Merge branch '1802-sync-via-removable-storage' into offline-testing

# Conflicts:
#	bramble-api/src/main/java/org/briarproject/bramble/api/FeatureFlags.java
#	bramble-core/build.gradle
#	bramble-core/src/test/java/org/briarproject/bramble/test/BrambleCoreIntegrationTestModule.java
#	bramble-core/witness.gradle
#	bramble-java/src/main/java/org/briarproject/bramble/plugin/tor/UnixTorPluginFactory.java
#	briar-android/src/main/java/org/briarproject/briar/android/AndroidComponent.java
#	briar-android/src/main/java/org/briarproject/briar/android/AppModule.java
#	briar-android/src/main/java/org/briarproject/briar/android/activity/ActivityComponent.java
#	briar-android/src/main/java/org/briarproject/briar/android/util/UiUtils.java
#	briar-android/src/main/res/values/strings.xml
#	briar-headless/src/main/java/org/briarproject/briar/headless/HeadlessModule.kt
#	briar-headless/src/test/java/org/briarproject/briar/headless/HeadlessTestModule.kt

bramble-api/src/main/java/org/briarproject/bramble/api/Consumer.java

@@ -0,0 +1,9 @@
+package org.briarproject.bramble.api;
+
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+@NotNullByDefault
+public interface Consumer<T> {
+
+	void accept(T t);
+}

bramble-api/src/main/java/org/briarproject/bramble/api/FeatureFlags.java

@@ -14,4 +14,6 @@ public interface FeatureFlags {
 	boolean shouldEnableConnectViaBluetooth();
 
 	boolean shouldEnableShareAppViaOfflineHotspot();
+
+	boolean shouldEnableTransferData();
 }

bramble-api/src/main/java/org/briarproject/bramble/api/client/BdfIncomingMessageHook.java

@@ -32,28 +32,31 @@ public abstract class BdfIncomingMessageHook implements IncomingMessageHook {
 
 	/**
 	 * Called once for each incoming message that passes validation.
+	 * <p>
+	 * If an unexpected exception occurs while handling data that is assumed
+	 * to be valid (e.g. locally created metadata), it may be sensible to
+	 * rethrow the unexpected exception as a DbException so that delivery is
+	 * attempted again at next startup. This will allow delivery to succeed if
+	 * the unexpected exception was caused by a bug that has subsequently been
+	 * fixed.
 	 *
 	 * @param txn A read-write transaction
-	 * @return Whether or not this message should be shared
-	 * @throws DbException Should only be used for real database errors.
-	 * If this is thrown, delivery will be attempted again at next startup,
-	 * whereas if a FormatException is thrown, the message will be permanently
-	 * invalidated.
-	 * @throws FormatException Use this for any non-database error
-	 * that occurs while handling remotely created data.
-	 * This includes errors that occur while handling locally created data
-	 * in a context controlled by remotely created data
-	 * (for example, parsing the metadata of a dependency
-	 * of an incoming message).
-	 * Never rethrow DbException as FormatException!
+	 * @throws DbException if a database error occurs while delivering the
+	 * message. Delivery will be attempted again at next startup. Throwing
+	 * this exception has the same effect as returning
+	 * {@link DeliveryAction#DEFER}.
+	 * @throws FormatException if the message is invalid in the context of its
+	 * dependencies. The message and any dependents will be marked as invalid
+	 * and deleted along with their metadata. Throwing this exception has the
+	 * same effect as returning {@link DeliveryAction#REJECT}.
 	 */
-	protected abstract boolean incomingMessage(Transaction txn, Message m,
-			BdfList body, BdfDictionary meta) throws DbException,
-			FormatException;
+	protected abstract DeliveryAction incomingMessage(Transaction txn,
+			Message m, BdfList body, BdfDictionary meta)
+			throws DbException, FormatException;
 
 	@Override
-	public boolean incomingMessage(Transaction txn, Message m, Metadata meta)
-			throws DbException, InvalidMessageException {
+	public DeliveryAction incomingMessage(Transaction txn, Message m,
+			Metadata meta) throws DbException, InvalidMessageException {
 		try {
 			BdfList body = clientHelper.toList(m);
 			BdfDictionary metaDictionary = metadataParser.parse(meta);

bramble-api/src/main/java/org/briarproject/bramble/api/crypto/SecretKey.java

@@ -1,23 +1,19 @@
 package org.briarproject.bramble.api.crypto;
 
