agent-messenger 2.19.5 → 2.20.0

package/skills/agent-teams/references/common-patterns.md

@@ -438,6 +438,34 @@ SNAPSHOT=$(teams_cmd agent-teams snapshot)
 
 **When to use**: Any script that runs for more than a few minutes.
 
+## Pattern 12: Personal Account Chats (No Teams)
+
+**Use case**: Message from a personal Microsoft account (`@outlook.com` / `@live.com`), which has no teams or channels — only 1:1, group, and self ("to me") chats
+
+```bash
+#!/bin/bash
+
+# Personal accounts have no teams, so `team list` is empty and team/channel
+# commands fail with "No current team set". Use the `chat` commands instead.
+
+agent-teams auth extract 2>/dev/null || true
+
+# List chats (type is oneOnOne, group, or self)
+CHATS=$(agent-teams chat list)
+echo "$CHATS" | jq -r '.[] | "  \(.type): \(.id) — \(.topic // .last_message // "")"'
+
+# Pick a chat ID (here: the self "to me" notes thread)
+CHAT_ID=$(echo "$CHATS" | jq -r '.[] | select(.type=="self") | .id')
+
+# Read history and send a message
+agent-teams chat history "$CHAT_ID" --limit 20
+agent-teams chat send "$CHAT_ID" "Reminder: stand-up at 10am"
+```
+
+**When to use**: Any workflow on a personal/consumer Teams account. Get chat IDs from `chat list` — they look like `19:guid1_guid2@unq.gbl.spaces` (1:1), `19:guid@thread.tacv2` (group), or `48:notes` (self).
+
+**Note**: Work accounts also have 1:1 and group chats and can use these same `chat` commands.
+
 ## Best Practices
 
 ### 1. Always Handle Token Expiry

package/skills/agent-telegram/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegram
 description: Interact with Telegram through TDLib - authenticate, inspect chats, and send messages
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-telegram:*)
 ---
 

package/skills/agent-telegrambot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-telegrambot
 description: Interact with Telegram using bot tokens - send messages, read chats, manage reactions
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-telegrambot:*)
 metadata:
   openclaw:

package/skills/agent-webex/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-webex
 description: Interact with Cisco Webex - send messages, read spaces, manage memberships
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-webex:*)
 metadata:
   openclaw:

package/skills/agent-wechatbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-wechatbot
 description: Interact with WeChat Official Account using API credentials - send messages, manage templates, list followers
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-wechatbot:*)
 metadata:
   openclaw:

package/skills/agent-whatsapp/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsapp
 description: Interact with WhatsApp - send messages, read chats, manage conversations
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-whatsapp:*)
 metadata:
   openclaw:

package/skills/agent-whatsappbot/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: agent-whatsappbot
 description: Interact with WhatsApp using Cloud API credentials - send messages, manage templates
-version: 2.19.5
+version: 2.20.0
 allowed-tools: Bash(agent-whatsappbot:*)
 metadata:
   openclaw:

package/src/platforms/line/client.test.ts

@@ -56,9 +56,10 @@ describe('LineClient', () => {
   })
 
   describe('getMessages()', () => {
-    function clientWithTalk(talk: Record<string, unknown>): LineClient {
+    function clientWithTalk(talk: Record<string, unknown>, e2ee?: Record<string, unknown>): LineClient {
       const client = new LineClient()
-      ;(client as any).client = { base: { talk } }
+      const { profile, ...talkMethods } = talk
+      ;(client as any).client = { base: { talk: talkMethods, profile, e2ee: e2ee ?? {} } }
       return client
     }
 
@@ -106,28 +107,179 @@ describe('LineClient', () => {
       expect(result.map((m) => m.text)).toEqual(['c', 'b'])
     })
 
