fix(matrix): bootstrap missing crypto runtime after script-skipped installs

[bmendonca3]

Summary

Describe the problem and fix in 2–5 bullets:

• Problem: plugin installs run npm install --ignore-scripts, so @matrix-org/matrix-sdk-crypto-nodejs never runs postinstall and the native crypto library is missing.
• Why it matters: Matrix plugin fails to load at startup with Cannot find module '@matrix-org/matrix-sdk-crypto-nodejs-<platform>'.
• What changed: Matrix plugin registration now proactively bootstraps the crypto runtime (runs download-lib.js) only when that specific missing-native-module error is detected, then retries loading.
• What did NOT change (scope boundary): no global plugin-installer behavior change, no dependency patching, no channel behavior changes beyond startup recovery for missing Matrix crypto runtime.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes [Bug]: Matrix plugin install yields - Error: Cannot find module '@matrix-org/matrix-sdk-crypto-nodejs-linux-x64-gnu' #31928
• Related #

User-visible / Behavior Changes

• Matrix plugin can self-recover from missing matrix-sdk-crypto native runtime after plugin install/update paths that skip npm scripts.
• Startup no longer hard-fails on the missing native module; plugin attempts one bootstrap and retries load.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (No)
• New/changed network calls? (Yes)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:
  • Yes: on the specific missing-native-runtime error path, the plugin runs the existing @matrix-org/matrix-sdk-crypto-nodejs/download-lib.js helper to fetch the platform binary. This mirrors the documented manual workaround and is scoped to Matrix plugin startup only.

Repro + Verification

Environment

• OS: macOS 15 (repro equivalent to Linux issue path)
• Runtime/container: Node v22.22.0
• Model/provider: N/A
• Integration/channel (if any): Matrix plugin install/load
• Relevant config (redacted): default plugin install flow

Steps

1. Fresh install in a temp matrix plugin copy with scripts disabled:
   npm install --omit=dev --silent --ignore-scripts
2. Attempt to load Matrix SDK:
   node -e 'require("@vector-im/matrix-bot-sdk")'
3. Observe missing crypto runtime module error.

Expected

• Matrix plugin startup should recover from the missing crypto runtime produced by script-skipping installs.

Actual

• Before fix: hard crash with Cannot find module '@matrix-org/matrix-sdk-crypto-nodejs-<platform>'.
• After fix: plugin bootstrap path downloads runtime and retries SDK load.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • Reproduced failure in temp plugin install with:
    • npm install --omit=dev --silent --ignore-scripts
    • node -e 'require("@vector-im/matrix-bot-sdk")' -> missing module error
  • Verified manual bootstrap workaround succeeds in same temp install:
    • node node_modules/@matrix-org/matrix-sdk-crypto-nodejs/download-lib.js
    • node -e 'require("@vector-im/matrix-bot-sdk")' -> success
  • Verified new bootstrap logic via unit tests:
    • pnpm test extensions/matrix/src/matrix/deps.test.ts
  • Verified matrix channel wiring still passes:
    • pnpm test extensions/matrix/src/channel.directory.test.ts
  • Verified type/lint:
    • pnpm tsgo
    • pnpm lint
• Edge cases checked:
  • Missing crypto-runtime error triggers bootstrap path.
  • Unrelated module load errors are rethrown (no unintended bootstrap).
• What you did not verify:
  • Live Matrix message flow against a real homeserver after bootstrap.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
  • Revert this PR commit.
• Files/config to restore:
  • extensions/matrix/index.ts
  • extensions/matrix/src/matrix/deps.ts
  • extensions/matrix/src/matrix/deps.test.ts
• Known bad symptoms reviewers should watch for:
  • Matrix startup delay/failure when download helper invocation fails.

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk: startup now invokes a download helper on a specific error path, which can fail under restricted egress.
  • Mitigation: scope is narrow (only this known missing-runtime error), failures remain explicit and actionable.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟡 Medium	Matrix plugin auto-executes dependency downloader script at runtime (native binary fetch without OpenClaw verification)

---

1. 🟡 Matrix plugin auto-executes dependency downloader script at runtime (native binary fetch without OpenClaw verification)

Property	Value
Severity	Medium
CWE	CWE-494
Location	extensions/matrix/src/matrix/deps.ts:69-76

Description

ensureMatrixCryptoRuntime() resolves and runs @​matrix-org/matrix-sdk-crypto-nodejs/download-lib.js when the Matrix SDK fails to load due to a missing platform crypto runtime.

Security impact:

• Unprompted runtime network fetch: the Matrix plugin triggers a download attempt automatically during plugin registration (startup) rather than requiring an explicit admin action/confirmation.
• Native code supply-chain risk: the helper is intended to download a platform-specific native crypto library which will then be loaded in-process. If the helper downloads a tampered artifact (e.g., compromised upstream release, registry compromise, or hostile proxy/MITM in environments with TLS interception), this can become RCE in the OpenClaw process.
• No integrity policy enforced by OpenClaw: this code performs no checksum/signature verification itself, and the helper script is not vendored; OpenClaw fully delegates trust decisions to the dependency’s runtime downloader.

