feat: enable Matrix E2EE with cross-signing verification on bot

Add end-to-end encryption support to the Matrix bot using the matrix-sdk crypto features. The bot now: - Enables E2EE on the Matrix client with cross-signing bootstrapping - Auto-verifies its own cross-signing identity on startup - Handles key verification requests from other users automatically - Sends encrypted messages in E2EE-enabled rooms - Adds MATRIX_STORE_PATH config for persistent crypto store Squash merge of feature/story-194_story_enable_matrix_e2ee_with_cross_signing_verification_on_bot Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 10:41:29 +00:00
parent 92395c5068
commit 08e23e3830
5 changed files with 629 additions and 8 deletions
--- a/server/src/matrix/config.rs
+++ b/server/src/matrix/config.rs
@@ -35,6 +35,12 @@ pub struct BotConfig {
    /// dropped. Defaults to 20.
    #[serde(default = "default_history_size")]
    pub history_size: usize,
+    /// When `true`, the bot rejects messages from users whose devices have not
+    /// been verified via cross-signing in encrypted rooms. When `false`
+    /// (default), messages are accepted regardless of device verification
+    /// status, preserving existing plaintext-room behaviour.
+    #[serde(default)]
+    pub require_verified_devices: bool,
    /// Previously used to select an Anthropic model. Now ignored — the bot
    /// uses Claude Code which manages its own model selection. Kept for
    /// backwards compatibility so existing bot.toml files still parse.
@@ -235,6 +241,47 @@ enabled = true
        assert_eq!(config.history_size, 20);
    }

+    #[test]
+    fn load_defaults_require_verified_devices_to_false() {
+        let tmp = tempfile::tempdir().unwrap();
+        let sk = tmp.path().join(".story_kit");
+        fs::create_dir_all(&sk).unwrap();
+        fs::write(
+            sk.join("bot.toml"),
+            r#"
+homeserver = "https://matrix.example.com"
+username = "@bot:example.com"
+password = "secret"
+room_ids = ["!abc:example.com"]
+enabled = true
+"#,
+        )
+        .unwrap();
+        let config = BotConfig::load(tmp.path()).unwrap();
+        assert!(!config.require_verified_devices);
+    }
+
+    #[test]
+    fn load_respects_require_verified_devices_true() {
+        let tmp = tempfile::tempdir().unwrap();
+        let sk = tmp.path().join(".story_kit");
+        fs::create_dir_all(&sk).unwrap();
+        fs::write(
+            sk.join("bot.toml"),
+            r#"
+homeserver = "https://matrix.example.com"
+username = "@bot:example.com"
+password = "secret"
+room_ids = ["!abc:example.com"]
+enabled = true
+require_verified_devices = true
+"#,
+        )
+        .unwrap();
+        let config = BotConfig::load(tmp.path()).unwrap();
+        assert!(config.require_verified_devices);
+    }
+
    #[test]
    fn load_respects_custom_history_size() {
        let tmp = tempfile::tempdir().unwrap();