-    it('marks encrypted chunk messages without text as missing E2EE keys', async () => {
+    it('resolves author MIDs to display names via getContacts', async () => {
       const client = clientWithTalk({
+        profile: { mid: 'me' },
         getServerTime: async () => 1700000000000,
         getPreviousMessagesV2WithRequest: async () => [
-          {
-            id: '40',
-            from: 'u1',
-            text: null,
-            contentType: 'NONE',
-            createdTime: 1700000004000,
-            chunks: ['a', 'b'],
-            metadata: { e2eeMark: '2', e2eeVersion: '2' },
-          },
+          { id: '10', from: 'u1', text: 'hi', contentType: 'NONE', createdTime: 1700000001000 },
+          { id: '11', from: 'u2', text: 'yo', contentType: 'NONE', createdTime: 1700000002000 },
+        ],
+        getContacts: async ({ mids }: { mids: string[] }) =>
+          mids.map((mid) => ({ mid, displayName: mid === 'u1' ? 'Alice' : 'Bob' })),
+      })
+
+      const result = await client.getMessages('chat1', { count: 2 })
+      expect(result.map((m) => m.author_name)).toEqual(['Alice', 'Bob'])
+    })
+
+    it('batch-resolves unique authors in a single getContacts call', async () => {
+      let contactCalls = 0
+      const client = clientWithTalk({
+        profile: { mid: 'me' },
+        getServerTime: async () => 1700000000000,
+        getPreviousMessagesV2WithRequest: async () => [
+          { id: '10', from: 'u1', text: 'a', contentType: 'NONE', createdTime: 1700000001000 },
+          { id: '11', from: 'u1', text: 'b', contentType: 'NONE', createdTime: 1700000002000 },
+          { id: '12', from: 'u2', text: 'c', contentType: 'NONE', createdTime: 1700000003000 },
         ],
+        getContacts: async ({ mids }: { mids: string[] }) => {
+          contactCalls++
+          expect([...mids].sort()).toEqual(['u1', 'u2'])
+          return mids.map((mid) => ({ mid, displayName: mid.toUpperCase() }))
+        },
+      })
+
+      const result = await client.getMessages('chat1', { count: 3 })
+      expect(contactCalls).toBe(1)
+      expect(result.map((m) => m.author_name)).toEqual(['U1', 'U1', 'U2'])
+    })
+
+    it('resolves the current user via getProfile since getContacts omits self', async () => {
+      const client = clientWithTalk({
+        profile: { mid: 'me' },
+        getServerTime: async () => 1700000000000,
+        getPreviousMessagesV2WithRequest: async () => [
+          { id: '10', from: 'me', text: 'mine', contentType: 'NONE', createdTime: 1700000001000 },
+        ],
+        getContacts: async () => [],
+        getProfile: async () => ({ mid: 'me', displayName: 'My Name' }),
       })
 