+import org.briarproject.bramble.api.Bytes;
+
 /**
  * A secret key used for encryption and/or authentication.
  */
-public class SecretKey {
+public class SecretKey extends Bytes {
 
 	/**
 	 * The length of a secret key in bytes.
 	 */
 	public static final int LENGTH = 32;
 
-	private final byte[] key;
-
 	public SecretKey(byte[] key) {
+		super(key);
 		if (key.length != LENGTH) throw new IllegalArgumentException();
-		this.key = key;
-	}
-
-	public byte[] getBytes() {
-		return key;
 	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/db/DatabaseComponent.java

@@ -101,7 +101,7 @@ public interface DatabaseComponent extends TransactionManager {
 	/**
 	 * Stores a transport.
 	 */
-	void addTransport(Transaction txn, TransportId t, int maxLatency)
+	void addTransport(Transaction txn, TransportId t, long maxLatency)
 			throws DbException;
 
 	/**
@@ -118,6 +118,18 @@ public interface DatabaseComponent extends TransactionManager {
 	KeySetId addTransportKeys(Transaction txn, PendingContactId p,
 			TransportKeys k) throws DbException;
 
+	/**
+	 * Returns true if there are any acks or messages to send to the given
+	 * contact over a transport with the given maximum latency.
+	 * <p/>
+	 * Read-only.
+	 *
+	 * @param eager True if messages that are not yet due for retransmission
+	 * should be included
+	 */
+	boolean containsAnythingToSend(Transaction txn, ContactId c,
+			long maxLatency, boolean eager) throws DbException;
+
 	/**
 	 * Returns true if the database contains the given contact for the given
 	 * local pseudonym.
@@ -150,6 +162,16 @@ public interface DatabaseComponent extends TransactionManager {
 	boolean containsPendingContact(Transaction txn, PendingContactId p)
 			throws DbException;
 
+	/**
+	 * Returns true if the database contains keys for communicating with the
+	 * given contact over the given transport. Handshake mode and rotation mode
+	 * keys are included, whether activated or not.
+	 * <p/>
+	 * Read-only.
+	 */
+	boolean containsTransportKeys(Transaction txn, ContactId c, TransportId t)
+			throws DbException;
+
 	/**
 	 * Deletes the message with the given ID. Unlike
 	 * {@link #removeMessage(Transaction, MessageId)}, the message ID,
@@ -178,7 +200,19 @@ public interface DatabaseComponent extends TransactionManager {
 	 */
 	@Nullable
 	Collection<Message> generateBatch(Transaction txn, ContactId c,
-			int maxLength, int maxLatency) throws DbException;
+			int maxLength, long maxLatency) throws DbException;
+
+	/**
+	 * Returns a batch of messages for the given contact containing the
+	 * messages with the given IDs, for transmission over a transport with
+	 * the given maximum latency.
+	 * <p/>
+	 * If any of the given messages are not in the database or are not visible
+	 * to the contact, they are omitted from the batch without throwing an
+	 * exception.
+	 */
+	Collection<Message> generateBatch(Transaction txn, ContactId c,
+			Collection<MessageId> ids, long maxLatency) throws DbException;
 
 	/**
 	 * Returns an offer for the given contact for transmission over a
@@ -187,7 +221,7 @@ public interface DatabaseComponent extends TransactionManager {
 	 */
 	@Nullable
 	Offer generateOffer(Transaction txn, ContactId c, int maxMessages,
-			int maxLatency) throws DbException;
+			long maxLatency) throws DbException;
 
 	/**
 	 * Returns a request for the given contact, or null if there are no
@@ -206,7 +240,7 @@ public interface DatabaseComponent extends TransactionManager {
 	 */
 	@Nullable
 	Collection<Message> generateRequestedBatch(Transaction txn, ContactId c,
-			int maxLength, int maxLatency) throws DbException;
+			int maxLength, long maxLatency) throws DbException;
 
 	/**
 	 * Returns the contact with the given ID.
@@ -426,6 +460,27 @@ public interface DatabaseComponent extends TransactionManager {
 	MessageStatus getMessageStatus(Transaction txn, ContactId c, MessageId m)
 			throws DbException;
 
