it
+ * to establish an Olm InboundGroupSession.
+ *
+ * @param recipientUserID - the user id of the expected recipient
+ *
+ * @param recipientOlmAccount - Olm.Account for the recipient
+ *
+ * @param recipientOlmSession - an Olm.Session for the recipient, which must already have exchanged pre-key
+ *    messages with the sender. Alternatively, null, in which case we will expect a pre-key message.
+ *
+ * @returns the established inbound group session
+ */
+export async function expectSendRoomKey(
+    recipientUserID: string,
+    recipientOlmAccount: Olm.Account,
+    recipientOlmSession: Olm.Session | null = null,
+): Promise<Olm.InboundGroupSession> {
+    const testRecipientKey = JSON.parse(recipientOlmAccount.identity_keys())["curve25519"];
+
+    function onSendRoomKey(content: any): Olm.InboundGroupSession {
+        const m = content.messages[recipientUserID].DEVICE_ID;
+        const ct = m.ciphertext[testRecipientKey];
+
+        if (!recipientOlmSession) {
+            expect(ct.type).toEqual(0); // pre-key message
+            recipientOlmSession = new Olm.Session();
+            recipientOlmSession.create_inbound(recipientOlmAccount, ct.body);
+        } else {
+            expect(ct.type).toEqual(1); // regular message
+        }
+
+        const decrypted = JSON.parse(recipientOlmSession.decrypt(ct.type, ct.body));
+        expect(decrypted.type).toEqual("m.room_key");
+        const inboundGroupSession = new Olm.InboundGroupSession();
+        inboundGroupSession.create(decrypted.content.session_key);
+        return inboundGroupSession;
+    }
+    return await new Promise<Olm.InboundGroupSession>((resolve) => {
+        fetchMock.putOnce(new RegExp("/sendToDevice/m.room.encrypted/"), (callLog): RouteResponse => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(onSendRoomKey(content));
+            return {};
+        });
+    });
+}
+
+/**
+ * Return the event received on rooms/{roomId}/send/m.room.encrypted endpoint.
+ * See https://spec.matrix.org/latest/client-server-api/#put_matrixclientv3roomsroomidsendeventtypetxnid
+ * @returns the content of the encrypted event
+ */
+export function expectEncryptedSendMessageEvent() {
+    return new Promise<IContent>((resolve) => {
+        fetchMock.putOnce(new RegExp("/send/m.room.encrypted/"), (callLog) => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(content);
+            return { event_id: "$event_id" };
+        });
+    });
+}
+
+/**
+ * Return the event received on rooms/{roomId}/state/m.room.encrypted/{stateKey} endpoint.
+ * See https://spec.matrix.org/latest/client-server-api/#put_matrixclientv3roomsroomidstateeventtypestatekey
+ * @returns the content of the encrypted event
+ */
+function expectEncryptedSendStateEvent() {
+    return new Promise<IContent>((resolve) => {
+        fetchMock.putOnce(new RegExp("/state/m.room.encrypted/"), (callLog) => {
+            const content = JSON.parse(callLog.options.body as string);
+            resolve(content);
+            return { event_id: "$event_id" };
+        });
+    });
+}
+
+/**
+ * Expect that the client sends an encrypted message event
+ *
+ * Waits for an HTTP request to send an encrypted message in the test room.
+ *
+ * @param inboundGroupSessionPromise - a promise for an Olm InboundGroupSession, which will
+ *    be used to decrypt the event. We will wait for this to resolve once the HTTP request has been processed.
+ *
+ * @returns The content of the successfully-decrypted event
+ */
+export async function expectSendMegolmMessageEvent(
+    inboundGroupSessionPromise: Promise<Olm.InboundGroupSession>,
+): Promise<Partial<IEvent>> {
+    const encryptedMessageContent = await expectEncryptedSendMessageEvent();
+
+    // In some of the tests, the room key is sent *after* the actual event, so we may need to wait for it now.
+    const inboundGroupSession = await inboundGroupSessionPromise;
+
+    const r: any = inboundGroupSession.decrypt(encryptedMessageContent!.ciphertext);
+    logger.log("Decrypted received megolm message", r);
+    return JSON.parse(r.plaintext);
+}
+
+/**
+ * Expect that the client sends an encrypted state event
+ *
+ * Waits for an HTTP request to send an encrypted state event in the test room.
+ *
+ * @param inboundGroupSessionPromise - a promise for an Olm InboundGroupSession, which will
+ *    be used to decrypt the event. We will wait for this to resolve once the HTTP request has been processed.
+ *
+ * @returns The content of the successfully-decrypted state event
+ */
+export async function expectSendMegolmStateEvent(
+    inboundGroupSessionPromise: Promise<Olm.InboundGroupSession>,
+): Promise<Partial<IEvent>> {
+    const encryptedStateContent = await expectEncryptedSendStateEvent();
+
+    // In some of the tests, the room key is sent *after* the actual event, so we may need to wait for it now.
+    const inboundGroupSession = await inboundGroupSessionPromise;
+
+    const r: any = inboundGroupSession.decrypt(encryptedStateContent!.ciphertext);
+    logger.log("Decrypted received megolm state event", r);
+    return JSON.parse(r.plaintext);
+}
@@ -16,8 +16,17 @@ limitations under the License.

 import "fake-indexeddb/auto";
 import { IDBFactory } from "fake-indexeddb";
+import fetchMock from "@fetch-mock/vitest";

-import { createClient } from "../../../src";
+import { createClient, IndexedDBCryptoStore } from "../../../src";
+import { populateStore } from "../../test-utils/test_indexeddb_cryptostore_dump";
+import { MSK_NOT_CACHED_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/no_cached_msk_dump";
+import { IDENTITY_NOT_TRUSTED_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/unverified";
+import { FULL_ACCOUNT_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/full_account";
+import { EMPTY_ACCOUNT_DATASET } from "../../test-utils/test_indexeddb_cryptostore_dump/empty_account";
+import { CryptoEvent } from "../../../src/crypto-api";
+
+vi.setConfig({ testTimeout: 15000 });

 afterEach(() => {
    // reset fake-indexeddb after each test, to make sure we don't leak connections
@@ -58,18 +67,34 @@ describe("MatrixClient.initRustCrypto", () => {
        expect(databaseNames).toEqual(expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto"]));
    });

-    it("should create the meta db if given a pickleKey", async () => {
+    it("should create the indexed db with a custom prefix", async () => {
        const matrixClient = createClient({
            baseUrl: "http://test.server",
            userId: "@alice:localhost",
            deviceId: "aliceDevice",
-            pickleKey: "testKey",
        });

        // No databases.
        expect(await indexedDB.databases()).toHaveLength(0);

-        await matrixClient.initRustCrypto();
+        await matrixClient.initRustCrypto({ cryptoDatabasePrefix: "my-prefix" });
+
+        // should have an indexed db now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(expect.arrayContaining(["my-prefix::matrix-sdk-crypto"]));
+    });
+
+    it("should create the meta db if given a storageKey", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ storageKey: new Uint8Array(32) });

        // should have two indexed dbs now
        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
@@ -78,6 +103,26 @@ describe("MatrixClient.initRustCrypto", () => {
        );
    });

+    it("should create the meta db if given a storagePassword", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ storagePassword: "the cow is on the moon" });
+
+        // should have two indexed dbs now
+        const databaseNames = (await indexedDB.databases()).map((db) => db.name);
+        expect(databaseNames).toEqual(
+            expect.arrayContaining(["matrix-js-sdk::matrix-sdk-crypto", "matrix-js-sdk::matrix-sdk-crypto-meta"]),
+        );
+    });
+
+    // eslint-disable-next-line @vitest/expect-expect
    it("should ignore a second call", async () => {
        const matrixClient = createClient({
            baseUrl: "http://test.server",
@@ -88,6 +133,330 @@ describe("MatrixClient.initRustCrypto", () => {
        await matrixClient.initRustCrypto();
        await matrixClient.initRustCrypto();
    });
+
+    describe("Libolm Migration", () => {
+        it("should migrate from libolm", async () => {
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", FULL_ACCOUNT_DATASET.backupResponse);
+
+            fetchMock.post("path:/_matrix/client/v3/keys/query", FULL_ACCOUNT_DATASET.keyQueryResponse);
+
+            const testStoreName = "test-store";
+            await populateStore(testStoreName, FULL_ACCOUNT_DATASET.dumpPath);
+            const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+
+            const matrixClient = createClient({
+                baseUrl: "http://test.server",
+                userId: FULL_ACCOUNT_DATASET.userId,
+                deviceId: FULL_ACCOUNT_DATASET.deviceId,
+                cryptoStore,
+                pickleKey: FULL_ACCOUNT_DATASET.pickleKey,
+            });
+
+            const progressListener = vi.fn();
+            matrixClient.addListener(CryptoEvent.LegacyCryptoStoreMigrationProgress, progressListener);
+
+            await matrixClient.initRustCrypto();
+
+            const verificationStatus = await matrixClient
+                .getCrypto()!
+                .getDeviceVerificationStatus(FULL_ACCOUNT_DATASET.userId, FULL_ACCOUNT_DATASET.deviceId);
+
+            // Check that the current device and identity trust is migrated correctly just after migration
+            expect(verificationStatus).toBeDefined();
+            expect(verificationStatus!.crossSigningVerified).toEqual(true);
+            expect(verificationStatus!.signedByOwner).toEqual(true);
+
+            // Do some basic checks on the imported data
+            const deviceKeys = await matrixClient.getCrypto()!.getOwnDeviceKeys();
+            expect(deviceKeys.curve25519).toEqual("LKv0bKbc0EC4h0jknbemv3QalEkeYvuNeUXVRgVVTTU");
+            expect(deviceKeys.ed25519).toEqual("qK70DEqIXq7T+UU3v/al47Ab4JkMEBLpNrTBMbS5rrw");
+
+            expect(await matrixClient.getCrypto()!.getActiveSessionBackupVersion()).toEqual("7");
+
+            expect(await matrixClient.getCrypto()!.isEncryptionEnabledInRoom("!CWLUCoEWXSFyTCOtfL:matrix.org")).toBe(
+                true,
+            );
+
+            // check the progress callback
+            expect(progressListener.mock.calls.length).toBeGreaterThan(50);
+
+            // The first call should have progress == 0
+            const [firstProgress, totalSteps] = progressListener.mock.calls[0];
+            expect(totalSteps).toBeGreaterThan(3000);
+            expect(firstProgress).toEqual(0);
+
+            for (let i = 1; i < progressListener.mock.calls.length - 1; i++) {
+                const [progress, total] = progressListener.mock.calls[i];
+                expect(total).toEqual(totalSteps);
+                expect(progress).toBeGreaterThan(progressListener.mock.calls[i - 1][0]);
+                expect(progress).toBeLessThanOrEqual(totalSteps);
+            }
+
+            // The final call should have progress == total == -1
+            expect(progressListener).toHaveBeenLastCalledWith(-1, -1);
+        }, 60000);
+
+        describe("Private key backup migration", () => {
+            it("should not migrate the backup private key if backup has changed", async () => {
+                // Here we have a new backup server side, and the migrated account has the previous backup key.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.newBackupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should not migrate the backup private key if backup has unknown algorithm", async () => {
+                // Here we have a new backup server side, and the migrated account has the previous backup key.
+                const backupResponse = {
+                    ...MSK_NOT_CACHED_DATASET.backupResponse,
+                    algorithm: "m.megolm_backup.v8",
+                };
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should not migrate the backup private key if the backup has been deleted", async () => {
+                // The old backup has been deleted server side.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeNull();
+            });
+
+            it("should migrate the backup private key if the backup matches", async () => {
+                // The old backup has been deleted server side.
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                await populateStore("test-store", MSK_NOT_CACHED_DATASET.dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, "test-store");
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const privateBackupKey = await matrixClient.getCrypto()?.getSessionBackupPrivateKey();
+                expect(privateBackupKey).toBeDefined();
+            });
+        });
+
+        it("should not migrate if account data is missing", async () => {
+            // See https://github.com/element-hq/element-web/issues/27447
+
+            // Given we have an almost-empty legacy account in the database
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND", error: "No backup found" },
+            });
+            fetchMock.post("path:/_matrix/client/v3/keys/query", EMPTY_ACCOUNT_DATASET.keyQueryResponse);
+
+            const testStoreName = "test-store";
+            await populateStore(testStoreName, EMPTY_ACCOUNT_DATASET.dumpPath);
+            const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+
+            const matrixClient = createClient({
+                baseUrl: "http://test.server",
+                userId: EMPTY_ACCOUNT_DATASET.userId,
+                deviceId: EMPTY_ACCOUNT_DATASET.deviceId,
+                cryptoStore,
+                pickleKey: EMPTY_ACCOUNT_DATASET.pickleKey,
+            });
+
+            // When we start Rust crypto, potentially triggering an upgrade
+            const progressListener = vi.fn();
+            matrixClient.addListener(CryptoEvent.LegacyCryptoStoreMigrationProgress, progressListener);
+
+            await matrixClient.initRustCrypto();
+
+            // Then no error occurs, and no upgrade happens
+            expect(progressListener.mock.calls.length).toBe(0);
+        }, 60000);
+
+        describe("Legacy trust migration", () => {
+            async function populateAndStartLegacyCryptoStore(dumpPath: string): Promise<IndexedDBCryptoStore> {
+                const testStoreName = "test-store";
+                await populateStore(testStoreName, dumpPath);
+                const cryptoStore = new IndexedDBCryptoStore(indexedDB, testStoreName);
+                await cryptoStore.startup();
+                return cryptoStore;
+            }
+
+            it("should not revert to untrusted if legacy was trusted but msk not in cache, big account", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", FULL_ACCOUNT_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(FULL_ACCOUNT_DATASET.dumpPath);
+
+                // Remove the master key from the cache
+                await cryptoStore.doTxn("readwrite", [IndexedDBCryptoStore.STORE_ACCOUNT], (txn) => {
+                    const objectStore = txn.objectStore("account");
+                    objectStore.delete(`ssss_cache:master`);
+                });
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: FULL_ACCOUNT_DATASET.userId,
+                    deviceId: FULL_ACCOUNT_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: FULL_ACCOUNT_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus(FULL_ACCOUNT_DATASET.userId);
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(true);
+            }, 60000);
+
+            it("should not revert to untrusted if legacy was trusted but msk not in cache", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(MSK_NOT_CACHED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@migration:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(true);
+            });
+
+            it("should not migrate local trust if key has changed", async () => {
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", MSK_NOT_CACHED_DATASET.backupResponse);
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", MSK_NOT_CACHED_DATASET.rotatedKeyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(MSK_NOT_CACHED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: MSK_NOT_CACHED_DATASET.userId,
+                    deviceId: MSK_NOT_CACHED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: MSK_NOT_CACHED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@migration:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(false);
+            });
+
+            it("should not migrate local trust if was not trusted in legacy", async () => {
+                // Just 404 here for the test
+                fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                    status: 404,
+                    body: {
+                        errcode: "M_NOT_FOUND",
+                        error: "No backup found",
+                    },
+                });
+
+                fetchMock.post("path:/_matrix/client/v3/keys/query", IDENTITY_NOT_TRUSTED_DATASET.keyQueryResponse);
+
+                const cryptoStore = await populateAndStartLegacyCryptoStore(IDENTITY_NOT_TRUSTED_DATASET.dumpPath);
+
+                const matrixClient = createClient({
+                    baseUrl: "http://test.server",
+                    userId: IDENTITY_NOT_TRUSTED_DATASET.userId,
+                    deviceId: IDENTITY_NOT_TRUSTED_DATASET.deviceId,
+                    cryptoStore,
+                    pickleKey: IDENTITY_NOT_TRUSTED_DATASET.pickleKey,
+                });
+
+                await matrixClient.initRustCrypto();
+
+                const verificationStatus = await matrixClient
+                    .getCrypto()!
+                    .getUserVerificationStatus("@untrusted:localhost");
+
+                expect(verificationStatus.isCrossSigningVerified()).toBe(false);
+            });
+        });
+    });
 });

 describe("MatrixClient.clearStores", () => {
@@ -96,10 +465,9 @@ describe("MatrixClient.clearStores", () => {
            baseUrl: "http://test.server",
            userId: "@alice:localhost",
            deviceId: "aliceDevice",
-            pickleKey: "testKey",
        });

-        await matrixClient.initRustCrypto();
+        await matrixClient.initRustCrypto({ storagePassword: "testKey" });
        expect(await indexedDB.databases()).toHaveLength(2);
        await matrixClient.stopClient();

@@ -107,6 +475,7 @@ describe("MatrixClient.clearStores", () => {
        expect(await indexedDB.databases()).toHaveLength(0);
    });

+    // eslint-disable-next-line @vitest/expect-expect
    it("should not fail in environments without indexedDB", async () => {
        // eslint-disable-next-line no-global-assign
        indexedDB = undefined!;
@@ -121,4 +490,22 @@ describe("MatrixClient.clearStores", () => {
        await matrixClient.clearStores();
        // No error thrown in clearStores
    });
+
+    it("should clear the indexeddbs with a custom prefix", async () => {
+        const matrixClient = createClient({
+            baseUrl: "http://test.server",
+            userId: "@alice:localhost",
+            deviceId: "aliceDevice",
+        });
+
+        // No databases.
+        expect(await indexedDB.databases()).toHaveLength(0);
+
+        await matrixClient.initRustCrypto({ cryptoDatabasePrefix: "my-prefix" });
+        expect(await indexedDB.databases()).toHaveLength(1);
+        await matrixClient.stopClient();
+
+        await matrixClient.clearStores({ cryptoDatabasePrefix: "my-prefix" });
+        expect(await indexedDB.databases()).toHaveLength(0);
+    });
 });
@@ -0,0 +1,221 @@
+/*
+Copyright 2025 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import anotherjson from "another-json";
+import fetchMock from "@fetch-mock/vitest";
+import "fake-indexeddb/auto";
+import Olm from "@matrix-org/olm";
+
+import * as testUtils from "../../test-utils/test-utils";
+import { getSyncResponse, syncPromise } from "../../test-utils/test-utils";
+import { TEST_ROOM_ID as ROOM_ID } from "../../test-utils/test-data";
+import { logger } from "../../../src/logger";
+import {
+    createClient,
+    HistoryVisibility,
+    PendingEventOrdering,
+    type IStartClientOpts,
+    type MatrixClient,
+} from "../../../src/matrix";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { type ISyncResponder, SyncResponder } from "../../test-utils/SyncResponder";
+import {
+    createOlmAccount,
+    createOlmSession,
+    encryptGroupSessionKey,
+    encryptMegolmEvent,
+    getTestOlmAccountKeys,
+    expectSendRoomKey,
+    expectSendMegolmStateEvent,
+} from "./olm-utils";
+import { mockInitialApiRequests } from "../../test-utils/mockEndpoints";
+
+describe("Encrypted State Events", () => {
+    let testOlmAccount = {} as unknown as Olm.Account;
+    let testSenderKey = "";
+
+    /** the MatrixClient under test */
+    let aliceClient: MatrixClient;
+
+    /** an object which intercepts `/keys/upload` requests from {@link #aliceClient} to catch the uploaded keys */
+    let keyReceiver: E2EKeyReceiver;
+
+    /** an object which intercepts `/sync` requests from {@link #aliceClient} */
+    let syncResponder: ISyncResponder;
+
+    async function startClientAndAwaitFirstSync(opts: IStartClientOpts = {}): Promise<void> {
+        logger.log(aliceClient.getUserId() + ": starting");
+
+        mockInitialApiRequests(aliceClient.getHomeserverUrl());
+
+        // we let the client do a very basic initial sync, which it needs before
+        // it will upload one-time keys.
+        syncResponder.sendOrQueueSyncResponse({ next_batch: 1 });
+
+        aliceClient.startClient({
+            // set this so that we can get hold of failed events
+            pendingEventOrdering: PendingEventOrdering.Detached,
+            ...opts,
+        });
+
+        await syncPromise(aliceClient);
+        logger.log(aliceClient.getUserId() + ": started");
+    }
+
+    beforeEach(async () => {
+        fetchMock.catch(404);
+
+        const homeserverUrl = "https://alice-server.com";
+        aliceClient = createClient({
+            baseUrl: homeserverUrl,
+            userId: "@alice:localhost",
+            accessToken: "akjgkrgjs",
+            deviceId: "xzcvb",
+            logger: logger.getChild("aliceClient"),
+            enableEncryptedStateEvents: true,
+        });
+
+        keyReceiver = new E2EKeyReceiver(homeserverUrl);
+        syncResponder = new SyncResponder(homeserverUrl);
+
+        await aliceClient.initRustCrypto();
+
+        // create a test olm device which we will use to communicate with alice. We use libolm to implement this.
+        testOlmAccount = await createOlmAccount();
+        const testE2eKeys = JSON.parse(testOlmAccount.identity_keys());
+        testSenderKey = testE2eKeys.curve25519;
+    }, 10000);
+
+    afterEach(async () => {
+        aliceClient.stopClient();
+    });
+
+    function expectAliceKeyQuery(response: any) {
+        fetchMock.postOnce(new RegExp("/keys/query"), (callLog) => response);
+    }
+
+    function expectAliceKeyClaim(response: any) {
+        fetchMock.postOnce(new RegExp("/keys/claim"), response);
+    }
+
+    function getTestKeysClaimResponse(userId: string) {
+        testOlmAccount.generate_one_time_keys(1);
+        const testOneTimeKeys = JSON.parse(testOlmAccount.one_time_keys());
+        testOlmAccount.mark_keys_as_published();
+
+        const keyId = Object.keys(testOneTimeKeys.curve25519)[0];
+        const oneTimeKey: string = testOneTimeKeys.curve25519[keyId];
+        const unsignedKeyResult = { key: oneTimeKey };
+        const j = anotherjson.stringify(unsignedKeyResult);
+        const sig = testOlmAccount.sign(j);
+        const keyResult = {
+            ...unsignedKeyResult,
+            signatures: { [userId]: { "ed25519:DEVICE_ID": sig } },
+        };
+
+        return {
+            one_time_keys: { [userId]: { DEVICE_ID: { ["signed_curve25519:" + keyId]: keyResult } } },
+            failures: {},
+        };
+    }
+
+    it("Should receive an encrypted state event", async () => {
+        expectAliceKeyQuery({ device_keys: { "@alice:localhost": {} }, failures: {} });
+        await startClientAndAwaitFirstSync();
+
+        const p2pSession = await createOlmSession(testOlmAccount, keyReceiver);
+        const groupSession = new Olm.OutboundGroupSession();
+        groupSession.create();
+
+        // make the room_key event
+        const roomKeyEncrypted = encryptGroupSessionKey({
+            recipient: aliceClient.getUserId()!,
+            recipientCurve25519Key: keyReceiver.getDeviceKey(),
+            recipientEd25519Key: keyReceiver.getSigningKey(),
+            olmAccount: testOlmAccount,
+            p2pSession: p2pSession,
+            groupSession: groupSession,
+            room_id: ROOM_ID,
+        });
+
+        // encrypt a state event with the group session
+        const eventEncrypted = encryptMegolmEvent({
+            senderKey: testSenderKey,
+            groupSession: groupSession,
+            room_id: ROOM_ID,
+            plaintext: {
+                type: "m.room.topic",
+                state_key: "",
+                content: {
+                    topic: "Secret!",
+                },
+            },
+        });
+
+        // Alice gets both the events in a single sync
+        const syncResponse = {
+            next_batch: 1,
+            to_device: {
+                events: [roomKeyEncrypted],
+            },
+            rooms: {
+                join: {
+                    [ROOM_ID]: { timeline: { events: [eventEncrypted] } },
+                },
+            },
+        };
+
+        syncResponder.sendOrQueueSyncResponse(syncResponse);
+        await syncPromise(aliceClient);
+
+        const room = aliceClient.getRoom(ROOM_ID)!;
+        const event = room.getLiveTimeline().getEvents()[0];
+        expect(event.isEncrypted()).toBe(true);
+
+        // it probably won't be decrypted yet, because it takes a while to process the olm keys
+        const decryptedEvent = await testUtils.awaitDecryption(event, { waitOnDecryptionFailure: true });
+        expect(decryptedEvent.getContent().topic).toEqual("Secret!");
+    });
+
+    // eslint-disable-next-line @vitest/expect-expect
+    it("Should send an encrypted state event", async () => {
+        const homeserverUrl = aliceClient.getHomeserverUrl();
+        const keyResponder = new E2EKeyResponder(homeserverUrl);
+        keyResponder.addKeyReceiver("@alice:localhost", keyReceiver);
+
+        const testDeviceKeys = getTestOlmAccountKeys(testOlmAccount, "@bob:xyz", "DEVICE_ID");
+        keyResponder.addDeviceKeys(testDeviceKeys);
+
+        await startClientAndAwaitFirstSync();
+
+        // Alice shares a room with Bob
+        syncResponder.sendOrQueueSyncResponse(getSyncResponse(["@bob:xyz"], HistoryVisibility.Joined, ROOM_ID, true));
+        await syncPromise(aliceClient);
+
+        // ... and claim one of Bob's OTKs ...
+        expectAliceKeyClaim(getTestKeysClaimResponse("@bob:xyz"));
+
+        // ... and send an m.room.topic message
+        const inboundGroupSessionPromise = expectSendRoomKey("@bob:xyz", testOlmAccount);
+
+        // Finally, send the message, and expect to get an `m.room.encrypted` event that we can decrypt.
+        await Promise.all([
+            aliceClient.setRoomTopic(ROOM_ID, "Secret!"),
+            expectSendMegolmStateEvent(inboundGroupSessionPromise),
+        ]);
+    });
+});
@@ -0,0 +1,268 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMock from "@fetch-mock/vitest";
+import "fake-indexeddb/auto";
+import { IDBFactory } from "fake-indexeddb";
+import Olm from "@matrix-org/olm";
+
+import { getSyncResponse, syncPromise } from "../../test-utils/test-utils";
+import {
+    ClientEvent,
+    createClient,
+    type IToDeviceEvent,
+    type MatrixClient,
+    type MatrixEvent,
+    type ReceivedToDeviceMessage,
+} from "../../../src";
+import * as testData from "../../test-utils/test-data";
+import { E2EKeyResponder } from "../../test-utils/E2EKeyResponder";
+import { SyncResponder } from "../../test-utils/SyncResponder";
+import { E2EKeyReceiver } from "../../test-utils/E2EKeyReceiver";
+import { encryptOlmEvent, establishOlmSession, getTestOlmAccountKeys } from "./olm-utils.ts";
+
+afterEach(() => {
+    // reset fake-indexeddb after each test, to make sure we don't leak connections
+    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
+    // eslint-disable-next-line no-global-assign
+    indexedDB = new IDBFactory();
+});
+
+/**
+ * Integration tests for to-device messages functionality.
+ *
+ * These tests work by intercepting HTTP requests via fetch-mock rather than mocking out bits of the client, so as
+ * to provide the most effective integration tests possible.
+ */
+describe("to-device-messages", () => {
+    let aliceClient: MatrixClient;
+
+    /** an object which intercepts `/keys/query` requests on the test homeserver */
+    let e2eKeyResponder: E2EKeyResponder;
+    let e2eKeyReceiver: E2EKeyReceiver;
+    let syncResponder: SyncResponder;
+
+    beforeEach(
+        async () => {
+            // anything that we don't have a specific matcher for silently returns a 404
+            fetchMock.catch(404);
+
+            const homeserverUrl = "https://server.com";
+            aliceClient = createClient({
+                baseUrl: homeserverUrl,
+                userId: testData.TEST_USER_ID,
+                accessToken: "akjgkrgjsalice",
+                deviceId: testData.TEST_DEVICE_ID,
+            });
+
+            e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
+            e2eKeyReceiver = new E2EKeyReceiver(homeserverUrl);
+            syncResponder = new SyncResponder(homeserverUrl);
+
+            // add bob as known user
+            syncResponder.sendOrQueueSyncResponse(getSyncResponse([testData.BOB_TEST_USER_ID]));
+
+            // Silence warnings from the backup manager
+            fetchMock.getOnce(new URL("/_matrix/client/v3/room_keys/version", homeserverUrl).toString(), {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND" },
+            });
+
+            fetchMock.get(new URL("/_matrix/client/v3/pushrules/", homeserverUrl).toString(), {});
+            fetchMock.get(new URL("/_matrix/client/versions/", homeserverUrl).toString(), {});
+            fetchMock.post(
+                new URL(
+                    `/_matrix/client/v3/user/${encodeURIComponent(testData.TEST_USER_ID)}/filter`,
+                    homeserverUrl,
+                ).toString(),
+                { filter_id: "fid" },
+            );
+
+            await aliceClient.initRustCrypto();
+        },
+        /* it can take a while to initialise the crypto library on the first pass, so bump up the timeout. */
+        10000,
+    );
+
+    afterEach(async () => {
+        aliceClient.stopClient();
+    });
+
+    describe("encryptToDeviceMessages", () => {
+        it("returns empty batch for device that is not known", async () => {
+            await aliceClient.startClient();
+
+            const toDeviceBatch = await aliceClient
+                .getCrypto()
+                ?.encryptToDeviceMessages(
+                    "m.test.event",
+                    [{ userId: testData.BOB_TEST_USER_ID, deviceId: testData.BOB_TEST_DEVICE_ID }],
+                    {
+                        some: "content",
+                    },
+                );
+
+            expect(toDeviceBatch).toBeDefined();
+            const { batch, eventType } = toDeviceBatch!;
+            expect(eventType).toBe("m.room.encrypted");
+            expect(batch.length).toBe(0);
+        });
+
+        it("returns encrypted batch for known device", async () => {
+            await aliceClient.startClient();
+            e2eKeyResponder.addDeviceKeys(testData.BOB_SIGNED_TEST_DEVICE_DATA);
+            fetchMock.post("express:/_matrix/client/v3/keys/claim", () => ({
+                one_time_keys: testData.BOB_ONE_TIME_KEYS,
+            }));
+            await syncPromise(aliceClient);
+
+            const toDeviceBatch = await aliceClient
+                .getCrypto()
+                ?.encryptToDeviceMessages(
+                    "m.test.event",
+                    [{ userId: testData.BOB_TEST_USER_ID, deviceId: testData.BOB_TEST_DEVICE_ID }],
+                    {
+                        some: "content",
+                    },
+                );
+
+            expect(toDeviceBatch?.batch.length).toBe(1);
+            expect(toDeviceBatch?.eventType).toBe("m.room.encrypted");
+            const { deviceId, payload, userId } = toDeviceBatch!.batch[0];
+            expect(deviceId).toBe(testData.BOB_TEST_DEVICE_ID);
+            expect(userId).toBe(testData.BOB_TEST_USER_ID);
+            expect(payload.algorithm).toBe("m.olm.v1.curve25519-aes-sha2");
+            expect(payload.sender_key).toEqual(expect.any(String));
+            expect(payload.ciphertext).toEqual(
+                expect.objectContaining({
+                    [testData.BOB_SIGNED_TEST_DEVICE_DATA.keys[`curve25519:${testData.BOB_TEST_DEVICE_ID}`]]: {
+                        body: expect.any(String),
+                        type: 0,
+                    },
+                }),
+            );
+
+            // for future: check that bob's device can decrypt the ciphertext?
+        });
+    });
+
+    describe("receive to-device-messages", () => {
+        it("Should receive decrypted to-device message via ClientEvent", async () => {
+            // create a test olm device which we will use to communicate with alice. We use libolm to implement this.
+            await Olm.init();
+            const testOlmAccount = new Olm.Account();
+            testOlmAccount.create();
+
+            const testDeviceKeys = getTestOlmAccountKeys(testOlmAccount, "@bob:xyz", "DEVICE_ID");
+            e2eKeyResponder.addDeviceKeys(testDeviceKeys);
+
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            syncResponder.sendOrQueueSyncResponse(getSyncResponse(["@bob:xyz"]));
+            await syncPromise(aliceClient);
+
+            const p2pSession = await establishOlmSession(aliceClient, e2eKeyReceiver, syncResponder, testOlmAccount);
+
+            const toDeviceEvent = encryptOlmEvent({
+                sender: "@bob:xyz",
+                senderKey: testDeviceKeys.keys[`curve25519:DEVICE_ID`],
+                senderSigningKey: testDeviceKeys.keys[`ed25519:DEVICE_ID`],
+                p2pSession: p2pSession,
+                recipient: aliceClient.getUserId()!,
+                recipientCurve25519Key: e2eKeyReceiver.getDeviceKey(),
+                recipientEd25519Key: e2eKeyReceiver.getSigningKey(),
+                plaincontent: {
+                    body: "foo",
+                },
+                plaintype: "m.test.type",
+            });
+
+            const processedToDeviceResolver: PromiseWithResolvers<ReceivedToDeviceMessage> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ReceivedToDeviceMessage, (payload) => {
+                processedToDeviceResolver.resolve(payload);
+            });
+
+            const oldToDeviceResolver: PromiseWithResolvers<MatrixEvent> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ToDeviceEvent, (event) => {
+                oldToDeviceResolver.resolve(event);
+            });
+
+            expect(toDeviceEvent.type).toBe("m.room.encrypted");
+
+            syncResponder.sendOrQueueSyncResponse({ to_device: { events: [toDeviceEvent] } });
+            await syncPromise(aliceClient);
+
+            const { message, encryptionInfo } = await processedToDeviceResolver.promise;
+
+            expect(message.type).toBe("m.test.type");
+            expect(message.content["body"]).toBe("foo");
+
+            expect(encryptionInfo).not.toBeNull();
+            expect(encryptionInfo!.senderVerified).toBe(false);
+            expect(encryptionInfo!.sender).toBe("@bob:xyz");
+            expect(encryptionInfo!.senderDevice).toBe("DEVICE_ID");
+
+            const oldFormat = await oldToDeviceResolver.promise;
+            expect(oldFormat.isEncrypted()).toBe(true);
+            expect(oldFormat.getType()).toBe("m.test.type");
+            expect(oldFormat.getContent()["body"]).toBe("foo");
+        });
+
+        it("Should receive clear to-device message via ClientEvent", async () => {
+            await aliceClient.startClient();
+            await syncPromise(aliceClient);
+
+            const toDeviceEvent: IToDeviceEvent = {
+                sender: "@bob:xyz",
+                type: "m.test.type",
+                content: {
+                    body: "foo",
+                },
+            };
+
+            const processedToDeviceResolver: PromiseWithResolvers<ReceivedToDeviceMessage> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ReceivedToDeviceMessage, (payload) => {
+                processedToDeviceResolver.resolve(payload);
+            });
+
+            const oldToDeviceResolver: PromiseWithResolvers<MatrixEvent> = Promise.withResolvers();
+
+            aliceClient.on(ClientEvent.ToDeviceEvent, (event) => {
+                oldToDeviceResolver.resolve(event);
+            });
+
+            syncResponder.sendOrQueueSyncResponse({ to_device: { events: [toDeviceEvent] } });
+            await syncPromise(aliceClient);
+
+            const { message, encryptionInfo } = await processedToDeviceResolver.promise;
+
+            expect(message.type).toBe("m.test.type");
+            expect(message.content["body"]).toBe("foo");
+
+            // When the message is not encrypted, we don't have the encryptionInfo.
+            expect(encryptionInfo).toBeNull();
+
+            const oldFormat = await oldToDeviceResolver.promise;
+            expect(oldFormat.isEncrypted()).toBe(false);
+            expect(oldFormat.getType()).toBe("m.test.type");
+            expect(oldFormat.getContent()["body"]).toBe("foo");
+        });
+    });
+});
@@ -17,42 +17,37 @@ limitations under the License.
 import "fake-indexeddb/auto";