       const result = await client.getMessages('chat1', { count: 1 })
-      expect(result[0].text).toBeNull()
-      expect(result[0].decryption_error).toEqual({
-        code: 'missing_e2ee_key',
-        message: 'LINE message is encrypted with Letter Sealing, but this session has no saved E2EE key material.',
+      expect(result[0].author_name).toBe('My Name')
+    })
+
+    it('falls back to bare author_id when name resolution fails', async () => {
+      const client = clientWithTalk({
+        profile: { mid: 'me' },
+        getServerTime: async () => 1700000000000,
+        getPreviousMessagesV2WithRequest: async () => [
+          { id: '10', from: 'u1', text: 'hi', contentType: 'NONE', createdTime: 1700000001000 },
+        ],
+        getContacts: async () => {
+          throw new Error('network down')
+        },
       })
+
+      const result = await client.getMessages('chat1', { count: 1 })
+      expect(result[0].author_name).toBeUndefined()
+      expect(result[0].author_id).toBe('u1')
+    })
+
+    it('decrypts Letter-Sealing chunk messages via decryptE2EEMessage', async () => {
+      const encrypted = {
+        id: '40',
+        from: 'u1',
+        text: null,
+        contentType: 'NONE',
+        createdTime: 1700000004000,
+        chunks: ['a', 'b'],
+        metadata: { e2eeMark: '2', e2eeVersion: '2' },
+      }
+      const client = clientWithTalk(
+        {
+          getServerTime: async () => 1700000000000,
+          getPreviousMessagesV2WithRequest: async () => [encrypted],
+        },
+        { decryptE2EEMessage: async (m: { id: string }) => ({ ...m, text: 'decrypted secret' }) },
+      )
+
+      const result = await client.getMessages('chat1', { count: 1 })
+      expect(result[0].text).toBe('decrypted secret')
+      expect(result[0].decryption_error).toBeUndefined()
+    })
+
+    it('normalizes metadata-shaped history messages to contentMetadata before decrypting', async () => {
+      let received: { contentMetadata?: unknown } | undefined
+      const client = clientWithTalk(
+        {
+          getServerTime: async () => 1700000000000,
+          getPreviousMessagesV2WithRequest: async () => [
+            {
+              id: '40',
+              from: 'u1',
+              text: null,
+              contentType: 'NONE',
+              createdTime: 1700000004000,
+              chunks: ['a', 'b'],
+              metadata: { e2eeMark: '2', e2eeVersion: '2' },
+            },
+          ],
+        },
+        {
+          decryptE2EEMessage: async (m: { contentMetadata?: unknown }) => {
+            received = m
+            // mirror the vendor decryptor: it reads contentMetadata.e2eeVersion
+            const meta = m.contentMetadata as { e2eeVersion?: string }
+            return { text: `v${meta.e2eeVersion}` }
+          },
+        },
+      )
+
+      const result = await client.getMessages('chat1', { count: 1 })
+      expect((received?.contentMetadata as { e2eeVersion?: string })?.e2eeVersion).toBe('2')
+      expect(result[0].text).toBe('v2')
+    })
+
+    it('surfaces missing_e2ee_key when decryption fails for lack of keys', async () => {
+      const client = clientWithTalk(
+        {
+          getServerTime: async () => 1700000000000,
+          getPreviousMessagesV2WithRequest: async () => [
+            {
+              id: '40',
+              from: 'u1',
+              text: null,
+              contentType: 'NONE',
+              createdTime: 1700000004000,
+              chunks: ['a', 'b'],
+              metadata: { e2eeMark: '2', e2eeVersion: '2' },
+            },
+          ],
+        },
+        {
+          decryptE2EEMessage: async () => {
+            throw new Error('NoE2EEKey: E2EE Key has not been saved')
+          },
+        },
+      )
+
+      const result = await client.getMessages('chat1', { count: 1 })
+      expect(result[0].text).toBeNull()
+      expect(result[0].decryption_error?.code).toBe('missing_e2ee_key')
+    })
+
+    it('does not decrypt plain messages that already carry text', async () => {
+      let decryptCalls = 0
+      const client = clientWithTalk(
+        {
+          getServerTime: async () => 1700000000000,
+          getPreviousMessagesV2WithRequest: async () => [
+            { id: '50', from: 'u1', text: 'plain hello', contentType: 'NONE', createdTime: 1700000005000 },
+          ],
+        },
+        {
+          decryptE2EEMessage: async () => {
+            decryptCalls++
+            return { text: 'should-not-run' }
+          },
+        },
+      )
+
+      const result = await client.getMessages('chat1', { count: 1 })
+      expect(result[0].text).toBe('plain hello')
+      expect(decryptCalls).toBe(0)
     })
   })
 

package/src/platforms/line/client.ts

@@ -1,4 +1,4 @@
-import { copyFileSync, existsSync, mkdirSync } from 'node:fs'
+import { mkdirSync } from 'node:fs'
 import { join } from 'node:path'
 
 import type { Operation as LineOperation } from '@jsr/evex__linejs-types'
@@ -13,6 +13,7 @@ import {
 } from '@/vendor/linejs/client/mod.js'
 
 import { LineCredentialManager } from './credential-manager'
+import { ensureSelfKeyForMid, migrateOwnE2EEKeys } from './e2ee-storage'
 import type {
   LineAccountCredentials,
   LineChat,
@@ -48,6 +49,8 @@ export interface LineRawMessage {
 
 export type LineRawEvent = { kind: 'message'; message: LineRawMessage } | { kind: 'event'; op: LineOperation }
 
