@archipelagolab/lobi 1.0.5 → 1.0.6

package/dist/chunk-OKDOVX4B.js

@@ -0,0 +1,699 @@
+import {
+  repairCurrentTokenStorageMetaDeviceId
+} from "./chunk-HKF5EBER.js";
+import {
+  resolveMatrixConfigFieldPath
+} from "./chunk-SPNSM6SB.js";
+import {
+  DEFAULT_ACCOUNT_ID,
+  assertHttpUrlTargetsPrivateNetwork,
+  isPrivateNetworkOptInEnabled,
+  normalizeAccountId,
+  normalizeOptionalAccountId,
+  ssrfPolicyFromDangerouslyAllowPrivateNetwork
+} from "./chunk-FZJOJ6P4.js";
+import {
+  isPrivateOrLoopbackHost
+} from "./chunk-4QTZHELX.js";
+import {
+  findMatrixAccountConfig,
+  listNormalizedMatrixAccountIds,
+  resolveMatrixBaseConfig
+} from "./chunk-3OXOEMBS.js";
+import {
+  getMatrixRuntime
+} from "./chunk-ZGAUVPAB.js";
+import {
+  requiresExplicitMatrixDefaultAccount,
+  resolveMatrixDefaultOrOnlyAccountId
+} from "./chunk-3R4ATE4Q.js";
+import {
+  resolveMatrixAccountStringValues
+} from "./chunk-5BQ6LLNU.js";
+import {
+  getLobiScopedEnvVarNames
+} from "./chunk-HJ5E2JRL.js";
+import {
+  init_shims
+} from "./chunk-G4TIS2SC.js";
+
+// src/matrix/client/config.ts
+init_shims();
+import { formatErrorMessage } from "openclaw/plugin-sdk/infra-runtime";
+import { coerceSecretRef } from "openclaw/plugin-sdk/provider-auth";
+import { retryAsync } from "openclaw/plugin-sdk/retry-runtime";
+import { normalizeResolvedSecretInputString } from "openclaw/plugin-sdk/secret-input";
+var matrixAuthClientDepsPromise;
+var matrixCredentialsReadDepsPromise;
+var matrixSecretInputDepsPromise;
+var matrixAuthClientDepsForTest;
+var MATRIX_AUTH_REQUEST_RETRY_RE = /\b(fetch failed|econnreset|econnrefused|enotfound|etimedout|ehostunreach|enetunreach|eai_again|und_err_|socket hang up|network|headers timeout|body timeout|connect timeout)\b/i;
+function setMatrixAuthClientDepsForTest(deps) {
+  matrixAuthClientDepsForTest = deps;
+}
+async function loadMatrixAuthClientDeps() {
+  if (matrixAuthClientDepsForTest) {
+    return matrixAuthClientDepsForTest;
+  }
+  matrixAuthClientDepsPromise ??= Promise.all([import("./src/matrix/sdk.js"), import("./src/matrix/client/logging.js")]).then(
+    ([sdkModule, loggingModule]) => ({
+      MatrixClient: sdkModule.MatrixClient,
+      ensureMatrixSdkLoggingConfigured: loggingModule.ensureMatrixSdkLoggingConfigured
+    })
+  );
+  return await matrixAuthClientDepsPromise;
+}
+async function loadMatrixCredentialsReadDeps() {
+  matrixCredentialsReadDepsPromise ??= import("./src/matrix/credentials-read.js").then(
+    (credentialsReadModule) => ({
+      loadMatrixCredentials: credentialsReadModule.loadMatrixCredentials,
+      credentialsMatchConfig: credentialsReadModule.credentialsMatchConfig
+    })
+  );
+  return await matrixCredentialsReadDepsPromise;
+}
+async function loadMatrixSecretInputDeps() {
+  matrixSecretInputDepsPromise ??= import("./src/matrix/client/config-secret-input.runtime.js").then((runtime) => ({
+    resolveConfiguredSecretInputString: runtime.resolveConfiguredSecretInputString
+  }));
+  return await matrixSecretInputDepsPromise;
+}
+function shouldRetryMatrixAuthRequest(err) {
+  return MATRIX_AUTH_REQUEST_RETRY_RE.test(formatErrorMessage(err));
+}
+function isAbortSignalTriggered(signal) {
+  return signal?.aborted === true;
+}
+function credentialsMatchBackfillAuthLineage(params) {
+  if (!params.stored) {
+    return true;
+  }
+  return params.stored.homeserver === params.auth.homeserver && params.stored.userId === params.auth.userId && params.stored.accessToken === params.auth.accessToken;
