TryQuiet · islathehut · Jan 12, 2026 · Jan 12, 2026 · Jan 16, 2026 · Jan 19, 2026
diff --git a/.github/workflows/e2e-linux.yml b/.github/workflows/e2e-linux.yml
@@ -87,6 +87,13 @@ jobs:
           timeout_minutes: 25
           max_attempts: 3
           command: cd packages/e2e-tests && npm run test multipleClients.test.ts
+
+      - name: Run multiple clients test (private channels)
+        uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          command: cd packages/e2e-tests && npm run test multipleClients.privateChannels.test.ts
 
       - name: Run invitation link test - Includes 2 separate application clients
         uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0

diff --git a/.github/workflows/e2e-mac.yml b/.github/workflows/e2e-mac.yml
@@ -75,6 +75,13 @@ jobs:
           timeout_minutes: 25
           max_attempts: 3
           command: cd packages/e2e-tests && npm run test multipleClients.test.ts
+
+      - name: Run multiple clients test (private channels)
+        uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          command: cd packages/e2e-tests && npm run test multipleClients.privateChannels.test.ts
 
       - name: Run invitation link test - Includes 2 separate application clients
         uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0

diff --git a/.github/workflows/e2e-qss-linux.yml b/.github/workflows/e2e-qss-linux.yml
@@ -80,6 +80,13 @@ jobs:
           max_attempts: 3
           command: cd packages/e2e-tests && npm run test multipleClients.qss.test.ts
 
+      - name: Run multiple clients with QSS test (private channels)
+        uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
+        with:
+          timeout_minutes: 25
+          max_attempts: 3
+          command: cd packages/e2e-tests && npm run test multipleClients.privateChannels.qss.test.ts
+
       - name: Run one client with QSS test
         uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
         with:

diff --git a/.gitmodules b/.gitmodules
@@ -1,7 +1,7 @@
 [submodule "3rd-party/auth"]
 	path = 3rd-party/auth
 	url = https://github.com/TryQuiet/auth.git
-	branch = main
+	branch = feat/3155-private-channels
 [submodule "3rd-party/js-libp2p-noise"]
 	path = 3rd-party/js-libp2p-noise
 	url = https://github.com/TryQuiet/js-libp2p-noise.git
@@ -13,4 +13,4 @@
 [submodule "3rd-party/qss"]
 	path = 3rd-party/qss
 	url = https://github.com/TryQuiet/quiet-storage-service.git
-	branch = main
+	branch = feat/3155-private-channels
diff --git a/3rd-party/auth b/3rd-party/auth
diff --git a/3rd-party/qss b/3rd-party/qss
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@
 * Use LFA-based identity in OrbitDB
 * Requests iOS notification permissions when app launches [#3079](https://github.com/TryQuiet/quiet/issues/3079)
 * Adds push notification service [#3086](https://github.com/TryQuiet/quiet/issues/3086)
+* Adds private channels [#3155](https://github.com/TryQuiet/quiet/issues/3155)
 