+type VendorMessage = Parameters<Client['base']['e2ee']['decryptE2EEMessage']>[0]
+
 const MAX_MESSAGE_ID = 9223372036854775807n
 
 function wrapError(error: unknown, code: string): LineError {
@@ -89,17 +92,19 @@ function getDefaultDevice(): LineDevice {
   return 'ANDROIDSECONDARY'
 }
 
-function createStorage(accountId?: string): FileStorage {
+function lineStorageDir(): string {
   const dir = join(getConfigDir(), 'line-storage')
   mkdirSync(dir, { recursive: true })
-  const defaultPath = join(dir, 'default.json')
-  if (!accountId) return new FileStorage(defaultPath)
+  return dir
+}
 
-  const accountPath = join(dir, `${accountId}.json`)
-  if (!existsSync(accountPath) && existsSync(defaultPath)) {
-    copyFileSync(defaultPath, accountPath)
-  }
-  return new FileStorage(accountPath)
+// Per-account stores stay isolated: blindly cloning default.json would copy another
+// account's E2EE private keys into this account's file. E2EE key material is migrated
+// explicitly via migrateOwnE2EEKeys after login resolves the account MID.
+function createStorage(accountId?: string): FileStorage {
+  const dir = lineStorageDir()
+  const fileName = accountId ? `${accountId}.json` : 'default.json'
+  return new FileStorage(join(dir, fileName))
 }
 
 export class LineClient {
@@ -130,7 +135,7 @@ export class LineClient {
       this.client = client
 
       const profile = await client.base.talk.getProfile()
-      createStorage(profile.mid)
+      await this.persistAccountE2EEKeys(client, profile.mid)
       const now = new Date().toISOString()
 
       await this.credManager.setAccount({
@@ -176,7 +181,7 @@ export class LineClient {
       this.client = client
 
       const profile = await client.base.talk.getProfile()
-      createStorage(profile.mid)
+      await this.persistAccountE2EEKeys(client, profile.mid)
       const now = new Date().toISOString()
 
       await this.credManager.setAccount({
@@ -214,12 +219,38 @@ export class LineClient {
       const storage = createStorage(creds.account_id)
 
       this.client = await linejsLoginWithAuthToken(creds.auth_token, { device, storage })
+      await this.repairSelfE2EEKey(this.client, creds.account_id)
       return this
     } catch (error) {
       throw wrapError(error, 'login_failed')
     }
   }
 
+  // A fresh QR/email login writes E2EE keys into the shared default store. Copy only
+  // this account's verified key material into its isolated per-account store so token
+  // logins (which read the per-account store) can later encrypt for E2EE chats.
+  private async persistAccountE2EEKeys(client: Client, mid: string): Promise<void> {
+    try {
+      const advertised = await client.base.talk.getE2EEPublicKeys().catch(() => undefined)
+      const target = createStorage(mid)
+      await migrateOwnE2EEKeys(client.base.storage, target, mid, advertised)
+    } catch (error) {
+      warnDegraded('persist account E2EE keys', error)
+    }
+  }
+
+  // Token sessions don't perform an E2EE handshake, so getE2EESelfKeyData can't find
+  // a key under the account MID even when the keyId-addressed key already exists in
+  // storage. Promote it to the MID address, trusting only server-advertised keyIds.
+  private async repairSelfE2EEKey(client: Client, mid: string): Promise<void> {
+    try {
+      const advertised = await client.base.talk.getE2EEPublicKeys().catch(() => undefined)
+      await ensureSelfKeyForMid(client.base.storage, mid, advertised)
+    } catch (error) {
+      warnDegraded('repair self E2EE key', error)
+    }
+  }
+
   async getProfile(): Promise<LineProfile> {
     try {
       const profile = await this.ensureClient().base.talk.getProfile()
@@ -360,23 +391,86 @@ export class LineClient {
         },
       })
 
