- Add api.session.close() on E2EE dep check and E2EE setup failure paths (two missing cleanup points from the mautrix migration) - Replace raw pickle.load/dump with HMAC-SHA256 signed payloads to prevent arbitrary code execution from a tampered store file