@poolzin/pool-bot 2026.1.33 → 2026.1.35

package/CHANGELOG.md

@@ -1,3 +1,87 @@
+# Changelog
+
+All notable changes to Pool Bot will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2026.1.35] - 2026-02-06
+
+### 📦 Stability Snapshot
+
+**Release Type:** Pre-enhancement checkpoint
+
+#### Summary
+This release is a stable checkpoint before implementing local memory search enhancements.
+
+#### Changes
+- **Version bump:** 2026.1.30 → 2026.1.35
+- **Repository sync:** All repositories clean and synchronized
+- **Backup verification:** Complete backup of configurations and state
+
+#### Technical Details
+- Package: @poolzin/pool-bot
+- Node.js: v22.22.0 compatible
+- Backup: /root/poolbot-backup-20260206-130344.tar.gz (35MB)
+
+#### Next Steps (Post-Release)
+- Implement Ollama integration for local memory_search
+- Complete QMD embeddings (220 pending → 0)
+- Remove auto-study skill (user-managed cron)
+- Enhance memory architecture with local embeddings
+
+#### Maintenance
+- All repositories verified clean
+- Git states documented
+- Gateway status captured
+
+---
+
+## v2026.1.30 (2026-02-05)
+
+### 🔒 Security Release - CRITICAL VULNERABILITY FIXES
+
+#### Critical Vulnerabilities Fixed 🔴
+- **Gateway URL Override (CVE-level):** Prevent credential leakage via malicious gateway redirects
+  - Added `validateGatewayUrlSecurity()` requiring explicit token confirmation for custom URLs
+  - Custom URLs now require 32+ character tokens
+  - Validation applied in `src/gateway/client.ts` before connection
+
+- **Discord Prompt Injection (HIGH):** Block arbitrary command injection via channel.topic
+  - Removed `channel.topic` from system prompts in `src/discord/monitor/message-handler.process.ts`
+  - Only admin-controlled metadata is now included
+  - Prevents users with edit permissions from manipulating agent behavior
+
+- **Slack Prompt Injection (HIGH):** Block arbitrary command injection via topic/purpose
+  - Removed `channel.topic` and `channel.purpose` from system prompts
+  - Fixed in `src/slack/monitor/message-handler/prepare.ts` and `src/slack/monitor/slash.ts`
+  - Same attack vector as Discord, now mitigated
+
+#### Security Features Added ✅
+- **Tool Gating System:** Owner-only access to sensitive tools
+  - `validateToolAccess()` function in `src/agents/tool-security.ts`
+  - Protected tools: `whatsapp_login`, `gateway`, `cron`, `sessions_spawn`
+  - Configurable via `security.owners` in poolbot.json
+
+- **Security Utilities:** Prevention and validation functions
+  - Path sanitization utilities in `src/media/path-sanitization.ts`
+  - URL validation in `src/gateway/url-validation.ts`
+  - Security config schema in `src/config/types.security.ts`
+
+#### Documentation
+- **New:** `SECURITY.md` - Complete security policy and vulnerability disclosure
+- Breaking changes documented
+- Security best practices for users and developers
+- Reporting guidelines for security issues
+
+#### Credits
+- Security improvements inspired by [OpenClaw](https://github.com/openclaw/openclaw) security hardening
+- Internal security audit based on OpenClaw v2026.2.4 analysis
+
+**UPGRADE RECOMMENDED:** All users should upgrade to v2026.1.30 due to critical security fixes.
+
+---
+
 ## v1.0.1 (2026-02-02)
 
 ### WhatsApp Gateway Stability

package/dist/agents/pi-embedded-helpers/errors.js

@@ -342,9 +342,7 @@ const ERROR_PATTERNS = {
         "string should match pattern",
         "tool_use.id",
         "tool_use_id",
-        "tool_use.name",
         "messages.1.content.1.tool_use.id",
-        "messages.1.content.1.tool_use.name",
         "invalid request format",
     ],
 };

package/dist/agents/session-tool-result-guard.js

@@ -1,4 +1,4 @@
-import { makeMissingToolResult, sanitizeToolName } from "./session-transcript-repair.js";
+import { makeMissingToolResult } from "./session-transcript-repair.js";
 import { emitSessionTranscriptUpdate } from "../sessions/transcript-events.js";
 function extractAssistantToolCalls(msg) {
     const content = msg.content;
@@ -14,7 +14,7 @@ function extractAssistantToolCalls(msg) {
         if (rec.type === "toolCall" || rec.type === "toolUse" || rec.type === "functionCall") {
             toolCalls.push({
                 id: rec.id,
-                name: sanitizeToolName(typeof rec.name === "string" ? rec.name : undefined),
+                name: typeof rec.name === "string" ? rec.name : undefined,
             });
         }
     }