+}
+async function retryMatrixAuthRequest(label, run) {
+  return await retryAsync(run, {
+    attempts: 3,
+    minDelayMs: 250,
+    maxDelayMs: 1500,
+    jitter: 0.1,
+    label,
+    shouldRetry: (err) => shouldRetryMatrixAuthRequest(err)
+  });
+}
+async function fetchMatrixWhoamiIdentity(params) {
+  const { MatrixClient, ensureMatrixSdkLoggingConfigured } = await loadMatrixAuthClientDeps();
+  ensureMatrixSdkLoggingConfigured();
+  const tempClient = new MatrixClient(params.homeserver, params.accessToken, {
+    userId: params.userId,
+    ssrfPolicy: params.ssrfPolicy,
+    dispatcherPolicy: params.dispatcherPolicy
+  });
+  return await retryMatrixAuthRequest("matrix auth whoami", async () => {
+    return await tempClient.doRequest("GET", "/_matrix/client/v3/account/whoami");
+  });
+}
+function readEnvSecretRefFallback(params) {
+  const ref = coerceSecretRef(params.value, params.config?.secrets?.defaults);
+  if (!ref || ref.source !== "env" || !params.env) {
+    return void 0;
+  }
+  const providerConfig = params.config?.secrets?.providers?.[ref.provider];
+  if (providerConfig) {
+    if (providerConfig.source !== "env") {
+      throw new Error(
+        `Secret provider "${ref.provider}" has source "${providerConfig.source}" but ref requests "env".`
+      );
+    }
+    if (providerConfig.allowlist && !providerConfig.allowlist.includes(ref.id)) {
+      throw new Error(
+        `Environment variable "${ref.id}" is not allowlisted in secrets.providers.${ref.provider}.allowlist.`
+      );
+    }
+  } else if (ref.provider !== (params.config?.secrets?.defaults?.env?.trim() || "default")) {
+    throw new Error(
+      `Secret provider "${ref.provider}" is not configured (ref: ${ref.source}:${ref.provider}:${ref.id}).`
+    );
+  }
+  const resolved = params.env[ref.id];
+  if (typeof resolved !== "string") {
+    return void 0;
+  }
+  const trimmed = resolved.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function clean(value, path, opts) {
+  const ref = coerceSecretRef(value, opts?.config?.secrets?.defaults);
+  if (opts?.suppressSecretRef && ref) {
+    return "";
+  }
+  const normalizedValue = opts?.allowEnvSecretRefFallback ? ref?.source === "env" ? readEnvSecretRefFallback({
+    value,
+    env: opts.env,
+    config: opts.config
+  }) ?? value : ref ? "" : value : value;
+  return normalizeResolvedSecretInputString({
+    value: normalizedValue,
+    path,
+    defaults: opts?.config?.secrets?.defaults
+  }) ?? "";
+}
+function resolveMatrixBaseConfigFieldPath(field) {
+  return `channels.lobi.${field}`;
+}
+function shouldAllowEnvSecretRefFallback(field) {
+  return field === "accessToken" || field === "password";
+}
+function hasConfiguredSecretInputValue(value, cfg) {
+  return typeof value === "string" && value.trim().length > 0 || Boolean(coerceSecretRef(value, cfg.secrets?.defaults));
+}
+function hasConfiguredMatrixAccessTokenSource(params) {
+  const normalizedAccountId = normalizeAccountId(params.accountId);
+  const account = findMatrixAccountConfig(params.cfg, normalizedAccountId) ?? {};
+  const scopedAccessTokenVar = getLobiScopedEnvVarNames(normalizedAccountId).accessToken;
+  if (hasConfiguredSecretInputValue(account.accessToken, params.cfg) || clean(params.env[scopedAccessTokenVar], scopedAccessTokenVar).length > 0) {
+    return true;
+  }
+  if (normalizedAccountId !== DEFAULT_ACCOUNT_ID) {
+    return false;
+  }
+  const matrix = resolveMatrixBaseConfig(params.cfg);
