npm - @gakr-gakr/matrix - Versions diffs - 0.1.0 - Mend

@gakr-gakr/matrix 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (205) hide show

package/CHANGELOG.md +285 -0
package/SPEC-SUPPORT.md +116 -0
package/api.ts +38 -0
package/auth-presence.ts +56 -0
package/autobot.plugin.json +28 -0
package/channel-plugin-api.ts +3 -0
package/cli-metadata.ts +11 -0
package/contract-api.ts +17 -0
package/doctor-contract-api.ts +1 -0
package/helper-api.ts +3 -0
package/index.ts +55 -0
package/package.json +101 -0
package/plugin-entry.handlers.runtime.ts +1 -0
package/runtime-api.ts +72 -0
package/runtime-heavy-api.ts +1 -0
package/runtime-setter-api.ts +3 -0
package/secret-contract-api.ts +5 -0
package/setup-entry.ts +17 -0
package/setup-plugin-api.ts +3 -0
package/src/account-selection.ts +223 -0
package/src/actions.ts +346 -0
package/src/approval-auth.ts +25 -0
package/src/approval-handler.runtime.ts +595 -0
package/src/approval-ids.ts +6 -0
package/src/approval-native.ts +348 -0
package/src/approval-reaction-auth.ts +45 -0
package/src/approval-reactions.ts +313 -0
package/src/auth-precedence.ts +61 -0
package/src/channel-account-paths.ts +97 -0
package/src/channel.runtime.ts +17 -0
package/src/channel.setup.ts +48 -0
package/src/channel.ts +667 -0
package/src/cli-metadata.ts +19 -0
package/src/cli.ts +2298 -0
package/src/config-adapter.ts +41 -0
package/src/config-schema.ts +159 -0
package/src/config-ui-hints.ts +56 -0
package/src/directory-live.ts +238 -0
package/src/doctor-contract.ts +287 -0
package/src/doctor.ts +262 -0
package/src/env-vars.ts +92 -0
package/src/exec-approval-resolver.ts +23 -0
package/src/exec-approvals.ts +293 -0
package/src/group-mentions.ts +41 -0
package/src/legacy-crypto-inspector-availability.ts +60 -0
package/src/legacy-crypto.ts +531 -0
package/src/legacy-state.ts +156 -0
package/src/matrix/account-config.ts +175 -0
package/src/matrix/accounts.ts +194 -0
package/src/matrix/actions/client.ts +31 -0
package/src/matrix/actions/devices.ts +34 -0
package/src/matrix/actions/limits.ts +6 -0
package/src/matrix/actions/messages.ts +129 -0
package/src/matrix/actions/pins.ts +63 -0
package/src/matrix/actions/polls.ts +109 -0
package/src/matrix/actions/profile.ts +37 -0
package/src/matrix/actions/reactions.ts +59 -0
package/src/matrix/actions/room.ts +71 -0
package/src/matrix/actions/summary.ts +88 -0
package/src/matrix/actions/types.ts +63 -0
package/src/matrix/actions/verification.ts +589 -0
package/src/matrix/actions.ts +37 -0
package/src/matrix/active-client.ts +26 -0
package/src/matrix/async-lock.ts +18 -0
package/src/matrix/backup-health.ts +124 -0
package/src/matrix/client/config-runtime-api.ts +9 -0
package/src/matrix/client/config-secret-input.runtime.ts +1 -0
package/src/matrix/client/config.ts +853 -0
package/src/matrix/client/create-client.ts +105 -0
package/src/matrix/client/env-auth.ts +95 -0
package/src/matrix/client/file-sync-store.ts +289 -0
package/src/matrix/client/logging.ts +140 -0
package/src/matrix/client/migration-snapshot.runtime.ts +1 -0
package/src/matrix/client/private-network-host.ts +1 -0
package/src/matrix/client/runtime.ts +4 -0
package/src/matrix/client/shared.ts +316 -0
package/src/matrix/client/storage.ts +543 -0
package/src/matrix/client/types.ts +50 -0
package/src/matrix/client/url-validation.ts +76 -0
package/src/matrix/client-bootstrap.ts +173 -0
package/src/matrix/client.ts +23 -0
package/src/matrix/config-paths.ts +31 -0
package/src/matrix/config-update.ts +292 -0
