@openclaw/matrix 2026.5.28 → 2026.5.30-beta.1

package/dist/{shared-CmsjJY4i.js → shared-DjJds8e0.js}

@@ -1,11 +1,11 @@
 import { t as __exportAll } from "./rolldown-runtime-8H4AJuhK.js";
-import { a as resolveMatrixDefaultOrOnlyAccountId, n as requiresExplicitMatrixDefaultAccount, o as resolveMatrixAccountStringValues } from "./account-selection-C3arLOhC.js";
+import { a as resolveMatrixDefaultOrOnlyAccountId, n as requiresExplicitMatrixDefaultAccount, o as resolveMatrixAccountStringValues } from "./account-selection-DEMtY2cn.js";
 import { t as getMatrixScopedEnvVarNames } from "./env-vars-KzaYveuy.js";
 import { i as findMatrixAccountConfig, l as resolveMatrixBaseConfig, o as listNormalizedMatrixAccountIds, t as resolveMatrixConfigFieldPath } from "./config-paths-ZBCMwSos.js";
 import { i as resolveScopedMatrixEnvConfig, n as resolveGlobalMatrixEnvConfig } from "./env-auth-DIzOApj0.js";
 import { t as getMatrixRuntime } from "./runtime-6S3DNFNv.js";
 import { t as resolveValidatedMatrixHomeserverUrl } from "./url-validation-GRHde6lq.js";
-import { r as repairCurrentTokenStorageMetaDeviceId } from "./storage-onzulLbU.js";
+import { i as repairCurrentTokenStorageMetaDeviceId } from "./storage-Ds-2Iur5.js";
 import { DEFAULT_ACCOUNT_ID as DEFAULT_ACCOUNT_ID$1, normalizeAccountId as normalizeAccountId$1, normalizeOptionalAccountId, normalizeOptionalAccountId as normalizeOptionalAccountId$1 } from "openclaw/plugin-sdk/account-id";
 import { coerceSecretRef, normalizeResolvedSecretInputString } from "openclaw/plugin-sdk/secret-input-runtime";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
@@ -22,21 +22,21 @@ let matrixCredentialsWriteRuntimePromise;
 let matrixSecretInputDepsPromise;
 const MATRIX_AUTH_REQUEST_RETRY_RE = /\b(fetch failed|econnreset|econnrefused|enotfound|etimedout|ehostunreach|enetunreach|eai_again|und_err_|socket hang up|network|headers timeout|body timeout|connect timeout)\b/i;
 async function loadMatrixAuthClientDeps() {
-	matrixAuthClientDepsPromise ??= Promise.all([import("./sdk-ymjYByhr.js"), import("./logging-yEwXx4Hm.js")]).then(([sdkModule, loggingModule]) => ({
+	matrixAuthClientDepsPromise ??= Promise.all([import("./sdk-C2iC7PJZ.js"), import("./logging-C7wjdKK5.js")]).then(([sdkModule, loggingModule]) => ({
 		MatrixClient: sdkModule.MatrixClient,
 		ensureMatrixSdkLoggingConfigured: loggingModule.ensureMatrixSdkLoggingConfigured
 	}));
 	return await matrixAuthClientDepsPromise;
 }
 async function loadMatrixCredentialsReadDeps() {
-	matrixCredentialsReadDepsPromise ??= import("./credentials-read-DySnJlLx.js").then((n) => n.r).then((credentialsReadModule) => ({
+	matrixCredentialsReadDepsPromise ??= import("./credentials-read-DpxFOhx0.js").then((n) => n.r).then((credentialsReadModule) => ({
 		loadMatrixCredentials: credentialsReadModule.loadMatrixCredentials,
 		credentialsMatchConfig: credentialsReadModule.credentialsMatchConfig
 	}));
 	return await matrixCredentialsReadDepsPromise;
 }
 async function loadMatrixCredentialsWriteRuntime() {
-	matrixCredentialsWriteRuntimePromise ??= import("./credentials-write.runtime-Ca2MN99y.js");
+	matrixCredentialsWriteRuntimePromise ??= import("./credentials-write.runtime-BB5QuM4Z.js");
 	return await matrixCredentialsWriteRuntimePromise;
 }
 async function loadMatrixSecretInputDeps() {
@@ -569,7 +569,7 @@ var shared_exports = /* @__PURE__ */ __exportAll({
 });
 let matrixCreateClientDepsPromise;
 async function loadMatrixCreateClientDeps() {
-	matrixCreateClientDepsPromise ??= import("./create-client-B1a3Am-I.js").then((n) => n.n).then((runtime) => ({ createMatrixClient: runtime.createMatrixClient }));
+	matrixCreateClientDepsPromise ??= import("./create-client-B4CPKa5P.js").then((n) => n.n).then((runtime) => ({ createMatrixClient: runtime.createMatrixClient }));
 	return await matrixCreateClientDepsPromise;
 }
 const sharedClientStates = /* @__PURE__ */ new Map();

package/dist/startup-verification-DdSXlCLn.js

@@ -0,0 +1,233 @@
+import { t as getMatrixRuntime } from "./runtime-6S3DNFNv.js";
