diff --git a/extensions/matrix/runtime-api.ts b/extensions/matrix/runtime-api.ts new file mode 100644 index 00000000000..392ca4de932 --- /dev/null +++ b/extensions/matrix/runtime-api.ts @@ -0,0 +1,4 @@ +export * from "./src/account-selection.js"; +export * from "./src/auth-precedence.js"; +export * from "./src/env-vars.js"; +export * from "./src/storage-paths.js"; diff --git a/extensions/matrix/src/account-selection.ts b/extensions/matrix/src/account-selection.ts new file mode 100644 index 00000000000..51bf75061b2 --- /dev/null +++ b/extensions/matrix/src/account-selection.ts @@ -0,0 +1,106 @@ +import { + DEFAULT_ACCOUNT_ID, + normalizeAccountId, + normalizeOptionalAccountId, +} from "openclaw/plugin-sdk/account-id"; +import type { OpenClawConfig } from "openclaw/plugin-sdk/config-runtime"; +import { listMatrixEnvAccountIds } from "./env-vars.js"; + +function isRecord(value: unknown): value is Record { + return Boolean(value) && typeof value === "object" && !Array.isArray(value); +} + +export function resolveMatrixChannelConfig(cfg: OpenClawConfig): Record | null { + return isRecord(cfg.channels?.matrix) ? cfg.channels.matrix : null; +} + +export function findMatrixAccountEntry( + cfg: OpenClawConfig, + accountId: string, +): Record | null { + const channel = resolveMatrixChannelConfig(cfg); + if (!channel) { + return null; + } + + const accounts = isRecord(channel.accounts) ? channel.accounts : null; + if (!accounts) { + return null; + } + + const normalizedAccountId = normalizeAccountId(accountId); + for (const [rawAccountId, value] of Object.entries(accounts)) { + if (normalizeAccountId(rawAccountId) === normalizedAccountId && isRecord(value)) { + return value; + } + } + + return null; +} + +export function resolveConfiguredMatrixAccountIds( + cfg: OpenClawConfig, + env: NodeJS.ProcessEnv = process.env, +): string[] { + const channel = resolveMatrixChannelConfig(cfg); + const ids = new Set(listMatrixEnvAccountIds(env)); + + const accounts = channel && isRecord(channel.accounts) ? channel.accounts : null; + if (accounts) { + for (const [accountId, value] of Object.entries(accounts)) { + if (isRecord(value)) { + ids.add(normalizeAccountId(accountId)); + } + } + } + + if (ids.size === 0 && channel) { + ids.add(DEFAULT_ACCOUNT_ID); + } + + return Array.from(ids).toSorted((a, b) => a.localeCompare(b)); +} + +export function resolveMatrixDefaultOrOnlyAccountId( + cfg: OpenClawConfig, + env: NodeJS.ProcessEnv = process.env, +): string { + const channel = resolveMatrixChannelConfig(cfg); + if (!channel) { + return DEFAULT_ACCOUNT_ID; + } + + const configuredDefault = normalizeOptionalAccountId( + typeof channel.defaultAccount === "string" ? channel.defaultAccount : undefined, + ); + const configuredAccountIds = resolveConfiguredMatrixAccountIds(cfg, env); + if (configuredDefault && configuredAccountIds.includes(configuredDefault)) { + return configuredDefault; + } + if (configuredAccountIds.includes(DEFAULT_ACCOUNT_ID)) { + return DEFAULT_ACCOUNT_ID; + } + + if (configuredAccountIds.length === 1) { + return configuredAccountIds[0] ?? DEFAULT_ACCOUNT_ID; + } + return DEFAULT_ACCOUNT_ID; +} + +export function requiresExplicitMatrixDefaultAccount( + cfg: OpenClawConfig, + env: NodeJS.ProcessEnv = process.env, +): boolean { + const channel = resolveMatrixChannelConfig(cfg); + if (!channel) { + return false; + } + const configuredAccountIds = resolveConfiguredMatrixAccountIds(cfg, env); + if (configuredAccountIds.length <= 1) { + return false; + } + const configuredDefault = normalizeOptionalAccountId( + typeof channel.defaultAccount === "string" ? channel.defaultAccount : undefined, + ); + return !(configuredDefault && configuredAccountIds.includes(configuredDefault)); +} diff --git a/extensions/matrix/src/auth-precedence.ts b/extensions/matrix/src/auth-precedence.ts new file mode 100644 index 00000000000..244a7eb9e90 --- /dev/null +++ b/extensions/matrix/src/auth-precedence.ts @@ -0,0 +1,61 @@ +import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/account-id"; + +export type MatrixResolvedStringField = + | "homeserver" + | "userId" + | "accessToken" + | "password" + | "deviceId" + | "deviceName"; + +export type MatrixResolvedStringValues = Record; + +type MatrixStringSourceMap = Partial>; + +const MATRIX_DEFAULT_ACCOUNT_AUTH_ONLY_FIELDS = new Set([ + "userId", + "accessToken", + "password", + "deviceId", +]); + +function resolveMatrixStringSourceValue(value: string | undefined): string { + return typeof value === "string" ? value : ""; +} + +function shouldAllowBaseAuthFallback(accountId: string, field: MatrixResolvedStringField): boolean { + return ( + normalizeAccountId(accountId) === DEFAULT_ACCOUNT_ID || + !MATRIX_DEFAULT_ACCOUNT_AUTH_ONLY_FIELDS.has(field) + ); +} + +export function resolveMatrixAccountStringValues(params: { + accountId: string; + account?: MatrixStringSourceMap; + scopedEnv?: MatrixStringSourceMap; + channel?: MatrixStringSourceMap; + globalEnv?: MatrixStringSourceMap; +}): MatrixResolvedStringValues { + const fields: MatrixResolvedStringField[] = [ + "homeserver", + "userId", + "accessToken", + "password", + "deviceId", + "deviceName", + ]; + const resolved = {} as MatrixResolvedStringValues; + + for (const field of fields) { + resolved[field] = + resolveMatrixStringSourceValue(params.account?.[field]) || + resolveMatrixStringSourceValue(params.scopedEnv?.[field]) || + (shouldAllowBaseAuthFallback(params.accountId, field) + ? resolveMatrixStringSourceValue(params.channel?.[field]) || + resolveMatrixStringSourceValue(params.globalEnv?.[field]) + : ""); + } + + return resolved; +} diff --git a/extensions/matrix/src/env-vars.ts b/extensions/matrix/src/env-vars.ts new file mode 100644 index 00000000000..ac16c416ffc --- /dev/null +++ b/extensions/matrix/src/env-vars.ts @@ -0,0 +1,92 @@ +import { normalizeAccountId, normalizeOptionalAccountId } from "openclaw/plugin-sdk/account-id"; + +const MATRIX_SCOPED_ENV_SUFFIXES = [ + "HOMESERVER", + "USER_ID", + "ACCESS_TOKEN", + "PASSWORD", + "DEVICE_ID", + "DEVICE_NAME", +] as const; +const MATRIX_GLOBAL_ENV_KEYS = MATRIX_SCOPED_ENV_SUFFIXES.map((suffix) => `MATRIX_${suffix}`); + +const MATRIX_SCOPED_ENV_RE = new RegExp(`^MATRIX_(.+)_(${MATRIX_SCOPED_ENV_SUFFIXES.join("|")})$`); + +export function resolveMatrixEnvAccountToken(accountId: string): string { + return Array.from(normalizeAccountId(accountId)) + .map((char) => + /[a-z0-9]/.test(char) + ? char.toUpperCase() + : `_X${char.codePointAt(0)?.toString(16).toUpperCase() ?? "00"}_`, + ) + .join(""); +} + +export function getMatrixScopedEnvVarNames(accountId: string): { + homeserver: string; + userId: string; + accessToken: string; + password: string; + deviceId: string; + deviceName: string; +} { + const token = resolveMatrixEnvAccountToken(accountId); + return { + homeserver: `MATRIX_${token}_HOMESERVER`, + userId: `MATRIX_${token}_USER_ID`, + accessToken: `MATRIX_${token}_ACCESS_TOKEN`, + password: `MATRIX_${token}_PASSWORD`, + deviceId: `MATRIX_${token}_DEVICE_ID`, + deviceName: `MATRIX_${token}_DEVICE_NAME`, + }; +} + +function decodeMatrixEnvAccountToken(token: string): string | undefined { + let decoded = ""; + for (let index = 0; index < token.length; ) { + const hexEscape = /^_X([0-9A-F]+)_/.exec(token.slice(index)); + if (hexEscape) { + const hex = hexEscape[1]; + const codePoint = hex ? Number.parseInt(hex, 16) : Number.NaN; + if (!Number.isFinite(codePoint)) { + return undefined; + } + const char = String.fromCodePoint(codePoint); + decoded += char; + index += hexEscape[0].length; + continue; + } + const char = token[index]; + if (!char || !/[A-Z0-9]/.test(char)) { + return undefined; + } + decoded += char.toLowerCase(); + index += 1; + } + const normalized = normalizeOptionalAccountId(decoded); + if (!normalized) { + return undefined; + } + return resolveMatrixEnvAccountToken(normalized) === token ? normalized : undefined; +} + +export function listMatrixEnvAccountIds(env: NodeJS.ProcessEnv = process.env): string[] { + const ids = new Set(); + for (const key of MATRIX_GLOBAL_ENV_KEYS) { + if (typeof env[key] === "string" && env[key]?.trim()) { + ids.add(normalizeAccountId("default")); + break; + } + } + for (const key of Object.keys(env)) { + const match = MATRIX_SCOPED_ENV_RE.exec(key); + if (!match) { + continue; + } + const accountId = decodeMatrixEnvAccountToken(match[1]); + if (accountId) { + ids.add(accountId); + } + } + return Array.from(ids).toSorted((a, b) => a.localeCompare(b)); +} diff --git a/extensions/matrix/src/storage-paths.ts b/extensions/matrix/src/storage-paths.ts new file mode 100644 index 00000000000..5e1a3d394c3 --- /dev/null +++ b/extensions/matrix/src/storage-paths.ts @@ -0,0 +1,93 @@ +import crypto from "node:crypto"; +import path from "node:path"; +import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/account-id"; + +export function sanitizeMatrixPathSegment(value: string): string { + const cleaned = value + .trim() + .toLowerCase() + .replace(/[^a-z0-9._-]+/g, "_") + .replace(/^_+|_+$/g, ""); + return cleaned || "unknown"; +} + +export function resolveMatrixHomeserverKey(homeserver: string): string { + try { + const url = new URL(homeserver); + if (url.host) { + return sanitizeMatrixPathSegment(url.host); + } + } catch { + // fall through + } + return sanitizeMatrixPathSegment(homeserver); +} + +export function hashMatrixAccessToken(accessToken: string): string { + return crypto.createHash("sha256").update(accessToken).digest("hex").slice(0, 16); +} + +export function resolveMatrixCredentialsFilename(accountId?: string | null): string { + const normalized = normalizeAccountId(accountId); + return normalized === DEFAULT_ACCOUNT_ID ? "credentials.json" : `credentials-${normalized}.json`; +} + +export function resolveMatrixCredentialsDir(stateDir: string): string { + return path.join(stateDir, "credentials", "matrix"); +} + +export function resolveMatrixCredentialsPath(params: { + stateDir: string; + accountId?: string | null; +}): string { + return path.join( + resolveMatrixCredentialsDir(params.stateDir), + resolveMatrixCredentialsFilename(params.accountId), + ); +} + +export function resolveMatrixLegacyFlatStoreRoot(stateDir: string): string { + return path.join(stateDir, "matrix"); +} + +export function resolveMatrixLegacyFlatStoragePaths(stateDir: string): { + rootDir: string; + storagePath: string; + cryptoPath: string; +} { + const rootDir = resolveMatrixLegacyFlatStoreRoot(stateDir); + return { + rootDir, + storagePath: path.join(rootDir, "bot-storage.json"), + cryptoPath: path.join(rootDir, "crypto"), + }; +} + +export function resolveMatrixAccountStorageRoot(params: { + stateDir: string; + homeserver: string; + userId: string; + accessToken: string; + accountId?: string | null; +}): { + rootDir: string; + accountKey: string; + tokenHash: string; +} { + const accountKey = sanitizeMatrixPathSegment(params.accountId ?? DEFAULT_ACCOUNT_ID); + const userKey = sanitizeMatrixPathSegment(params.userId); + const serverKey = resolveMatrixHomeserverKey(params.homeserver); + const tokenHash = hashMatrixAccessToken(params.accessToken); + return { + rootDir: path.join( + params.stateDir, + "matrix", + "accounts", + accountKey, + `${serverKey}__${userKey}`, + tokenHash, + ), + accountKey, + tokenHash, + }; +} diff --git a/src/commands/doctor-config-flow.test.ts b/src/commands/doctor-config-flow.test.ts index 39e7b9d00fe..4a461c58267 100644 --- a/src/commands/doctor-config-flow.test.ts +++ b/src/commands/doctor-config-flow.test.ts @@ -1,6 +1,7 @@ import fs from "node:fs/promises"; import path from "node:path"; import { describe, expect, it, vi } from "vitest"; +import { resolveMatrixAccountStorageRoot } from "../../extensions/matrix/runtime-api.js"; import { withTempHome } from "../../test/helpers/temp-home.js"; import * as noteModule from "../terminal/note.js"; import { loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow.js"; @@ -203,6 +204,250 @@ describe("doctor config flow", () => { ).toBe("existing-session"); }); + it("previews Matrix legacy sync-store migration in read-only mode", async () => { + const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {}); + try { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile( + path.join(stateDir, "openclaw.json"), + JSON.stringify({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }), + ); + await fs.writeFile( + path.join(stateDir, "matrix", "bot-storage.json"), + '{"next_batch":"s1"}', + ); + await loadAndMaybeMigrateDoctorConfig({ + options: { nonInteractive: true }, + confirm: async () => false, + }); + }); + + const warning = noteSpy.mock.calls.find( + (call) => + call[1] === "Doctor warnings" && + String(call[0]).includes("Matrix plugin upgraded in place."), + ); + expect(warning?.[0]).toContain("Legacy sync store:"); + expect(warning?.