+  return hasConfiguredSecretInputValue(matrix.accessToken, params.cfg) || clean(params.env.LOBI_ACCESS_TOKEN, "LOBI_ACCESS_TOKEN").length > 0;
+}
+function resolveConfiguredMatrixAuthInput(params) {
+  const normalizedAccountId = normalizeAccountId(params.accountId);
+  const account = findMatrixAccountConfig(params.cfg, normalizedAccountId) ?? {};
+  const accountValue = account[params.field];
+  if (accountValue !== void 0) {
+    return {
+      value: accountValue,
+      path: resolveMatrixConfigFieldPath(params.cfg, normalizedAccountId, params.field)
+    };
+  }
+  const scopedKeys = getLobiScopedEnvVarNames(normalizedAccountId);
+  const scopedEnv = resolveScopedMatrixEnvConfig(normalizedAccountId, params.env);
+  const scopedValue = scopedEnv[params.field];
+  if (scopedValue !== void 0) {
+    return {
+      value: scopedValue,
+      path: params.field === "accessToken" ? scopedKeys.accessToken : scopedKeys.password
+    };
+  }
+  if (normalizedAccountId !== DEFAULT_ACCOUNT_ID) {
+    return void 0;
+  }
+  const matrix = resolveMatrixBaseConfig(params.cfg);
+  const baseValue = matrix[params.field];
+  if (baseValue !== void 0) {
+    return {
+      value: baseValue,
+      path: resolveMatrixBaseConfigFieldPath(params.field)
+    };
+  }
+  const globalValue = params.field === "accessToken" ? params.env.LOBI_ACCESS_TOKEN : params.env.LOBI_PASSWORD;
+  if (globalValue !== void 0) {
+    return {
+      value: globalValue,
+      path: params.field === "accessToken" ? "LOBI_ACCESS_TOKEN" : "LOBI_PASSWORD"
+    };
+  }
+  return void 0;
+}
+async function resolveConfiguredMatrixAuthSecretInput(params) {
+  const configured = resolveConfiguredMatrixAuthInput(params);
+  if (!configured) {
+    return void 0;
+  }
+  const { resolveConfiguredSecretInputString } = await loadMatrixSecretInputDeps();
+  const resolved = await resolveConfiguredSecretInputString({
+    config: params.cfg,
+    env: params.env,
+    value: configured.value,
+    path: configured.path,
+    unresolvedReasonStyle: "detailed"
+  });
+  if (resolved.value !== void 0) {
+    return resolved.value;
+  }
+  if (coerceSecretRef(configured.value, params.cfg.secrets?.defaults)) {
+    throw new Error(
+      resolved.unresolvedRefReason ?? `${configured.path} SecretRef could not be resolved.`
+    );
+  }
+  return void 0;
+}
+function readMatrixBaseConfigField(matrix, field, opts) {
+  return clean(matrix[field], resolveMatrixBaseConfigFieldPath(field), {
+    env: opts?.env,
+    config: opts?.config,
+    allowEnvSecretRefFallback: shouldAllowEnvSecretRefFallback(field),
+    suppressSecretRef: opts?.suppressSecretRef
+  });
+}
+function readMatrixAccountConfigField(cfg, accountId, account, field, opts) {
+  return clean(account[field], resolveMatrixConfigFieldPath(cfg, accountId, field), {
+    env: opts?.env,
+    config: opts?.config,
+    allowEnvSecretRefFallback: shouldAllowEnvSecretRefFallback(field),
+    suppressSecretRef: opts?.suppressSecretRef
+  });
+}
+function clampMatrixInitialSyncLimit(value) {
+  return typeof value === "number" ? Math.max(0, Math.floor(value)) : void 0;
+}
+var MATRIX_HTTP_HOMESERVER_ERROR = "Matrix homeserver must use https:// unless it targets a private or loopback host";
+function buildMatrixNetworkFields(params) {
+  const dispatcherPolicy = params.dispatcherPolicy ?? (params.proxy ? { mode: "explicit-proxy", proxyUrl: params.proxy } : void 0);
+  if (!params.allowPrivateNetwork && !dispatcherPolicy) {
