chore: remove extra MLS verification transactions on epoch changes [WPB-23368]

[Garzas]

https://wearezeta.atlassian.net/browse/WPB-23368

---

PR Submission Checklist for internal contributors

• The PR Title

  • conforms to the style of semantic commits messages¹ supported in Wire's Github Workflow²
  • contains a reference JIRA issue number like SQPIT-764
  • answers the question: If merged, this PR will: ... ³

• The PR Description

  • is free of optional paragraphs and you have filled the relevant parts to the best of your ability

---

What's new in this PR?

Issues

• Verification refresh during MLS epoch-change flow was opening additional CC transactions.
• During batch decrypt, those extra transactions could be blocked by ongoing decrypt work, causing delays and noisy waiting logs.
• Member verification status retrieval used a mixed access pattern, leading to duplicated read logic.

Causes (Optional)

• Verification checks in epoch/conversation flows were still tied to transaction-based access.
• Read-only verification/identity checks were not consistently routed through the same non-blocking path.

Solutions

• Removed extra transaction usage from epoch-change and conversation verification refresh flows.
• Switched verification state reads to the read-only client path.
• Standardized member-identity retrieval by passing the client explicitly to repository methods, instead of using transaction context/provider inside the repository.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Test Results

4 045 tests   - 286   4 025 ✅  - 189   3m 24s ⏱️ - 2m 26s
   12 suites  - 713      20 💤  -  97 
   12 files    - 713       0 ❌ ±  0 

Results for commit 2c40069. ± Comparison against base commit 3e70856.

This pull request removes 4331 and adds 4045 tests. Note that renamed tests count towards both.

com.wire.backup.BackupEndToEndTest ‑ givenBackedUpAssetMessage_whenRestoring_thenShouldReadTheSameContent[js, browser]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpAssetMessage_whenRestoring_thenShouldReadTheSameContent[jvm]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpLocationMessage_whenRestoring_thenShouldReadTheSameContent[js, browser]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpLocationMessage_whenRestoring_thenShouldReadTheSameContent[jvm]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpReactions_whenRestoring_thenShouldReadTheSameContent[js, browser]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpReactions_whenRestoring_thenShouldReadTheSameContent[jvm]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpTextMessages_whenRestoring_thenShouldReadTheSameContent[js, browser]
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpTextMessages_whenRestoring_thenShouldReadTheSameContent[jvm]
com.wire.backup.BackupEndToEndTest ‑ givenBackupWithPassword_whenPeeking_thenShouldBeEncrypted[js, browser]
com.wire.backup.BackupEndToEndTest ‑ givenBackupWithPassword_whenPeeking_thenShouldBeEncrypted[jvm]
…

com.wire.backup.BackupEndToEndTest ‑ givenBackedUpAssetMessage_whenRestoring_thenShouldReadTheSameContent
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpLocationMessage_whenRestoring_thenShouldReadTheSameContent
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpReactions_whenRestoring_thenShouldReadTheSameContent
com.wire.backup.BackupEndToEndTest ‑ givenBackedUpTextMessages_whenRestoring_thenShouldReadTheSameContent
com.wire.backup.BackupEndToEndTest ‑ givenBackupWithPassword_whenPeeking_thenShouldBeEncrypted
com.wire.backup.BackupEndToEndTest ‑ givenBackupWithoutPassword_whenPeeking_thenShouldNotBeEncrypted
com.wire.backup.BackupEndToEndTest ‑ givenEncryptedBackedUpTextMessages_whenRestoring_thenShouldReadTheSameContent
com.wire.backup.data.BackupContentTextTest ‑ givenMultipleValidMentions_whenCreatingText_thenShouldNotThrow
com.wire.backup.data.BackupContentTextTest ‑ givenNegativeStart_whenCreatingMention_thenShouldThrowIAE
com.wire.backup.data.BackupContentTextTest ‑ givenNoMentions_whenCreatingText_thenShouldNotThrow
…

This pull request removes 117 skipped tests and adds 20 skipped tests. Note that renamed tests count towards both.