[0]).toContain( + 'Run "openclaw doctor --fix" to migrate this Matrix state now.', + ); + } finally { + noteSpy.mockRestore(); + } + }); + + it("previews Matrix encrypted-state migration in read-only mode", async () => { + const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {}); + try { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + const { rootDir: accountRoot } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }); + await fs.mkdir(path.join(accountRoot, "crypto"), { recursive: true }); + await fs.writeFile( + path.join(stateDir, "openclaw.json"), + JSON.stringify({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }), + ); + await fs.writeFile( + path.join(accountRoot, "crypto", "bot-sdk.json"), + JSON.stringify({ deviceId: "DEVICE123" }), + ); + await loadAndMaybeMigrateDoctorConfig({ + options: { nonInteractive: true }, + confirm: async () => false, + }); + }); + + const warning = noteSpy.mock.calls.find( + (call) => + call[1] === "Doctor warnings" && + String(call[0]).includes("Matrix encrypted-state migration is pending"), + ); + expect(warning?.[0]).toContain("Legacy crypto store:"); + expect(warning?.[0]).toContain("New recovery key file:"); + } finally { + noteSpy.mockRestore(); + } + }); + + it("migrates Matrix legacy state on doctor repair", async () => { + const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {}); + try { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile( + path.join(stateDir, "openclaw.json"), + JSON.stringify({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }), + ); + await fs.writeFile( + path.join(stateDir, "matrix", "bot-storage.json"), + '{"next_batch":"s1"}', + ); + await loadAndMaybeMigrateDoctorConfig({ + options: { nonInteractive: true, repair: true }, + confirm: async () => false, + }); + + const migratedRoot = path.join( + stateDir, + "matrix", + "accounts", + "default", + "matrix.example.org__bot_example.org", + ); + const migratedChildren = await fs.readdir(migratedRoot); + expect(migratedChildren.length).toBe(1); + expect( + await fs + .access(path.join(migratedRoot, migratedChildren[0] ?? "", "bot-storage.json")) + .then(() => true) + .catch(() => false), + ).toBe(true); + expect( + await fs + .access(path.join(stateDir, "matrix", "bot-storage.json")) + .then(() => true) + .catch(() => false), + ).toBe(false); + }); + + expect( + noteSpy.mock.calls.some( + (call) => + call[1] === "Doctor changes" && + String(call[0]).includes("Matrix plugin upgraded in place."), + ), + ).toBe(true); + } finally { + noteSpy.mockRestore(); + } + }); + + it("creates a Matrix migration snapshot before doctor repair mutates Matrix state", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile( + path.join(stateDir, "openclaw.json"), + JSON.stringify({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }), + ); + await fs.writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + + await loadAndMaybeMigrateDoctorConfig({ + options: { nonInteractive: true, repair: true }, + confirm: async () => false, + }); + + const snapshotDir = path.join(home, "Backups", "openclaw-migrations"); + const snapshotEntries = await fs.readdir(snapshotDir); + expect(snapshotEntries.some((entry) => entry.endsWith(".tar.gz"))).toBe(true); + + const marker = JSON.parse( + await fs.readFile(path.join(stateDir, "matrix", "migration-snapshot.json"), "utf8"), + ) as { + archivePath: string; + }; + expect(marker.archivePath).toContain(path.join("Backups", "openclaw-migrations")); + }); + }); + + it("warns when Matrix is installed from a stale custom path", async () => { + const doctorWarnings = await collectDoctorWarnings({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + accessToken: "tok-123", + }, + }, + plugins: { + installs: { + matrix: { + source: "path", + sourcePath: "/tmp/openclaw-matrix-missing", + installPath: "/tmp/openclaw-matrix-missing", + }, + }, + }, + }); + + expect( + doctorWarnings.some( + (line) => line.includes("custom path") && line.includes("/tmp/openclaw-matrix-missing"), + ), + ).toBe(true); + }); + + it("warns when Matrix is installed from an existing custom path", async () => { + await withTempHome(async (home) => { + const pluginPath = path.join(home, "matrix-plugin"); + await fs.mkdir(pluginPath, { recursive: true }); + + const doctorWarnings = await collectDoctorWarnings({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + accessToken: "tok-123", + }, + }, + plugins: { + installs: { + matrix: { + source: "path", + sourcePath: pluginPath, + installPath: pluginPath, + }, + }, + }, + }); + + expect( + doctorWarnings.some((line) => line.includes("Matrix is installed from a custom path")), + ).toBe(true); + expect( + doctorWarnings.some((line) => line.includes("will not automatically replace that plugin")), + ).toBe(true); + }); + }); + it("notes legacy browser extension migration changes", async () => { const noteSpy = vi.spyOn(noteModule, "note").mockImplementation(() => {}); try { diff --git a/src/commands/doctor-config-flow.ts b/src/commands/doctor-config-flow.ts index ae755423987..5270b359a9e 100644 --- a/src/commands/doctor-config-flow.ts +++ b/src/commands/doctor-config-flow.ts @@ -21,6 +21,23 @@ import { isTrustedSafeBinPath, normalizeTrustedSafeBinDirs, } from "../infra/exec-safe-bin-trust.js"; +import { + autoPrepareLegacyMatrixCrypto, + detectLegacyMatrixCrypto, +} from "../infra/matrix-legacy-crypto.js"; +import { + autoMigrateLegacyMatrixState, + detectLegacyMatrixState, +} from "../infra/matrix-legacy-state.js"; +import { + hasActionableMatrixMigration, + hasPendingMatrixMigration, + maybeCreateMatrixMigrationSnapshot, +} from "../infra/matrix-migration-snapshot.js"; +import { + detectPluginInstallPathIssue, + formatPluginInstallPathIssue, +} from "../infra/plugin-install-path-warnings.js"; import { readChannelAllowFromStore } from "../pairing/pairing-store.js"; import { resolveTelegramAccount } from "../plugin-sdk/account-resolution.js"; import { @@ -316,6 +333,56 @@ function scanTelegramAllowFromUsernameEntries(cfg: OpenClawConfig): TelegramAllo return hits; } +function formatMatrixLegacyStatePreview( + detection: Exclude, null | { warning: string }>, +): string { + return [ + "- Matrix plugin upgraded in place.", + `- Legacy sync store: ${detection.legacyStoragePath} -> ${detection.targetStoragePath}`, + `- Legacy crypto store: ${detection.legacyCryptoPath} -> ${detection.targetCryptoPath}`, + ...(detection.selectionNote ? [`- ${detection.selectionNote}`] : []), + '- Run "openclaw doctor --fix" to migrate this Matrix state now.', + ].join("\n"); +} + +function formatMatrixLegacyCryptoPreview( + detection: ReturnType, +): string[] { + const notes: string[] = []; + for (const warning of detection.warnings) { + notes.push(`- ${warning}`); + } + for (const plan of detection.plans) { + notes.push( + [ + `- Matrix encrypted-state migration is pending for account "${plan.accountId}".`, + `- Legacy crypto store: ${plan.legacyCryptoPath}`, + `- New recovery key file: ${plan.recoveryKeyPath}`, + `- Migration state file: ${plan.statePath}`, + '- Run "openclaw doctor --fix" to extract any saved backup key now. Backed-up room keys will restore automatically on next gateway start.', + ].join("\n"), + ); + } + return notes; +} + +async function collectMatrixInstallPathWarnings(cfg: OpenClawConfig): Promise { + const issue = await detectPluginInstallPathIssue({ + pluginId: "matrix", + install: cfg.plugins?.installs?.matrix, + }); + if (!issue) { + return []; + } + return formatPluginInstallPathIssue({ + issue, + pluginLabel: "Matrix", + defaultInstallCommand: "openclaw plugins install @openclaw/matrix", + repoInstallCommand: "openclaw plugins install ./extensions/matrix", + formatCommand: formatCliCommand, + }).map((entry) => `- ${entry}`); +} + async function maybeRepairTelegramAllowFromUsernames(cfg: OpenClawConfig): Promise<{ config: OpenClawConfig; changes: string[]; @@ -1771,6 +1838,110 @@ export async function loadAndMaybeMigrateDoctorConfig(params: { } } + const matrixLegacyState = detectLegacyMatrixState({ + cfg: candidate, + env: process.env, + }); + const matrixLegacyCrypto = detectLegacyMatrixCrypto({ + cfg: candidate, + env: process.env, + }); + const pendingMatrixMigration = hasPendingMatrixMigration({ + cfg: candidate, + env: process.env, + }); + const actionableMatrixMigration = hasActionableMatrixMigration({ + cfg: candidate, + env: process.env, + }); + if (shouldRepair) { + let matrixSnapshotReady = true; + if (actionableMatrixMigration) { + try { + const snapshot = await maybeCreateMatrixMigrationSnapshot({ + trigger: "doctor-fix", + env: process.env, + }); + note( + `Matrix migration snapshot ${snapshot.created ? "created" : "reused"} before applying Matrix upgrades.\n- ${snapshot.archivePath}`, + "Doctor changes", + ); + } catch (err) { + matrixSnapshotReady = false; + note( + `- Failed creating a Matrix migration snapshot before repair: ${String(err)}`, + "Doctor warnings", + ); + note( + '- Skipping Matrix migration changes for now. Resolve the snapshot failure, then rerun "openclaw doctor --fix".', + "Doctor warnings", + ); + } + } else if (pendingMatrixMigration) { + note( + "- Matrix migration warnings are present, but no on-disk Matrix mutation is actionable yet. No pre-migration snapshot was needed.", + "Doctor warnings", + ); + } + if (matrixSnapshotReady) { + const matrixStateRepair = await autoMigrateLegacyMatrixState({ + cfg: candidate, + env: process.env, + }); + if (matrixStateRepair.changes.length > 0) { + note( + [ + "Matrix plugin upgraded in place.", + ...matrixStateRepair.changes.map((entry) => `- ${entry}`), + "- No user action required.", + ].join("\n"), + "Doctor changes", + ); + } + if (matrixStateRepair.warnings.length > 0) { + note(matrixStateRepair.warnings.map((entry) => `- ${entry}`).join("\n"), "Doctor warnings"); + } + const matrixCryptoRepair = await autoPrepareLegacyMatrixCrypto({ + cfg: candidate, + env: process.env, + }); + if (matrixCryptoRepair.changes.length > 0) { + note( + [ + "Matrix encrypted-state migration prepared.", + ...matrixCryptoRepair.changes.map((entry) => `- ${entry}`), + ].join("\n"), + "Doctor changes", + ); + } + if (matrixCryptoRepair.warnings.length > 0) { + note( + matrixCryptoRepair.warnings.map((entry) => `- ${entry}`).join("\n"), + "Doctor warnings", + ); + } + } + } else if (matrixLegacyState) { + if ("warning" in matrixLegacyState) { + note(`- ${matrixLegacyState.warning}`, "Doctor warnings"); + } else { + note(formatMatrixLegacyStatePreview(matrixLegacyState), "Doctor warnings"); + } + } + if ( + !shouldRepair && + (matrixLegacyCrypto.warnings.length > 0 || matrixLegacyCrypto.plans.length > 0) + ) { + for (const preview of formatMatrixLegacyCryptoPreview(matrixLegacyCrypto)) { + note(preview, "Doctor warnings"); + } + } + + const matrixInstallWarnings = await collectMatrixInstallPathWarnings(candidate); + if (matrixInstallWarnings.length > 0) { + note(matrixInstallWarnings.join("\n"), "Doctor warnings"); + } + const missingDefaultAccountBindingWarnings = collectMissingDefaultAccountBindingWarnings(candidate); if (missingDefaultAccountBindingWarnings.length > 0) { diff --git a/src/gateway/server-startup-matrix-migration.test.ts b/src/gateway/server-startup-matrix-migration.test.ts new file mode 100644 index 00000000000..95e72bf39dc --- /dev/null +++ b/src/gateway/server-startup-matrix-migration.test.ts @@ -0,0 +1,180 @@ +import fs from "node:fs/promises"; +import path from "node:path"; +import { describe, expect, it, vi } from "vitest"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import { runStartupMatrixMigration } from "./server-startup-matrix-migration.js"; + +describe("runStartupMatrixMigration", () => { + it("creates a snapshot before actionable startup migration", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"legacy":true}'); + const maybeCreateMatrixMigrationSnapshotMock = vi.fn(async () => ({ + created: true, + archivePath: "/tmp/snapshot.tar.gz", + markerPath: "/tmp/migration-snapshot.json", + })); + const autoMigrateLegacyMatrixStateMock = vi.fn(async () => ({ + migrated: true, + changes: [], + warnings: [], + })); + const autoPrepareLegacyMatrixCryptoMock = vi.fn(async () => ({ + migrated: false, + changes: [], + warnings: [], + })); + + await runStartupMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + } as never, + env: process.env, + deps: { + maybeCreateMatrixMigrationSnapshot: maybeCreateMatrixMigrationSnapshotMock, + autoMigrateLegacyMatrixState: autoMigrateLegacyMatrixStateMock, + autoPrepareLegacyMatrixCrypto: autoPrepareLegacyMatrixCryptoMock, + }, + log: {}, + }); + + expect(maybeCreateMatrixMigrationSnapshotMock).toHaveBeenCalledWith( + expect.objectContaining({ trigger: "gateway-startup" }), + ); + expect(autoMigrateLegacyMatrixStateMock).toHaveBeenCalledOnce(); + expect(autoPrepareLegacyMatrixCryptoMock).toHaveBeenCalledOnce(); + }); + }); + + it("skips snapshot creation when startup only has warning-only migration state", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"legacy":true}'); + const maybeCreateMatrixMigrationSnapshotMock = vi.fn(); + const autoMigrateLegacyMatrixStateMock = vi.fn(); + const autoPrepareLegacyMatrixCryptoMock = vi.fn(); + const info = vi.fn(); + + await runStartupMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + }, + }, + } as never, + env: process.env, + deps: { + maybeCreateMatrixMigrationSnapshot: maybeCreateMatrixMigrationSnapshotMock as never, + autoMigrateLegacyMatrixState: autoMigrateLegacyMatrixStateMock as