@kodelyth/matrix 2026.5.42 → 2026.6.2

package/src/doctor-contract.ts

@@ -1,287 +0,0 @@
-import type {
-  ChannelDoctorConfigMutation,
-  ChannelDoctorLegacyConfigRule,
-} from "klaw/plugin-sdk/channel-contract";
-import type { KlawConfig } from "klaw/plugin-sdk/config-contracts";
-import {
-  hasLegacyFlatAllowPrivateNetworkAlias,
-  migrateLegacyFlatAllowPrivateNetworkAlias,
-} from "klaw/plugin-sdk/ssrf-runtime";
-import { isRecord } from "./record-shared.js";
-
-function hasLegacyMatrixRoomAllowAlias(value: unknown): boolean {
-  const room = isRecord(value) ? value : null;
-  return Boolean(room && typeof room.allow === "boolean");
-}
-
-function hasLegacyMatrixRoomMapAllowAliases(value: unknown): boolean {
-  const rooms = isRecord(value) ? value : null;
-  return Boolean(rooms && Object.values(rooms).some((room) => hasLegacyMatrixRoomAllowAlias(room)));
-}
-
-function hasLegacyMatrixAccountRoomAllowAliases(value: unknown): boolean {
-  const accounts = isRecord(value) ? value : null;
-  if (!accounts) {
-    return false;
-  }
-  return Object.values(accounts).some((account) => {
-    if (!isRecord(account)) {
-      return false;
-    }
-    return (
-      hasLegacyMatrixRoomMapAllowAliases(account.groups) ||
-      hasLegacyMatrixRoomMapAllowAliases(account.rooms)
-    );
-  });
-}
-
-function hasLegacyMatrixAccountPrivateNetworkAliases(value: unknown): boolean {
-  const accounts = isRecord(value) ? value : null;
-  if (!accounts) {
-    return false;
-  }
-  return Object.values(accounts).some((account) =>
-    hasLegacyFlatAllowPrivateNetworkAlias(isRecord(account) ? account : {}),
-  );
-}
-
-function hasLegacyTrustedDmPolicy(value: unknown): boolean {
-  const root = isRecord(value) ? value : null;
-  if (!root) {
-    return false;
-  }
-  const dm = isRecord(root.dm) ? root.dm : null;
-  return dm?.policy === "trusted";
-}
-
-function hasLegacyMatrixAccountTrustedDmPolicies(value: unknown): boolean {
-  const accounts = isRecord(value) ? value : null;
-  if (!accounts) {
-    return false;
-  }
-  return Object.values(accounts).some((account) => hasLegacyTrustedDmPolicy(account));
-}
-
-function migrateLegacyTrustedDmPolicy(params: {
-  entry: Record<string, unknown>;
-  pathPrefix: string;
-  changes: string[];
-}): { entry: Record<string, unknown>; changed: boolean } {
-  const dm = isRecord(params.entry.dm) ? params.entry.dm : null;
-  if (!dm || dm.policy !== "trusted") {
-    return { entry: params.entry, changed: false };
-  }
-  const allowFromRaw = dm.allowFrom;
-  // Trim before counting: downstream allowlist normalization drops whitespace-only
-  // entries, so a config like ["   "] must still fall back to "pairing"
-  // instead of becoming an effectively empty allowlist.
-  const allowFromEntries = Array.isArray(allowFromRaw)
-    ? allowFromRaw.filter(
-        (entry): entry is string => typeof entry === "string" && entry.trim().length > 0,
-      ).length
-    : 0;
-  // Preserve the operator's existing trust boundary when an explicit allowFrom
-  // list is present; only fall back to pairing when the effective allowlist is
-  // empty.
