diff --git a/package.json b/package.json
index a3b078f3106..3c348648379 100644
--- a/package.json
+++ b/package.json
@@ -1215,6 +1215,7 @@
     "linkedom": "^0.18.12",
     "long": "^5.3.2",
     "markdown-it": "^14.1.1",
+    "matrix-js-sdk": "41.2.0",
     "node-edge-tts": "^1.2.10",
     "osc-progress": "^0.3.0",
     "pdfjs-dist": "^5.5.207",
@@ -1263,6 +1264,7 @@
     }
   },
   "optionalDependencies": {
+    "@matrix-org/matrix-sdk-crypto-nodejs": "^0.4.0",
     "openshell": "0.1.0"
   },
   "engines": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d10a66b636e..5e384cc1a4b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -126,6 +126,9 @@ importers:
       markdown-it:
         specifier: ^14.1.1
         version: 14.1.1
+      matrix-js-sdk:
+        specifier: 41.2.0
+        version: 41.2.0
       node-edge-tts:
         specifier: ^1.2.10
         version: 1.2.10
@@ -236,6 +239,9 @@ importers:
         specifier: ^4.1.2
         version: 4.1.2(@opentelemetry/api@1.9.1)(@types/node@25.5.0)(@vitest/browser-playwright@4.1.2)(jsdom@29.0.1(@noble/hashes@2.0.1))(vite@8.0.3(@types/node@25.5.0)(esbuild@0.27.3)(jiti@2.6.1)(tsx@4.21.0)(yaml@2.8.3))
     optionalDependencies:
+      '@matrix-org/matrix-sdk-crypto-nodejs':
+        specifier: ^0.4.0
+        version: 0.4.0
       openshell:
         specifier: 0.1.0
         version: 0.1.0
diff --git a/src/plugin-sdk/package-contract-guardrails.test.ts b/src/plugin-sdk/package-contract-guardrails.test.ts
index f319b6997aa..e390e1bbf62 100644
--- a/src/plugin-sdk/package-contract-guardrails.test.ts
+++ b/src/plugin-sdk/package-contract-guardrails.test.ts
@@ -46,6 +46,16 @@ function collectPluginSdkSubpathReferences() {
   return references;
 }
 
+function readRootPackageJson(): {
+  dependencies?: Record<string, string>;
+  optionalDependencies?: Record<string, string>;
+} {
+  return JSON.parse(readFileSync(resolve(REPO_ROOT, "package.json"), "utf8")) as {
+    dependencies?: Record<string, string>;
+    optionalDependencies?: Record<string, string>;
+  };
+}
+
 describe("plugin-sdk package contract guardrails", () => {
   it("keeps package.json exports aligned with built plugin-sdk entrypoints", () => {
     expect(collectPluginSdkPackageExports()).toEqual([...pluginSdkEntrypoints].toSorted());
@@ -74,4 +84,11 @@ describe("plugin-sdk package contract guardrails", () => {
 
     expect(failures).toEqual([]);
   });
+
+  it("mirrors matrix runtime deps needed by the bundled host graph", () => {
+    const { dependencies = {}, optionalDependencies = {} } = readRootPackageJson();
+
+    expect(dependencies["matrix-js-sdk"]).toBe("41.2.0");
+    expect(optionalDependencies["@matrix-org/matrix-sdk-crypto-nodejs"]).toBe("^0.4.0");
+  });
 });