Add crypto store details, room IDs, and decryption instructions

Matrix.md

@@ -65,6 +65,43 @@ Outgoing verification events must NOT contain `transaction_id` (that field is fo
 
 To-device verification is also handled as a fallback.
 
+### Crypto Store
+
+E2EE state (olm sessions, megolm group sessions, device keys) is persisted in SQLite databases:
+
+```
+~/matrixbot/data/
+├── adolf/@bot:mtx.alogins.net_ADOLFDEVICE.db
+├── adolf/cross_signing.json
+├── zabbix/@zabbix:mtx.alogins.net_ZABBIXDEVICE.db
+└── zabbix/cross_signing.json
+```
+
+| Store | Pickle passphrase |
+|-------|-------------------|
+| SQLite databases (olm/megolm sessions) | `DEFAULT_KEY` (matrix-nio default) |
+| `cross_signing.json` files | `matrixbot-cs-keys` (`CS_PICKLE_PASS` in bot.py) |
+
+To decrypt E2EE messages, run inside the matrixbot container (host `python-olm` links against a different libolm, causing `BAD_ACCOUNT_KEY`):
+
+```python
+# docker exec matrixbot python3 -c "..."
+import olm, sqlite3
+conn = sqlite3.connect('/data/zabbix/@zabbix:mtx.alogins.net_ZABBIXDEVICE.db')
+cur = conn.cursor()
+cur.execute('SELECT session_id, session FROM megolminboundsessions WHERE room_id = ?', (ROOM,))
+for sid, blob in cur.fetchall():
+    session = olm.InboundGroupSession.from_pickle(blob, 'DEFAULT_KEY')
+    plaintext, idx = session.decrypt(ciphertext)
+```
+
+### Rooms
+
+| Room ID | Name |
+|---------|------|
+| `!kNQXdXrjSAjoAMdosG:mtx.alogins.net` | Agap Notifications (Zabbix) |
+| `!vYXGUTRHUIIrrZXTFE:mtx.alogins.net` | Adolf chat |
+
 ### Gotchas
 
 - **Device key upload before cross-signing**: `keys_upload()` must run before `bootstrap_cross_signing()`, otherwise the server can't find the device for self-signing.