never, + autoPrepareLegacyMatrixCrypto: autoPrepareLegacyMatrixCryptoMock as never, + }, + log: { info }, + }); + + expect(maybeCreateMatrixMigrationSnapshotMock).not.toHaveBeenCalled(); + expect(autoMigrateLegacyMatrixStateMock).not.toHaveBeenCalled(); + expect(autoPrepareLegacyMatrixCryptoMock).not.toHaveBeenCalled(); + expect(info).toHaveBeenCalledWith( + "matrix: migration remains in a warning-only state; no pre-migration snapshot was needed yet", + ); + }); + }); + + it("skips startup migration when snapshot creation fails", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"legacy":true}'); + const maybeCreateMatrixMigrationSnapshotMock = vi.fn(async () => { + throw new Error("backup failed"); + }); + const autoMigrateLegacyMatrixStateMock = vi.fn(); + const autoPrepareLegacyMatrixCryptoMock = vi.fn(); + const warn = vi.fn(); + + await runStartupMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + } as never, + env: process.env, + deps: { + maybeCreateMatrixMigrationSnapshot: maybeCreateMatrixMigrationSnapshotMock, + autoMigrateLegacyMatrixState: autoMigrateLegacyMatrixStateMock as never, + autoPrepareLegacyMatrixCrypto: autoPrepareLegacyMatrixCryptoMock as never, + }, + log: { warn }, + }); + + expect(autoMigrateLegacyMatrixStateMock).not.toHaveBeenCalled(); + expect(autoPrepareLegacyMatrixCryptoMock).not.toHaveBeenCalled(); + expect(warn).toHaveBeenCalledWith( + "gateway: failed creating a Matrix migration snapshot; skipping Matrix migration for now: Error: backup failed", + ); + }); + }); + + it("downgrades migration step failures to warnings so startup can continue", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + await fs.mkdir(path.join(stateDir, "matrix"), { recursive: true }); + await fs.writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"legacy":true}'); + const maybeCreateMatrixMigrationSnapshotMock = vi.fn(async () => ({ + created: true, + archivePath: "/tmp/snapshot.tar.gz", + markerPath: "/tmp/migration-snapshot.json", + })); + const autoMigrateLegacyMatrixStateMock = vi.fn(async () => ({ + migrated: true, + changes: [], + warnings: [], + })); + const autoPrepareLegacyMatrixCryptoMock = vi.fn(async () => { + throw new Error("disk full"); + }); + const warn = vi.fn(); + + await expect( + runStartupMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + } as never, + env: process.env, + deps: { + maybeCreateMatrixMigrationSnapshot: maybeCreateMatrixMigrationSnapshotMock, + autoMigrateLegacyMatrixState: autoMigrateLegacyMatrixStateMock, + autoPrepareLegacyMatrixCrypto: autoPrepareLegacyMatrixCryptoMock, + }, + log: { warn }, + }), + ).resolves.toBeUndefined(); + + expect(maybeCreateMatrixMigrationSnapshotMock).toHaveBeenCalledOnce(); + expect(autoMigrateLegacyMatrixStateMock).toHaveBeenCalledOnce(); + expect(autoPrepareLegacyMatrixCryptoMock).toHaveBeenCalledOnce(); + expect(warn).toHaveBeenCalledWith( + "gateway: legacy Matrix encrypted-state preparation failed during Matrix migration; continuing startup: Error: disk full", + ); + }); + }); +}); diff --git a/src/gateway/server-startup-matrix-migration.ts b/src/gateway/server-startup-matrix-migration.ts new file mode 100644 index 00000000000..64a5f4e0721 --- /dev/null +++ b/src/gateway/server-startup-matrix-migration.ts @@ -0,0 +1,92 @@ +import type { OpenClawConfig } from "../config/config.js"; +import { autoPrepareLegacyMatrixCrypto } from "../infra/matrix-legacy-crypto.js"; +import { autoMigrateLegacyMatrixState } from "../infra/matrix-legacy-state.js"; +import { + hasActionableMatrixMigration, + hasPendingMatrixMigration, + maybeCreateMatrixMigrationSnapshot, +} from "../infra/matrix-migration-snapshot.js"; + +type MatrixMigrationLogger = { + info?: (message: string) => void; + warn?: (message: string) => void; +}; + +async function runBestEffortMatrixMigrationStep(params: { + label: string; + log: MatrixMigrationLogger; + run: () => Promise; +}): Promise { + try { + await params.run(); + } catch (err) { + params.log.warn?.( + `gateway: ${params.label} failed during Matrix migration; continuing startup: ${String(err)}`, + ); + } +} + +export async function runStartupMatrixMigration(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + log: MatrixMigrationLogger; + deps?: { + maybeCreateMatrixMigrationSnapshot?: typeof maybeCreateMatrixMigrationSnapshot; + autoMigrateLegacyMatrixState?: typeof autoMigrateLegacyMatrixState; + autoPrepareLegacyMatrixCrypto?: typeof autoPrepareLegacyMatrixCrypto; + }; +}): Promise { + const env = params.env ?? process.env; + const createSnapshot = + params.deps?.maybeCreateMatrixMigrationSnapshot ?? maybeCreateMatrixMigrationSnapshot; + const migrateLegacyState = + params.deps?.autoMigrateLegacyMatrixState ?? autoMigrateLegacyMatrixState; + const prepareLegacyCrypto = + params.deps?.autoPrepareLegacyMatrixCrypto ?? autoPrepareLegacyMatrixCrypto; + const actionable = hasActionableMatrixMigration({ cfg: params.cfg, env }); + const pending = actionable || hasPendingMatrixMigration({ cfg: params.cfg, env }); + + if (!pending) { + return; + } + if (!actionable) { + params.log.info?.( + "matrix: migration remains in a warning-only state; no pre-migration snapshot was needed yet", + ); + return; + } + + try { + await createSnapshot({ + trigger: "gateway-startup", + env, + log: params.log, + }); + } catch (err) { + params.log.warn?.( + `gateway: failed creating a Matrix migration snapshot; skipping Matrix migration for now: ${String(err)}`, + ); + return; + } + + await runBestEffortMatrixMigrationStep({ + label: "legacy Matrix state migration", + log: params.log, + run: () => + migrateLegacyState({ + cfg: params.cfg, + env, + log: params.log, + }), + }); + await runBestEffortMatrixMigrationStep({ + label: "legacy Matrix encrypted-state preparation", + log: params.log, + run: () => + prepareLegacyCrypto({ + cfg: params.cfg, + env, + log: params.log, + }), + }); +} diff --git a/src/gateway/server.impl.ts b/src/gateway/server.impl.ts index cec8f2cb42a..6925fb3dc9b 100644 --- a/src/gateway/server.impl.ts +++ b/src/gateway/server.impl.ts @@ -36,6 +36,10 @@ import { onHeartbeatEvent } from "../infra/heartbeat-events.js"; import { startHeartbeatRunner, type HeartbeatRunner } from "../infra/heartbeat-runner.js"; import { getMachineDisplayName } from "../infra/machine-name.js"; import { ensureOpenClawCliOnPath } from "../infra/path-env.js"; +import { + detectPluginInstallPathIssue, + formatPluginInstallPathIssue, +} from "../infra/plugin-install-path-warnings.js"; import { setGatewaySigusr1RestartPolicy, setPreRestartDeferralCheck } from "../infra/restart.js"; import { primeRemoteSkillsCache, @@ -98,6 +102,7 @@ import { resolveGatewayRuntimeConfig } from "./server-runtime-config.js"; import { createGatewayRuntimeState } from "./server-runtime-state.js"; import { resolveSessionKeyForRun } from "./server-session-key.js"; import { logGatewayStartup } from "./server-startup-log.js"; +import { runStartupMatrixMigration } from "./server-startup-matrix-migration.js"; import { startGatewaySidecars } from "./server-startup.js"; import { startGatewayTailscaleExposure } from "./server-tailscale.js"; import { createWizardSessionTracker } from "./server-wizard-sessions.js"; @@ -404,6 +409,29 @@ export async function startGatewayServer( } let secretsDegraded = false; + const matrixMigrationConfig = + autoEnable.changes.length > 0 ? autoEnable.config : configSnapshot.config; + await runStartupMatrixMigration({ + cfg: matrixMigrationConfig, + env: process.env, + log, + }); + const matrixInstallPathIssue = await detectPluginInstallPathIssue({ + pluginId: "matrix", + install: matrixMigrationConfig.plugins?.installs?.matrix, + }); + if (matrixInstallPathIssue) { + const lines = formatPluginInstallPathIssue({ + issue: matrixInstallPathIssue, + pluginLabel: "Matrix", + defaultInstallCommand: "openclaw plugins install @openclaw/matrix", + repoInstallCommand: "openclaw plugins install ./extensions/matrix", + formatCommand: formatCliCommand, + }); + log.warn( + `gateway: matrix install path warning:\n${lines.map((entry) => `- ${entry}`).join("\n")}`, + ); + } const emitSecretsStateEvent = ( code: "SECRETS_RELOADER_DEGRADED" | "SECRETS_RELOADER_RECOVERED", message: string, diff --git a/src/infra/matrix-legacy-crypto.test.ts b/src/infra/matrix-legacy-crypto.test.ts new file mode 100644 index 00000000000..08501260943 --- /dev/null +++ b/src/infra/matrix-legacy-crypto.test.ts @@ -0,0 +1,448 @@ +import fs from "node:fs"; +import path from "node:path"; +import { describe, expect, it, vi } from "vitest"; +import { resolveMatrixAccountStorageRoot } from "../../extensions/matrix/runtime-api.js"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { autoPrepareLegacyMatrixCrypto, detectLegacyMatrixCrypto } from "./matrix-legacy-crypto.js"; +import { MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE } from "./matrix-plugin-helper.js"; + +function writeFile(filePath: string, value: string) { + fs.mkdirSync(path.dirname(filePath), { recursive: true }); + fs.writeFileSync(filePath, value, "utf8"); +} + +function writeMatrixPluginFixture(rootDir: string): void { + fs.mkdirSync(rootDir, { recursive: true }); + fs.writeFileSync( + path.join(rootDir, "openclaw.plugin.json"), + JSON.stringify({ + id: "matrix", + configSchema: { + type: "object", + additionalProperties: false, + }, + }), + "utf8", + ); + fs.writeFileSync(path.join(rootDir, "index.js"), "export default {};\n", "utf8"); + fs.writeFileSync( + path.join(rootDir, "legacy-crypto-inspector.js"), + [ + "export async function inspectLegacyMatrixCryptoStore() {", + ' return { deviceId: "FIXTURE", roomKeyCounts: { total: 1, backedUp: 1 }, backupVersion: "1", decryptionKeyBase64: null };', + "}", + ].join("\n"), + "utf8", + ); +} + +const matrixHelperEnv = { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home: string) => path.join(home, "bundled"), +}; + +describe("matrix legacy encrypted-state migration", () => { + it("extracts a saved backup key into the new recovery-key path", async () => { + await withTempHome( + async (home) => { + writeMatrixPluginFixture(path.join(home, "bundled", "matrix")); + const stateDir = path.join(home, ".openclaw"); + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }); + writeFile(path.join(rootDir, "crypto", "bot-sdk.json"), '{"deviceId":"DEVICE123"}'); + + const detection = detectLegacyMatrixCrypto({ cfg, env: process.env }); + expect(detection.warnings).toEqual([]); + expect(detection.plans).toHaveLength(1); + + const inspectLegacyStore = vi.fn(async () => ({ + deviceId: "DEVICE123", + roomKeyCounts: { total: 12, backedUp: 12 }, + backupVersion: "1", + decryptionKeyBase64: "YWJjZA==", + })); + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + deps: { inspectLegacyStore }, + }); + + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + expect(inspectLegacyStore).toHaveBeenCalledOnce(); + + const recovery = JSON.parse( + fs.readFileSync(path.join(rootDir, "recovery-key.json"), "utf8"), + ) as { + privateKeyBase64: string; + }; + expect(recovery.privateKeyBase64).toBe("YWJjZA=="); + + const state = JSON.parse( + fs.readFileSync(path.join(rootDir, "legacy-crypto-migration.json"), "utf8"), + ) as { + restoreStatus: string; + decryptionKeyImported: boolean; + }; + expect(state.restoreStatus).toBe("pending"); + expect(state.decryptionKeyImported).toBe(true); + }, + { env: matrixHelperEnv }, + ); + }); + + it("warns when legacy local-only room keys cannot be recovered automatically", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }); + writeFile(path.join(rootDir, "crypto", "bot-sdk.json"), '{"deviceId":"DEVICE123"}'); + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + deps: { + inspectLegacyStore: async () => ({ + deviceId: "DEVICE123", + roomKeyCounts: { total: 15, backedUp: 10 }, + backupVersion: null, + decryptionKeyBase64: null, + }), + }, + }); + + expect(result.migrated).toBe(true); + expect(result.warnings).toContain( + 'Legacy Matrix encrypted state for account "default" contains 5 room key(s) that were never backed up. Backed-up keys can be restored automatically, but local-only encrypted history may remain unavailable after upgrade.', + ); + expect(result.warnings).toContain( + 'Legacy Matrix encrypted state for account "default" cannot be fully converted automatically because the old rust crypto store does not expose all local room keys for export.', + ); + const state = JSON.parse( + fs.readFileSync(path.join(rootDir, "legacy-crypto-migration.json"), "utf8"), + ) as { + restoreStatus: string; + }; + expect(state.restoreStatus).toBe("manual-action-required"); + }); + }); + + it("warns instead of throwing when recovery-key persistence fails", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }); + writeFile(path.join(rootDir, "crypto", "bot-sdk.json"), '{"deviceId":"DEVICE123"}'); + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + deps: { + inspectLegacyStore: async () => ({ + deviceId: "DEVICE123", + roomKeyCounts: { total: 12, backedUp: 12 }, + backupVersion: "1", + decryptionKeyBase64: "YWJjZA==", + }), + writeJsonFileAtomically: async (filePath) => { + if (filePath.endsWith("recovery-key.json")) { + throw new Error("disk