package/dist/agents/session-transcript-repair.js

@@ -1,22 +1,3 @@
-import { logWarn } from "../logger.js";
-/**
- * Maximum allowed tool name length per Anthropic API spec.
- * Names exceeding this will cause "tool_use.name > 200 chars" validation errors.
- */
-export const MAX_TOOL_NAME_LENGTH = 64;
-/**
- * Truncate tool names that exceed the API limit.
- * This prevents "tool_use.name > 200 chars" validation errors when
- * the model hallucinates overly long tool names.
- */
-export function sanitizeToolName(name) {
-    if (!name)
-        return name;
-    if (name.length <= MAX_TOOL_NAME_LENGTH)
-        return name;
-    logWarn(`[transcript-repair] truncating tool name from ${name.length} to ${MAX_TOOL_NAME_LENGTH} chars: ${name.slice(0, 50)}...`);
-    return name.slice(0, MAX_TOOL_NAME_LENGTH);
-}
 function extractToolCallsFromAssistant(msg) {
     const content = msg.content;
     if (!Array.isArray(content))
@@ -31,7 +12,7 @@ function extractToolCallsFromAssistant(msg) {
         if (rec.type === "toolCall" || rec.type === "toolUse" || rec.type === "functionCall") {
             toolCalls.push({
                 id: rec.id,
-                name: sanitizeToolName(typeof rec.name === "string" ? rec.name : undefined),
+                name: typeof rec.name === "string" ? rec.name : undefined,
             });
         }
     }

package/dist/agents/tool-security-helpers.js

@@ -0,0 +1,66 @@
+/**
+ * Tool Security Integration Helper
+ *
+ * Provides helper functions for tool security validation in plugins
+ * until full sender context integration is complete.
+ *
+ * @version 2026.1.30
+ */
+import { validateToolAccess, canUseTool } from "./tool-security.js";
+/**
+ * Create access denied response for tool execution
+ *
+ * @param toolName - Name of the tool that was denied
+ * @param reason - Optional reason for denial
+ */
+export function createAccessDeniedResponse(toolName, reason) {
+    const message = reason ||
+        `⛔ Access Denied\n\n` +
+            `Tool "${toolName}" is restricted to owners only.\n` +
+            `This tool requires owner permissions for security reasons.\n\n` +
+            `Contact the bot owner for access.`;
+    return {
+        content: [{ type: "text", text: message }],
+        details: { error: "access_denied", tool: toolName },
+    };
+}
+/**
+ * Check if a tool can be used with optional sender validation
+ *
+ * @param toolName - Tool name to validate
+ * @param config - Pool Bot config (for owners list)
+ * @param sender - Optional sender identifier
+ * @returns true if tool can be used, false otherwise
+ *
+ * NOTE: If sender is undefined, sensitive tools will be denied.
+ * This is a safe default until sender context integration is complete.
+ */
+export function canUseToolSafe(toolName, config, sender) {
+    const owners = config?.security?.owners || [];
+    return canUseTool(toolName, sender, owners);
+}
+/**
+ * Validate tool access and return error response if denied
+ *
+ * @param toolName - Tool name to validate
+ * @param config - Pool Bot config (for owners list)
+ * @param sender - Optional sender identifier
+ * @returns null if access is allowed, error response if denied
+ *
+ * Usage:
+ * ```typescript
+ * const denied = validateToolAccessResponse("whatsapp_login", config, sender);
+ * if (denied) return denied;
+ * // ... proceed with tool execution
+ * ```
+ */
+export function validateToolAccessResponse(toolName, config, sender) {
+    const owners = config?.security?.owners || [];
+    try {
+        validateToolAccess(toolName, sender, owners);
+        return null; // Access allowed
+    }
+    catch (err) {
+        return createAccessDeniedResponse(toolName, err.message);
+    }
+}

package/dist/agents/tool-security.js

@@ -0,0 +1,96 @@
+/**
+ * Tool Security - Tool Gating and Access Control
+ *
+ * Based on OpenClaw 2026.2.4 security fixes:
+ * - Gate sensitive tools to owner senders only
+ * - Prevent tool hijacking by non-owners
+ *
+ * @version 2026.1.30
+ */
+/**
+ * List of sensitive tools that require owner permissions
+ */
+export const SENSITIVE_TOOLS = [
+    // WhatsApp
+    "whatsapp_login",
+    // Gateway management
+    "gateway",
+    "gateway:restart",
+    "gateway:update",
+    // Config management
+    "gateway:config:apply",
+    "gateway:config:patch",
+    // Cron management
+    "cron:add",
+    "cron:remove",
+    "cron:update",
+    // Session management
+    "sessions_spawn", // Pode criar sub-agentes
+];
+/**
+ * Check if a tool is sensitive (requires owner permission)
+ */
+export function isSensitiveTool(toolName) {
+    const normalized = toolName.trim().toLowerCase();
+    return SENSITIVE_TOOLS.some((tool) => {
+        const normalizedTool = tool.toLowerCase();
+        // Exact match ou prefix match (ex: "gateway" match "gateway:restart")
+        return normalized === normalizedTool || normalized.startsWith(`${normalizedTool}:`);
+    });
+}
+/**
+ * Check if a sender is an owner
+ *
+ * Owners are configured in poolbot.json:
+ * {
+ *   "security": {
+ *     "owners": ["+554498569337", "5140768830"]
+ *   }
+ * }
+ */
+export function isOwner(sender, owners = []) {
+    if (!sender)
+        return false;
+    const normalizedSender = sender.trim();
+    if (!normalizedSender)
+        return false;
+    // Check if sender is in owners list
+    return owners.some((owner) => {
+        const normalizedOwner = owner.trim();
+        return normalizedOwner === normalizedSender;
+    });
+}
+/**
+ * Check if a user can use a tool
+ *
+ * @param toolName - Tool name (ex: "whatsapp_login")
+ * @param sender - Sender identifier (phone number, user ID, etc.)
+ * @param owners - List of owner identifiers
+ * @returns true if user can use the tool, false otherwise
+ */
+export function canUseTool(toolName, sender, owners = []) {
+    // Non-sensitive tools são permitidas para todos
+    if (!isSensitiveTool(toolName)) {
+        return true;
+    }
+    // Sensitive tools requerem owner permission
+    return isOwner(sender, owners);
+}
+/**
+ * Error message for denied tool access
+ */
+export function toolAccessDeniedMessage(toolName) {
+    return (`Tool "${toolName}" is restricted to owners only. ` +
+        `This tool requires owner permissions for security reasons. ` +
+        `Contact the bot owner for access.`);
+}
+/**
+ * Validate tool access and throw if denied
+ *
+ * @throws Error if access is denied
+ */
+export function validateToolAccess(toolName, sender, owners = []) {
+    if (!canUseTool(toolName, sender, owners)) {
+        throw new Error(toolAccessDeniedMessage(toolName));
+    }
+}

