feat: add recovery key support for E2EE agents, including configuration and documentation updates

agents/asistente2/config.yaml

@@ -116,13 +116,14 @@ matrix:
   homeserver: "https://matrix-af2f3d.organic-machine.com"
   user_id: "@asistente-2:matrix-af2f3d.organic-machine.com"
   access_token_env: MATRIX_TOKEN_ASISTENTE2
-  device_id: "YBFNMNMJIC"
+  device_id: "XUGTSZJYFQ"
 
   encryption:
     enabled: true
     store_path: "./agents/asistente2/data/crypto/"
     pickle_key_env: PICKLE_KEY_ASISTENTE_2
     trust_mode: tofu
+    recovery_key_env: SSSS_RECOVERY_KEY_ASISTENTE_2
 
   rooms:
     listen: []

agents/assistant/config.yaml

@@ -117,13 +117,14 @@ matrix:
   homeserver: "https://matrix-af2f3d.organic-machine.com"
   user_id: "@assistant-bot:matrix-af2f3d.organic-machine.com"
   access_token_env: MATRIX_TOKEN_ASSISTANT
-  device_id: "ASSISTANTBOT01"
+  device_id: "SMWMRKMHDH"
 
   encryption:
     enabled: true
     store_path: "./agents/assistant/data/crypto/"
     pickle_key_env: PICKLE_KEY_ASSISTANT_BOT
     trust_mode: tofu
+    recovery_key_env: SSSS_RECOVERY_KEY_ASSISTANT_BOT
 
   rooms:
     listen: []     # vacío = escucha en todos los rooms donde está invitado

agents/runtime.go

@@ -56,6 +56,18 @@ func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*
 		if err != nil {
 			return nil, fmt.Errorf("e2ee init: %w", err)
 		}
+
+		// Auto-fetch cross-signing private keys from SSSS if recovery key is configured.
+		if envName := cfg.Matrix.Encryption.RecoveryKeyEnv; envName != "" {
+			if rk := os.Getenv(envName); rk != "" {
+				if err := matrixClient.FetchCrossSigningKeys(context.Background(), rk); err != nil {
+					logger.Warn("failed to fetch cross-signing keys from SSSS (non-fatal)", "err", err)
+				} else {
+					logger.Info("cross-signing private keys fetched from SSSS")
+				}
+			}
+		}
+
 		logger.Info("e2ee ready")
 	}