+    return {};
+  }
+  return {
+    ...params.allowPrivateNetwork ? {
+      allowPrivateNetwork: true,
+      ssrfPolicy: ssrfPolicyFromDangerouslyAllowPrivateNetwork(true)
+    } : {},
+    ...dispatcherPolicy ? { dispatcherPolicy } : {}
+  };
+}
+var DEFAULT_LOBI_HOMESERVER = "https://lobi.lobisland.com/";
+function resolveGlobalMatrixEnvConfig(env) {
+  const homeserver = clean(env.LOBI_HOMESERVER, "LOBI_HOMESERVER");
+  return {
+    homeserver: homeserver || DEFAULT_LOBI_HOMESERVER,
+    userId: clean(env.LOBI_USER_ID, "LOBI_USER_ID"),
+    accessToken: clean(env.LOBI_ACCESS_TOKEN, "LOBI_ACCESS_TOKEN") || void 0,
+    password: clean(env.LOBI_PASSWORD, "LOBI_PASSWORD") || void 0,
+    deviceId: clean(env.LOBI_DEVICE_ID, "LOBI_DEVICE_ID") || void 0,
+    deviceName: clean(env.LOBI_DEVICE_NAME, "LOBI_DEVICE_NAME") || void 0
+  };
+}
+function resolveMatrixEnvAuthReadiness(accountId, env = process.env) {
+  const normalizedAccountId = normalizeAccountId(accountId);
+  const scoped = resolveScopedMatrixEnvConfig(normalizedAccountId, env);
+  const scopedReady = hasReadyMatrixEnvAuth(scoped);
+  if (normalizedAccountId !== DEFAULT_ACCOUNT_ID) {
+    const keys = getLobiScopedEnvVarNames(normalizedAccountId);
+    return {
+      ready: scopedReady,
+      homeserver: scoped.homeserver || void 0,
+      userId: scoped.userId || void 0,
+      sourceHint: `${keys.homeserver} (+ auth vars)`,
+      missingMessage: `Set per-account env vars for "${normalizedAccountId}" (for example ${keys.homeserver} + ${keys.accessToken} or ${keys.userId} + ${keys.password}).`
+    };
+  }
+  const defaultScoped = resolveScopedMatrixEnvConfig(DEFAULT_ACCOUNT_ID, env);
+  const global = resolveGlobalMatrixEnvConfig(env);
+  const defaultScopedReady = hasReadyMatrixEnvAuth(defaultScoped);
+  const globalReady = hasReadyMatrixEnvAuth(global);
+  const defaultKeys = getLobiScopedEnvVarNames(DEFAULT_ACCOUNT_ID);
+  return {
+    ready: defaultScopedReady || globalReady,
+    homeserver: defaultScoped.homeserver || global.homeserver || void 0,
+    userId: defaultScoped.userId || global.userId || void 0,
+    sourceHint: "LOBI_* or LOBI_DEFAULT_*",
+    missingMessage: `Set Lobi env vars for the default account (for example LOBI_HOMESERVER + LOBI_ACCESS_TOKEN, LOBI_USER_ID + LOBI_PASSWORD, or ${defaultKeys.homeserver} + ${defaultKeys.accessToken}).`
+  };
+}
+function resolveScopedMatrixEnvConfig(accountId, env = process.env) {
+  const keys = getLobiScopedEnvVarNames(accountId);
+  return {
+    homeserver: clean(env[keys.homeserver], keys.homeserver),
+    userId: clean(env[keys.userId], keys.userId),
+    accessToken: clean(env[keys.accessToken], keys.accessToken) || void 0,
+    password: clean(env[keys.password], keys.password) || void 0,
+    deviceId: clean(env[keys.deviceId], keys.deviceId) || void 0,
+    deviceName: clean(env[keys.deviceName], keys.deviceName) || void 0
+  };
+}
+function hasScopedMatrixEnvConfig(accountId, env) {
+  const scoped = resolveScopedMatrixEnvConfig(accountId, env);
+  return Boolean(
+    scoped.homeserver || scoped.userId || scoped.accessToken || scoped.password || scoped.deviceId || scoped.deviceName
+  );
+}
+function hasReadyMatrixEnvAuth(config) {
+  const homeserver = clean(config.homeserver, "matrix.env.homeserver");
+  const userId = clean(config.userId, "matrix.env.userId");
+  const accessToken = clean(config.accessToken, "matrix.env.accessToken");
+  const password = clean(config.password, "matrix.env.password");