+	/**
+	 * Returns the IDs of all messages that are eligible to be sent to the
+	 * given contact, together with their raw lengths. This may include
+	 * messages that have already been sent and are not yet due for
+	 * retransmission.
+	 * <p/>
+	 * Read-only.
+	 */
+	Map<MessageId, Integer> getUnackedMessagesToSend(Transaction txn,
+			ContactId c) throws DbException;
+
+	/**
+	 * Returns the total length, including headers, of all messages that are
+	 * eligible to be sent to the given contact. This may include messages
+	 * that have already been sent and are not yet due for retransmission.
+	 * <p/>
+	 * Read-only.
+	 */
+	long getUnackedMessageBytesToSend(Transaction txn, ContactId c)
+			throws DbException;
+
 	/**
 	 * Returns the next time (in milliseconds since the Unix epoch) when a
 	 * message is due to be deleted, or {@link #NO_CLEANUP_DEADLINE}
@@ -483,6 +538,16 @@ public interface DatabaseComponent extends TransactionManager {
 	Collection<TransportKeySet> getTransportKeys(Transaction txn, TransportId t)
 			throws DbException;
 
+	/**
+	 * Returns the contact IDs and transport IDs for which the DB contains
+	 * at least one set of transport keys. Handshake mode and rotation mode
+	 * keys are included, whether activated or not.
+	 * <p/>
+	 * Read-only.
+	 */
+	Map<ContactId, Collection<TransportId>> getTransportsWithKeys(
+			Transaction txn) throws DbException;
+
 	/**
 	 * Increments the outgoing stream counter for the given transport keys.
 	 */

bramble-api/src/main/java/org/briarproject/bramble/api/lifecycle/LifecycleManager.java

@@ -5,6 +5,7 @@ import org.briarproject.bramble.api.db.DatabaseComponent;
 import org.briarproject.bramble.api.db.DbException;
 import org.briarproject.bramble.api.db.Transaction;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.system.Clock;
 import org.briarproject.bramble.api.system.Wakeful;
 
 import java.util.concurrent.ExecutorService;
@@ -22,6 +23,7 @@ public interface LifecycleManager {
 	 */
 	enum StartResult {
 		ALREADY_RUNNING,
+		CLOCK_ERROR,
 		DB_ERROR,
 		DATA_TOO_OLD_ERROR,
 		DATA_TOO_NEW_ERROR,
@@ -65,6 +67,10 @@ public interface LifecycleManager {
 	/**
 	 * Opens the {@link DatabaseComponent} using the given key and starts any
 	 * registered {@link Service Services}.
+	 *
+	 * @return {@link StartResult#CLOCK_ERROR} if the system clock is earlier
+	 * than {@link Clock#MIN_REASONABLE_TIME_MS} or later than
+	 * {@link Clock#MAX_REASONABLE_TIME_MS}.
 	 */
 	@Wakeful
 	StartResult startServices(SecretKey dbKey);

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/Plugin.java

@@ -61,7 +61,7 @@ public interface Plugin {
 	/**
 	 * Returns the transport's maximum latency in milliseconds.
 	 */
-	int getMaxLatency();
+	long getMaxLatency();
 
 	/**
 	 * Returns the transport's maximum idle time in milliseconds.

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/PluginFactory.java

@@ -0,0 +1,25 @@
+package org.briarproject.bramble.api.plugin;
+
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+
+import javax.annotation.Nullable;
+
+@NotNullByDefault
+public interface PluginFactory<P extends Plugin> {
+
+	/**
+	 * Returns the plugin's transport identifier.
+	 */
+	TransportId getId();
+
+	/**
+	 * Returns the maximum latency of the transport in milliseconds.
+	 */
+	long getMaxLatency();
+
+	/**
+	 * Creates and returns a plugin, or null if no plugin can be created.
+	 */
+	@Nullable
+	P createPlugin(PluginCallback callback);
+}

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/TransportConnectionWriter.java

@@ -15,13 +15,18 @@ public interface TransportConnectionWriter {
 	/**
 	 * Returns the maximum latency of the transport in milliseconds.
 	 */
-	int getMaxLatency();
+	long getMaxLatency();
 
 	/**
 	 * Returns the maximum idle time of the transport in milliseconds.
 	 */
 	int getMaxIdleTime();
 
+	/**
+	 * Returns true if the transport is lossy and cheap.
+	 */
+	boolean isLossyAndCheap();
+
 	/**
 	 * Returns an output stream for writing to the transport connection.
 	 */