+import { t as formatMatrixErrorMessage } from "./errors-C47hvAF8.js";
+import { o as resolveMatrixStoragePaths, r as recordCurrentStorageMetaDeviceId } from "./storage-Ds-2Iur5.js";
+import { n as resolveMatrixSqliteStateEnv } from "./thread-bindings-yt8HTZo0.js";
+import path from "node:path";
+import { createHash } from "node:crypto";
+import { timestampMsToIsoString } from "openclaw/plugin-sdk/number-runtime";
+import { readJsonFileWithFallback } from "openclaw/plugin-sdk/json-store";
+import fs from "node:fs/promises";
+//#region extensions/matrix/src/matrix/monitor/startup-verification.ts
+const STARTUP_VERIFICATION_STATE_FILENAME = "startup-verification.json";
+const STARTUP_VERIFICATION_NAMESPACE = "startup-verification";
+const STARTUP_VERIFICATION_MIGRATIONS_NAMESPACE = "startup-verification-migrations";
+const STARTUP_VERIFICATION_MAX_ENTRIES = 1e3;
+const DEFAULT_STARTUP_VERIFICATION_MODE = "if-unverified";
+const DEFAULT_STARTUP_VERIFICATION_COOLDOWN_HOURS = 24;
+const DEFAULT_STARTUP_VERIFICATION_FAILURE_COOLDOWN_MS = 3600 * 1e3;
+function normalizeCooldownHours(value) {
+	if (typeof value !== "number" || !Number.isFinite(value)) return DEFAULT_STARTUP_VERIFICATION_COOLDOWN_HOURS;
+	return Math.max(0, value);
+}
+function resolveStartupVerificationStatePath(params) {
+	const storagePaths = resolveMatrixStoragePaths({
+		homeserver: params.auth.homeserver,
+		userId: params.auth.userId,
+		accessToken: params.auth.accessToken,
+		accountId: params.auth.accountId,
+		deviceId: params.auth.deviceId,
+		env: params.env,
+		stateDir: params.stateDir
+	});
+	return path.join(storagePaths.rootDir, STARTUP_VERIFICATION_STATE_FILENAME);
+}
+function buildStartupVerificationKey(auth) {
+	return auth.accountId.trim() || "default";
+}
+function createStartupVerificationStore(params) {
+	return getMatrixRuntime().state.openKeyedStore({
+		namespace: STARTUP_VERIFICATION_NAMESPACE,
+		maxEntries: STARTUP_VERIFICATION_MAX_ENTRIES,
+		env: resolveMatrixSqliteStateEnv(params)
+	});
+}
+function createStartupVerificationMigrationStore(params) {
+	return getMatrixRuntime().state.openKeyedStore({
+		namespace: STARTUP_VERIFICATION_MIGRATIONS_NAMESPACE,
+		maxEntries: STARTUP_VERIFICATION_MAX_ENTRIES,
+		env: resolveMatrixSqliteStateEnv(params)
+	});
+}
+function buildStartupVerificationImportKey(params) {
+	const accountId = params.auth.accountId.trim() || "default";
+	return `${accountId}:${createHash("sha256").update(accountId).update("\0").update(params.legacyFilePath).digest("hex")}`;
+}
+async function readLegacyStartupVerificationState(filePath) {
+	const { value } = await readJsonFileWithFallback(filePath, null);
+	return value && typeof value === "object" ? value : null;
+}
+async function readStartupVerificationState(params) {
+	const store = createStartupVerificationStore(params);
+	const key = buildStartupVerificationKey(params.auth);
+	const value = await store.lookup(key);
+	if (value && typeof value === "object") return value;
+	const migrationStore = createStartupVerificationMigrationStore(params);
+	const legacyImportKey = buildStartupVerificationImportKey({
+		auth: params.auth,
+		legacyFilePath: params.legacyFilePath
+	});
+	if (await migrationStore.lookup(legacyImportKey)) return null;
+	const legacy = await readLegacyStartupVerificationState(params.legacyFilePath);
+	if (legacy) await store.register(key, legacy).then(async () => {
+		if (typeof legacy.deviceId === "string" && legacy.deviceId.trim()) recordCurrentStorageMetaDeviceId({
+			rootDir: path.dirname(params.legacyFilePath),
+			deviceId: legacy.deviceId
+		});
+		await migrationStore.register(legacyImportKey, { importedAt: Date.now() });
+		await fs.rm(params.legacyFilePath, { force: true }).catch(() => {});
+	}).catch(() => {});
+	return legacy;
+}
+async function writeStartupVerificationState(params) {
+	await createStartupVerificationStore(params).register(buildStartupVerificationKey(params.auth), params.state);
+	await createStartupVerificationMigrationStore(params).register(buildStartupVerificationImportKey({