+  return Boolean(homeserver && (accessToken || userId && password));
+}
+function validateMatrixHomeserverUrl(homeserver, opts) {
+  const trimmed = clean(homeserver, "matrix.homeserver");
+  if (!trimmed) {
+    throw new Error("Matrix homeserver is required (matrix.homeserver)");
+  }
+  let parsed;
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    throw new Error("Matrix homeserver must be a valid http(s) URL");
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    throw new Error("Matrix homeserver must use http:// or https://");
+  }
+  if (!parsed.hostname) {
+    throw new Error("Matrix homeserver must include a hostname");
+  }
+  if (parsed.username || parsed.password) {
+    throw new Error("Matrix homeserver URL must not include embedded credentials");
+  }
+  if (parsed.search || parsed.hash) {
+    throw new Error("Matrix homeserver URL must not include query strings or fragments");
+  }
+  if (parsed.protocol === "http:" && opts?.allowPrivateNetwork !== true && !isPrivateOrLoopbackHost(parsed.hostname)) {
+    throw new Error(MATRIX_HTTP_HOMESERVER_ERROR);
+  }
+  return trimmed;
+}
+async function resolveValidatedMatrixHomeserverUrl(homeserver, opts) {
+  const allowPrivateNetwork = typeof opts?.dangerouslyAllowPrivateNetwork === "boolean" ? opts.dangerouslyAllowPrivateNetwork : opts?.allowPrivateNetwork;
+  const normalized = validateMatrixHomeserverUrl(homeserver, {
+    allowPrivateNetwork
+  });
+  await assertHttpUrlTargetsPrivateNetwork(normalized, {
+    dangerouslyAllowPrivateNetwork: opts?.dangerouslyAllowPrivateNetwork,
+    allowPrivateNetwork,
+    lookupFn: opts?.lookupFn,
+    errorMessage: MATRIX_HTTP_HOMESERVER_ERROR
+  });
+  return normalized;
+}
+function resolveMatrixConfigForAccount(cfg, accountId, env = process.env) {
+  const matrix = resolveMatrixBaseConfig(cfg);
+  const account = findMatrixAccountConfig(cfg, accountId) ?? {};
+  const normalizedAccountId = normalizeAccountId(accountId);
+  const suppressInactivePasswordSecretRef = hasConfiguredMatrixAccessTokenSource({
+    cfg,
+    env,
+    accountId: normalizedAccountId
+  });
+  const fieldReadOptions = {
+    env,
+    config: cfg
+  };
+  const scopedEnv = resolveScopedMatrixEnvConfig(normalizedAccountId, env);
+  const globalEnv = resolveGlobalMatrixEnvConfig(env);
+  const accountField = (field) => readMatrixAccountConfigField(cfg, normalizedAccountId, account, field, {
+    ...fieldReadOptions,
+    suppressSecretRef: field === "password" ? suppressInactivePasswordSecretRef : void 0
+  });
+  const resolvedStrings = resolveMatrixAccountStringValues({
+    accountId: normalizedAccountId,
+    account: {
+      homeserver: accountField("homeserver"),
+      userId: accountField("userId"),
+      accessToken: accountField("accessToken"),
+      password: accountField("password"),
+      deviceId: accountField("deviceId"),
+      deviceName: accountField("deviceName")
+    },
+    scopedEnv,
+    channel: {
+      homeserver: readMatrixBaseConfigField(matrix, "homeserver", fieldReadOptions),
+      userId: readMatrixBaseConfigField(matrix, "userId", fieldReadOptions),
+      accessToken: readMatrixBaseConfigField(matrix, "accessToken", fieldReadOptions),
+      password: readMatrixBaseConfigField(matrix, "password", {
+        ...fieldReadOptions,
+        suppressSecretRef: suppressInactivePasswordSecretRef
+      }),
+      deviceId: readMatrixBaseConfigField(matrix, "deviceId", fieldReadOptions),