package/src/matrix/credentials-read.ts +207 -0
package/src/matrix/credentials-write.runtime.ts +35 -0
package/src/matrix/credentials.ts +95 -0
package/src/matrix/deps.ts +309 -0
package/src/matrix/device-health.ts +31 -0
package/src/matrix/direct-management.ts +349 -0
package/src/matrix/direct-room.ts +128 -0
package/src/matrix/draft-stream.ts +225 -0
package/src/matrix/encryption-guidance.ts +24 -0
package/src/matrix/errors.ts +21 -0
package/src/matrix/format.ts +426 -0
package/src/matrix/legacy-crypto-inspector.ts +95 -0
package/src/matrix/media-errors.ts +20 -0
package/src/matrix/media-text.ts +162 -0
package/src/matrix/monitor/access-state.ts +145 -0
package/src/matrix/monitor/ack-config.ts +27 -0
package/src/matrix/monitor/allowlist.ts +92 -0
package/src/matrix/monitor/auto-join.ts +86 -0
package/src/matrix/monitor/config.ts +569 -0
package/src/matrix/monitor/context-summary.ts +43 -0
package/src/matrix/monitor/direct.ts +296 -0
package/src/matrix/monitor/events.ts +397 -0
package/src/matrix/monitor/handler.ts +2271 -0
package/src/matrix/monitor/inbound-dedupe.ts +267 -0
package/src/matrix/monitor/index.ts +540 -0
package/src/matrix/monitor/legacy-crypto-restore.ts +139 -0
package/src/matrix/monitor/location.ts +108 -0
package/src/matrix/monitor/media.ts +119 -0
package/src/matrix/monitor/mentions.ts +256 -0
package/src/matrix/monitor/reaction-events.ts +197 -0
package/src/matrix/monitor/recent-invite.ts +30 -0
package/src/matrix/monitor/replies.ts +136 -0
package/src/matrix/monitor/reply-context.ts +92 -0
package/src/matrix/monitor/room-history.ts +301 -0
package/src/matrix/monitor/room-info.ts +126 -0
package/src/matrix/monitor/rooms.ts +52 -0
package/src/matrix/monitor/route.ts +179 -0
package/src/matrix/monitor/runtime-api.ts +28 -0
package/src/matrix/monitor/startup-verification.ts +237 -0
package/src/matrix/monitor/startup.ts +218 -0
package/src/matrix/monitor/status.ts +120 -0
package/src/matrix/monitor/sync-lifecycle.ts +91 -0
package/src/matrix/monitor/task-runner.ts +38 -0
package/src/matrix/monitor/test-events.ts +21 -0
package/src/matrix/monitor/thread-context.ts +108 -0
package/src/matrix/monitor/threads.ts +85 -0
package/src/matrix/monitor/types.ts +30 -0
package/src/matrix/monitor/verification-events.ts +643 -0
package/src/matrix/monitor/verification-utils.ts +46 -0
package/src/matrix/outbound-media-runtime.ts +1 -0
package/src/matrix/poll-summary.ts +110 -0
package/src/matrix/poll-types.ts +429 -0
package/src/matrix/probe.runtime.ts +4 -0
package/src/matrix/probe.ts +97 -0
package/src/matrix/profile.ts +184 -0
package/src/matrix/reaction-common.ts +147 -0
package/src/matrix/sdk/crypto-bootstrap.ts +438 -0
package/src/matrix/sdk/crypto-facade.ts +242 -0
package/src/matrix/sdk/crypto-node.runtime.ts +17 -0
package/src/matrix/sdk/crypto-runtime.ts +14 -0
package/src/matrix/sdk/decrypt-bridge.ts +410 -0
package/src/matrix/sdk/event-helpers.ts +83 -0
package/src/matrix/sdk/http-client.ts +87 -0
package/src/matrix/sdk/idb-persistence-lock.ts +51 -0
package/src/matrix/sdk/idb-persistence.ts +286 -0
package/src/matrix/sdk/logger.ts +108 -0
package/src/matrix/sdk/read-response-with-limit.ts +19 -0
package/src/matrix/sdk/recovery-key-store.ts +453 -0
package/src/matrix/sdk/timeout-abort-signal.ts +1 -0
package/src/matrix/sdk/transport-runtime-api.ts +18 -0
package/src/matrix/sdk/transport.ts +352 -0
package/src/matrix/sdk/types.ts +245 -0
package/src/matrix/sdk/verification-manager.ts +795 -0
