feat: implement end-to-end encryption (E2EE) support for agents with configuration and documentation updates

agents/asistente2/config.yaml

@@ -120,7 +120,8 @@ matrix:
 
   encryption:
     enabled: true
-    store_path: "./data/crypto/"
+    store_path: "./agents/asistente2/data/crypto/"
+    pickle_key_env: PICKLE_KEY_ASISTENTE_2
     trust_mode: tofu
 
   rooms:

agents/assistant/config.yaml

@@ -121,7 +121,8 @@ matrix:
 
   encryption:
     enabled: true
-    store_path: "./data/crypto/"
+    store_path: "./agents/assistant/data/crypto/"
+    pickle_key_env: PICKLE_KEY_ASSISTANT_BOT
     trust_mode: tofu
 
   rooms:

agents/devops/config.yaml

@@ -135,7 +135,8 @@ matrix:
 
   encryption:
     enabled: false           # habilitar cuando E2EE esté configurado
-    store_path: "./data/crypto/"
+    store_path: "./agents/devops/data/crypto/"
+    pickle_key_env: PICKLE_KEY_DEVOPS_BOT
     trust_mode: tofu
 
   rooms:

agents/runtime.go

@@ -6,7 +6,9 @@ import (
 	"fmt"
 	"io"
 	"log/slog"
+	"os"
 	"path/filepath"
+	"strings"
 
 	"maunium.net/go/mautrix/event"
 
@@ -49,9 +51,16 @@ func New(cfg *config.AgentConfig, rules []decision.Rule, logger *slog.Logger) (*
 	var cryptoStore io.Closer
 	if cfg.Matrix.Encryption.Enabled {
 		storePath := filepath.Join(cfg.Matrix.Encryption.StorePath, "crypto.db")
+		pickleKey := os.Getenv(cfg.Matrix.Encryption.PickleKeyEnv)
 		logger.Info("initializing e2ee", "store", storePath)
-		cryptoStore, err = matrixClient.InitCrypto(context.Background(), storePath, cfg.Agent.ID)
+		cryptoStore, err = matrixClient.InitCrypto(context.Background(), storePath, pickleKey, cfg.Agent.ID)
 		if err != nil {
+			if strings.Contains(err.Error(), "not marked as shared") {
+				logger.Error("crypto store is inconsistent with server — need a fresh device",
+					"store", storePath,
+					"fix", "delete crypto.db, login with password to get new token+device, update .env, restart",
+				)
+			}
 			return nil, fmt.Errorf("e2ee init: %w", err)
 		}
 		logger.Info("e2ee ready")