-  const nextPolicy: "allowlist" | "pairing" = allowFromEntries > 0 ? "allowlist" : "pairing";
-  const nextDm = { ...dm, policy: nextPolicy };
-  params.changes.push(
-    `Migrated ${params.pathPrefix}.dm.policy "trusted" → "${nextPolicy}" (legacy alias removed; ` +
-      `${allowFromEntries > 0 ? `preserved ${allowFromEntries} ${params.pathPrefix}.dm.allowFrom ${allowFromEntries === 1 ? "entry" : "entries"}` : "no allowFrom entries present, defaulting to pairing for safety"}).`,
-  );
-  return { entry: { ...params.entry, dm: nextDm }, changed: true };
-}
-
-function normalizeMatrixRoomAllowAliases(params: {
-  rooms: Record<string, unknown>;
-  pathPrefix: string;
-  changes: string[];
-}): { rooms: Record<string, unknown>; changed: boolean } {
-  let changed = false;
-  const nextRooms: Record<string, unknown> = { ...params.rooms };
-  for (const [roomId, roomValue] of Object.entries(params.rooms)) {
-    const room = isRecord(roomValue) ? roomValue : null;
-    if (!room || typeof room.allow !== "boolean") {
-      continue;
-    }
-    const nextRoom = { ...room };
-    if (typeof nextRoom.enabled !== "boolean") {
-      nextRoom.enabled = room.allow;
-    }
-    delete nextRoom.allow;
-    nextRooms[roomId] = nextRoom;
-    changed = true;
-    params.changes.push(
-      `Moved ${params.pathPrefix}.${roomId}.allow → ${params.pathPrefix}.${roomId}.enabled (${String(nextRoom.enabled)}).`,
-    );
-  }
-  return { rooms: nextRooms, changed };
-}
-
-export const legacyConfigRules: ChannelDoctorLegacyConfigRule[] = [
-  {
-    path: ["channels", "matrix"],
-    message:
-      'channels.matrix.allowPrivateNetwork is legacy; use channels.matrix.network.dangerouslyAllowPrivateNetwork instead. Run "klaw doctor --fix".',
-    match: (value) => hasLegacyFlatAllowPrivateNetworkAlias(isRecord(value) ? value : {}),
-  },
-  {
-    path: ["channels", "matrix", "accounts"],
-    message:
-      'channels.matrix.accounts.<id>.allowPrivateNetwork is legacy; use channels.matrix.accounts.<id>.network.dangerouslyAllowPrivateNetwork instead. Run "klaw doctor --fix".',
-    match: hasLegacyMatrixAccountPrivateNetworkAliases,
-  },
-  {
-    path: ["channels", "matrix", "groups"],
-    message:
-      'channels.matrix.groups.<room>.allow is legacy; use channels.matrix.groups.<room>.enabled instead. Run "klaw doctor --fix".',
-    match: hasLegacyMatrixRoomMapAllowAliases,
-  },
-  {
-    path: ["channels", "matrix", "rooms"],
-    message:
-      'channels.matrix.rooms.<room>.allow is legacy; use channels.matrix.rooms.<room>.enabled instead. Run "klaw doctor --fix".',
-    match: hasLegacyMatrixRoomMapAllowAliases,
-  },
-  {
-    path: ["channels", "matrix", "accounts"],
-    message:
-      'channels.matrix.accounts.<id>.{groups,rooms}.<room>.allow is legacy; use channels.matrix.accounts.<id>.{groups,rooms}.<room>.enabled instead. Run "klaw doctor --fix".',
-    match: hasLegacyMatrixAccountRoomAllowAliases,
-  },
-  {
-    path: ["channels", "matrix"],
-    message:
-      'channels.matrix.dm.policy "trusted" is legacy; use "allowlist" (with allowFrom entries) or "pairing" instead. Run "klaw doctor --fix".',
-    match: hasLegacyTrustedDmPolicy,
-  },
-  {
-    path: ["channels", "matrix", "accounts"],
-    message:
-      'channels.matrix.accounts.<id>.dm.policy "trusted" is legacy; use "allowlist" (with allowFrom entries) or "pairing" instead. Run "klaw doctor --fix".',
-    match: hasLegacyMatrixAccountTrustedDmPolicies,
-  },
-];
-
-export function normalizeCompatibilityConfig({
-  cfg,
-}: {
-  cfg: KlawConfig;
-}): ChannelDoctorConfigMutation {
-  const channels = isRecord(cfg.channels) ? cfg.channels : null;
-  const matrix = isRecord(channels?.matrix) ? channels.matrix : null;
-  if (!matrix) {
-    return { config: cfg, changes: [] };
-  }
-
-  const changes: string[] = [];
-  let updatedMatrix: Record<string, unknown> = matrix;
-  let changed = false;
-
-  const topLevelPrivateNetwork = migrateLegacyFlatAllowPrivateNetworkAlias({
-    entry: updatedMatrix,
-    pathPrefix: "channels.matrix",
-    changes,
-  });
-  updatedMatrix = topLevelPrivateNetwork.entry;
-  changed = changed || topLevelPrivateNetwork.changed;
-
-  const topLevelTrustedDmPolicy = migrateLegacyTrustedDmPolicy({
-    entry: updatedMatrix,
-    pathPrefix: "channels.matrix",
-    changes,
-  });
-  updatedMatrix = topLevelTrustedDmPolicy.entry;
-  changed = changed || topLevelTrustedDmPolicy.changed;
-
-  const normalizeTopLevelRoomScope = (key: "groups" | "rooms") => {
-    const rooms = isRecord(updatedMatrix[key]) ? updatedMatrix[key] : null;
-    if (!rooms) {
-      return;
-    }
-    const normalized = normalizeMatrixRoomAllowAliases({
-      rooms,
-      pathPrefix: `channels.matrix.${key}`,
-      changes,
-    });
-    if (normalized.changed) {
-      updatedMatrix = { ...updatedMatrix, [key]: normalized.rooms };
-      changed = true;
-    }
-  };
-
-  normalizeTopLevelRoomScope("groups");
-  normalizeTopLevelRoomScope("rooms");
-
-  const accounts = isRecord(updatedMatrix.accounts) ? updatedMatrix.accounts : null;
-  if (accounts) {
-    let accountsChanged = false;
-    const nextAccounts: Record<string, unknown> = { ...accounts };
-    for (const [accountId, accountValue] of Object.entries(accounts)) {
-      const account = isRecord(accountValue) ? accountValue : null;
-      if (!account) {
-        continue;
-      }
-      let nextAccount: Record<string, unknown> = account;
-      let accountChanged = false;
-
-      const privateNetworkMigration = migrateLegacyFlatAllowPrivateNetworkAlias({
-        entry: nextAccount,
-        pathPrefix: `channels.matrix.accounts.${accountId}`,
-        changes,
-      });
-      if (privateNetworkMigration.changed) {
-        nextAccount = privateNetworkMigration.entry;
-        accountChanged = true;
-      }
-
-      const accountTrustedDmPolicy = migrateLegacyTrustedDmPolicy({
-        entry: nextAccount,
-        pathPrefix: `channels.matrix.accounts.${accountId}`,
-        changes,
-      });
-      if (accountTrustedDmPolicy.changed) {
-        nextAccount = accountTrustedDmPolicy.entry;
-        accountChanged = true;
-      }
-
-      for (const key of ["groups", "rooms"] as const) {
-        const rooms = isRecord(nextAccount[key]) ? nextAccount[key] : null;
-        if (!rooms) {
-          continue;
-        }
-        const normalized = normalizeMatrixRoomAllowAliases({
-          rooms,
-          pathPrefix: `channels.matrix.accounts.${accountId}.${key}`,
-          changes,
-        });
-        if (normalized.changed) {
-          nextAccount = { ...nextAccount, [key]: normalized.rooms };