+		auth: params.auth,
+		legacyFilePath: params.legacyFilePath
+	}), { importedAt: Date.now() }).catch(() => {});
+	if (typeof params.state.deviceId === "string" && params.state.deviceId.trim()) recordCurrentStorageMetaDeviceId({
+		rootDir: path.dirname(params.legacyFilePath),
+		deviceId: params.state.deviceId
+	});
+	await fs.rm(params.legacyFilePath, { force: true }).catch(() => {});
+}
+async function clearStartupVerificationState(params) {
+	await createStartupVerificationStore(params).delete(buildStartupVerificationKey(params.auth)).catch(() => {});
+	await createStartupVerificationMigrationStore(params).register(buildStartupVerificationImportKey({
+		auth: params.auth,
+		legacyFilePath: params.legacyFilePath
+	}), { importedAt: Date.now() }).catch(() => {});
+	await fs.rm(params.legacyFilePath, { force: true }).catch(() => {});
+}
+function resolveStateCooldownMs(state, cooldownMs) {
+	if (state?.outcome === "failed") return Math.min(cooldownMs, DEFAULT_STARTUP_VERIFICATION_FAILURE_COOLDOWN_MS);
+	return cooldownMs;
+}
+function resolveRetryAfterMs(params) {
+	const attemptedAtMs = Date.parse(params.attemptedAt ?? "");
+	if (!Number.isFinite(attemptedAtMs)) return;
+	const remaining = attemptedAtMs + params.cooldownMs - params.nowMs;
+	return remaining > 0 ? remaining : void 0;
+}
+function resolveStartupVerificationTimestamp(nowMs) {
+	return timestampMsToIsoString(nowMs) ?? timestampMsToIsoString(Date.now()) ?? "1970-01-01T00:00:00.000Z";
+}
+function shouldHonorCooldown(params) {
+	if (!params.state || params.stateCooldownMs <= 0) return false;
+	if (params.state.userId && params.verification.userId && params.state.userId !== params.verification.userId) return false;
+	if (params.state.deviceId && params.verification.deviceId && params.state.deviceId !== params.verification.deviceId) return false;
+	return resolveRetryAfterMs({
+		attemptedAt: params.state.attemptedAt,
+		cooldownMs: params.stateCooldownMs,
+		nowMs: params.nowMs
+	}) !== void 0;
+}
+function hasPendingSelfVerification(verifications) {
+	return verifications.some((entry) => entry.isSelfVerification && !entry.completed && entry.pending);
+}
+async function ensureMatrixStartupVerification(params) {
+	if (params.auth.encryption !== true || !params.client.crypto) return { kind: "unsupported" };
+	const verification = await params.client.getOwnDeviceVerificationStatus();
+	const statePath = params.stateFilePath ?? resolveStartupVerificationStatePath({
+		auth: params.auth,
+		env: params.env,
+		stateDir: params.stateDir
+	});
+	const stateDir = params.stateDir ?? path.dirname(statePath);
+	if (verification.verified) {
+		await clearStartupVerificationState({
+			auth: params.auth,
+			env: params.env,
+			stateDir,
+			legacyFilePath: statePath
+		});
+		return {
+			kind: "verified",
+			verification
+		};
+	}
+	if ((params.accountConfig.startupVerification ?? DEFAULT_STARTUP_VERIFICATION_MODE) === "off") {
+		await clearStartupVerificationState({
+			auth: params.auth,
+			env: params.env,
+			stateDir,
+			legacyFilePath: statePath
+		});
+		return {
+			kind: "disabled",
+			verification
+		};
+	}
+	if (hasPendingSelfVerification(await params.client.crypto.listVerifications().catch(() => []))) return {
+		kind: "pending",
+		verification
+	};
+	const cooldownMs = normalizeCooldownHours(params.accountConfig.startupVerificationCooldownHours) * 60 * 60 * 1e3;
+	const nowMs = params.nowMs ?? Date.now();
+	const attemptedAt = resolveStartupVerificationTimestamp(nowMs);
+	const state = await readStartupVerificationState({
+		auth: params.auth,
+		env: params.env,
+		stateDir,
+		legacyFilePath: statePath
+	});
+	const stateCooldownMs = resolveStateCooldownMs(state, cooldownMs);
+	if (shouldHonorCooldown({
+		state,
+		verification,
+		stateCooldownMs,
+		nowMs
+	})) return {
+		kind: "cooldown",
+		verification,
+		retryAfterMs: resolveRetryAfterMs({
+			attemptedAt: state?.attemptedAt,
+			cooldownMs: stateCooldownMs,
+			nowMs
+		})
+	};
+	try {
