deps: bump openmls fork to feature/external-commit-by-value @ 9cdd5e7

[tylerhawkes]

Summary

Bumps the openmls dependency to the XMTP fork's feature/external-commit-by-value branch (commit 9cdd5e7).

The fork relaxes add_proposal / add_proposals on the external CommitBuilder from &mut MlsGroup to BorrowMut<MlsGroup>, allowing by-value Add and AppDataUpdate proposals to be carried in a single external commit (RFC 9420 §12.4.3.2). This is the openmls-side enabler for the atomic-external-commit flow built in PR-L11.

Touches: Cargo.toml, Cargo.lock, crates/xmtp-workspace-hack/Cargo.toml. No source-level changes in this PR.

Stack

• Base: tyler/qr-invite-l8-ingestion (xmtp_mls: route Sender::NewMemberCommit through from_external_commit + envelope-timestamp plumbing #3668) ← xmtp_mls: ValidatedCommit::from_external_commit — XIP-82 receive-side check set #3667 ← xmtp_mls: EXTERNAL_COMMIT_POLICY component + enable/revoke API with XIP-82 lifecycle invariants #3666 ← xmtp_mls_common: add invite::encrypted_group_info + XMTP_EXTERNAL_INVITE_LABEL #3671 ← xmtp_proto: bump to xmtp/proto XIP-82 revisions (typed invite primitives) + adapt invite::payload #3751 ← main.
• Downstream: PR-L11 (join_group_by_external_invite) is the first consumer of the new openmls API surface.

Test plan

• cargo check -p xmtp_mls passes against the bumped openmls.
• CI green (full build).

Note

Bump openmls fork dependencies to feature/external-commit-by-value at 9cdd5e7

Updates all openmls* crate revisions in Cargo.toml and crates/xmtp-workspace-hack/Cargo.toml from e125674 to 9cdd5e7. Also downgrades itertools from 0.14 to 0.13 in the workspace-hack crate to match the new dependency tree.

^{Macroscope summarized 6849a56.}

[claude]

Claude finished @tylerhawkes's task —— View job

---

PR Review - Dependency Bump

Review completed: 2026-06-10 06:29 UTC

Tasks

• Read changed dependency files
• Analyze dependency bump for issues
• Provide review feedback

---

Review Feedback

This PR contains only dependency updates with no source code changes. The changes are straightforward and low-risk:

Changes:

• Updates all openmls* crate git revisions from e125674 → 9cdd5e7 (XMTP fork, feature/external-commit-by-value branch)
• Downgrades itertools from 0.14 → 0.13 in workspace-hack (transitive dependency adjustment)

Assessment:

✅ Code Quality: N/A - no code changes

✅ Potential Issues: None identified in the dependency changes themselves. The openmls fork bump is intentional and documented in the PR description.

✅ Performance: No performance impact from this change alone. The actual performance characteristics depend on the openmls changes referenced.

⚠️ Security: The PR description states this bump enables by-value external commits. Since openmls is a cryptographic library implementing MLS, the upstream changes should be reviewed (though that's outside the scope of this PR). The Macroscope bot correctly flagged this as requiring human review.

✅ Test Coverage: The PR states CI should be green. The dependency bump itself doesn't require additional tests - the existing test suite will validate compatibility.

Note on Macroscope comments: The two review comments from Macroscope reference code in mls_sync.rs:1210 and validated_commit.rs:2692, but neither of these files are modified in this PR. Those comments appear to be general code analysis findings unrelated to the dependency bump.

---

[macroscopeapp]

Approvability

Verdict: Needs human review

2 blocking correctness issues found. This PR bumps the openmls fork to a new revision. Since openmls is a security-critical cryptographic library (MLS protocol), dependency updates warrant human review to verify the upstream changes are safe and intentional.

No code changes detected at 6849a56. Prior analysis still applies.

^{You can customize Macroscope's approvability policy. Learn more.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.29%. Comparing base (04fbcca) to head (6849a56).

