@poolzin/pool-bot 2026.1.34 → 2026.1.35

package/CHANGELOG.md

@@ -1,3 +1,87 @@
+# Changelog
+
+All notable changes to Pool Bot will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [2026.1.35] - 2026-02-06
+
+### 📦 Stability Snapshot
+
+**Release Type:** Pre-enhancement checkpoint
+
+#### Summary
+This release is a stable checkpoint before implementing local memory search enhancements.
+
+#### Changes
+- **Version bump:** 2026.1.30 → 2026.1.35
+- **Repository sync:** All repositories clean and synchronized
+- **Backup verification:** Complete backup of configurations and state
+
+#### Technical Details
+- Package: @poolzin/pool-bot
+- Node.js: v22.22.0 compatible
+- Backup: /root/poolbot-backup-20260206-130344.tar.gz (35MB)
+
+#### Next Steps (Post-Release)
+- Implement Ollama integration for local memory_search
+- Complete QMD embeddings (220 pending → 0)
+- Remove auto-study skill (user-managed cron)
+- Enhance memory architecture with local embeddings
+
+#### Maintenance
+- All repositories verified clean
+- Git states documented
+- Gateway status captured
+
+---
+
+## v2026.1.30 (2026-02-05)
+
+### 🔒 Security Release - CRITICAL VULNERABILITY FIXES
+
+#### Critical Vulnerabilities Fixed 🔴
+- **Gateway URL Override (CVE-level):** Prevent credential leakage via malicious gateway redirects
+  - Added `validateGatewayUrlSecurity()` requiring explicit token confirmation for custom URLs
+  - Custom URLs now require 32+ character tokens
+  - Validation applied in `src/gateway/client.ts` before connection
+
+- **Discord Prompt Injection (HIGH):** Block arbitrary command injection via channel.topic
+  - Removed `channel.topic` from system prompts in `src/discord/monitor/message-handler.process.ts`
+  - Only admin-controlled metadata is now included
+  - Prevents users with edit permissions from manipulating agent behavior
+
+- **Slack Prompt Injection (HIGH):** Block arbitrary command injection via topic/purpose
+  - Removed `channel.topic` and `channel.purpose` from system prompts
+  - Fixed in `src/slack/monitor/message-handler/prepare.ts` and `src/slack/monitor/slash.ts`
+  - Same attack vector as Discord, now mitigated
+
+#### Security Features Added ✅
+- **Tool Gating System:** Owner-only access to sensitive tools
+  - `validateToolAccess()` function in `src/agents/tool-security.ts`
+  - Protected tools: `whatsapp_login`, `gateway`, `cron`, `sessions_spawn`
+  - Configurable via `security.owners` in poolbot.json
+
+- **Security Utilities:** Prevention and validation functions
+  - Path sanitization utilities in `src/media/path-sanitization.ts`
+  - URL validation in `src/gateway/url-validation.ts`
+  - Security config schema in `src/config/types.security.ts`
+
+#### Documentation
+- **New:** `SECURITY.md` - Complete security policy and vulnerability disclosure
+- Breaking changes documented
+- Security best practices for users and developers
+- Reporting guidelines for security issues
+
+#### Credits
+- Security improvements inspired by [OpenClaw](https://github.com/openclaw/openclaw) security hardening
+- Internal security audit based on OpenClaw v2026.2.4 analysis
+
+**UPGRADE RECOMMENDED:** All users should upgrade to v2026.1.30 due to critical security fixes.
+
+---
+
 ## v1.0.1 (2026-02-02)
 