 import anotherjson from "another-json";
-import { MockResponse } from "fetch-mock";
-import fetchMock from "fetch-mock-jest";
+import debug from "debug";
+import fetchMock from "@fetch-mock/vitest";
+import { type RouteResponse } from "fetch-mock";
 import { IDBFactory } from "fake-indexeddb";
 import { createHash } from "crypto";
 import Olm from "@matrix-org/olm";

 import {
    createClient,
-    CryptoEvent,
+    DebugLogger,
    DeviceVerification,
-    IContent,
-    ICreateClientOpts,
-    IEvent,
-    MatrixClient,
+    type IContent,
+    type ICreateClientOpts,
+    type IEvent,
+    type MatrixClient,
+    MatrixError,
    MatrixEvent,
    MatrixEventEvent,
 } from "../../../src";
 import {
    canAcceptVerificationRequest,
-    ShowQrCodeCallbacks,
-    ShowSasCallbacks,
+    type ShowQrCodeCallbacks,
+    type ShowSasCallbacks,
    VerificationPhase,
-    VerificationRequest,
+    type VerificationRequest,
    VerificationRequestEvent,
-    Verifier,
+    type Verifier,
    VerifierEvent,
 } from "../../../src/crypto-api/verification";
-import { defer, escapeRegExp } from "../../../src/utils";
-import {
-    awaitDecryption,
-    CRYPTO_BACKENDS,
-    emitPromise,
-    getSyncResponse,
-    InitCrypto,
-    syncPromise,
-} from "../../test-utils/test-utils";
+import { escapeRegExp, sleep } from "../../../src/utils";
+import { awaitDecryption, emitPromise, getSyncResponse, syncPromise, waitFor } from "../../test-utils/test-utils";
 import { SyncResponder } from "../../test-utils/SyncResponder";
 import {
    BACKUP_DECRYPTION_KEY_BASE64,
@@ -78,26 +73,28 @@ import {
    encryptGroupSessionKey,
    encryptMegolmEvent,
    encryptSecretSend,
-    ToDeviceEvent,
+    getTestOlmAccountKeys,
+    type ToDeviceEvent,
 } from "./olm-utils";
-import { KeyBackupInfo } from "../../../src/crypto-api";
+import { type KeyBackupInfo, CryptoEvent } from "../../../src/crypto-api";
 import { encodeBase64 } from "../../../src/base64";

-// The verification flows use javascript timers to set timeouts. We tell jest to use mock timer implementations
-// to ensure that we don't end up with dangling timeouts.
-jest.useFakeTimers();
-
 beforeAll(async () => {
    // we use the libolm primitives in the test, so init the Olm library
-    await global.Olm.init();
+    await Olm.init();
 });

 // load the rust library. This can take a few seconds on a slow GH worker.
 beforeAll(async () => {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
    const RustSdkCryptoJs = await require("@matrix-org/matrix-sdk-crypto-wasm");
    await RustSdkCryptoJs.initAsync();
 }, 10000);

+beforeEach(() => {
+    vi.useFakeTimers();
+});
+
 afterEach(() => {
    // reset fake-indexeddb after each test, to make sure we don't leak connections
    // cf https://github.com/dumbmatter/fakeIndexedDB#wipingresetting-the-indexeddb-for-a-fresh-state
@@ -114,12 +111,7 @@ const TEST_HOMESERVER_URL = "https://alice-server.com";
 * These tests work by intercepting HTTP requests via fetch-mock rather than mocking out bits of the client, so as
 * to provide the most effective integration tests possible.
 */
-// we test with both crypto stacks...
-describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: string, initCrypto: InitCrypto) => {
-    // newBackendOnly is the opposite to `oldBackendOnly`: it will skip the test if we are running against the legacy
-    // backend. Once we drop support for legacy crypto, it will go away.
-    const newBackendOnly = backend === "rust-sdk" ? test : test.skip;
-
+describe("verification", () => {
    /** the client under test */
    let aliceClient: MatrixClient;

@@ -135,7 +127,6 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
    beforeEach(async () => {
        // anything that we don't have a specific matcher for silently returns a 404
        fetchMock.catch(404);
-        fetchMock.config.warnOnFallback = false;

        e2eKeyReceiver = new E2EKeyReceiver(TEST_HOMESERVER_URL);
        e2eKeyResponder = new E2EKeyResponder(TEST_HOMESERVER_URL);
@@ -146,14 +137,12 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
    });

    afterEach(async () => {
-        if (aliceClient !== undefined) {
-            await aliceClient.stopClient();
-        }
+        aliceClient?.stopClient();

        // Allow in-flight things to complete before we tear down the test
-        await jest.runAllTimersAsync();
-
-        fetchMock.mockReset();
+        if (vi.isFakeTimers()) {
+            await vi.runAllTimersAsync();
+        }
    });

    describe("Outgoing verification requests for another device", () => {
@@ -161,11 +150,10 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            // pretend that we have another device, which we will verify
            e2eKeyResponder.addDeviceKeys(SIGNED_TEST_DEVICE_DATA);

-            fetchMock.put(
-                new RegExp(`/_matrix/client/(r0|v3)/sendToDevice/${escapeRegExp("m.secret.request")}`),
-                { ok: false, status: 404 },
-                { overwriteRoutes: true },
-            );
+            fetchMock.put(new RegExp(`/_matrix/client/(r0|v3)/sendToDevice/${escapeRegExp("m.secret.request")}`), {
+                ok: false,
+                status: 404,
+            });
        });

        // test with (1) the default verification method list, (2) a custom verification method list.
@@ -217,7 +205,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(toDeviceMessage.from_device).toEqual(aliceClient.deviceId);
            expect(toDeviceMessage.transaction_id).toEqual(transactionId);
            if (methods !== undefined) {
-                // eslint-disable-next-line jest/no-conditional-expect
+                // eslint-disable-next-line @vitest/no-conditional-expect
                expect(new Set(toDeviceMessage.methods)).toEqual(new Set(methods));
            }

@@ -250,7 +238,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            const sendToDevicePromise = expectSendToDeviceMessage("m.key.verification.accept");
            const verificationPromise = verifier.verify();
            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            jest.advanceTimersByTime(10);
+            vi.advanceTimersByTime(10);

            requestBody = await sendToDevicePromise;
            toDeviceMessage = requestBody.messages[TEST_USER_ID][TEST_DEVICE_ID];
@@ -262,7 +250,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st

            // The dummy device makes up a curve25519 keypair and sends the public bit back in an `m.key.verification.key'
            // We use the Curve25519, HMAC and HKDF implementations in libolm, for now
-            const olmSAS = new global.Olm.SAS();
+            const olmSAS = new Olm.SAS();
            returnToDeviceMessageFromSync(buildSasKeyMessage(transactionId, olmSAS.get_pubkey()));

            // alice responds with a 'key' ...
@@ -328,7 +316,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(request.otherPartySupportsMethod("m.sas.v1")).toBe(true);

            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            // And now Alice starts a SAS verification
            let sendToDevicePromise = expectSendToDeviceMessage("m.key.verification.start");
@@ -356,7 +344,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st

            // The dummy device makes up a curve25519 keypair and uses the hash in an 'm.key.verification.accept'
            // We use the Curve25519, HMAC and HKDF implementations in libolm, for now
-            const olmSAS = new global.Olm.SAS();
+            const olmSAS = new Olm.SAS();
            const commitmentStr = olmSAS.get_pubkey() + anotherjson.stringify(toDeviceMessage);

            sendToDevicePromise = expectSendToDeviceMessage("m.key.verification.key");
@@ -429,9 +417,8 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
                expect(requests[0].transactionId).toEqual(transactionId);
            }

-            // legacy crypto picks devices individually; rust crypto uses a broadcast message
-            const toDeviceMessage =
-                requestBody.messages[TEST_USER_ID]["*"] ?? requestBody.messages[TEST_USER_ID][TEST_DEVICE_ID];
+            // rust crypto uses a broadcast message
+            const toDeviceMessage = requestBody.messages[TEST_USER_ID]["*"];
            expect(toDeviceMessage.from_device).toEqual(aliceClient.deviceId);
            expect(toDeviceMessage.transaction_id).toEqual(transactionId);
        });
@@ -471,21 +458,23 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(request.phase).toEqual(VerificationPhase.Ready);

            // we should now have QR data we can display
-            const qrCodeBuffer = (await request.generateQRCode())!;
-            expect(qrCodeBuffer).toBeTruthy();
+            const rawQrCodeBuffer = (await request.generateQRCode())!;
+            expect(rawQrCodeBuffer).toBeTruthy();
+            const qrCodeBuffer = new Uint8Array(rawQrCodeBuffer);

+            const textDecoder = new TextDecoder();
            // https://spec.matrix.org/v1.7/client-server-api/#qr-code-format
-            expect(qrCodeBuffer.subarray(0, 6).toString("latin1")).toEqual("MATRIX");
-            expect(qrCodeBuffer.readUint8(6)).toEqual(0x02); // version
-            expect(qrCodeBuffer.readUint8(7)).toEqual(0x02); // mode
-            const txnIdLen = qrCodeBuffer.readUint16BE(8);
-            expect(qrCodeBuffer.subarray(10, 10 + txnIdLen).toString("utf-8")).toEqual(transactionId);
+            expect(textDecoder.decode(qrCodeBuffer.slice(0, 6))).toEqual("MATRIX");
+            expect(qrCodeBuffer[6]).toEqual(0x02); // version
+            expect(qrCodeBuffer[7]).toEqual(0x02); // mode
+            const txnIdLen = (qrCodeBuffer[8] << 8) + qrCodeBuffer[9];
+            expect(textDecoder.decode(qrCodeBuffer.slice(10, 10 + txnIdLen))).toEqual(transactionId);
            // Alice's device's public key comes next, but we have nothing to do with it here.
-            // const aliceDevicePubKey = qrCodeBuffer.subarray(10 + txnIdLen, 32 + 10 + txnIdLen);
-            expect(qrCodeBuffer.subarray(42 + txnIdLen, 32 + 42 + txnIdLen)).toEqual(
-                Buffer.from(MASTER_CROSS_SIGNING_PUBLIC_KEY_BASE64, "base64"),
+            // const aliceDevicePubKey = qrCodeBuffer.slice(10 + txnIdLen, 32 + 10 + txnIdLen);
+            expect(encodeUnpaddedBase64(qrCodeBuffer.slice(42 + txnIdLen, 32 + 42 + txnIdLen))).toEqual(
+                MASTER_CROSS_SIGNING_PUBLIC_KEY_BASE64,
            );
-            const sharedSecret = qrCodeBuffer.subarray(74 + txnIdLen);
+            const sharedSecret = qrCodeBuffer.slice(74 + txnIdLen);

            // we should still be "Ready" and have no verifier
            expect(request.phase).toEqual(VerificationPhase.Ready);
@@ -517,18 +506,12 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            reciprocateQRCodeCallbacks.confirm();
            await sendToDevicePromise;

-            // at this point, on legacy crypto, the master key is already marked as trusted, and the request is "Done".
-            // Rust crypto, on the other hand, waits for the 'done' to arrive from the other side.
+            // Rust crypto waits for the 'done' to arrive from the other side.
            if (request.phase === VerificationPhase.Done) {
-                // legacy crypto: we're all done
                const userVerificationStatus = await aliceClient.getCrypto()!.getUserVerificationStatus(TEST_USER_ID);
-                // eslint-disable-next-line jest/no-conditional-expect
+                // eslint-disable-next-line @vitest/no-conditional-expect
                expect(userVerificationStatus.isCrossSigningVerified()).toBeTruthy();
                await verificationPromise;
-            } else {
-                // rust crypto: still in flight
-                // eslint-disable-next-line jest/no-conditional-expect
-                expect(request.phase).toEqual(VerificationPhase.Started);
            }

            // the dummy device replies with its own 'done'
@@ -564,7 +547,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(qrCodeBuffer).toBeUndefined();
        });

-        newBackendOnly("can verify another by scanning their QR code", async () => {
+        it("can verify another by scanning their QR code", async () => {
            aliceClient = await startTestClient();
            // we need cross-signing keys for a QR code verification
            e2eKeyResponder.addCrossSigningData(SIGNED_CROSS_SIGNING_KEYS_DATA);
@@ -649,7 +632,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(request.verifier).toBeUndefined();

            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            // ... but Alice wants to do an SAS verification
            const sendToDevicePromise = expectSendToDeviceMessage("m.key.verification.start");
@@ -694,7 +677,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(request.verifier).toBeUndefined();

            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            // ... but the dummy device wants to do an SAS verification
            returnToDeviceMessageFromSync(buildSasStartMessage(transactionId));
@@ -743,6 +726,37 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(toDeviceMessage.transaction_id).toEqual(transactionId);
            expect(toDeviceMessage.code).toEqual("m.user");
            expect(request.phase).toEqual(VerificationPhase.Cancelled);
+            expect(request.cancellationCode).toEqual("m.user");
+            expect(request.cancellingUserId).toEqual("@alice:localhost");
+        });
+
+        it("does not include cancelled requests in the list of requests", async () => {
+            // Given Alice started a verification request
+            const [, request] = await Promise.all([
+                expectSendToDeviceMessage("m.key.verification.request"),
+                aliceClient.getCrypto()!.requestDeviceVerification(TEST_USER_ID, TEST_DEVICE_ID),
+            ]);
+            const transactionId = request.transactionId!;
+
+            returnToDeviceMessageFromSync(buildReadyMessage(transactionId, ["m.sas.v1"]));
+            await waitForVerificationRequestChanged(request);
+
+            // Sanity: the request is listed
+            const requestsBeforeCancel = aliceClient
+                .getCrypto()!
+                .getVerificationRequestsToDeviceInProgress(TEST_USER_ID);
+
+            expect(requestsBeforeCancel).toHaveLength(1);
+
+            // When Alice cancels it
+            await Promise.all([expectSendToDeviceMessage("m.key.verification.cancel"), request.cancel()]);
+
+            // Then it is no longer listed as in progress
+            const requestsAfterCancel = aliceClient
+                .getCrypto()!
+                .getVerificationRequestsToDeviceInProgress(TEST_USER_ID);
+
+            expect(requestsAfterCancel).toHaveLength(0);
        });

        it("can cancel during the SAS phase", async () => {
@@ -771,7 +785,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            const sendToDevicePromise = expectSendToDeviceMessage("m.key.verification.accept");
            const verificationPromise = verifier.verify();
            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            jest.advanceTimersByTime(10);
+            vi.advanceTimersByTime(10);
            await sendToDevicePromise;

            // now we unceremoniously cancel. We expect the verificatationPromise to reject.
@@ -801,7 +815,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            // we should now have QR data we can display
            const qrCodeBuffer = (await request.generateQRCode())!;
            expect(qrCodeBuffer).toBeTruthy();
-            const sharedSecret = qrCodeBuffer.subarray(74 + transactionId.length);
+            const sharedSecret = qrCodeBuffer.slice(74 + transactionId.length);

            // the dummy device "scans" the displayed QR code and acknowledges it with a "m.key.verification.start"
            returnToDeviceMessageFromSync(buildReciprocateStartMessage(transactionId, sharedSecret));
@@ -900,7 +914,6 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
    describe("Send verification request in DM", () => {
        beforeEach(async () => {
            aliceClient = await startTestClient();
-            aliceClient.setGlobalErrorOnUnknownDevices(false);

            e2eKeyResponder.addCrossSigningData(BOB_SIGNED_CROSS_SIGNING_KEYS_DATA);
            e2eKeyResponder.addDeviceKeys(BOB_SIGNED_TEST_DEVICE_DATA);
@@ -917,19 +930,16 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
        function awaitRoomMessageRequest(): Promise<IContent> {
            return new Promise((resolve) => {
                // Case of unencrypted message of the new crypto
-                fetchMock.put(
-                    "express:/_matrix/client/v3/rooms/:roomId/send/m.room.message/:txId",
-                    (url: string, options: RequestInit) => {
-                        resolve(JSON.parse(options.body as string));
-                        return { event_id: "$YUwRidLecu:example.com" };
-                    },
-                );
+                fetchMock.put("express:/_matrix/client/v3/rooms/:roomId/send/m.room.message/:txId", (callLog) => {
+                    resolve(JSON.parse(callLog.options.body as string));
+                    return { event_id: "$YUwRidLecu:example.com" };
+                });

                // Case of encrypted message of the old crypto
                fetchMock.put(
                    "express:/_matrix/client/v3/rooms/:roomId/send/m.room.encrypted/:txId",
-                    async (url: string, options: RequestInit) => {
-                        const encryptedMessage = JSON.parse(options.body as string);
+                    async (callLog) => {
+                        const encryptedMessage = JSON.parse(callLog.options.body as string);
                        const event = new MatrixEvent({
                            content: encryptedMessage,
                            type: "m.room.encrypted",
@@ -952,7 +962,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st

            // In `DeviceList#doQueuedQueries`, the key download response is processed every 5ms
            // 5ms by users, ie Bob and Alice
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            const messageRequestPromise = awaitRoomMessageRequest();
            const verificationRequest = await aliceClient
@@ -983,9 +993,18 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            testOlmAccount.create();

            aliceClient = await startTestClient();
-            aliceClient.setGlobalErrorOnUnknownDevices(false);
            syncResponder.sendOrQueueSyncResponse(getSyncResponse([BOB_TEST_USER_ID]));
            await syncPromise(aliceClient);
+
+            // Rust crypto requires the sender's device keys before it accepts a
+            // verification request.
+            const crypto = aliceClient.getCrypto()!;
+
+            const bobDeviceKeys = getTestOlmAccountKeys(testOlmAccount, BOB_TEST_USER_ID, "BobDevice");
+            e2eKeyResponder.addDeviceKeys(bobDeviceKeys);
+            syncResponder.sendOrQueueSyncResponse({ device_lists: { changed: [BOB_TEST_USER_ID] } });
+            await syncPromise(aliceClient);
+            await crypto.getUserDeviceInfo([BOB_TEST_USER_ID]);
        });

        /**
@@ -1053,7 +1072,14 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
        });

        it("ignores old verification requests", async () => {
-            const eventHandler = jest.fn();
+            const debug = vi.fn();
+            const info = vi.fn();
+            const warn = vi.fn();
+
+            // @ts-ignore overriding RustCrypto's logger
+            aliceClient.getCrypto()!.logger = { debug, info, warn };
+
+            const eventHandler = vi.fn();
            aliceClient.on(CryptoEvent.VerificationRequestReceived, eventHandler);

            const verificationRequestEvent = createVerificationRequestEvent();
@@ -1067,6 +1093,16 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            const matrixEvent = room.getLiveTimeline().getEvents()[0];
            expect(matrixEvent.getId()).toEqual(verificationRequestEvent.event_id);

+            // Wait until the request has been processed. We use a real sleep()
+            // here to make sure any background async tasks are completed.
+            vi.useRealTimers();
+            await waitFor(async () => {
+                expect(info).toHaveBeenCalledWith(
+                    expect.stringMatching(/^Ignoring just-received verification request/),
+                );
+                sleep(100);
+            });
+
            // check that an event has not been raised, and that the request is not found
            expect(eventHandler).not.toHaveBeenCalled();
            expect(
@@ -1074,6 +1110,29 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            ).not.toBeDefined();
        });

+        it("ignores cancelled verification requests", async () => {
+            // Given a verification request exists
+            const event = createVerificationRequestEvent();
+            returnRoomMessageFromSync(TEST_ROOM_ID, event);
+
+            // Wait for the request to be received
+            await emitPromise(aliceClient, CryptoEvent.VerificationRequestReceived);
+
+            const request = aliceClient.getCrypto()!.findVerificationRequestDMInProgress(TEST_ROOM_ID, "@bob:xyz");
+
+            // When I cancel it
+            fetchMock.put("express:/_matrix/client/v3/rooms/:roomId/send/m.key.verification.cancel/:id", {
+                event_id: event.event_id,
+            });
+            await request!.cancel();
+            expect(request!.phase).toEqual(VerificationPhase.Cancelled);
+
+            // Then it is no longer found
+            expect(
+                aliceClient.getCrypto()!.findVerificationRequestDMInProgress(TEST_ROOM_ID, "@bob:xyz"),
+            ).not.toBeDefined();
+        });
+
        it("Plaintext verification request from Bob to Alice", async () => {
            // Add verification request from Bob to Alice in the DM between them
            returnRoomMessageFromSync(TEST_ROOM_ID, createVerificationRequestEvent());
@@ -1118,7 +1177,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            returnToDeviceMessageFromSync(toDeviceEvent);