+		const request = await params.client.crypto.requestVerification({ ownUser: true });
+		await writeStartupVerificationState({
+			auth: params.auth,
+			env: params.env,
+			stateDir,
+			legacyFilePath: statePath,
+			state: {
+				userId: verification.userId,
+				deviceId: verification.deviceId,
+				attemptedAt,
+				outcome: "requested",
+				requestId: request.id,
+				transactionId: request.transactionId
+			}
+		});
+		return {
+			kind: "requested",
+			verification,
+			requestId: request.id,
+			transactionId: request.transactionId ?? void 0
+		};
+	} catch (err) {
+		const error = formatMatrixErrorMessage(err);
+		await writeStartupVerificationState({
+			auth: params.auth,
+			env: params.env,
+			stateDir,
+			legacyFilePath: statePath,
+			state: {
+				userId: verification.userId,
+				deviceId: verification.deviceId,
+				attemptedAt,
+				outcome: "failed",
+				error
+			}
+		}).catch(() => {});
+		return {
+			kind: "request-failed",
+			verification,
+			error
+		};
+	}
+}
+//#endregion
+export { ensureMatrixStartupVerification };

package/dist/{storage-onzulLbU.js → storage-Ds-2Iur5.js}

@@ -1,6 +1,6 @@
-import { a as resolveMatrixDefaultOrOnlyAccountId, n as requiresExplicitMatrixDefaultAccount } from "./account-selection-C3arLOhC.js";
+import { a as resolveMatrixDefaultOrOnlyAccountId, n as requiresExplicitMatrixDefaultAccount } from "./account-selection-DEMtY2cn.js";
 import { t as getMatrixRuntime } from "./runtime-6S3DNFNv.js";
-import { n as resolveMatrixAccountStorageRoot, s as resolveMatrixLegacyFlatStoragePaths } from "./storage-paths-BV2Z7bns.js";
+import { n as resolveMatrixAccountStorageRoot, s as resolveMatrixLegacyFlatStoragePaths } from "./storage-paths-BWo_ZEMC.js";
 import { normalizeAccountId } from "openclaw/plugin-sdk/account-id";
 import fs from "node:fs";
 import os from "node:os";
@@ -13,7 +13,6 @@ const THREAD_BINDINGS_FILENAME = "thread-bindings.json";
 const LEGACY_CRYPTO_MIGRATION_FILENAME = "legacy-crypto-migration.json";
 const RECOVERY_KEY_FILENAME = "recovery-key.json";
 const IDB_SNAPSHOT_FILENAME = "crypto-idb-snapshot.json";
-const STARTUP_VERIFICATION_FILENAME = "startup-verification.json";
 function resolveLegacyStoragePaths(env = process.env) {
 	const legacy = resolveMatrixLegacyFlatStoragePaths(getMatrixRuntime().state.resolveStateDir(env, os.homedir));
 	return {
@@ -59,8 +58,6 @@ function readStoredRootMetadata(rootDir) {
 		if (parsed.currentTokenStateClaimed === true) metadata.currentTokenStateClaimed = true;
 		if (typeof parsed.createdAt === "string" && parsed.createdAt.trim()) metadata.createdAt = parsed.createdAt.trim();
 	}
-	const verification = loadJsonFile(path.join(rootDir, STARTUP_VERIFICATION_FILENAME));
-	if (!metadata.deviceId && typeof verification?.deviceId === "string" && verification.deviceId.trim()) metadata.deviceId = verification.deviceId.trim();
 	return metadata;
 }
 function isCompatibleStorageRoot(params) {
@@ -261,6 +258,21 @@ function claimCurrentTokenStorageState(params) {
 		createdAt: metadata.createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
 	});
 }
+function recordCurrentStorageMetaDeviceId(params) {
+	const deviceId = params.deviceId.trim();
+	if (!deviceId) return false;
+	const metadata = readStoredRootMetadata(params.rootDir);
+	if (!metadata.accessTokenHash?.trim()) return false;
+	return writeStoredRootMetadata(path.join(params.rootDir, STORAGE_META_FILENAME), {
+		homeserver: metadata.homeserver,
+		userId: metadata.userId,
+		accountId: metadata.accountId ?? DEFAULT_ACCOUNT_KEY,
+		accessTokenHash: metadata.accessTokenHash,
+		deviceId,
+		currentTokenStateClaimed: metadata.currentTokenStateClaimed === true,
+		createdAt: metadata.createdAt ?? (/* @__PURE__ */ new Date()).toISOString()
+	});
+}
 function repairCurrentTokenStorageMetaDeviceId(params) {
 	return writeStorageMeta({
 		storagePaths: resolveMatrixStoragePaths({
@@ -278,4 +290,4 @@ function repairCurrentTokenStorageMetaDeviceId(params) {
 	});
 }
 //#endregion