package/src/matrix/sdk/verification-status.ts +23 -0
package/src/matrix/sdk.ts +2152 -0
package/src/matrix/send/client.ts +93 -0
package/src/matrix/send/formatting.ts +189 -0
package/src/matrix/send/media.ts +244 -0
package/src/matrix/send/targets.ts +104 -0
package/src/matrix/send/types.ts +131 -0
package/src/matrix/send.ts +660 -0
package/src/matrix/session-store-metadata.ts +108 -0
package/src/matrix/startup-abort.ts +44 -0
package/src/matrix/subagent-hooks.ts +308 -0
package/src/matrix/sync-state.ts +27 -0
package/src/matrix/target-ids.ts +79 -0
package/src/matrix/thread-bindings-shared.ts +206 -0
package/src/matrix/thread-bindings.ts +580 -0
package/src/matrix-migration.runtime.ts +9 -0
package/src/migration-config.ts +243 -0
package/src/migration-snapshot-backup.ts +116 -0
package/src/migration-snapshot.ts +53 -0
package/src/onboarding.ts +775 -0
package/src/outbound.ts +248 -0
package/src/plugin-entry.runtime.js +115 -0
package/src/plugin-entry.runtime.ts +70 -0
package/src/profile-update.ts +71 -0
package/src/record-shared.ts +3 -0
package/src/resolve-targets.ts +175 -0
package/src/resolver.runtime.ts +5 -0
package/src/resolver.ts +21 -0
package/src/runtime-api.ts +106 -0
package/src/runtime.ts +13 -0
package/src/secret-contract.ts +174 -0
package/src/session-route.ts +126 -0
package/src/setup-bootstrap.ts +102 -0
package/src/setup-config.ts +222 -0
package/src/setup-contract.ts +90 -0
package/src/setup-core.ts +146 -0
package/src/setup-dm-policy.ts +15 -0
package/src/setup-surface.ts +4 -0
package/src/startup-maintenance.ts +114 -0
package/src/storage-paths.ts +92 -0
package/src/thread-binding-api.ts +23 -0
package/src/tool-actions.runtime.ts +1 -0
package/src/tool-actions.ts +498 -0
package/src/types.ts +257 -0
package/subagent-hooks-api.ts +31 -0
package/test-api.ts +21 -0
package/thread-binding-api.ts +4 -0
package/thread-bindings-runtime.ts +4 -0
package/tsconfig.json +16 -0

package/src/matrix/monitor/direct.ts ADDED Viewed

@@ -0,0 +1,296 @@
+import { promoteMatrixDirectRoomCandidate } from "../direct-management.js";
+import {
+  hasDirectMatrixMemberFlag,
+  isStrictDirectMembership,
+  readJoinedMatrixMembers,
+} from "../direct-room.js";
+import type { MatrixClient } from "../sdk.js";
+type DirectMessageCheck = {
+  roomId: string;
+  senderId?: string;
+  selfUserId?: string;
+};
+type DirectRoomTrackerOptions = {
+  log?: (message: string) => void;
+  canPromoteRecentInvite?: (roomId: string) => boolean | Promise<boolean>;
+  canPromoteUnmappedStrictRoom?: (roomId: string) => boolean | Promise<boolean>;
+  shouldKeepLocallyPromotedDirectRoom?:
+    | ((roomId: string) => boolean | undefined | Promise<boolean | undefined>)
+    | undefined;
+};
+const DM_CACHE_TTL_MS = 30_000;
+const RECENT_INVITE_TTL_MS = 30_000;
+const MAX_TRACKED_DM_ROOMS = 1024;
+const MAX_TRACKED_DM_MEMBER_FLAGS = 2048;
+function rememberBounded<T>(
+  map: Map<string, T>,
+  key: string,
+  value: T,
+  maxSize = MAX_TRACKED_DM_ROOMS,
+): void {
+  map.set(key, value);
+  if (map.size > maxSize) {
+    const oldest = map.keys().next().value;
+    if (typeof oldest === "string") {
+      map.delete(oldest);
+    }
+  }
+}
+export function createDirectRoomTracker(client: MatrixClient, opts: DirectRoomTrackerOptions = {}) {
+  const log = opts.log ?? (() => {});
+  let lastDmUpdateMs = 0;
+  // Once m.direct has seeded successfully, prefer the explicit cache over
+  // re-enabling the broad 2-person fallback after a later transient failure.
