From b7c28f3e1f32f84eeaad92dba3def277e010ac2b Mon Sep 17 00:00:00 2001
From: Gustavo Madeira Santana <gumadeiras@gmail.com>
Date: Thu, 9 Apr 2026 01:27:35 -0400
Subject: [PATCH] Matrix: trim dead client config exports

---
 extensions/matrix/src/matrix/client.test.ts   | 38 +++++++-------
 extensions/matrix/src/matrix/client/config.ts | 50 +------------------
 2 files changed, 19 insertions(+), 69 deletions(-)

diff --git a/extensions/matrix/src/matrix/client.test.ts b/extensions/matrix/src/matrix/client.test.ts
index e6ba3738b56..a27362d2b6a 100644
--- a/extensions/matrix/src/matrix/client.test.ts
+++ b/extensions/matrix/src/matrix/client.test.ts
@@ -42,8 +42,6 @@ vi.mock("./client/storage.js", async () => {
 const {
   backfillMatrixAuthDeviceIdAfterStartup,
   getMatrixScopedEnvVarNames,
-  resolveImplicitMatrixAccountId,
-  resolveMatrixConfig,
   resolveMatrixConfigForAccount,
   resolveMatrixAuth,
   resolveMatrixAuthContext,
@@ -69,11 +67,18 @@ function requireCredentialsReadModule(): typeof import("./credentials-read.js")
   return credentialsReadModule;
 }
 
+function resolveDefaultMatrixAuthContext(
+  cfg: CoreConfig,
+  env: NodeJS.ProcessEnv = {} as NodeJS.ProcessEnv,
+) {
+  return resolveMatrixAuthContext({ cfg, env });
+}
+
 beforeEach(() => {
   installMatrixTestRuntime();
 });
 
-describe("resolveMatrixConfig", () => {
+describe("Matrix auth/config live surfaces", () => {
   it("prefers config over env", () => {
     const cfg = {
       channels: {
@@ -94,7 +99,7 @@ describe("resolveMatrixConfig", () => {
       MATRIX_PASSWORD: "env-pass",
       MATRIX_DEVICE_NAME: "EnvDevice",
     } as NodeJS.ProcessEnv;
-    const resolved = resolveMatrixConfig(cfg, env);
+    const resolved = resolveDefaultMatrixAuthContext(cfg, env).resolved;
     expect(resolved).toEqual({
       homeserver: "https://cfg.example.org",
       userId: "@cfg:example.org",
@@ -117,7 +122,7 @@ describe("resolveMatrixConfig", () => {
       MATRIX_DEVICE_ID: "ENVDEVICE",
       MATRIX_DEVICE_NAME: "EnvDevice",
     } as NodeJS.ProcessEnv;
-    const resolved = resolveMatrixConfig(cfg, env);
+    const resolved = resolveDefaultMatrixAuthContext(cfg, env).resolved;
     expect(resolved.homeserver).toBe("https://env.example.org");
     expect(resolved.userId).toBe("@env:example.org");
     expect(resolved.accessToken).toBe("env-token");
@@ -146,7 +151,7 @@ describe("resolveMatrixConfig", () => {
       MATRIX_ACCESS_TOKEN: "env-token",
     } as NodeJS.ProcessEnv;
 
-    const resolved = resolveMatrixConfig(cfg, env);
+    const resolved = resolveDefaultMatrixAuthContext(cfg, env).resolved;
     expect(resolved.accessToken).toBe("env-token");
   });
 
@@ -169,7 +174,7 @@ describe("resolveMatrixConfig", () => {
       MATRIX_PASSWORD: "env-pass",
     } as NodeJS.ProcessEnv;
 
-    const resolved = resolveMatrixConfig(cfg, env);
+    const resolved = resolveDefaultMatrixAuthContext(cfg, env).resolved;
     expect(resolved.password).toBe("env-pass");
   });
 