full"); + } + writeFile(filePath, JSON.stringify({ ok: true }, null, 2)); + }, + }, + }); + + expect(result.migrated).toBe(false); + expect(result.warnings).toContain( + `Failed writing Matrix recovery key for account "default" (${path.join(rootDir, "recovery-key.json")}): Error: disk full`, + ); + expect(fs.existsSync(path.join(rootDir, "recovery-key.json"))).toBe(false); + expect(fs.existsSync(path.join(rootDir, "legacy-crypto-migration.json"))).toBe(false); + }); + }); + + it("prepares flat legacy crypto for the only configured non-default Matrix account", async () => { + await withTempHome( + async (home) => { + writeMatrixPluginFixture(path.join(home, "bundled", "matrix")); + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "matrix", "crypto", "bot-sdk.json"), + JSON.stringify({ deviceId: "DEVICEOPS" }), + ); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + deviceId: "DEVICEOPS", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + }, + }, + }, + }, + }; + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + accountId: "ops", + }); + + const detection = detectLegacyMatrixCrypto({ cfg, env: process.env }); + expect(detection.warnings).toEqual([]); + expect(detection.plans).toHaveLength(1); + expect(detection.plans[0]?.accountId).toBe("ops"); + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + deps: { + inspectLegacyStore: async () => ({ + deviceId: "DEVICEOPS", + roomKeyCounts: { total: 6, backedUp: 6 }, + backupVersion: "21868", + decryptionKeyBase64: "YWJjZA==", + }), + }, + }); + + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + const recovery = JSON.parse( + fs.readFileSync(path.join(rootDir, "recovery-key.json"), "utf8"), + ) as { + privateKeyBase64: string; + }; + expect(recovery.privateKeyBase64).toBe("YWJjZA=="); + const state = JSON.parse( + fs.readFileSync(path.join(rootDir, "legacy-crypto-migration.json"), "utf8"), + ) as { + accountId: string; + }; + expect(state.accountId).toBe("ops"); + }, + { env: matrixHelperEnv }, + ); + }); + + it("uses scoped Matrix env vars when resolving flat legacy crypto migration", async () => { + await withTempHome( + async (home) => { + writeMatrixPluginFixture(path.join(home, "bundled", "matrix")); + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "matrix", "crypto", "bot-sdk.json"), + JSON.stringify({ deviceId: "DEVICEOPS" }), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: {}, + }, + }, + }, + }; + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops-env", + accountId: "ops", + }); + + const detection = detectLegacyMatrixCrypto({ cfg, env: process.env }); + expect(detection.warnings).toEqual([]); + expect(detection.plans).toHaveLength(1); + expect(detection.plans[0]?.accountId).toBe("ops"); + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + deps: { + inspectLegacyStore: async () => ({ + deviceId: "DEVICEOPS", + roomKeyCounts: { total: 4, backedUp: 4 }, + backupVersion: "9001", + decryptionKeyBase64: "YWJjZA==", + }), + }, + }); + + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + const recovery = JSON.parse( + fs.readFileSync(path.join(rootDir, "recovery-key.json"), "utf8"), + ) as { + privateKeyBase64: string; + }; + expect(recovery.privateKeyBase64).toBe("YWJjZA=="); + }, + { + env: { + ...matrixHelperEnv, + MATRIX_OPS_HOMESERVER: "https://matrix.example.org", + MATRIX_OPS_USER_ID: "@ops-bot:example.org", + MATRIX_OPS_ACCESS_TOKEN: "tok-ops-env", + }, + }, + ); + }); + + it("requires channels.matrix.defaultAccount before preparing flat legacy crypto for one of multiple accounts", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "matrix", "crypto", "bot-sdk.json"), + JSON.stringify({ deviceId: "DEVICEOPS" }), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + }, + alerts: { + homeserver: "https://matrix.example.org", + userId: "@alerts-bot:example.org", + accessToken: "tok-alerts", + }, + }, + }, + }, + }; + + const detection = detectLegacyMatrixCrypto({ cfg, env: process.env }); + expect(detection.plans).toHaveLength(0); + expect(detection.warnings).toContain( + "Legacy Matrix encrypted state detected at " + + path.join(stateDir, "matrix", "crypto") + + ', but multiple Matrix accounts are configured and channels.matrix.defaultAccount is not set. Set "channels.matrix.defaultAccount" to the intended target account before rerunning "openclaw doctor --fix" or restarting the gateway.', + ); + }); + }); + + it("warns instead of throwing when a legacy crypto path is a file", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "crypto"), "not-a-directory"); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + + const detection = detectLegacyMatrixCrypto({ cfg, env: process.env }); + expect(detection.plans).toHaveLength(0); + expect(detection.warnings).toContain( + `Legacy Matrix encrypted state path exists but is not a directory: ${path.join(stateDir, "matrix", "crypto")}. OpenClaw skipped automatic crypto migration for that path.`, + ); + }); + }); + + it("reports a missing matrix plugin helper once when encrypted-state migration cannot run", async () => { + await withTempHome( + async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "matrix", "crypto", "bot-sdk.json"), + '{"deviceId":"DEVICE123"}', + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + + const result = await autoPrepareLegacyMatrixCrypto({ + cfg, + env: process.env, + }); + + expect(result.migrated).toBe(false); + expect( + result.warnings.filter( + (warning) => warning === MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE, + ), + ).toHaveLength(1); + }, + { + env: { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home) => path.join(home, "empty-bundled"), + }, + }, + ); + }); +}); diff --git a/src/infra/matrix-legacy-crypto.ts b/src/infra/matrix-legacy-crypto.ts new file mode 100644 index 00000000000..1e0d5050ab8 --- /dev/null +++ b/src/infra/matrix-legacy-crypto.ts @@ -0,0 +1,493 @@ +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; +import { + resolveConfiguredMatrixAccountIds, + resolveMatrixLegacyFlatStoragePaths, +} from "../../extensions/matrix/runtime-api.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { resolveStateDir } from "../config/paths.js"; +import { writeJsonFileAtomically as writeJsonFileAtomicallyImpl } from "../plugin-sdk/json-store.js"; +import { + resolveLegacyMatrixFlatStoreTarget, + resolveMatrixMigrationAccountTarget, +} from "./matrix-migration-config.js"; +import { + MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE, + isMatrixLegacyCryptoInspectorAvailable, + loadMatrixLegacyCryptoInspector, + type MatrixLegacyCryptoInspector, +} from "./matrix-plugin-helper.js"; + +type MatrixLegacyCryptoCounts = { + total: number; + backedUp: number; +}; + +type MatrixLegacyCryptoSummary = { + deviceId: string | null; + roomKeyCounts: MatrixLegacyCryptoCounts | null; + backupVersion: string | null; + decryptionKeyBase64: string | null; +}; + +type MatrixLegacyCryptoMigrationState = { + version: 1; + source: "matrix-bot-sdk-rust"; + accountId: string; + deviceId: string | null; + roomKeyCounts: MatrixLegacyCryptoCounts | null; + backupVersion: string | null; + decryptionKeyImported: boolean; + restoreStatus: "pending" | "completed" | "manual-action-required"; + detectedAt: string; + restoredAt?: string; + importedCount?: number; + totalCount?: number; + lastError?: string | null; +}; + +type MatrixLegacyCryptoPlan = { + accountId: string; + rootDir: string; + recoveryKeyPath: string; + statePath: string; + legacyCryptoPath: string; + homeserver: string; + userId: string; + accessToken: string; + deviceId: string | null; +}; + +type MatrixLegacyCryptoDetection = { + plans: MatrixLegacyCryptoPlan[]; + warnings: string[]; +}; + +type MatrixLegacyCryptoPreparationResult = { + migrated: boolean; + changes: string[]; + warnings: string[]; +}; + +type MatrixLegacyCryptoPrepareDeps = { + inspectLegacyStore: MatrixLegacyCryptoInspector; + writeJsonFileAtomically: typeof writeJsonFileAtomicallyImpl; +}; + +type MatrixLegacyBotSdkMetadata = { + deviceId: string | null; +}; + +type MatrixStoredRecoveryKey = { + version: 1; + createdAt: string; + keyId?: string | null; + encodedPrivateKey?: string; + privateKeyBase64: string; + keyInfo?: { + passphrase?: unknown; + name?: string; + }; +}; + +function detectLegacyBotSdkCryptoStore(cryptoRootDir: string): { + detected: boolean; + warning?: string; +} { + try { + const stat = fs.statSync(cryptoRootDir); + if (!stat.isDirectory()) { + return { + detected: false, + warning: + `Legacy Matrix encrypted state path exists but is not a directory: ${cryptoRootDir}. ` + + "OpenClaw skipped automatic crypto migration for that path.", + }; + } + } catch (err) { + return { + detected: false, + warning: + `Failed reading legacy Matrix encrypted state path (${cryptoRootDir}): ${String(err)}. ` + + "OpenClaw skipped automatic crypto migration for that path.", + }; + } + + try { + return { + detected: + fs.existsSync(path.join(cryptoRootDir, "bot-sdk.json")) || + fs.existsSync(path.join(cryptoRootDir, "matrix-sdk-crypto.sqlite3")) || + fs + .readdirSync(cryptoRootDir, { withFileTypes: true }) + .some( + (entry) => + entry.isDirectory() && + fs.existsSync(path.join(cryptoRootDir, entry.name, "matrix-sdk-crypto.sqlite3")), + ), + }; + } catch (err) { + return { + detected: false, + warning: + `Failed scanning legacy Matrix encrypted state path (${cryptoRootDir}): ${String(err)}. ` + + "OpenClaw skipped automatic crypto migration for that path.", + }; + } +} + +function resolveMatrixAccountIds(cfg: OpenClawConfig): string[] { + return resolveConfiguredMatrixAccountIds(cfg); +} + +function resolveLegacyMatrixFlatStorePlan(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; +}): MatrixLegacyCryptoPlan | { warning: string } | null { + const legacy = resolveMatrixLegacyFlatStoragePaths(resolveStateDir(params.env, os.homedir)); + if (!fs.existsSync(legacy.cryptoPath)) { + return null; + } + const legacyStore = detectLegacyBotSdkCryptoStore(legacy.cryptoPath); + if (legacyStore.warning) { + return { warning: legacyStore.warning }; + } + if (!legacyStore.detected) { + return null; + } + + const target = resolveLegacyMatrixFlatStoreTarget({ + cfg: params.cfg, + env: params.env, + detectedPath: legacy.cryptoPath, + detectedKind: "encrypted state", + }); + if ("warning" in target) { + return target; + } + + const metadata = loadLegacyBotSdkMetadata(legacy.cryptoPath); + return { + accountId: target.accountId, + rootDir: target.rootDir, + recoveryKeyPath: path.join(target.rootDir, "recovery-key.json"), + statePath: path.join(target.rootDir, "legacy-crypto-migration.json"), + legacyCryptoPath: legacy.cryptoPath, + homeserver: target.homeserver, + userId: target.userId, + accessToken: target.accessToken, + deviceId: metadata.deviceId ?? target.storedDeviceId, + }; +} + +function loadLegacyBotSdkMetadata(cryptoRootDir: string): MatrixLegacyBotSdkMetadata { + const metadataPath = path.join(cryptoRootDir, "bot-sdk.json"); + const fallback: MatrixLegacyBotSdkMetadata = { deviceId: null }; + try { + if (!fs.existsSync(metadataPath)) { + return fallback; + } + const parsed = JSON.parse(fs.readFileSync(metadataPath, "utf8")) as { + deviceId?: unknown; + }; + return { + deviceId: + typeof parsed.deviceId === "string" && parsed.deviceId.trim() ? parsed.deviceId : null, + }; + } catch { + return fallback; + } +} + +function resolveMatrixLegacyCryptoPlans(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; +}): MatrixLegacyCryptoDetection { + const warnings: string[] = []; + const plans: MatrixLegacyCryptoPlan[] = []; + + const flatPlan = resolveLegacyMatrixFlatStorePlan(params); + if (flatPlan) { + if ("warning" in flatPlan) { + warnings.push(flatPlan.warning); + } else { + plans.push(flatPlan); + } + } + + for (const accountId of resolveMatrixAccountIds(params.cfg)) { + const target = resolveMatrixMigrationAccountTarget({ + cfg: params.cfg, + env: params.env, + accountId, + }); + if (!target) { + continue; + } + const legacyCryptoPath = path.join(target.rootDir, "crypto"); + if (!fs.existsSync(legacyCryptoPath)) { + continue; + } + const detectedStore = detectLegacyBotSdkCryptoStore(legacyCryptoPath); + if (detectedStore.warning) { + warnings.push(detectedStore.warning); + continue; + } + if (!detectedStore.detected) { + continue; + } + if ( + plans.some( + (plan) => + plan.accountId === accountId && + path.resolve(plan.legacyCryptoPath) === path.resolve(legacyCryptoPath), + ) + ) { + continue; + } + const metadata = loadLegacyBotSdkMetadata(legacyCryptoPath); + plans.push({ + accountId: target.accountId, + rootDir: target.rootDir, + recoveryKeyPath: path.join(target.rootDir, "recovery-key.json"), + statePath: path.join(target.rootDir, "legacy-crypto-migration.json"), + legacyCryptoPath, + homeserver: target.homeserver, + userId: target.userId, + accessToken: target.accessToken, + deviceId: metadata.deviceId ?? target.storedDeviceId, + }); + } + + return { plans, warnings }; +} + +function loadStoredRecoveryKey(filePath: string): MatrixStoredRecoveryKey | null { + try { + if (!fs.existsSync(filePath)) { + return null; + } + return JSON.parse(fs.readFileSync(filePath, "utf8")) as