+      deviceName: readMatrixBaseConfigField(matrix, "deviceName", fieldReadOptions)
+    },
+    globalEnv
+  });
+  const accountInitialSyncLimit = clampMatrixInitialSyncLimit(account.initialSyncLimit);
+  const initialSyncLimit = accountInitialSyncLimit ?? clampMatrixInitialSyncLimit(matrix.initialSyncLimit);
+  const encryption = typeof account.encryption === "boolean" ? account.encryption : matrix.encryption ?? false;
+  const allowPrivateNetwork = isPrivateNetworkOptInEnabled(account) || isPrivateNetworkOptInEnabled(matrix) ? true : void 0;
+  return {
+    homeserver: resolvedStrings.homeserver,
+    userId: resolvedStrings.userId,
+    accessToken: resolvedStrings.accessToken || void 0,
+    password: resolvedStrings.password || void 0,
+    deviceId: resolvedStrings.deviceId || void 0,
+    deviceName: resolvedStrings.deviceName || void 0,
+    initialSyncLimit,
+    encryption,
+    ...buildMatrixNetworkFields({
+      allowPrivateNetwork,
+      proxy: account.proxy ?? matrix.proxy
+    })
+  };
+}
+function resolveImplicitMatrixAccountId(cfg, env = process.env) {
+  if (requiresExplicitMatrixDefaultAccount(cfg, env)) {
+    return null;
+  }
+  return normalizeAccountId(resolveMatrixDefaultOrOnlyAccountId(cfg, env));
+}
+function resolveMatrixAuthContext(params) {
+  const cfg = params?.cfg ?? getMatrixRuntime().config.loadConfig();
+  const env = params?.env ?? process.env;
+  const explicitAccountId = normalizeOptionalAccountId(params?.accountId);
+  const effectiveAccountId = explicitAccountId ?? resolveImplicitMatrixAccountId(cfg, env);
+  if (!effectiveAccountId) {
+    throw new Error(
+      'Multiple Lobi accounts are configured and channels.lobi.defaultAccount is not set. Set "channels.lobi.defaultAccount" to the intended account or pass --account <id>.'
+    );
+  }
+  if (explicitAccountId && explicitAccountId !== DEFAULT_ACCOUNT_ID && !listNormalizedMatrixAccountIds(cfg).includes(explicitAccountId) && !hasScopedMatrixEnvConfig(explicitAccountId, env)) {
+    throw new Error(
+      `Lobi account "${explicitAccountId}" is not configured. Add channels.lobi.accounts.${explicitAccountId} or define scoped ${getLobiScopedEnvVarNames(explicitAccountId).accessToken.replace(/_ACCESS_TOKEN$/, "")}_* variables.`
+    );
+  }
+  const resolved = resolveMatrixConfigForAccount(cfg, effectiveAccountId, env);
+  return {
+    cfg,
+    env,
+    accountId: effectiveAccountId,
+    resolved
+  };
+}
+async function resolveMatrixAuth(params) {
+  const { cfg, env, accountId, resolved } = resolveMatrixAuthContext(params);
+  const accessToken = await resolveConfiguredMatrixAuthSecretInput({
+    cfg,
+    env,
+    accountId,
+    field: "accessToken"
+  }) ?? resolved.accessToken;
+  const tokenAuthPassword = resolved.password;
+  const homeserver = await resolveValidatedMatrixHomeserverUrl(resolved.homeserver, {
+    dangerouslyAllowPrivateNetwork: resolved.allowPrivateNetwork
+  });
+  let credentialsWriter;
+  const loadCredentialsWriter = async () => {
+    credentialsWriter ??= await import("./src/matrix/credentials-write.runtime.js");
+    return credentialsWriter;
+  };
+  const { loadMatrixCredentials, credentialsMatchConfig } = await loadMatrixCredentialsReadDeps();
+  const cached = loadMatrixCredentials(env, accountId);
+  const cachedCredentials = cached && credentialsMatchConfig(cached, {
+    homeserver,
+    userId: resolved.userId || "",
+    accessToken
+  }) ? cached : null;
+  if (accessToken) {
+    let userId = resolved.userId;