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/duplex/AbstractDuplexTransportConnection.java

@@ -70,7 +70,7 @@ public abstract class AbstractDuplexTransportConnection
 	private class Writer implements TransportConnectionWriter {
 
 		@Override
-		public int getMaxLatency() {
+		public long getMaxLatency() {
 			return plugin.getMaxLatency();
 		}
 
@@ -79,6 +79,11 @@ public abstract class AbstractDuplexTransportConnection
 			return plugin.getMaxIdleTime();
 		}
 
+		@Override
+		public boolean isLossyAndCheap() {
+			return false;
+		}
+
 		@Override
 		public OutputStream getOutputStream() throws IOException {
 			return AbstractDuplexTransportConnection.this.getOutputStream();

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/duplex/DuplexPluginFactory.java

@@ -1,30 +1,11 @@
 package org.briarproject.bramble.api.plugin.duplex;
 
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.plugin.PluginCallback;
-import org.briarproject.bramble.api.plugin.TransportId;
-
-import javax.annotation.Nullable;
+import org.briarproject.bramble.api.plugin.PluginFactory;
 
 /**
  * Factory for creating a plugin for a duplex transport.
  */
 @NotNullByDefault
-public interface DuplexPluginFactory {
-
-	/**
-	 * Returns the plugin's transport identifier.
-	 */
-	TransportId getId();
-
-	/**
-	 * Returns the maximum latency of the transport in milliseconds.
-	 */
-	int getMaxLatency();
-
-	/**
-	 * Creates and returns a plugin, or null if no plugin can be created.
-	 */
-	@Nullable
-	DuplexPlugin createPlugin(PluginCallback callback);
+public interface DuplexPluginFactory extends PluginFactory<DuplexPlugin> {
 }

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/file/FileConstants.java

@@ -1,4 +1,4 @@
-package org.briarproject.bramble.api.plugin;
+package org.briarproject.bramble.api.plugin.file;
 
 public interface FileConstants {
 

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/file/RemovableDriveConstants.java

@@ -0,0 +1,12 @@
+package org.briarproject.bramble.api.plugin.file;
+
+import org.briarproject.bramble.api.plugin.TransportId;
+
+public interface RemovableDriveConstants {
+
+	TransportId ID = new TransportId("org.briarproject.bramble.drive");
+
+	String PROP_PATH = "path";
+	String PROP_URI = "uri";
+	String PROP_SUPPORTED = "supported";
+}

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/file/RemovableDriveManager.java

@@ -0,0 +1,52 @@
+package org.briarproject.bramble.api.plugin.file;
+
+import org.briarproject.bramble.api.contact.ContactId;
+import org.briarproject.bramble.api.db.DbException;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.properties.TransportProperties;
+
+import javax.annotation.Nullable;
+
+@NotNullByDefault
+public interface RemovableDriveManager {
+
+	/**
+	 * Returns the currently running reader task, or null if no reader task
+	 * is running.
+	 */
+	@Nullable
+	RemovableDriveTask getCurrentReaderTask();
+
+	/**
+	 * Returns the currently running writer task,  or null if no writer task
+	 * is running.
+	 */
+	@Nullable
+	RemovableDriveTask getCurrentWriterTask();
+
+	/**
+	 * Starts and returns a reader task, reading from a stream described by
+	 * the given transport properties. If a reader task is already running,
+	 * it will be returned and the argument will be ignored.
+	 */
+	RemovableDriveTask startReaderTask(TransportProperties p);
+
+	/**
+	 * Starts and returns a writer task for the given contact, writing to
+	 * a stream described by the given transport properties. If a writer task
+	 * is already running, it will be returned and the arguments will be
+	 * ignored.
+	 */
+	RemovableDriveTask startWriterTask(ContactId c, TransportProperties p);
+
+	/**
+	 * Returns true if the given contact has indicated support for the
+	 * removable drive transport.
+	 */
+	boolean isTransportSupportedByContact(ContactId c) throws DbException;
+
+	/**
+	 * Returns true if there is anything to send to the given contact.
+	 */
+	boolean isWriterTaskNeeded(ContactId c) throws DbException;
+}

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/file/RemovableDriveTask.java