MatrixStoredRecoveryKey; + } catch { + return null; + } +} + +function loadLegacyCryptoMigrationState(filePath: string): MatrixLegacyCryptoMigrationState | null { + try { + if (!fs.existsSync(filePath)) { + return null; + } + return JSON.parse(fs.readFileSync(filePath, "utf8")) as MatrixLegacyCryptoMigrationState; + } catch { + return null; + } +} + +async function persistLegacyMigrationState(params: { + filePath: string; + state: MatrixLegacyCryptoMigrationState; + writeJsonFileAtomically: typeof writeJsonFileAtomicallyImpl; +}): Promise { + await params.writeJsonFileAtomically(params.filePath, params.state); +} + +export function detectLegacyMatrixCrypto(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; +}): MatrixLegacyCryptoDetection { + const detection = resolveMatrixLegacyCryptoPlans({ + cfg: params.cfg, + env: params.env ?? process.env, + }); + if ( + detection.plans.length > 0 && + !isMatrixLegacyCryptoInspectorAvailable({ + cfg: params.cfg, + env: params.env, + }) + ) { + return { + plans: detection.plans, + warnings: [...detection.warnings, MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE], + }; + } + return detection; +} + +export async function autoPrepareLegacyMatrixCrypto(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + log?: { info?: (message: string) => void; warn?: (message: string) => void }; + deps?: Partial; +}): Promise { + const env = params.env ?? process.env; + const detection = params.deps?.inspectLegacyStore + ? resolveMatrixLegacyCryptoPlans({ cfg: params.cfg, env }) + : detectLegacyMatrixCrypto({ cfg: params.cfg, env }); + const warnings = [...detection.warnings]; + const changes: string[] = []; + let inspectLegacyStore = params.deps?.inspectLegacyStore; + const writeJsonFileAtomically = + params.deps?.writeJsonFileAtomically ?? writeJsonFileAtomicallyImpl; + if (!inspectLegacyStore) { + try { + inspectLegacyStore = await loadMatrixLegacyCryptoInspector({ + cfg: params.cfg, + env, + }); + } catch (err) { + const message = err instanceof Error ? err.message : String(err); + if (!warnings.includes(message)) { + warnings.push(message); + } + if (warnings.length > 0) { + params.log?.warn?.( + `matrix: legacy encrypted-state warnings:\n${warnings.map((entry) => `- ${entry}`).join("\n")}`, + ); + } + return { + migrated: false, + changes, + warnings, + }; + } + } + + for (const plan of detection.plans) { + const existingState = loadLegacyCryptoMigrationState(plan.statePath); + if (existingState?.version === 1) { + continue; + } + if (!plan.deviceId) { + warnings.push( + `Legacy Matrix encrypted state detected at ${plan.legacyCryptoPath}, but no device ID was found for account "${plan.accountId}". ` + + `OpenClaw will continue, but old encrypted history cannot be recovered automatically.`, + ); + continue; + } + + let summary: MatrixLegacyCryptoSummary; + try { + summary = await inspectLegacyStore({ + cryptoRootDir: plan.legacyCryptoPath, + userId: plan.userId, + deviceId: plan.deviceId, + log: params.log?.info, + }); + } catch (err) { + warnings.push( + `Failed inspecting legacy Matrix encrypted state for account "${plan.accountId}" (${plan.legacyCryptoPath}): ${String(err)}`, + ); + continue; + } + + let decryptionKeyImported = false; + if (summary.decryptionKeyBase64) { + const existingRecoveryKey = loadStoredRecoveryKey(plan.recoveryKeyPath); + if ( + existingRecoveryKey?.privateKeyBase64 && + existingRecoveryKey.privateKeyBase64 !== summary.decryptionKeyBase64 + ) { + warnings.push( + `Legacy Matrix backup key was found for account "${plan.accountId}", but ${plan.recoveryKeyPath} already contains a different recovery key. Leaving the existing file unchanged.`, + ); + } else if (!existingRecoveryKey?.privateKeyBase64) { + const payload: MatrixStoredRecoveryKey = { + version: 1, + createdAt: new Date().toISOString(), + keyId: null, + privateKeyBase64: summary.decryptionKeyBase64, + }; + try { + await writeJsonFileAtomically(plan.recoveryKeyPath, payload); + changes.push( + `Imported Matrix legacy backup key for account "${plan.accountId}": ${plan.recoveryKeyPath}`, + ); + decryptionKeyImported = true; + } catch (err) { + warnings.push( + `Failed writing Matrix recovery key for account "${plan.accountId}" (${plan.recoveryKeyPath}): ${String(err)}`, + ); + } + } else { + decryptionKeyImported = true; + } + } + + const localOnlyKeys = + summary.roomKeyCounts && summary.roomKeyCounts.total > summary.roomKeyCounts.backedUp + ? summary.roomKeyCounts.total - summary.roomKeyCounts.backedUp + : 0; + if (localOnlyKeys > 0) { + warnings.push( + `Legacy Matrix encrypted state for account "${plan.accountId}" contains ${localOnlyKeys} room key(s) that were never backed up. ` + + "Backed-up keys can be restored automatically, but local-only encrypted history may remain unavailable after upgrade.", + ); + } + if (!summary.decryptionKeyBase64 && (summary.roomKeyCounts?.backedUp ?? 0) > 0) { + warnings.push( + `Legacy Matrix encrypted state for account "${plan.accountId}" has backed-up room keys, but no local backup decryption key was found. ` + + `Ask the operator to run "openclaw matrix verify backup restore --recovery-key " after upgrade if they have the recovery key.`, + ); + } + if (!summary.decryptionKeyBase64 && (summary.roomKeyCounts?.total ?? 0) > 0) { + warnings.push( + `Legacy Matrix encrypted state for account "${plan.accountId}" cannot be fully converted automatically because the old rust crypto store does not expose all local room keys for export.`, + ); + } + // If recovery-key persistence failed, leave the migration state absent so the next startup can retry. + if ( + summary.decryptionKeyBase64 && + !decryptionKeyImported && + !loadStoredRecoveryKey(plan.recoveryKeyPath) + ) { + continue; + } + + const state: MatrixLegacyCryptoMigrationState = { + version: 1, + source: "matrix-bot-sdk-rust", + accountId: plan.accountId, + deviceId: summary.deviceId, + roomKeyCounts: summary.roomKeyCounts, + backupVersion: summary.backupVersion, + decryptionKeyImported, + restoreStatus: decryptionKeyImported ? "pending" : "manual-action-required", + detectedAt: new Date().toISOString(), + lastError: null, + }; + try { + await persistLegacyMigrationState({ + filePath: plan.statePath, + state, + writeJsonFileAtomically, + }); + changes.push( + `Prepared Matrix legacy encrypted-state migration for account "${plan.accountId}": ${plan.statePath}`, + ); + } catch (err) { + warnings.push( + `Failed writing Matrix legacy encrypted-state migration record for account "${plan.accountId}" (${plan.statePath}): ${String(err)}`, + ); + } + } + + if (changes.length > 0) { + params.log?.info?.( + `matrix: prepared encrypted-state upgrade.\n${changes.map((entry) => `- ${entry}`).join("\n")}`, + ); + } + if (warnings.length > 0) { + params.log?.warn?.( + `matrix: legacy encrypted-state warnings:\n${warnings.map((entry) => `- ${entry}`).join("\n")}`, + ); + } + + return { + migrated: changes.length > 0, + changes, + warnings, + }; +} diff --git a/src/infra/matrix-legacy-state.test.ts b/src/infra/matrix-legacy-state.test.ts new file mode 100644 index 00000000000..f2b921ad626 --- /dev/null +++ b/src/infra/matrix-legacy-state.test.ts @@ -0,0 +1,244 @@ +import fs from "node:fs"; +import path from "node:path"; +import { describe, expect, it } from "vitest"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { autoMigrateLegacyMatrixState, detectLegacyMatrixState } from "./matrix-legacy-state.js"; + +function writeFile(filePath: string, value: string) { + fs.mkdirSync(path.dirname(filePath), { recursive: true }); + fs.writeFileSync(filePath, value, "utf-8"); +} + +describe("matrix legacy state migration", () => { + it("migrates the flat legacy Matrix store into account-scoped storage", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + writeFile(path.join(stateDir, "matrix", "crypto", "store.db"), "crypto"); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(false); + if (!detection || "warning" in detection) { + throw new Error("expected a migratable Matrix legacy state plan"); + } + + const result = await autoMigrateLegacyMatrixState({ cfg, env: process.env }); + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + expect(fs.existsSync(path.join(stateDir, "matrix", "bot-storage.json"))).toBe(false); + expect(fs.existsSync(path.join(stateDir, "matrix", "crypto"))).toBe(false); + expect(fs.existsSync(detection.targetStoragePath)).toBe(true); + expect(fs.existsSync(path.join(detection.targetCryptoPath, "store.db"))).toBe(true); + }); + }); + + it("uses cached Matrix credentials when the config no longer stores an access token", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-from-cache", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + password: "secret", // pragma: allowlist secret + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(false); + if (!detection || "warning" in detection) { + throw new Error("expected cached credentials to make Matrix migration resolvable"); + } + + expect(detection.targetRootDir).toContain("matrix.example.org__bot_example.org"); + + const result = await autoMigrateLegacyMatrixState({ cfg, env: process.env }); + expect(result.migrated).toBe(true); + expect(fs.existsSync(detection.targetStoragePath)).toBe(true); + }); + }); + + it("records which account receives a flat legacy store when multiple Matrix accounts exist", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + defaultAccount: "work", + accounts: { + work: { + homeserver: "https://matrix.example.org", + userId: "@work-bot:example.org", + accessToken: "tok-work", + }, + alerts: { + homeserver: "https://matrix.example.org", + userId: "@alerts-bot:example.org", + accessToken: "tok-alerts", + }, + }, + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(false); + if (!detection || "warning" in detection) { + throw new Error("expected a migratable Matrix legacy state plan"); + } + + expect(detection.accountId).toBe("work"); + expect(detection.selectionNote).toContain('account "work"'); + }); + }); + + it("requires channels.matrix.defaultAccount before migrating a flat store into one of multiple accounts", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + work: { + homeserver: "https://matrix.example.org", + userId: "@work-bot:example.org", + accessToken: "tok-work", + }, + alerts: { + homeserver: "https://matrix.example.org", + userId: "@alerts-bot:example.org", + accessToken: "tok-alerts", + }, + }, + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(true); + if (!detection || !("warning" in detection)) { + throw new Error("expected a warning-only Matrix legacy state result"); + } + expect(detection.warning).toContain("channels.matrix.defaultAccount is not set"); + }); + }); + + it("uses scoped Matrix env vars when resolving a flat-store migration target", async () => { + await withTempHome( + async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + writeFile(path.join(stateDir, "matrix", "crypto", "store.db"), "crypto"); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: {}, + }, + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(false); + if (!detection || "warning" in detection) { + throw new Error("expected scoped Matrix env vars to resolve a legacy state plan"); + } + + expect(detection.accountId).toBe("ops"); + expect(detection.targetRootDir).toContain("matrix.example.org__ops-bot_example.org"); + + const result = await autoMigrateLegacyMatrixState({ cfg, env: process.env }); + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + expect(fs.existsSync(detection.targetStoragePath)).toBe(true); + expect(fs.existsSync(path.join(detection.targetCryptoPath, "store.db"))).toBe(true); + }, + { + env: { + MATRIX_OPS_HOMESERVER: "https://matrix.example.org", + MATRIX_OPS_USER_ID: "@ops-bot:example.org", + MATRIX_OPS_ACCESS_TOKEN: "tok-ops-env", + }, + }, + ); + }); + + it("migrates flat legacy Matrix state into the only configured non-default account", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile(path.join(stateDir, "matrix", "bot-storage.json"), '{"next_batch":"s1"}'); + writeFile(path.join(stateDir, "matrix", "crypto", "store.db"), "crypto"); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + }, + }, + }, + }, + }; + + const detection = detectLegacyMatrixState({ cfg, env: process.env }); + expect(detection && "warning" in detection).toBe(false); + if (!detection || "warning" in detection) { + throw new Error("expected a migratable Matrix legacy state plan"); + } + + expect(detection.accountId).toBe("ops"); + + const result = await autoMigrateLegacyMatrixState({ cfg, env: process.env }); + expect(result.migrated).toBe(true); + expect(result.warnings).toEqual([]); + expect(fs.existsSync(detection.targetStoragePath)).toBe(true); + expect(fs.existsSync(path.join(detection.targetCryptoPath, "store.db"))).toBe(true); + }); + }); +}); diff --git a/src/infra/matrix-legacy-state.ts b/src/infra/matrix-legacy-state.ts new file mode 100644 index 00000000000..050ae7dd793 --- /dev/null +++ b/src/infra/matrix-legacy-state.ts @@ -0,0 +1,156 @@ +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; +import { resolveMatrixLegacyFlatStoragePaths } from "../../extensions/matrix/runtime-api.