-          accountChanged = true;
-        }
-      }
-      if (accountChanged) {
-        nextAccounts[accountId] = nextAccount;
-        accountsChanged = true;
-      }
-    }
-    if (accountsChanged) {
-      updatedMatrix = { ...updatedMatrix, accounts: nextAccounts };
-      changed = true;
-    }
-  }
-
-  if (!changed) {
-    return { config: cfg, changes: [] };
-  }
-  return {
-    config: {
-      ...cfg,
-      channels: {
-        ...cfg.channels,
-        matrix: updatedMatrix as NonNullable<KlawConfig["channels"]>["matrix"],
-      },
-    },
-    changes,
-  };
-}

package/src/doctor.ts

@@ -1,262 +0,0 @@
-import { type ChannelDoctorAdapter } from "klaw/plugin-sdk/channel-contract";
-import type { KlawConfig } from "klaw/plugin-sdk/config-contracts";
-import {
-  detectPluginInstallPathIssue,
-  formatPluginInstallPathIssue,
-  removePluginFromConfig,
-} from "klaw/plugin-sdk/runtime-doctor";
-import {
-  legacyConfigRules as MATRIX_LEGACY_CONFIG_RULES,
-  normalizeCompatibilityConfig as normalizeMatrixCompatibilityConfig,
-} from "./doctor-contract.js";
-import {
-  autoMigrateLegacyMatrixState,
-  autoPrepareLegacyMatrixCrypto,
-  detectLegacyMatrixCrypto,
-  detectLegacyMatrixState,
-  maybeCreateMatrixMigrationSnapshot,
-  resolveMatrixMigrationStatus,
-} from "./matrix-migration.runtime.js";
-import { isRecord } from "./record-shared.js";
-
-function hasConfiguredMatrixChannel(cfg: KlawConfig): boolean {
-  const channels = cfg.channels as Record<string, unknown> | undefined;
-  return isRecord(channels?.matrix);
-}
-
-function hasConfiguredMatrixPluginSurface(cfg: KlawConfig): boolean {
-  return Boolean(
-    cfg.plugins?.installs?.matrix ||
-    cfg.plugins?.entries?.matrix ||
-    cfg.plugins?.allow?.includes("matrix") ||
-    cfg.plugins?.deny?.includes("matrix"),
-  );
-}
-
-function hasConfiguredMatrixEnv(env: NodeJS.ProcessEnv): boolean {
-  return Object.entries(env).some(
-    ([key, value]) => key.startsWith("MATRIX_") && typeof value === "string" && value.trim(),
-  );
-}
-
-function configMayNeedMatrixDoctorSequence(cfg: KlawConfig, env: NodeJS.ProcessEnv): boolean {
-  return (
-    hasConfiguredMatrixChannel(cfg) ||
-    hasConfiguredMatrixPluginSurface(cfg) ||
-    hasConfiguredMatrixEnv(env)
-  );
-}
-
-export function formatMatrixLegacyStatePreview(
-  detection: Exclude<ReturnType<typeof detectLegacyMatrixState>, null | { warning: string }>,
-): string {
-  return [
-    "- Matrix plugin upgraded in place.",
-    `- Legacy sync store: ${detection.legacyStoragePath} -> ${detection.targetStoragePath}`,
-    `- Legacy crypto store: ${detection.legacyCryptoPath} -> ${detection.targetCryptoPath}`,
-    ...(detection.selectionNote ? [`- ${detection.selectionNote}`] : []),
-    '- Run "klaw doctor --fix" to migrate this Matrix state now.',
-  ].join("\n");
-}
-
-export function formatMatrixLegacyCryptoPreview(
-  detection: ReturnType<typeof detectLegacyMatrixCrypto>,
-): string[] {
-  const notes: string[] = [];
-  for (const warning of detection.warnings) {
-    notes.push(`- ${warning}`);
-  }
-  for (const plan of detection.plans) {
-    notes.push(
-      [
-        `- Matrix encrypted-state migration is pending for account "${plan.accountId}".`,
-        `- Legacy crypto store: ${plan.legacyCryptoPath}`,