package/dist/agents/workspace.js

@@ -208,7 +208,11 @@ export async function loadWorkspaceBootstrapFiles(dir) {
             filePath: path.join(resolvedDir, DEFAULT_BOOTSTRAP_FILENAME),
         },
     ];
-    entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
+    // MEMORY.md is deliberately NOT loaded as a bootstrap file.
+    // Per AGENTS.md guidance: "use memory_search() on demand when user asks about past"
+    // This prevents ~9.8K tokens (~52.7% of bootstrap) from being injected into every conversation.
+    // MEMORY.md remains accessible via the memory_search tool when needed.
+    // entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
     const result = [];
     for (const entry of entries) {
         try {

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "2026.1.33",
-  "commit": "e1bdb6f2a583877b7491c951af6ff5d69636befe",
-  "builtAt": "2026-02-04T17:02:44.196Z"
+  "version": "2026.1.35",
+  "commit": "582e7d0d30d89c8f4b16bcfdc684fd60300fb9a9",
+  "builtAt": "2026-02-06T13:08:41.796Z"
 }

package/dist/channels/plugins/agent-tools/whatsapp-login.js

@@ -1,5 +1,14 @@
 import { Type } from "@sinclair/typebox";
-export function createWhatsAppLoginTool() {
+import { validateToolAccessResponse } from "../../../agents/tool-security-helpers.js";
+/**
+ * Create WhatsApp Login tool
+ *
+ * SECURITY: This tool is restricted to owners only.
+ * Unauthorized access could allow hijacking the WhatsApp instance.
+ *
+ * @param config - Optional Pool Bot config for security validation
+ */
+export function createWhatsAppLoginTool(config) {
     return {
         label: "WhatsApp Login",
         name: "whatsapp_login",
@@ -15,6 +24,13 @@ export function createWhatsAppLoginTool() {
             force: Type.Optional(Type.Boolean()),
         }),
         execute: async (_toolCallId, args) => {
+            // SECURITY: Validate owner access
+            // NOTE: sender context integration is pending. For now, sensitive tools
+            // are denied unless explicitly configured with owners list.
+            // TODO: Integrate sender context from session/channel
+            const denied = validateToolAccessResponse("whatsapp_login", config, undefined);
+            if (denied)
+                return denied;
             const { startWebLoginWithQr, waitForWebLogin } = await import("../../../web/login-qr.js");
             const action = args?.action ?? "start";
             if (action === "wait") {

package/dist/commands/doctor-state-integrity.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { resolveOAuthDir, resolveStateDir } from "../config/paths.js";
-import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
+import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptPath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
 import { note } from "../terminal/note.js";
 import { shortenHomePath } from "../utils.js";
 function existsDir(dir) {
@@ -291,7 +291,19 @@ export async function noteStateIntegrity(cfg, prompter, configPath) {
             const transcriptPath = resolveSessionFilePath(sessionId, entry, {
                 agentId,
             });
-            return !existsFile(transcriptPath);
+            // Fix: Verificar se o arquivo existe antes de declarar "missing"
+            // Se o arquivo não existe no path esperado, verificar também o path alternativo
+            if (!existsFile(transcriptPath)) {
+                // Tentar verificar se o arquivo existe com o path alternativo (sem sessionFile)
+                const altPath = resolveSessionTranscriptPath(sessionId, agentId);
+                if (existsFile(altPath)) {
+                    // Arquivo existe em path alternativo - atualizar entry se necessário
+                    return false;
+                }
+                // Arquivo realmente não existe em nenhum path
+                return true;
+            }
+            return false;
         });
         if (missing.length > 0) {
             warnings.push(`- ${missing.length}/${recent.length} recent sessions are missing transcripts. Check for deleted session files or split state dirs.`);

package/dist/config/types.js

@@ -20,6 +20,7 @@ export * from "./types.msteams.js";
 export * from "./types.plugins.js";
 export * from "./types.queue.js";
 export * from "./types.sandbox.js";
+export * from "./types.security.js";
 export * from "./types.signal.js";
 export * from "./types.skills.js";
 export * from "./types.slack.js";