@@ -241,7 +246,7 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(() => resolveMatrixConfig(cfg, {} as NodeJS.ProcessEnv)).toThrow(
+    expect(() => resolveDefaultMatrixAuthContext(cfg, {} as NodeJS.ProcessEnv)).toThrow(
       /channels\.matrix\.accessToken: unresolved SecretRef "env:default:MATRIX_ACCESS_TOKEN"/i,
     );
   });
@@ -265,7 +270,7 @@ describe("resolveMatrixConfig", () => {
     } as CoreConfig;
 
     expect(() =>
-      resolveMatrixConfig(cfg, {
+      resolveDefaultMatrixAuthContext(cfg, {
         MATRIX_ACCESS_TOKEN: "env-token",
       } as NodeJS.ProcessEnv),
     ).toThrow(/not allowlisted in secrets\.providers\.matrix-env\.allowlist/i);
@@ -289,7 +294,9 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveMatrixConfig(cfg, {} as NodeJS.ProcessEnv).accessToken).toBeUndefined();
+    expect(
+      resolveDefaultMatrixAuthContext(cfg, {} as NodeJS.ProcessEnv).resolved.accessToken,
+    ).toBeUndefined();
   });
 
   it("uses account-scoped env vars for non-default accounts before global env", () => {
@@ -368,7 +375,6 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveImplicitMatrixAccountId(cfg, {} as NodeJS.ProcessEnv)).toBe("default");
     expect(resolveMatrixAuthContext({ cfg, env: {} as NodeJS.ProcessEnv }).accountId).toBe(
       "default",
     );
@@ -392,7 +398,6 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveImplicitMatrixAccountId(cfg, {} as NodeJS.ProcessEnv)).toBeNull();
     expect(() => resolveMatrixAuthContext({ cfg, env: {} as NodeJS.ProcessEnv })).toThrow(
       /channels\.matrix\.defaultAccount.*--account <id>/i,
     );
@@ -413,7 +418,6 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveImplicitMatrixAccountId(cfg, {} as NodeJS.ProcessEnv)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env: {} as NodeJS.ProcessEnv }).accountId).toBe("ops");
   });
 
@@ -432,7 +436,6 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveImplicitMatrixAccountId(cfg, {} as NodeJS.ProcessEnv)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env: {} as NodeJS.ProcessEnv }).accountId).toBe("ops");
   });
 
@@ -449,7 +452,6 @@ describe("resolveMatrixConfig", () => {
       MATRIX_OPS_ACCESS_TOKEN: "ops-token",
     } as NodeJS.ProcessEnv;
 
-    expect(resolveImplicitMatrixAccountId(cfg, env)).toBeNull();
     expect(() => resolveMatrixAuthContext({ cfg, env })).toThrow(
       /channels\.matrix\.defaultAccount.*--account <id>/i,
     );
@@ -467,7 +469,6 @@ describe("resolveMatrixConfig", () => {
       MATRIX_OPS_ACCESS_TOKEN: "ops-token",
     } as NodeJS.ProcessEnv;
 
-    expect(resolveImplicitMatrixAccountId(cfg, env)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env }).accountId).toBe("ops");
   });
 
@@ -487,7 +488,6 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    expect(resolveImplicitMatrixAccountId(cfg, {} as NodeJS.ProcessEnv)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env: {} as NodeJS.ProcessEnv }).accountId).toBe("ops");
   });
 
@@ -504,7 +504,6 @@ describe("resolveMatrixConfig", () => {
       MATRIX_OPS_ACCESS_TOKEN: "ops-token",
     } as NodeJS.ProcessEnv;
 
-    expect(resolveImplicitMatrixAccountId(cfg, env)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env }).accountId).toBe("ops");
   });
 
@@ -520,7 +519,6 @@ describe("resolveMatrixConfig", () => {
       MATRIX_OPS_USER_ID: "@ops:example.org",
     } as NodeJS.ProcessEnv;
 
