package main import ( "context" "crypto/rand" "encoding/hex" "errors" "fmt" "path/filepath" "sync" "time" "fn-registry/projects/element_agents/apps/matrix_client_pc/internal/infra" "github.com/wailsapp/wails/v2/pkg/runtime" "maunium.net/go/mautrix" "maunium.net/go/mautrix/event" "maunium.net/go/mautrix/id" ) // Constants are operator-configurable later via settings UI. Hardcoded for issue 0147 MVP. const ( homeserverURL = "https://matrix-af2f3d.organic-machine.com" masIssuer = "https://auth-af2f3d.organic-machine.com/" masClientID = "VDC4XQ2ZKN2TJ0BYVJ54FK7M6Y" loopbackPort = 8765 keyringServiceName = "fn_registry.matrix_client_pc" oidcTimeoutSeconds = 300 ) var defaultScopes = []string{ "openid", "urn:matrix:org.matrix.msc2967.client:api:*", } // MatrixService is bound to the Wails frontend. type MatrixService struct { ctx context.Context mu sync.Mutex store *infra.KeyringTokenStore client *mautrix.Client sync *infra.MatrixSyncServiceHandle crypto *infra.MatrixCryptoInitResult userID string } func NewMatrixService() *MatrixService { return &MatrixService{ store: infra.NewKeyringTokenStore(keyringServiceName), } } func (s *MatrixService) SetContext(ctx context.Context) { s.ctx = ctx } // SessionView is the safe-to-send JSON for the frontend (no tokens). type SessionView struct { UserID string `json:"user_id"` DeviceID string `json:"device_id"` HomeserverURL string `json:"homeserver_url"` HasToken bool `json:"has_token"` ExpiresAt string `json:"expires_at,omitempty"` } // MatrixEvent is the exportable, JSON-friendly shape of a Matrix event for the frontend. type MatrixEvent struct { EventID string `json:"event_id"` RoomID string `json:"room_id"` Sender string `json:"sender"` Type string `json:"type"` Ts int64 `json:"ts"` Body string `json:"body,omitempty"` EncryptedRaw bool `json:"encrypted_raw"` } // SyncEventView is what we emit through Wails events. Mirrors MatrixSyncEvent but without // the raw event pointer that wouldn't survive JSON serialization. type SyncEventView struct { Type string `json:"type"` RoomID string `json:"room_id"` EventID string `json:"event_id"` Sender string `json:"sender"` Ts int64 `json:"ts"` Body string `json:"body,omitempty"` } // Login launches the OAuth2 PKCE flow against MAS. Blocks until completion or timeout. // Returns the user_id of the authenticated session. func (s *MatrixService) Login() (string, error) { s.mu.Lock() defer s.mu.Unlock() cfg := infra.MasOidcLoopbackConfig{ Issuer: masIssuer, ClientID: masClientID, Scopes: defaultScopes, LoopbackPort: loopbackPort, OpenBrowser: true, TimeoutSeconds: oidcTimeoutSeconds, } res, err := infra.MasOidcLoopback(cfg) if err != nil { return "", fmt.Errorf("oidc: %w", err) } // Pre-fetch user_id by hitting /whoami directly (mautrix requires UserID at NewClient). userID, deviceID, err := whoami(s.ctx, homeserverURL, res.AccessToken) if err != nil { return "", fmt.Errorf("whoami: %w", err) } clientCfg := infra.MatrixClientInitConfig{ HomeserverURL: homeserverURL, UserID: userID, DeviceID: deviceID, AccessToken: res.AccessToken, StoreDir: userStoreDir(userID), EnableCrypto: false, // crypto goes through MatrixCryptoInit in Start() } if _, err := infra.MatrixClientInit(clientCfg); err != nil { return "", fmt.Errorf("matrix init: %w", err) } tok := infra.Token{ AccessToken: res.AccessToken, RefreshToken: res.RefreshToken, UserID: userID, DeviceID: deviceID, HomeserverURL: homeserverURL, Issuer: masIssuer, ClientID: masClientID, } if