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { resolveStateDir } from "../config/paths.js"; +import { resolveLegacyMatrixFlatStoreTarget } from "./matrix-migration-config.js"; + +export type MatrixLegacyStateMigrationResult = { + migrated: boolean; + changes: string[]; + warnings: string[]; +}; + +type MatrixLegacyStatePlan = { + accountId: string; + legacyStoragePath: string; + legacyCryptoPath: string; + targetRootDir: string; + targetStoragePath: string; + targetCryptoPath: string; + selectionNote?: string; +}; + +function resolveLegacyMatrixPaths(env: NodeJS.ProcessEnv): { + rootDir: string; + storagePath: string; + cryptoPath: string; +} { + const stateDir = resolveStateDir(env, os.homedir); + return resolveMatrixLegacyFlatStoragePaths(stateDir); +} + +function resolveMatrixMigrationPlan(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; +}): MatrixLegacyStatePlan | { warning: string } | null { + const legacy = resolveLegacyMatrixPaths(params.env); + if (!fs.existsSync(legacy.storagePath) && !fs.existsSync(legacy.cryptoPath)) { + return null; + } + + const target = resolveLegacyMatrixFlatStoreTarget({ + cfg: params.cfg, + env: params.env, + detectedPath: legacy.rootDir, + detectedKind: "state", + }); + if ("warning" in target) { + return target; + } + + return { + accountId: target.accountId, + legacyStoragePath: legacy.storagePath, + legacyCryptoPath: legacy.cryptoPath, + targetRootDir: target.rootDir, + targetStoragePath: path.join(target.rootDir, "bot-storage.json"), + targetCryptoPath: path.join(target.rootDir, "crypto"), + selectionNote: target.selectionNote, + }; +} + +export function detectLegacyMatrixState(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; +}): MatrixLegacyStatePlan | { warning: string } | null { + return resolveMatrixMigrationPlan({ + cfg: params.cfg, + env: params.env ?? process.env, + }); +} + +function moveLegacyPath(params: { + sourcePath: string; + targetPath: string; + label: string; + changes: string[]; + warnings: string[]; +}): void { + if (!fs.existsSync(params.sourcePath)) { + return; + } + if (fs.existsSync(params.targetPath)) { + params.warnings.push( + `Matrix legacy ${params.label} not migrated because the target already exists (${params.targetPath}).`, + ); + return; + } + try { + fs.mkdirSync(path.dirname(params.targetPath), { recursive: true }); + fs.renameSync(params.sourcePath, params.targetPath); + params.changes.push( + `Migrated Matrix legacy ${params.label}: ${params.sourcePath} -> ${params.targetPath}`, + ); + } catch (err) { + params.warnings.push( + `Failed migrating Matrix legacy ${params.label} (${params.sourcePath} -> ${params.targetPath}): ${String(err)}`, + ); + } +} + +export async function autoMigrateLegacyMatrixState(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + log?: { info?: (message: string) => void; warn?: (message: string) => void }; +}): Promise { + const env = params.env ?? process.env; + const detection = detectLegacyMatrixState({ cfg: params.cfg, env }); + if (!detection) { + return { migrated: false, changes: [], warnings: [] }; + } + if ("warning" in detection) { + params.log?.warn?.(`matrix: ${detection.warning}`); + return { migrated: false, changes: [], warnings: [detection.warning] }; + } + + const changes: string[] = []; + const warnings: string[] = []; + moveLegacyPath({ + sourcePath: detection.legacyStoragePath, + targetPath: detection.targetStoragePath, + label: "sync store", + changes, + warnings, + }); + moveLegacyPath({ + sourcePath: detection.legacyCryptoPath, + targetPath: detection.targetCryptoPath, + label: "crypto store", + changes, + warnings, + }); + + if (changes.length > 0) { + const details = [ + ...changes.map((entry) => `- ${entry}`), + ...(detection.selectionNote ? [`- ${detection.selectionNote}`] : []), + "- No user action required.", + ]; + params.log?.info?.( + `matrix: plugin upgraded in place for account "${detection.accountId}".\n${details.join("\n")}`, + ); + } + if (warnings.length > 0) { + params.log?.warn?.( + `matrix: legacy state migration warnings:\n${warnings.map((entry) => `- ${entry}`).join("\n")}`, + ); + } + + return { + migrated: changes.length > 0, + changes, + warnings, + }; +} diff --git a/src/infra/matrix-migration-config.test.ts b/src/infra/matrix-migration-config.test.ts new file mode 100644 index 00000000000..9ae032d5887 --- /dev/null +++ b/src/infra/matrix-migration-config.test.ts @@ -0,0 +1,273 @@ +import fs from "node:fs"; +import path from "node:path"; +import { describe, expect, it } from "vitest"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { resolveMatrixMigrationAccountTarget } from "./matrix-migration-config.js"; + +function writeFile(filePath: string, value: string) { + fs.mkdirSync(path.dirname(filePath), { recursive: true }); + fs.writeFileSync(filePath, value, "utf8"); +} + +describe("resolveMatrixMigrationAccountTarget", () => { + it("reuses stored user identity for token-only configs when the access token matches", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + deviceId: "DEVICE-OPS", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + accessToken: "tok-ops", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).not.toBeNull(); + expect(target?.userId).toBe("@ops-bot:example.org"); + expect(target?.storedDeviceId).toBe("DEVICE-OPS"); + }); + }); + + it("ignores stored device IDs from stale cached Matrix credentials", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@old-bot:example.org", + accessToken: "tok-old", + deviceId: "DEVICE-OLD", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@new-bot:example.org", + accessToken: "tok-new", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).not.toBeNull(); + expect(target?.userId).toBe("@new-bot:example.org"); + expect(target?.accessToken).toBe("tok-new"); + expect(target?.storedDeviceId).toBeNull(); + }); + }); + + it("does not trust stale stored creds on the same homeserver when the token changes", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@old-bot:example.org", + accessToken: "tok-old", + deviceId: "DEVICE-OLD", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + accessToken: "tok-new", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).toBeNull(); + }); + }); + + it("does not inherit the base userId for non-default token-only accounts", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + writeFile( + path.join(stateDir, "credentials", "matrix", "credentials-ops.json"), + JSON.stringify( + { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + accessToken: "tok-ops", + deviceId: "DEVICE-OPS", + }, + null, + 2, + ), + ); + + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@base-bot:example.org", + accounts: { + ops: { + homeserver: "https://matrix.example.org", + accessToken: "tok-ops", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).not.toBeNull(); + expect(target?.userId).toBe("@ops-bot:example.org"); + expect(target?.storedDeviceId).toBe("DEVICE-OPS"); + }); + }); + + it("does not inherit the base access token for non-default accounts", async () => { + await withTempHome(async () => { + const cfg: OpenClawConfig = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@base-bot:example.org", + accessToken: "tok-base", + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).toBeNull(); + }); + }); + + it("does not inherit the global Matrix access token for non-default accounts", async () => { + await withTempHome( + async () => { + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + ops: { + homeserver: "https://matrix.example.org", + userId: "@ops-bot:example.org", + }, + }, + }, + }, + }; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env: process.env, + accountId: "ops", + }); + + expect(target).toBeNull(); + }, + { + env: { + MATRIX_ACCESS_TOKEN: "tok-global", + }, + }, + ); + }); + + it("uses the same scoped env token encoding as runtime account auth", async () => { + await withTempHome(async () => { + const cfg: OpenClawConfig = { + channels: { + matrix: { + accounts: { + "ops-prod": {}, + }, + }, + }, + }; + const env = { + MATRIX_OPS_X2D_PROD_HOMESERVER: "https://matrix.example.org", + MATRIX_OPS_X2D_PROD_USER_ID: "@ops-prod:example.org", + MATRIX_OPS_X2D_PROD_ACCESS_TOKEN: "tok-ops-prod", + } as NodeJS.ProcessEnv; + + const target = resolveMatrixMigrationAccountTarget({ + cfg, + env, + accountId: "ops-prod", + }); + + expect(target).not.toBeNull(); + expect(target?.homeserver).toBe("https://matrix.example.org"); + expect(target?.userId).toBe("@ops-prod:example.org"); + expect(target?.accessToken).toBe("tok-ops-prod"); + }); + }); +}); diff --git a/src/infra/matrix-migration-config.ts b/src/infra/matrix-migration-config.ts new file mode 100644 index 00000000000..e0fce130f69 --- /dev/null +++ b/src/infra/matrix-migration-config.ts @@ -0,0 +1,268 @@ +import fs from "node:fs"; +import os from "node:os"; +import { + findMatrixAccountEntry, + getMatrixScopedEnvVarNames, + requiresExplicitMatrixDefaultAccount, + resolveMatrixAccountStringValues, + resolveConfiguredMatrixAccountIds, + resolveMatrixAccountStorageRoot, + resolveMatrixChannelConfig, + resolveMatrixCredentialsPath, + resolveMatrixDefaultOrOnlyAccountId, +} from "../../extensions/matrix/runtime-api.js"; +import type { OpenClawConfig } from "../config/config.js"; +import { resolveStateDir } from "../config/paths.js"; +import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../routing/session-key.js"; + +export type MatrixStoredCredentials = { + homeserver: string; + userId: string; + accessToken: string; + deviceId?: string; +}; + +export type MatrixMigrationAccountTarget = { + accountId: string; + homeserver: string; + userId: string; + accessToken: string; + rootDir: string; + storedDeviceId: string | null; +}; + +export type MatrixLegacyFlatStoreTarget = MatrixMigrationAccountTarget & { + selectionNote?: string; +}; + +type MatrixLegacyFlatStoreKind = "state" | "encrypted state"; + +function clean(value: unknown): string { + return typeof value === "string" ? value.trim() : ""; +} + +function resolveScopedMatrixEnvConfig( + accountId: string, + env: NodeJS.ProcessEnv, +): { + homeserver: string; + userId: string; + accessToken: string; +} { + const keys = getMatrixScopedEnvVarNames(accountId); + return { + homeserver: clean(env[keys.homeserver]), + userId: clean(env[keys.userId]), + accessToken: clean(env[keys.accessToken]), + }; +} + +function resolveGlobalMatrixEnvConfig(env: NodeJS.ProcessEnv): { + homeserver: string; + userId: string; + accessToken: string; +} { + return { + homeserver: clean(env.MATRIX_HOMESERVER), + userId: clean(env.MATRIX_USER_ID), + accessToken: clean(env.MATRIX_ACCESS_TOKEN), + }; +} + +function resolveMatrixAccountConfigEntry( + cfg: OpenClawConfig, + accountId: string, +): Record | null { + return findMatrixAccountEntry(cfg, accountId); +} + +function resolveMatrixFlatStoreSelectionNote( + cfg: OpenClawConfig, + accountId: string, +): string | undefined { + if (resolveConfiguredMatrixAccountIds(cfg).length <= 1) { + return undefined; + } + return ( + `Legacy Matrix flat store uses one shared on-disk state, so it will be migrated into ` + + `account "${accountId}".` + ); +} + +export function resolveMatrixMigrationConfigFields(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; + accountId: string; +}): { + homeserver: string; + userId: string; + accessToken: string; +} { + const channel = resolveMatrixChannelConfig(params.cfg); + const account = resolveMatrixAccountConfigEntry(params.cfg, params.accountId); + const scopedEnv = resolveScopedMatrixEnvConfig(params.accountId, params.env); + const globalEnv = resolveGlobalMatrixEnvConfig(params.env); + const normalizedAccountId = normalizeAccountId(params.accountId); + const resolvedStrings = resolveMatrixAccountStringValues({ + accountId: normalizedAccountId, + account: { + homeserver: clean(account?.homeserver), + userId: clean(account?.userId), + accessToken: clean(account?.accessToken), + }, + scopedEnv, + channel: { + homeserver: clean(channel?.homeserver), + userId: clean(channel?.userId), + accessToken: clean(channel?.accessToken), + }, + globalEnv, + }); + + return { + homeserver: resolvedStrings.homeserver, + userId: resolvedStrings.userId, + accessToken: resolvedStrings.accessToken, + }; +} + +export function loadStoredMatrixCredentials( + env: NodeJS.ProcessEnv, + accountId: string, +): MatrixStoredCredentials | null { + const stateDir = resolveStateDir(env, os.homedir); + const credentialsPath = resolveMatrixCredentialsPath({ + stateDir, + accountId: normalizeAccountId(accountId), + }); + try { + if (!fs.existsSync(credentialsPath)) { + return null; + } + const parsed = JSON.parse( + fs.readFileSync(credentialsPath, "utf8"), + ) as Partial; + if ( + typeof parsed.homeserver !== "string" || + typeof parsed.userId !== "string" || + typeof parsed.accessToken !