Enhance bot functionality and configuration for E2EE support

- Added MATRIX_USER_ID and MATRIX_PASSWORD to .env.example for E2EE hygiene.
- Updated ASR_MODEL_NAME in .env.example to version 0.6b-v3.
- Modified Dockerfile to install libolm dependencies and improve pip caching.
- Updated docker-compose.yml to mount store directory for persistent data.
- Adjusted requirements.txt to include matrix-nio with E2E support.
- Enhanced audio_converter.py to handle encrypted attachments and improve audio downloading.
- Updated bot_service.py to process encrypted audio events and manage device pruning.
- Added matrix_password to config.py for E2EE support.
- Implemented device management in main.py for better E2EE hygiene.
- Enhanced matrix_handlers.py to trust devices and claim missing Olm sessions.
- Applied schema patches in nio_patch.py for compatibility with key upload responses.
- Added local settings for permissions in settings.local.json.
- Expanded .gitignore to include additional files and directories.
- Created new files for blacklisted, ignored, and trusted devices in the store.

Author: Repulsiveprogress

.env.example

@@ -1,8 +1,11 @@
 MATRIX_HS_URL=https://matrix.example.org
 MATRIX_USER_ID=@transcriptbot:example.org
 MATRIX_ACCESS_TOKEN=syt_...
+# Optional — required only to auto-prune stale bot devices for E2EE hygiene
+MATRIX_PASSWORD=
 
 # Optional
 LOCALE=en
-ASR_MODEL_NAME=nvidia/parakeet-tdt-0.6b-v2
+ASR_MODEL_NAME=nvidia/parakeet-tdt-0.6b-v3
 MAX_AUDIO_BYTES=26214400
+STORE_PATH=/data/store

.gitignore

@@ -0,0 +1,14 @@
+.env
+.env.local
+data/
+*.db
+__pycache__/
+*.py[cod]
+*$py.class
+.Python
+.venv/
+venv/
+.idea/
+.vscode/
+*.log
+.DS_Store

Dockerfile

@@ -3,23 +3,34 @@ FROM python:3.11-slim
 # ffmpeg is required by pydub for audio decoding/conversion
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ffmpeg \
+        libolm-dev \
+        libolm3 \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
 # Install CPU-only PyTorch first as a separate layer — saves ~2 GB vs CUDA wheels
-RUN pip install --no-cache-dir \
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install --timeout 300 --retries 5 \
     torch \
     torchaudio \
     --extra-index-url https://download.pytorch.org/whl/cpu
 
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN --mount=type=cache,target=/root/.cache/pip \
+    pip install -r requirements.txt
 
 COPY src ./src
 
 # Mount a volume here to cache the 2.4 GB Parakeet checkpoint across container restarts
 ENV NEMO_CACHE_DIR=/models
 ENV PYTHONUNBUFFERED=1
 
+# Disable NVIDIA/NeMo telemetry
+ENV NEMO_ONE_LOGGER_ENABLED=false
+ENV ONE_LOGGER_ENABLED=false
+ENV NVIDIA_TF32_OVERRIDE=0
+ENV HF_HUB_DISABLE_TELEMETRY=1
+ENV DO_NOT_TRACK=1
+
 CMD ["python", "-m", "src.main"]

docker-compose.yml

@@ -5,3 +5,4 @@ services:
     env_file: .env
     volumes:
       - ./models:/models
+      - ./store:/data/store

requirements.txt

@@ -1,4 +1,4 @@
-matrix-nio>=0.24.0,<0.26
+matrix-nio[e2e]>=0.24.0,<0.26
 pydantic-settings>=2.2.0
 aiohttp>=3.9.0
 nemo_toolkit[asr]>=2.0.0

src/audio_converter.py

@@ -1,12 +1,17 @@
 from __future__ import annotations
 
+import contextlib
 import io
 import logging
+import os
 import tempfile
 from urllib.parse import quote
 
 import aiohttp
 from nio import AsyncClient
+from nio.crypto.attachments import decrypt_attachment
+
+_ = io  # kept for backwards compat; pydub no longer used
 
 logger = logging.getLogger(__name__)
 
@@ -33,6 +38,13 @@ def _pydub_format(mime: str) -> str:
     return _MIME_TO_PYDUB.get(mime.lower().split(";")[0].strip(), "ogg")
 