-      return (rawMessages ?? []).map((msg) => {
-        const decryptionError = getUndecryptableMessageError(msg)
-        return {
-          message_id: String(msg.id),
-          chat_id: chatId,
-          author_id: String(msg.from ?? ''),
-          text: msg.text || null,
-          ...(decryptionError && { decryption_error: decryptionError }),
-          content_type: String(msg.contentType ?? 'NONE'),
-          sent_at: new Date(Number(msg.createdTime)).toISOString(),
-        }
-      })
+      const messages = rawMessages ?? []
+      const authorNames = await this.resolveAuthorNames(client, messages)
+
+      return await Promise.all(
+        messages.map(async (msg) => {
+          const { text, decryptionError } = await this.decryptMessageText(client, msg)
+          const authorId = String(msg.from ?? '')
+          const authorName = authorNames.get(authorId)
+          return {
+            message_id: String(msg.id),
+            chat_id: chatId,
+            author_id: authorId,
+            ...(authorName && { author_name: authorName }),
+            text,
+            ...(decryptionError && { decryption_error: decryptionError }),
+            content_type: String(msg.contentType ?? 'NONE'),
+            sent_at: new Date(Number(msg.createdTime)).toISOString(),
+          }
+        }),
+      )
     } catch (error) {
       throw wrapError(error, 'get_messages_failed')
     }
   }
 
+  // getPreviousMessagesV2WithRequest returns Letter-Sealing messages as encrypted
+  // chunks with null text, so they must be decrypted with the same path streamEvents
+  // uses. Plain messages already carry text and skip decryption.
+  private async decryptMessageText(
+    client: Client,
+    msg: VendorMessage,
+  ): Promise<{ text: string | null; decryptionError?: LineDecryptionError }> {
+    if (!isEncryptedChunkMessage(msg)) {
+      return { text: msg.text || null }
+    }
+
+    try {
+      const decrypted = await client.base.e2ee.decryptE2EEMessage(normalizeE2EEMetadata(msg))
+      return { text: decrypted.text ?? null }
+    } catch (error) {
+      return { text: null, decryptionError: getDecryptionError(error) }
+    }
+  }
+
+  // getContacts doesn't return the current user, so self-authored messages need
+  // getProfile separately. Lookups degrade to bare MIDs rather than failing.
+  private async resolveAuthorNames(
+    client: Client,
+    messages: ReadonlyArray<{ from?: unknown }>,
+  ): Promise<Map<string, string>> {
+    const names = new Map<string, string>()
+    const authorMids = [...new Set(messages.map((m) => String(m.from ?? '')).filter((mid) => mid.length > 0))]
+    if (authorMids.length === 0) return names
+
+    const selfMid = client.base.profile?.mid
+    const contactMids = authorMids.filter((mid) => mid !== selfMid)
+
+    if (contactMids.length > 0) {
+      try {
+        const contacts = await client.base.talk.getContacts({ mids: contactMids })
+        for (const contact of contacts ?? []) {
+          if (contact.displayName) names.set(contact.mid, contact.displayName)
+        }
+      } catch (error) {
+        warnDegraded('resolve message author names', error)
+      }
+    }
+
+    if (selfMid && authorMids.includes(selfMid) && !names.has(selfMid)) {
+      try {
+        const profile = await client.base.talk.getProfile()
+        if (profile.displayName) names.set(selfMid, profile.displayName)
+      } catch (error) {
+        warnDegraded('resolve own display name', error)
+      }
+    }
+
+    return names
+  }
+
   async sendMessage(chatId: string, text: string): Promise<LineSendResult> {
     try {
       const client = this.ensureClient()
@@ -510,6 +604,16 @@ function isEncryptedChunkMessage(raw: unknown): boolean {
   return hasE2EEMetadata(message.contentMetadata) || hasE2EEMetadata(message.metadata)
 }
 