 ### WhatsApp Gateway Stability

package/dist/agents/tool-security-helpers.js

@@ -0,0 +1,66 @@
+/**
+ * Tool Security Integration Helper
+ *
+ * Provides helper functions for tool security validation in plugins
+ * until full sender context integration is complete.
+ *
+ * @version 2026.1.30
+ */
+import { validateToolAccess, canUseTool } from "./tool-security.js";
+/**
+ * Create access denied response for tool execution
+ *
+ * @param toolName - Name of the tool that was denied
+ * @param reason - Optional reason for denial
+ */
+export function createAccessDeniedResponse(toolName, reason) {
+    const message = reason ||
+        `⛔ Access Denied\n\n` +
+            `Tool "${toolName}" is restricted to owners only.\n` +
+            `This tool requires owner permissions for security reasons.\n\n` +
+            `Contact the bot owner for access.`;
+    return {
+        content: [{ type: "text", text: message }],
+        details: { error: "access_denied", tool: toolName },
+    };
+}
+/**
+ * Check if a tool can be used with optional sender validation
+ *
+ * @param toolName - Tool name to validate
+ * @param config - Pool Bot config (for owners list)
+ * @param sender - Optional sender identifier
+ * @returns true if tool can be used, false otherwise
+ *
+ * NOTE: If sender is undefined, sensitive tools will be denied.
+ * This is a safe default until sender context integration is complete.
+ */
+export function canUseToolSafe(toolName, config, sender) {
+    const owners = config?.security?.owners || [];
+    return canUseTool(toolName, sender, owners);
+}
+/**
+ * Validate tool access and return error response if denied
+ *
+ * @param toolName - Tool name to validate
+ * @param config - Pool Bot config (for owners list)
+ * @param sender - Optional sender identifier
+ * @returns null if access is allowed, error response if denied
+ *
+ * Usage:
+ * ```typescript
+ * const denied = validateToolAccessResponse("whatsapp_login", config, sender);
+ * if (denied) return denied;
+ * // ... proceed with tool execution
+ * ```
+ */
+export function validateToolAccessResponse(toolName, config, sender) {
+    const owners = config?.security?.owners || [];
+    try {
+        validateToolAccess(toolName, sender, owners);
+        return null; // Access allowed
+    }
+    catch (err) {
+        return createAccessDeniedResponse(toolName, err.message);
+    }
+}

package/dist/agents/tool-security.js

@@ -0,0 +1,96 @@
+/**
+ * Tool Security - Tool Gating and Access Control
+ *
+ * Based on OpenClaw 2026.2.4 security fixes:
+ * - Gate sensitive tools to owner senders only
+ * - Prevent tool hijacking by non-owners
+ *
+ * @version 2026.1.30
+ */
+/**
+ * List of sensitive tools that require owner permissions
+ */
+export const SENSITIVE_TOOLS = [
+    // WhatsApp
+    "whatsapp_login",
+    // Gateway management
+    "gateway",
+    "gateway:restart",
+    "gateway:update",
+    // Config management
+    "gateway:config:apply",
+    "gateway:config:patch",
+    // Cron management
+    "cron:add",
+    "cron:remove",
+    "cron:update",
+    // Session management
+    "sessions_spawn", // Pode criar sub-agentes
+];
+/**
+ * Check if a tool is sensitive (requires owner permission)
+ */
+export function isSensitiveTool(toolName) {
+    const normalized = toolName.trim().toLowerCase();
+    return SENSITIVE_TOOLS.some((tool) => {
+        const normalizedTool = tool.toLowerCase();
+        // Exact match ou prefix match (ex: "gateway" match "gateway:restart")
+        return normalized === normalizedTool || normalized.startsWith(`${normalizedTool}:`);
+    });
+}
+/**
+ * Check if a sender is an owner
+ *
+ * Owners are configured in poolbot.json:
+ * {
+ *   "security": {
+ *     "owners": ["+554498569337", "5140768830"]
+ *   }
+ * }
+ */
+export function isOwner(sender, owners = []) {
+    if (!sender)
+        return false;
+    const normalizedSender = sender.trim();
+    if (!normalizedSender)
+        return false;
+    // Check if sender is in owners list
+    return owners.some((owner) => {
+        const normalizedOwner = owner.trim();
+        return normalizedOwner === normalizedSender;
+    });
+}
+/**
+ * Check if a user can use a tool
+ *
+ * @param toolName - Tool name (ex: "whatsapp_login")
+ * @param sender - Sender identifier (phone number, user ID, etc.)
+ * @param owners - List of owner identifiers
+ * @returns true if user can use the tool, false otherwise
+ */
+export function canUseTool(toolName, sender, owners = []) {
+    // Non-sensitive tools são permitidas para todos
+    if (!isSensitiveTool(toolName)) {
+        return true;
+    }
+    // Sensitive tools requerem owner permission
+    return isOwner(sender, owners);
+}
+/**
+ * Error message for denied tool access
+ */
+export function toolAccessDeniedMessage(toolName) {
+    return (`Tool "${toolName}" is restricted to owners only. ` +
+        `This tool requires owner permissions for security reasons. ` +
+        `Contact the bot owner for access.`);
+}
+/**
+ * Validate tool access and throw if denied
+ *
+ * @throws Error if access is denied
+ */
+export function validateToolAccess(toolName, sender, owners = []) {
+    if (!canUseTool(toolName, sender, owners)) {
+        throw new Error(toolAccessDeniedMessage(toolName));
+    }
+}