 
+def _input_suffix(mime: str) -> str:
+    fmt = _pydub_format(mime)
+    return {"mp4": ".m4a", "webm": ".webm", "ogg": ".ogg",
+            "mp3": ".mp3", "flac": ".flac", "wav": ".wav",
+            "aac": ".aac"}.get(fmt, ".bin")
+
+
 def _parse_mxc(mxc_url: str) -> tuple[str, str] | None:
     if not mxc_url.startswith("mxc://"):
         return None
@@ -49,8 +61,15 @@ def __init__(self, matrix: AsyncClient, max_bytes: int) -> None:
         self._matrix = matrix
         self._max_bytes = max_bytes
 
-    async def download_mxc(self, mxc_url: str) -> bytes | None:
-        """Download mxc:// URL via authenticated v1 endpoint with legacy fallback."""
+    async def download_mxc(
+        self,
+        mxc_url: str,
+        encrypted_file: dict | None = None,
+    ) -> bytes | None:
+        """Download mxc:// URL and optionally decrypt an E2EE attachment.
+
+        Pass the content["file"] dict from the Matrix event for encrypted rooms.
+        """
         parsed = _parse_mxc(mxc_url)
         if parsed is None:
             logger.warning("Invalid mxc URL: %s", mxc_url)
@@ -71,17 +90,54 @@ async def download_mxc(self, mxc_url: str) -> bytes | None:
         async with aiohttp.ClientSession() as session:
             for url in urls:
                 try:
-                    async with session.get(url, headers=headers) as resp:
+                    async with session.get(url, headers=headers, allow_redirects=True) as resp:
                         if resp.status != 200:
+                            logger.info("Download endpoint %s returned %d", url, resp.status)
                             continue
                         content_length = resp.content_length
                         if content_length and content_length > self._max_bytes:
                             logger.warning("Audio too large: %d bytes", content_length)
                             return None
-                        data = await resp.content.read(self._max_bytes + 1)
+                        # Read full body, comparing against declared Content-Length to
+                        # catch truncated responses from Synapse's media replication.
+                        data = await resp.read()
                         if len(data) > self._max_bytes:
                             logger.warning("Audio exceeds max bytes after download")
                             return None
+                        if not data:
+                            logger.warning("Empty body from %s", url)
+                            continue
+                        if content_length and len(data) < content_length:
+                            logger.warning(
+                                "Truncated response from %s: got %d / %d bytes",
+                                url, len(data), content_length,
+                            )
+                            continue
+                        content_type = resp.headers.get("Content-Type", "?")
+                        logger.info(
+                            "Downloaded %d bytes from %s (Content-Type=%s, declared=%s)",
+                            len(data), url, content_type, content_length,
+                        )
+                        # Suspiciously small response that isn't audio — likely a JSON error
+                        if len(data) < 1024 and not content_type.startswith("audio/"):
+                            preview = data[:512].decode("utf-8", errors="replace")
+                            logger.warning("Non-audio short response body: %s", preview)
+                            continue
+                        # Validate OGG signature when MIME claims ogg — Synapse sometimes
+                        # serves stub responses on cache miss
+                        if content_type.startswith("audio/ogg") and not data.startswith(b"OggS"):
+                            preview = data[:64].hex()
+                            logger.warning(
+                                "Response claims ogg but missing OggS magic from %s: %s",
+                                url, preview,
+                            )
+                            continue
+                        if encrypted_file:
+                            try:
+                                data = decrypt_attachment(data, encrypted_file)
+                            except Exception:
+                                logger.exception("Failed to decrypt attachment mxc=%s", mxc_url)
+                                return None
                         return data
                 except aiohttp.ClientError:
                     logger.exception("Download failed for %s", url)
@@ -97,15 +153,37 @@ def convert_to_wav(self, audio_bytes: bytes, mime: str) -> str | None:
         Caller must delete the file (e.g. via os.unlink in a finally block).
         Blocking — must be called via run_in_executor.
         """
-        from pydub import AudioSegment
+        import subprocess
+
+        # Write to disk first — ffmpeg's pipe input is unreliable with some
+        # ogg/opus payloads on ffmpeg 7.x, while file input is rock-solid.
+        with tempfile.NamedTemporaryFile(suffix=_input_suffix(mime), delete=False) as src:
+            src.write(audio_bytes)
+            src_path = src.name
+
+        dst_path = tempfile.NamedTemporaryFile(suffix=".wav", delete=False).name
 