            // advance the clock, because the devicelist likes to sleep for 5ms during key downloads
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            // Wait for the request to be decrypted
            const request1 = await requestEventPromise;
@@ -1133,43 +1192,40 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(request?.otherUserId).toBe("@bob:xyz");
        });

-        newBackendOnly(
-            "If the verification request is not decrypted within 5 minutes, the request is ignored",
-            async () => {
-                const p2pSession = await createOlmSession(testOlmAccount, e2eKeyReceiver);
-                const groupSession = new Olm.OutboundGroupSession();
-                groupSession.create();
+        it("If the verification request is not decrypted within 5 minutes, the request is ignored", async () => {
+            const p2pSession = await createOlmSession(testOlmAccount, e2eKeyReceiver);
+            const groupSession = new Olm.OutboundGroupSession();
+            groupSession.create();

-                // make the room_key event, but don't send it yet
-                const toDeviceEvent = encryptGroupSessionKeyForAlice(groupSession, p2pSession);
+            // make the room_key event, but don't send it yet
+            const toDeviceEvent = encryptGroupSessionKeyForAlice(groupSession, p2pSession);

-                // Add verification request from Bob to Alice in the DM between them
-                returnRoomMessageFromSync(TEST_ROOM_ID, createEncryptedVerificationRequest(groupSession));
+            // Add verification request from Bob to Alice in the DM between them
+            returnRoomMessageFromSync(TEST_ROOM_ID, createEncryptedVerificationRequest(groupSession));

-                // Wait for the sync response to be processed
-                await syncPromise(aliceClient);
+            // Wait for the sync response to be processed
+            await syncPromise(aliceClient);

-                const room = aliceClient.getRoom(TEST_ROOM_ID)!;
-                const matrixEvent = room.getLiveTimeline().getEvents()[0];
+            const room = aliceClient.getRoom(TEST_ROOM_ID)!;
+            const matrixEvent = room.getLiveTimeline().getEvents()[0];

-                // wait for a first attempt at decryption: should fail
-                await awaitDecryption(matrixEvent);
-                expect(matrixEvent.getContent().msgtype).toEqual("m.bad.encrypted");
+            // wait for a first attempt at decryption: should fail
+            await awaitDecryption(matrixEvent);
+            expect(matrixEvent.getContent().msgtype).toEqual("m.bad.encrypted");

-                // Advance time by 5mins, the verification request should be ignored after that
-                jest.advanceTimersByTime(5 * 60 * 1000);
+            // Advance time by 5mins, the verification request should be ignored after that
+            vi.advanceTimersByTime(5 * 60 * 1000);

-                // Send Bob the room keys
-                returnToDeviceMessageFromSync(toDeviceEvent);
+            // Send Bob the room keys
+            returnToDeviceMessageFromSync(toDeviceEvent);

-                // Wait for the message to be decrypted
-                await awaitDecryption(matrixEvent, { waitOnDecryptionFailure: true });
+            // Wait for the message to be decrypted
+            await awaitDecryption(matrixEvent, { waitOnDecryptionFailure: true });

-                const request = aliceClient.getCrypto()!.findVerificationRequestDMInProgress(TEST_ROOM_ID, "@bob:xyz");
-                // the request should not be present
-                expect(request).not.toBeDefined();
-            },
-        );
+            const request = aliceClient.getCrypto()!.findVerificationRequestDMInProgress(TEST_ROOM_ID, "@bob:xyz");
+            // the request should not be present
+            expect(request).not.toBeDefined();
+        });
    });

    describe("Secrets are gossiped after verification", () => {
@@ -1224,7 +1280,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            syncResponder.sendOrQueueSyncResponse(getSyncResponse([TEST_USER_ID]));
            await syncPromise(aliceClient);
            // DeviceList has a sleep(5) which we need to make happen
-            await jest.advanceTimersByTimeAsync(10);
+            await vi.advanceTimersByTimeAsync(10);

            // The client should now know about the olm device
            const devices = await aliceClient.getCrypto()!.getUserDeviceInfo([TEST_USER_ID]);
@@ -1236,12 +1292,11 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            testOlmAccount?.free();

            // Allow in-flight things to complete before we tear down the test
-            await jest.runAllTimersAsync();
-
-            fetchMock.mockReset();
+            await vi.runAllTimersAsync();
        });

-        newBackendOnly("Should request cross signing keys after verification", async () => {
+        // eslint-disable-next-line @vitest/expect-expect
+        it("Should request cross signing keys after verification", async () => {
            const requestPromises = mockSecretRequestAndGetPromises();

            await doInteractiveVerification();
@@ -1252,21 +1307,18 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            await requestPromises.get("m.cross_signing.self_signing");
        });

-        newBackendOnly("Should accept the backup decryption key gossip if valid", async () => {
+        it("Should accept the backup decryption key gossip if valid", async () => {
            const requestPromises = mockSecretRequestAndGetPromises();

            await doInteractiveVerification();

            const requestId = await requestPromises.get("m.megolm_backup.v1");

+            const keyBackupIsCached = emitPromise(aliceClient, CryptoEvent.KeyBackupDecryptionKeyCached);
+
            await sendBackupGossipAndExpectVersion(requestId!, BACKUP_DECRYPTION_KEY_BASE64, matchingBackupInfo);

-            // We are lacking a way to signal that the secret has been received, so we wait a bit..
-            jest.useRealTimers();
-            await new Promise((resolve) => {
-                setTimeout(resolve, 500);
-            });
-            jest.useFakeTimers();
+            await keyBackupIsCached;

            // the backup secret should be cached
            const cachedKey = await aliceClient.getCrypto()!.getSessionBackupPrivateKey();
@@ -1274,7 +1326,43 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            expect(encodeBase64(cachedKey!)).toEqual(BACKUP_DECRYPTION_KEY_BASE64);
        });

-        newBackendOnly("Should not accept the backup decryption key gossip if private key do not match", async () => {
+        it("Should not accept the backup decryption key gossip when there is no server-side key backup", async () => {
+            const requestPromises = mockSecretRequestAndGetPromises();
+
+            await doInteractiveVerification();
+
+            const requestId = await requestPromises.get("m.megolm_backup.v1");
+
+            await sendBackupGossipAndExpectVersion(
+                requestId!,
+                BACKUP_DECRYPTION_KEY_BASE64,
+                new MatrixError({ errcode: "M_NOT_FOUND", error: "No backup found" }, 404),
+            );
+
+            // the backup secret should not be cached
+            const cachedKey = await retrieveBackupPrivateKeyWithDelay();
+            expect(cachedKey).toBeNull();
+        });
+
+        it("Should not accept the backup decryption key gossip when server-side key backup request errors", async () => {
+            const requestPromises = mockSecretRequestAndGetPromises();
+
+            await doInteractiveVerification();
+
+            const requestId = await requestPromises.get("m.megolm_backup.v1");
+
+            await sendBackupGossipAndExpectVersion(
+                requestId!,
+                BACKUP_DECRYPTION_KEY_BASE64,
+                new Error("Network Error!"),
+            );
+
+            // the backup secret should not be cached
+            const cachedKey = await retrieveBackupPrivateKeyWithDelay();
+            expect(cachedKey).toBeNull();
+        });
+
+        it("Should not accept the backup decryption key gossip if private key do not match", async () => {
            const requestPromises = mockSecretRequestAndGetPromises();

            await doInteractiveVerification();
@@ -1283,43 +1371,12 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st

            await sendBackupGossipAndExpectVersion(requestId!, BACKUP_DECRYPTION_KEY_BASE64, nonMatchingBackupInfo);

-            // We are lacking a way to signal that the secret has been received, so we wait a bit..
-            jest.useRealTimers();
-            await new Promise((resolve) => {
-                setTimeout(resolve, 500);
-            });
-            jest.useFakeTimers();
-
            // the backup secret should not be cached
-            const cachedKey = await aliceClient.getCrypto()!.getSessionBackupPrivateKey();
+            const cachedKey = await retrieveBackupPrivateKeyWithDelay();
            expect(cachedKey).toBeNull();
        });

-        newBackendOnly("Should not accept the backup decryption key gossip if backup not trusted", async () => {
-            const requestPromises = mockSecretRequestAndGetPromises();
-
-            await doInteractiveVerification();
-
-            const requestId = await requestPromises.get("m.megolm_backup.v1");
-
-            const infoCopy = Object.assign({}, matchingBackupInfo);
-            delete infoCopy.auth_data.signatures;
-
-            await sendBackupGossipAndExpectVersion(requestId!, BACKUP_DECRYPTION_KEY_BASE64, infoCopy);
-
-            // We are lacking a way to signal that the secret has been received, so we wait a bit..
-            jest.useRealTimers();
-            await new Promise((resolve) => {
-                setTimeout(resolve, 500);
-            });
-            jest.useFakeTimers();
-
-            // the backup secret should not be cached
-            const cachedKey = await aliceClient.getCrypto()!.getSessionBackupPrivateKey();
-            expect(cachedKey).toBeNull();
-        });
-
-        newBackendOnly("Should not accept the backup decryption key gossip if backup algorithm unknown", async () => {
+        it("Should not accept the backup decryption key gossip if backup algorithm unknown", async () => {
            const requestPromises = mockSecretRequestAndGetPromises();

            await doInteractiveVerification();
@@ -1332,19 +1389,12 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
                unknownAlgorithmBackupInfo,
            );

-            // We are lacking a way to signal that the secret has been received, so we wait a bit..
-            jest.useRealTimers();
-            await new Promise((resolve) => {
-                setTimeout(resolve, 500);
-            });
-            jest.useFakeTimers();
-
            // the backup secret should not be cached
-            const cachedKey = await aliceClient.getCrypto()!.getSessionBackupPrivateKey();
+            const cachedKey = await retrieveBackupPrivateKeyWithDelay();
            expect(cachedKey).toBeNull();
        });

-        newBackendOnly("Should not accept an invalid backup decryption key", async () => {
+        it("Should not accept an invalid backup decryption key", async () => {
            const requestPromises = mockSecretRequestAndGetPromises();

            await doInteractiveVerification();
@@ -1353,26 +1403,38 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st

            await sendBackupGossipAndExpectVersion(requestId!, "InvalidSecret", matchingBackupInfo);

-            // We are lacking a way to signal that the secret has been received, so we wait a bit..
-            jest.useRealTimers();
-            await new Promise((resolve) => {
-                setTimeout(resolve, 500);
-            });
-            jest.useFakeTimers();
-
            // the backup secret should not be cached
-            const cachedKey = await aliceClient.getCrypto()!.getSessionBackupPrivateKey();
+            const cachedKey = await retrieveBackupPrivateKeyWithDelay();
            expect(cachedKey).toBeNull();
        });

+        /**
+         * Waits briefly for secrets to be gossipped, then fetches the backup private key from the crypto stack.
+         */
+        async function retrieveBackupPrivateKeyWithDelay(): Promise<Uint8Array | null> {
+            // We are lacking a way to signal that the secret has been received, so we wait a bit..
+            vi.useRealTimers();
+            await new Promise((resolve) => {
+                setTimeout(resolve, 500);
+            });
+            vi.useFakeTimers();
+
+            return aliceClient.getCrypto()!.getSessionBackupPrivateKey();
+        }
+
        /**
         * Common test setup for gossiping secrets.
         * Creates a peer to peer session, sends the secret, mockup the version API, send the secret back from sync, then await for the backup check.
+         *
+         * @param expectBackup - The result to be returned from the `/room_keys/version` request.
+         * - **KeyBackupInfo**: Indicates a successful request, where the response contains the key backup information (HTTP 200).
+         * - **MatrixError**: Represents an error response from the server, indicating an unsuccessful request (non-200 HTTP status).
+         * - **Error**: Indicates an error during the request process itself (e.g., network issues or unexpected failures).
         */
        async function sendBackupGossipAndExpectVersion(
            requestId: string,
            secret: string,
-            expectBackup: KeyBackupInfo,
+            expectBackup: KeyBackupInfo | MatrixError | Error,
        ) {
            const p2pSession = await createOlmSession(testOlmAccount, e2eKeyReceiver);

@@ -1388,16 +1450,21 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            });

            const expectBackupCheck = new Promise((resolve) => {
-                fetchMock.get(
-                    "express:/_matrix/client/v3/room_keys/version",
-                    (url, request) => {
-                        resolve(undefined);
-                        return expectBackup;
-                    },
-                    {
-                        overwriteRoutes: true,
-                    },
-                );
+                fetchMock.get("express:/_matrix/client/v3/room_keys/version", (callLog) => {
+                    resolve(undefined);
+                    if (expectBackup instanceof MatrixError) {
+                        return {
+                            status: expectBackup.httpStatus,
+                            body: expectBackup.data,
+                        };
+                    }
+
+                    if (expectBackup instanceof Error) {
+                        return Promise.reject(expectBackup);
+                    }
+
+                    return expectBackup;
+                });
            });

            fetchMock.get("express:/_matrix/client/v3/room_keys/keys", CURVE25519_KEY_BACKUP_DATA);
@@ -1464,9 +1531,10 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
            userId: TEST_USER_ID,
            accessToken: "akjgkrgjs",
            deviceId: "device_under_test",
+            logger: new DebugLogger(debug(`matrix-js-sdk:verification`)),
            ...opts,
        });
-        await initCrypto(client);
+        await client.initRustCrypto();
        await client.startClient();
        return client;
    }
@@ -1477,7 +1545,7 @@ describe.each(Object.entries(CRYPTO_BACKENDS))("verification (%s)", (backend: st
        // user will be one).
        syncResponder.sendOrQueueSyncResponse({});
        // DeviceList has a sleep(5) which we need to make happen
-        await jest.advanceTimersByTimeAsync(10);
+        await vi.advanceTimersByTimeAsync(10);

        // The client should now know about the dummy device
        const devices = await aliceClient.getCrypto()!.getUserDeviceInfo([TEST_USER_ID]);
@@ -1511,8 +1579,8 @@ function expectSendToDeviceMessage(msgtype: string): Promise<{ messages: any }>
    return new Promise((resolve) => {
        fetchMock.putOnce(
            new RegExp(`/_matrix/client/(r0|v3)/sendToDevice/${escapeRegExp(msgtype)}`),
-            (url: string, opts: RequestInit): MockResponse => {
-                resolve(JSON.parse(opts.body as string));
+            (callLog): RouteResponse => {
+                resolve(JSON.parse(callLog.options.body as string));
                return {};
            },
        );
@@ -1528,40 +1596,36 @@ function expectSendToDeviceMessage(msgtype: string): Promise<{ messages: any }>
 *  @returns a map of secret name to promise that will resolve (with the id of the secret request) when the secret is requested.
 */
 function mockSecretRequestAndGetPromises(): Map<string, Promise<string>> {
-    const mskRequestDefer = defer<string>();
-    const sskRequestDefer = defer<string>();
-    const uskRequestDefer = defer<string>();
-    const backupKeyRequestDefer = defer<string>();
+    const mskRequestResolvers = Promise.withResolvers<string>();
+    const sskRequestResolvers = Promise.withResolvers<string>();
+    const uskRequestResolvers = Promise.withResolvers<string>();
+    const backupKeyRequestResolvers = Promise.withResolvers<string>();

-    fetchMock.put(
-        new RegExp(`/_matrix/client/(r0|v3)/sendToDevice/m.secret.request`),
-        (url: string, opts: RequestInit): MockResponse => {
-            const messages = JSON.parse(opts.body as string).messages[TEST_USER_ID];
-            // rust crypto broadcasts to all devices, old crypto to a specific device, take the first one
-            const content = Object.values(messages)[0] as any;
-            if (content.action == "request") {
-                const name = content.name;
-                const requestId = content.request_id;
-                if (name == "m.cross_signing.user_signing") {
-                    uskRequestDefer.resolve(requestId);
-                } else if (name == "m.cross_signing.master") {
-                    mskRequestDefer.resolve(requestId);
-                } else if (name == "m.cross_signing.self_signing") {
-                    sskRequestDefer.resolve(requestId);
-                } else if (name == "m.megolm_backup.v1") {
-                    backupKeyRequestDefer.resolve(requestId);
-                }
+    fetchMock.put(new RegExp(`/_matrix/client/(r0|v3)/sendToDevice/m.secret.request`), (callLog): RouteResponse => {
+        const messages = JSON.parse(callLog.options.body as string).messages[TEST_USER_ID];
+        // rust crypto broadcasts to all devices, old crypto to a specific device, take the first one
+        const content = Object.values(messages)[0] as any;
+        if (content.action == "request") {
+            const name = content.name;
+            const requestId = content.request_id;
+            if (name == "m.cross_signing.user_signing") {
+                uskRequestResolvers.resolve(requestId);
+            } else if (name == "m.cross_signing.master") {
+                mskRequestResolvers.resolve(requestId);
+            } else if (name == "m.cross_signing.self_signing") {
+                sskRequestResolvers.resolve(requestId);
+            } else if (name == "m.megolm_backup.v1") {
+                backupKeyRequestResolvers.resolve(requestId);
            }
-            return {};
-        },
-        { overwriteRoutes: true },
-    );
+        }
+        return {};
+    });

    const promiseMap = new Map<string, Promise<string>>();
-    promiseMap.set("m.cross_signing.master", mskRequestDefer.promise);
-    promiseMap.set("m.cross_signing.self_signing", sskRequestDefer.promise);
-    promiseMap.set("m.cross_signing.user_signing", uskRequestDefer.promise);
-    promiseMap.set("m.megolm_backup.v1", backupKeyRequestDefer.promise);
+    promiseMap.set("m.cross_signing.master", mskRequestResolvers.promise);
+    promiseMap.set("m.cross_signing.self_signing", sskRequestResolvers.promise);
+    promiseMap.set("m.cross_signing.user_signing", uskRequestResolvers.promise);
+    promiseMap.set("m.megolm_backup.v1", backupKeyRequestResolvers.promise);
    return promiseMap;
 }

@@ -1592,7 +1656,7 @@ function sha256(commitmentStr: string): string {
    return encodeUnpaddedBase64(createHash("sha256").update(commitmentStr, "utf8").digest());
 }

-function encodeUnpaddedBase64(uint8Array: ArrayBuffer | Uint8Array): string {
+function encodeUnpaddedBase64(uint8Array: ArrayLike<number>): string {
    return Buffer.from(uint8Array).toString("base64").replace(/=+$/g, "");
 }

@@ -1626,7 +1690,7 @@ function buildReadyMessage(
 }

 /** build an m.key.verification.start to-device message suitable for the m.reciprocate.v1 flow, originating from the dummy device */
-function buildReciprocateStartMessage(transactionId: string, sharedSecret: Uint8Array) {
+function buildReciprocateStartMessage(transactionId: string, sharedSecret: ArrayLike<number>) {
    return {
        type: "m.key.verification.start",
        content: {
@@ -1722,7 +1786,7 @@ function buildQRCode(
    key2Base64: string,
    sharedSecret: string,
    mode = 0x02,
-): Uint8Array {
+): Uint8ClampedArray {
    // https://spec.matrix.org/v1.7/client-server-api/#qr-code-format

    const qrCodeBuffer = Buffer.alloc(150); // oversize
@@ -1738,5 +1802,5 @@ function buildQRCode(
    idx += qrCodeBuffer.write(sharedSecret, idx);

    // truncate to the right length
-    return qrCodeBuffer.subarray(0, idx);
+    return new Uint8ClampedArray(qrCodeBuffer.subarray(0, idx));
 }
@@ -1,405 +0,0 @@
-/*
-Copyright 2017 Vector Creations Ltd
-Copyright 2018 New Vector Ltd
-Copyright 2019 The Matrix.org Foundation C.I.C.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-import { TestClient } from "../TestClient";
-import * as testUtils from "../test-utils/test-utils";
-import { logger } from "../../src/logger";
-
-const ROOM_ID = "!room:id";
-
-/**
- * get a /sync response which contains a single e2e room (ROOM_ID), with the
- * members given
- *
- * @returns sync response
- */
-function getSyncResponse(roomMembers: string[]) {
-    const stateEvents = [
-        testUtils.mkEvent({
-            type: "m.room.encryption",
-            skey: "",
-            content: {
-                algorithm: "m.megolm.v1.aes-sha2",
-            },
-        }),
-    ];
-
-    Array.prototype.push.apply(
-        stateEvents,
-        roomMembers.map((m) =>
-            testUtils.mkMembership({
-                mship: "join",
-                sender: m,
-            }),
-        ),
-    );
-
-    const syncResponse = {
-        next_batch: 1,
-        rooms: {
-            join: {
-                [ROOM_ID]: {
-                    state: {
-                        events: stateEvents,
-                    },
-                },
-            },
-        },
-    };
-
-    return syncResponse;
-}
-
-describe("DeviceList management:", function () {
-    if (!global.Olm) {
-        logger.warn("not running deviceList tests: Olm not present");
-        return;
-    }
-
-    let aliceTestClient: TestClient;
-    let sessionStoreBackend: Storage;
-
-    async function createTestClient() {
-        const testClient = new TestClient("@alice:localhost", "xzcvb", "akjgkrgjs", sessionStoreBackend);
-        await testClient.client.initCrypto();
-        return testClient;
-    }
-
-    beforeEach(async function () {
-        // we create our own sessionStoreBackend so that we can use it for
-        // another TestClient.
-        sessionStoreBackend = new testUtils.MockStorageApi();
-
-        aliceTestClient = await createTestClient();
-    });
-
-    afterEach(function () {
-        return aliceTestClient.stop();
-    });
-
-    it("Alice shouldn't do a second /query for non-e2e-capable devices", function () {
-        aliceTestClient.expectKeyQuery({
-            device_keys: { "@alice:localhost": {} },
-            failures: {},
-        });
-        return aliceTestClient
-            .start()
-            .then(function () {
-                const syncResponse = getSyncResponse(["@bob:xyz"]);
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, syncResponse);
-
-                return aliceTestClient.flushSync();
-            })
-            .then(function () {
-                logger.log("Forcing alice to download our device keys");
-
-                aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                    device_keys: {
-                        "@bob:xyz": {},
-                    },
-                });
-
-                return Promise.all([
-                    aliceTestClient.client.downloadKeys(["@bob:xyz"]),
-                    aliceTestClient.httpBackend.flush("/keys/query", 1),
-                ]);
-            })
-            .then(function () {
-                logger.log("Telling alice to send a megolm message");
-
-                aliceTestClient.httpBackend.when("PUT", "/send/").respond(200, {
-                    event_id: "$event_id",
-                });
-
-                return Promise.all([
-                    aliceTestClient.client.sendTextMessage(ROOM_ID, "test"),
-
-                    // the crypto stuff can take a while, so give the requests a whole second.
-                    aliceTestClient.httpBackend.flushAllExpected({
-                        timeout: 1000,
-                    }),
-                ]);
-            });
-    });
-
-    it.skip("We should not get confused by out-of-order device query responses", () => {
-        // https://github.com/vector-im/element-web/issues/3126
-        aliceTestClient.expectKeyQuery({
-            device_keys: { "@alice:localhost": {} },
-            failures: {},
-        });
-        return aliceTestClient
-            .start()
-            .then(() => {
-                aliceTestClient.httpBackend
-                    .when("GET", "/sync")
-                    .respond(200, getSyncResponse(["@bob:xyz", "@chris:abc"]));
-                return aliceTestClient.flushSync();
-            })
-            .then(() => {
-                // to make sure the initial device queries are flushed out, we
-                // attempt to send a message.
-
-                aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                    device_keys: {
-                        "@bob:xyz": {},
-                        "@chris:abc": {},
-                    },
-                });
-
-                aliceTestClient.httpBackend.when("PUT", "/send/").respond(200, { event_id: "$event1" });
-
-                return Promise.all([
-                    aliceTestClient.client.sendTextMessage(ROOM_ID, "test"),
-                    aliceTestClient.httpBackend
-                        .flush("/keys/query", 1)
-                        .then(() => aliceTestClient.httpBackend.flush("/send/", 1)),
-                    aliceTestClient.client.crypto!.deviceList.saveIfDirty(),
-                ]);
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    expect(data!.syncToken).toEqual(1);
-                });
-
-                // invalidate bob's and chris's device lists in separate syncs
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                    next_batch: "2",
-                    device_lists: {
-                        changed: ["@bob:xyz"],
-                    },
-                });
-                aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                    next_batch: "3",
-                    device_lists: {
-                        changed: ["@chris:abc"],
-                    },
-                });
-                // flush both syncs
-                return aliceTestClient.flushSync().then(() => {
-                    return aliceTestClient.flushSync();
-                });
-            })
-            .then(() => {
-                // check that we don't yet have a request for chris's devices.
-                aliceTestClient.httpBackend
-                    .when("POST", "/keys/query", {
-                        device_keys: {
-                            "@chris:abc": {},
-                        },
-                        token: "3",
-                    })
-                    .respond(200, {
-                        device_keys: { "@chris:abc": {} },
-                    });
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(0);
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    if (bobStat != 1 && bobStat != 2) {
-                        throw new Error("Unexpected status for bob: wanted 1 or 2, got " + bobStat);
-                    }
-                    const chrisStat = data!.trackingStatus["@chris:abc"];
-                    if (chrisStat != 1 && chrisStat != 2) {
-                        throw new Error("Unexpected status for chris: wanted 1 or 2, got " + chrisStat);
-                    }
-                });
-
-                // now add an expectation for a query for bob's devices, and let
-                // it complete.
-                aliceTestClient.httpBackend
-                    .when("POST", "/keys/query", {
-                        device_keys: {
-                            "@bob:xyz": {},
-                        },
-                        token: "2",
-                    })
-                    .respond(200, {
-                        device_keys: { "@bob:xyz": {} },
-                    });
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(1);
-
-                // wait for the client to stop processing the response
-                return aliceTestClient.client.downloadKeys(["@bob:xyz"]);
-            })
-            .then(() => {
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    expect(bobStat).toEqual(3);
-                    const chrisStat = data!.trackingStatus["@chris:abc"];
-                    if (chrisStat != 1 && chrisStat != 2) {
-                        throw new Error("Unexpected status for chris: wanted 1 or 2, got " + bobStat);
-                    }
-                });
-
-                // now let the query for chris's devices complete.
-                return aliceTestClient.httpBackend.flush("/keys/query", 1);
-            })
-            .then((flushed) => {
-                expect(flushed).toEqual(1);
-
-                // wait for the client to stop processing the response
-                return aliceTestClient.client.downloadKeys(["@chris:abc"]);
-            })
-            .then(() => {
-                return aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-            })
-            .then(() => {
-                // @ts-ignore accessing a protected field
-                aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-                    const chrisStat = data!.trackingStatus["@bob:xyz"];
-
-                    expect(bobStat).toEqual(3);
-                    expect(chrisStat).toEqual(3);
-                    expect(data!.syncToken).toEqual(3);
-                });
-            });
-    });
-
-    // https://github.com/vector-im/element-web/issues/4983
-    describe("Alice should know she has stale device lists", () => {
-        beforeEach(async function () {
-            await aliceTestClient.start();
-
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, getSyncResponse(["@bob:xyz"]));
-            await aliceTestClient.flushSync();
-
-            aliceTestClient.httpBackend.when("POST", "/keys/query").respond(200, {
-                device_keys: {
-                    "@bob:xyz": {},
-                },
-            });
-            await aliceTestClient.httpBackend.flush("/keys/query", 1);
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should be tracking bob's device list
-                expect(bobStat).toBeGreaterThan(0);
-            });
-        });
-
-        it("when Bob leaves", async function () {
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                next_batch: 2,
-                device_lists: {
-                    left: ["@bob:xyz"],
-                },
-                rooms: {
-                    join: {
-                        [ROOM_ID]: {
-                            timeline: {
-                                events: [
-                                    testUtils.mkMembership({
-                                        mship: "leave",
-                                        sender: "@bob:xyz",
-                                    }),
-                                ],
-                            },
-                        },
-                    },
-                },
-            });
-
-            await aliceTestClient.flushSync();
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should have marked bob's device list as untracked
-                expect(bobStat).toEqual(0);
-            });
-        });
-
-        it("when Alice leaves", async function () {
-            aliceTestClient.httpBackend.when("GET", "/sync").respond(200, {
-                next_batch: 2,
-                device_lists: {
-                    left: ["@bob:xyz"],
-                },
-                rooms: {
-                    leave: {
-                        [ROOM_ID]: {
-                            timeline: {
-                                events: [
-                                    testUtils.mkMembership({
-                                        mship: "leave",
-                                        sender: "@bob:xyz",
-                                    }),
-                                ],
-                            },
-                        },
-                    },
-                },
-            });
-
-            await aliceTestClient.flushSync();
-            await aliceTestClient.client.crypto!.deviceList.saveIfDirty();
-
-            // @ts-ignore accessing a protected field
-            aliceTestClient.client.cryptoStore!.getEndToEndDeviceData(null, (data) => {
-                const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                // Alice should have marked bob's device list as untracked
-                expect(bobStat).toEqual(0);
-            });
-        });
-
-        it("when Bob leaves whilst Alice is offline", async function () {
-            aliceTestClient.stop();
-
-            const anotherTestClient = await createTestClient();
-
-            try {
-                await anotherTestClient.start();
-                anotherTestClient.httpBackend.when("GET", "/sync").respond(200, getSyncResponse([]));
-                await anotherTestClient.flushSync();
-                await anotherTestClient.client?.crypto?.deviceList?.saveIfDirty();
-
-                // @ts-ignore accessing private property
-                anotherTestClient.client.cryptoStore.getEndToEndDeviceData(null, (data) => {
-                    const bobStat = data!.trackingStatus["@bob:xyz"];
-
-                    // Alice should have marked bob's device list as untracked
-                    expect(bobStat).toEqual(0);
-                });
-            } finally {
-                anotherTestClient.stop();
-            }
-        });
-    });
-});
@@ -14,13 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import {
    ClientEvent,
    HttpApiEvent,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    RoomEvent,
    RoomMemberEvent,
    RoomStateEvent,
@@ -28,6 +27,7 @@ import {
 } from "../../src";
 import * as utils from "../test-utils/test-utils";
 import { TestClient } from "../TestClient";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient events", function () {
    const selfUserId = "@alice:localhost";
@@ -85,7 +85,7 @@ describe("MatrixClient events", function () {
                            events: [
                                utils.mkMembership({
                                    room: "!erufh:bar",
-                                    mship: "join",
+                                    mship: KnownMembership.Join,
                                    user: "@foo:bar",
                                }),
                                utils.mkEvent({
@@ -272,7 +272,7 @@ describe("MatrixClient events", function () {
                membersInvokeCount++;
                expect(member.roomId).toEqual("!erufh:bar");
                expect(member.userId).toEqual("@foo:bar");
-                expect(member.membership).toEqual("join");
+                expect(member.membership).toEqual(KnownMembership.Join);
            });
            client!.on(RoomStateEvent.NewMember, function (event, state, member) {
                newMemberInvokeCount++;
@@ -310,7 +310,7 @@ describe("MatrixClient events", function () {
            });
            client!.on(RoomMemberEvent.Membership, function (event, member) {
                membershipInvokeCount++;
-                expect(member.membership).toEqual("join");
+                expect(member.membership).toEqual(KnownMembership.Join);
            });

