bug(matrix): isStrictDirectMembership classifies 2-person rooms as DMs regardless of is_direct=false or groups[] config — requireMention silently bypassed

[paulmeier]

Summary

extensions/matrix/src/matrix/direct-room.ts classifies any 2-member room (bot + 1 user) as a "strict direct room" using a pure member-count heuristic. This happens before per-room/per-group config is consulted, so:

• A room explicitly configured under channels.matrix.groups[<roomId>] with requireMention: true is still treated as a DM at runtime.
• A room created with is_direct: false and a name is still treated as a DM.
• DM mode bypasses requireMention, so the bot responds to every message in those rooms regardless of mention status.

The CHANGELOG entry from #57124 ("honor explicit local is_direct: false for discovered DM candidates") was a partial fix — only for inherited/discovered DM candidates, not for the runtime isStrictDirectRoom path that drives mention/skill/session routing.

Affected code

// extensions/matrix/src/matrix/direct-room.ts
export function isStrictDirectMembership(params: {
  selfUserId?: string | null;
  remoteUserId?: string | null;
  joinedMembers?: readonly string[] | null;
}): boolean {
  // ...
  return Boolean(
    selfUserId &&
    remoteUserId &&
    joinedMembers.length === 2 &&        // ← pure heuristic
    joinedMembers.includes(selfUserId) &&
    joinedMembers.includes(remoteUserId),
  );
}

inspectMatrixDirectRoomEvidence does read the is_direct membership flag via hasDirectMatrixMemberFlag, but the result (memberStateFlag) is never used to negate the strict flag — even when explicitly false. isStrictDirectRoom returns .strict directly without considering is_direct: false or local config.

Reproduction (verified on 2026.5.19)

1. Configure OpenClaw with:

   "channels.matrix": {
     "enabled": true,
     "encryption": true,
     "dm": {
       "enabled": true,
       "policy": "allowlist",
       "allowFrom": ["@user:server"],
       "sessionScope": "per-room"
     },
     "groupPolicy": "open",
     "groups": {
       "!roomId:server": {
         "requireMention": true,
         "skills": ["..."]
       }
     }
   }

2. Create a Matrix room via the client API with:

   {
     "name": "parents",
     "preset": "private_chat",
     "is_direct": false,
     "initial_state": [
       { "type": "m.room.encryption", "state_key": "", "content": { "algorithm": "m.megolm.v1.aes-sha2" } }
     ],
     "invite": ["@user:server"]
   }

3. Invite the bot, bot joins → room has 2 members. The room has a name, is_direct: false on the membership events, and is explicitly in OpenClaw's groups[] map.

4. From @user:server, send a plain message (no @bot mention) → bot responds despite requireMention: true.

5. Add a third member (any user) to the same room → restart not required, eventually joinedMembers.length === 3 so isStrictDirectMembership returns false → requireMention: true is now honored: plain messages ignored, only @bot ... triggers a reply.

The workaround "add a third member" confirms the diagnosis: the 2-person count is the sole DM classifier.

Why this matters

The pattern "private 1:1 room with the bot that should still require mentions" is reasonable: a personal scratch room for an admin, a held-aside room before adding family/team members, an OPS room where the user wants explicit invocation. The current code makes this impossible without inviting a placeholder third user.

The deeper issue: groups[<roomId>] config has no effect for any 2-person room. The schema's rooms vs groups distinction is silently broken for the smallest rooms.

Proposed fix shape

In isStrictDirectRoom (or its callers), treat as NOT a strict direct room when any of the following hold:

1. The bot's own m.room.member event has is_direct: false (already readable via hasDirectMatrixMemberFlag — just needs to be honored as a veto, not an augmentation).
2. The room's room_id is explicitly listed in channels.matrix.groups[].
3. (Optional, more conservative) The room has an m.room.name set — DMs are conventionally nameless.