-        fmt = _pydub_format(mime)
         try:
-            seg = AudioSegment.from_file(io.BytesIO(audio_bytes), format=fmt)
-            seg = seg.set_frame_rate(16000).set_channels(1).set_sample_width(2)
-            with tempfile.NamedTemporaryFile(suffix=".wav", delete=False) as tmp:
-                seg.export(tmp.name, format="wav")
-                return tmp.name
-        except Exception:
-            logger.exception("Audio conversion failed (mime=%s)", mime)
-            return None
+            result = subprocess.run(
+                [
+                    "ffmpeg", "-y", "-hide_banner", "-loglevel", "error",
+                    "-i", src_path,
+                    "-ac", "1", "-ar", "16000", "-sample_fmt", "s16",
+                    dst_path,
+                ],
+                capture_output=True,
+                check=False,
+            )
+            if result.returncode != 0:
+                logger.error(
+                    "ffmpeg failed (mime=%s, rc=%d): %s",
+                    mime, result.returncode,
+                    result.stderr.decode("utf-8", errors="replace").strip(),
+                )
+                with contextlib.suppress(OSError):
+                    os.unlink(dst_path)
+                return None
+            return dst_path
+        finally:
+            with contextlib.suppress(OSError):
+                os.unlink(src_path)

src/bot_service.py

@@ -54,28 +54,37 @@ async def handle_audio_event(
         if event.sender == self.matrix.user_id:
             return
 
-        mxc_url = getattr(event, "url", None)
+        content: dict = event.source.get("content", {})
+        info: dict = content.get("info") or {}
+        mime: str = info.get("mimetype", "audio/ogg")
+        file_size: int = info.get("size", 0)
+
+        # Encrypted rooms use content["file"] with embedded key material;
+        # unencrypted rooms use content["url"].
+        encrypted_file: dict | None = content.get("file")
+        if encrypted_file:
+            mxc_url = encrypted_file.get("url")
+        else:
+            mxc_url = getattr(event, "url", None) or content.get("url")
+
         if not mxc_url or not str(mxc_url).startswith("mxc://"):
             logger.warning("Audio event has no mxc url room=%s", room.room_id)  # type: ignore[attr-defined]
             return
 
-        info: dict = event.source.get("content", {}).get("info") or {}
-        mime: str = info.get("mimetype", "audio/ogg")
-        file_size: int = info.get("size", 0)
-
         if file_size and file_size > self.settings.max_audio_bytes:
             max_mb = self.settings.max_audio_bytes // (1024 * 1024)
             await self._send_plain(room.room_id, self.strings.audio_too_large.format(max_mb=max_mb))  # type: ignore[attr-defined]
             return
 
         logger.info(
-            "Processing audio event room=%s sender=%s mime=%s",
+            "Processing audio event room=%s sender=%s mime=%s encrypted=%s",
             room.room_id,  # type: ignore[attr-defined]
             event.sender,
             mime,
+            encrypted_file is not None,
         )
 
-        audio_bytes = await self._converter.download_mxc(str(mxc_url))
+        audio_bytes = await self._converter.download_mxc(str(mxc_url), encrypted_file)
         if audio_bytes is None:
             await self._send_plain(room.room_id, self.strings.no_audio_url)  # type: ignore[attr-defined]
             return
@@ -119,4 +128,5 @@ async def _send_plain(self, room_id: str, text: str) -> None:
             room_id,
             "m.room.message",
             {"msgtype": "m.text", "body": text},
+            ignore_unverified_devices=True,
         )

src/config.py

@@ -11,12 +11,15 @@ class Settings(BaseSettings):
     matrix_hs_url: str
     matrix_user_id: str
     matrix_access_token: str
+    matrix_password: str | None = None
 
     locale: str = "en"
 
     asr_model_name: str = "nvidia/parakeet-tdt-0.6b-v2"
 
     max_audio_bytes: int = 25 * 1024 * 1024
 
+    store_path: str = "/data/store"
+
     def matrix_homeserver_base(self) -> str:
         return self.matrix_hs_url.rstrip("/")