-export { resolveMatrixStoragePaths as a, resolveMatrixStateFilePath as i, maybeMigrateLegacyStorage as n, writeStorageMeta as o, repairCurrentTokenStorageMetaDeviceId as r, claimCurrentTokenStorageState as t };
+export { resolveMatrixStateFilePath as a, repairCurrentTokenStorageMetaDeviceId as i, maybeMigrateLegacyStorage as n, resolveMatrixStoragePaths as o, recordCurrentStorageMetaDeviceId as r, writeStorageMeta as s, claimCurrentTokenStorageState as t };

package/dist/subagent-hooks-api.js

@@ -1,2 +1,18 @@
-import { i as handleMatrixSubagentSpawning, n as handleMatrixSubagentDeliveryTarget, r as handleMatrixSubagentEnded, t as registerMatrixSubagentHooks } from "./subagent-hooks-api-bedE4GYl.js";
-export { handleMatrixSubagentDeliveryTarget, handleMatrixSubagentEnded, handleMatrixSubagentSpawning, registerMatrixSubagentHooks };
+//#region extensions/matrix/subagent-hooks-api.ts
+let matrixSubagentHooksPromise = null;
+function loadMatrixSubagentHooksModule() {
+	matrixSubagentHooksPromise ??= import("./subagent-hooks-dkPAF6Et.js");
+	return matrixSubagentHooksPromise;
+}
+function registerMatrixSubagentHooks(api) {
+	api.on("subagent_ended", async (event) => {
+		const { handleMatrixSubagentEnded } = await loadMatrixSubagentHooksModule();
+		await handleMatrixSubagentEnded(event);
+	});
+	api.on("subagent_delivery_target", async (event) => {
+		const { handleMatrixSubagentDeliveryTarget } = await loadMatrixSubagentHooksModule();
+		return handleMatrixSubagentDeliveryTarget(event);
+	});
+}
+//#endregion
+export { registerMatrixSubagentHooks };

package/dist/{subagent-hooks-api-bedE4GYl.js → subagent-hooks-dkPAF6Et.js}

@@ -1,16 +1,10 @@
-import { t as __exportAll } from "./rolldown-runtime-8H4AJuhK.js";
 import { a as resolveMatrixTargetIdentity } from "./target-ids-B-5aQxwn.js";
 import { a as listBindingsForAccount, c as resolveBindingKey, i as listAllBindings, n as getMatrixThreadBindingManager, o as removeBindingRecord } from "./thread-bindings-shared-CKnY4LSd.js";
-import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/account-id";
-import { getSessionBindingService } from "openclaw/plugin-sdk/conversation-binding-runtime";
 import { formatThreadBindingDisabledError, formatThreadBindingSpawnDisabledError, resolveThreadBindingSpawnPolicy } from "openclaw/plugin-sdk/conversation-runtime";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk/account-id";
+import { getSessionBindingService } from "openclaw/plugin-sdk/conversation-binding-runtime";
 //#region extensions/matrix/src/matrix/subagent-hooks.ts
-var subagent_hooks_exports = /* @__PURE__ */ __exportAll({
-	handleMatrixSubagentDeliveryTarget: () => handleMatrixSubagentDeliveryTarget,
-	handleMatrixSubagentEnded: () => handleMatrixSubagentEnded,
-	handleMatrixSubagentSpawning: () => handleMatrixSubagentSpawning
-});
 function summarizeError(err) {
 	if (err instanceof Error) return err.message;
 	if (typeof err === "string") return err;
@@ -146,25 +140,4 @@ function handleMatrixSubagentDeliveryTarget(event) {
 	} };
 }
 //#endregion
-//#region extensions/matrix/subagent-hooks-api.ts
-let matrixSubagentHooksPromise = null;
-function loadMatrixSubagentHooksModule() {
-	matrixSubagentHooksPromise ??= Promise.resolve().then(() => subagent_hooks_exports);
-	return matrixSubagentHooksPromise;
-}
-function registerMatrixSubagentHooks(api) {
-	api.on("subagent_spawning", async (event) => {
-		const { handleMatrixSubagentSpawning } = await loadMatrixSubagentHooksModule();
-		return await handleMatrixSubagentSpawning(api, event);
-	});
-	api.on("subagent_ended", async (event) => {
-		const { handleMatrixSubagentEnded } = await loadMatrixSubagentHooksModule();
-		await handleMatrixSubagentEnded(event);
-	});
-	api.on("subagent_delivery_target", async (event) => {
-		const { handleMatrixSubagentDeliveryTarget } = await loadMatrixSubagentHooksModule();
-		return handleMatrixSubagentDeliveryTarget(event);
-	});
-}
-//#endregion
-export { handleMatrixSubagentSpawning as i, handleMatrixSubagentDeliveryTarget as n, handleMatrixSubagentEnded as r, registerMatrixSubagentHooks as t };
