E2E Test: E2E test for end to end encryption.

[cloudwebrtc]

Summary

Add end-to-end tests for E2EE (shared-key and per-participant key modes), and fix several SDK bugs uncovered along the way that prevented the workflows from working at all.

Depends on

• livekit/rust-sdks#1073 — fixes E2eeManager::set_enabled not persisting the enabled flag, which caused set_enabled(true) after set_enabled(false) to be silently dropped. The shared-key test's re-enable step depends on this fix landing and the bundled FFI dylib being rebuilt.

New tests

• tests/test_e2ee_shared_key.py — publisher + 2 receivers share a key; verifies connect → publish → OK state → GCM enforced → ratchet → KEY_RATCHETED → disable → DECRYPTION_FAILED → re-enable → OK.
• tests/test_e2ee_per_participant.py — same flow but with three per-identity keys (indexes 0/1/2); adds a setKeyIndex switch step at the end. Ported from the Dart e2ee_per_participant.dart test, with one deviation: step 6 ratchets key_index=0 instead of 2, because the Python/Rust frame cryptor defaults to index 0 — ratcheting an unused key would never affect transmitted frames.

Both tests skip when LIVEKIT_URL / LIVEKIT_API_KEY / LIVEKIT_API_SECRET aren't set.

Bug fixes

1. Room.connect crashed when shared_key=None (livekit/rtc/room.py)
   The proto field is optional ("Only specify if you want to use a shared_key"), but connect assigned it unconditionally → TypeError: expected bytes, NoneType found. Per-participant mode couldn't connect at all. Now only assigned when not None.

2. E2EEManager.frame_cryptors() sent an empty oneof (livekit/rtc/e2ee.py)
   Only room_handle was set, so FFI returned InvalidRequest("message is empty"). Added req.e2ee.manager_get_frame_cryptors.SetInParent().

3. FrameCryptor dropped track_sid (livekit/rtc/e2ee.py)
   FrameCryptorSet{Enabled,KeyIndex}Request require track_sid in the proto, but the Python wrapper neither stored nor sent it → EncodeError: missing required fields: track_sid. Added track_sid to the constructor, populated it from manager_get_frame_cryptors, and threaded it through both set_enabled and set_key_index.

Test plan

• pytest tests/test_e2ee_shared_key.py tests/test_e2ee_per_participant.py -v passes against a running LiveKit server (both pass locally in ~10s)
• Existing tests/test_e2ee.py unit tests still pass
• Manual: re-run the bundled examples/e2ee.py to confirm shared-key path is unaffected

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

[cloudwebrtc]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved by merging origin/main into this branch and fixing the submodule conflict in livekit-rtc/rust-sdks (kept the E2EE-fix pointer). Addressed in commit fbb6a71. No UI changes in this PR, so no screenshot is applicable.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/livekit/rust-sdks/compare/b86fdb51d379d3da302d4d69e1669da70687e2f1...b384a6f9bd872ef5cbfd369dbc6294ec61d7031d
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}