package/dist/config/types.security.js

@@ -0,0 +1,5 @@
+/**
+ * Security configuration types
+ * @version 2026.1.30
+ */
+export {};

package/dist/config/zod-schema.js

@@ -436,6 +436,12 @@ export const PoolBotSchema = z
     })
         .strict()
         .optional(),
+    security: z
+        .object({
+        owners: z.array(z.string()).optional(),
+    })
+        .strict()
+        .optional(),
     skills: z
         .object({
         allowBundled: z.array(z.string()).optional(),

package/dist/discord/monitor/message-handler.process.js

@@ -73,12 +73,10 @@ export async function processDiscordMessage(ctx) {
     const forumContextLine = isForumStarter ? `[Forum parent: #${forumParentSlug}]` : null;
     const groupChannel = isGuildMessage && displayChannelSlug ? `#${displayChannelSlug}` : undefined;
     const groupSubject = isDirectMessage ? undefined : groupChannel;
-    const channelDescription = channelInfo?.topic?.trim();
-    const systemPromptParts = [
-        channelDescription ? `Channel topic: ${channelDescription}` : null,
-        channelConfig?.systemPrompt?.trim() || null,
-    ].filter((entry) => Boolean(entry));
-    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+    // SECURITY: Do NOT include channel topic/description in system prompt
+    // Channel metadata is user-controlled and can cause prompt injection
+    // Only include channelConfig.systemPrompt (admin-controlled)
+    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
     const storePath = resolveStorePath(cfg.session?.store, {
         agentId: route.agentId,
     });

package/dist/gateway/client.js

@@ -3,6 +3,7 @@ import { WebSocket } from "ws";
 import { normalizeFingerprint } from "../infra/tls/fingerprint.js";
 import { rawDataToString } from "../infra/ws.js";
 import { logDebug, logError } from "../logger.js";
+import { validateGatewayUrlSecurity } from "./url-validation.js";
 import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js";
 import { clearDeviceAuthToken, loadDeviceAuthToken, storeDeviceAuthToken, } from "../infra/device-auth-store.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
@@ -41,6 +42,19 @@ export class GatewayClient {
         if (this.closed)
             return;
         const url = this.opts.url ?? "ws://127.0.0.1:18789";
+        // SECURITY: Validate gateway URL override
+        // Prevents credential leakage via redirects to untrusted gateways
+        try {
+            validateGatewayUrlSecurity({
+                url,
+                token: this.opts.token,
+                requireExplicitToken: this.opts.requireExplicitToken,
+            });
+        }
+        catch (err) {
+            this.opts.onConnectError?.(err instanceof Error ? err : new Error(String(err)));
+            return;
+        }
         if (this.opts.tlsFingerprint && !url.startsWith("wss://")) {
             this.opts.onConnectError?.(new Error("gateway tls fingerprint requires wss:// gateway url"));
             return;

package/dist/gateway/hooks/index.js

@@ -24,8 +24,6 @@ defaultOnSessionStart, defaultOnSessionEnd, registerDefaultHooks,
 clearAllHooks, } from "./lifecycle-hooks.js";
 // Integration with agent events
 export { startLifecycleHooksIntegration, getIntegrationStats, isSessionTracked, getTrackedSessionInfo, clearTrackedSessions, removeTrackedSession, } from "./lifecycle-hooks-integration.js";
-// Tool usage capture (Day 2 - ACTIVE, feature-flagged)
-export { toolUsageCaptureHook, loadSessionToolUsage, saveSessionToolUsage, } from "./tool-usage-capture.js";
 // Progressive disclosure (Day 3 - ACTIVE, feature-flagged, OPT-IN)
 // Feature flag: PROGRESSIVE_DISCLOSURE_FLAGS.ENABLED = false (OFF by default)
 // Safe: Returns error "feature disabled" if called without enabling flag