package/dist/agents/workspace.js

@@ -208,7 +208,11 @@ export async function loadWorkspaceBootstrapFiles(dir) {
             filePath: path.join(resolvedDir, DEFAULT_BOOTSTRAP_FILENAME),
         },
     ];
-    entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
+    // MEMORY.md is deliberately NOT loaded as a bootstrap file.
+    // Per AGENTS.md guidance: "use memory_search() on demand when user asks about past"
+    // This prevents ~9.8K tokens (~52.7% of bootstrap) from being injected into every conversation.
+    // MEMORY.md remains accessible via the memory_search tool when needed.
+    // entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
     const result = [];
     for (const entry of entries) {
         try {

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "2026.1.34",
-  "commit": "84710f9a55bc3eca77fd7ffa882d9f11b9f92acc",
-  "builtAt": "2026-02-05T14:57:54.102Z"
+  "version": "2026.1.35",
+  "commit": "582e7d0d30d89c8f4b16bcfdc684fd60300fb9a9",
+  "builtAt": "2026-02-06T13:08:41.796Z"
 }

package/dist/channels/plugins/agent-tools/whatsapp-login.js

@@ -1,5 +1,14 @@
 import { Type } from "@sinclair/typebox";
-export function createWhatsAppLoginTool() {
+import { validateToolAccessResponse } from "../../../agents/tool-security-helpers.js";
+/**
+ * Create WhatsApp Login tool
+ *
+ * SECURITY: This tool is restricted to owners only.
+ * Unauthorized access could allow hijacking the WhatsApp instance.
+ *
+ * @param config - Optional Pool Bot config for security validation
+ */
+export function createWhatsAppLoginTool(config) {
     return {
         label: "WhatsApp Login",
         name: "whatsapp_login",
@@ -15,6 +24,13 @@ export function createWhatsAppLoginTool() {
             force: Type.Optional(Type.Boolean()),
         }),
         execute: async (_toolCallId, args) => {
+            // SECURITY: Validate owner access
+            // NOTE: sender context integration is pending. For now, sensitive tools
+            // are denied unless explicitly configured with owners list.
+            // TODO: Integrate sender context from session/channel
+            const denied = validateToolAccessResponse("whatsapp_login", config, undefined);
+            if (denied)
+                return denied;
             const { startWebLoginWithQr, waitForWebLogin } = await import("../../../web/login-qr.js");
             const action = args?.action ?? "start";
             if (action === "wait") {