+  let hasSeededDmCache = false;
+  let cachedSelfUserId: string | null = null;
+  const joinedMembersCache = new Map<string, { members: string[]; ts: number }>();
+  const directMemberFlagCache = new Map<string, { isDirect: boolean | null; ts: number }>();
+  const recentInviteCandidates = new Map<string, { remoteUserId: string; ts: number }>();
+  const locallyPromotedDirectRooms = new Map<string, { remoteUserId: string }>();
+  const ensureSelfUserId = async (): Promise<string | null> => {
+    if (cachedSelfUserId) {
+      return cachedSelfUserId;
+    }
+    try {
+      cachedSelfUserId = await client.getUserId();
+    } catch {
+      cachedSelfUserId = null;
+    }
+    return cachedSelfUserId;
+  };
+  const refreshDmCache = async (): Promise<void> => {
+    const now = Date.now();
+    if (now - lastDmUpdateMs < DM_CACHE_TTL_MS) {
+      return;
+    }
+    lastDmUpdateMs = now;
+    hasSeededDmCache = (await client.dms.update()) || hasSeededDmCache;
+  };
+  const resolveJoinedMembers = async (roomId: string): Promise<string[] | null> => {
+    const cached = joinedMembersCache.get(roomId);
+    const now = Date.now();
+    if (cached && now - cached.ts < DM_CACHE_TTL_MS) {
+      return cached.members;
+    }
+    try {
+      const normalized = await readJoinedMatrixMembers(client, roomId);
+      if (!normalized) {
+        throw new Error("membership unavailable");
+      }
+      rememberBounded(joinedMembersCache, roomId, { members: normalized, ts: now });
+      return normalized;
+    } catch (err) {
+      log(`matrix: dm member lookup failed room=${roomId} (${String(err)})`);
+      return null;
+    }
+  };
+  const resolveDirectMemberFlag = async (
+    roomId: string,
+    userId?: string | null,
+  ): Promise<boolean | null> => {
+    const normalizedUserId = userId?.trim();
+    if (!normalizedUserId) {
+      return null;
+    }
+    const cacheKey = `${roomId}\n${normalizedUserId}`;
+    const cached = directMemberFlagCache.get(cacheKey);
+    const now = Date.now();
+    if (cached && now - cached.ts < DM_CACHE_TTL_MS) {
+      return cached.isDirect;
+    }
+    const isDirect = await hasDirectMatrixMemberFlag(client, roomId, normalizedUserId);
+    rememberBounded(
+      directMemberFlagCache,
+      cacheKey,
+      { isDirect, ts: now },
+      MAX_TRACKED_DM_MEMBER_FLAGS,
+    );
+    return isDirect;
+  };
+  const hasRecentInviteCandidate = (roomId: string, remoteUserId?: string | null): boolean => {
+    const normalizedRemoteUserId = remoteUserId?.trim();
+    if (!normalizedRemoteUserId) {
+      return false;
+    }
+    const cached = recentInviteCandidates.get(roomId);
+    if (!cached) {
+      return false;
+    }
+    if (Date.now() - cached.ts >= RECENT_INVITE_TTL_MS) {
+      recentInviteCandidates.delete(roomId);
+      return false;
+    }
+    return cached.remoteUserId === normalizedRemoteUserId;
+  };
+  const canPromoteRecentInvite = async (roomId: string): Promise<boolean> => {
+    try {
+      return (await opts.canPromoteRecentInvite?.(roomId)) ?? true;
+    } catch (err) {
+      log(`matrix: recent invite promotion veto failed room=${roomId} (${String(err)})`);
+      return false;
+    }
+  };
+  const canPromoteUnmappedStrictRoom = async (roomId: string): Promise<boolean> => {
+    try {
+      return (await opts.canPromoteUnmappedStrictRoom?.(roomId)) ?? false;
+    } catch (err) {
+      log(`matrix: unmapped strict room promotion veto failed room=${roomId} (${String(err)})`);
+      return false;
+    }
+  };
+  const shouldKeepLocallyPromotedDirectRoom = async (
+    roomId: string,
+  ): Promise<boolean | undefined> => {
+    try {
+      return await opts.shouldKeepLocallyPromotedDirectRoom?.(roomId);
+    } catch (err) {
+      log(`matrix: local promotion keep-check failed room=${roomId} (${String(err)})`);
+      return undefined;
+    }
+  };
+  const hasLocallyPromotedDirectRoom = (roomId: string, remoteUserId?: string | null): boolean => {
+    const normalizedRemoteUserId = remoteUserId?.trim();
+    if (!normalizedRemoteUserId) {
+      return false;
+    }
+    return locallyPromotedDirectRooms.get(roomId)?.remoteUserId === normalizedRemoteUserId;
+  };
+  const rememberLocallyPromotedDirectRoom = (roomId: string, remoteUserId: string): void => {
+    const normalizedRemoteUserId = remoteUserId.trim();
+    if (!normalizedRemoteUserId) {
+      return;
+    }
+    rememberBounded(locallyPromotedDirectRooms, roomId, {
+      remoteUserId: normalizedRemoteUserId,
+    });
+  };
+  return {
+    invalidateRoom: (roomId: string): void => {
+      joinedMembersCache.delete(roomId);