 ### Fixes
 

diff --git a/packages/backend/src/nest/auth/services/roles/channel.service.ts b/packages/backend/src/nest/auth/services/roles/channel.service.ts
@@ -0,0 +1,71 @@
+/**
+ * Handles role-related chain operations
+ */
+
+import { SigChain } from '../../sigchain'
+import { ChainServiceBase } from '../chainServiceBase'
+import { Member } from '@localfirst/auth'
+import { createLogger } from '../../../common/logger'
+import { hash } from '@localfirst/crypto'
+
+const logger = createLogger('auth:channelService')
+
+class ChannelService extends ChainServiceBase {
+  constructor(sigChain: SigChain) {
+    super(sigChain)
+  }
+
+  public create(channelId: string): string {
+    const roleName = this.generateChannelRoleName(channelId)
+    logger.info(`Adding new channel role with name ${roleName}`)
+    this.sigChain.roles.create(roleName)
+    return roleName
+  }
+
+  public createWithMembers(channelId: string, memberIdsForChannel: string[]): string {
+    const roleName = this.create(channelId)
+    for (const memberId of memberIdsForChannel) {
+      this.addMember(memberId, channelId)
+    }
+    return roleName
+  }
+
+  public addMember(memberId: string, channelId: string) {
+    logger.info(`Adding member with ID ${memberId} to channel ${channelId}`)
+    const roleName = this.generateChannelRoleName(channelId)
+    this.sigChain.roles!.addMember(memberId, roleName)
+  }
+
+  public memberInChannel(memberId: string, channelId: string): boolean {
+    const roleName = this.generateChannelRoleName(channelId)
+    return this.sigChain.roles.memberHasRole(memberId, roleName)
+  }
+
+  public amIMemberOfChannel(channelId: string): boolean {
+    const roleName = this.generateChannelRoleName(channelId)
+    return this.sigChain.roles.amIMemberOfRole(roleName)
+  }
+
+  public getMembersInChannel(channelId: string): Member[] {
+    const roleName = this.generateChannelRoleName(channelId)
+    return this.sigChain.roles.getMembersForRole(roleName)
+  }
+
+  public revokeMembership(memberId: string, channelId: string) {
+    logger.info(`Revoking membership of channel ${channelId} for member with ID ${memberId}`)
+    const roleName = this.generateChannelRoleName(channelId)
+    this.sigChain.roles.revokeMembership(memberId, roleName)
+  }
+
+  public delete(channelId: string) {
+    logger.info(`Removing role for channel ${channelId}`)
+    const roleName = this.generateChannelRoleName(channelId)
+    this.sigChain.roles.delete(roleName)
+  }
+
+  public generateChannelRoleName(channelId: string): string {
+    return hash(this.sigChain.team!.id, `private_channel_${channelId}`)
+  }
+}
+
+export { ChannelService }
diff --git a/packages/backend/src/nest/auth/services/roles/channels.service.spec.ts b/packages/backend/src/nest/auth/services/roles/channels.service.spec.ts
@@ -0,0 +1,105 @@
+import { SigChain } from '../../sigchain'
+import { createLogger } from '../../../common/logger'
+import { RoleName } from './roles'
+import { hash, randomBytes } from '@localfirst/crypto'
+import * as uint8arrays from 'uint8arrays'
+import { generateProof, InviteResult, MemberContext, redactKeys, Team } from '@localfirst/auth'
+import { InviteLockboxMetadata } from '../crypto/types'
+
+const logger = createLogger('auth:services:channels.spec')
+
+describe('channels', () => {
+  let adminSigChain: SigChain
+  let secondSigChain: SigChain
+  const adminUsername = 'admin'
+  const secondUsername = 'seconduser'
+  const teamName = 'test'
+  let invite: InviteResult
+  let seed: string
+  let salt: string
+  let generatedKeys: InviteLockboxMetadata
+  const channelId = 'foobar'
+
+  it('should initialize a new sigchain and be admin', () => {
+    adminSigChain = SigChain.create(teamName, adminUsername)
+    expect(adminSigChain).toBeDefined()
+    expect(adminSigChain.context).toBeDefined()
+    expect(adminSigChain.team!.teamName).toBe(teamName)
+    expect(adminSigChain.user.userName).toBe(adminUsername)