== "string" + ) { + return null; + } + return { + homeserver: parsed.homeserver, + userId: parsed.userId, + accessToken: parsed.accessToken, + deviceId: typeof parsed.deviceId === "string" ? parsed.deviceId : undefined, + }; + } catch { + return null; + } +} + +export function credentialsMatchResolvedIdentity( + stored: MatrixStoredCredentials | null, + identity: { + homeserver: string; + userId: string; + accessToken: string; + }, +): stored is MatrixStoredCredentials { + if (!stored || !identity.homeserver) { + return false; + } + if (!identity.userId) { + if (!identity.accessToken) { + return false; + } + return stored.homeserver === identity.homeserver && stored.accessToken === identity.accessToken; + } + return stored.homeserver === identity.homeserver && stored.userId === identity.userId; +} + +export function resolveMatrixMigrationAccountTarget(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; + accountId: string; +}): MatrixMigrationAccountTarget | null { + const stored = loadStoredMatrixCredentials(params.env, params.accountId); + const resolved = resolveMatrixMigrationConfigFields(params); + const matchingStored = credentialsMatchResolvedIdentity(stored, { + homeserver: resolved.homeserver, + userId: resolved.userId, + accessToken: resolved.accessToken, + }) + ? stored + : null; + const homeserver = resolved.homeserver; + const userId = resolved.userId || matchingStored?.userId || ""; + const accessToken = resolved.accessToken || matchingStored?.accessToken || ""; + if (!homeserver || !userId || !accessToken) { + return null; + } + + const stateDir = resolveStateDir(params.env, os.homedir); + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver, + userId, + accessToken, + accountId: params.accountId, + }); + + return { + accountId: params.accountId, + homeserver, + userId, + accessToken, + rootDir, + storedDeviceId: matchingStored?.deviceId ?? null, + }; +} + +export function resolveLegacyMatrixFlatStoreTarget(params: { + cfg: OpenClawConfig; + env: NodeJS.ProcessEnv; + detectedPath: string; + detectedKind: MatrixLegacyFlatStoreKind; +}): MatrixLegacyFlatStoreTarget | { warning: string } { + const channel = resolveMatrixChannelConfig(params.cfg); + if (!channel) { + return { + warning: + `Legacy Matrix ${params.detectedKind} detected at ${params.detectedPath}, but channels.matrix is not configured yet. ` + + 'Configure Matrix, then rerun "openclaw doctor --fix" or restart the gateway.', + }; + } + if (requiresExplicitMatrixDefaultAccount(params.cfg)) { + return { + warning: + `Legacy Matrix ${params.detectedKind} detected at ${params.detectedPath}, but multiple Matrix accounts are configured and channels.matrix.defaultAccount is not set. ` + + 'Set "channels.matrix.defaultAccount" to the intended target account before rerunning "openclaw doctor --fix" or restarting the gateway.', + }; + } + + const accountId = resolveMatrixDefaultOrOnlyAccountId(params.cfg); + const target = resolveMatrixMigrationAccountTarget({ + cfg: params.cfg, + env: params.env, + accountId, + }); + if (!target) { + const targetDescription = + params.detectedKind === "state" + ? "the new account-scoped target" + : "the account-scoped target"; + return { + warning: + `Legacy Matrix ${params.detectedKind} detected at ${params.detectedPath}, but ${targetDescription} could not be resolved yet ` + + `(need homeserver, userId, and access token for channels.matrix${accountId === DEFAULT_ACCOUNT_ID ? "" : `.accounts.${accountId}`}). ` + + 'Start the gateway once with a working Matrix login, or rerun "openclaw doctor --fix" after cached credentials are available.', + }; + } + + return { + ...target, + selectionNote: resolveMatrixFlatStoreSelectionNote(params.cfg, accountId), + }; +} diff --git a/src/infra/matrix-migration-snapshot.test.ts b/src/infra/matrix-migration-snapshot.test.ts new file mode 100644 index 00000000000..2d0fb850109 --- /dev/null +++ b/src/infra/matrix-migration-snapshot.test.ts @@ -0,0 +1,251 @@ +import fs from "node:fs"; +import path from "node:path"; +import { afterEach, describe, expect, it, vi } from "vitest"; +import { resolveMatrixAccountStorageRoot } from "../../extensions/matrix/runtime-api.js"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import { detectLegacyMatrixCrypto } from "./matrix-legacy-crypto.js"; + +const createBackupArchiveMock = vi.hoisted(() => vi.fn()); + +vi.mock("./backup-create.js", () => ({ + createBackupArchive: (...args: unknown[]) => createBackupArchiveMock(...args), +})); + +import { + hasActionableMatrixMigration, + maybeCreateMatrixMigrationSnapshot, + resolveMatrixMigrationSnapshotMarkerPath, + resolveMatrixMigrationSnapshotOutputDir, +} from "./matrix-migration-snapshot.js"; + +describe("matrix migration snapshots", () => { + afterEach(() => { + createBackupArchiveMock.mockReset(); + }); + + it("creates a backup marker after writing a pre-migration snapshot", async () => { + await withTempHome(async (home) => { + const archivePath = path.join(home, "Backups", "openclaw-migrations", "snapshot.tar.gz"); + fs.mkdirSync(path.dirname(archivePath), { recursive: true }); + fs.writeFileSync(path.join(home, ".openclaw", "openclaw.json"), "{}\n", "utf8"); + fs.writeFileSync(path.join(home, ".openclaw", "state.txt"), "state\n", "utf8"); + createBackupArchiveMock.mockResolvedValueOnce({ + createdAt: "2026-03-10T18:00:00.000Z", + archivePath, + includeWorkspace: false, + }); + + const result = await maybeCreateMatrixMigrationSnapshot({ trigger: "unit-test" }); + + expect(result).toEqual({ + created: true, + archivePath, + markerPath: resolveMatrixMigrationSnapshotMarkerPath(process.env), + }); + expect(createBackupArchiveMock).toHaveBeenCalledWith( + expect.objectContaining({ + output: resolveMatrixMigrationSnapshotOutputDir(process.env), + includeWorkspace: false, + }), + ); + + const marker = JSON.parse( + fs.readFileSync(resolveMatrixMigrationSnapshotMarkerPath(process.env), "utf8"), + ) as { + archivePath: string; + trigger: string; + }; + expect(marker.archivePath).toBe(archivePath); + expect(marker.trigger).toBe("unit-test"); + }); + }); + + it("reuses an existing snapshot marker when the archive still exists", async () => { + await withTempHome(async (home) => { + const archivePath = path.join(home, "Backups", "openclaw-migrations", "snapshot.tar.gz"); + const markerPath = resolveMatrixMigrationSnapshotMarkerPath(process.env); + fs.mkdirSync(path.dirname(archivePath), { recursive: true }); + fs.mkdirSync(path.dirname(markerPath), { recursive: true }); + fs.writeFileSync(archivePath, "archive", "utf8"); + fs.writeFileSync( + markerPath, + JSON.stringify({ + version: 1, + createdAt: "2026-03-10T18:00:00.000Z", + archivePath, + trigger: "older-run", + includeWorkspace: false, + }), + "utf8", + ); + + const result = await maybeCreateMatrixMigrationSnapshot({ trigger: "unit-test" }); + + expect(result.created).toBe(false); + expect(result.archivePath).toBe(archivePath); + expect(createBackupArchiveMock).not.toHaveBeenCalled(); + }); + }); + + it("recreates the snapshot when the marker exists but the archive is missing", async () => { + await withTempHome(async (home) => { + const markerPath = resolveMatrixMigrationSnapshotMarkerPath(process.env); + const replacementArchivePath = path.join( + home, + "Backups", + "openclaw-migrations", + "replacement.tar.gz", + ); + fs.mkdirSync(path.dirname(markerPath), { recursive: true }); + fs.mkdirSync(path.dirname(replacementArchivePath), { recursive: true }); + fs.writeFileSync( + markerPath, + JSON.stringify({ + version: 1, + createdAt: "2026-03-10T18:00:00.000Z", + archivePath: path.join(home, "Backups", "openclaw-migrations", "missing.tar.gz"), + trigger: "older-run", + includeWorkspace: false, + }), + "utf8", + ); + createBackupArchiveMock.mockResolvedValueOnce({ + createdAt: "2026-03-10T19:00:00.000Z", + archivePath: replacementArchivePath, + includeWorkspace: false, + }); + + const result = await maybeCreateMatrixMigrationSnapshot({ trigger: "unit-test" }); + + expect(result.created).toBe(true); + expect(result.archivePath).toBe(replacementArchivePath); + const marker = JSON.parse(fs.readFileSync(markerPath, "utf8")) as { archivePath: string }; + expect(marker.archivePath).toBe(replacementArchivePath); + }); + }); + + it("surfaces backup creation failures without writing a marker", async () => { + await withTempHome(async () => { + createBackupArchiveMock.mockRejectedValueOnce(new Error("backup failed")); + + await expect(maybeCreateMatrixMigrationSnapshot({ trigger: "unit-test" })).rejects.toThrow( + "backup failed", + ); + expect(fs.existsSync(resolveMatrixMigrationSnapshotMarkerPath(process.env))).toBe(false); + }); + }); + + it("does not treat warning-only Matrix migration as actionable", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + fs.mkdirSync(path.join(stateDir, "matrix", "crypto"), { recursive: true }); + fs.writeFileSync( + path.join(stateDir, "matrix", "bot-storage.json"), + '{"legacy":true}', + "utf8", + ); + fs.writeFileSync( + path.join(stateDir, "openclaw.json"), + JSON.stringify({ + channels: { + matrix: { + homeserver: "https://matrix.example.org", + }, + }, + }), + "utf8", + ); + + expect( + hasActionableMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + }, + }, + } as never, + env: process.env, + }), + ).toBe(false); + }); + }); + + it("treats resolvable Matrix legacy state as actionable", async () => { + await withTempHome(async (home) => { + const stateDir = path.join(home, ".openclaw"); + fs.mkdirSync(path.join(stateDir, "matrix"), { recursive: true }); + fs.writeFileSync( + path.join(stateDir, "matrix", "bot-storage.json"), + '{"legacy":true}', + "utf8", + ); + + expect( + hasActionableMatrixMigration({ + cfg: { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + } as never, + env: process.env, + }), + ).toBe(true); + }); + }); + + it("treats legacy Matrix crypto as warning-only until the plugin helper is available", async () => { + await withTempHome( + async (home) => { + const stateDir = path.join(home, ".openclaw"); + fs.mkdirSync(path.join(home, "empty-bundled"), { recursive: true }); + const { rootDir } = resolveMatrixAccountStorageRoot({ + stateDir, + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }); + fs.mkdirSync(path.join(rootDir, "crypto"), { recursive: true }); + fs.writeFileSync( + path.join(rootDir, "crypto", "bot-sdk.json"), + JSON.stringify({ deviceId: "DEVICE123" }), + "utf8", + ); + + const cfg = { + channels: { + matrix: { + homeserver: "https://matrix.example.org", + userId: "@bot:example.org", + accessToken: "tok-123", + }, + }, + } as never; + + const detection = detectLegacyMatrixCrypto({ + cfg, + env: process.env, + }); + expect(detection.plans).toHaveLength(1); + expect(detection.warnings).toContain( + "Legacy Matrix encrypted state was detected, but the Matrix plugin helper is unavailable. Install or repair @openclaw/matrix so OpenClaw can inspect the old rust crypto store before upgrading.", + ); + expect( + hasActionableMatrixMigration({ + cfg, + env: process.env, + }), + ).toBe(false); + }, + { + env: { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home) => path.join(home, "empty-bundled"), + }, + }, + ); + }); +}); diff --git a/src/infra/matrix-migration-snapshot.ts b/src/infra/matrix-migration-snapshot.ts new file mode 100644 index 00000000000..ff3129be554 --- /dev/null +++ b/src/infra/matrix-migration-snapshot.ts @@ -0,0 +1,151 @@ +import fs from "node:fs"; +import os from "node:os"; +import path from "node:path"; +import type { OpenClawConfig } from "../config/config.js"; +import { resolveStateDir } from "../config/paths.js"; +import { writeJsonFileAtomically } from "../plugin-sdk/json-store.js"; +import { createBackupArchive } from "./backup-create.js"; +import { resolveRequiredHomeDir } from "./home-dir.js"; +import { detectLegacyMatrixCrypto } from "./matrix-legacy-crypto.js"; +import { detectLegacyMatrixState } from "./matrix-legacy-state.js"; +import { isMatrixLegacyCryptoInspectorAvailable } from "./matrix-plugin-helper.js"; + +const MATRIX_MIGRATION_SNAPSHOT_DIRNAME = "openclaw-migrations"; + +type MatrixMigrationSnapshotMarker = { + version: 1; + createdAt: string; + archivePath: string; + trigger: string; + includeWorkspace: boolean; +}; + +export type MatrixMigrationSnapshotResult = { + created: boolean; + archivePath: string; + markerPath: string; +}; + +function loadSnapshotMarker(filePath: string): MatrixMigrationSnapshotMarker | null { + try { + if (!fs.existsSync(filePath)) { + return null; + } + const parsed = JSON.parse( + fs.readFileSync(filePath, "utf8"), + ) as Partial; + if ( + parsed.version !== 1 || + typeof parsed.createdAt !== "string" || + typeof parsed.archivePath !== "string" || + typeof parsed.trigger !== "string" + ) { + return null; + } + return { + version: 1, + createdAt: parsed.createdAt, + archivePath: parsed.archivePath, + trigger: parsed.trigger, + includeWorkspace: parsed.includeWorkspace === true, + }; + } catch { + return null; + } +} + +export function resolveMatrixMigrationSnapshotMarkerPath( + env: NodeJS.ProcessEnv = process.env, +): string { + const stateDir = resolveStateDir(env, os.homedir); + return path.join(stateDir, "matrix", "migration-snapshot.json"); +} + +export function resolveMatrixMigrationSnapshotOutputDir( + env: NodeJS.ProcessEnv = process.env, +): string { + const homeDir = resolveRequiredHomeDir(env, os.homedir); + return path.join(homeDir, "Backups", MATRIX_MIGRATION_SNAPSHOT_DIRNAME); +} + +export function hasPendingMatrixMigration(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; +}): boolean { + const env = params.env ?? process.env; + const legacyState = detectLegacyMatrixState({ cfg: params.cfg, env }); + if (legacyState) { + return true; + } + const legacyCrypto = detectLegacyMatrixCrypto({ cfg: params.cfg, env }); + return legacyCrypto.plans.length > 0 || legacyCrypto.warnings.length > 0; +} + +export function hasActionableMatrixMigration(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; +}): boolean { + const env = params.env ?? process.env; + const legacyState = detectLegacyMatrixState({ cfg: params.cfg, env }); + if (legacyState && !