@@ -0,0 +1,65 @@
+package org.briarproject.bramble.api.plugin.file;
+
+import org.briarproject.bramble.api.Consumer;
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.properties.TransportProperties;
+
+@NotNullByDefault
+public interface RemovableDriveTask extends Runnable {
+
+	/**
+	 * Returns the {@link TransportProperties} that were used for creating
+	 * this task.
+	 */
+	TransportProperties getTransportProperties();
+
+	/**
+	 * Adds an observer to the task. The observer will be notified of state
+	 * changes on the event thread. If the task has already finished, the
+	 * observer will be notified of its final state.
+	 */
+	void addObserver(Consumer<State> observer);
+
+	/**
+	 * Removes an observer from the task.
+	 */
+	void removeObserver(Consumer<State> observer);
+
+	class State {
+
+		private final long done, total;
+		private final boolean finished, success;
+
+		public State(long done, long total, boolean finished, boolean success) {
+			this.done = done;
+			this.total = total;
+			this.finished = finished;
+			this.success = success;
+		}
+
+		/**
+		 * Returns the total length in bytes of the messages read or written
+		 * so far, or zero if the total is unknown.
+		 */
+		public long getDone() {
+			return done;
+		}
+
+		/**
+		 * Returns the total length in bytes of the messages that will have
+		 * been read or written when the task is complete, or zero if the
+		 * total is unknown.
+		 */
+		public long getTotal() {
+			return total;
+		}
+
+		public boolean isFinished() {
+			return finished;
+		}
+
+		public boolean isSuccess() {
+			return success;
+		}
+	}
+}

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/simplex/SimplexPlugin.java

@@ -15,6 +15,12 @@ import javax.annotation.Nullable;
 @NotNullByDefault
 public interface SimplexPlugin extends Plugin {
 
+	/**
+	 * Returns true if the transport is likely to lose streams and the cost of
+	 * transmitting redundant copies of data is cheap.
+	 */
+	boolean isLossyAndCheap();
+
 	/**
 	 * Attempts to create and return a reader for the given transport
 	 * properties. Returns null if a reader cannot be created.

bramble-api/src/main/java/org/briarproject/bramble/api/plugin/simplex/SimplexPluginFactory.java

@@ -1,30 +1,11 @@
 package org.briarproject.bramble.api.plugin.simplex;
 
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
-import org.briarproject.bramble.api.plugin.PluginCallback;
-import org.briarproject.bramble.api.plugin.TransportId;
-
-import javax.annotation.Nullable;
+import org.briarproject.bramble.api.plugin.PluginFactory;
 
 /**
  * Factory for creating a plugin for a simplex transport.
  */
 @NotNullByDefault
-public interface SimplexPluginFactory {
-
-	/**
-	 * Returns the plugin's transport identifier.
-	 */
-	TransportId getId();
-
-	/**
-	 * Returns the maximum latency of the transport in milliseconds.
-	 */
-	int getMaxLatency();
-
-	/**
-	 * Creates and returns a plugin, or null if no plugin can be created.
-	 */
-	@Nullable
-	SimplexPlugin createPlugin(PluginCallback callback);
+public interface SimplexPluginFactory extends PluginFactory<SimplexPlugin> {
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/SyncConstants.java

@@ -5,6 +5,7 @@ import org.briarproject.bramble.api.UniqueId;
 import java.util.List;
 
 import static java.util.Collections.singletonList;
+import static java.util.concurrent.TimeUnit.DAYS;
 import static org.briarproject.bramble.api.record.Record.MAX_RECORD_PAYLOAD_BYTES;
 
 public interface SyncConstants {
@@ -55,4 +56,9 @@ public interface SyncConstants {
 	 * connections.
 	 */
 	int PRIORITY_NONCE_BYTES = 16;
+
+	/**
+	 * The maximum allowed latency for any transport, in milliseconds.
+	 */
+	long MAX_TRANSPORT_LATENCY = DAYS.toMillis(365);
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/SyncSessionFactory.java

@@ -16,9 +16,9 @@ public interface SyncSessionFactory {
 			PriorityHandler handler);
 
 	SyncSession createSimplexOutgoingSession(ContactId c, TransportId t,
-			int maxLatency, StreamWriter streamWriter);
+			long maxLatency, boolean eager, StreamWriter streamWriter);
 