+    const hasMatchingCachedToken = cachedCredentials?.accessToken === accessToken;
+    let knownDeviceId = hasMatchingCachedToken ? cachedCredentials?.deviceId || resolved.deviceId : resolved.deviceId;
+    if (!userId) {
+      const whoami = await fetchMatrixWhoamiIdentity({
+        homeserver,
+        accessToken,
+        userId,
+        ssrfPolicy: resolved.ssrfPolicy,
+        dispatcherPolicy: resolved.dispatcherPolicy
+      });
+      const fetchedUserId = whoami.user_id?.trim();
+      if (!fetchedUserId) {
+        throw new Error("Matrix whoami did not return user_id");
+      }
+      userId = fetchedUserId;
+      knownDeviceId = knownDeviceId || whoami.device_id?.trim() || resolved.deviceId;
+    }
+    const shouldRefreshCachedCredentials = !cachedCredentials || !hasMatchingCachedToken || cachedCredentials.userId !== userId || (cachedCredentials.deviceId || void 0) !== knownDeviceId;
+    if (shouldRefreshCachedCredentials) {
+      const { saveMatrixCredentials: saveMatrixCredentials2 } = await loadCredentialsWriter();
+      await saveMatrixCredentials2(
+        {
+          homeserver,
+          userId,
+          accessToken,
+          deviceId: knownDeviceId
+        },
+        env,
+        accountId
+      );
+    } else if (hasMatchingCachedToken) {
+      const { touchMatrixCredentials } = await loadCredentialsWriter();
+      await touchMatrixCredentials(env, accountId);
+    }
+    return {
+      accountId,
+      homeserver,
+      userId,
+      accessToken,
+      password: tokenAuthPassword,
+      deviceId: knownDeviceId,
+      deviceName: resolved.deviceName,
+      initialSyncLimit: resolved.initialSyncLimit,
+      encryption: resolved.encryption,
+      ...buildMatrixNetworkFields({
+        allowPrivateNetwork: resolved.allowPrivateNetwork,
+        dispatcherPolicy: resolved.dispatcherPolicy
+      })
+    };
+  }
+  if (cachedCredentials) {
+    const { touchMatrixCredentials } = await loadCredentialsWriter();
+    await touchMatrixCredentials(env, accountId);
+    return {
+      accountId,
+      homeserver: cachedCredentials.homeserver,
+      userId: cachedCredentials.userId,
+      accessToken: cachedCredentials.accessToken,
+      password: tokenAuthPassword,
+      deviceId: cachedCredentials.deviceId || resolved.deviceId,
+      deviceName: resolved.deviceName,
+      initialSyncLimit: resolved.initialSyncLimit,
+      encryption: resolved.encryption,
+      ...buildMatrixNetworkFields({
+        allowPrivateNetwork: resolved.allowPrivateNetwork,
+        dispatcherPolicy: resolved.dispatcherPolicy
+      })
+    };
+  }
+  if (!resolved.userId) {
+    throw new Error("Matrix userId is required when no access token is configured (matrix.userId)");
+  }
+  const password = await resolveConfiguredMatrixAuthSecretInput({
+    cfg,
+    env,
+    accountId,
+    field: "password"
+  }) ?? resolved.password;
+  if (!password) {
+    throw new Error(
+      "Matrix password is required when no access token is configured (matrix.password)"
+    );
+  }
+  const { MatrixClient, ensureMatrixSdkLoggingConfigured } = await loadMatrixAuthClientDeps();
+  ensureMatrixSdkLoggingConfigured();
+  const loginClient = new MatrixClient(homeserver, "", {
+    ssrfPolicy: resolved.ssrfPolicy,
+    dispatcherPolicy: resolved.dispatcherPolicy
+  });
+  const login = await retryMatrixAuthRequest("matrix auth login", async () => {
+    return await loginClient.doRequest("POST", "/_matrix/client/v3/login", void 0, {