("warning" in legacyState)) { + return true; + } + const legacyCrypto = detectLegacyMatrixCrypto({ cfg: params.cfg, env }); + return ( + legacyCrypto.plans.length > 0 && + isMatrixLegacyCryptoInspectorAvailable({ + cfg: params.cfg, + env, + }) + ); +} + +export async function maybeCreateMatrixMigrationSnapshot(params: { + trigger: string; + env?: NodeJS.ProcessEnv; + outputDir?: string; + log?: { info?: (message: string) => void; warn?: (message: string) => void }; +}): Promise { + const env = params.env ?? process.env; + const markerPath = resolveMatrixMigrationSnapshotMarkerPath(env); + const existingMarker = loadSnapshotMarker(markerPath); + if (existingMarker?.archivePath && fs.existsSync(existingMarker.archivePath)) { + params.log?.info?.( + `matrix: reusing existing pre-migration backup snapshot: ${existingMarker.archivePath}`, + ); + return { + created: false, + archivePath: existingMarker.archivePath, + markerPath, + }; + } + if (existingMarker?.archivePath && !fs.existsSync(existingMarker.archivePath)) { + params.log?.warn?.( + `matrix: previous migration snapshot is missing (${existingMarker.archivePath}); creating a replacement backup before continuing`, + ); + } + + const snapshot = await createBackupArchive({ + output: (() => { + const outputDir = params.outputDir ?? resolveMatrixMigrationSnapshotOutputDir(env); + fs.mkdirSync(outputDir, { recursive: true }); + return outputDir; + })(), + includeWorkspace: false, + }); + + const marker: MatrixMigrationSnapshotMarker = { + version: 1, + createdAt: snapshot.createdAt, + archivePath: snapshot.archivePath, + trigger: params.trigger, + includeWorkspace: snapshot.includeWorkspace, + }; + await writeJsonFileAtomically(markerPath, marker); + params.log?.info?.(`matrix: created pre-migration backup snapshot: ${snapshot.archivePath}`); + return { + created: true, + archivePath: snapshot.archivePath, + markerPath, + }; +} diff --git a/src/infra/matrix-plugin-helper.test.ts b/src/infra/matrix-plugin-helper.test.ts new file mode 100644 index 00000000000..650edc434ca --- /dev/null +++ b/src/infra/matrix-plugin-helper.test.ts @@ -0,0 +1,186 @@ +import fs from "node:fs"; +import path from "node:path"; +import { describe, expect, it } from "vitest"; +import { withTempHome } from "../../test/helpers/temp-home.js"; +import { + isMatrixLegacyCryptoInspectorAvailable, + loadMatrixLegacyCryptoInspector, +} from "./matrix-plugin-helper.js"; + +function writeMatrixPluginFixture(rootDir: string, helperBody: string): void { + fs.mkdirSync(rootDir, { recursive: true }); + fs.writeFileSync( + path.join(rootDir, "openclaw.plugin.json"), + JSON.stringify({ + id: "matrix", + configSchema: { + type: "object", + additionalProperties: false, + }, + }), + "utf8", + ); + fs.writeFileSync(path.join(rootDir, "index.js"), "export default {};\n", "utf8"); + fs.writeFileSync(path.join(rootDir, "legacy-crypto-inspector.js"), helperBody, "utf8"); +} + +describe("matrix plugin helper resolution", () => { + it("loads the legacy crypto inspector from the bundled matrix plugin", async () => { + await withTempHome( + async (home) => { + const bundledRoot = path.join(home, "bundled", "matrix"); + writeMatrixPluginFixture( + bundledRoot, + [ + "export async function inspectLegacyMatrixCryptoStore() {", + ' return { deviceId: "BUNDLED", roomKeyCounts: { total: 7, backedUp: 6 }, backupVersion: "1", decryptionKeyBase64: "YWJjZA==" };', + "}", + ].join("\n"), + ); + + const cfg = {} as const; + + expect(isMatrixLegacyCryptoInspectorAvailable({ cfg, env: process.env })).toBe(true); + const inspectLegacyStore = await loadMatrixLegacyCryptoInspector({ + cfg, + env: process.env, + }); + + await expect( + inspectLegacyStore({ + cryptoRootDir: "/tmp/legacy", + userId: "@bot:example.org", + deviceId: "DEVICE123", + }), + ).resolves.toEqual({ + deviceId: "BUNDLED", + roomKeyCounts: { total: 7, backedUp: 6 }, + backupVersion: "1", + decryptionKeyBase64: "YWJjZA==", + }); + }, + { + env: { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home) => path.join(home, "bundled"), + }, + }, + ); + }); + + it("prefers configured plugin load paths over bundled matrix plugins", async () => { + await withTempHome( + async (home) => { + const bundledRoot = path.join(home, "bundled", "matrix"); + const customRoot = path.join(home, "plugins", "matrix-local"); + writeMatrixPluginFixture( + bundledRoot, + [ + "export async function inspectLegacyMatrixCryptoStore() {", + ' return { deviceId: "BUNDLED", roomKeyCounts: null, backupVersion: null, decryptionKeyBase64: null };', + "}", + ].join("\n"), + ); + writeMatrixPluginFixture( + customRoot, + [ + "export default async function inspectLegacyMatrixCryptoStore() {", + ' return { deviceId: "CONFIG", roomKeyCounts: null, backupVersion: null, decryptionKeyBase64: null };', + "}", + ].join("\n"), + ); + + const cfg = { + plugins: { + load: { + paths: [customRoot], + }, + }, + } as const; + + expect(isMatrixLegacyCryptoInspectorAvailable({ cfg, env: process.env })).toBe(true); + const inspectLegacyStore = await loadMatrixLegacyCryptoInspector({ + cfg, + env: process.env, + }); + + await expect( + inspectLegacyStore({ + cryptoRootDir: "/tmp/legacy", + userId: "@bot:example.org", + deviceId: "DEVICE123", + }), + ).resolves.toEqual({ + deviceId: "CONFIG", + roomKeyCounts: null, + backupVersion: null, + decryptionKeyBase64: null, + }); + }, + { + env: { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home) => path.join(home, "bundled"), + }, + }, + ); + }); + + it("rejects helper files that escape the plugin root", async () => { + await withTempHome( + async (home) => { + const customRoot = path.join(home, "plugins", "matrix-local"); + const outsideRoot = path.join(home, "outside"); + fs.mkdirSync(customRoot, { recursive: true }); + fs.mkdirSync(outsideRoot, { recursive: true }); + fs.writeFileSync( + path.join(customRoot, "openclaw.plugin.json"), + JSON.stringify({ + id: "matrix", + configSchema: { + type: "object", + additionalProperties: false, + }, + }), + "utf8", + ); + fs.writeFileSync(path.join(customRoot, "index.js"), "export default {};\n", "utf8"); + const outsideHelper = path.join(outsideRoot, "legacy-crypto-inspector.js"); + fs.writeFileSync( + outsideHelper, + 'export default async function inspectLegacyMatrixCryptoStore() { return { deviceId: "ESCAPE", roomKeyCounts: null, backupVersion: null, decryptionKeyBase64: null }; }\n', + "utf8", + ); + + try { + fs.symlinkSync( + outsideHelper, + path.join(customRoot, "legacy-crypto-inspector.js"), + process.platform === "win32" ? "file" : undefined, + ); + } catch { + return; + } + + const cfg = { + plugins: { + load: { + paths: [customRoot], + }, + }, + } as const; + + expect(isMatrixLegacyCryptoInspectorAvailable({ cfg, env: process.env })).toBe(false); + await expect( + loadMatrixLegacyCryptoInspector({ + cfg, + env: process.env, + }), + ).rejects.toThrow("Matrix plugin helper path is unsafe"); + }, + { + env: { + OPENCLAW_BUNDLED_PLUGINS_DIR: (home) => path.join(home, "empty-bundled"), + }, + }, + ); + }); +}); diff --git a/src/infra/matrix-plugin-helper.ts b/src/infra/matrix-plugin-helper.ts new file mode 100644 index 00000000000..ab40287029f --- /dev/null +++ b/src/infra/matrix-plugin-helper.ts @@ -0,0 +1,173 @@ +import fs from "node:fs"; +import path from "node:path"; +import { createJiti } from "jiti"; +import type { OpenClawConfig } from "../config/config.js"; +import { + loadPluginManifestRegistry, + type PluginManifestRecord, +} from "../plugins/manifest-registry.js"; +import { openBoundaryFileSync } from "./boundary-file-read.js"; + +const MATRIX_PLUGIN_ID = "matrix"; +const MATRIX_HELPER_CANDIDATES = [ + "legacy-crypto-inspector.ts", + "legacy-crypto-inspector.js", + path.join("dist", "legacy-crypto-inspector.js"), +] as const; + +export const MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE = + "Legacy Matrix encrypted state was detected, but the Matrix plugin helper is unavailable. Install or repair @openclaw/matrix so OpenClaw can inspect the old rust crypto store before upgrading."; + +type MatrixLegacyCryptoInspectorParams = { + cryptoRootDir: string; + userId: string; + deviceId: string; + log?: (message: string) => void; +}; + +type MatrixLegacyCryptoInspectorResult = { + deviceId: string | null; + roomKeyCounts: { + total: number; + backedUp: number; + } | null; + backupVersion: string | null; + decryptionKeyBase64: string | null; +}; + +export type MatrixLegacyCryptoInspector = ( + params: MatrixLegacyCryptoInspectorParams, +) => Promise; + +function resolveMatrixPluginRecord(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + workspaceDir?: string; +}): PluginManifestRecord | null { + const registry = loadPluginManifestRegistry({ + config: params.cfg, + workspaceDir: params.workspaceDir, + env: params.env, + }); + return registry.plugins.find((plugin) => plugin.id === MATRIX_PLUGIN_ID) ?? null; +} + +type MatrixLegacyCryptoInspectorPathResolution = + | { status: "ok"; helperPath: string } + | { status: "missing" } + | { status: "unsafe"; candidatePath: string }; + +function resolveMatrixLegacyCryptoInspectorPath(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + workspaceDir?: string; +}): MatrixLegacyCryptoInspectorPathResolution { + const plugin = resolveMatrixPluginRecord(params); + if (!plugin) { + return { status: "missing" }; + } + for (const relativePath of MATRIX_HELPER_CANDIDATES) { + const candidatePath = path.join(plugin.rootDir, relativePath); + const opened = openBoundaryFileSync({ + absolutePath: candidatePath, + rootPath: plugin.rootDir, + boundaryLabel: "plugin root", + rejectHardlinks: plugin.origin !== "bundled", + allowedType: "file", + }); + if (opened.ok) { + fs.closeSync(opened.fd); + return { status: "ok", helperPath: opened.path }; + } + if (opened.reason !== "path") { + return { status: "unsafe", candidatePath }; + } + } + return { status: "missing" }; +} + +export function isMatrixLegacyCryptoInspectorAvailable(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + workspaceDir?: string; +}): boolean { + return resolveMatrixLegacyCryptoInspectorPath(params).status === "ok"; +} + +let jitiLoader: ReturnType | null = null; +const inspectorCache = new Map>(); + +function getJiti() { + if (!jitiLoader) { + jitiLoader = createJiti(import.meta.url, { + interopDefault: false, + extensions: [".ts", ".tsx", ".mts", ".cts", ".js", ".mjs", ".cjs", ".json"], + }); + } + return jitiLoader; +} + +function isObjectRecord(value: unknown): value is Record { + return typeof value === "object" && value !== null; +} + +function resolveInspectorExport(loaded: unknown): MatrixLegacyCryptoInspector | null { + if (!isObjectRecord(loaded)) { + return null; + } + const directInspector = loaded.inspectLegacyMatrixCryptoStore; + if (typeof directInspector === "function") { + return directInspector as MatrixLegacyCryptoInspector; + } + const directDefault = loaded.default; + if (typeof directDefault === "function") { + return directDefault as MatrixLegacyCryptoInspector; + } + if (!isObjectRecord(directDefault)) { + return null; + } + const nestedInspector = directDefault.inspectLegacyMatrixCryptoStore; + return typeof nestedInspector === "function" + ? (nestedInspector as MatrixLegacyCryptoInspector) + : null; +} + +export async function loadMatrixLegacyCryptoInspector(params: { + cfg: OpenClawConfig; + env?: NodeJS.ProcessEnv; + workspaceDir?: string; +}): Promise { + const resolution = resolveMatrixLegacyCryptoInspectorPath(params); + if (resolution.status === "missing") { + throw new Error(MATRIX_LEGACY_CRYPTO_INSPECTOR_UNAVAILABLE_MESSAGE); + } + if (resolution.status === "unsafe") { + throw new Error( + `Matrix plugin helper path is unsafe: ${resolution.candidatePath}. Reinstall @openclaw/matrix and try again.`, + ); + } + const helperPath = resolution.helperPath; + + const cached = inspectorCache.get(helperPath); + if (cached) { + return await cached; + } + + const pending = (async () => { + const loaded: unknown = await getJiti().import(helperPath); + const inspectLegacyMatrixCryptoStore = resolveInspectorExport(loaded); + if (!inspectLegacyMatrixCryptoStore) { + throw new Error( + `Matrix plugin helper at ${helperPath} does not export inspectLegacyMatrixCryptoStore(). Reinstall @openclaw/matrix and try again.`, + ); + } + return inspectLegacyMatrixCryptoStore; + })(); + inspectorCache.set(helperPath, pending); + try { + return await pending; + } catch (err) { + inspectorCache.delete(helperPath); + throw err; + } +}