 	SyncSession createDuplexOutgoingSession(ContactId c, TransportId t,
-			int maxLatency, int maxIdleTime, StreamWriter streamWriter,
+			long maxLatency, int maxIdleTime, StreamWriter streamWriter,
 			@Nullable Priority priority);
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/event/MessagesSentEvent.java

@@ -18,11 +18,13 @@ public class MessagesSentEvent extends Event {
 
 	private final ContactId contactId;
 	private final Collection<MessageId> messageIds;
+	private final long totalLength;
 
 	public MessagesSentEvent(ContactId contactId,
-			Collection<MessageId> messageIds) {
+			Collection<MessageId> messageIds, long totalLength) {
 		this.contactId = contactId;
 		this.messageIds = messageIds;
+		this.totalLength = totalLength;
 	}
 
 	public ContactId getContactId() {
@@ -32,4 +34,8 @@ public class MessagesSentEvent extends Event {
 	public Collection<MessageId> getMessageIds() {
 		return messageIds;
 	}
+
+	public long getTotalLength() {
+		return totalLength;
+	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/validation/IncomingMessageHook.java

@@ -10,23 +10,54 @@ public interface IncomingMessageHook {
 
 	/**
 	 * Called once for each incoming message that passes validation.
+	 * <p>
+	 * If an unexpected exception occurs while handling data that is assumed
+	 * to be valid (e.g. locally created metadata), it may be sensible to
+	 * rethrow the unexpected exception as a DbException so that delivery is
+	 * attempted again at next startup. This will allow delivery to succeed if
+	 * the unexpected exception was caused by a bug that has subsequently been
+	 * fixed.
 	 *
 	 * @param txn A read-write transaction
-	 * @return Whether or not this message should be shared
-	 * @throws DbException Should only be used for real database errors.
-	 * If this is thrown, delivery will be attempted again at next startup,
-	 * whereas if an InvalidMessageException is thrown,
-	 * the message will be permanently invalidated.
-	 * @throws InvalidMessageException for any non-database error
-	 * that occurs while handling remotely created data.
-	 * This includes errors that occur while handling locally created data
-	 * in a context controlled by remotely created data
-	 * (for example, parsing the metadata of a dependency
-	 * of an incoming message).
-	 * Throwing this will delete the incoming message and its metadata
-	 * marking it as invalid in the database.
-	 * Never rethrow DbException as InvalidMessageException!
+	 * @throws DbException if a database error occurs while delivering the
+	 * message. Delivery will be attempted again at next startup. Throwing
+	 * this exception has the same effect as returning
+	 * {@link DeliveryAction#DEFER}.
+	 * @throws InvalidMessageException if the message is invalid in the context
+	 * of its dependencies. The message and any dependents will be marked as
+	 * invalid and deleted along with their metadata. Throwing this exception
+	 * has the same effect as returning {@link DeliveryAction#REJECT}.
 	 */
-	boolean incomingMessage(Transaction txn, Message m, Metadata meta)
+	DeliveryAction incomingMessage(Transaction txn, Message m, Metadata meta)
 			throws DbException, InvalidMessageException;
+
+	enum DeliveryAction {
+
+		/**
+		 * The message and any dependent messages will be moved to the
+		 * {@link MessageState#INVALID INVALID state} and deleted, along with
+		 * their metadata.
+		 */
+		REJECT,
+
+		/**
+		 * The message will be moved to the
+		 * {@link MessageState#PENDING PENDING state}. Delivery will be
+		 * attempted again at next startup.
+		 */
+		DEFER,
+
+		/**
+		 * The message will be moved to the
+		 * {@link MessageState#DELIVERED DELIVERED state} and shared.
+		 */
+		ACCEPT_SHARE,
+
+		/**
+		 * The message will be moved to the
+		 * {@link MessageState#DELIVERED DELIVERED state} and will not be
+		 * shared.
+		 */
+		ACCEPT_DO_NOT_SHARE
+	}
 }

bramble-api/src/main/java/org/briarproject/bramble/api/sync/validation/MessageState.java

@@ -1,8 +1,33 @@
 package org.briarproject.bramble.api.sync.validation;
 
+import org.briarproject.bramble.api.sync.validation.IncomingMessageHook.DeliveryAction;
+
 public enum MessageState {
 