+export { handleMatrixSubagentDeliveryTarget, handleMatrixSubagentEnded, handleMatrixSubagentSpawning };

package/dist/{thread-bindings-DAg6grT8.js → thread-bindings-yt8HTZo0.js}

@@ -1,13 +1,39 @@
+import { t as getMatrixRuntime } from "./runtime-6S3DNFNv.js";
 import { a as listBindingsForAccount, c as resolveBindingKey, f as setMatrixThreadBindingManagerEntry, h as toSessionBindingRecord, l as resolveEffectiveBindingExpiry, m as toMatrixBindingTargetKind, o as removeBindingRecord, r as getMatrixThreadBindingManagerEntry, t as deleteMatrixThreadBindingManagerEntry, u as setBindingRecord } from "./thread-bindings-shared-CKnY4LSd.js";
-import { i as resolveMatrixStateFilePath, t as claimCurrentTokenStorageState } from "./storage-onzulLbU.js";
-import { a as sendMessageMatrix } from "./send-peVVVL75.js";
+import { a as resolveMatrixStateFilePath, t as claimCurrentTokenStorageState } from "./storage-Ds-2Iur5.js";
+import { a as sendMessageMatrix } from "./send-CAmsWgZ2.js";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
-import { registerSessionBindingAdapter, resolveThreadBindingFarewellText, unregisterSessionBindingAdapter } from "openclaw/plugin-sdk/thread-bindings-session-runtime";
+import os from "node:os";
 import path from "node:path";
-import { readJsonFileWithFallback, writeJsonFileAtomically } from "openclaw/plugin-sdk/json-store";
+import { createHash } from "node:crypto";
+import { registerSessionBindingAdapter, resolveThreadBindingFarewellText, unregisterSessionBindingAdapter } from "openclaw/plugin-sdk/thread-bindings-session-runtime";
+import { readJsonFileWithFallback } from "openclaw/plugin-sdk/json-store";
+import fs from "node:fs/promises";
 import { resolveAgentIdFromSessionKey } from "openclaw/plugin-sdk/session-key-runtime";
+//#region extensions/matrix/src/matrix/sqlite-state.ts
+function resolveStateDirOverride(options) {
+	if (!options) return;
+	if (options.stateDir) return options.stateDir;
+	if (options.stateRootDir) return options.stateRootDir;
+	return getMatrixRuntime().state.resolveStateDir(options.env ?? process.env, os.homedir);
+}
+function resolveMatrixSqliteStateKey(options) {
+	return resolveStateDirOverride(options) ?? "";
+}
+function resolveMatrixSqliteStateEnv(options) {
+	const stateDir = resolveStateDirOverride(options);
+	if (!stateDir) return options?.env;
+	return {
+		...options?.env ?? process.env,
+		OPENCLAW_STATE_DIR: stateDir
+	};
+}
+//#endregion
 //#region extensions/matrix/src/matrix/thread-bindings.ts
 const STORE_VERSION = 1;
+const THREAD_BINDINGS_NAMESPACE = "thread-bindings";
+const THREAD_BINDINGS_MIGRATIONS_NAMESPACE = "thread-bindings-migrations";
+const THREAD_BINDINGS_MAX_ENTRIES = 1e4;
 const THREAD_BINDINGS_SWEEP_INTERVAL_MS = 6e4;
 const TOUCH_PERSIST_DELAY_MS = 3e4;
 function resolveBindingsPath(params) {
@@ -19,43 +45,80 @@ function resolveBindingsPath(params) {
 		filename: "thread-bindings.json"
 	});
 }
-async function loadBindingsFromDisk(filePath, accountId) {
+function createThreadBindingStore(params) {
+	return getMatrixRuntime().state.openKeyedStore({
+		namespace: THREAD_BINDINGS_NAMESPACE,
+		maxEntries: THREAD_BINDINGS_MAX_ENTRIES,
+		env: resolveMatrixSqliteStateEnv(params)
+	});
+}
+function createThreadBindingMigrationStore(params) {
+	return getMatrixRuntime().state.openKeyedStore({
+		namespace: THREAD_BINDINGS_MIGRATIONS_NAMESPACE,
+		maxEntries: 1e3,
+		env: resolveMatrixSqliteStateEnv(params)
+	});
+}
+function buildThreadBindingStoreKey(record) {
+	const digest = createHash("sha256").update(record.accountId).update("\0").update(record.parentConversationId ?? "").update("\0").update(record.conversationId).digest("hex");
+	return `${record.accountId}:${digest}`;
+}
+function buildLegacyThreadBindingsImportKey(params) {
+	const digest = createHash("sha256").update(params.accountId).update("\0").update(params.legacyFilePath).digest("hex");
+	return `${params.accountId}:${digest}`;
+}
+function normalizeBindingRecord(entry, accountId) {
+	if (!entry || typeof entry !== "object" || Array.isArray(entry)) return null;