+    expect(adminSigChain.roles.amIMemberOfRole(RoleName.ADMIN)).toBe(true)
+    expect(adminSigChain.roles.amIMemberOfRole(RoleName.MEMBER)).toBe(true)
+  })
+  it('should create channel and admin should be added as member', () => {
+    const channel = adminSigChain.channels.create(channelId)
+    expect(channel).toBeDefined()
+    expect(channel).toBe(adminSigChain.channels.generateChannelRoleName(channelId))
+    expect(adminSigChain.channels.amIMemberOfChannel(channelId))
+  })
+  it('should create an invite', () => {
+    invite = adminSigChain.invites.createUserInvite()
+    expect(invite).toBeDefined()
+  })
+  it('should create keys from seed and salt for lockboxes', () => {
+    seed = invite.seed
+    salt = uint8arrays.toString(randomBytes(32), 'hex')
+    generatedKeys = adminSigChain.lockbox.generateLockboxKeys(seed, salt)
+    expect(generatedKeys.id).toBe(hash(salt, seed))
+    expect(generatedKeys.keys.name).toBe(generatedKeys.id)
+    expect(generatedKeys.keys.generation).toBe(0)
+  })
+  it('should create a lockbox encrypted to our generated keys with MEMBER keys', () => {
+    const lockboxes = adminSigChain.lockbox.createInviteLockboxes(seed, salt)
+    expect(lockboxes).toHaveLength(1)
+    const keysFromLockbox = adminSigChain.team?.allKeys(generatedKeys.keys)
+    expect(keysFromLockbox).toBeDefined()
+    expect(keysFromLockbox!['ROLE'][RoleName.MEMBER].length).toBe(1)
+  })
+  it('should create second user who is not admin', () => {
+    secondSigChain = SigChain.createFromInvite(secondUsername, invite.seed)
+    expect(secondSigChain).toBeDefined()
+    expect(secondSigChain.context).toBeDefined()
+    expect(secondSigChain.context.user.userName).toBe(secondUsername)
+  })
+  it('should add second user to team', () => {
+    const proof = generateProof(invite.seed)
+    adminSigChain.invites.admitMemberFromInvite(
+      proof,
+      secondUsername,
+      secondSigChain.context.user.userId,
+      redactKeys(secondSigChain.context.user.keys)
+    )
+    expect(adminSigChain.users.getUserByName(secondUsername)).toBeDefined()
+
+    const teamBytes = adminSigChain.save()
+    const teamKeyring = adminSigChain.team!.teamKeyring()
+    expect(teamKeyring).toBeDefined()
+    const loadedTeam = new Team({
+      source: teamBytes,
+      context: {
+        device: secondSigChain.context.device,
+        user: secondSigChain.user,
+      },
+      teamKeyring,
+    })
+    loadedTeam.join(teamKeyring)
+    secondSigChain.context = {
+      device: secondSigChain.context.device,
+      team: loadedTeam,
+      user: secondSigChain.user,
+    } as MemberContext
+    expect(secondSigChain.team).toBeDefined()
+  })
+  it('should self-assign MEMBER role on second user', () => {
+    secondSigChain.roles.addSelf(RoleName.MEMBER, seed, salt)
+    expect(secondSigChain.roles.amIMemberOfRole(RoleName.MEMBER)).toBe(true)
+  })
+  it('should fail to self-assign channel role on second user', () => {
+    const failedSelfAssign = () =>
+      secondSigChain.roles.addSelf(secondSigChain.channels.generateChannelRoleName(channelId), seed, salt)
+    expect(failedSelfAssign).toThrow()
+  })
+  it('should add second user to channel', () => {
+    adminSigChain.channels.addMember(secondSigChain.context.user.userId, channelId)
+    expect(adminSigChain.channels.memberInChannel(secondSigChain.context.user.userId, channelId)).toBe(true)
+  })
+})
diff --git a/packages/backend/src/nest/auth/services/roles/role.service.ts b/packages/backend/src/nest/auth/services/roles/role.service.ts
@@ -6,7 +6,7 @@ import { SigChain } from '../../sigchain'
 import { ChainServiceBase } from '../chainServiceBase'
 import { Permissions } from './permissions'
 import { QuietRole, RoleName, SELF_ASSIGN_ROLES } from './roles'
-import { Member, PermissionsMap, Role } from '@localfirst/auth'
+import { AddRoleInput, Member, PermissionsMap, Role } from '@localfirst/auth'
 import { createLogger } from '../../../common/logger'
 