package/dist/gateway/url-validation.js

@@ -0,0 +1,94 @@
+/**
+ * Gateway URL Override Security
+ * Prevents credential leakage via gateway URL redirects
+ *
+ * Based on OpenClaw 2026.2.4 security fix:
+ * - Require explicit credentials for gateway URL overrides
+ *
+ * @version 2026.1.30
+ */
+/**
+ * Default gateway URLs (considered safe)
+ */
+export const DEFAULT_GATEWAY_URLS = [
+    "http://127.0.0.1:18789",
+    "http://localhost:18789",
+    "http://[::1]:18789",
+];
+/**
+ * Minimum token length for security
+ */
+export const MIN_TOKEN_LENGTH = 32;
+/**
+ * Check if URL is a default/safe gateway URL
+ */
+export function isDefaultGatewayUrl(url) {
+    if (!url)
+        return true; // No URL means use default
+    const normalized = url.trim().toLowerCase();
+    return DEFAULT_GATEWAY_URLS.some((defaultUrl) => normalized === defaultUrl.toLowerCase());
+}
+/**
+ * Validate gateway URL override security
+ *
+ * @param config - Gateway configuration
+ * @throws Error if security requirements are not met
+ *
+ * @example
+ * ```typescript
+ * // Safe: Using default URL
+ * validateGatewayUrlSecurity({ url: "http://localhost:18789" });
+ *
+ * // Safe: Custom URL with explicit token
+ * validateGatewayUrlSecurity({
+ *   url: "http://custom.gateway.com",
+ *   token: "very-long-secure-token-32chars+",
+ *   requireExplicitToken: true
+ * });
+ *
+ * // Unsafe: Custom URL without explicit flag
+ * validateGatewayUrlSecurity({
+ *   url: "http://malicious.com",
+ *   token: "token"
+ * });
+ * // Throws: "Gateway URL override requires explicit token flag"
+ * ```
+ */
+export function validateGatewayUrlSecurity(config) {
+    // If URL is default/safe, no additional validation needed
+    if (isDefaultGatewayUrl(config.url)) {
+        return;
+    }
+    // Custom URL detected - require explicit confirmation
+    if (!config.requireExplicitToken) {
+        throw new Error("Gateway URL override requires explicit token flag. " +
+            "Set 'requireExplicitToken: true' in your gateway config to confirm " +
+            "you want to use a custom gateway URL. This prevents accidental " +
+            "credential leakage to untrusted gateways.");
+    }
+    // Require token when using custom URL
+    if (!config.token) {
+        throw new Error("Gateway URL override requires a token. " +
+            "Provide a secure token when using a custom gateway URL.");
+    }
+    // Require strong token (32+ characters)
+    if (config.token.length < MIN_TOKEN_LENGTH) {
+        throw new Error(`Gateway URL override requires a strong token (${MIN_TOKEN_LENGTH}+ characters). ` +
+            `Current token length: ${config.token.length} characters.`);
+    }
+}
+/**
+ * Check if gateway config is safe without throwing
+ *
+ * @param config - Gateway configuration
+ * @returns true if config is safe, false otherwise
+ */
+export function isGatewayConfigSafe(config) {
+    try {
+        validateGatewayUrlSecurity(config);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/media/path-sanitization.js

@@ -0,0 +1,78 @@
+/**
+ * Media Path Sanitization
+ * Prevents path traversal attacks in media attachments
+ *
+ * Based on OpenClaw 2026.2.4 security fix:
+ * - Enforce sandboxed media paths for message tool attachments
+ *
+ * @version 2026.1.30
+ */
+import path from "node:path";
+import fs from "node:fs";
+/**
+ * Sanitize media path to prevent path traversal
+ *
+ * @param inputPath - User-provided path (may contain ../ or absolute paths)
+ * @param baseDir - Base directory for media files (sandbox root)
+ * @returns Sanitized absolute path within baseDir
+ * @throws Error if path is outside baseDir or file doesn't exist
+ *
+ * @example
+ * ```typescript
+ * // Safe usage:
+ * const safe = sanitizeMediaPath("photo.jpg", "/root/.poolbot/media/");
+ * // Returns: "/root/.poolbot/media/photo.jpg"
+ *
+ * // Blocked (path traversal):
+ * sanitizeMediaPath("../../etc/passwd", "/root/.poolbot/media/");
+ * // Throws: "Path traversal detected"
+ * ```
+ */
+export function sanitizeMediaPath(inputPath, baseDir) {
+    // 1. Normalize base directory (ensure trailing slash)
+    const normalizedBase = path.resolve(baseDir);
+    // 2. Resolve absolute path (follows ../ and resolves relative paths)
+    const resolved = path.resolve(normalizedBase, inputPath);
+    // 3. Security check: must be within baseDir
+    if (!resolved.startsWith(normalizedBase + path.sep) && resolved !== normalizedBase) {
+        throw new Error(`Path traversal detected: "${inputPath}" resolves to "${resolved}" ` +
+            `which is outside the allowed directory "${normalizedBase}"`);
+    }
+    // 4. Check if file exists
+    if (!fs.existsSync(resolved)) {
+        throw new Error(`File not found: ${inputPath}`);
+    }
+    // 5. Check if it's a file (not directory)
+    const stats = fs.statSync(resolved);
+    if (!stats.isFile()) {
+        throw new Error(`Path is not a file: ${inputPath}`);
+    }
+    return resolved;
+}
+/**
+ * Sanitize multiple media paths
+ *
+ * @param inputPaths - Array of user-provided paths
+ * @param baseDir - Base directory for media files
+ * @returns Array of sanitized paths
+ * @throws Error if any path is invalid
+ */
+export function sanitizeMediaPaths(inputPaths, baseDir) {
+    return inputPaths.map((p) => sanitizeMediaPath(p, baseDir));
+}
+/**
+ * Check if path is safe without throwing
+ *
+ * @param inputPath - User-provided path
+ * @param baseDir - Base directory
+ * @returns true if path is safe, false otherwise
+ */
+export function isMediaPathSafe(inputPath, baseDir) {
+    try {
+        sanitizeMediaPath(inputPath, baseDir);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/slack/monitor/message-handler/prepare.js