+	const record = entry;
+	if (record.accountId && record.accountId !== accountId) return null;
+	const conversationId = normalizeOptionalString(record.conversationId);
+	const parentConversationId = normalizeOptionalString(record.parentConversationId);
+	const targetSessionKey = normalizeOptionalString(record.targetSessionKey) ?? "";
+	if (!conversationId || !targetSessionKey) return null;
+	const boundAt = typeof record.boundAt === "number" && Number.isFinite(record.boundAt) ? Math.floor(record.boundAt) : Date.now();
+	const lastActivityAt = typeof record.lastActivityAt === "number" && Number.isFinite(record.lastActivityAt) ? Math.floor(record.lastActivityAt) : boundAt;
+	return {
+		accountId,
+		conversationId,
+		...parentConversationId ? { parentConversationId } : {},
+		targetKind: record.targetKind === "subagent" ? "subagent" : "acp",
+		targetSessionKey,
+		agentId: normalizeOptionalString(record.agentId) || void 0,
+		label: normalizeOptionalString(record.label) || void 0,
+		boundBy: normalizeOptionalString(record.boundBy) || void 0,
+		boundAt,
+		lastActivityAt: Math.max(lastActivityAt, boundAt),
+		idleTimeoutMs: typeof record.idleTimeoutMs === "number" && Number.isFinite(record.idleTimeoutMs) ? Math.max(0, Math.floor(record.idleTimeoutMs)) : void 0,
+		maxAgeMs: typeof record.maxAgeMs === "number" && Number.isFinite(record.maxAgeMs) ? Math.max(0, Math.floor(record.maxAgeMs)) : void 0
+	};
+}
+async function loadBindingsFromLegacyDisk(filePath, accountId) {
 	const { value } = await readJsonFileWithFallback(filePath, null);
 	if (value?.version !== STORE_VERSION || !Array.isArray(value.bindings)) return [];
 	const loaded = [];
 	for (const entry of value.bindings) {
-		const conversationId = normalizeOptionalString(entry?.conversationId);
-		const parentConversationId = normalizeOptionalString(entry?.parentConversationId);
-		const targetSessionKey = normalizeOptionalString(entry?.targetSessionKey) ?? "";
-		if (!conversationId || !targetSessionKey) continue;
-		const boundAt = typeof entry?.boundAt === "number" && Number.isFinite(entry.boundAt) ? Math.floor(entry.boundAt) : Date.now();
-		const lastActivityAt = typeof entry?.lastActivityAt === "number" && Number.isFinite(entry.lastActivityAt) ? Math.floor(entry.lastActivityAt) : boundAt;
-		loaded.push({
-			accountId,
-			conversationId,
-			...parentConversationId ? { parentConversationId } : {},
-			targetKind: entry?.targetKind === "subagent" ? "subagent" : "acp",
-			targetSessionKey,
-			agentId: normalizeOptionalString(entry?.agentId) || void 0,
-			label: normalizeOptionalString(entry?.label) || void 0,
-			boundBy: normalizeOptionalString(entry?.boundBy) || void 0,
-			boundAt,
-			lastActivityAt: Math.max(lastActivityAt, boundAt),
-			idleTimeoutMs: typeof entry?.idleTimeoutMs === "number" && Number.isFinite(entry.idleTimeoutMs) ? Math.max(0, Math.floor(entry.idleTimeoutMs)) : void 0,
-			maxAgeMs: typeof entry?.maxAgeMs === "number" && Number.isFinite(entry.maxAgeMs) ? Math.max(0, Math.floor(entry.maxAgeMs)) : void 0
-		});
+		const record = normalizeBindingRecord(entry, accountId);
+		if (record) loaded.push(record);
 	}
 	return loaded;
 }
-function toStoredBindingsState(bindings) {
-	return {
-		version: STORE_VERSION,
-		bindings: [...bindings].toSorted((a, b) => a.boundAt - b.boundAt)
-	};
+async function loadBindingsFromPluginState(params) {
+	const store = createThreadBindingStore(params);
+	const loaded = [];
+	for (const entry of await store.entries()) {
+		const record = normalizeBindingRecord(entry.value, params.accountId);
+		if (record) loaded.push(record);
+	}
+	return loaded;
+}
+function toPluginJsonValue(value) {
+	return JSON.parse(JSON.stringify(value));
 }
-async function persistBindingsSnapshot(filePath, bindings) {
-	await writeJsonFileAtomically(filePath, toStoredBindingsState(bindings));
-	claimCurrentTokenStorageState({ rootDir: path.dirname(filePath) });
+async function persistBindingsSnapshot(params) {
+	const store = createThreadBindingStore(params);