Suggested minimal patch in inspectMatrixDirectRoomEvidence:

const memberStateFlag = await hasDirectMatrixMemberFlag(params.client, params.roomId, selfUserId);
// Explicit local override: is_direct === false negates the strict-DM classification
if (memberStateFlag === false) {
  return {
    joinedMembers,
    strict: false,
    viaMemberState: false,
    memberStateFlag,
  };
}

Then a separate change in the channel runtime to check groups[roomId] presence before routing through DM logic.

Environment

• OpenClaw: 2026.5.19
• Matrix homeserver: Synapse (latest)
• Matrix plugin: bundled @openclaw/matrix
• Node: as shipped in ghcr.io/openclaw/openclaw:latest

Related

• fix(matrix): correct DM classification with three-tier is_direct logic and 2-member guard #57124 — partial fix for the same root cause, addressing "discovered DM candidates" only.
• bug(matrix): requireMention does not detect m.mentions from non-OpenClaw senders #64785 — closed, related but distinct (mention detection on non-OpenClaw senders, after the room is correctly classified as a group).

Happy to draft a PR if the maintainers concur on the fix shape — wanted to file the issue first to get the design discussion in the right place.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Source review shows the Matrix room path still depends on strict two-member classification before per-room group config is applied in some branches, so this should stay open as an actionable Matrix routing bug rather than cleanup-close.

Reproducibility: yes. from source, but not from a live homeserver in this read-only pass: the handler computes isDirectMessage before room config, and strict two-member fallback paths can classify room traffic as DM before requireMention is considered.

Next step
This is a narrow Matrix routing bug with clear likely files and regression-test targets, but it still needs a careful repair because the existing DM fallback is intentional for fresh unnamed invites.

Security
Needs attention: The report describes a concrete trigger-authorization bypass in Matrix room handling, so the fix should be reviewed as security-sensitive channel routing work.

Review details

Best possible solution:

Move the group-config/name and local is_direct: false veto ahead of every strict-DM classification path used for inbound routing, while keeping the existing recent-invite recovery for true unnamed DMs and adding focused Matrix monitor regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes from source, but not from a live homeserver in this read-only pass: the handler computes isDirectMessage before room config, and strict two-member fallback paths can classify room traffic as DM before requireMention is considered.

Is this the best way to solve the issue?

Yes in direction: the narrow fix is to make explicit local non-DM and configured-room signals veto strict-DM routing before inbound room/DM policy branches, with tests protecting the existing fresh-DM recovery behavior.

Label changes:

• add P1: A configured Matrix group can be routed as a DM and bypass mention gating, causing real channel workflow and authorization-policy breakage.
• add impact:security: Bypassing requireMention in a configured room weakens a documented trigger-authorization boundary.
• add impact:message-loss: The issue is about Matrix messages being misclassified and routed through the wrong mention-gating path.
• add issue-rating: 🐚 platinum hermit: Current issue advisory state selects this label.
• add clawsweeper:needs-live-repro: Current issue advisory state selects this label.
• add clawsweeper:no-new-fix-pr: Current issue advisory state selects this label.
• add clawsweeper:needs-security-review: Current issue advisory state selects this label.

Label justifications:

• P1: A configured Matrix group can be routed as a DM and bypass mention gating, causing real channel workflow and authorization-policy breakage.
• impact:message-loss: The issue is about Matrix messages being misclassified and routed through the wrong mention-gating path.
• impact:security: Bypassing requireMention in a configured room weakens a documented trigger-authorization boundary.

Security concerns:

• [medium] Matrix room mention gate can be bypassed by DM misclassification — extensions/matrix/src/matrix/monitor/handler.ts:1003
  When two-person configured rooms are routed as DMs, the handler skips room requireMention, allowing unmentioned Matrix messages to trigger the agent despite documented room policy.
  Confidence: 0.78

Acceptance criteria:

• node scripts/run-vitest.mjs extensions/matrix/src/matrix/direct-room.test.ts extensions/matrix/src/matrix/monitor/direct.test.ts extensions/matrix/src/matrix/monitor/index.test.ts extensions/matrix/src/matrix/monitor/handler.test.ts

What I checked:

• Current strict classifier is member-count only: isStrictDirectMembership returns true for exactly bot + sender membership and has no room config, room name, or is_direct: false veto. (extensions/matrix/src/matrix/direct-room.ts:20, 652712e0ad96)
• isStrictDirectRoom exposes raw strict state: inspectMatrixDirectRoomEvidence records memberStateFlag, but isStrictDirectRoom returns .strict directly, so callers of that helper do not get an explicit-false veto. (extensions/matrix/src/matrix/direct-room.ts:105, 652712e0ad96)
• Group config is only resolved after DM classification: The inbound handler calls directTracker.isDirectMessage before resolving resolveMatrixRoomConfig; if the tracker classifies the event as a DM, requireMention is set to false by the room-vs-DM branch. (extensions/matrix/src/matrix/monitor/handler.ts:652, 652712e0ad96)
• Tracker has partial local-false guard but still has strict fallback paths: createDirectRoomTracker rejects local is_direct: false after reading member state, but still returns true for strict two-member fallback before DM cache seed and for m.direct cache hits before consulting room config. (extensions/matrix/src/matrix/monitor/direct.ts:221, 652712e0ad96)
• Docs and types define per-room Matrix group mention policy: Matrix docs show channels.matrix.groups with requireMention: true, and the Matrix type exposes groups?: Record<string, MatrixRoomConfig> plus MatrixRoomConfig.requireMention. Public docs: docs/channels/matrix.md. (docs/channels/matrix.md:621, 652712e0ad96)
• Prior local-false handling was partial: The merged direct-room classification fix at fix(matrix): correct DM classification with three-tier is_direct logic and 2-member guard #57124 added explicit local is_direct handling, matching the reporter's context that this area has already needed partial repair. (extensions/matrix/CHANGELOG.md:205, 2b2edaa01db5)

Likely related people:

• @gumadeiras: Authored recent invite promotion and metadata veto work that explicitly keeps named, aliased, and configured Matrix rooms on the room path. (role: recent Matrix direct-room contributor; confidence: high; commits: b3f894ea7ebb, 8c0245f57b5d; files: extensions/matrix/src/matrix/monitor/direct.ts, extensions/matrix/src/matrix/monitor/index.ts, extensions/matrix/src/matrix/monitor/recent-invite.ts)
• @w-sss: The merged fix(matrix): correct DM classification with three-tier is_direct logic and 2-member guard #57124 change introduced the three-tier is_direct handling and explicit-false logic now implicated as partial coverage. (role: prior DM classification fix author; confidence: medium; commits: 2b2edaa01db5; files: extensions/matrix/src/matrix/direct-room.ts, extensions/matrix/src/matrix/monitor/direct.ts, extensions/matrix/src/matrix/direct-management.ts)
• @private-peter: The two-member fallback behavior was narrowed in fix(matrix): only use 2-member DM fallback when dm refresh fails #54890, which remains central to the current fallback and cache-seed branch. (role: earlier strict fallback contributor; confidence: medium; commits: 0558f2470dd5; files: extensions/matrix/src/matrix/direct-room.ts, extensions/matrix/src/matrix/monitor/direct.ts)
• @steipete: Recent current-main history recreates the Matrix direct-room files in this checkout, so this handle is relevant for routing even though the behavioral logic dates to older Matrix commits. (role: recent area restorer; confidence: low; commits: 3faddfb506b9, a185ca283a74; files: extensions/matrix/src/matrix/direct-room.ts, extensions/matrix/src/matrix/monitor/direct.ts, extensions/matrix/src/matrix/monitor/handler.ts)

Remaining risk / open question:

• I did not run a live Synapse/Matrix reproduction in this read-only review, so the exact reported release scenario is supported by source-path evidence rather than a fresh transport trace.
• The fix must preserve fresh unnamed DM recovery from fix(matrix): repair fresh invited DMs #58024 and fix(matrix): tighten DM invite promotion state #58099 while adding group-config and explicit-false vetoes in the right place.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 652712e0ad96.