Vulnerable code:

const scriptPath = resolveFn("@​matrix-org/matrix-sdk-crypto-nodejs/download-lib.js");
const result = await runCommand({
  argv: [nodeExecutable, scriptPath],
  cwd: path.dirname(scriptPath),
  timeoutMs: 300_000,
  env: { COREPACK_ENABLE_DOWNLOAD_PROMPT: "0" },
});

Recommendation

Avoid runtime bootstrapping of native binaries, or gate it behind explicit admin consent and integrity controls.

Suggested mitigations (choose one or combine):

1. Require install-time provisioning (preferred): document that users must install/rebuild @​matrix-org/matrix-sdk-crypto-nodejs during deployment, and remove the runtime download step.

2. Explicit opt-in + prompt: default to disabled, and only run the downloader when an admin sets a config flag (or confirms interactively).

3. Integrity verification: if runtime download is unavoidable, implement a verification layer that checks an expected digest/signature for the downloaded artifact before it is loaded.

Example (opt-in gate):

export async function ensureMatrixCryptoRuntime({ allowDownload = false, ...params } = {}) {
  ​// ... detect missing runtime ...
  if (!allowDownload) {
    throw new Error(
      "Matrix crypto runtime missing. Refusing to download native binary at runtime; please install/rebuild @​matrix-org/matrix-sdk-crypto-nodejs during deployment.",
    );
  }
  ​// run downloader only when explicitly allowed
}

Additionally, consider running the helper with a restricted environment (do not inherit full process.env) and store artifacts in an application-controlled directory rather than modifying node_modules at runtime.

---

Analyzed PR: #31989 at commit 549b9f9

_{Last updated on: 2026-03-02T19:46:55Z}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 283c2c5f62

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Greptile Summary

Adds automatic crypto runtime bootstrap recovery for the Matrix plugin when npm install --ignore-scripts skips postinstall scripts. The implementation detects the specific missing native module error, runs the existing download helper script, and retries SDK loading before proceeding with channel registration.

Key changes:

• New ensureMatrixCryptoRuntime() function with targeted error detection for missing @matrix-org/matrix-sdk-crypto-nodejs-<platform> native modules
• Plugin registration now async with crypto bootstrap call before channel import
• Dynamic import of channel module ensures crypto runtime availability
• Comprehensive unit tests covering bootstrap, retry, and error paths
• 5-minute timeout for binary download with proper error handling

Implementation details:

• Error detection checks for both "Cannot find module" and package name substring to avoid false positives
• Bootstrap only triggers on the specific crypto error; other errors are rethrown immediately
• Retry after bootstrap ensures the fix actually worked before proceeding
• Similar pattern to existing ensureMatrixSdkInstalled function in the same file

Confidence Score: 4/5

• Safe to merge with one minor UX improvement recommended (add logging for visibility during bootstrap).
• Well-implemented fix with targeted error detection, proper error handling, and good test coverage. The bootstrap logic mirrors the documented manual workaround and is scoped to Matrix plugin startup only. Deducted one point for missing log parameter that would improve UX during the download process.
• No files require special attention - the implementation is straightforward and well-tested.

_{Last reviewed commit: 283c2c5}

[greptile-apps]

_{3 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[steipete]

Addressed review feedback:

• Kept plugin register synchronous (no async return), matching current loader behavior.
• Added bootstrap visibility with ensureMatrixCryptoRuntime({ log: api.logger.info }).
• Added explicit .catch(...) logging on bootstrap promise to avoid unhandled rejection path.

Targeted gate run:
pnpm -s vitest run extensions/matrix/src/matrix/deps.test.ts

[steipete]

Landed via temp rebase onto main.

• Gate: pnpm -s vitest run extensions/matrix/src/matrix/deps.test.ts
• Land commit: 549b9f9
• Merge commit: fcec2e3

Thanks @bmendonca3!

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 549b9f9e74

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Bootstrap crypto before importing matrix plugin module

Move the bootstrap earlier because this call is currently unreachable in the failure mode it targets: extensions/matrix/index.ts imports matrixPlugin at module load time, and that import chain reaches extensions/matrix/src/matrix/client/config.ts where @vector-im/matrix-bot-sdk is imported at top level. In npm install --ignore-scripts installs (missing @matrix-org/matrix-sdk-crypto-nodejs-<platform>), the plugin load throws during module import (in loadOpenClawPlugins's getJiti()(safeSource) path) before register() runs, so ensureMatrixCryptoRuntime() here never executes and Matrix still fails to load.

Useful? React with 👍 / 👎.