            client!.startClient();
@@ -23,19 +23,20 @@ import {
    EventTimelineSet,
    EventType,
    Filter,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    MatrixEvent,
    PendingEventOrdering,
    RelationType,
    Room,
 } from "../../src/matrix";
 import { logger } from "../../src/logger";
-import { encodeParams, encodeUri, QueryDict, replaceParam } from "../../src/utils";
+import { encodeParams, encodeUri, type QueryDict, replaceParam } from "../../src/utils";
 import { TestClient } from "../TestClient";
-import { FeatureSupport, Thread, THREAD_RELATION_TYPE, ThreadEvent } from "../../src/models/thread";
+import { FeatureSupport, Thread, ThreadEvent } from "../../src/models/thread";
 import { emitPromise } from "../test-utils/test-utils";
 import { Feature, ServerSupport } from "../../src/feature";
+import { KnownMembership } from "../../src/@types/membership";

 const userId = "@alice:localhost";
 const userName = "Alice";
@@ -63,7 +64,7 @@ const buildRelationPaginationQuery = (params: QueryDict): string => {

 const USER_MEMBERSHIP_EVENT = utils.mkMembership({
    room: roomId,
-    mship: "join",
+    mship: KnownMembership.Join,
    user: userId,
    name: userName,
    event: false,
@@ -98,7 +99,7 @@ const INITIAL_SYNC_DATA = {
                    events: [
                        withoutRoomId(ROOM_NAME_EVENT),
                        utils.mkMembership({
-                            mship: "join",
+                            mship: KnownMembership.Join,
                            user: otherUserId,
                            name: "Bob",
                            event: false,
@@ -607,11 +608,6 @@ describe("MatrixClient event timelines", function () {
            await client.stopClient(); // we don't need the client to be syncing at this time
            const room = client.getRoom(roomId)!;

-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
            httpBackend
                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
                .respond(200, function () {
@@ -623,9 +619,7 @@ describe("MatrixClient event timelines", function () {
                    "GET",
                    "/rooms/!foo%3Abar/relations/" +
                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Backward, limit: 1 }),
+                        buildRelationPaginationQuery({ dir: Direction.Backward }),
                )
                .respond(200, function () {
                    return {
@@ -678,7 +672,7 @@ describe("MatrixClient event timelines", function () {
            expect(timeline!.getEvents().find((e) => e.getId() === THREAD_ROOT.event_id!)).toBeTruthy();
        });

-        it("should return undefined when event is not in the thread that the given timelineSet is representing", () => {
+        it("should return null when event is not in the thread that the given timelineSet is representing", () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
            Thread.setServerSideSupport(FeatureSupport.Experimental);
@@ -702,12 +696,12 @@ describe("MatrixClient event timelines", function () {
                });

            return Promise.all([
-                expect(client.getEventTimeline(timelineSet, EVENTS[0].event_id!)).resolves.toBeUndefined(),
+                expect(client.getEventTimeline(timelineSet, EVENTS[0].event_id!)).resolves.toBeNull(),
                httpBackend.flushAllExpected(),
            ]);
        });

-        it("should return undefined when event is within a thread but timelineSet is not", () => {
+        it("should return null when event is within a thread but timelineSet is not", () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
            Thread.setServerSideSupport(FeatureSupport.Experimental);
@@ -729,7 +723,7 @@ describe("MatrixClient event timelines", function () {
                });

            return Promise.all([
-                expect(client.getEventTimeline(timelineSet, THREAD_REPLY.event_id!)).resolves.toBeUndefined(),
+                expect(client.getEventTimeline(timelineSet, THREAD_REPLY.event_id!)).resolves.toBeNull(),
                httpBackend.flushAllExpected(),
            ]);
        });
@@ -1150,21 +1144,18 @@ describe("MatrixClient event timelines", function () {

        const prom = emitPromise(room, ThreadEvent.Update);
        // Assume we're seeing the reply while loading backlog
-        await room.addLiveEvents([THREAD_REPLY2]);
+        await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
        httpBackend
            .when(
                "GET",
-                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                    encodeURIComponent(THREAD_ROOT_UPDATED.event_id!) +
-                    "/" +
-                    encodeURIComponent(THREAD_RELATION_TYPE.name),
+                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" + encodeURIComponent(THREAD_ROOT_UPDATED.event_id!),
            )
            .respond(200, {
                chunk: [THREAD_REPLY3.event, THREAD_REPLY2.event, THREAD_REPLY],
            });
        await flushHttp(prom);
        // but while loading the metadata, a new reply has arrived
-        await room.addLiveEvents([THREAD_REPLY3]);
+        await room.addLiveEvents([THREAD_REPLY3], { addToState: false });
        const thread = room.getThread(THREAD_ROOT_UPDATED.event_id!)!;
        // then the events should still be all in the right order
        expect(thread.events.map((it) => it.getId())).toEqual([
@@ -1256,17 +1247,14 @@ describe("MatrixClient event timelines", function () {

        const prom = emitPromise(room, ThreadEvent.Update);
        // Assume we're seeing the reply while loading backlog
-        await room.addLiveEvents([THREAD_REPLY2]);
+        await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
        httpBackend
            .when(
                "GET",
                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
                    encodeURIComponent(THREAD_ROOT_UPDATED.event_id!) +
-                    "/" +
-                    encodeURIComponent(THREAD_RELATION_TYPE.name) +
                    buildRelationPaginationQuery({
                        dir: Direction.Backward,
-                        limit: 3,
                        recurse: true,
                    }),
            )
@@ -1275,7 +1263,7 @@ describe("MatrixClient event timelines", function () {
            });
        await flushHttp(prom);
        // but while loading the metadata, a new reply has arrived
-        await room.addLiveEvents([THREAD_REPLY3]);
+        await room.addLiveEvents([THREAD_REPLY3], { addToState: false });
        const thread = room.getThread(THREAD_ROOT_UPDATED.event_id!)!;
        // then the events should still be all in the right order
        expect(thread.events.map((it) => it.getId())).toEqual([
@@ -1321,11 +1309,7 @@ describe("MatrixClient event timelines", function () {
        function respondToThread(root: Partial<IEvent>, replies: Partial<IEvent>[]): ExpectedHttpRequest {
            const request = httpBackend.when(
                "GET",
-                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
-                    encodeURIComponent(root.event_id!) +
-                    "/" +
-                    encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                    "?dir=b&limit=1",
+                "/_matrix/client/v1/rooms/!foo%3Abar/relations/" + encodeURIComponent(root.event_id!) + "?dir=b",
            );
            request.respond(200, function () {
                return {
@@ -1557,9 +1541,7 @@ describe("MatrixClient event timelines", function () {
                expect(timelineSets).not.toBeNull();
                respondToThreads(threadsResponse);
                respondToThreads(threadsResponse);
-                respondToEvent(THREAD_ROOT);
                respondToEvent(THREAD2_ROOT);
-                respondToThread(THREAD_ROOT, [THREAD_REPLY]);
                respondToThread(THREAD2_ROOT, [THREAD2_REPLY]);
                await flushHttp(room.fetchRoomThreads());
                const threadIds = room.getThreads().map((thread) => thread.id);
@@ -1567,7 +1549,7 @@ describe("MatrixClient event timelines", function () {
                expect(threadIds).toContain(THREAD2_ROOT.event_id);
                const [allThreads] = timelineSets!;
                const timeline = allThreads.getLiveTimeline()!;
-                // Test threads are in chronological order
+                // Test threads are in chronological order (first thread should be first because it has a more recent reply)
                expect(timeline.getEvents().map((it) => it.event.event_id)).toEqual([
                    THREAD_ROOT.event_id,
                    THREAD2_ROOT.event_id,
@@ -1578,8 +1560,7 @@ describe("MatrixClient event timelines", function () {
                thread.initialEventsFetched = true;
                const prom = emitPromise(room, ThreadEvent.NewReply);
                respondToEvent(THREAD_ROOT_UPDATED);
-                respondToEvent(THREAD2_ROOT);
-                await room.addLiveEvents([THREAD_REPLY2]);
+                await room.addLiveEvents([THREAD_REPLY2], { addToState: false });
                await httpBackend.flushAllExpected();
                await prom;
                expect(thread.length).toBe(2);
@@ -1655,7 +1636,7 @@ describe("MatrixClient event timelines", function () {
                            ...THREAD_ROOT.unsigned!["m.relations"],
                            "io.element.thread": {
                                ...THREAD_ROOT.unsigned!["m.relations"]!["io.element.thread"],
-                                count: 2,
+                                count: 1,
                                latest_event: THREAD_REPLY,
                            },
                        },
@@ -1704,8 +1685,7 @@ describe("MatrixClient event timelines", function () {
                thread.initialEventsFetched = true;
                const prom = emitPromise(room, ThreadEvent.Update);
                respondToEvent(THREAD_ROOT_UPDATED);
-                respondToEvent(THREAD2_ROOT);
-                await room.addLiveEvents([THREAD_REPLY_REACTION]);
+                await room.addLiveEvents([THREAD_REPLY_REACTION], { addToState: false });
                await httpBackend.flushAllExpected();
                await prom;
                expect(thread.length).toBe(1); // reactions don't count towards the length of a thread
@@ -1942,7 +1922,7 @@ describe("MatrixClient event timelines", function () {

        // a state event, followed by a redaction thereof
        const event = utils.mkMembership({
-            mship: "join",
+            mship: KnownMembership.Join,
            user: otherUserId,
        });
        const redaction = utils.mkEvent({
@@ -2019,11 +1999,6 @@ describe("MatrixClient event timelines", function () {
                    },
                },
            });
-            httpBackend
-                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
-                .respond(200, function () {
-                    return THREAD_ROOT;
-                });
            httpBackend
                .when("GET", "/rooms/!foo%3Abar/event/" + encodeURIComponent(THREAD_ROOT.event_id!))
                .respond(200, function () {
@@ -2034,9 +2009,7 @@ describe("MatrixClient event timelines", function () {
                    "GET",
                    "/_matrix/client/v1/rooms/!foo%3Abar/relations/" +
                        encodeURIComponent(THREAD_ROOT.event_id!) +
-                        "/" +
-                        encodeURIComponent(THREAD_RELATION_TYPE.name) +
-                        buildRelationPaginationQuery({ dir: Direction.Backward, limit: 1 }),
+                        buildRelationPaginationQuery({ dir: Direction.Backward }),
                )
                .respond(200, function () {
                    return {
@@ -2071,6 +2044,7 @@ describe("MatrixClient event timelines", function () {
            expect(timeline!.getEvents()[1]!.event).toEqual(THREAD_REPLY);
        }

+        // eslint-disable-next-line @vitest/expect-expect
        it("in stable mode", async () => {
            // @ts-ignore
            client.clientOpts.threadSupport = true;
@@ -13,20 +13,28 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import HttpBackend from "matrix-mock-request";
-import { Mocked } from "jest-mock";

+import type HttpBackend from "matrix-mock-request";
 import * as utils from "../test-utils/test-utils";
-import { CRYPTO_ENABLED, IStoredClientOpts, MatrixClient } from "../../src/client";
+import { type IStoredClientOpts, MatrixClient } from "../../src/client";
 import { MatrixEvent } from "../../src/models/event";
-import { Filter, KnockRoomOpts, MemoryStore, Method, Room, SERVICE_TYPES } from "../../src/matrix";
+import {
+    Filter,
+    JoinRule,
+    type KnockRoomOpts,
+    MemoryStore,
+    Method,
+    Room,
+    type RoomSummary,
+    SERVICE_TYPES,
+} from "../../src/matrix";
 import { TestClient } from "../TestClient";
 import { THREAD_RELATION_TYPE } from "../../src/models/thread";
-import { IFilterDefinition } from "../../src/filter";
-import { ISearchResults } from "../../src/@types/search";
-import { IStore } from "../../src/store";
-import { CryptoBackend } from "../../src/common-crypto/CryptoBackend";
+import { type IFilterDefinition } from "../../src/filter";
+import { type ISearchResults } from "../../src/@types/search";
+import { type IStore } from "../../src/store";
 import { SetPresence } from "../../src/sync";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient", function () {
    const userId = "@alice:localhost";
@@ -149,6 +157,30 @@ describe("MatrixClient", function () {
        });
    });

+    describe("mediaConfig", function () {
+        it("should get media config on unauthenticated media call", async () => {
+            httpBackend.when("GET", "/_matrix/media/v3/config").respond(200, '{"m.upload.size": 50000000}', true);
+
+            const prom = client.getMediaConfig();
+
+            httpBackend.flushAllExpected();
+
+            expect((await prom)["m.upload.size"]).toEqual(50000000);
+        });
+
+        it("should get media config on authenticated media call", async () => {
+            httpBackend
+                .when("GET", "/_matrix/client/v1/media/config")
+                .respond(200, '{"m.upload.size": 50000000}', true);
+
+            const prom = client.getMediaConfig(true);
+
+            httpBackend.flushAllExpected();
+
+            expect((await prom)["m.upload.size"]).toEqual(50000000);
+        });
+    });
+
    describe("joinRoom", function () {
        it("should no-op given the ID of a room you've already joined", async () => {
            const roomId = "!foo:bar";
@@ -158,14 +190,17 @@ describe("MatrixClient", function () {
                    type: "test",
                    content: {},
                });
-            room.addLiveEvents([
-                utils.mkMembership({
-                    user: userId,
-                    room: roomId,
-                    mship: "join",
-                    event: true,
-                }),
-            ]);
+            room.addLiveEvents(
+                [
+                    utils.mkMembership({
+                        user: userId,
+                        room: roomId,
+                        mship: KnownMembership.Join,
+                        event: true,
+                    }),
+                ],
+                { addToState: true },
+            );
            httpBackend.verifyNoOutstandingRequests();
            store.storeRoom(room);

@@ -178,14 +213,17 @@ describe("MatrixClient", function () {
            const roomId = "!roomId:server";
            const roomAlias = "#my-fancy-room:server";
            const room = new Room(roomId, client, userId);
-            room.addLiveEvents([
-                utils.mkMembership({
-                    user: userId,
-                    room: roomId,
-                    mship: "join",
-                    event: true,
-                }),
-            ]);
+            room.addLiveEvents(
+                [
+                    utils.mkMembership({
+                        user: userId,
+                        room: roomId,
+                        mship: KnownMembership.Join,
+                        event: true,
+                    }),
+                ],
+                { addToState: true },
+            );
            store.storeRoom(room);

            // The method makes a request to resolve the alias
@@ -229,6 +267,59 @@ describe("MatrixClient", function () {
        });
    });

+    describe("invite", function () {
+        it("should send request to /invite", async () => {
+            const roomId = "!roomId:server";
+            const userId = "@user:server";
+
+            httpBackend
+                .when("POST", `/rooms/${encodeURIComponent(roomId)}/invite`)
+                .check((request) => {
+                    expect(request.data).toEqual({ user_id: userId });
+                })
+                .respond(200, {});
+
+            const prom = client.invite(roomId, userId);
+            await httpBackend.flushAllExpected();
+            await prom;
+            httpBackend.verifyNoOutstandingExpectation();
+        });
+
+        it("accepts a stringy reason argument", async () => {
+            const roomId = "!roomId:server";
+            const userId = "@user:server";
+
+            httpBackend
+                .when("POST", `/rooms/${encodeURIComponent(roomId)}/invite`)
+                .check((request) => {
+                    expect(request.data).toEqual({ user_id: userId, reason: "testreason" });
+                })
+                .respond(200, {});
+
+            const prom = client.invite(roomId, userId, "testreason");
+            await httpBackend.flushAllExpected();
+            await prom;
+            httpBackend.verifyNoOutstandingExpectation();
+        });
+
+        it("accepts an options object with a reason", async () => {
+            const roomId = "!roomId:server";
+            const userId = "@user:server";
+
+            httpBackend
+                .when("POST", `/rooms/${encodeURIComponent(roomId)}/invite`)
+                .check((request) => {
+                    expect(request.data).toEqual({ user_id: userId, reason: "testreason" });
+                })
+                .respond(200, {});
+
+            const prom = client.invite(roomId, userId, { reason: "testreason" });
+            await httpBackend.flushAllExpected();
+            await prom;
+            httpBackend.verifyNoOutstandingExpectation();
+        });
+    });
+
    describe("knockRoom", function () {
        const roomId = "!some-room-id:example.org";
        const reason = "some reason";
@@ -247,7 +338,7 @@ describe("MatrixClient", function () {
                .when("POST", "/knock/" + encodeURIComponent(roomId))
                .check((request) => {
                    expect(request.data).toEqual({ reason: opts.reason });
-                    expect(request.queryParams).toEqual({ server_name: opts.viaServers });
+                    expect(request.queryParams).toEqual({ server_name: opts.viaServers, via: opts.viaServers });
                })
                .respond(200, { room_id: roomId });

@@ -256,6 +347,7 @@ describe("MatrixClient", function () {
            expect((await prom).room_id).toBe(roomId);
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("should no-op if you've already knocked a room", function () {
            const room = new Room(roomId, client, userId);

@@ -265,14 +357,17 @@ describe("MatrixClient", function () {
                    content: {},
                });

-            room.addLiveEvents([
-                utils.mkMembership({
-                    user: userId,
-                    room: roomId,
-                    mship: "knock",
-                    event: true,
-                }),
-            ]);
+            room.addLiveEvents(
+                [
+                    utils.mkMembership({
+                        user: userId,
+                        room: roomId,
+                        mship: KnownMembership.Knock,
+                        event: true,
+                    }),
+                ],
+                { addToState: true },
+            );

            httpBackend.verifyNoOutstandingRequests();
            store.storeRoom(room);
@@ -286,23 +381,16 @@ describe("MatrixClient", function () {
                [
                    403,
                    { errcode: "M_FORBIDDEN", error: "You don't have permission to knock" },
-                    "[M_FORBIDDEN: MatrixError: [403] You don't have permission to knock]",
-                ],
-                [
-                    500,
-                    { errcode: "INTERNAL_SERVER_ERROR" },
-                    "[INTERNAL_SERVER_ERROR: MatrixError: [500] Unknown message]",
+                    "MatrixError: [403] You don't have permission to knock",
                ],
+                [500, { errcode: "INTERNAL_SERVER_ERROR" }, "MatrixError: [500] Unknown message"],
            ];

            it.each(testCases)("should handle %s error", async (code, { errcode, error }, snapshot) => {
                httpBackend.when("POST", "/knock/" + encodeURIComponent(roomId)).respond(code, { errcode, error });

                const prom = client.knockRoom(roomId);
-                await Promise.all([
-                    httpBackend.flushAllExpected(),
-                    expect(prom).rejects.toMatchInlineSnapshot(snapshot),
-                ]);
+                await Promise.all([httpBackend.flushAllExpected(), expect(prom).rejects.toThrow(snapshot)]);
            });
        });
    });
@@ -625,126 +713,6 @@ describe("MatrixClient", function () {
        });
    });

-    describe("downloadKeys", function () {
-        if (!CRYPTO_ENABLED) {
-            return;
-        }
-
-        beforeEach(function () {
-            // running initCrypto should trigger a key upload
-            httpBackend.when("POST", "/keys/upload").respond(200, {});
-            return Promise.all([client.initCrypto(), httpBackend.flush("/keys/upload", 1)]);
-        });
-
-        afterEach(() => {
-            client.stopClient();
-        });
-
-        it("should do an HTTP request and then store the keys", function () {
-            const ed25519key = "7wG2lzAqbjcyEkOP7O4gU7ItYcn+chKzh5sT/5r2l78";
-            // ed25519key = client.getDeviceEd25519Key();
-            const borisKeys = {
-                dev1: {
-                    algorithms: ["1"],
-                    device_id: "dev1",
-                    keys: { "ed25519:dev1": ed25519key },
-                    signatures: {
-                        boris: {
-                            "ed25519:dev1":
-                                "RAhmbNDq1efK3hCpBzZDsKoGSsrHUxb25NW5/WbEV9R" +
-                                "JVwLdP032mg5QsKt/pBDUGtggBcnk43n3nBWlA88WAw",
-                        },
-                    },
-                    unsigned: { abc: "def" },
-                    user_id: "boris",
-                },
-            };
-            const chazKeys = {
-                dev2: {
-                    algorithms: ["2"],
-                    device_id: "dev2",
-                    keys: { "ed25519:dev2": ed25519key },
-                    signatures: {
-                        chaz: {
-                            "ed25519:dev2":
-                                "FwslH/Q7EYSb7swDJbNB5PSzcbEO1xRRBF1riuijqvL" +
-                                "EkrK9/XVN8jl4h7thGuRITQ01siBQnNmMK9t45QfcCQ",
-                        },
-                    },
-                    unsigned: { ghi: "def" },
-                    user_id: "chaz",
-                },
-            };
-
-            /*
-            function sign(o) {
-                var anotherjson = require('another-json');
-                var b = JSON.parse(JSON.stringify(o));
-                delete(b.signatures);
-                delete(b.unsigned);
-                return client.crypto.olmDevice.sign(anotherjson.stringify(b));
-            };
-
-            logger.log("Ed25519: " + ed25519key);
-            logger.log("boris:", sign(borisKeys.dev1));
-            logger.log("chaz:", sign(chazKeys.dev2));
-            */
-
-            httpBackend
-                .when("POST", "/keys/query")
-                .check(function (req) {
-                    expect(req.data).toEqual({
-                        device_keys: {
-                            boris: [],
-                            chaz: [],
-                        },
-                    });
-                })
-                .respond(200, {
-                    device_keys: {
-                        boris: borisKeys,
-                        chaz: chazKeys,
-                    },
-                });
-
-            const prom = client.downloadKeys(["boris", "chaz"]).then(function (res) {
-                assertObjectContains(res.get("boris")!.get("dev1")!, {
-                    verified: 0, // DeviceVerification.UNVERIFIED
-                    keys: { "ed25519:dev1": ed25519key },
-                    algorithms: ["1"],
-                    unsigned: { abc: "def" },
-                });
-
-                assertObjectContains(res.get("chaz")!.get("dev2")!, {
-                    verified: 0, // DeviceVerification.UNVERIFIED
-                    keys: { "ed25519:dev2": ed25519key },
-                    algorithms: ["2"],
-                    unsigned: { ghi: "def" },
-                });
-            });
-
-            httpBackend.flush("");
-            return prom;
-        });
-    });
-
-    describe("deleteDevice", function () {
-        const auth = { identifier: 1 };
-        it("should pass through an auth dict", function () {
-            httpBackend
-                .when("DELETE", "/_matrix/client/v3/devices/my_device")
-                .check(function (req) {
-                    expect(req.data).toEqual({ auth: auth });
-                })
-                .respond(200);
-
-            const prom = client.deleteDevice("my_device", auth);
-
-            httpBackend.flush("");
-            return prom;
-        });
-    });
-
    describe("partitionThreadedEvents", function () {
        let room: Room;
        beforeEach(() => {
@@ -1224,7 +1192,7 @@ describe("MatrixClient", function () {
    describe("logout", () => {
        it("should abort pending requests when called with stopClient=true", async () => {
            httpBackend.when("POST", "/logout").respond(200, {});
-            const fn = jest.fn();
+            const fn = vi.fn();
            client.http.request(Method.Get, "/test").catch(fn);
            client.logout(true);
            await httpBackend.flush(undefined);
@@ -1283,18 +1251,109 @@ describe("MatrixClient", function () {
    });

    describe("getCapabilities", () => {
-        it("should cache by default", async () => {
+        it("should return cached capabilities if present", async () => {
+            const capsObject = {
+                "m.change_password": false,
+            };
+
+            httpBackend!.when("GET", "/versions").respond(200, {});
+            httpBackend!.when("GET", "/pushrules").respond(200, {});
+            httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
            httpBackend.when("GET", "/capabilities").respond(200, {
-                capabilities: {
-                    "m.change_password": false,
-                },
+                capabilities: capsObject,
            });
-            const prom = httpBackend.flushAllExpected();
-            const capabilities1 = await client.getCapabilities();
-            const capabilities2 = await client.getCapabilities();
+
+            client.startClient();
+            await httpBackend!.flushAllExpected();
+
+            expect(await client.getCapabilities()).toEqual(capsObject);
+        });
+
+        it("should fetch capabilities if cache not present", async () => {
+            const capsObject = {
+                "m.change_password": false,
+            };
+
+            httpBackend.when("GET", "/capabilities").respond(200, {
+                capabilities: capsObject,
+            });
+
+            const capsPromise = client.getCapabilities();
+            await httpBackend!.flushAllExpected();
+
+            expect(await capsPromise).toEqual(capsObject);
+        });
+    });
+
+    describe("getCachedCapabilities", () => {
+        it("should return cached capabilities or undefined", async () => {
+            const capsObject = {
+                "m.change_password": false,
+            };
+
+            httpBackend!.when("GET", "/versions").respond(200, {});
+            httpBackend!.when("GET", "/pushrules").respond(200, {});
+            httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
+            httpBackend.when("GET", "/capabilities").respond(200, {
+                capabilities: capsObject,
+            });
+
+            expect(client.getCachedCapabilities()).toBeUndefined();
+
+            client.startClient();
+
+            await httpBackend!.flushAllExpected();
+
+            expect(client.getCachedCapabilities()).toEqual(capsObject);
+        });
+    });
+
+    describe("fetchCapabilities", () => {
+        const capsObject = {
+            "m.change_password": false,
+        };
+
+        beforeEach(() => {
+            httpBackend.when("GET", "/capabilities").respond(200, {
+                capabilities: capsObject,
+            });
+        });
+
+        afterEach(() => {
+            vi.useRealTimers();
+        });
+
+        it("should always fetch capabilities and then cache", async () => {
+            const prom = client.fetchCapabilities();
+            await httpBackend.flushAllExpected();
+            const caps = await prom;
+
+            expect(caps).toEqual(capsObject);
+        });
+
+        it("should write-through the cache", async () => {
+            httpBackend!.when("GET", "/versions").respond(200, {});
+            httpBackend!.when("GET", "/pushrules").respond(200, {});
+            httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
+
+            client.startClient();
+            await httpBackend!.flushAllExpected();
+
+            expect(client.getCachedCapabilities()).toEqual(capsObject);
+
+            const newCapsObject = {
+                "m.change_password": true,
+            };
+
+            httpBackend.when("GET", "/capabilities").respond(200, {
+                capabilities: newCapsObject,
+            });
+
+            const prom = client.fetchCapabilities();
+            await httpBackend.flushAllExpected();
            await prom;

