matt/echo6-docs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Migration: consolidate Echo6 docs to cortex with full infrastructure cleanup sync

Browse source 
- Documents recent infrastructure cleanup (8 CTs destroyed, 35 DNS records removed, Headscale cleanup)
- Adds 24 new runbooks covering Authentik, PeerTube, Meshtastic, RECON, Proxmox, Mailcow, Internet Archive, GPU routing
- Adds project documentation for headscale, vaultwarden, peertube, matrix, mmud, advbbs, arr stack
- Updates services.md, environment.md, caddy.md, authentik.md to match live infrastructure
- Removes 4 deprecated runbook duplicates (canonical versions live in projects/)
- Adds .gitignore for binary archives and editor temp files

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matt Johnson 2026-04-13 06:02:16 +00:00
commit e9231ac24a
93 changed files with 51223 additions and 254 deletions
Download patch file Download diff file Expand all files Collapse all files

103
hookshot_e2ee_discovery.ref Normal file
View file

@ -0,0 +1,103 @@
# Hookshot E2EE Discovery
# Generated: 2026-04-09 (Phase 6.0, Question 3)
## !! BLOCKER: Hookshot E2EE + MAS is BROKEN !!
### The Problem
Hookshot v7.3.2 CANNOT establish E2EE crypto sessions when Synapse uses MAS
(Matrix Authentication Service). This is confirmed in two open GitHub issues:
- Issue #1084: "MAS + hookshot can't login for encryption"
https://github.com/matrix-org/matrix-hookshot/issues/1084
- Issue #980: "Encryption + MAS unable to start"
https://github.com/matrix-org/matrix-hookshot/issues/980
Both issues remain OPEN as of March 2026.
### Root Cause
When encryption is enabled, hookshot needs to establish a device and crypto
session. It does this via a login call that MAS intercepts and rejects with
`M_UNRECOGNIZED: Invalid login type`. The mautrix bridges solved this via
MSC4190 (`encryption.msc4190: true`), but hookshot's bot-sdk does NOT implement
MSC4190 for device management — only for user registration (fixed in v7.2.0).
### Compatibility Matrix
| Scenario | Status | Source |
|----------|--------|--------|
| Hookshot + MAS, no encryption | WORKS (since v7.2.0) | PR #1092 |
| Hookshot + MAS, with encryption | BROKEN | Issue #1084, #980 |
| Hookshot + no MAS, with encryption | WORKS | Docs confirm |
| Hookshot + no MAS, no encryption | WORKS | Trivial case |
### Echo6 Impact
Echo6 Synapse uses MAS (matrix_authentication_service.enabled: true).
All mautrix-signal portal rooms use E2BE encryption (encryption.require: true).
This means:
1. Hookshot CANNOT decrypt events in bridged Signal rooms
2. Outbound webhooks from encrypted rooms would contain CIPHERTEXT, not plaintext
3. The entire archive would be "Unable to decrypt" — USELESS
### Encryption Library (for reference)
Hookshot uses:
- @vector-im/matrix-bot-sdk → @matrix-org/matrix-sdk-crypto-nodejs → vodozemac (Rust)
- NOT libolm (deprecated)
- Crypto store: SQLite format
- Redis: REQUIRED when encryption is enabled
### Config Keys (for reference, cannot be used with MAS)
```yaml
# hookshot config.yml
encryption:
storagePath: ./cryptostore # persistent volume required
# Redis required for encryption
cache:
redisUri: redis://localhost:6379
# registration.yml additions for encryption
de.sorunome.msc2409.push_ephemeral: true
push_ephemeral: true
org.matrix.msc3202: true
```
### Device Verification
IF encryption worked (which it doesn't with MAS), hookshot would:
- Auto-generate a device on first crypto login
- Need manual verification from a trusted device
- Support key sharing via MSC3202 transaction extensions
### Workaround Options
1. **Wait for upstream fix** — Issue #1084 is open but no timeline
2. **Disable MAS** — Not viable, MAS handles all user auth for echo6.co
3. **Disable E2BE on bridge** — Would expose Signal messages in plaintext on Synapse
wire, defeating the purpose of E2BE. Not recommended.
4. **Use a different tool** — A custom matrix-nio bot (Python) with native MSC4190
support could work. matrix-nio has vodozemac bindings and can be configured for
MAS-compatible device login. This is the Phase 6 original plan's approach.
5. **Skip hookshot entirely** — Use Synapse-level retention (redaction_retention_period: null
+ MSC2815) for the DB-level archive, and build a lightweight custom worker for
real-time export. No hookshot needed.
## Recommendation
Hookshot is NOT viable for archiving E2BE-encrypted Signal bridge rooms on a
MAS-enabled Synapse. The E2EE + MAS incompatibility is a hard blocker with no
workaround short of disabling MAS or E2BE.
The original Phase 6 plan's custom bot approach (matrix-nio + asyncpg) avoids
this entirely because matrix-nio supports MSC4190 natively and can be configured
for MAS-compatible appservice login.
Alternatively, the Synapse-level approach (retention null + MSC2815) requires
NO additional bot for the archival function — the data stays in Synapse's DB
and is queryable via admin API. A simple export script can pull events from the
Synapse DB directly.