@@ -350,16 +350,10 @@ export async function prepareSlackMessage(params) {
         });
     }
     const slackTo = isDirectMessage ? `user:${message.user}` : `channel:${message.channel}`;
-    const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
-        .map((entry) => entry?.trim())
-        .filter((entry) => Boolean(entry))
-        .filter((entry, index, list) => list.indexOf(entry) === index)
-        .join("\n");
-    const systemPromptParts = [
-        channelDescription ? `Channel description: ${channelDescription}` : null,
-        channelConfig?.systemPrompt?.trim() || null,
-    ].filter((entry) => Boolean(entry));
-    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+    // SECURITY: Do NOT include channel topic/purpose in system prompt
+    // Channel metadata is user-controlled and can cause prompt injection
+    // Only include channelConfig.systemPrompt (admin-controlled)
+    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
     let threadStarterBody;
     let threadLabel;
     let threadStarterMedia = null;

package/dist/slack/monitor/slash.js

@@ -288,16 +288,10 @@ export function registerSlackMonitorSlashCommands(params) {
                     id: isDirectMessage ? command.user_id : command.channel_id,
                 },
             });
-            const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
-                .map((entry) => entry?.trim())
-                .filter((entry) => Boolean(entry))
-                .filter((entry, index, list) => list.indexOf(entry) === index)
-                .join("\n");
-            const systemPromptParts = [
-                channelDescription ? `Channel description: ${channelDescription}` : null,
-                channelConfig?.systemPrompt?.trim() || null,
-            ].filter((entry) => Boolean(entry));
-            const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+            // SECURITY: Do NOT include channel topic/purpose in system prompt
+            // Channel metadata is user-controlled and can cause prompt injection
+            // Only include channelConfig.systemPrompt (admin-controlled)
+            const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
             const ctxPayload = finalizeInboundContext({
                 Body: prompt,
                 RawBody: prompt,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poolzin/pool-bot",
-  "version": "2026.1.33",
+  "version": "2026.1.35",
   "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
   "type": "module",
   "main": "dist/index.js",