res.ExpiresIn > 0 { tok.ExpiresAt = time.Now().Add(time.Duration(res.ExpiresIn) * time.Second) } if err := s.store.Save(userID, tok); err != nil { return "", fmt.Errorf("keyring save: %w", err) } return userID, nil } // GetSession returns the persisted session for the given user_id. func (s *MatrixService) GetSession(userID string) (*SessionView, error) { if userID == "" { return nil, errors.New("user_id required (v0.1.0 multi-account index TODO)") } tok, err := s.store.Load(userID) if err != nil { if errors.Is(err, infra.ErrNotFound) { return nil, nil } return nil, fmt.Errorf("keyring load: %w", err) } view := &SessionView{ UserID: tok.UserID, DeviceID: tok.DeviceID, HomeserverURL: tok.HomeserverURL, HasToken: tok.AccessToken != "", } if !tok.ExpiresAt.IsZero() { view.ExpiresAt = tok.ExpiresAt.Format(time.RFC3339) } return view, nil } // Logout deletes the persisted token + stops sync. func (s *MatrixService) Logout(userID string) error { s.mu.Lock() defer s.mu.Unlock() if userID == "" { return errors.New("user_id required") } if s.sync != nil { s.sync.Stop() s.sync = nil } s.client = nil s.crypto = nil s.userID = "" return s.store.Delete(userID) } // Stop shuts down the sync loop without deleting credentials. Safe to call multiple times. func (s *MatrixService) Stop() { s.mu.Lock() defer s.mu.Unlock() if s.sync != nil { s.sync.Stop() s.sync = nil } } // Start initializes the Matrix client + crypto + sync loop for the given user. // Must be called after Login() or after a successful GetSession() for a returning user. // Idempotent: safe to call multiple times for the same user. func (s *MatrixService) Start(userID string) error { s.mu.Lock() defer s.mu.Unlock() if userID == "" { return errors.New("user_id required") } // Idempotent for same user if s.sync != nil && s.userID == userID { return nil } // Different user or restart: stop previous if s.sync != nil { s.sync.Stop() s.sync = nil } tok, err := s.store.Load(userID) if err != nil { return fmt.Errorf("keyring load: %w", err) } storeDir := userStoreDir(userID) clientCfg := infra.MatrixClientInitConfig{ HomeserverURL: tok.HomeserverURL, UserID: tok.UserID, DeviceID: tok.DeviceID, AccessToken: tok.AccessToken, StoreDir: storeDir, EnableCrypto: false, } clientRes, err := infra.MatrixClientInit(clientCfg) if err != nil { return fmt.Errorf("matrix init: %w", err) } // Pickle key: load from keyring (hex), or generate fresh and persist. pickleKey, err := s.loadOrCreatePickleKey(tok) if err != nil { return fmt.Errorf("pickle key: %w", err) } cryptoStorePath := filepath.Join(storeDir, "crypto.db") // Wrap MatrixCryptoInit in 60s timeout — hang here is the canonical MAS-UIA-rejection signal. cryptoCtx, cancel := context.WithTimeout(s.ctx, 60*time.Second) defer cancel() cryptoRes, err := infra.MatrixCryptoInit(cryptoCtx, infra.MatrixCryptoInitConfig{ Client: clientRes.Client, StorePath: cryptoStorePath, PickleKey: pickleKey, }) if err != nil { return fmt.Errorf("matrix crypto init (hang here = MAS rejected UIA, see memory feedback_agents_e2ee_unblock_pattern): %w", err) } syncRes, err := infra.MatrixSyncService(s.ctx, infra.MatrixSyncServiceConfig{ Client: clientRes.Client, }) if err != nil { return fmt.Errorf("matrix sync: %w", err) } s.client = clientRes.Client s.crypto = cryptoRes s.sync = syncRes s.userID = userID // Fan events out via Wails runtime. go s.fanout() return nil } func (s *MatrixService) fanout() { if s.ctx == nil || s.sync == nil { return } events := s.sync.Events errs := s.sync.Errors for { select { case <-s.ctx.Done(): return case ev, ok := <-events: if !ok { return } view := SyncEventView{ Type: ev.Type, RoomID: ev.RoomID, EventID: ev.EventID, Sender: ev.Sender, Ts: ev.Ts, Body: ev.Body, } runtime.EventsEmit(s.ctx, "matrix:event", view) case e, ok := <-errs: if !ok { return } if e != nil { runtime.EventsEmit(s.ctx, "matrix:error", e.Error()) } } } } // ListRooms returns the joined rooms with summary metadata. func (s *MatrixService) ListRooms() ([]infra.RoomSummary, error) { s.mu.Lock() client := s.client s.mu.Unlock() if client == nil { return nil, errors.New("matrix service not started — call Start() first") } return infra.MatrixRoomList(s.ctx, infra.MatrixRoomListConfig{Client: client}) } // LoadTimeline fetches the last N messages of a room (most recent first). func (s *MatrixService) LoadTimeline(roomID string, limit int) ([]MatrixEvent, error) { s.mu.Lock() client := s.client s.mu.Unlock() if client == nil { return nil, errors.New("matrix service not started — call Start() first") } if limit <= 0 { limit = 50 } msgs, err := client.Messages(s.ctx, id.RoomID(roomID), "", "", mautrix.DirectionBackward, nil, limit) if err != nil { return nil, fmt.Errorf("messages: %w", err) } out := make([]MatrixEvent, 0, len(msgs.Chunk)) for _, evt := range msgs.Chunk { out = append(out, eventToView(evt)) } return out, nil } func eventToView(evt *event.Event) MatrixEvent { view := MatrixEvent{ EventID: evt.ID.String(), RoomID: evt.RoomID.String(), Sender: evt.Sender.String(), Type: evt.Type.String(), Ts: evt.Timestamp, } if evt.Type == event.EventEncrypted { view.EncryptedRaw = true return view } // Try to parse and extract body for messages. if evt.Type == event.EventMessage { _ = evt.Content.ParseRaw(evt.Type) if mc, ok := evt.Content.Parsed.(*event.MessageEventContent); ok && mc != nil { view.Body = mc.Body } } return view } // SendText sends a plain text message to the given room. func (s *MatrixService) SendText(roomID, body string) (string, error) { s.mu.Lock() client := s.client s.mu.Unlock() if client == nil { return "", errors.New("matrix service not started — call Start() first") } evID, err := infra.MatrixSendText(s.ctx, client, id.RoomID(roomID), body) if err != nil { return "", err } return string(evID), nil } // SendMarkdown sends a markdown-formatted message (rendered + sanitized HTML). func (s *MatrixService) SendMarkdown(roomID, md string) (string, error) { s.mu.Lock() client := s.client s.mu.Unlock() if client == nil { return "", errors.New("matrix service not started — call Start() first") } evID, err := infra.MatrixSendMarkdown(s.ctx, client, id.RoomID(roomID), md) if err != nil { return "", err } return string(evID), nil } // loadOrCreatePickleKey returns the 32-byte pickle key for the user. // If absent in keyring, generates fresh random bytes, hex-encodes them, persists, and returns. func (s *MatrixService) loadOrCreatePickleKey(tok *infra.Token) ([]byte, error) { if tok.PickleKeyHex != "" { key, err := hex.DecodeString(tok.PickleKeyHex) if err == nil && len(key) == 32 { return key, nil } // Malformed key in keyring — fall through and regenerate. } buf := make([]byte, 32) if _, err := rand.Read(buf); err != nil { return nil, fmt.Errorf("rand: %w", err) } tok.PickleKeyHex = hex.EncodeToString(buf) if err := s.store.Save(tok.UserID, *tok); err != nil { return nil, fmt.Errorf("save pickle key: %w", err) } return buf, nil }