Additional details and impacted files

@@                       Coverage Diff                        @@
##           tyler/qr-invite-l8-ingestion    #3672      +/-   ##
================================================================
+ Coverage                         84.22%   84.29%   +0.06%     
================================================================
  Files                               410      410              
  Lines                             61655    61655              
================================================================
+ Hits                              51930    51970      +40     
+ Misses                             9725     9685      -40     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Dismissing prior approval to re-evaluate 9ba7051

[macroscopeapp]

🟠 High groups/mls_sync.rs:1210

In the other => branch at line 1210, the function returns CommitValidationError::ActorNotMember without calling self.maybe_update_cursor(), unlike every other error path in this function. This causes repeated reprocessing of commits from unsupported sender types (e.g., Sender::External, Sender::NewMemberProposal, Sender::Preconfigured) because the cursor is never advanced past the invalid message. Consider adding self.maybe_update_cursor(&self.context.db(), envelope)?; before the return Err to match the pattern used elsewhere.

                     other => {
                         tracing::warn!(
                             inbox_id = self.context.inbox_id(),
                             group_id = %self.group_id,
                             ?other,
                             "rejecting commit from unsupported sender type"
                         );
+                        self.maybe_update_cursor(&self.context.db(), envelope)?;
                         return Err(GroupMessageProcessingError::CommitValidation(
                             CommitValidationError::ActorNotMember,
                         ));
                     }

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file crates/xmtp_mls/src/groups/mls_sync.rs around lines 1210-1219:

In the `other =>` branch at line 1210, the function returns `CommitValidationError::ActorNotMember` without calling `self.maybe_update_cursor()`, unlike every other error path in this function. This causes repeated reprocessing of commits from unsupported sender types (e.g., `Sender::External`, `Sender::NewMemberProposal`, `Sender::Preconfigured`) because the cursor is never advanced past the invalid message. Consider adding `self.maybe_update_cursor(&self.context.db(), envelope)?;` before the `return Err` to match the pattern used elsewhere.

Evidence trail:
crates/xmtp_mls/src/groups/mls_sync.rs lines 1210-1220 (REVIEWED_COMMIT): `other =>` branch returns error without calling `maybe_update_cursor`. Compare with lines 1131-1133, 1139-1141, 1162-1164, 1169-1173, 1179-1181, 1190-1194 which all call `self.maybe_update_cursor` before returning errors. Lines 1223-1235: downstream error handling with `maybe_update_cursor` is bypassed because line 1217 uses `return Err(...)`. Lines 2499-2517: `maybe_update_cursor` function advances the DB cursor via `db.update_cursor()`.

[macroscopeapp]

🟡 Medium groups/validated_commit.rs:2692

enforce_app_data_update_scope allows TlsMapMutation::Delete for the joiner's own inbox, but a joiner submitting only a Delete mutation passes validation while leaving the MLS group without a GROUP_MEMBERSHIP entry for them. This violates the invariant that external joins must register the joiner. Consider rejecting Delete and Update mutations entirely since resync external commits are unsupported, leaving only Insert as valid for joiners.

    for mutation in &delta.mutations {
         let key = match mutation {
             TlsMapMutation::Insert { key, .. }
-            | TlsMapMutation::Update { key, .. }
-            | TlsMapMutation::Delete { key } => key,
+            | TlsMapMutation::Update { key, .. } => key,
+            TlsMapMutation::Delete { .. } => {
+                return Err(CommitValidationError::ExternalCommitAppDataUpdateOutOfScope);
+            }
         };
         if key != &joiner_id {
             return Err(CommitValidationError::ExternalCommitAppDataUpdateOutOfScope);

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file crates/xmtp_mls/src/groups/validated_commit.rs around lines 2692-2701:

`enforce_app_data_update_scope` allows `TlsMapMutation::Delete` for the joiner's own inbox, but a joiner submitting only a `Delete` mutation passes validation while leaving the MLS group without a `GROUP_MEMBERSHIP` entry for them. This violates the invariant that external joins must register the joiner. Consider rejecting `Delete` and `Update` mutations entirely since resync external commits are unsupported, leaving only `Insert` as valid for joiners.

Evidence trail:
crates/xmtp_mls/src/groups/validated_commit.rs lines 2630-2703 (enforce_app_data_update_scope function - doc comment says only insert, code allows Delete/Update at TlsMapMutation level); lines 2692-2701 (mutation type not checked, only key equality); lines 2656-2663 (only AppDataUpdateOperation::Remove is rejected, not TlsMapMutation::Delete); lines 990-997 (caller site); lines 1008-1012 (unconditionally builds added_inboxes without verifying Insert existed in delta)