package/dist/commands/doctor-state-integrity.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { resolveOAuthDir, resolveStateDir } from "../config/paths.js";
-import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
+import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptPath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
 import { note } from "../terminal/note.js";
 import { shortenHomePath } from "../utils.js";
 function existsDir(dir) {
@@ -291,7 +291,19 @@ export async function noteStateIntegrity(cfg, prompter, configPath) {
             const transcriptPath = resolveSessionFilePath(sessionId, entry, {
                 agentId,
             });
-            return !existsFile(transcriptPath);
+            // Fix: Verificar se o arquivo existe antes de declarar "missing"
+            // Se o arquivo não existe no path esperado, verificar também o path alternativo
+            if (!existsFile(transcriptPath)) {
+                // Tentar verificar se o arquivo existe com o path alternativo (sem sessionFile)
+                const altPath = resolveSessionTranscriptPath(sessionId, agentId);
+                if (existsFile(altPath)) {
+                    // Arquivo existe em path alternativo - atualizar entry se necessário
+                    return false;
+                }
+                // Arquivo realmente não existe em nenhum path
+                return true;
+            }
+            return false;
         });
         if (missing.length > 0) {
             warnings.push(`- ${missing.length}/${recent.length} recent sessions are missing transcripts. Check for deleted session files or split state dirs.`);

package/dist/config/types.js

@@ -20,6 +20,7 @@ export * from "./types.msteams.js";
 export * from "./types.plugins.js";
 export * from "./types.queue.js";
 export * from "./types.sandbox.js";
+export * from "./types.security.js";
 export * from "./types.signal.js";
 export * from "./types.skills.js";
 export * from "./types.slack.js";

package/dist/config/types.security.js

@@ -0,0 +1,5 @@
+/**
+ * Security configuration types
+ * @version 2026.1.30
+ */
+export {};

package/dist/config/zod-schema.js

@@ -436,6 +436,12 @@ export const PoolBotSchema = z
     })
         .strict()
         .optional(),
+    security: z
+        .object({
+        owners: z.array(z.string()).optional(),
+    })
+        .strict()
+        .optional(),
     skills: z
         .object({
         allowBundled: z.array(z.string()).optional(),

package/dist/discord/monitor/message-handler.process.js

@@ -73,12 +73,10 @@ export async function processDiscordMessage(ctx) {
     const forumContextLine = isForumStarter ? `[Forum parent: #${forumParentSlug}]` : null;
     const groupChannel = isGuildMessage && displayChannelSlug ? `#${displayChannelSlug}` : undefined;
     const groupSubject = isDirectMessage ? undefined : groupChannel;
-    const channelDescription = channelInfo?.topic?.trim();
-    const systemPromptParts = [
-        channelDescription ? `Channel topic: ${channelDescription}` : null,
-        channelConfig?.systemPrompt?.trim() || null,
-    ].filter((entry) => Boolean(entry));
-    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+    // SECURITY: Do NOT include channel topic/description in system prompt
+    // Channel metadata is user-controlled and can cause prompt injection
+    // Only include channelConfig.systemPrompt (admin-controlled)
+    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
     const storePath = resolveStorePath(cfg.session?.store, {
         agentId: route.agentId,
     });

package/dist/gateway/client.js

@@ -3,6 +3,7 @@ import { WebSocket } from "ws";
 import { normalizeFingerprint } from "../infra/tls/fingerprint.js";
 import { rawDataToString } from "../infra/ws.js";
 import { logDebug, logError } from "../logger.js";
+import { validateGatewayUrlSecurity } from "./url-validation.js";
 import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js";
 import { clearDeviceAuthToken, loadDeviceAuthToken, storeDeviceAuthToken, } from "../infra/device-auth-store.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
@@ -41,6 +42,19 @@ export class GatewayClient {
         if (this.closed)
             return;
         const url = this.opts.url ?? "ws://127.0.0.1:18789";
+        // SECURITY: Validate gateway URL override
+        // Prevents credential leakage via redirects to untrusted gateways
+        try {
+            validateGatewayUrlSecurity({
+                url,
+                token: this.opts.token,
+                requireExplicitToken: this.opts.requireExplicitToken,
+            });
+        }
+        catch (err) {
+            this.opts.onConnectError?.(err instanceof Error ? err : new Error(String(err)));
+            return;
+        }
         if (this.opts.tlsFingerprint && !url.startsWith("wss://")) {
             this.opts.onConnectError?.(new Error("gateway tls fingerprint requires wss:// gateway url"));
             return;