com.wire.kalium.api.common.ACMEApiTest ‑ whenCallingGeTrustAnchorsApi_theResponseShouldBeConfigureCorrectly[jvm]
com.wire.kalium.api.common.ACMEApiTest ‑ whenCallingSendChallengeRequestApi_theResponseShouldBeConfigureCorrectly[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenAValidEmail_whenActivationEmailWIthCode_theRequestShouldBeConfiguredCorrectly[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenAValidEmail_whenRegisteringAccountWithEMail_theRequestShouldBeConfiguredCorrectly[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenAValidEmail_whenSendingActivationEmail_theRequestShouldBeConfiguredCorrectly[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenActivationCodeFail_thenErrorIsPropagated[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenRegistrationFail_whenRegisteringAccountWithEMMail_thenErrorIsPropagated[jvm]
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ givenSendActivationCodeFail_thenErrorIsPropagated[jvm]
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenDummyText_whenEncryptedAndDecryptedWithAES256_returnsOriginalText[js, browser]
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenSomeDummyFile_whenEncryptedAndDecryptedWithAES256_returnsExpectedOriginalFile[js, browser]
…

com.wire.kalium.api.common.ACMEApiTest ‑ whenCallingGeTrustAnchorsApi_theResponseShouldBeConfigureCorrectly
com.wire.kalium.api.common.ACMEApiTest ‑ whenCallingSendChallengeRequestApi_theResponseShouldBeConfigureCorrectly
com.wire.kalium.api.v0.user.register.RegisterApiV0Test ‑ null
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenDummyText_whenEncryptedAndDecryptedWithAES256_returnsOriginalText
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenSomeDummyFile_whenEncryptedAndDecryptedWithAES256_returnsExpectedOriginalFile
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenSomeDummyFile_whenEncryptedAsAFileAndDecryptedWithAES256AsData_returnsExpectedOriginalFileContent
com.wire.kalium.cryptography.CryptoUtilsTest ‑ givenSomeDummyFile_whenEncryptedAsDataAndDecryptedWithAES256AsAFile_returnsExpectedOriginalFileContent
com.wire.kalium.cryptography.CryptoUtilsTest ‑ testGivenByteArray_whenCallingCalcMd5_returnsExpectedDigest
com.wire.kalium.cryptography.CryptoUtilsTest ‑ testGivenByteArray_whenCallingCalcSHA256_returnsExpectedDigest
com.wire.kalium.logic.data.conversation.ConversationRepositoryTest ‑ givenAGroupConversationHasNotNewMessages_whenGettingConversationDetails_ThenReturnZeroUnreadMessageCount
…

♻️ This comment has been updated with latest results.

[github-actions]

Bencher Report

Branch	chore/mls-verification-without-extra-transactions
Testbed	ubuntu-latest

⚠️ WARNING: No Threshold found!

Without a Threshold, no Alerts will ever be generated.

• Latency (nanoseconds (ns))

Click here to create a new Threshold
For more information, see the Threshold documentation.
To only post results if a Threshold exists, set the --ci-only-thresholds flag.

Click to view all benchmark results

Benchmark	Latency	microseconds (µs)
com.wire.kalium.benchmarks.logic.CoreLogicBenchmark.createObjectInFiles	📈 view plot ⚠️ NO THRESHOLD	699.75 µs
com.wire.kalium.benchmarks.logic.CoreLogicBenchmark.createObjectInMemory	📈 view plot ⚠️ NO THRESHOLD	339,443.35 µs
com.wire.kalium.benchmarks.persistence.MessagesNoPragmaTuneBenchmark.messageInsertionBenchmark	📈 view plot ⚠️ NO THRESHOLD	1,350,349.67 µs
com.wire.kalium.benchmarks.persistence.MessagesNoPragmaTuneBenchmark.queryMessagesBenchmark	📈 view plot ⚠️ NO THRESHOLD	21,027.00 µs

🐰 View full continuous benchmarking report in Bencher