-            expect(capabilities1).toStrictEqual(capabilities2);
+            expect(client.getCachedCapabilities()).toEqual(newCapsObject);
        });
    });

@@ -1332,6 +1391,7 @@ describe("MatrixClient", function () {
    });

    describe("publicRooms", () => {
+        // eslint-disable-next-line @vitest/expect-expect
        it("should use GET request if no server or filter is specified", () => {
            httpBackend.when("GET", "/publicRooms").respond(200, {});
            client.publicRooms({});
@@ -1518,52 +1578,9 @@ describe("MatrixClient", function () {
        });
    });

-    describe("uploadKeys", () => {
-        // uploadKeys() is a no-op nowadays, so there's not much to test here.
-        it("should complete successfully", async () => {
-            await client.uploadKeys();
-        });
-    });
-
-    describe("getCryptoTrustCrossSignedDevices", () => {
-        it("should throw if e2e is disabled", () => {
-            expect(() => client.getCryptoTrustCrossSignedDevices()).toThrow("End-to-end encryption disabled");
-        });
-
-        it("should proxy to the crypto backend", async () => {
-            const mockBackend = {
-                getTrustCrossSignedDevices: jest.fn().mockReturnValue(true),
-            } as unknown as Mocked<CryptoBackend>;
-            client["cryptoBackend"] = mockBackend;
-
-            expect(client.getCryptoTrustCrossSignedDevices()).toBe(true);
-            mockBackend.getTrustCrossSignedDevices.mockReturnValue(false);
-            expect(client.getCryptoTrustCrossSignedDevices()).toBe(false);
-        });
-    });
-
-    describe("setCryptoTrustCrossSignedDevices", () => {
-        it("should throw if e2e is disabled", () => {
-            expect(() => client.setCryptoTrustCrossSignedDevices(false)).toThrow("End-to-end encryption disabled");
-        });
-
-        it("should proxy to the crypto backend", async () => {
-            const mockBackend = {
-                setTrustCrossSignedDevices: jest.fn(),
-            } as unknown as Mocked<CryptoBackend>;
-            client["cryptoBackend"] = mockBackend;
-
-            client.setCryptoTrustCrossSignedDevices(true);
-            expect(mockBackend.setTrustCrossSignedDevices).toHaveBeenLastCalledWith(true);
-
-            client.setCryptoTrustCrossSignedDevices(false);
-            expect(mockBackend.setTrustCrossSignedDevices).toHaveBeenLastCalledWith(false);
-        });
-    });
-
    describe("setSyncPresence", () => {
        it("should pass calls through to the underlying sync api", () => {
-            const setPresence = jest.fn();
+            const setPresence = vi.fn();
            // @ts-ignore
            client.syncApi = { setPresence };
            client.setSyncPresence(SetPresence.Unavailable);
@@ -1572,6 +1589,7 @@ describe("MatrixClient", function () {
    });

    describe("sendTyping", () => {
+        // eslint-disable-next-line @vitest/expect-expect
        it("should bail early for guests", async () => {
            client.setGuest(true);
            await client.sendTyping("!room:server", true, 100);
@@ -1709,6 +1727,146 @@ describe("MatrixClient", function () {
            await Promise.all([client.unbindThreePid("email", "alice@server.com"), httpBackend.flushAllExpected()]);
        });
    });
+
+    describe("getRoomSummary", () => {
+        const roomId = "!foo:bar";
+        const encodedRoomId = encodeURIComponent(roomId);
+
+        const roomSummary: RoomSummary = {
+            "room_id": roomId,
+            "name": "My Room",
+            "avatar_url": "",
+            "topic": "My room topic",
+            "world_readable": false,
+            "guest_can_join": false,
+            "num_joined_members": 1,
+            "room_type": "",
+            "join_rule": JoinRule.Public,
+            "membership": "leave",
+            "im.nheko.summary.room_version": "6",
+            "im.nheko.summary.encryption": "algo",
+        };
+
+        const prefix = "/_matrix/client/unstable/im.nheko.summary/";
+        const suffix = `summary/${encodedRoomId}`;
+        const deprecatedSuffix = `rooms/${encodedRoomId}/summary`;
+
+        const errorUnrecogStatus = 404;
+        const errorUnrecogBody = {
+            errcode: "M_UNRECOGNIZED",
+            error: "Unsupported endpoint",
+        };
+
+        const errorBadreqStatus = 400;
+        const errorBadreqBody = {
+            errcode: "M_UNKNOWN",
+            error: "Invalid request",
+        };
+
+        it("should respond with a valid room summary object", () => {
+            httpBackend.when("GET", prefix + suffix).respond(200, roomSummary);
+
+            const prom = client.getRoomSummary(roomId).then((response) => {
+                expect(response).toEqual(roomSummary);
+            });
+
+            httpBackend.flush("");
+            return prom;
+        });
+
+        it("should allow fallback to the deprecated endpoint", () => {
+            httpBackend.when("GET", prefix + suffix).respond(errorUnrecogStatus, errorUnrecogBody);
+            httpBackend.when("GET", prefix + deprecatedSuffix).respond(200, roomSummary);
+
+            const prom = client.getRoomSummary(roomId).then((response) => {
+                expect(response).toEqual(roomSummary);
+            });
+
+            httpBackend.flush("");
+            return prom;
+        });
+
+        it("should respond to unsupported path with error", () => {
+            httpBackend.when("GET", prefix + suffix).respond(errorUnrecogStatus, errorUnrecogBody);
+            httpBackend.when("GET", prefix + deprecatedSuffix).respond(errorUnrecogStatus, errorUnrecogBody);
+
+            const prom = client.getRoomSummary(roomId).then(
+                function (response) {
+                    throw Error("request not failed");
+                },
+                function (error) {
+                    expect(error.httpStatus).toEqual(errorUnrecogStatus);
+                    expect(error.errcode).toEqual(errorUnrecogBody.errcode);
+                    expect(error.message).toEqual(`MatrixError: [${errorUnrecogStatus}] ${errorUnrecogBody.error}`);
+                },
+            );
+
+            httpBackend.flush("");
+            return prom;
+        });
+
+        it("should respond to invalid path arguments with error", () => {
+            httpBackend.when("GET", prefix).respond(errorBadreqStatus, errorBadreqBody);
+
+            const prom = client.getRoomSummary("notAroom").then(
+                function (response) {
+                    throw Error("request not failed");
+                },
+                function (error) {
+                    expect(error.httpStatus).toEqual(errorBadreqStatus);
+                    expect(error.errcode).toEqual(errorBadreqBody.errcode);
+                    expect(error.message).toEqual(`MatrixError: [${errorBadreqStatus}] ${errorBadreqBody.error}`);
+                },
+            );
+
+            httpBackend.flush("");
+            return prom;
+        });
+    });
+
+    describe("getDomain", () => {
+        it("should return null if no userId is set", () => {
+            const client = new MatrixClient({ baseUrl: "http://localhost" });
+            expect(client.getDomain()).toBeNull();
+        });
+
+        it("should return the domain of the userId", () => {
+            expect(client.getDomain()).toBe("localhost");
+        });
+    });
+
+    describe("getUserIdLocalpart", () => {
+        it("should return null if no userId is set", () => {
+            const client = new MatrixClient({ baseUrl: "http://localhost" });
+            expect(client.getUserIdLocalpart()).toBeNull();
+        });
+
+        it("should return the localpart of the userId", () => {
+            expect(client.getUserIdLocalpart()).toBe("alice");
+        });
+    });
+
+    describe("setRoomMutePushRule", () => {
+        // eslint-disable-next-line @vitest/expect-expect
+        it("should set room push rule to muted", async () => {
+            const roomId = "!roomId:server";
+            const client = new MatrixClient({
+                baseUrl: "http://localhost",
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
+            });
+            client.pushRules = {
+                global: {
+                    room: [{ rule_id: roomId, actions: [], default: false, enabled: false }],
+                },
+            };
+
+            const path = `/pushrules/global/room/${encodeURIComponent(roomId)}`;
+            httpBackend.when("DELETE", path).respond(200, {});
+            httpBackend.when("PUT", path).respond(200, {});
+            client.setRoomMutePushRule("global", roomId, true);
+            await httpBackend.flush("");
+        });
+    });
 });

 function withThreadId(event: MatrixEvent, newThreadId: string): MatrixEvent {
@@ -1719,7 +1877,6 @@ function withThreadId(event: MatrixEvent, newThreadId: string): MatrixEvent {

 const buildEventMessageInThread = (root: MatrixEvent) =>
    new MatrixEvent({
-        age: 80098509,
        content: {
            "algorithm": "m.megolm.v1.aes-sha2",
            "ciphertext": "ENCRYPTEDSTUFF",
@@ -1740,12 +1897,10 @@ const buildEventMessageInThread = (root: MatrixEvent) =>
        sender: "@andybalaam-test1:matrix.org",
        type: "m.room.encrypted",
        unsigned: { age: 80098509 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventPollResponseReference = () =>
    new MatrixEvent({
-        age: 80098509,
        content: {
            "algorithm": "m.megolm.v1.aes-sha2",
            "ciphertext": "ENCRYPTEDSTUFF",
@@ -1763,7 +1918,6 @@ const buildEventPollResponseReference = () =>
        sender: "@andybalaam-test1:matrix.org",
        type: "m.room.encrypted",
        unsigned: { age: 80106237 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventReaction = (event: MatrixEvent) =>
@@ -1803,7 +1957,6 @@ const buildEventRedaction = (event: MatrixEvent) =>

 const buildEventPollStartThreadRoot = () =>
    new MatrixEvent({
-        age: 80108647,
        content: {
            algorithm: "m.megolm.v1.aes-sha2",
            ciphertext: "ENCRYPTEDSTUFF",
@@ -1817,12 +1970,10 @@ const buildEventPollStartThreadRoot = () =>
        sender: "@andybalaam-test1:matrix.org",
        type: "m.room.encrypted",
        unsigned: { age: 80108647 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventReply = (target: MatrixEvent) =>
    new MatrixEvent({
-        age: 80098509,
        content: {
            "algorithm": "m.megolm.v1.aes-sha2",
            "ciphertext": "ENCRYPTEDSTUFF",
@@ -1841,12 +1992,10 @@ const buildEventReply = (target: MatrixEvent) =>
        sender: "@andybalaam-test1:matrix.org",
        type: "m.room.encrypted",
        unsigned: { age: 80098509 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventRoomName = () =>
    new MatrixEvent({
-        age: 80123249,
        content: {
            name: "1 poll, 1 vote, 1 thread",
        },
@@ -1857,12 +2006,10 @@ const buildEventRoomName = () =>
        state_key: "",
        type: "m.room.name",
        unsigned: { age: 80123249 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventEncryption = () =>
    new MatrixEvent({
-        age: 80123383,
        content: {
            algorithm: "m.megolm.v1.aes-sha2",
        },
@@ -1873,12 +2020,10 @@ const buildEventEncryption = () =>
        state_key: "",
        type: "m.room.encryption",
        unsigned: { age: 80123383 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventGuestAccess = () =>
    new MatrixEvent({
-        age: 80123473,
        content: {
            guest_access: "can_join",
        },
@@ -1889,12 +2034,10 @@ const buildEventGuestAccess = () =>
        state_key: "",
        type: "m.room.guest_access",
        unsigned: { age: 80123473 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventHistoryVisibility = () =>
    new MatrixEvent({
-        age: 80123556,
        content: {
            history_visibility: "shared",
        },
@@ -1905,14 +2048,12 @@ const buildEventHistoryVisibility = () =>
        state_key: "",
        type: "m.room.history_visibility",
        unsigned: { age: 80123556 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventJoinRules = () =>
    new MatrixEvent({
-        age: 80123696,
        content: {
-            join_rule: "invite",
+            join_rule: KnownMembership.Invite,
        },
        event_id: "$6JDDeDp7fEc0F6YnTWMruNcKWFltR3e9wk7wWDDJrAU",
        origin_server_ts: 1643815441191,
@@ -1921,12 +2062,10 @@ const buildEventJoinRules = () =>
        state_key: "",
        type: "m.room.join_rules",
        unsigned: { age: 80123696 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventPowerLevels = () =>
    new MatrixEvent({
-        age: 80124105,
        content: {
            ban: 50,
            events: {
@@ -1957,16 +2096,14 @@ const buildEventPowerLevels = () =>
        state_key: "",
        type: "m.room.power_levels",
        unsigned: { age: 80124105 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventMember = () =>
    new MatrixEvent({
-        age: 80125279,
        content: {
            avatar_url: "mxc://matrix.org/aNtbVcFfwotudypZcHsIcPOc",
            displayname: "andybalaam-test1",
-            membership: "join",
+            membership: KnownMembership.Join,
        },
        event_id: "$Ex5eVmMs_ti784mo8bgddynbwLvy6231lCycJr7Cl9M",
        origin_server_ts: 1643815439608,
@@ -1975,12 +2112,10 @@ const buildEventMember = () =>
        state_key: "@andybalaam-test1:matrix.org",
        type: "m.room.member",
        unsigned: { age: 80125279 },
-        user_id: "@andybalaam-test1:matrix.org",
    });

 const buildEventCreate = () =>
    new MatrixEvent({
-        age: 80126105,
        content: {
            room_version: "6",
        },
@@ -1991,13 +2126,4 @@ const buildEventCreate = () =>
        state_key: "",
        type: "m.room.create",
        unsigned: { age: 80126105 },
-        user_id: "@andybalaam-test1:matrix.org",
    });
-
-function assertObjectContains(obj: Record<string, any>, expected: any): void {
-    for (const k in expected) {
-        if (expected.hasOwnProperty(k)) {
-            expect(obj[k]).toEqual(expected[k]);
-        }
-    }
-}
@@ -5,7 +5,8 @@ import { ClientEvent, MatrixClient } from "../../src/matrix";
 import { MatrixScheduler } from "../../src/scheduler";
 import { MemoryStore } from "../../src/store/memory";
 import { MatrixError } from "../../src/http-api";
-import { IStore } from "../../src/store";
+import { type IStore } from "../../src/store";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient opts", function () {
    const baseUrl = "http://localhost.or.something";
@@ -43,13 +44,13 @@ describe("MatrixClient opts", function () {
                            }),
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: userB,
                                name: "Bob",
                            }),
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: userId,
                                name: "Alice",
                            }),
@@ -79,7 +80,7 @@ describe("MatrixClient opts", function () {
        let client: MatrixClient;
        beforeEach(function () {
            client = new MatrixClient({
-                fetchFn: httpBackend.fetchFn as typeof global.fetch,
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
                store: undefined,
                baseUrl: baseUrl,
                userId: userId,
@@ -134,7 +135,7 @@ describe("MatrixClient opts", function () {
        let client: MatrixClient;
        beforeEach(function () {
            client = new MatrixClient({
-                fetchFn: httpBackend.fetchFn as typeof global.fetch,
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
                store: new MemoryStore() as IStore,
                baseUrl: baseUrl,
                userId: userId,
@@ -158,7 +159,7 @@ describe("MatrixClient opts", function () {

            await expect(
                Promise.all([client.sendTextMessage("!foo:bar", "a body", "txn1"), httpBackend.flush("/txn1", 1)]),
-            ).rejects.toThrow("MatrixError: [500] Unknown message");
+            ).rejects.toThrow("MatrixError: [500] Ruh roh");
        });

        it("shouldn't queue events", async () => {
@@ -204,4 +205,109 @@ describe("MatrixClient opts", function () {
            expect(res.event_id).toEqual("foo");
        });
    });
+
+    describe("with opts.queryParams", function () {
+        let client: MatrixClient;
+        let httpBackend: HttpBackend;
+        const userId = "@rsb-tbg:localhost";
+
+        beforeEach(function () {
+            httpBackend = new HttpBackend();
+            client = new MatrixClient({
+                fetchFn: httpBackend.fetchFn as typeof globalThis.fetch,
+                store: new MemoryStore() as IStore,
+                baseUrl: baseUrl,
+                userId: userId,
+                accessToken: accessToken,
+                queryParams: { user_id: userId },
+            });
+        });
+
+        afterEach(function () {
+            client.stopClient();
+            httpBackend.verifyNoOutstandingExpectation();
+            return httpBackend.stop();
+        });
+
+        it("should include queryParams in matrix server requests", async () => {
+            const eventId = "$test:event";
+            httpBackend
+                .when("PUT", "/txn1")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {
+                    event_id: eventId,
+                });
+
+            const [res] = await Promise.all([
+                client.sendTextMessage("!foo:bar", "test message", "txn1"),
+                httpBackend.flush("/txn1", 1),
+            ]);
+
+            expect(res.event_id).toEqual(eventId);
+        });
+
+        it("should include queryParams in sync requests", async () => {
+            httpBackend
+                .when("GET", "/versions")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {});
+
+            httpBackend
+                .when("GET", "/pushrules")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {});
+
+            httpBackend
+                .when("POST", "/filter")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, { filter_id: "foo" });
+
+            httpBackend
+                .when("GET", "/sync")
+                .check((req) => {
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, syncData);
+
+            client.startClient();
+            await httpBackend.flush("/versions", 1);
+            await httpBackend.flush("/pushrules", 1);
+            await httpBackend.flush("/filter", 1);
+            await Promise.all([httpBackend.flush("/sync", 1), utils.syncPromise(client)]);
+        });
+
+        it("should merge queryParams with request-specific params", async () => {
+            const eventId = "$test:event";
+            httpBackend
+                .when("PUT", "/txn1")
+                .check((req) => {
+                    // Should contain both global queryParams and request-specific params
+                    expect(req.path).toContain(`user_id=${encodeURIComponent(userId)}`);
+                    return true;
+                })
+                .respond(200, {
+                    event_id: eventId,
+                });
+
+            const [res] = await Promise.all([
+                client.sendTextMessage("!foo:bar", "test message", "txn1"),
+                httpBackend.flush("/txn1", 1),
+            ]);
+
+            expect(res.event_id).toEqual(eventId);
+        });
+    });
 });
@@ -15,9 +15,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
-import { Direction, MatrixClient, MatrixScheduler } from "../../src/matrix";
+import type HttpBackend from "matrix-mock-request";
+import { Direction, type MatrixClient, MatrixScheduler } from "../../src/matrix";
 import { TestClient } from "../TestClient";

 describe("MatrixClient relations", () => {
@@ -14,9 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
-import { EventStatus, RoomEvent, MatrixClient, MatrixScheduler } from "../../src/matrix";
+import type HttpBackend from "matrix-mock-request";
+import { EventStatus, type MatrixClient, MatrixScheduler, MsgType, RoomEvent } from "../../src/matrix";
 import { Room } from "../../src/models/room";
 import { TestClient } from "../TestClient";

@@ -60,7 +59,7 @@ describe("MatrixClient retrying", function () {
        // send a couple of events; the second will be queued
        const p1 = client!
            .sendMessage(roomId, {
-                msgtype: "m.text",
+                msgtype: MsgType.Text,
                body: "m1",
            })
            .then(
@@ -77,7 +76,7 @@ describe("MatrixClient retrying", function () {
        // never gets resolved.
        // https://github.com/matrix-org/matrix-js-sdk/issues/496
        client!.sendMessage(roomId, {
-            msgtype: "m.text",
+            msgtype: MsgType.Text,
            body: "m2",
        });

@@ -14,22 +14,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import * as utils from "../test-utils/test-utils";
 import { EventStatus } from "../../src/models/event";
 import {
    MatrixError,
    ClientEvent,
-    IEvent,
-    MatrixClient,
+    type IEvent,
+    type MatrixClient,
    RoomEvent,
-    ISyncResponse,
-    IMinimalEvent,
-    IRoomEvent,
-    Room,
+    type ISyncResponse,
+    type IMinimalEvent,
+    type IRoomEvent,
+    type Room,
 } from "../../src";
 import { TestClient } from "../TestClient";
+import { KnownMembership } from "../../src/@types/membership";

 describe("MatrixClient room timelines", function () {
    const userId = "@alice:localhost";
@@ -42,7 +42,7 @@ describe("MatrixClient room timelines", function () {

    const USER_MEMBERSHIP_EVENT = utils.mkMembership({
        room: roomId,
-        mship: "join",
+        mship: KnownMembership.Join,
        user: userId,
        name: userName,
    });
@@ -76,7 +76,7 @@ describe("MatrixClient room timelines", function () {
                            ROOM_NAME_EVENT,
                            utils.mkMembership({
                                room: roomId,
-                                mship: "join",
+                                mship: KnownMembership.Join,
                                user: otherUserId,
                                name: "Bob",
                            }),
@@ -316,7 +316,7 @@ describe("MatrixClient room timelines", function () {

            // make an m.room.member event for alice's join
            const joinMshipEvent = utils.mkMembership({
-                mship: "join",
+                mship: KnownMembership.Join,
                user: userId,
                room: roomId,
                name: "Old Alice",
@@ -326,16 +326,16 @@ describe("MatrixClient room timelines", function () {
            // make an m.room.member event with prev_content for alice's nick
            // change
            const oldMshipEvent = utils.mkMembership({
-                mship: "join",
+                mship: KnownMembership.Join,
                user: userId,
                room: roomId,
                name: userName,
                url: "mxc://some/url",
            });
-            oldMshipEvent.prev_content = {
+            oldMshipEvent.unsigned!.prev_content = {
                displayname: "Old Alice",
                avatar_url: undefined,
-                membership: "join",
+                membership: KnownMembership.Join,
            };

            // set the list of events to return on scrollback (/messages)
@@ -487,7 +487,7 @@ describe("MatrixClient room timelines", function () {
                utils.mkMembership({
                    user: userId,
                    room: roomId,
-                    mship: "join",
+                    mship: KnownMembership.Join,
                    name: "New Name",
                }),
                utils.mkMessage({ user: userId, room: roomId }),
@@ -554,13 +554,13 @@ describe("MatrixClient room timelines", function () {
                utils.mkMembership({
                    user: userC,
                    room: roomId,
-                    mship: "join",
+                    mship: KnownMembership.Join,
                    name: "C",
                }),
                utils.mkMembership({
                    user: userC,
                    room: roomId,
-                    mship: "invite",
+                    mship: KnownMembership.Invite,
                    skey: userD,
                }),
            ];
@@ -571,9 +571,9 @@ describe("MatrixClient room timelines", function () {
                return Promise.all([httpBackend!.flush("/sync", 1), utils.syncPromise(client!)]).then(function () {
                    expect(room.currentState.getMembers().length).toEqual(4);
                    expect(room.currentState.getMember(userC)!.name).toEqual("C");
-                    expect(room.currentState.getMember(userC)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(userC)!.membership).toEqual(KnownMembership.Join);
                    expect(room.currentState.getMember(userD)!.name).toEqual(userD);
-                    expect(room.currentState.getMember(userD)!.membership).toEqual("invite");
+                    expect(room.currentState.getMember(userD)!.membership).toEqual(KnownMembership.Invite);
                });
            });
        });
@@ -598,9 +598,9 @@ describe("MatrixClient room timelines", function () {
                    expect(room.timeline[0].event).toEqual(eventData[0]);
                    expect(room.currentState.getMembers().length).toEqual(2);
                    expect(room.currentState.getMember(userId)!.name).toEqual(userName);
-                    expect(room.currentState.getMember(userId)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(userId)!.membership).toEqual(KnownMembership.Join);
                    expect(room.currentState.getMember(otherUserId)!.name).toEqual("Bob");
-                    expect(room.currentState.getMember(otherUserId)!.membership).toEqual("join");
+                    expect(room.currentState.getMember(otherUserId)!.membership).toEqual(KnownMembership.Join);
                });
            });
        });
@@ -720,7 +720,7 @@ describe("MatrixClient room timelines", function () {
                    } else {
                        reject(new Error("TestError: Timed out while waiting for `RoomEvent.TimelineReset` to fire."));
                    }
-                }, 4000 /* FIXME: Is there a way to reference the current timeout of this test in Jest? */);
+                }, 4000 /* FIXME: Is there a way to reference the current timeout of this test in Vitest? */);

                room.on(RoomEvent.TimelineReset, async () => {
                    try {
@@ -15,9 +15,9 @@ limitations under the License.
 */

 import "fake-indexeddb/auto";
-import fetchMock from "fetch-mock-jest";
+import fetchMock from "@fetch-mock/vitest";

-import { MatrixClient, ClientEvent, createClient, SyncState } from "../../src";
+import { type MatrixClient, ClientEvent, createClient, SyncState } from "../../src";

 const makeQueryablePromise = <T = void>(promise: Promise<T>) => {
    let resolved = false;
@@ -83,8 +83,7 @@ describe("MatrixClient syncing errors", () => {
    });

    it("should retry, until errors are solved.", async () => {
-        jest.useFakeTimers();
-        fetchMock.config.overwriteRoutes = false;
+        vi.useFakeTimers();
        fetchMock
            .getOnce("end:versions", {}) // first version check without credentials needs to succeed
            .getOnce("end:versions", 429) // second version check fails with 429 triggering another retry
@@ -105,20 +104,20 @@ describe("MatrixClient syncing errors", () => {

        await client!.startClient();
        expect(await syncEvents[0].promise).toBe(SyncState.Error);
-        jest.runAllTimers(); // this will skip forward to trigger the keepAlive/sync
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
        expect(await syncEvents[1].promise).toBe(SyncState.Error);
-        jest.runAllTimers(); // this will skip forward to trigger the keepAlive/sync
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
        expect(await syncEvents[2].promise).toBe(SyncState.Prepared);
-        jest.runAllTimers(); // this will skip forward to trigger the keepAlive/sync
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
        expect(await syncEvents[3].promise).toBe(SyncState.Syncing);
-        jest.runAllTimers(); // this will skip forward to trigger the keepAlive/sync
+        vi.advanceTimersByTime(60 * 1000); // this will skip forward to trigger the keepAlive/sync
        expect(await syncEvents[4].promise).toBe(SyncState.Syncing);
    });

    it("should stop sync keep alive when client is stopped.", async () => {
-        jest.useFakeTimers();
-        fetchMock.config.overwriteRoutes = false;
+        vi.useFakeTimers();
        fetchMock
+            .get("end:capabilities", {})
            .getOnce("end:versions", {}) // first version check without credentials needs to succeed
            .get("end:versions", unknownTokenErrorData) // further version checks fails with 401
            .get("end:pushrules/", 401) // fails with 401 without an error. This does happen in practice e.g. with Synapse
@@ -145,9 +144,9 @@ describe("MatrixClient syncing errors", () => {

        const syntState = await firstSyncEvent.promise;
        expect(syntState).toBe(SyncState.Error);
-        jest.runAllTimers(); // this will skip forward to trigger the keepAlive
+        vi.runAllTimers(); // this will skip forward to trigger the keepAlive