+      for (const key of directMemberFlagCache.keys()) {
+        if (key.startsWith(`${roomId}\n`)) {
+          directMemberFlagCache.delete(key);
+        }
+      }
+      lastDmUpdateMs = 0;
+      log(`matrix: invalidated dm cache room=${roomId}`);
+    },
+    rememberInvite: (roomId: string, remoteUserId: string): void => {
+      const normalizedRemoteUserId = remoteUserId.trim();
+      if (!normalizedRemoteUserId) {
+        return;
+      }
+      rememberBounded(recentInviteCandidates, roomId, {
+        remoteUserId: normalizedRemoteUserId,
+        ts: Date.now(),
+      });
+      log(`matrix: remembered invite candidate room=${roomId} sender=${normalizedRemoteUserId}`);
+    },
+    isDirectMessage: async (params: DirectMessageCheck): Promise<boolean> => {
+      const { roomId, senderId } = params;
+      const selfUserId = params.selfUserId ?? (await ensureSelfUserId());
+      const joinedMembers = await resolveJoinedMembers(roomId);
+      const strictDirectMembership = isStrictDirectMembership({
+        selfUserId,
+        remoteUserId: senderId,
+        joinedMembers,
+      });
+      try {
+        await refreshDmCache();
+      } catch (err) {
+        log(`matrix: dm cache refresh failed (${String(err)})`);
+      }
+      if (client.dms.isDm(roomId)) {
+        if (strictDirectMembership) {
+          log(`matrix: dm detected via m.direct room=${roomId}`);
+          return true;
+        }
+        log(`matrix: ignoring stale m.direct classification room=${roomId}`);
+      }
+      if (strictDirectMembership) {
+        const directViaSelf = await resolveDirectMemberFlag(roomId, selfUserId);
+        if (directViaSelf === true) {
+          log(`matrix: dm detected via member state room=${roomId}`);
+          return true;
+        }
+        if (directViaSelf === false) {
+          log(`matrix: dm rejected via member state room=${roomId}`);
+          return false;
+        }
+        if (!hasSeededDmCache) {
+          log(
+            `matrix: dm detected via exact 2-member fallback before dm cache seed room=${roomId}`,
+          );
+          return true;
+        }
+        if (hasLocallyPromotedDirectRoom(roomId, senderId)) {
+          const shouldKeep = await shouldKeepLocallyPromotedDirectRoom(roomId);
+          if (shouldKeep !== false) {
+            log(`matrix: dm detected via local promotion room=${roomId}`);
+            return true;
+          }
+          locallyPromotedDirectRooms.delete(roomId);
+          log(`matrix: local promotion cleared room=${roomId}`);
+        }
+        if (hasRecentInviteCandidate(roomId, senderId) && (await canPromoteRecentInvite(roomId))) {
+          const promotion = await promoteMatrixDirectRoomCandidate({
+            client,
+            remoteUserId: senderId ?? "",
+            roomId,
+            selfUserId,
+          });
+          if (promotion.classifyAsDirect) {
+            rememberLocallyPromotedDirectRoom(roomId, senderId ?? "");
+            log(
+              `matrix: dm detected via recent invite room=${roomId} reason=${promotion.reason} repaired=${String(promotion.repaired)}`,
+            );
+            return true;
+          }
+        }
+        if (await canPromoteUnmappedStrictRoom(roomId)) {
+          const promotion = await promoteMatrixDirectRoomCandidate({
+            client,
+            remoteUserId: senderId ?? "",
+            roomId,
+            selfUserId,
+          });
+          if (promotion.classifyAsDirect) {
+            rememberLocallyPromotedDirectRoom(roomId, senderId ?? "");
+            log(
+              `matrix: dm detected via per-room strict fallback room=${roomId} reason=${promotion.reason} repaired=${String(promotion.repaired)}`,
+            );
+            return true;
+          }
+        }
+      }
+      log(
+        `matrix: dm check room=${roomId} result=group members=${joinedMembers?.length ?? "unknown"}`,
+      );
+      return false;
+    },
+  };
+}

package/src/matrix/monitor/events.ts ADDED Viewed

@@ -0,0 +1,397 @@
+import { normalizeOptionalString } from "autobot/plugin-sdk/string-coerce-runtime";
+import type { PluginRuntime, RuntimeLogger } from "../../runtime-api.js";
+import type { CoreConfig } from "../../types.js";
+import type { MatrixAuth } from "../client.js";
+import { formatMatrixEncryptedEventDisabledWarning } from "../encryption-guidance.js";
+import type { MatrixClient } from "../sdk.js";
+import type { MatrixRawEvent } from "./types.js";
+import { EventType } from "./types.js";
+import { createMatrixVerificationEventRouter } from "./verification-events.js";
+const MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_WINDOW_MS = 2 * 60_000;