-        `- New recovery key file: ${plan.recoveryKeyPath}`,
-        `- Migration state file: ${plan.statePath}`,
-        '- Run "klaw doctor --fix" to extract any saved backup key now. Backed-up room keys will restore automatically on next gateway start.',
-      ].join("\n"),
-    );
-  }
-  return notes;
-}
-
-export async function collectMatrixInstallPathWarnings(cfg: KlawConfig): Promise<string[]> {
-  const issue = await detectPluginInstallPathIssue({
-    pluginId: "matrix",
-    install: cfg.plugins?.installs?.matrix,
-  });
-  if (!issue) {
-    return [];
-  }
-  return formatPluginInstallPathIssue({
-    issue,
-    pluginLabel: "Matrix",
-    defaultInstallCommand: "klaw plugins install @kodelyth/matrix",
-  }).map((entry) => `- ${entry}`);
-}
-
-export async function cleanStaleMatrixPluginConfig(cfg: KlawConfig) {
-  const issue = await detectPluginInstallPathIssue({
-    pluginId: "matrix",
-    install: cfg.plugins?.installs?.matrix,
-  });
-  if (!issue || issue.kind !== "missing-path") {
-    return { config: cfg, changes: [] };
-  }
-  const { config, actions } = removePluginFromConfig(cfg, "matrix");
-  const removed: string[] = [];
-  if (actions.install) {
-    removed.push("install record");
-  }
-  if (actions.loadPath) {
-    removed.push("load path");
-  }
-  if (actions.entry) {
-    removed.push("plugin entry");
-  }
-  if (actions.allowlist) {
-    removed.push("allowlist entry");
-  }
-  if (removed.length === 0) {
-    return { config: cfg, changes: [] };
-  }
-  return {
-    config,
-    changes: [
-      `Removed stale Matrix plugin references (${removed.join(", ")}). The previous install path no longer exists: ${issue.path}`,
-    ],
-  };
-}
-
-export async function applyMatrixDoctorRepair(params: {
-  cfg: KlawConfig;
-  env: NodeJS.ProcessEnv;
-}): Promise<{ changes: string[]; warnings: string[] }> {
-  const changes: string[] = [];
-  const warnings: string[] = [];
-  const migrationStatus = resolveMatrixMigrationStatus({
-    cfg: params.cfg,
-    env: params.env,
-  });
-
-  let matrixSnapshotReady = true;
-  if (migrationStatus.actionable) {
-    try {
-      const snapshot = await maybeCreateMatrixMigrationSnapshot({
-        trigger: "doctor-fix",
-        env: params.env,
-      });
-      changes.push(
-        `Matrix migration snapshot ${snapshot.created ? "created" : "reused"} before applying Matrix upgrades.\n- ${snapshot.archivePath}`,
-      );
-    } catch (error) {
-      matrixSnapshotReady = false;
-      warnings.push(
-        `- Failed creating a Matrix migration snapshot before repair: ${String(error)}`,
-      );
-      warnings.push(
-        '- Skipping Matrix migration changes for now. Resolve the snapshot failure, then rerun "klaw doctor --fix".',
-      );
-    }
-  } else if (migrationStatus.pending) {
-    warnings.push(
-      "- Matrix migration warnings are present, but no on-disk Matrix mutation is actionable yet. No pre-migration snapshot was needed.",
-    );
-  }
-
-  if (!matrixSnapshotReady) {
-    return { changes, warnings };
-  }
-
-  const matrixStateRepair = await autoMigrateLegacyMatrixState({
-    cfg: params.cfg,
-    env: params.env,
-  });
-  if (matrixStateRepair.changes.length > 0) {
-    changes.push(
-      [
-        "Matrix plugin upgraded in place.",