-        jest.useRealTimers(); // we need real timer for the setTimout below to work
+        vi.useRealTimers(); // we need real timer for the setTimout below to work

        const timeoutPromise = makeQueryablePromise(new Promise<void>((res) => setTimeout(res, 1)));

@@ -16,44 +16,82 @@ limitations under the License.

 import "fake-indexeddb/auto";

-import HttpBackend from "matrix-mock-request";
-
+import type HttpBackend from "matrix-mock-request";
 import {
    Category,
    ClientEvent,
    EventType,
-    ISyncResponse,
-    MatrixClient,
+    type ISyncResponse,
+    type MatrixClient,
    MatrixEvent,
    NotificationCountType,
    RelationType,
    Room,
+    fixNotificationCountOnDecryption,
 } from "../../src";
 import { TestClient } from "../TestClient";
 import { ReceiptType } from "../../src/@types/read_receipts";
 import { mkThread } from "../test-utils/thread";
 import { SyncState } from "../../src/sync";
+import { KnownMembership } from "../../src/@types/membership";
+
+const userA = "@alice:localhost";
+const userB = "@bob:localhost";
+const selfUserId = userA;
+const selfAccessToken = "aseukfgwef";
+
+function setupTestClient(): [MatrixClient, HttpBackend] {
+    const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
+    const httpBackend = testClient.httpBackend;
+    const client = testClient.client;
+    httpBackend!.when("GET", "/versions").respond(200, {});
+    httpBackend!.when("GET", "/pushrules").respond(200, {});
+    httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
+    return [client, httpBackend];
+}
+
+describe("Notification count fixing", () => {
+    let client: MatrixClient | undefined;
+
+    beforeEach(() => {
+        [client] = setupTestClient();
+    });
+
+    it("doesn't increment notification count for events that can't be found in a room", async () => {
+        const roomId = "!room:localhost";
+
+        client!.startClient({ threadSupport: true });
+        const room = new Room(roomId, client!, selfUserId);
+        vi.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));
+
+        const event = new MatrixEvent({
+            room_id: roomId,
+            type: "m.reaction",
+            event_id: "$foo",
+            content: {
+                "m.relates_to": {
+                    rel_type: RelationType.Annotation,
+                    event_id: "$foo",
+                    key: "x",
+                },
+            },
+        });
+
+        vi.spyOn(event, "getPushActions").mockReturnValue({
+            notify: true,
+            tweaks: {},
+        });
+
+        fixNotificationCountOnDecryption(client!, event);
+
+        expect(room.getUnreadNotificationCount(NotificationCountType.Total)).toBe(0);
+    });
+});

 describe("MatrixClient syncing", () => {
-    const userA = "@alice:localhost";
-    const userB = "@bob:localhost";
-
-    const selfUserId = userA;
-    const selfAccessToken = "aseukfgwef";
-
    let client: MatrixClient | undefined;
    let httpBackend: HttpBackend | undefined;

-    const setupTestClient = (): [MatrixClient, HttpBackend] => {
-        const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
-        const httpBackend = testClient.httpBackend;
-        const client = testClient.client;
-        httpBackend!.when("GET", "/versions").respond(200, {});
-        httpBackend!.when("GET", "/pushrules").respond(200, {});
-        httpBackend!.when("POST", "/filter").respond(200, { filter_id: "a filter id" });
-        return [client, httpBackend];
-    };
-
    beforeEach(() => {
        [client, httpBackend] = setupTestClient();
    });
@@ -85,11 +123,11 @@ describe("MatrixClient syncing", () => {
        ]);

        const room = new Room(roomId, client!, selfUserId);
-        jest.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));
+        vi.spyOn(client!, "getRoom").mockImplementation((id) => (id === roomId ? room : null));

        const thread = mkThread({ room, client: client!, authorId: selfUserId, participantUserIds: [selfUserId] });
        const threadReply = thread.events.at(-1)!;
-        await room.addLiveEvents([thread.rootEvent]);
+        await room.addLiveEvents([thread.rootEvent], { addToState: false });

        // Initialize read receipt datastructure before testing the reaction
        room.addReceiptToStructure(thread.rootEvent.getId()!, ReceiptType.Read, selfUserId, { ts: 1 }, false);
@@ -105,7 +143,7 @@ describe("MatrixClient syncing", () => {

        const reactionEventId = `$9-${Math.random()}-${Math.random()}`;
        let lastEvent: MatrixEvent | null = null;
-        jest.spyOn(client! as any, "sendEventHttpRequest").mockImplementation((event) => {
+        vi.spyOn(client! as any, "sendEventHttpRequest").mockImplementation((event) => {
            lastEvent = event as MatrixEvent;
            return { event_id: reactionEventId };
        });
@@ -113,7 +151,7 @@ describe("MatrixClient syncing", () => {
        await client!.sendEvent(roomId, EventType.Reaction, {
            "m.relates_to": {
                rel_type: RelationType.Annotation,
-                event_id: threadReply.getId(),
+                event_id: threadReply.getId()!,
                key: "",
            },
        });
@@ -157,7 +195,7 @@ describe("MatrixClient syncing", () => {
                })
                .respond(200, syncData);

-            client!.store.getSavedSyncToken = jest.fn().mockResolvedValue("this-is-a-token");
+            client!.store.getSavedSyncToken = vi.fn().mockResolvedValue("this-is-a-token");
            client!.startClient({ initialSyncLimit: 1 });

            await httpBackend!.flushAllExpected();
@@ -191,7 +229,7 @@ describe("MatrixClient syncing", () => {
                                    content: {
                                        avatar_url: "",
                                        displayname: userB,
-                                        membership: "join",
+                                        membership: KnownMembership.Join,
                                    },
                                    origin_server_ts: 2,
                                    sender: userB,
@@ -232,7 +270,7 @@ describe("MatrixClient syncing", () => {
                                },
                                {
                                    content: {
-                                        join_rule: "invite",
+                                        join_rule: KnownMembership.Invite,
                                    },
                                    origin_server_ts: 4,
                                    sender: userB,
@@ -278,7 +316,7 @@ describe("MatrixClient syncing", () => {
                                        avatar_url: "",
                                        displayname: userA,
                                        is_direct: true,
-                                        membership: "invite",
+                                        membership: KnownMembership.Invite,
                                    },
                                    origin_server_ts: 8,
                                    sender: userB,
@@ -300,7 +338,7 @@ describe("MatrixClient syncing", () => {
                                    content: {
                                        avatar_url: "",
                                        displayname: userA,
-                                        membership: "join",
+                                        membership: KnownMembership.Join,
                                    },
                                    origin_server_ts: 10,
                                    sender: userA,
@@ -0,0 +1,348 @@
+/*
+Copyright 2024 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { QrCodeData, QrCodeIntent } from "@matrix-org/matrix-sdk-crypto-wasm";
+import fetchMock from "@fetch-mock/vitest";
+
+import {
+    MSC4108FailureReason,
+    MSC4108RendezvousSession,
+    MSC4108SecureChannel,
+    MSC4108SignInWithQR,
+    PayloadType,
+    RendezvousError,
+} from "../../../src/rendezvous";
+import {
+    ClientPrefix,
+    DEVICE_CODE_SCOPE,
+    type IHttpOpts,
+    type IMyDevice,
+    type MatrixClient,
+    MatrixError,
+    MatrixHttpApi,
+} from "../../../src";
+import { makeDelegatedAuthConfig } from "../../test-utils/oidc";
+
+function makeMockClient(opts: { userId: string; deviceId: string; msc4108Enabled: boolean }): MatrixClient {
+    const baseUrl = "https://example.com";
+    const crypto = {
+        exportSecretsForQrLogin: vi.fn(),
+    };
+    const client = {
+        doesServerSupportUnstableFeature(feature: string) {
+            return Promise.resolve(opts.msc4108Enabled && feature === "org.matrix.msc4108");
+        },
+        getUserId() {
+            return opts.userId;
+        },
+        getDeviceId() {
+            return opts.deviceId;
+        },
+        baseUrl,
+        getDomain: () => "example.com",
+        getDevice: vi.fn(),
+        getCrypto: vi.fn(() => crypto),
+        getAuthMetadata: vi.fn().mockResolvedValue(makeDelegatedAuthConfig("https://issuer/", [DEVICE_CODE_SCOPE])),
+    } as unknown as MatrixClient;
+    client.http = new MatrixHttpApi<IHttpOpts & { onlyData: true }>(client, {
+        baseUrl: client.baseUrl,
+        prefix: ClientPrefix.Unstable,
+        onlyData: true,
+    });
+    return client;
+}
+
+describe("MSC4108SignInWithQR", () => {
+    beforeEach(() => {
+        fetchMock.get("https://issuer/jwks", {
+            status: 200,
+            headers: {
+                "Content-Type": "application/json",
+            },
+            keys: [],
+        });
+    });
+
+    const url = "https://fallbackserver/rz/123";
+    const deviceId = "DEADB33F";
+    const verificationUri = "https://example.com/verify";
+    const verificationUriComplete = "https://example.com/verify/complete";
+
+    it("should generate qr code data as expected", async () => {
+        const session = new MSC4108RendezvousSession({
+            url,
+        });
+        const channel = new MSC4108SecureChannel(session);
+        const login = new MSC4108SignInWithQR(channel, false);
+
+        await login.generateCode();
+        const code = login.code;
+        expect(code).toHaveLength(71);
+        const text = new TextDecoder().decode(code);
+        expect(text.startsWith("MATRIX")).toBeTruthy();
+        expect(text.endsWith(url)).toBeTruthy();
+
+        // Assert that the code is stable
+        await login.generateCode();
+        expect(login.code).toEqual(code);
+    });
+
+    describe("should be able to connect as a reciprocating device", () => {
+        let client: MatrixClient;
+        let ourLogin: MSC4108SignInWithQR;
+        let opponentLogin: MSC4108SignInWithQR;
+
+        beforeEach(async () => {
+            let ourData = Promise.withResolvers<string>();
+            let opponentData = Promise.withResolvers<string>();
+
+            const ourMockSession = {
+                send: vi.fn(async (newData) => {
+                    ourData.resolve(newData);
+                }),
+                receive: vi.fn(() => {
+                    const prom = opponentData.promise;
+                    prom.then(() => {
+                        opponentData = Promise.withResolvers();
+                    });
+                    return prom;
+                }),
+                url,
+                cancelled: false,
+                cancel: () => {
+                    // @ts-ignore
+                    ourMockSession.cancelled = true;
+                    ourData.resolve("");
+                },
+            } as unknown as MSC4108RendezvousSession;
+            const opponentMockSession = {
+                send: vi.fn(async (newData) => {
+                    opponentData.resolve(newData);
+                }),
+                receive: vi.fn(() => {
+                    const prom = ourData.promise;
+                    prom.then(() => {
+                        ourData = Promise.withResolvers();
+                    });
+                    return prom;
+                }),
+                url,
+            } as unknown as MSC4108RendezvousSession;
+
+            client = makeMockClient({ userId: "@alice:example.com", deviceId: "alice", msc4108Enabled: true });
+
+            const ourChannel = new MSC4108SecureChannel(ourMockSession);
+            const qrCodeData = QrCodeData.fromBytes(
+                await ourChannel.generateCode(QrCodeIntent.Reciprocate, client.getDomain()!),
+            );
+            const opponentChannel = new MSC4108SecureChannel(opponentMockSession, qrCodeData.publicKey);
+
+            ourLogin = new MSC4108SignInWithQR(ourChannel, true, client);
+            opponentLogin = new MSC4108SignInWithQR(opponentChannel, false);
+        });
+
+        it("should be able to connect with opponent and share server name & check code", async () => {
+            await Promise.all([
+                expect(ourLogin.negotiateProtocols()).resolves.toEqual({}),
+                expect(opponentLogin.negotiateProtocols()).resolves.toEqual({ serverName: client.getDomain() }),
+            ]);
+
+            expect(ourLogin.checkCode).toBe(opponentLogin.checkCode);
+        });
+
+        it("should be able to connect with opponent and share verificationUri", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            vi.mocked(client.getDevice).mockRejectedValue(new MatrixError({ errcode: "M_NOT_FOUND" }, 404));
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).resolves.toEqual({
+                    verificationUri: verificationUriComplete,
+                }),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                        verification_uri_complete: verificationUriComplete,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should abort if device already exists", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            vi.mocked(client.getDevice).mockResolvedValue({} as IMyDevice);
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).rejects.toThrow("Specified device ID already exists"),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should abort on unsupported protocol", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            await Promise.all([
+                expect(ourLogin.deviceAuthorizationGrant()).rejects.toThrow(
+                    "Received a request for an unsupported protocol",
+                ),
+                // We don't have the new device side of this flow implemented at this time so mock it
+                // @ts-ignore
+                opponentLogin.send({
+                    type: PayloadType.Protocol,
+                    protocol: "device_authorization_grant_v2",
+                    device_authorization_grant: {
+                        verification_uri: verificationUri,
+                    },
+                    device_id: deviceId,
+                }),
+            ]);
+        });
+
+        it("should be able to connect with opponent and share secrets", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            const ourProm = ourLogin.shareSecrets();
+
+            // Consume the ProtocolAccepted message which would normally be handled by step 4 which we do not have here
+            // @ts-ignore
+            await opponentLogin.receive();
+
+            vi.mocked(client.getDevice).mockResolvedValue({} as IMyDevice);
+
+            const secrets = {
+                cross_signing: { master_key: "mk", user_signing_key: "usk", self_signing_key: "ssk" },
+            };
+            client.getCrypto()!.exportSecretsBundle = vi.fn().mockResolvedValue(secrets);
+
+            const payload = {
+                secrets: expect.objectContaining(secrets),
+            };
+            await Promise.all([
+                expect(ourProm).resolves.toEqual(payload),
+                expect(opponentLogin.shareSecrets()).resolves.toEqual(payload),
+            ]);
+        });
+
+        it("should abort if device doesn't come up by timeout", async () => {
+            vi.spyOn(globalThis, "setTimeout").mockImplementation((fn) => {
+                fn();
+                // TODO: mock timers properly
+                return -1 as any;
+            });
+            vi.spyOn(Date, "now").mockImplementation(() => {
+                return 12345678 + vi.mocked(setTimeout).mock.calls.length * 1000;
+            });
+
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            // @ts-ignore
+            await opponentLogin.send({
+                type: PayloadType.Success,
+            });
+            vi.mocked(client.getDevice).mockRejectedValue(new MatrixError({ errcode: "M_NOT_FOUND" }, 404));
+
+            const ourProm = ourLogin.shareSecrets();
+            await expect(ourProm).rejects.toThrow("New device not found");
+        });
+
+        it("should abort on unexpected errors", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            // @ts-ignore
+            await opponentLogin.send({
+                type: PayloadType.Success,
+            });
+            vi.mocked(client.getDevice).mockRejectedValue(
+                new MatrixError({ errcode: "M_UNKNOWN", error: "The message" }, 500),
+            );
+
+            await expect(ourLogin.shareSecrets()).rejects.toThrow("The message");
+        });
+
+        it("should abort on declined login", async () => {
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            await ourLogin.declineLoginOnExistingDevice();
+            await expect(opponentLogin.shareSecrets()).rejects.toThrow(
+                new RendezvousError("Failed", MSC4108FailureReason.UserCancelled),
+            );
+        });
+
+        it("should not send secrets if user cancels", async () => {
+            vi.spyOn(globalThis, "setTimeout").mockImplementation((fn) => {
+                fn();
+                // TODO: mock timers properly
+                return -1 as any;
+            });
+
+            await Promise.all([ourLogin.negotiateProtocols(), opponentLogin.negotiateProtocols()]);
+
+            // We don't have the new device side of this flow implemented at this time so mock it
+            // @ts-ignore
+            ourLogin.expectingNewDeviceId = "DEADB33F";
+
+            const ourProm = ourLogin.shareSecrets();
+            const opponentProm = opponentLogin.shareSecrets();
+
+            // Consume the ProtocolAccepted message which would normally be handled by step 4 which we do not have here
+            // @ts-ignore
+            await opponentLogin.receive();
+
+            const deviceResolvers = Promise.withResolvers<IMyDevice>();
+            vi.mocked(client.getDevice).mockReturnValue(deviceResolvers.promise);
+
+            ourLogin.cancel(MSC4108FailureReason.UserCancelled).catch(() => {});
+            deviceResolvers.resolve({} as IMyDevice);
+
+            const secrets = {
+                cross_signing: { master_key: "mk", user_signing_key: "usk", self_signing_key: "ssk" },
+            };
+            client.getCrypto()!.exportSecretsBundle = vi.fn().mockResolvedValue(secrets);
+
+            await Promise.all([
+                expect(ourProm).rejects.toThrow("User cancelled"),
+                expect(opponentProm).rejects.toThrow("Unexpected message received"),
+            ]);
+        });
+    });
+});
@@ -15,55 +15,70 @@ limitations under the License.
 */

 // eslint-disable-next-line no-restricted-imports
-import MockHttpBackend from "matrix-mock-request";
 import { fail } from "assert";

-import { SlidingSync, SlidingSyncEvent, MSC3575RoomData, SlidingSyncState, Extension } from "../../src/sliding-sync";
-import { TestClient } from "../TestClient";
-import { IRoomEvent, IStateEvent } from "../../src";
+import type MockHttpBackend from "matrix-mock-request";
 import {
-    MatrixClient,
-    MatrixEvent,
+    SlidingSync,
+    SlidingSyncEvent,
+    type MSC3575RoomData,
+    SlidingSyncState,
+    type Extension,
+} from "../../src/sliding-sync";
+import { TestClient } from "../TestClient";
+import { type IContent, type IRoomEvent, type IStateEvent } from "../../src";
+import {
+    type MatrixClient,
+    type MatrixEvent,
    NotificationCountType,
    JoinRule,
    MatrixError,
    EventType,
-    IPushRules,
+    type IPushRules,
    PushRuleKind,
    TweakName,
    ClientEvent,
    RoomMemberEvent,
    RoomEvent,
-    Room,
-    IRoomTimelineData,
+    type Room,
+    type IRoomTimelineData,
 } from "../../src";
 import { SlidingSyncSdk } from "../../src/sliding-sync-sdk";
-import { SyncApiOptions, SyncState } from "../../src/sync";
-import { IStoredClientOpts } from "../../src";
+import { type SyncApiOptions, SyncState } from "../../src/sync";
+import { type IStoredClientOpts } from "../../src";
 import { logger } from "../../src/logger";
 import { emitPromise } from "../test-utils/test-utils";
-import { defer } from "../../src/utils";
+import { KnownMembership } from "../../src/@types/membership";
+import { type SyncCryptoCallbacks } from "../../src/common-crypto/CryptoBackend";
+
+declare module "../../src/@types/event" {
+    interface AccountDataEvents {
+        global_test: {};
+        tester: {};
+    }
+}

 describe("SlidingSyncSdk", () => {
    let client: MatrixClient | undefined;
    let httpBackend: MockHttpBackend | undefined;
    let sdk: SlidingSyncSdk | undefined;
    let mockSlidingSync: SlidingSync | undefined;
+    let syncCryptoCallback: SyncCryptoCallbacks | undefined;
    const selfUserId = "@alice:localhost";
    const selfAccessToken = "aseukfgwef";

    const mockifySlidingSync = (s: SlidingSync): SlidingSync => {
-        s.getListParams = jest.fn();
-        s.getListData = jest.fn();
-        s.getRoomSubscriptions = jest.fn();
-        s.modifyRoomSubscriptionInfo = jest.fn();
-        s.modifyRoomSubscriptions = jest.fn();
-        s.registerExtension = jest.fn();
-        s.setList = jest.fn();
-        s.setListRanges = jest.fn();
-        s.start = jest.fn();
-        s.stop = jest.fn();
-        s.resend = jest.fn();
+        s.getListParams = vi.fn();
+        s.getListData = vi.fn();
+        s.getRoomSubscriptions = vi.fn();
+        s.modifyRoomSubscriptionInfo = vi.fn();
+        s.modifyRoomSubscriptions = vi.fn();
+        s.registerExtension = vi.fn();
+        s.setList = vi.fn();
+        s.setListRanges = vi.fn();
+        s.start = vi.fn();
+        s.stop = vi.fn();
+        s.resend = vi.fn();
        return s;
    };

@@ -96,7 +111,7 @@ describe("SlidingSyncSdk", () => {
            expect(m.getType()).toEqual(want[i].type);
            expect(m.getSender()).toEqual(want[i].sender);
            expect(m.getId()).toEqual(want[i].event_id);
-            expect(m.getContent()).toEqual(want[i].content);
+            expect(m.getContent<IContent>()).toEqual(want[i].content);
            expect(m.getTs()).toEqual(want[i].origin_server_ts);
            if (want[i].unsigned) {
                expect(m.getUnsigned()).toEqual(want[i].unsigned);
@@ -111,15 +126,16 @@ describe("SlidingSyncSdk", () => {
    // assign client/httpBackend globals
    const setupClient = async (testOpts?: Partial<IStoredClientOpts & { withCrypto: boolean }>) => {
        testOpts = testOpts || {};
-        const syncOpts: SyncApiOptions = {};
+        const syncOpts: SyncApiOptions = { logger };
        const testClient = new TestClient(selfUserId, "DEVICE", selfAccessToken);
        httpBackend = testClient.httpBackend;
        client = testClient.client;
        mockSlidingSync = mockifySlidingSync(new SlidingSync("", new Map(), {}, client, 0));
        if (testOpts.withCrypto) {
            httpBackend!.when("GET", "/room_keys/version").respond(404, {});
-            await client!.initCrypto();
-            syncOpts.cryptoCallbacks = syncOpts.crypto = client!.crypto;
+            await client!.initRustCrypto({ useIndexedDB: false });
+            syncCryptoCallback = client!.getCrypto() as unknown as SyncCryptoCallbacks;
+            syncOpts.cryptoCallbacks = syncCryptoCallback;
        }
        httpBackend!.when("GET", "/_matrix/client/v3/pushrules").respond(200, {});
        sdk = new SlidingSyncSdk(mockSlidingSync, client, testOpts, syncOpts);
@@ -134,7 +150,7 @@ describe("SlidingSyncSdk", () => {
    // find an extension on a SlidingSyncSdk instance
    const findExtension = (name: string): Extension<any, any> => {
        expect(mockSlidingSync!.registerExtension).toHaveBeenCalled();
-        const mockFn = mockSlidingSync!.registerExtension as jest.Mock;
+        const mockFn = vi.mocked(mockSlidingSync!.registerExtension);
        // find the extension
        for (let i = 0; i < mockFn.mock.calls.length; i++) {
            const calledExtension = mockFn.mock.calls[i][0] as Extension<any, any>;
@@ -189,7 +205,7 @@ describe("SlidingSyncSdk", () => {
                    name: "A",
                    required_state: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnStateEvent(EventType.RoomName, { name: "A" }, ""),
                    ],
@@ -204,7 +220,7 @@ describe("SlidingSyncSdk", () => {
                    required_state: [],
                    timeline: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello B" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world B" }),
@@ -216,7 +232,7 @@ describe("SlidingSyncSdk", () => {
                    required_state: [],
                    timeline: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello C" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world C" }),
@@ -229,7 +245,7 @@ describe("SlidingSyncSdk", () => {
                    required_state: [],
                    timeline: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "hello D" }),
                        mkOwnEvent(EventType.RoomMessage, { body: "world D" }),
@@ -244,7 +260,7 @@ describe("SlidingSyncSdk", () => {
                    invite_state: [
                        {
                            type: EventType.RoomMember,
-                            content: { membership: "invite" },
+                            content: { membership: KnownMembership.Invite },
                            state_key: selfUserId,
                            sender: "@bob:localhost",
                            event_id: "$room_e_invite",
@@ -265,7 +281,7 @@ describe("SlidingSyncSdk", () => {
                    name: "#foo:localhost",
                    required_state: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnStateEvent(EventType.RoomCanonicalAlias, { alias: "#foo:localhost" }, ""),
                        mkOwnStateEvent(EventType.RoomName, { name: "This should be ignored" }, ""),
@@ -281,7 +297,7 @@ describe("SlidingSyncSdk", () => {
                    required_state: [],
                    timeline: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    ],
                    joined_count: 5,
@@ -293,7 +309,7 @@ describe("SlidingSyncSdk", () => {
                    required_state: [],
                    timeline: [
                        mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                        mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                        mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                        mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                        mkOwnEvent(EventType.RoomMessage, { body: "live event" }),
                    ],
@@ -308,7 +324,7 @@ describe("SlidingSyncSdk", () => {
                const gotRoom = client!.getRoom(roomA);
                expect(gotRoom).toBeTruthy();
                expect(gotRoom!.name).toEqual(data[roomA].name);
-                expect(gotRoom!.getMyMembership()).toEqual("join");
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents().slice(-2), data[roomA].timeline);
            });

@@ -318,7 +334,7 @@ describe("SlidingSyncSdk", () => {
                const gotRoom = client!.getRoom(roomB);
                expect(gotRoom).toBeTruthy();
                expect(gotRoom!.name).toEqual(data[roomB].name);
-                expect(gotRoom!.getMyMembership()).toEqual("join");
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents().slice(-5), data[roomB].timeline);
            });

@@ -352,7 +368,7 @@ describe("SlidingSyncSdk", () => {
            });

            it("can be created with live events", async () => {
-                const seenLiveEventDeferred = defer<boolean>();
+                const seenLiveEventDeferred = Promise.withResolvers<boolean>();
                const listener = (
                    ev: MatrixEvent,
                    room?: Room,
@@ -372,7 +388,7 @@ describe("SlidingSyncSdk", () => {
                const gotRoom = client!.getRoom(roomH);
                expect(gotRoom).toBeTruthy();
                expect(gotRoom!.name).toEqual(data[roomH].name);
-                expect(gotRoom!.getMyMembership()).toEqual("join");
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Join);
                // check the entire timeline is correct
                assertTimelineEvents(gotRoom!.getLiveTimeline().getEvents(), data[roomH].timeline);
                await expect(seenLiveEventDeferred.promise).resolves.toBeTruthy();
@@ -383,7 +399,7 @@ describe("SlidingSyncSdk", () => {
                await emitPromise(client!, ClientEvent.Room);
                const gotRoom = client!.getRoom(roomE);
                expect(gotRoom).toBeTruthy();
-                expect(gotRoom!.getMyMembership()).toEqual("invite");
+                expect(gotRoom!.getMyMembership()).toEqual(KnownMembership.Invite);
                expect(gotRoom!.currentState.getJoinRule()).toEqual(JoinRule.Invite);
            });

@@ -600,13 +616,13 @@ describe("SlidingSyncSdk", () => {
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                initial: true,
                name: "Room with Invite",
-                required_state: [],
-                timeline: [
+                required_state: [
                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "invite" }, invitee),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Invite }, invitee),
                ],
+                timeline: [],
            });
            await httpBackend!.flush("/profile", 1, 1000);
            await emitPromise(client!, RoomMemberEvent.Name);
@@ -632,43 +648,38 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("e2ee");
        });