package/dist/gateway/hooks/tool-usage-capture.js

@@ -1,253 +0,0 @@
-/**
- * Tool Usage Capture Hook
- *
- * Captures tool usage automatically via lifecycle hooks.
- * Safe: never throws, async operations, feature-flagged.
- *
- * Integration:
- * - Registers as onToolUse hook
- * - Captures all tool calls automatically
- * - Stores compressed data in SessionEntry
- */
-import { TOOL_USAGE_ENABLED, TOOL_USAGE_MAX_RECORDS, createToolUsageRecord, updateToolStats, addToHistory, } from "./tool-usage-storage.js";
-// ============================================================================
-// Configuration
-// ============================================================================
-const TOOL_USAGE_BUFFER_FLUSH_INTERVAL = 30000; // 30 seconds
-const TOOL_USAGE_BUFFER_MAX_SIZE = 50; // Flush after 50 tool calls
-const toolUsageBuffer = new Map();
-let bufferFlushScheduled = false;
-// ============================================================================
-// SessionEntry Extension (Type-safe, backward compatible)
-// ============================================================================
-/**
- * Load tool usage from SessionEntry
- * Safe: handles missing data, validates structure
- */
-export async function loadSessionToolUsage(sessionKey) {
-    try {
-        // TODO: Integrate with actual SessionEntry in Phase 4
-        // For now, return in-memory placeholder
-        const existing = toolUsageBuffer.get(sessionKey);
-        if (existing && existing.length > 0) {
-            // Return computed stats from buffer
-            const tools = {};
-            for (const record of existing) {
-                if (!tools[record.toolName]) {
-                    tools[record.toolName] = {
-                        count: 0,
-                        totalMs: 0,
-                        avgMs: 0,
-                        lastUsed: record.timestamp,
-                    };
-                }
-                tools[record.toolName] = updateToolStats(tools[record.toolName], record.executionTimeMs);
-            }
-            return {
-                version: 2,
-                sessionKey,
-                sessionId: sessionKey, // Placeholder
-                tools,
-                history: existing,
-                lastCaptured: Date.now(),
-            };
-        }
-        // Return empty usage
-        return {
-            version: 2,
-            sessionKey,
-            sessionId: sessionKey,
-            tools: {},
-            history: [],
-            lastCaptured: Date.now(),
-        };
-    }
-    catch (err) {
-        console.error("[tool-usage-capture] Failed to load tool usage:", err);
-        // Return empty usage on error
-        return {
-            version: 2,
-            sessionKey,
-            sessionId: sessionKey,
-            tools: {},
-            history: [],
-            lastCaptured: Date.now(),
-        };
-    }
-}
-/**
- * Save tool usage to SessionEntry
- * Safe: validates data, handles errors gracefully
- */
-export async function saveSessionToolUsage(sessionKey, usage) {
-    try {
-        // TODO: Integrate with actual SessionEntry in Phase 4
-        // For now, just update in-memory buffer
-        const existing = toolUsageBuffer.get(sessionKey) || [];
-        const newRecords = usage.history.slice(existing.length);
-        if (newRecords.length > 0) {
-            toolUsageBuffer.set(sessionKey, [...existing, ...newRecords]);
-        }
-        if (TOOL_USAGE_ENABLED) {
-            console.log(`[tool-usage-capture] Saved ${newRecords.length} records for ${sessionKey}`);
-        }
-    }
-    catch (err) {
-        console.error("[tool-usage-capture] Failed to save tool usage:", err);
-        // Never throw - errors are logged only
-    }
-}
-// ============================================================================
-// Hook Implementation
-// ============================================================================
-/**
- * Main hook: captures tool usage automatically
- * Safe: validates all inputs, never throws, handles all edge cases
- */
-export const toolUsageCaptureHook = async (ctx) => {
-    // Feature flag check (safe exit)
-    if (!TOOL_USAGE_ENABLED) {
-        return;
-    }
-    try {
-        // Validate inputs (safe defaults)
-        const toolName = ctx.toolName || "unknown_tool";
-        const executionTimeMs = ctx.executionTimeMs || 0;
-        const success = ctx.success !== undefined ? ctx.success : true;
-        // Create compressed record
-        const record = createToolUsageRecord(toolName, ctx.toolInput, ctx.toolOutput, executionTimeMs, success, ctx.error);
-        // Load existing usage
-        const usage = await loadSessionToolUsage(ctx.sessionKey);
-        // Update stats
-        if (!usage.tools[toolName]) {
-            usage.tools[toolName] = {
-                count: 0,
-                totalMs: 0,
-                avgMs: 0,
-                lastUsed: record.timestamp,
-            };
-        }
-        usage.tools[toolName] = updateToolStats(usage.tools[toolName], executionTimeMs);
-        // Add to history (respects max limit)
-        usage.history = addToHistory(usage.history, record, TOOL_USAGE_MAX_RECORDS);
-        usage.lastCaptured = Date.now();
-        // Save (async, non-blocking)
-        await saveSessionToolUsage(ctx.sessionKey, usage).catch((err) => {
-            // Save errors are logged in saveSessionToolUsage
-            // This catch is just for extra safety
-            console.error("[tool-usage-capture] Unhandled save error:", err);
-        });
-        // Debug logging (can be disabled)
-        if (success && TOOL_USAGE_ENABLED) {
-            console.log(`[tool-usage-capture] ${toolName} (${executionTimeMs}ms) - ${ctx.sessionKey}`);
-        }
-    }
-    catch (err) {
-        // NEVER throw from hook - would break the tool call
-        console.error("[tool-usage-capture] Hook error:", err);
-    }
-};
-// ============================================================================
-// Buffer Management (performance optimization)
-// ============================================================================
-/**
- * Flush in-memory buffer to storage
- * Safe: handles errors, never throws
- */
-export async function flushToolUsageBuffer() {
-    try {
-        if (toolUsageBuffer.size === 0) {
-            return; // Nothing to flush
-        }
-        let flushed = 0;
-        for (const [sessionKey, records] of toolUsageBuffer.entries()) {
-            try {
-                // TODO: Actually persist to SessionEntry in Phase 4
-                // For now, buffer stays in-memory
-                flushed += records.length;
-            }
-            catch (err) {
-                console.error(`[tool-usage-capture] Failed to flush buffer for ${sessionKey}:`, err);
-            }
-        }
-        if (flushed > 0 && TOOL_USAGE_ENABLED) {
-            console.log(`[tool-usage-capture] Flushed ${flushed} records from buffer`);
-        }
-    }
-    catch (err) {
-        console.error("[tool-usage-capture] Buffer flush error:", err);
-    }
-}
-/**
- * Schedule buffer flush
- * Safe: debounced, only schedules once
- */
-function scheduleBufferFlush() {
-    if (bufferFlushScheduled) {
-        return; // Already scheduled
-    }
-    bufferFlushScheduled = true;
-    // Flush after 30 seconds
-    setTimeout(async () => {
-        await flushToolUsageBuffer();
-        bufferFlushScheduled = false;
-    }, TOOL_USAGE_BUFFER_FLUSH_INTERVAL);
-}
-// ============================================================================
-// Query API (for future use)
-// ============================================================================
-/**
- * Get tool usage statistics for a session
- * Safe: returns empty object if no data
- */
-export async function getSessionToolUsage(sessionKey) {
-    try {
-        const usage = await loadSessionToolUsage(sessionKey);
-        return usage;
-    }
-    catch (err) {
-        console.error(`[tool-usage-capture] Failed to get usage for ${sessionKey}:`, err);
-        return undefined;
-    }
-}
-/**
- * Get recent tool usage (last N records)
- * Safe: returns empty array if no data
- */
-export async function getRecentToolUsage(sessionKey, count = 10) {
-    try {
-        const usage = await loadSessionToolUsage(sessionKey);
-        return usage.history.slice(-count);
-    }
-    catch (err) {
-        console.error(`[tool-usage-capture] Failed to get recent usage for ${sessionKey}:`, err);
-        return [];
-    }
-}
-// ============================================================================
-// Cleanup
-// ============================================================================
-/**
- * Clear tool usage buffer (for testing)
- * Safe: never throws
- */
-export function clearToolUsageBuffer() {
-    try {
-        toolUsageBuffer.clear();
-    }
-    catch (err) {
-        console.error("[tool-usage-capture] Buffer clear error:", err);
-    }
-}
-/**
- * Clear tool usage for a specific session
- * Safe: never throws
- */
-export function clearSessionToolUsage(sessionKey) {
-    try {
-        toolUsageBuffer.delete(sessionKey);
-    }
-    catch (err) {
-        console.error(`[tool-usage-capture] Failed to clear usage for ${sessionKey}:`, err);
-    }
-}