-        ...matrixStateRepair.changes.map((entry) => `- ${entry}`),
-        "- No user action required.",
-      ].join("\n"),
-    );
-  }
-  if (matrixStateRepair.warnings.length > 0) {
-    warnings.push(matrixStateRepair.warnings.map((entry) => `- ${entry}`).join("\n"));
-  }
-
-  const matrixCryptoRepair = await autoPrepareLegacyMatrixCrypto({
-    cfg: params.cfg,
-    env: params.env,
-  });
-  if (matrixCryptoRepair.changes.length > 0) {
-    changes.push(
-      [
-        "Matrix encrypted-state migration prepared.",
-        ...matrixCryptoRepair.changes.map((entry) => `- ${entry}`),
-      ].join("\n"),
-    );
-  }
-  if (matrixCryptoRepair.warnings.length > 0) {
-    warnings.push(matrixCryptoRepair.warnings.map((entry) => `- ${entry}`).join("\n"));
-  }
-
-  return { changes, warnings };
-}
-
-export async function runMatrixDoctorSequence(params: {
-  cfg: KlawConfig;
-  env: NodeJS.ProcessEnv;
-  shouldRepair: boolean;
-}): Promise<{ changeNotes: string[]; warningNotes: string[] }> {
-  const warningNotes: string[] = [];
-  const changeNotes: string[] = [];
-  const installWarnings = await collectMatrixInstallPathWarnings(params.cfg);
-  if (installWarnings.length > 0) {
-    warningNotes.push(installWarnings.join("\n"));
-  }
-  if (!configMayNeedMatrixDoctorSequence(params.cfg, params.env)) {
-    return { changeNotes, warningNotes };
-  }
-
-  if (params.shouldRepair) {
-    const repair = await applyMatrixDoctorRepair({
-      cfg: params.cfg,
-      env: params.env,
-    });
-    changeNotes.push(...repair.changes);
-    warningNotes.push(...repair.warnings);
-  } else {
-    const migrationStatus = resolveMatrixMigrationStatus({
-      cfg: params.cfg,
-      env: params.env,
-    });
-    if (migrationStatus.legacyState) {
-      if ("warning" in migrationStatus.legacyState) {
-        warningNotes.push(`- ${migrationStatus.legacyState.warning}`);
-      } else {
-        warningNotes.push(formatMatrixLegacyStatePreview(migrationStatus.legacyState));
-      }
-    }
-    if (
-      migrationStatus.legacyCrypto.warnings.length > 0 ||
-      migrationStatus.legacyCrypto.plans.length > 0
-    ) {
-      warningNotes.push(...formatMatrixLegacyCryptoPreview(migrationStatus.legacyCrypto));
-    }
-  }
-
-  return { changeNotes, warningNotes };
-}
-
-export const matrixDoctor: ChannelDoctorAdapter = {
-  dmAllowFromMode: "nestedOnly",
-  groupModel: "sender",
-  groupAllowFromFallbackToAllowFrom: false,
-  warnOnEmptyGroupSenderAllowlist: true,
-  legacyConfigRules: MATRIX_LEGACY_CONFIG_RULES,
-  normalizeCompatibilityConfig: normalizeMatrixCompatibilityConfig,
-  runConfigSequence: async ({ cfg, env, shouldRepair }) =>
-    await runMatrixDoctorSequence({ cfg, env, shouldRepair }),
-  cleanStaleConfig: async ({ cfg }) => await cleanStaleMatrixPluginConfig(cfg),
-};

package/src/env-vars.ts

@@ -1,92 +0,0 @@
-import { normalizeAccountId, normalizeOptionalAccountId } from "klaw/plugin-sdk/account-id";
-
-const MATRIX_SCOPED_ENV_SUFFIXES = [
-  "HOMESERVER",
-  "USER_ID",
-  "ACCESS_TOKEN",
-  "PASSWORD",
-  "DEVICE_ID",
-  "DEVICE_NAME",
-] as const;
-const MATRIX_GLOBAL_ENV_KEYS = MATRIX_SCOPED_ENV_SUFFIXES.map((suffix) => `MATRIX_${suffix}`);
-
-const MATRIX_SCOPED_ENV_RE = new RegExp(`^MATRIX_(.+)_(${MATRIX_SCOPED_ENV_SUFFIXES.join("|")})$`);
-