+      type: "m.login.password",
+      identifier: { type: "m.id.user", user: resolved.userId },
+      password,
+      device_id: resolved.deviceId,
+      initial_device_display_name: resolved.deviceName ?? "OpenClaw Gateway"
+    });
+  });
+  const loginAccessToken = login.access_token?.trim();
+  if (!loginAccessToken) {
+    throw new Error("Matrix login did not return an access token");
+  }
+  const auth = {
+    accountId,
+    homeserver,
+    userId: login.user_id ?? resolved.userId,
+    accessToken: loginAccessToken,
+    password,
+    deviceId: login.device_id ?? resolved.deviceId,
+    deviceName: resolved.deviceName,
+    initialSyncLimit: resolved.initialSyncLimit,
+    encryption: resolved.encryption,
+    ...buildMatrixNetworkFields({
+      allowPrivateNetwork: resolved.allowPrivateNetwork,
+      dispatcherPolicy: resolved.dispatcherPolicy
+    })
+  };
+  const { saveMatrixCredentials } = await loadCredentialsWriter();
+  await saveMatrixCredentials(
+    {
+      homeserver: auth.homeserver,
+      userId: auth.userId,
+      accessToken: auth.accessToken,
+      deviceId: auth.deviceId
+    },
+    env,
+    accountId
+  );
+  return auth;
+}
+async function backfillMatrixAuthDeviceIdAfterStartup(params) {
+  const knownDeviceId = params.auth.deviceId?.trim();
+  if (knownDeviceId) {
+    return knownDeviceId;
+  }
+  if (isAbortSignalTriggered(params.abortSignal)) {
+    return void 0;
+  }
+  const whoami = await fetchMatrixWhoamiIdentity({
+    homeserver: params.auth.homeserver,
+    accessToken: params.auth.accessToken,
+    userId: params.auth.userId,
+    ssrfPolicy: params.auth.ssrfPolicy,
+    dispatcherPolicy: params.auth.dispatcherPolicy
+  });
+  const deviceId = whoami.device_id?.trim();
+  if (!deviceId) {
+    return void 0;
+  }
+  if (isAbortSignalTriggered(params.abortSignal)) {
+    return void 0;
+  }
+  const env = params.env ?? process.env;
+  const { loadMatrixCredentials } = await loadMatrixCredentialsReadDeps();
+  if (!credentialsMatchBackfillAuthLineage({
+    stored: loadMatrixCredentials(env, params.auth.accountId),
+    auth: params.auth
+  })) {
+    return void 0;
+  }
+  const repairedStorageMeta = repairCurrentTokenStorageMetaDeviceId({
+    homeserver: params.auth.homeserver,
+    userId: params.auth.userId,
+    accessToken: params.auth.accessToken,
+    accountId: params.auth.accountId,
+    deviceId,
+    env: params.env
+  });
+  if (!repairedStorageMeta) {
+    throw new Error("Matrix deviceId backfill failed to repair current-token storage metadata");
+  }
+  if (isAbortSignalTriggered(params.abortSignal)) {
+    return void 0;
+  }
+  const credentialsWriter = await import("./src/matrix/credentials-write.runtime.js");
+  const saved = await credentialsWriter.saveBackfilledMatrixDeviceId(
+    {
+      homeserver: params.auth.homeserver,
+      userId: params.auth.userId,
+      accessToken: params.auth.accessToken,
+      deviceId
+    },
+    env,
+    params.auth.accountId
+  );
+  return saved === "saved" ? deviceId : void 0;
+}
+
+export {
+  setMatrixAuthClientDepsForTest,
+  resolveGlobalMatrixEnvConfig,
+  resolveMatrixEnvAuthReadiness,
+  resolveScopedMatrixEnvConfig,
+  hasReadyMatrixEnvAuth,
+  validateMatrixHomeserverUrl,
+  resolveValidatedMatrixHomeserverUrl,
+  resolveMatrixConfigForAccount,
+  resolveMatrixAuthContext,
+  resolveMatrixAuth,
+  backfillMatrixAuthDeviceIdAfterStartup
+};
+//# sourceMappingURL=chunk-OKDOVX4B.js.map