+const MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_THRESHOLD = 3;
+const MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_SAMPLE_LIMIT = 3;
+type MatrixPostHealthySyncDecryptFailureObservation = {
+  key: string;
+  roomId: string;
+  eventId: string;
+  sender: string | null;
+  eventTs: number;
+  error: string;
+};
+function formatMatrixPostHealthySyncDecryptionHint(accountId: string): string {
+  return (
+    "matrix: repeated fresh encrypted messages are still failing to decrypt after Matrix resumed healthy sync. " +
+    "This device may still be missing new room keys. " +
+    `Check 'autobot matrix verify status --verbose --account ${accountId}' and 'autobot matrix devices list --account ${accountId}'.`
+  );
+}
+function isFreshPostHealthySyncDecryptFailure(params: {
+  event: MatrixRawEvent;
+  healthySyncSinceMs?: number;
+  graceMs?: number;
+  nowMs: number;
+}): boolean {
+  const { event, healthySyncSinceMs, graceMs = 0, nowMs } = params;
+  if (typeof healthySyncSinceMs !== "number" || !Number.isFinite(healthySyncSinceMs)) {
+    return false;
+  }
+  const eventTs = event.origin_server_ts;
+  if (!Number.isFinite(eventTs) || eventTs <= 0) {
+    return false;
+  }
+  if (eventTs < healthySyncSinceMs + graceMs) {
+    return false;
+  }
+  if (eventTs > nowMs + 60_000) {
+    return false;
+  }
+  return true;
+}
+function createMatrixPostHealthySyncDecryptFailureTracker(params: {
+  getHealthySyncSinceMs?: () => number | undefined;
+  startupGraceMs?: number;
+}) {
+  let observations: MatrixPostHealthySyncDecryptFailureObservation[] = [];
+  let warningEmitted = false;
+  let trackedHealthySyncSinceMs: number | undefined;
+  const resetObservations = () => {
+    observations = [];
+    warningEmitted = false;
+  };
+  const pruneObservations = (nowMs: number) => {
+    observations = observations.filter(
+      (entry) => nowMs - entry.eventTs <= MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_WINDOW_MS,
+    );
+    if (observations.length === 0) {
+      warningEmitted = false;
+    }
+  };
+  return {
+    recordFailure(roomId: string, event: MatrixRawEvent, error: Error) {
+      const nowMs = Date.now();
+      const healthySyncSinceMs = params.getHealthySyncSinceMs?.();
+      if (healthySyncSinceMs !== trackedHealthySyncSinceMs) {
+        trackedHealthySyncSinceMs = healthySyncSinceMs;
+        resetObservations();
+      }
+      if (
+        !isFreshPostHealthySyncDecryptFailure({
+          event,
+          healthySyncSinceMs,
+          graceMs: params.startupGraceMs,
+          nowMs,
+        })
+      ) {
+        return { freshAfterHealthySync: false, failureCount: 0 } as const;
+      }
+      pruneObservations(nowMs);
+      const key = `${roomId}|${event.event_id}`;
+      if (!observations.some((entry) => entry.key === key)) {
+        observations.push({
+          key,
+          roomId,
+          eventId: event.event_id,
+          sender: typeof event.sender === "string" ? event.sender : null,
+          eventTs: event.origin_server_ts,
+          error: error.message,
+        });
+      }
+      const failureCount = observations.length;
+      if (warningEmitted || failureCount < MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_THRESHOLD) {
+        return { freshAfterHealthySync: true, failureCount } as const;
+      }
+      warningEmitted = true;
+      const rooms = [...new Set(observations.map((entry) => entry.roomId))].slice(
+        0,
+        MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_SAMPLE_LIMIT,
+      );
+      const senders = [...new Set(observations.map((entry) => entry.sender).filter(Boolean))].slice(
+        0,
+        MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_SAMPLE_LIMIT,
+      );
+      const eventIds = observations
+        .slice(-MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_SAMPLE_LIMIT)
+        .map((entry) => entry.eventId);
+      const latestError = observations.at(-1)?.error ?? error.message;
+      return {
+        freshAfterHealthySync: true,
+        failureCount,
+        warning: {
+          rooms,
+          roomCount: new Set(observations.map((entry) => entry.roomId)).size,
+          senders,
+          senderCount: new Set(observations.map((entry) => entry.sender).filter(Boolean)).size,
+          eventIds,
+          latestError,
+          windowMs: MATRIX_POST_HEALTHY_SYNC_DECRYPT_FAILURE_WINDOW_MS,
+        },
+      } as const;
+    },
+  };
+}
+function formatMatrixSelfDecryptionHint(accountId: string): string {
+  return (
+    "matrix: failed to decrypt a message from this same Matrix user. " +