-export function resolveMatrixEnvAccountToken(accountId: string): string {
-  return Array.from(normalizeAccountId(accountId))
-    .map((char) =>
-      /[a-z0-9]/.test(char)
-        ? char.toUpperCase()
-        : `_X${char.codePointAt(0)?.toString(16).toUpperCase() ?? "00"}_`,
-    )
-    .join("");
-}
-
-export function getMatrixScopedEnvVarNames(accountId: string): {
-  homeserver: string;
-  userId: string;
-  accessToken: string;
-  password: string;
-  deviceId: string;
-  deviceName: string;
-} {
-  const token = resolveMatrixEnvAccountToken(accountId);
-  return {
-    homeserver: `MATRIX_${token}_HOMESERVER`,
-    userId: `MATRIX_${token}_USER_ID`,
-    accessToken: `MATRIX_${token}_ACCESS_TOKEN`,
-    password: `MATRIX_${token}_PASSWORD`,
-    deviceId: `MATRIX_${token}_DEVICE_ID`,
-    deviceName: `MATRIX_${token}_DEVICE_NAME`,
-  };
-}
-
-function decodeMatrixEnvAccountToken(token: string): string | undefined {
-  let decoded = "";
-  for (let index = 0; index < token.length; ) {
-    const hexEscape = /^_X([0-9A-F]+)_/.exec(token.slice(index));
-    if (hexEscape) {
-      const hex = hexEscape[1];
-      const codePoint = hex ? Number.parseInt(hex, 16) : Number.NaN;
-      if (!Number.isFinite(codePoint)) {
-        return undefined;
-      }
-      const char = String.fromCodePoint(codePoint);
-      decoded += char;
-      index += hexEscape[0].length;
-      continue;
-    }
-    const char = token[index];
-    if (!char || !/[A-Z0-9]/.test(char)) {
-      return undefined;
-    }
-    decoded += char.toLowerCase();
-    index += 1;
-  }
-  const normalized = normalizeOptionalAccountId(decoded);
-  if (!normalized) {
-    return undefined;
-  }
-  return resolveMatrixEnvAccountToken(normalized) === token ? normalized : undefined;
-}
-
-export function listMatrixEnvAccountIds(env: NodeJS.ProcessEnv = process.env): string[] {
-  const ids = new Set<string>();
-  for (const key of MATRIX_GLOBAL_ENV_KEYS) {
-    if (typeof env[key] === "string" && env[key]?.trim()) {
-      ids.add(normalizeAccountId("default"));
-      break;
-    }
-  }
-  for (const key of Object.keys(env)) {
-    const match = MATRIX_SCOPED_ENV_RE.exec(key);
-    if (!match) {
-      continue;
-    }
-    const accountId = decodeMatrixEnvAccountToken(match[1]);
-    if (accountId) {
-      ids.add(accountId);
-    }
-  }
-  return Array.from(ids).toSorted((a, b) => a.localeCompare(b));
-}

package/src/exec-approval-resolver.ts

@@ -1,23 +0,0 @@
-import { resolveApprovalOverGateway } from "klaw/plugin-sdk/approval-gateway-runtime";
-import type { ExecApprovalReplyDecision } from "klaw/plugin-sdk/approval-runtime";
-import type { KlawConfig } from "klaw/plugin-sdk/config-contracts";
-import { isApprovalNotFoundError } from "klaw/plugin-sdk/error-runtime";
-
-export { isApprovalNotFoundError };
-
-export async function resolveMatrixApproval(params: {
-  cfg: KlawConfig;
-  approvalId: string;
-  decision: ExecApprovalReplyDecision;
-  senderId?: string | null;
-  gatewayUrl?: string;
-}): Promise<void> {
-  await resolveApprovalOverGateway({
-    cfg: params.cfg,
-    approvalId: params.approvalId,
-    decision: params.decision,
-    senderId: params.senderId,
-    gatewayUrl: params.gatewayUrl,
-    clientDisplayName: `Matrix approval (${params.senderId?.trim() || "unknown"})`,
-  });
-}