+// decryptE2EEMessage reads messageObj.contentMetadata.e2eeVersion unconditionally.
+// History messages from getPreviousMessagesV2WithRequest may carry E2EE metadata
+// only under `metadata`, which would crash the decryptor on undefined.e2eeVersion.
+function normalizeE2EEMetadata<T extends VendorMessage>(msg: T): T {
+  const m = msg as { contentMetadata?: unknown; metadata?: unknown }
+  if (hasE2EEMetadata(m.contentMetadata)) return msg
+  if (!hasE2EEMetadata(m.metadata)) return msg
+  return { ...msg, contentMetadata: m.metadata }
+}
+
 function hasE2EEMetadata(raw: unknown): boolean {
   if (!raw || typeof raw !== 'object') return false
   const metadata = raw as { e2eeMark?: unknown; e2eeVersion?: unknown }

package/src/platforms/line/e2ee-storage.test.ts

@@ -0,0 +1,154 @@
+import { describe, expect, it } from 'bun:test'
+
+import { ensureSelfKeyForMid, migrateOwnE2EEKeys } from './e2ee-storage'
+
+function memStore(initial: Record<string, string> = {}) {
+  const data: Record<string, string> = { ...initial }
+  return {
+    data,
+    async get(key: string) {
+      return data[key]
+    },
+    async set(key: string, value: string) {
+      data[key] = value
+    },
+    async getAll() {
+      return { ...data }
+    },
+  }
+}
+
+const SELF_A = { keyId: 100, privKey: 'privA', pubKey: 'pubA', e2eeVersion: 2 }
+const SELF_B = { keyId: 200, privKey: 'privB', pubKey: 'pubB', e2eeVersion: 2 }
+
+describe('ensureSelfKeyForMid', () => {
+  it('keeps an existing MID-addressed self-key', async () => {
+    const store = memStore({ 'e2eeKeys:midA': JSON.stringify(SELF_A) })
+
+    const ok = await ensureSelfKeyForMid(store, 'midA', [{ keyId: 100 }])
+
+    expect(ok).toBe(true)
+    expect(JSON.parse(store.data['e2eeKeys:midA'])).toMatchObject({ privKey: 'privA' })
+  })
+
+  it('promotes a keyId-addressed self-key when the server advertises that keyId', async () => {
+    const store = memStore({ 'e2eeKeys:100': JSON.stringify(SELF_A) })
+
+    const ok = await ensureSelfKeyForMid(store, 'midA', [{ keyId: 100 }])
+
+    expect(ok).toBe(true)
+    expect(JSON.parse(store.data['e2eeKeys:midA'])).toMatchObject({ privKey: 'privA' })
+  })
+
+  it('supports the array-shaped public key (keyId at index 2)', async () => {
+    const store = memStore({ 'e2eeKeys:100': JSON.stringify(SELF_A) })
+
+    const ok = await ensureSelfKeyForMid(store, 'midA', [[undefined, undefined, 100] as never])
+
+    expect(ok).toBe(true)
+  })
+
+  it('never promotes a foreign-MID-addressed key (no advertised match)', async () => {
+    // given: storage contaminated with another account's self-key under its MID
+    const store = memStore({ 'e2eeKeys:midB': JSON.stringify(SELF_B) })
+
+    // when: account A has no advertised keyId matching any stored key
+    const ok = await ensureSelfKeyForMid(store, 'midA', [{ keyId: 999 }])
+
+    // then: A's MID key is not created from B's material
+    expect(ok).toBe(false)
+    expect(store.data['e2eeKeys:midA']).toBeUndefined()
+  })
+
+  it('never promotes a keyId key the server did not advertise for this account', async () => {
+    const store = memStore({ 'e2eeKeys:200': JSON.stringify(SELF_B) })
+
+    const ok = await ensureSelfKeyForMid(store, 'midA', [{ keyId: 100 }])
+
+    expect(ok).toBe(false)
+    expect(store.data['e2eeKeys:midA']).toBeUndefined()
+  })
+