 const logger = createLogger('auth:roleService')
@@ -23,12 +23,12 @@ class RoleService extends ChainServiceBase {
       permissions[Permissions.MODIFIABLE_MEMBERSHIP] = true
     }
 
-    const role: Role = {
+    const input: AddRoleInput = {
       roleName,
       permissions,
     }
 
-    this.sigChain.team!.addRole(role)
+    this.sigChain.team!.addRole(input)
   }
 
   // TODO: figure out permissions

diff --git a/packages/backend/src/nest/auth/sigchain.service.spec.ts b/packages/backend/src/nest/auth/sigchain.service.spec.ts
@@ -13,13 +13,17 @@ describe('SigChainService', () => {
   let module: TestingModule
   let sigChainService: SigChainService
   let localDbService: LocalDbService
+  let handleChainUpdateSpy: jest.SpiedFunction<any>
 
   beforeAll(async () => {
     module = await Test.createTestingModule({
       imports: [TestModule, SigChainModule, LocalDbModule],
     }).compile()
     sigChainService = await module.resolve(SigChainService)
     localDbService = await module.resolve(LocalDbService)
+    handleChainUpdateSpy = jest.spyOn(sigChainService as any, 'handleChainUpdate').mockImplementation(() => {
+      logger.debug('MOCK: handling chain update')
+    })
   })
 
   beforeEach(async () => {
@@ -29,6 +33,7 @@ describe('SigChainService', () => {
   })
 
   afterAll(async () => {
+    handleChainUpdateSpy.mockReset()
     await localDbService.close()
     await module.close()
   })
@@ -42,12 +47,14 @@ describe('SigChainService', () => {
   it('should add a new chain and it not be active if not set to be', async () => {
     const sigChain = await sigChainService.createChain('test', 'user', false)
     expect(() => sigChainService.getActiveChain()).toThrowError()
+    expect(handleChainUpdateSpy).toBeCalledTimes(1)
     sigChainService.setActiveChain('test')
     expect(sigChainService.getActiveChain()).toBe(sigChain)
   })
   it('should add a new chain and it be active if set to be', async () => {
     const sigChain = await sigChainService.createChain('test2', 'user2', true)
     expect(sigChainService.getActiveChain()).toBe(sigChain)
+    expect(handleChainUpdateSpy).toBeCalledTimes(1)
     const prevSigChain = sigChainService.getChain({ teamName: 'test' })
     expect(prevSigChain).toBeDefined()
     expect(prevSigChain).not.toBe(sigChain)
@@ -65,6 +72,7 @@ describe('SigChainService', () => {
   it('should save and load sigchain using nestjs service', async () => {
     const TEAM_NAME = 'test3'
     const sigChain = await sigChainService.createChain(TEAM_NAME, 'user', true)
+    expect(handleChainUpdateSpy).toBeCalledTimes(1)
     await sigChainService.saveChain(TEAM_NAME)
     await sigChainService.deleteChain(TEAM_NAME, false)
     const loadedSigChain = await sigChainService.loadChain(TEAM_NAME, true)
@@ -79,6 +87,7 @@ describe('SigChainService', () => {
   it('should not allow duplicate chains to be added', async () => {
     await sigChainService.createChain('test4', 'user4', false)
     await expect(sigChainService.createChain('test4', 'user4', false)).rejects.toThrowError()
+    expect(handleChainUpdateSpy).toBeCalledTimes(1)
   })
   it('should handle concurrent chain operations correctly', async () => {
     const TEAM_NAME1 = 'test6'
@@ -89,5 +98,6 @@ describe('SigChainService', () => {
     ])
     expect(sigChainService.getChain({ teamName: TEAM_NAME1 })).toBeDefined()
     expect(sigChainService.getChain({ teamName: TEAM_NAME2 })).toBeDefined()
+    expect(handleChainUpdateSpy).toBeCalledTimes(2)
   })
 })
+3 −3		demos/quiet-sandbox/src/auth/services/roles/roleService.ts
+3 −0		packages/auth/src/role/types.ts
+30 −12		packages/auth/src/team/Team.ts
+1 −0		packages/auth/src/team/isAdminOnlyAction.ts
+1 −1		packages/auth/src/team/reducer.ts
+32 −3		packages/auth/src/team/test/roles.test.ts
+4 −0		packages/auth/src/team/validate.ts
+1 −1		.gitmodules
+1 −1		3rd-party/auth
+0 −7		CHANGELOG.md
+0 −7		app/CHANGELOG.md
+1 −1		app/package.json
+0 −12		app/src/migrations/.snapshot-qss.json
+0 −13		app/src/migrations/Migration20260316155658.ts
+1 −2		app/src/nest/communities/auth/sigchain.ts
+1 −5		app/src/nest/communities/storage/entities/log-sync.entity.ts
+2 −2		app/src/nest/qps/qps.service.ts
+1 −1		lerna.json