-        afterAll(async () => {
-            // needed else we do some async operations in the background which can cause Jest to whine:
-            // "Cannot log after tests are done. Did you forget to wait for something async in your test?"
-            // Attempted to log "Saving device tracking data null"."
-            client!.crypto!.stop();
-        });
-
-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("can update device lists", () => {
-            client!.crypto!.processDeviceLists = jest.fn();
+            syncCryptoCallback!.processDeviceLists = vi.fn();
            ext.onResponse({
                device_lists: {
                    changed: ["@alice:localhost"],
                    left: ["@bob:localhost"],
                },
            });
-            expect(client!.crypto!.processDeviceLists).toHaveBeenCalledWith({
+            expect(syncCryptoCallback!.processDeviceLists).toHaveBeenCalledWith({
                changed: ["@alice:localhost"],
                left: ["@bob:localhost"],
            });
        });

        it("can update OTK counts and unused fallback keys", () => {
-            client!.crypto!.processKeyCounts = jest.fn();
+            syncCryptoCallback!.processKeyCounts = vi.fn();
            ext.onResponse({
                device_one_time_keys_count: {
                    signed_curve25519: 42,
                },
                device_unused_fallback_key_types: ["signed_curve25519"],
            });
-            expect(client!.crypto!.processKeyCounts).toHaveBeenCalledWith({ signed_curve25519: 42 }, [
+            expect(syncCryptoCallback!.processKeyCounts).toHaveBeenCalledWith({ signed_curve25519: 42 }, [
                "signed_curve25519",
            ]);
        });
@@ -685,11 +696,13 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("account_data");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes global account data", async () => {
@@ -709,7 +722,7 @@ describe("SlidingSyncSdk", () => {
            });
            globalData = client!.getAccountData(globalType)!;
            expect(globalData).toBeTruthy();
-            expect(globalData.getContent()).toEqual(globalContent);
+            expect(globalData.getContent<IContent>()).toEqual(globalContent);
        });

        it("processes rooms account data", async () => {
@@ -719,7 +732,7 @@ describe("SlidingSyncSdk", () => {
                required_state: [],
                timeline: [
                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
@@ -744,7 +757,7 @@ describe("SlidingSyncSdk", () => {
            expect(room).toBeTruthy();
            const event = room.getAccountData(roomType)!;
            expect(event).toBeTruthy();
-            expect(event.getContent()).toEqual(roomContent);
+            expect(event.getContent<IContent>()).toEqual(roomContent);
        });

        it("doesn't crash for unknown room account data", async () => {
@@ -813,8 +826,12 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("to_device");
        });

-        it("gets enabled with a limit on the initial request only", () => {
-            const reqJson: any = ext.onRequest(true);
+        it("gets enabled all the time", async () => {
+            let reqJson: any = await ext.onRequest(true);
+            expect(reqJson.enabled).toEqual(true);
+            expect(reqJson.limit).toBeGreaterThan(0);
+            expect(reqJson.since).toBeUndefined();
+            reqJson = await ext.onRequest(false);
            expect(reqJson.enabled).toEqual(true);
            expect(reqJson.limit).toBeGreaterThan(0);
            expect(reqJson.since).toBeUndefined();
@@ -825,11 +842,12 @@ describe("SlidingSyncSdk", () => {
                next_batch: "12345",
                events: [],
            });
-            expect(ext.onRequest(false)).toEqual({
+            expect(await ext.onRequest(false)).toMatchObject({
                since: "12345",
            });
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("can handle missing fields", async () => {
            ext.onResponse({
                next_batch: "23456",
@@ -844,7 +862,7 @@ describe("SlidingSyncSdk", () => {
            };
            let called = false;
            client!.once(ClientEvent.ToDeviceEvent, (ev) => {
-                expect(ev.getContent()).toEqual(toDeviceContent);
+                expect(ev.getContent<IContent>()).toEqual(toDeviceContent);
                expect(ev.getType()).toEqual(toDeviceType);
                called = true;
            });
@@ -909,24 +927,25 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("typing");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes typing notifications", async () => {
            const roomId = "!room:id";
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                name: "Room with typing",
-                required_state: [],
-                timeline: [
+                required_state: [
                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
+                timeline: [mkOwnEvent(EventType.RoomMessage, { body: "hello" })],
                initial: true,
            });
            await emitPromise(client!, ClientEvent.Room);
@@ -961,13 +980,12 @@ describe("SlidingSyncSdk", () => {
            const roomId = "!room:id";
            mockSlidingSync!.emit(SlidingSyncEvent.RoomData, roomId, {
                name: "Room with typing",
-                required_state: [],
-                timeline: [
+                required_state: [
                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
-                    mkOwnEvent(EventType.RoomMessage, { body: "hello" }),
                ],
+                timeline: [mkOwnEvent(EventType.RoomMessage, { body: "hello" })],
                initial: true,
            });
            const room = client!.getRoom(roomId)!;
@@ -1034,11 +1052,13 @@ describe("SlidingSyncSdk", () => {
            ext = findExtension("receipts");
        });

-        it("gets enabled on the initial request only", () => {
-            expect(ext.onRequest(true)).toEqual({
+        it("gets enabled all the time", async () => {
+            expect(await ext.onRequest(true)).toEqual({
+                enabled: true,
+            });
+            expect(await ext.onRequest(false)).toEqual({
                enabled: true,
            });
-            expect(ext.onRequest(false)).toEqual(undefined);
        });

        it("processes receipts", async () => {
@@ -1050,12 +1070,12 @@ describe("SlidingSyncSdk", () => {
                required_state: [],
                timeline: [
                    mkOwnStateEvent(EventType.RoomCreate, {}, ""),
-                    mkOwnStateEvent(EventType.RoomMember, { membership: "join" }, selfUserId),
+                    mkOwnStateEvent(EventType.RoomMember, { membership: KnownMembership.Join }, selfUserId),
                    mkOwnStateEvent(EventType.RoomPowerLevels, { users: { [selfUserId]: 100 } }, ""),
                    {
                        type: EventType.RoomMember,
                        state_key: alice,
-                        content: { membership: "join" },
+                        content: { membership: KnownMembership.Join },
                        sender: alice,
                        origin_server_ts: Date.now(),
                        event_id: "$alice",
@@ -1076,6 +1096,7 @@ describe("SlidingSyncSdk", () => {
            expect(receipt?.data.thread_id).toBeFalsy();
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("gracefully handles missing rooms when receiving receipts", async () => {
            const roomId = "!room:id";
            const alice = "@alice:alice";
@@ -15,21 +15,20 @@ limitations under the License.
 */

 // eslint-disable-next-line no-restricted-imports
-import EventEmitter from "events";
-import MockHttpBackend from "matrix-mock-request";
-
+import type EventEmitter from "events";
+import type MockHttpBackend from "matrix-mock-request";
 import {
    SlidingSync,
    SlidingSyncState,
    ExtensionState,
    SlidingSyncEvent,
-    Extension,
-    SlidingSyncEventHandlerMap,
-    MSC3575RoomData,
+    type Extension,
+    type SlidingSyncEventHandlerMap,
+    type MSC3575RoomData,
 } from "../../src/sliding-sync";
 import { TestClient } from "../TestClient";
 import { logger } from "../../src/logger";
-import { MatrixClient } from "../../src";
+import { type MatrixClient } from "../../src";

 /**
 * Tests for sliding sync. These tests are broken down into sub-tests which are reliant upon one another.
@@ -42,7 +41,7 @@ describe("SlidingSync", () => {
    const selfUserId = "@alice:localhost";
    const selfAccessToken = "aseukfgwef";
    const proxyBaseUrl = "http://localhost:8008";
-    const syncUrl = proxyBaseUrl + "/_matrix/client/unstable/org.matrix.msc3575/sync";
+    const syncUrl = proxyBaseUrl + "/_matrix/client/unstable/org.matrix.simplified_msc3575/sync";

    // assign client/httpBackend globals
    const setupClient = () => {
@@ -83,6 +82,7 @@ describe("SlidingSync", () => {
            await p;
        });

+        // eslint-disable-next-line @vitest/expect-expect
        it("should stop the sync loop upon calling stop()", () => {
            slidingSync.stop();
            httpBackend!.verifyNoOutstandingExpectation();
@@ -104,11 +104,11 @@ describe("SlidingSync", () => {
            };
            const ext: Extension<any, any> = {
                name: () => "custom_extension",
-                onRequest: (initial) => {
-                    return { initial: initial };
+                onRequest: async (_) => {
+                    return { initial: true };
                },
-                onResponse: (res) => {
-                    return {};
+                onResponse: async (res) => {
+                    return;
                },
                when: () => ExtensionState.PreProcess,
            };
@@ -144,18 +144,16 @@ describe("SlidingSync", () => {
                });
            await httpBackend!.flushAllExpected();

-            // expect nothing but ranges and non-initial extensions to be sent
+            // expect all params to be sent TODO: check MSC4186
            httpBackend!
                .when("POST", syncUrl)
                .check(function (req) {
                    const body = req.data;
                    logger.debug("got ", body);
                    expect(body.room_subscriptions).toBeFalsy();
-                    expect(body.lists["a"]).toEqual({
-                        ranges: [[0, 10]],
-                    });
+                    expect(body.lists["a"]).toEqual(listInfo);
                    expect(body.extensions).toBeTruthy();
-                    expect(body.extensions["custom_extension"]).toEqual({ initial: false });
+                    expect(body.extensions["custom_extension"]).toEqual({ initial: true });
                    expect(req.queryParams!["pos"]).toEqual("11");
                })
                .respond(200, function () {
@@ -333,6 +331,7 @@ describe("SlidingSync", () => {
            await p;
        });

+        // TODO: this does not exist in MSC4186
        it("should be able to unsubscribe from a room", async () => {
            httpBackend!
                .when("POST", syncUrl)
@@ -390,18 +389,19 @@ describe("SlidingSync", () => {
            [3, 5],
        ];

+        // request first 3 rooms
+        const listReq = {
+            ranges: [[0, 2]],
+            sort: ["by_name"],
+            timeline_limit: 1,
+            required_state: [["m.room.topic", ""]],
+            filters: {
+                is_dm: true,
+            },
+        };
+
        let slidingSync: SlidingSync;
        it("should be possible to subscribe to a list", async () => {
-            // request first 3 rooms
-            const listReq = {
-                ranges: [[0, 2]],
-                sort: ["by_name"],
-                timeline_limit: 1,
-                required_state: [["m.room.topic", ""]],
-                filters: {
-                    is_dm: true,
-                },
-            };
            slidingSync = new SlidingSync(proxyBaseUrl, new Map([["a", listReq]]), {}, client!, 1);
            httpBackend!
                .when("POST", syncUrl)
@@ -453,11 +453,6 @@ describe("SlidingSync", () => {
            expect(slidingSync.getListData("b")).toBeNull();
            const syncData = slidingSync.getListData("a")!;
            expect(syncData.joinedCount).toEqual(500); // from previous test
-            expect(syncData.roomIndexToRoomId).toEqual({
-                0: roomA,
-                1: roomB,
-                2: roomC,
-            });
        });

        it("should be possible to adjust list ranges", async () => {
@@ -468,10 +463,9 @@ describe("SlidingSync", () => {
                    const body = req.data;
                    logger.log("next ranges", body.lists["a"].ranges);
                    expect(body.lists).toBeTruthy();
-                    expect(body.lists["a"]).toEqual({
-                        // only the ranges should be sent as the rest are unchanged and sticky
-                        ranges: newRanges,
-                    });
+                    // list range should be changed
+                    listReq.ranges = newRanges;
+                    expect(body.lists["a"]).toEqual(listReq); // resend all values TODO: check MSC4186
                })
                .respond(200, {
                    pos: "b",
@@ -496,7 +490,9 @@ describe("SlidingSync", () => {
            await httpBackend!.flushAllExpected();
            await responseProcessed;
            // setListRanges for an invalid list key returns an error
-            await expect(slidingSync.setListRanges("idontexist", newRanges)).rejects.toBeTruthy();
+            expect(() => {
+                slidingSync.setListRanges("idontexist", newRanges);
+            }).toThrow();
        });

        it("should be possible to add an extra list", async () => {
@@ -514,10 +510,7 @@ describe("SlidingSync", () => {
                    const body = req.data;
                    logger.log("extra list", body);
                    expect(body.lists).toBeTruthy();
-                    expect(body.lists["a"]).toEqual({
-                        // only the ranges should be sent as the rest are unchanged and sticky
-                        ranges: newRanges,
-                    });
+                    expect(body.lists["a"]).toEqual(listReq); // resend all values TODO: check MSC4186
                    expect(body.lists["b"]).toEqual(extraListReq);
                })
                .respond(200, {
@@ -538,16 +531,6 @@ describe("SlidingSync", () => {
                        },
                    },
                });
-            listenUntil(slidingSync, "SlidingSync.List", (listKey, joinedCount, roomIndexToRoomId) => {
-                expect(listKey).toEqual("b");
-                expect(joinedCount).toEqual(50);
-                expect(roomIndexToRoomId).toEqual({
-                    0: roomA,
-                    1: roomB,
-                    2: roomC,
-                });
-                return true;
-            });
            const responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
                return state === SlidingSyncState.Complete;
            });
@@ -555,706 +538,6 @@ describe("SlidingSync", () => {
            await httpBackend!.flushAllExpected();
            await responseProcessed;
        });
-
-        it("should be possible to get list DELETE/INSERTs", async () => {
-            // move C (2) to A (0)
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "e",
-                lists: {
-                    a: {
-                        count: 500,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 2,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 0,
-                                room_id: roomC,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            let listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(500);
-                    expect(roomIndexToRoomId).toEqual({
-                        0: roomC,
-                        1: roomA,
-                        2: roomB,
-                    });
-                    return true;
-                },
-            );
-            let responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-
-            // move C (0) back to A (2)
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "f",
-                lists: {
-                    a: {
-                        count: 500,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 0,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 2,
-                                room_id: roomC,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            listPromise = listenUntil(slidingSync, "SlidingSync.List", (listKey, joinedCount, roomIndexToRoomId) => {
-                expect(listKey).toEqual("a");
-                expect(joinedCount).toEqual(500);
-                expect(roomIndexToRoomId).toEqual({
-                    0: roomA,
-                    1: roomB,
-                    2: roomC,
-                });
-                return true;
-            });
-            responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-        });
-
-        it("should ignore invalid list indexes", async () => {
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "e",
-                lists: {
-                    a: {
-                        count: 500,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 2324324,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            const listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(500);
-                    expect(roomIndexToRoomId).toEqual({
-                        0: roomA,
-                        1: roomB,
-                        2: roomC,
-                    });
-                    return true;
-                },
-            );
-            const responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-        });
-
-        it("should be possible to update a list", async () => {
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "g",
-                lists: {
-                    a: {
-                        count: 42,
-                        ops: [
-                            {
-                                op: "INVALIDATE",
-                                range: [0, 2],
-                            },
-                            {
-                                op: "SYNC",
-                                range: [0, 1],
-                                room_ids: [roomB, roomC],
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            // update the list with a new filter
-            slidingSync.setList("a", {
-                filters: {
-                    is_encrypted: true,
-                },
-                ranges: [[0, 100]],
-            });
-            const listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(42);
-                    expect(roomIndexToRoomId).toEqual({
-                        0: roomB,
-                        1: roomC,
-                    });
-                    return true;
-                },
-            );
-            const responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-        });
-
-        // this refers to a set of operations where the end result is no change.
-        it("should handle net zero operations correctly", async () => {
-            const indexToRoomId = {
-                0: roomB,
-                1: roomC,
-            };
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual(indexToRoomId);
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "f",
-                // currently the list is [B,C] so we will insert D then immediately delete it
-                lists: {
-                    a: {
-                        count: 500,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 2,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 0,
-                                room_id: roomA,
-                            },
-                            {
-                                op: "DELETE",
-                                index: 0,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            const listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(500);
-                    expect(roomIndexToRoomId).toEqual(indexToRoomId);
-                    return true;
-                },
-            );
-            const responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-        });
-
-        it("should handle deletions correctly", async () => {
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({
-                0: roomB,
-                1: roomC,
-            });
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "g",
-                lists: {
-                    a: {
-                        count: 499,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 0,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            const listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(499);
-                    expect(roomIndexToRoomId).toEqual({
-                        0: roomC,
-                    });
-                    return true;
-                },
-            );
-            const responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-        });
-
-        it("should handle insertions correctly", async () => {
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({
-                0: roomC,
-            });
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "h",
-                lists: {
-                    a: {
-                        count: 500,
-                        ops: [
-                            {
-                                op: "INSERT",
-                                index: 1,
-                                room_id: roomA,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            let listPromise = listenUntil(
-                slidingSync,
-                "SlidingSync.List",
-                (listKey, joinedCount, roomIndexToRoomId) => {
-                    expect(listKey).toEqual("a");
-                    expect(joinedCount).toEqual(500);
-                    expect(roomIndexToRoomId).toEqual({
-                        0: roomC,
-                        1: roomA,
-                    });
-                    return true;
-                },
-            );
-            let responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "h",
-                lists: {
-                    a: {
-                        count: 501,
-                        ops: [
-                            {
-                                op: "INSERT",
-                                index: 1,
-                                room_id: roomB,
-                            },
-                        ],
-                    },
-                    b: {
-                        count: 50,
-                    },
-                },
-            });
-            listPromise = listenUntil(slidingSync, "SlidingSync.List", (listKey, joinedCount, roomIndexToRoomId) => {
-                expect(listKey).toEqual("a");
-                expect(joinedCount).toEqual(501);
-                expect(roomIndexToRoomId).toEqual({
-                    0: roomC,
-                    1: roomB,
-                    2: roomA,
-                });
-                return true;
-            });
-            responseProcessed = listenUntil(slidingSync, "SlidingSync.Lifecycle", (state) => {
-                return state === SlidingSyncState.Complete;
-            });
-            await httpBackend!.flushAllExpected();
-            await responseProcessed;
-            await listPromise;
-            slidingSync.stop();
-        });
-
-        // Regression test to make sure things like DELETE 0 INSERT 0 work correctly and we don't
-        // end up losing room IDs.
-        it("should handle insertions with a spurious DELETE correctly", async () => {
-            slidingSync = new SlidingSync(
-                proxyBaseUrl,
-                new Map([
-                    [
-                        "a",
-                        {
-                            ranges: [[0, 20]],
-                        },
-                    ],
-                ]),
-                {},
-                client!,
-                1,
-            );
-            // initially start with nothing
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "a",
-                lists: {
-                    a: {
-                        count: 0,
-                        ops: [],
-                    },
-                },
-            });
-            slidingSync.start();
-            await httpBackend!.flushAllExpected();
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({});
-
-            // insert a room
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "b",
-                lists: {
-                    a: {
-                        count: 1,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 0,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 0,
-                                room_id: roomA,
-                            },
-                        ],
-                    },
-                },
-            });
-            await httpBackend!.flushAllExpected();
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({
-                0: roomA,
-            });
-
-            // insert another room
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "c",
-                lists: {
-                    a: {
-                        count: 1,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 1,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 0,
-                                room_id: roomB,
-                            },
-                        ],
-                    },
-                },
-            });
-            await httpBackend!.flushAllExpected();
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({
-                0: roomB,
-                1: roomA,
-            });
-
-            // insert a final room
-            httpBackend!.when("POST", syncUrl).respond(200, {
-                pos: "c",
-                lists: {
-                    a: {
-                        count: 1,
-                        ops: [
-                            {
-                                op: "DELETE",
-                                index: 2,
-                            },
-                            {
-                                op: "INSERT",
-                                index: 0,
-                                room_id: roomC,
-                            },
-                        ],
-                    },
-                },
-            });
-            await httpBackend!.flushAllExpected();
-            expect(slidingSync.getListData("a")!.roomIndexToRoomId).toEqual({
-                0: roomC,
-                1: roomB,
-                2: roomA,
-            });
-            slidingSync.stop();
-        });
-    });
-
-    describe("transaction IDs", () => {
-        beforeAll(setupClient);
-        afterAll(teardownClient);
-        const roomId = "!foo:bar";
-
-        let slidingSync: SlidingSync;
-
-        // really this applies to them all but it's easier to just test one
-        it("should resolve modifyRoomSubscriptions after SlidingSync.start() is called", async () => {
-            const roomSubInfo = {
-                timeline_limit: 1,
-                required_state: [["m.room.name", ""]],
-            };
-            // add the subscription
-            slidingSync = new SlidingSync(proxyBaseUrl, new Map(), roomSubInfo, client!, 1);
-            // modification before SlidingSync.start()
-            const subscribePromise = slidingSync.modifyRoomSubscriptions(new Set([roomId]));
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(function (req) {
-                    const body = req.data;
-                    logger.debug("got ", body);
-                    expect(body.room_subscriptions).toBeTruthy();
-                    expect(body.room_subscriptions[roomId]).toEqual(roomSubInfo);
-                    expect(body.txn_id).toBeTruthy();
-                    txnId = body.txn_id;
-                })
-                .respond(200, function () {
-                    return {
-                        pos: "aaa",
-                        txn_id: txnId,
-                        lists: {},
-                        extensions: {},
-                        rooms: {
-                            [roomId]: {
-                                name: "foo bar",
-                                required_state: [],
-                                timeline: [],
-                            },
-                        },
-                    };
-                });
-            slidingSync.start();
-            await httpBackend!.flushAllExpected();
-            await subscribePromise;
-        });
-        it("should resolve setList during a connection", async () => {
-            const newList = {
-                ranges: [[0, 20]],
-            };
-            const promise = slidingSync.setList("a", newList);
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(function (req) {
-                    const body = req.data;
-                    logger.debug("got ", body);
-                    expect(body.room_subscriptions).toBeFalsy();
-                    expect(body.lists["a"]).toEqual(newList);
-                    expect(body.txn_id).toBeTruthy();
-                    txnId = body.txn_id;
-                })
-                .respond(200, function () {
-                    return {
-                        pos: "bbb",
-                        txn_id: txnId,
-                        lists: { a: { count: 5 } },
-                        extensions: {},
-                    };
-                });
-            await httpBackend!.flushAllExpected();
-            await promise;
-            expect(txnId).toBeDefined();
-        });
-        it("should resolve setListRanges during a connection", async () => {
-            const promise = slidingSync.setListRanges("a", [[20, 40]]);
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(function (req) {
-                    const body = req.data;
-                    logger.debug("got ", body);
-                    expect(body.room_subscriptions).toBeFalsy();
-                    expect(body.lists["a"]).toEqual({
-                        ranges: [[20, 40]],
-                    });
-                    expect(body.txn_id).toBeTruthy();
-                    txnId = body.txn_id;
-                })
-                .respond(200, function () {
-                    return {
-                        pos: "ccc",
-                        txn_id: txnId,
-                        lists: { a: { count: 5 } },
-                        extensions: {},
-                    };
-                });
-            await httpBackend!.flushAllExpected();
-            await promise;
-            expect(txnId).toBeDefined();
-        });
-        it("should resolve modifyRoomSubscriptionInfo during a connection", async () => {
-            const promise = slidingSync.modifyRoomSubscriptionInfo({
-                timeline_limit: 99,
-            });
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(function (req) {
-                    const body = req.data;
-                    logger.debug("got ", body);
-                    expect(body.room_subscriptions).toBeTruthy();
-                    expect(body.room_subscriptions[roomId]).toEqual({
-                        timeline_limit: 99,
-                    });
-                    expect(body.txn_id).toBeTruthy();
-                    txnId = body.txn_id;
-                })
-                .respond(200, function () {
-                    return {
-                        pos: "ddd",
-                        txn_id: txnId,
-                        extensions: {},
-                    };
-                });
-            await httpBackend!.flushAllExpected();
-            await promise;
-            expect(txnId).toBeDefined();
-        });
-        it("should reject earlier pending promises if a later transaction is acknowledged", async () => {
-            // i.e if we have [A,B,C] and see txn_id=C then A,B should be rejected.
-            const gotTxnIds: any[] = [];
-            const pushTxn = function (req: MockHttpBackend["requests"][0]) {
-                gotTxnIds.push(req.data.txn_id);
-            };
-            const failPromise = slidingSync.setListRanges("a", [[20, 40]]);
-            httpBackend!.when("POST", syncUrl).check(pushTxn).respond(200, { pos: "e" }); // missing txn_id
-            await httpBackend!.flushAllExpected();
-            const failPromise2 = slidingSync.setListRanges("a", [[60, 70]]);
-            httpBackend!.when("POST", syncUrl).check(pushTxn).respond(200, { pos: "f" }); // missing txn_id
-            await httpBackend!.flushAllExpected();
-
-            const okPromise = slidingSync.setListRanges("a", [[0, 20]]);
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check((req) => {
-                    txnId = req.data.txn_id;
-                })
-                .respond(200, () => {
-                    // include the txn_id, earlier requests should now be reject()ed.
-                    return {
-                        pos: "g",
-                        txn_id: txnId,
-                    };
-                });
-            await Promise.all([
-                expect(failPromise).rejects.toEqual(gotTxnIds[0]),
-                expect(failPromise2).rejects.toEqual(gotTxnIds[1]),
-                httpBackend!.flushAllExpected(),
-                okPromise,
-            ]);
-
-            expect(txnId).toBeDefined();
-        });
-        it("should not reject later pending promises if an earlier transaction is acknowledged", async () => {
-            // i.e if we have [A,B,C] and see txn_id=B then C should not be rejected but A should.
-            const gotTxnIds: any[] = [];
-            const pushTxn = function (req: MockHttpBackend["requests"][0]) {
-                gotTxnIds.push(req.data?.txn_id);
-            };
-            const A = slidingSync.setListRanges("a", [[20, 40]]);
-            httpBackend!.when("POST", syncUrl).check(pushTxn).respond(200, { pos: "A" });
-            await httpBackend!.flushAllExpected();
-            const B = slidingSync.setListRanges("a", [[60, 70]]);
-            httpBackend!.when("POST", syncUrl).check(pushTxn).respond(200, { pos: "B" }); // missing txn_id
-            await httpBackend!.flushAllExpected();
-
-            // attach rejection handlers now else if we do it later Jest treats that as an unhandled rejection
-            // which is a fail.
-
-            const C = slidingSync.setListRanges("a", [[0, 20]]);
-            let pendingC = true;
-            C.finally(() => {
-                pendingC = false;
-            });
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(pushTxn)
-                .respond(200, () => {
-                    // include the txn_id for B, so C's promise is outstanding
-                    return {
-                        pos: "C",
-                        txn_id: gotTxnIds[1],
-                    };
-                });
-            await Promise.all([
-                expect(A).rejects.toEqual(gotTxnIds[0]),
-                httpBackend!.flushAllExpected(),
-                // A is rejected, see above
-                expect(B).resolves.toEqual(gotTxnIds[1]), // B is resolved
-            ]);
-            expect(pendingC).toBe(true); // C is pending still
-        });
-        it("should do nothing for unknown txn_ids", async () => {
-            const promise = slidingSync.setListRanges("a", [[20, 40]]);
-            let pending = true;
-            promise.finally(() => {
-                pending = false;
-            });
-            let txnId: string | undefined;
-            httpBackend!
-                .when("POST", syncUrl)
-                .check(function (req) {
-                    const body = req.data;
-                    logger.debug("got ", body);
-                    expect(body.room_subscriptions).toBeFalsy();
-                    expect(body.lists["a"]).toEqual({
-                        ranges: [[20, 40]],
-                    });
-                    expect(body.txn_id).toBeTruthy();
-                    txnId = body.txn_id;
-                })
-                .respond(200, function () {
-                    return {
-                        pos: "ccc",
-                        txn_id: "bogus transaction id",
-                        lists: { a: { count: 5 } },
-                        extensions: {},
-                    };
-                });
-            await httpBackend!.flushAllExpected();
-            expect(txnId).toBeDefined();
-            expect(pending).toBe(true);
-            slidingSync.stop();
-        });
    });

    describe("custom room subscriptions", () => {
@@ -1544,7 +827,7 @@ describe("SlidingSync", () => {

        const extPre: Extension<any, any> = {
            name: () => preExtName,
-            onRequest: (initial) => {
+            onRequest: async (initial) => {
                return onPreExtensionRequest(initial);
            },
            onResponse: (res) => {
@@ -1554,7 +837,7 @@ describe("SlidingSync", () => {
        };
        const extPost: Extension<any, any> = {
            name: () => postExtName,
-            onRequest: (initial) => {
+            onRequest: async (initial) => {
                return onPostExtensionRequest(initial);
            },
            onResponse: (res) => {
@@ -1569,10 +852,10 @@ describe("SlidingSync", () => {

            const callbackOrder: string[] = [];
            let extensionOnResponseCalled = false;
-            onPreExtensionRequest = () => {
+            onPreExtensionRequest = async () => {
                return extReq;
            };
-            onPreExtensionResponse = (resp) => {
+            onPreExtensionResponse = async (resp) => {
                extensionOnResponseCalled = true;
                callbackOrder.push("onPreExtensionResponse");
                expect(resp).toEqual(extResp);
@@ -1609,11 +892,11 @@ describe("SlidingSync", () => {
        });

        it("should be able to send nothing in an extension request/response", async () => {
-            onPreExtensionRequest = () => {
+            onPreExtensionRequest = async () => {
                return undefined;
            };
            let responseCalled = false;
-            onPreExtensionResponse = (resp) => {
+            onPreExtensionResponse = async (resp) => {
                responseCalled = true;
            };
            httpBackend!
@@ -1644,12 +927,12 @@ describe("SlidingSync", () => {

        it("is possible to register extensions after start() has been called", async () => {
            slidingSync.registerExtension(extPost);
-            onPostExtensionRequest = () => {
+            onPostExtensionRequest = async () => {
                return extReq;
            };
            let responseCalled = false;
            const callbackOrder: string[] = [];
-            onPostExtensionResponse = (resp) => {
+            onPostExtensionResponse = async (resp) => {
                expect(resp).toEqual(extResp);
                responseCalled = true;
                callbackOrder.push("onPostExtensionResponse");
@@ -14,12 +14,22 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import DOMException from "domexception";
+import fetchMock, { manageFetchMockGlobally } from "@fetch-mock/vitest";