+    "This usually means another Matrix device did not share the room key, or another AutoBot runtime is using the same account. " +
+    `Check 'autobot matrix verify status --verbose --account ${accountId}' and 'autobot matrix devices list --account ${accountId}'.`
+  );
+}
+async function resolveMatrixSelfUserId(
+  client: MatrixClient,
+  logVerboseMessage: (message: string) => void,
+): Promise<string | null> {
+  if (typeof client.getUserId !== "function") {
+    return null;
+  }
+  try {
+    return (await client.getUserId()) ?? null;
+  } catch (err) {
+    logVerboseMessage(`matrix: failed resolving self user id for decrypt warning: ${String(err)}`);
+    return null;
+  }
+}
+export function registerMatrixMonitorEvents(params: {
+  cfg: CoreConfig;
+  client: MatrixClient;
+  auth: MatrixAuth;
+  allowFrom: string[];
+  dmEnabled: boolean;
+  dmPolicy: "open" | "pairing" | "allowlist" | "disabled";
+  readStoreAllowFrom: () => Promise<string[]>;
+  directTracker?: {
+    invalidateRoom: (roomId: string) => void;
+    rememberInvite?: (roomId: string, remoteUserId: string) => void;
+  };
+  logVerboseMessage: (message: string) => void;
+  warnedEncryptedRooms: Set<string>;
+  warnedCryptoMissingRooms: Set<string>;
+  logger: RuntimeLogger;
+  startupGraceMs?: number;
+  getHealthySyncSinceMs?: () => number | undefined;
+  formatNativeDependencyHint: PluginRuntime["system"]["formatNativeDependencyHint"];
+  onRoomMessage: (roomId: string, event: MatrixRawEvent) => void | Promise<void>;
+  runDetachedTask?: (label: string, task: () => Promise<void>) => Promise<void>;
+  sasNoticeRetryDelayMs?: number;
+}): void {
+  const {
+    cfg,
+    client,
+    auth,
+    allowFrom,
+    dmEnabled,
+    dmPolicy,
+    readStoreAllowFrom,
+    directTracker,
+    logVerboseMessage,
+    warnedEncryptedRooms,
+    warnedCryptoMissingRooms,
+    logger,
+    startupGraceMs,
+    getHealthySyncSinceMs,
+    formatNativeDependencyHint,
+    onRoomMessage,
+    runDetachedTask,
+    sasNoticeRetryDelayMs,
+  } = params;
+  const postHealthySyncDecryptFailureTracker = createMatrixPostHealthySyncDecryptFailureTracker({
+    getHealthySyncSinceMs,
+    startupGraceMs,
+  });
+  const { routeVerificationEvent, routeVerificationSummary } = createMatrixVerificationEventRouter({
+    client,
+    allowFrom,
+    dmEnabled,
+    dmPolicy,
+    readStoreAllowFrom,
+    logVerboseMessage,
+    runDetachedTask,
+    sasNoticeRetryDelayMs,
+  });
+  const runMonitorTask = (label: string, task: () => Promise<void>) => {
+    if (runDetachedTask) {
+      return runDetachedTask(label, task);
+    }
+    return Promise.resolve()
+      .then(task)
+      .catch((error) => {
+        logVerboseMessage(`matrix: ${label} failed (${String(error)})`);
+      });
+  };
+  client.on("room.message", (roomId: string, event: MatrixRawEvent) => {
+    if (routeVerificationEvent(roomId, event)) {
+      return;
+    }
+    void runMonitorTask(
+      `room message handler room=${roomId} id=${event.event_id ?? "unknown"}`,
+      async () => {
+        await onRoomMessage(roomId, event);
+      },
+    );
+  });
+  client.on("room.encrypted_event", (roomId: string, event: MatrixRawEvent) => {
+    const eventId = event?.event_id ?? "unknown";
+    const eventType = event?.type ?? "unknown";
+    logVerboseMessage(`matrix: encrypted event room=${roomId} type=${eventType} id=${eventId}`);
+  });
+  client.on("room.decrypted_event", (roomId: string, event: MatrixRawEvent) => {
+    const eventId = event?.event_id ?? "unknown";
+    const eventType = event?.type ?? "unknown";
+    logVerboseMessage(`matrix: decrypted event room=${roomId} type=${eventType} id=${eventId}`);
+    if (routeVerificationEvent(roomId, event)) {
+      return;
+    }
+    if (eventType !== EventType.RoomMessage) {
+      return;
+    }
+    void runMonitorTask(
+      `decrypted room message handler room=${roomId} id=${event.event_id ?? "unknown"}`,
+      async () => {
+        await onRoomMessage(roomId, event);
+      },
+    );
+  });
+  client.on(
+    "room.failed_decryption",
+    async (roomId: string, event: MatrixRawEvent, error: Error) => {
+      const failureState = postHealthySyncDecryptFailureTracker.recordFailure(roomId, event, error);
+      const selfUserId = await resolveMatrixSelfUserId(client, logVerboseMessage);
+      const sender = typeof event.sender === "string" ? event.sender : null;
+      const senderMatchesOwnUser = Boolean(selfUserId && sender && selfUserId === sender);
+      logger.warn(
+        failureState.freshAfterHealthySync
+          ? "Failed to decrypt fresh post-healthy-sync message"