-    expect(resolveImplicitMatrixAccountId(cfg, env)).toBe("ops");
     expect(resolveMatrixAuthContext({ cfg, env }).accountId).toBe("ops");
   });
 
@@ -686,7 +684,7 @@ describe("resolveMatrixConfig", () => {
       },
     } as CoreConfig;
 
-    const resolved = resolveMatrixConfig(cfg, {} as NodeJS.ProcessEnv);
+    const resolved = resolveDefaultMatrixAuthContext(cfg, {} as NodeJS.ProcessEnv).resolved;
 
     expect(resolved.dispatcherPolicy).toEqual({
       mode: "explicit-proxy",
diff --git a/extensions/matrix/src/matrix/client/config.ts b/extensions/matrix/src/matrix/client/config.ts
index ed79138375b..7417b1c55cb 100644
--- a/extensions/matrix/src/matrix/client/config.ts
+++ b/extensions/matrix/src/matrix/client/config.ts
@@ -589,54 +589,6 @@ export async function resolveValidatedMatrixHomeserverUrl(
   return normalized;
 }
 
-export function resolveMatrixConfig(
-  cfg: CoreConfig = getMatrixRuntime().config.loadConfig() as CoreConfig,
-  env: NodeJS.ProcessEnv = process.env,
-): MatrixResolvedConfig {
-  const matrix = resolveMatrixBaseConfig(cfg);
-  const suppressInactivePasswordSecretRef = hasConfiguredMatrixAccessTokenSource({
-    cfg,
-    env,
-    accountId: DEFAULT_ACCOUNT_ID,
-  });
-  const fieldReadOptions = {
-    env,
-    config: cfg,
-  };
-  const defaultScopedEnv = resolveScopedMatrixEnvConfig(DEFAULT_ACCOUNT_ID, env);
-  const globalEnv = resolveGlobalMatrixEnvConfig(env);
-  const resolvedStrings = resolveMatrixAccountStringValues({
-    accountId: DEFAULT_ACCOUNT_ID,
-    scopedEnv: defaultScopedEnv,
-    channel: {
-      homeserver: readMatrixBaseConfigField(matrix, "homeserver", fieldReadOptions),
-      userId: readMatrixBaseConfigField(matrix, "userId", fieldReadOptions),
-      accessToken: readMatrixBaseConfigField(matrix, "accessToken", fieldReadOptions),
-      password: readMatrixBaseConfigField(matrix, "password", {
-        ...fieldReadOptions,
-        suppressSecretRef: suppressInactivePasswordSecretRef,
-      }),
-      deviceId: readMatrixBaseConfigField(matrix, "deviceId", fieldReadOptions),
-      deviceName: readMatrixBaseConfigField(matrix, "deviceName", fieldReadOptions),
-    },
-    globalEnv,
-  });
-  const initialSyncLimit = clampMatrixInitialSyncLimit(matrix.initialSyncLimit);
-  const encryption = matrix.encryption ?? false;
-  const allowPrivateNetwork = isPrivateNetworkOptInEnabled(matrix) ? true : undefined;
-  return {
-    homeserver: resolvedStrings.homeserver,
-    userId: resolvedStrings.userId,
-    accessToken: resolvedStrings.accessToken || undefined,
-    password: resolvedStrings.password || undefined,
-    deviceId: resolvedStrings.deviceId || undefined,
-    deviceName: resolvedStrings.deviceName || undefined,
-    initialSyncLimit,
-    encryption,
-    ...buildMatrixNetworkFields({ allowPrivateNetwork, proxy: matrix.proxy }),
-  };
-}
-
 export function resolveMatrixConfigForAccount(
   cfg: CoreConfig,
   accountId: string,
@@ -712,7 +664,7 @@ export function resolveMatrixConfigForAccount(
   };
 }
 
-export function resolveImplicitMatrixAccountId(
+function resolveImplicitMatrixAccountId(
   cfg: CoreConfig,
   env: NodeJS.ProcessEnv = process.env,
 ): string | null {