+	const liveKeys = new Set(params.bindings.map((record) => buildThreadBindingStoreKey(record)));
+	for (const entry of await store.entries()) if (normalizeBindingRecord(entry.value, params.accountId) && !liveKeys.has(entry.key)) await store.delete(entry.key);
+	for (const record of params.bindings) await store.register(buildThreadBindingStoreKey(record), toPluginJsonValue(record));
 }
 function buildMatrixBindingIntroText(params) {
 	const introText = normalizeOptionalString(params.metadata?.introText);
@@ -94,24 +157,56 @@ async function sendFarewellMessage(params) {
 }
 async function createMatrixThreadBindingManager(params) {
 	if (params.auth.accountId !== params.accountId) throw new Error(`Matrix thread binding account mismatch: requested ${params.accountId}, auth resolved ${params.auth.accountId}`);
-	const filePath = resolveBindingsPath({
+	const legacyFilePath = resolveBindingsPath({
 		auth: params.auth,
 		accountId: params.accountId,
 		env: params.env,
 		stateDir: params.stateDir
 	});
+	const sqliteStateDir = path.dirname(legacyFilePath);
+	const storageKey = resolveMatrixSqliteStateKey({
+		env: params.env,
+		stateDir: sqliteStateDir
+	});
 	const existingEntry = getMatrixThreadBindingManagerEntry(params.accountId);
 	if (existingEntry) {
-		if (existingEntry.filePath === filePath) return existingEntry.manager;
+		if (existingEntry.storageKey === storageKey) return existingEntry.manager;
 		existingEntry.manager.stop();
 	}
-	const loaded = await loadBindingsFromDisk(filePath, params.accountId);
+	const pluginLoaded = await loadBindingsFromPluginState({
+		accountId: params.accountId,
+		env: params.env,
+		stateDir: sqliteStateDir
+	});
+	const migrationStore = createThreadBindingMigrationStore({
+		env: params.env,
+		stateDir: sqliteStateDir
+	});
+	const legacyImportKey = buildLegacyThreadBindingsImportKey({
+		accountId: params.accountId,
+		legacyFilePath
+	});
+	const pluginLoadedKeys = new Set(pluginLoaded.map((record) => buildThreadBindingStoreKey(record)));
+	let legacyHadRows = false;
+	let legacyLoaded = [];
+	if (!await migrationStore.lookup(legacyImportKey)) {
+		const legacyCandidates = await loadBindingsFromLegacyDisk(legacyFilePath, params.accountId);
+		legacyHadRows = legacyCandidates.length > 0;
+		legacyLoaded = legacyCandidates.filter((record) => !pluginLoadedKeys.has(buildThreadBindingStoreKey(record)));
+	}
+	const loaded = [...pluginLoaded, ...legacyLoaded];
 	for (const record of loaded) setBindingRecord(record);
 	let persistQueue = Promise.resolve();
 	const enqueuePersist = (bindings) => {
 		const snapshot = bindings ?? listBindingsForAccount(params.accountId);
 		const next = persistQueue.catch(() => {}).then(async () => {
-			await persistBindingsSnapshot(filePath, snapshot);
+			await persistBindingsSnapshot({
+				accountId: params.accountId,
+				bindings: snapshot,
+				env: params.env,
+				stateDir: sqliteStateDir
+			});
+			claimCurrentTokenStorageState({ rootDir: sqliteStateDir });
 		});
 		persistQueue = next;
 		return next;
@@ -126,6 +221,13 @@ async function createMatrixThreadBindingManager(params) {
 		idleTimeoutMs: params.idleTimeoutMs,
 		maxAgeMs: params.maxAgeMs
 	};
+	if (legacyHadRows) {
+		if (legacyLoaded.length > 0) await persist();
+		await migrationStore.register(legacyImportKey, { importedAt: Date.now() });
+		await fs.rm(legacyFilePath, { force: true }).catch((err) => {
+			params.logVerboseMessage?.(`matrix: failed removing migrated legacy thread bindings account=${params.accountId}: ${String(err)}`);
+		});
+	}
 	let persistTimer = null;
 	const schedulePersist = (delayMs) => {
 		if (persistTimer) return;
@@ -343,10 +445,10 @@ async function createMatrixThreadBindingManager(params) {
 		sweepTimer.unref?.();
 	}
 	setMatrixThreadBindingManagerEntry(params.accountId, {
-		filePath,
+		storageKey,
 		manager
 	});
 	return manager;
 }
 //#endregion
-export { createMatrixThreadBindingManager as t };
+export { resolveMatrixSqliteStateEnv as n, createMatrixThreadBindingManager as t };