+          : "Failed to decrypt message",
+        {
+          roomId,
+          eventId: event.event_id,
+          sender,
+          senderMatchesOwnUser,
+          error: error.message,
+          freshAfterHealthySync: failureState.freshAfterHealthySync,
+          ...(failureState.freshAfterHealthySync
+            ? {
+                postHealthySyncFailureCount: failureState.failureCount,
+              }
+            : {}),
+        },
+      );
+      if (failureState.warning) {
+        logger.warn(formatMatrixPostHealthySyncDecryptionHint(auth.accountId), {
+          roomId,
+          eventId: event.event_id,
+          failureCount: failureState.failureCount,
+          roomCount: failureState.warning.roomCount,
+          rooms: failureState.warning.rooms,
+          senderCount: failureState.warning.senderCount,
+          senders: failureState.warning.senders,
+          sampleEventIds: failureState.warning.eventIds,
+          latestError: failureState.warning.latestError,
+          windowMs: failureState.warning.windowMs,
+        });
+      }
+      if (senderMatchesOwnUser) {
+        logger.warn(formatMatrixSelfDecryptionHint(auth.accountId), {
+          roomId,
+          eventId: event.event_id,
+          sender,
+        });
+      }
+      logVerboseMessage(
+        `matrix: failed decrypt room=${roomId} id=${event.event_id ?? "unknown"} freshAfterHealthySync=${String(failureState.freshAfterHealthySync)} error=${error.message}`,
+      );
+    },
+  );
+  client.on("verification.summary", (summary) => {
+    void runMonitorTask("verification summary handler", async () => {
+      await routeVerificationSummary(summary);
+    });
+  });
+  client.on("room.invite", (roomId: string, event: MatrixRawEvent) => {
+    directTracker?.invalidateRoom(roomId);
+    const eventId = event?.event_id ?? "unknown";
+    const sender = event?.sender ?? "unknown";
+    const invitee = normalizeOptionalString(event?.state_key) ?? "";
+    const senderIsInvitee =
+      Boolean(invitee) && (normalizeOptionalString(event?.sender) ?? "") === invitee;
+    const isDirect = (event?.content as { is_direct?: boolean } | undefined)?.is_direct === true;
+    const rememberedSender = normalizeOptionalString(event?.sender);
+    if (rememberedSender && !senderIsInvitee) {
+      directTracker?.rememberInvite?.(roomId, rememberedSender);
+    }
+    logVerboseMessage(
+      `matrix: invite room=${roomId} sender=${sender} direct=${String(isDirect)} id=${eventId}`,
+    );
+  });
+  client.on("room.join", (roomId: string, event: MatrixRawEvent) => {
+    directTracker?.invalidateRoom(roomId);
+    const eventId = event?.event_id ?? "unknown";
+    logVerboseMessage(`matrix: join room=${roomId} id=${eventId}`);
+  });
+  client.on("room.event", (roomId: string, event: MatrixRawEvent) => {
+    const eventType = event?.type ?? "unknown";
+    if (eventType === EventType.RoomMessageEncrypted) {
+      logVerboseMessage(
+        `matrix: encrypted raw event room=${roomId} id=${event?.event_id ?? "unknown"}`,
+      );
+      if (auth.encryption !== true && !warnedEncryptedRooms.has(roomId)) {
+        warnedEncryptedRooms.add(roomId);
+        const warning = formatMatrixEncryptedEventDisabledWarning(cfg, auth.accountId);
+        logger.warn(warning, { roomId });
+      }
+      if (auth.encryption === true && !client.crypto && !warnedCryptoMissingRooms.has(roomId)) {
+        warnedCryptoMissingRooms.add(roomId);
+        const hint = formatNativeDependencyHint({
+          packageName: "@matrix-org/matrix-sdk-crypto-nodejs",
+          manager: "pnpm",
+          downloadCommand: "node node_modules/@matrix-org/matrix-sdk-crypto-nodejs/download-lib.js",
+        });
+        const warning = `matrix: encryption enabled but crypto is unavailable; ${hint}`;
+        logger.warn(warning, { roomId });
+      }
+      return;
+    }
+    if (eventType === EventType.RoomMember) {
+      directTracker?.invalidateRoom(roomId);
+      const membership = (event?.content as { membership?: string } | undefined)?.membership;
+      const stateKey = (event as { state_key?: string }).state_key ?? "";
+      logVerboseMessage(
+        `matrix: member event room=${roomId} stateKey=${stateKey} membership=${membership ?? "unknown"}`,
+      );
+    }
+    if (eventType === EventType.Reaction) {
+      void runMonitorTask(
+        `reaction handler room=${roomId} id=${event.event_id ?? "unknown"}`,
+        async () => {
+          await onRoomMessage(roomId, event);
+        },
+      );
+      return;
+    }
+    routeVerificationEvent(roomId, event);
+  });
+}