+  it('rejects a payload whose own keyId does not match the advertised slot', async () => {
+    // given: the slot e2eeKeys:100 holds a payload that claims keyId 999
+    const mislabeled = { keyId: 999, privKey: 'privX', pubKey: 'pubX', e2eeVersion: 2 }
+    const store = memStore({ 'e2eeKeys:100': JSON.stringify(mislabeled) })
+
+    const ok = await ensureSelfKeyForMid(store, 'midA', [{ keyId: 100 }])
+
+    expect(ok).toBe(false)
+    expect(store.data['e2eeKeys:midA']).toBeUndefined()
+  })
+
+  it('returns false when no keys exist', async () => {
+    const store = memStore()
+    expect(await ensureSelfKeyForMid(store, 'midA', [{ keyId: 100 }])).toBe(false)
+  })
+
+  it('returns false for an empty mid', async () => {
+    const store = memStore({ 'e2eeKeys:100': JSON.stringify(SELF_A) })
+    expect(await ensureSelfKeyForMid(store, '', [{ keyId: 100 }])).toBe(false)
+  })
+})
+
+describe('migrateOwnE2EEKeys', () => {
+  it('copies only the advertised keyId material into the target', async () => {
+    const source = memStore({
+      'e2eeKeys:100': JSON.stringify(SELF_A),
+      'e2eePublicKeys:100': 'pubkey-blob-A',
+      'e2eeKeys:200': JSON.stringify(SELF_B),
+      'e2eePublicKeys:200': 'pubkey-blob-B',
+    })
+    const target = memStore()
+
+    const count = await migrateOwnE2EEKeys(source, target, 'midA', [{ keyId: 100 }])
+
+    expect(count).toBe(1)
+    expect(JSON.parse(target.data['e2eeKeys:100'])).toMatchObject({ privKey: 'privA' })
+    expect(target.data['e2eePublicKeys:100']).toBe('pubkey-blob-A')
+    // foreign account B keys must not leak across
+    expect(target.data['e2eeKeys:200']).toBeUndefined()
+    expect(target.data['e2eePublicKeys:200']).toBeUndefined()
+  })
+
+  it('copies the MID-addressed self-key when present', async () => {
+    const source = memStore({ 'e2eeKeys:midA': JSON.stringify(SELF_A) })
+    const target = memStore()
+
+    const count = await migrateOwnE2EEKeys(source, target, 'midA', [])
+
+    expect(count).toBe(1)
+    expect(JSON.parse(target.data['e2eeKeys:midA'])).toMatchObject({ privKey: 'privA' })
+  })
+
+  it('migrates nothing when only foreign keys are present', async () => {
+    const source = memStore({ 'e2eeKeys:midB': JSON.stringify(SELF_B), 'e2eeKeys:200': JSON.stringify(SELF_B) })
+    const target = memStore()
+
+    const count = await migrateOwnE2EEKeys(source, target, 'midA', [{ keyId: 100 }])
+
+    expect(count).toBe(0)
+    expect(Object.keys(target.data)).toHaveLength(0)
+  })
+
+  it('skips a payload whose own keyId does not match the advertised slot', async () => {
+    const mislabeled = { keyId: 999, privKey: 'privX', pubKey: 'pubX', e2eeVersion: 2 }
+    const source = memStore({ 'e2eeKeys:100': JSON.stringify(mislabeled), 'e2eePublicKeys:100': 'blob' })
+    const target = memStore()
+
+    const count = await migrateOwnE2EEKeys(source, target, 'midA', [{ keyId: 100 }])
+
+    expect(count).toBe(0)
+    expect(target.data['e2eeKeys:100']).toBeUndefined()
+    expect(target.data['e2eePublicKeys:100']).toBeUndefined()
+  })
+
+  it('ignores malformed key entries', async () => {
+    const source = memStore({ 'e2eeKeys:100': 'not-json', 'e2eeKeys:midA': '{"keyId":1}' })
+    const target = memStore()
+
+    const count = await migrateOwnE2EEKeys(source, target, 'midA', [{ keyId: 100 }])
+
+    expect(count).toBe(0)
+  })
+})