package/dist/gateway/hooks/tool-usage-storage.js

@@ -1,144 +0,0 @@
-/**
- * Tool Usage Capture - Storage Layer
- *
- * Safe, efficient storage for tool usage data.
- * Phase 2a: Type definitions and interfaces (NO breaking changes)
- *
- * Safety measures:
- * - All fields optional (backward compatible)
- * - Version field for future migrations
- * - No modifications to existing SessionEntry fields
- */
-// ============================================================================
-// Constants
-// ============================================================================
-export const TOOL_USAGE_MAX_RECORDS = 100; // Keep only last 100 records
-export const TOOL_USAGE_MAX_SUMMARY_LEN = 100; // Max 100 chars per summary
-export const TOOL_USAGE_ENABLED = true; // Feature flag (master switch)
-// ============================================================================
-// Compression Functions (safe, no side effects)
-// ============================================================================
-/**
- * Compress a tool input/output value to a short summary
- * Safe: never throws, handles all types gracefully
- */
-export function compressToolValue(value, maxLen = TOOL_USAGE_MAX_SUMMARY_LEN) {
-    try {
-        // Handle primitives
-        if (value === null)
-            return "null";
-        if (value === undefined)
-            return "undefined";
-        if (typeof value === "string") {
-            return value.length > maxLen ? value.slice(0, maxLen) + "..." : value;
-        }
-        if (typeof value === "number")
-            return String(value);
-        if (typeof value === "boolean")
-            return String(value);
-        // Handle objects and arrays
-        if (typeof value === "object") {
-            const json = JSON.stringify(value);
-            return json.length > maxLen ? json.slice(0, maxLen) + "..." : json;
-        }
-        // Fallback
-        return String(value);
-    }
-    catch (err) {
-        // If compression fails, return safe fallback
-        return "[compression_error]";
-    }
-}
-/**
- * Create a tool usage record from hook context
- * Safe: validates all inputs, never throws
- */
-export function createToolUsageRecord(toolName, toolInput, toolOutput, executionTimeMs, success, error) {
-    // Validate inputs (safe defaults)
-    const safeToolName = typeof toolName === "string" && toolName.length > 0 ? toolName : "unknown_tool";
-    const safeInput = typeof toolInput === "object" && toolInput !== null ? toolInput : {};
-    const safeTime = typeof executionTimeMs === "number" && executionTimeMs >= 0 ? executionTimeMs : 0;
-    const safeSuccess = Boolean(success);
-    return {
-        toolName: safeToolName,
-        timestamp: Date.now(),
-        executionTimeMs: safeTime,
-        success: safeSuccess,
-        inputSummary: compressToolValue(safeInput),
-        outputSummary: compressToolValue(toolOutput),
-        error: error ? String(error).slice(0, 200) : undefined,
-    };
-}
-// ============================================================================
-// Statistics Update (pure function, no side effects)
-// ============================================================================
-/**
- * Update tool statistics with a new record
- * Safe: never mutates input, returns new object
- */
-export function updateToolStats(existingStats, executionTimeMs) {
-    const count = (existingStats?.count ?? 0) + 1;
-    const totalMs = (existingStats?.totalMs ?? 0) + executionTimeMs;
-    const avgMs = count > 0 ? Math.round((totalMs / count) * 100) / 100 : 0;
-    return {
-        count,
-        totalMs,
-        avgMs,
-        lastUsed: Date.now(),
-    };
-}
-// ============================================================================
-// History Management (pure functions)
-// ============================================================================
-/**
- * Add record to history, respecting max limit
- * Safe: never exceeds max records, returns new array
- */
-export function addToHistory(history, record, maxRecords = TOOL_USAGE_MAX_RECORDS) {
-    const newHistory = [...history, record];
-    // Keep only last N records
-    if (newHistory.length > maxRecords) {
-        return newHistory.slice(-maxRecords);
-    }
-    return newHistory;
-}
-/**
- * Get recent tool usage (last N records)
- * Safe: never mutates input, returns slice
- */
-export function getRecentToolUsage(history, count = 10) {
-    return history.slice(-count);
-}
-// ============================================================================
-// Query Functions (for future use)
-// ============================================================================
-/**
- * Get statistics for a specific tool
- * Safe: returns undefined if tool not found
- */
-export function getToolStats(usage, toolName) {
-    return usage?.tools[toolName];
-}
-/**
- * Get all tool names sorted by usage frequency
- * Safe: returns empty array if no data
- */
-export function getToolsByFrequency(usage) {
-    if (!usage?.tools)
-        return [];
-    return Object.entries(usage.tools)
-        .map(([toolName, stats]) => ({ toolName, count: stats.count }))
-        .sort((a, b) => b.count - a.count);
-}
-/**
- * Get slowest tools (by average execution time)
- * Safe: returns empty array if no data
- */
-export function getSlowestTools(usage, limit = 5) {
-    if (!usage?.tools)
-        return [];
-    return Object.entries(usage.tools)
-        .map(([toolName, stats]) => ({ toolName, avgMs: stats.avgMs }))
-        .sort((a, b) => b.avgMs - a.avgMs)
-        .slice(0, limit);
-}