-global.DOMException = DOMException as typeof global.DOMException;
-
-jest.mock("../src/http-api/utils", () => ({
-    ...jest.requireActual("../src/http-api/utils"),
+vi.mock("../src/http-api/utils", async () => ({
+    ...(await vi.importActual("../src/http-api/utils")),
    // We mock timeoutSignal otherwise it causes tests to leave timers running
    timeoutSignal: () => new AbortController().signal,
 }));
+
+manageFetchMockGlobally();
+
+beforeEach(() => {
+    fetchMock.hardReset();
+    fetchMock.mockGlobal();
+});
+
+// Don't make test fail too soon due to timeouts while debugging.
+if (process.env.VSCODE_INSPECTOR_OPTIONS) {
+    vi.setConfig({ testTimeout: 60 * 1000 * 5 }); // 5 minutes
+}
@@ -0,0 +1,135 @@
+/*
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMock from "@fetch-mock/vitest";
+
+import { type ISyncResponder } from "./SyncResponder";
+
+/**
+ * An object which intercepts `account_data` get and set requests via fetch-mock.
+ *
+ * To use this, call {@link interceptSetAccountData} for each type of account date that should be handled. The updated
+ * account data will be stored in {@link accountDataEvents}; it will also trigger a sync response echoing the updated
+ * data.
+ *
+ * Optionally, you can also call {@link interceptGetAccountData}.
+ */
+export class AccountDataAccumulator {
+    /**
+     * The account data events to be returned by the sync.
+     * Will be updated when fetchMock intercepts calls to PUT `/_matrix/client/v3/user/:userId/account_data/`.
+     */
+    public accountDataEvents: Map<string, any> = new Map();
+
+    public constructor(private syncResponder: ISyncResponder) {}
+
+    private accountDataResolvers = new Map<string, PromiseWithResolvers<any>>();
+    private setInterceptRunning = false;
+
+    /**
+     * Intercept setting of account data.
+     *
+     * Once it is set, its data is stored (for future return by `interceptGetAccountData` etc) and the resolved promise is
+     * resolved.
+     *
+     * @returns a Promise which will resolve (with the content of the account data) once it is set.
+     */
+    public interceptSetAccountData(): void {
+        if (this.setInterceptRunning) return;
+        this.setInterceptRunning = true;
+
+        fetchMock.put(`express:/_matrix/client/v3/user/:userId/account_data/:type`, (callLog) => {
+            const content = JSON.parse(callLog.options.body as string);
+            const type = callLog.url.split("/").pop();
+            // update account data for sync response
+            this.accountDataEvents.set(type!, content);
+
+            this.accountDataResolvers.get(type!)?.resolve(content);
+            if (!this.accountDataResolvers.delete(type!)) {
+                // Check for a wildcard matcher
+                for (const [key, resolver] of this.accountDataResolvers) {
+                    if (key.endsWith("*") && type?.startsWith(key.slice(0, -1))) {
+                        resolver.resolve(content);
+                        this.accountDataResolvers.delete(key);
+                    }
+                }
+            }
+
+            // return a sync response
+            this.sendSyncResponseWithUpdatedAccountData();
+            return {};
+        });
+    }
+
+    /**
+     * Wait for a particular type of account data.
+     *
+     * Once it is set, its data is stored (for future return by `interceptGetAccountData` etc) and the resolved promise is
+     * resolved.
+     *
+     * @returns a Promise which will resolve (with the content of the account data) once it is set.
+     */
+    public waitForAccountData(type: string): Promise<any> {
+        const resolvers = Promise.withResolvers<any>();
+        this.accountDataResolvers.set(type, resolvers);
+        this.interceptSetAccountData();
+        return resolvers.promise;
+    }
+
+    /**
+     * Intercept all requests to get account data
+     */
+    public interceptGetAccountData(): void {
+        fetchMock.get(`express:/_matrix/client/v3/user/:userId/account_data/:type`, (callLog) => {
+            const type = callLog.url.split("/").pop();
+            const existing = this.accountDataEvents.get(type!);
+            if (existing) {
+                // return it
+                return {
+                    status: 200,
+                    body: existing,
+                };
+            } else {
+                // 404
+                return {
+                    status: 404,
+                    body: { errcode: "M_NOT_FOUND", error: "Account data not found." },
+                };
+            }
+        });
+    }
+
+    /**
+     * Send a sync response the current account data events.
+     */
+    private sendSyncResponseWithUpdatedAccountData(): void {
+        try {
+            this.syncResponder.sendOrQueueSyncResponse({
+                next_batch: 1,
+                account_data: {
+                    events: Array.from(this.accountDataEvents, ([type, content]) => ({
+                        type: type,
+                        content: content,
+                    })),
+                },
+            });
+        } catch {
+            // Might fail with "Cannot queue more than one /sync response" if called too often.
+            // It's ok if it fails here, the sync response is cumulative and will contain
+            // the latest account data.
+        }
+    }
+}
@@ -14,11 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import debugFunc from "debug";
-import { Debugger } from "debug";
-import fetchMock from "fetch-mock-jest";
+import debugFunc, { type Debugger } from "debug";
+import fetchMock from "@fetch-mock/vitest";

 import type { IDeviceKeys, IOneTimeKey } from "../../src/@types/crypto";
+import type { CrossSigningKeys, ISignedKey, KeySignatures } from "../../src";
+import type { CrossSigningKeyInfo } from "../../src/crypto-api";

 /** Interface implemented by classes that intercept `/keys/upload` requests from test clients to catch the uploaded keys
 *
@@ -55,28 +56,53 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
    private readonly debug: Debugger;

    private deviceKeys: IDeviceKeys | null = null;
+    private crossSigningKeys: CrossSigningKeys | null = null;
    private oneTimeKeys: Record<string, IOneTimeKey> = {};
    private readonly oneTimeKeysPromise: Promise<void>;

    /**
     * Construct a new E2EKeyReceiver.
     *
-     * It will immediately register an intercept of `/keys/uploads` requests for the given homeserverUrl.
-     * Only /upload requests made to this server will be intercepted: this allows a single test to use more than one
+     * It will immediately register an intercept of [`/keys/upload`][1], [`/keys/signatures/upload`][2] and
+     * [`/keys/device_signing/upload`][3] requests for the given homeserverUrl.
+     * Only requests made to this server will be intercepted: this allows a single test to use more than one
     * client and have the keys collected separately.
     *
-     * @param homeserverUrl - the Homeserver Url of the client under test.
+     * [1]: https://spec.matrix.org/v1.14/client-server-api/#post_matrixclientv3keysupload
+     * [2]: https://spec.matrix.org/v1.14/client-server-api/#post_matrixclientv3keyssignaturesupload
+     * [3]: https://spec.matrix.org/v1.14/client-server-api/#post_matrixclientv3keysdevice_signingupload
+     *
+     * @param homeserverUrl - The Homeserver Url of the client under test.
+     * @param routeNamePrefix - An optional prefix to add to the fetchmock route names. Required if there is more than
+     *    one E2EKeyReceiver instance active.
     */
-    public constructor(homeserverUrl: string) {
+    public constructor(homeserverUrl: string, routeNamePrefix: string = "") {
        this.debug = debugFunc(`e2e-key-receiver:[${homeserverUrl}]`);

        // set up a listener for /keys/upload.
        this.oneTimeKeysPromise = new Promise((resolveOneTimeKeys) => {
-            const listener = (url: string, options: RequestInit) =>
-                this.onKeyUploadRequest(resolveOneTimeKeys, options);
-
-            fetchMock.post(new URL("/_matrix/client/v3/keys/upload", homeserverUrl).toString(), listener);
+            fetchMock.post(
+                new URL("/_matrix/client/v3/keys/upload", homeserverUrl).toString(),
+                (callLog) => this.onKeyUploadRequest(resolveOneTimeKeys, callLog.options),
+                { name: routeNamePrefix + "keys-upload" },
+            );
        });
+
+        fetchMock.post(
+            new URL("/_matrix/client/v3/keys/signatures/upload", homeserverUrl).toString(),
+            (callLog) => this.onSignaturesUploadRequest(callLog.options),
+            {
+                name: routeNamePrefix + "upload-sigs",
+            },
+        );
+
+        fetchMock.post(
+            new URL("/_matrix/client/v3/keys/device_signing/upload", homeserverUrl).toString(),
+            (callLog) => this.onSigningKeyUploadRequest(callLog.options),
+            {
+                name: routeNamePrefix + "upload-cross-signing-keys",
+            },
+        );
    }

    private async onKeyUploadRequest(onOnTimeKeysUploaded: () => void, options: RequestInit): Promise<object> {
@@ -87,8 +113,10 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
            if (this.deviceKeys) {
                throw new Error("Application attempted to upload E2E device keys multiple times");
            }
-            this.debug(`received device keys`);
            this.deviceKeys = content.device_keys;
+            this.debug(
+                `received device keys for user ID ${this.deviceKeys!.user_id}, device ID ${this.deviceKeys!.device_id}`,
+            );
        }

        if (content.one_time_keys && Object.keys(content.one_time_keys).length > 0) {
@@ -113,6 +141,47 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
        };
    }

+    private async onSignaturesUploadRequest(request: RequestInit): Promise<object> {
+        const content = JSON.parse(request.body as string) as KeySignatures;
+        for (const [userId, userKeys] of Object.entries(content)) {
+            for (const [deviceId, signedKey] of Object.entries(userKeys)) {
+                this.onDeviceSignatureUpload(userId, deviceId, signedKey);
+            }
+        }
+
+        return {};
+    }
+
+    private onDeviceSignatureUpload(userId: string, deviceId: string, signedKey: CrossSigningKeyInfo | ISignedKey) {
+        if (!this.deviceKeys || userId != this.deviceKeys.user_id || deviceId != this.deviceKeys.device_id) {
+            this.debug(
+                `Ignoring device key signature upload for unknown device user ID ${userId}, device ID ${deviceId}`,
+            );
+            return;
+        }
+
+        this.debug(`received device key signature for user ID ${userId}, device ID ${deviceId}`);
+        this.deviceKeys.signatures ??= {};
+        for (const [signingUser, signatures] of Object.entries(signedKey.signatures!)) {
+            this.deviceKeys.signatures[signingUser] = Object.assign(
+                this.deviceKeys.signatures[signingUser] ?? {},
+                signatures,
+            );
+        }
+    }
+
+    private async onSigningKeyUploadRequest(request: RequestInit): Promise<object> {
+        const content = JSON.parse(request.body as string);
+        if (this.crossSigningKeys) {
+            throw new Error("Application attempted to upload E2E cross-signing keys multiple times");
+        }
+        this.debug(`received cross-signing keys`);
+        // Remove UIA data
+        delete content["auth"];
+        this.crossSigningKeys = content;
+        return {};
+    }
+
    /** Get the uploaded Ed25519 key
     *
     * If device keys have not yet been uploaded, throws an error
@@ -150,6 +219,13 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
        return this.deviceKeys;
    }

+    /**
+     * If cross-signing keys have been uploaded, return them. Else return null.
+     */
+    public getUploadedCrossSigningKeys(): CrossSigningKeys | null {
+        return this.crossSigningKeys;
+    }
+
    /**
     * If one-time keys have already been uploaded, return them. Otherwise,
     * set up an expectation that the keys will be uploaded, and wait for
@@ -161,4 +237,18 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
        await this.oneTimeKeysPromise;
        return this.oneTimeKeys;
    }
+
+    /**
+     * If no one-time keys have yet been uploaded, return `null`.
+     * Otherwise, pop a key from the uploaded list.
+     */
+    public getOneTimeKey(): [string, IOneTimeKey] | null {
+        const keys = Object.entries(this.oneTimeKeys);
+        if (keys.length == 0) {
+            return null;
+        }
+        const [otkId, otk] = keys[0];
+        delete this.oneTimeKeys[otkId];
+        return [otkId, otk];
+    }
 }
@@ -14,12 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import fetchMock from "fetch-mock-jest";
+import fetchMock from "@fetch-mock/vitest";

 import { MapWithDefault } from "../../src/utils";
-import { IDownloadKeyResult } from "../../src";
-import { IDeviceKeys } from "../../src/@types/crypto";
-import { E2EKeyReceiver } from "./E2EKeyReceiver";
+import { type IDownloadKeyResult, type SigningKeys } from "../../src";
+import { type IDeviceKeys } from "../../src/@types/crypto";
+import { type E2EKeyReceiver } from "./E2EKeyReceiver";

 /**
 * An object which intercepts `/keys/query` fetches via fetch-mock.
@@ -42,26 +42,23 @@ export class E2EKeyResponder {
     */
    public constructor(homeserverUrl: string) {
        // set up a listener for /keys/query.
-        const listener = (url: string, options: RequestInit) => this.onKeyQueryRequest(options);
-        fetchMock.post(new URL("/_matrix/client/v3/keys/query", homeserverUrl).toString(), listener);
+        fetchMock.post(new URL("/_matrix/client/v3/keys/query", homeserverUrl).toString(), (callLog) =>
+            this.onKeyQueryRequest(callLog.options),
+        );
    }

    private onKeyQueryRequest(options: RequestInit) {
        const content = JSON.parse(options.body as string);
        const usersToReturn = Object.keys(content["device_keys"]);
        const response = {
-            device_keys: {} as { [userId: string]: any },
-            master_keys: {} as { [userId: string]: any },
-            self_signing_keys: {} as { [userId: string]: any },
-            user_signing_keys: {} as { [userId: string]: any },
-            failures: {} as { [serverName: string]: any },
-        };
+            device_keys: {},
+            master_keys: {},
+            self_signing_keys: {},
+            user_signing_keys: {},
+            failures: {},
+        } as IDownloadKeyResult;
        for (const user of usersToReturn) {
-            const userKeys = this.deviceKeysByUserByDevice.get(user);
-            if (userKeys !== undefined) {
-                response.device_keys[user] = Object.fromEntries(userKeys.entries());
-            }
-
+            // First see if we have an E2EKeyReceiver for this user, and if so, return any keys that have been uploaded
            const e2eKeyReceiver = this.e2eKeyReceiversByUser.get(user);
            if (e2eKeyReceiver !== undefined) {
                const deviceKeys = e2eKeyReceiver.getUploadedDeviceKeys();
@@ -69,16 +66,27 @@ export class E2EKeyResponder {
                    response.device_keys[user] ??= {};
                    response.device_keys[user][deviceKeys.device_id] = deviceKeys;
                }
+                const crossSigningKeys = e2eKeyReceiver.getUploadedCrossSigningKeys();
+                if (crossSigningKeys !== null) {
+                    response.master_keys![user] = crossSigningKeys["master_key"];
+                    response.self_signing_keys![user] = crossSigningKeys["self_signing_key"] as SigningKeys;
+                }
            }

+            // Mix in any keys that have been added explicitly to this E2EKeyResponder.
+            const userKeys = this.deviceKeysByUserByDevice.get(user);
+            if (userKeys !== undefined) {
+                response.device_keys[user] ??= {};
+                Object.assign(response.device_keys[user], Object.fromEntries(userKeys.entries()));
+            }
            if (this.masterKeysByUser.hasOwnProperty(user)) {
-                response.master_keys[user] = this.masterKeysByUser[user];
+                response.master_keys![user] = this.masterKeysByUser[user];
            }
            if (this.selfSigningKeysByUser.hasOwnProperty(user)) {
-                response.self_signing_keys[user] = this.selfSigningKeysByUser[user];
+                response.self_signing_keys![user] = this.selfSigningKeysByUser[user];
            }
            if (this.userSigningKeysByUser.hasOwnProperty(user)) {
-                response.user_signing_keys[user] = this.userSigningKeysByUser[user];
+                response.user_signing_keys![user] = this.userSigningKeysByUser[user];
            }
        }
        return response;
@@ -0,0 +1,74 @@
+/*
+Copyright 2025 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import fetchMock from "@fetch-mock/vitest";
+
+import { MapWithDefault } from "../../src/utils";
+import { type E2EKeyReceiver } from "./E2EKeyReceiver";
+import { type IClaimKeysRequest } from "../../src";
+
+/**
+ * An object which intercepts `/keys/claim` fetches via fetch-mock.
+ */
+export class E2EOTKClaimResponder {
+    private e2eKeyReceiversByUserByDevice = new MapWithDefault<string, Map<string, E2EKeyReceiver>>(() => new Map());
+
+    /**
+     * Construct a new E2EOTKClaimResponder.
+     *
+     * It will immediately register an intercept of `/keys/claim` requests for the given homeserverUrl.
+     * Only /claim requests made to this server will be intercepted: this allows a single test to use more than one
+     * client and have the keys collected separately.
+     *
+     * @param homeserverUrl - the Homeserver Url of the client under test.
+     */
+    public constructor(homeserverUrl: string) {
+        fetchMock.post(new URL("/_matrix/client/v3/keys/claim", homeserverUrl).toString(), (callLog) =>
+            this.onKeyClaimRequest(callLog.options),
+        );
+    }
+
+    private onKeyClaimRequest(options: RequestInit) {
+        const content = JSON.parse(options.body as string) as IClaimKeysRequest;
+        const response = {
+            one_time_keys: {} as { [userId: string]: any },
+        };
+        for (const [userId, devices] of Object.entries(content["one_time_keys"])) {
+            for (const deviceId of Object.keys(devices)) {
+                const e2eKeyReceiver = this.e2eKeyReceiversByUserByDevice.get(userId)?.get(deviceId);
+                const otk = e2eKeyReceiver?.getOneTimeKey();
+                if (otk) {
+                    const [keyId, key] = otk;
+                    response.one_time_keys[userId] ??= {};
+                    response.one_time_keys[userId][deviceId] = {
+                        [keyId]: key,
+                    };
+                }
+            }
+        }
+        return response;
+    }
+
+    /**
+     * Add an E2EKeyReceiver to poll for uploaded keys
+     *
+     * When the `/keys/claim` request is received, a OTK will be removed from the `E2EKeyReceiver` and
+     * added to the response.
+     */
+    public addKeyReceiver(userId: string, deviceId: string, e2eKeyReceiver: E2EKeyReceiver) {
+        this.e2eKeyReceiversByUserByDevice.getOrCreate(userId).set(deviceId, e2eKeyReceiver);
+    }
+}
@@ -15,9 +15,9 @@ limitations under the License.
 */

 import debugFunc from "debug";
-import { Debugger } from "debug";
-import fetchMock from "fetch-mock-jest";
-import { MockResponse } from "fetch-mock";
+import { type Debugger } from "debug";
+import fetchMock from "@fetch-mock/vitest";
+import { type RouteResponse } from "fetch-mock";

 /** Interface implemented by classes that intercept `/sync` requests from test clients
 *
@@ -75,12 +75,12 @@ export class SyncResponder implements ISyncResponder {
     */
    public constructor(homeserverUrl: string) {
        this.debug = debugFunc(`sync-responder:[${homeserverUrl}]`);
-        fetchMock.get("begin:" + new URL("/_matrix/client/v3/sync?", homeserverUrl).toString(), (_url, _options) =>
+        fetchMock.get("begin:" + new URL("/_matrix/client/v3/sync?", homeserverUrl).toString(), (callLog) =>
            this.onSyncRequest(),
        );
    }

-    private async onSyncRequest(): Promise<MockResponse> {
+    private async onSyncRequest(): Promise<RouteResponse> {
        switch (this.state) {
            case SyncResponderState.IDLE: {
                this.debug("Got /sync request: waiting for response to be ready");
@@ -16,7 +16,7 @@ limitations under the License.

 import { MatrixEvent } from "../../src";
 import { M_BEACON, M_BEACON_INFO } from "../../src/@types/beacon";
-import { LocationAssetType } from "../../src/@types/location";
+import { type LocationAssetType } from "../../src/@types/location";
 import { makeBeaconContent, makeBeaconInfoContent } from "../../src/content-helpers";

 type InfoContentProps = {
@@ -101,9 +101,8 @@ export const makeGeolocationPosition = ({
 }: {
    timestamp?: number;
    coords: Partial<GeolocationCoordinates>;
-}): GeolocationPosition => ({
-    timestamp: timestamp ?? 1647256791840,
-    coords: {
+}): GeolocationPosition => {
+    const { toJSON, ...coordsJSON } = {
        accuracy: 1,
        latitude: 54.001927,
        longitude: -8.253491,
@@ -112,5 +111,16 @@ export const makeGeolocationPosition = ({
        heading: null,
        speed: null,
        ...coords,
-    },
-});
+    };
+    const posJSON = {
+        timestamp: timestamp ?? 1647256791840,
+        coords: {
+            toJSON: () => coordsJSON,
+            ...coordsJSON,
+        },
+    };
+    return {
+        toJSON: () => posJSON,
+        ...posJSON,
+    };
+};
@@ -14,12 +14,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

-import { MethodLikeKeys, mocked, MockedObject } from "jest-mock";
+import { type MockedObject } from "vitest";

-import { ClientEventHandlerMap, EmittedEvents, MatrixClient } from "../../src/client";
+import { type ClientEventHandlerMap, type EmittedEvents, type MatrixClient } from "../../src/client";
 import { TypedEventEmitter } from "../../src/models/typed-event-emitter";
 import { User } from "../../src/models/user";

+// Cribbed from https://github.com/jestjs/jest/blob/94830794dc5dfca1b49bc435b7b031b27838a798/packages/jest-mock/src/index.ts
+type FunctionLike = (...args: any) => any;
+type MethodLikeKeys<T> = keyof {
+    [K in keyof T as Required<T>[K] extends FunctionLike ? K : never]: T[K];
+};
+
 /**
 * Mock client with real event emitter
 * useful for testing code that listens
@@ -34,19 +40,19 @@ export class MockClientWithEventEmitter extends TypedEventEmitter<EmittedEvents,

 /**
 * - make a mock client
- * - cast the type to mocked(MatrixClient)
+ * - cast the type to vi.mocked(MatrixClient)
 * - spy on MatrixClientPeg.get to return the mock
 * eg
 * ```
 * const mockClient = getMockClientWithEventEmitter({
-        getUserId: jest.fn().mockReturnValue(aliceId),
+        getUserId: vi.fn().mockReturnValue(aliceId),
    });
 * ```
 */
 export const getMockClientWithEventEmitter = (
    mockProperties: Partial<Record<MethodLikeKeys<MatrixClient>, unknown>>,
 ): MockedObject<MatrixClient> => {
-    const mock = mocked(new MockClientWithEventEmitter(mockProperties) as unknown as MatrixClient);
+    const mock = vi.mocked(new MockClientWithEventEmitter(mockProperties) as unknown as MatrixClient);
    return mock;
 };

@@ -59,14 +65,14 @@ export const getMockClientWithEventEmitter = (
 * ```
 */
 export const mockClientMethodsUser = (userId = "@alice:domain") => ({
-    getUserId: jest.fn().mockReturnValue(userId),
-    getSafeUserId: jest.fn().mockReturnValue(userId),
-    getUser: jest.fn().mockReturnValue(new User(userId)),
-    isGuest: jest.fn().mockReturnValue(false),
-    mxcUrlToHttp: jest.fn().mockReturnValue("mock-mxcUrlToHttp"),
+    getUserId: vi.fn().mockReturnValue(userId),
+    getSafeUserId: vi.fn().mockReturnValue(userId),
+    getUser: vi.fn().mockReturnValue(new User(userId)),
+    isGuest: vi.fn().mockReturnValue(false),
+    mxcUrlToHttp: vi.fn().mockReturnValue("mock-mxcUrlToHttp"),
    credentials: { userId },
-    getThreePids: jest.fn().mockResolvedValue({ threepids: [] }),
-    getAccessToken: jest.fn(),
+    getThreePids: vi.fn().mockResolvedValue({ threepids: [] }),
+    getAccessToken: vi.fn(),
 });

 /**
@@ -78,16 +84,16 @@ export const mockClientMethodsUser = (userId = "@alice:domain") => ({
 * ```
 */
 export const mockClientMethodsEvents = () => ({
-    decryptEventIfNeeded: jest.fn(),
-    getPushActionsForEvent: jest.fn(),
+    decryptEventIfNeeded: vi.fn(),
+    getPushActionsForEvent: vi.fn(),
 });

 /**
 * Returns basic mocked client methods related to server support
 */
 export const mockClientMethodsServer = (): Partial<Record<MethodLikeKeys<MatrixClient>, unknown>> => ({
-    getIdentityServerUrl: jest.fn(),
-    getHomeserverUrl: jest.fn(),
-    getCapabilities: jest.fn().mockReturnValue({}),
-    doesServerSupportUnstableFeature: jest.fn().mockResolvedValue(false),
+    getIdentityServerUrl: vi.fn(),
+    getHomeserverUrl: vi.fn(),
+    getCachedCapabilities: vi.fn().mockReturnValue({}),
+    doesServerSupportUnstableFeature: vi.fn().mockResolvedValue(false),
 });
@@ -14,15 +14,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

+import { type MockInstance } from "vitest";
+
 /**
 * Filter emitter.emit mock calls to find relevant events
 * eg:
 * ```
- * const emitSpy = jest.spyOn(state, 'emit');
+ * const emitSpy = vi.spyOn(state, 'emit');
 * << actions >>
 * const beaconLivenessEmits = emitCallsByEventType(BeaconEvent.New, emitSpy);
 * expect(beaconLivenessEmits.length).toBe(1);
 * ```
 */
-export const filterEmitCallsByEventType = (eventType: string, spy: jest.SpyInstance<any, any[]>) =>
+export const filterEmitCallsByEventType = (eventType: string, spy: MockInstance<(...args: any[]) => any>) =>
    spy.mock.calls.filter((args) => args[0] === eventType);
--- a/Show More
+++ b/Show More