-	UNKNOWN(0), INVALID(1), PENDING(2), DELIVERED(3);
+	/**
+	 * A remote message that has not yet been validated.
+	 */
+	UNKNOWN(0),
+
+	/**
+	 * A remote message that has failed validation, has been
+	 * {@link DeliveryAction#REJECT rejected} by the local sync client, or
+	 * depends on another message that has failed validation or been rejected.
+	 */
+	INVALID(1),
+
+	/**
+	 * A remote message that has passed validation and is awaiting delivery to
+	 * the local sync client. The message will not be delivered until all its
+	 * dependencies have been validated and delivered.
+	 */
+	PENDING(2),
+
+	/**
+	 * A local message, or a remote message that has passed validation and
+	 * been delivered to the local sync client.
+	 */
+	DELIVERED(3);
 
 	private final int value;
 

bramble-api/src/main/java/org/briarproject/bramble/api/system/Clock.java

@@ -6,6 +6,22 @@ package org.briarproject.bramble.api.system;
  */
 public interface Clock {
 
+	/**
+	 * The minimum reasonable value for the system clock, in milliseconds
+	 * since the Unix epoch.
+	 * <p/>
+	 * 1 Jan 2021, 00:00:00 UTC
+	 */
+	long MIN_REASONABLE_TIME_MS = 1_609_459_200_000L;
+
+	/**
+	 * The maximum reasonable value for the system clock, in milliseconds
+	 * since the Unix epoch.
+	 * <p/>
+	 * 1 Jan 2121, 00:00:00 UTC
+	 */
+	long MAX_REASONABLE_TIME_MS = 4_765_132_800_000L;
+
 	/**
 	 * @see System#currentTimeMillis()
 	 */

bramble-api/src/main/java/org/briarproject/bramble/api/transport/KeyManager.java

@@ -22,8 +22,24 @@ public interface KeyManager {
 
 	/**
 	 * Derives and stores a set of rotation mode transport keys for
-	 * communicating with the given contact over each transport and returns the
-	 * key set IDs.
+	 * communicating with the given contact over the given transport and
+	 * returns the key set ID, or null if the transport is not supported.
+	 * <p/>
+	 * {@link StreamContext StreamContexts} for the contact can be created
+	 * after this method has returned.
+	 *
+	 * @param alice True if the local party is Alice
+	 * @param active Whether the derived keys can be used for outgoing streams
+	 */
+	@Nullable
+	KeySetId addRotationKeys(Transaction txn, ContactId c, TransportId t,
+			SecretKey rootKey, long timestamp, boolean alice,
+			boolean active) throws DbException;
+
+	/**
+	 * Derives and stores a set of rotation mode transport keys for
+	 * communicating with the given contact over each supported transport and
+	 * returns the key set IDs.
 	 * <p/>
 	 * {@link StreamContext StreamContexts} for the contact can be created
 	 * after this method has returned.

bramble-api/src/main/java/org/briarproject/bramble/api/transport/agreement/TransportKeyAgreementManager.java

@@ -0,0 +1,24 @@
+package org.briarproject.bramble.api.transport.agreement;
+
+import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
+import org.briarproject.bramble.api.sync.ClientId;
+
+@NotNullByDefault
+public interface TransportKeyAgreementManager {
+
+	/**
+	 * The unique ID of the transport key agreement client.
+	 */
+	ClientId CLIENT_ID =
+			new ClientId("org.briarproject.bramble.transport.agreement");
+
+	/**
+	 * The current major version of the transport key agreement client.
+	 */
+	int MAJOR_VERSION = 0;
+
+	/**
+	 * The current minor version of the transport key agreement client.
+	 */
+	int MINOR_VERSION = 0;
+}

bramble-api/src/test/java/org/briarproject/bramble/test/TestUtils.java

@@ -163,10 +163,15 @@ public class TestUtils {
 
 	public static Message getMessage(GroupId groupId) {
 		int bodyLength = 1 + random.nextInt(MAX_MESSAGE_BODY_LENGTH);
-		return getMessage(groupId, bodyLength);
+		return getMessage(groupId, bodyLength, timestamp);
 	}
 
 	public static Message getMessage(GroupId groupId, int bodyLength) {
+		return getMessage(groupId, bodyLength, timestamp);
+	}
+
+	public static Message getMessage(GroupId groupId, int bodyLength,
+			long timestamp) {
 		MessageId id = new MessageId(getRandomId());
 		byte[] body = getRandomBytes(bodyLength);
 		return new Message(id, groupId, timestamp, body);