package/dist/gateway/url-validation.js

@@ -0,0 +1,94 @@
+/**
+ * Gateway URL Override Security
+ * Prevents credential leakage via gateway URL redirects
+ *
+ * Based on OpenClaw 2026.2.4 security fix:
+ * - Require explicit credentials for gateway URL overrides
+ *
+ * @version 2026.1.30
+ */
+/**
+ * Default gateway URLs (considered safe)
+ */
+export const DEFAULT_GATEWAY_URLS = [
+    "http://127.0.0.1:18789",
+    "http://localhost:18789",
+    "http://[::1]:18789",
+];
+/**
+ * Minimum token length for security
+ */
+export const MIN_TOKEN_LENGTH = 32;
+/**
+ * Check if URL is a default/safe gateway URL
+ */
+export function isDefaultGatewayUrl(url) {
+    if (!url)
+        return true; // No URL means use default
+    const normalized = url.trim().toLowerCase();
+    return DEFAULT_GATEWAY_URLS.some((defaultUrl) => normalized === defaultUrl.toLowerCase());
+}
+/**
+ * Validate gateway URL override security
+ *
+ * @param config - Gateway configuration
+ * @throws Error if security requirements are not met
+ *
+ * @example
+ * ```typescript
+ * // Safe: Using default URL
+ * validateGatewayUrlSecurity({ url: "http://localhost:18789" });
+ *
+ * // Safe: Custom URL with explicit token
+ * validateGatewayUrlSecurity({
+ *   url: "http://custom.gateway.com",
+ *   token: "very-long-secure-token-32chars+",
+ *   requireExplicitToken: true
+ * });
+ *
+ * // Unsafe: Custom URL without explicit flag
+ * validateGatewayUrlSecurity({
+ *   url: "http://malicious.com",
+ *   token: "token"
+ * });
+ * // Throws: "Gateway URL override requires explicit token flag"
+ * ```
+ */
+export function validateGatewayUrlSecurity(config) {
+    // If URL is default/safe, no additional validation needed
+    if (isDefaultGatewayUrl(config.url)) {
+        return;
+    }
+    // Custom URL detected - require explicit confirmation
+    if (!config.requireExplicitToken) {
+        throw new Error("Gateway URL override requires explicit token flag. " +
+            "Set 'requireExplicitToken: true' in your gateway config to confirm " +
+            "you want to use a custom gateway URL. This prevents accidental " +
+            "credential leakage to untrusted gateways.");
+    }
+    // Require token when using custom URL
+    if (!config.token) {
+        throw new Error("Gateway URL override requires a token. " +
+            "Provide a secure token when using a custom gateway URL.");
+    }
+    // Require strong token (32+ characters)
+    if (config.token.length < MIN_TOKEN_LENGTH) {
+        throw new Error(`Gateway URL override requires a strong token (${MIN_TOKEN_LENGTH}+ characters). ` +
+            `Current token length: ${config.token.length} characters.`);
+    }
+}
+/**
+ * Check if gateway config is safe without throwing
+ *
+ * @param config - Gateway configuration
+ * @returns true if config is safe, false otherwise
+ */
+export function isGatewayConfigSafe(config) {
+    try {
+        validateGatewayUrlSecurity(config);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/media/path-sanitization.js

@@ -0,0 +1,78 @@
+/**
+ * Media Path Sanitization
+ * Prevents path traversal attacks in media attachments
+ *
+ * Based on OpenClaw 2026.2.4 security fix:
+ * - Enforce sandboxed media paths for message tool attachments
+ *
+ * @version 2026.1.30
+ */
+import path from "node:path";
+import fs from "node:fs";
+/**
+ * Sanitize media path to prevent path traversal
+ *
+ * @param inputPath - User-provided path (may contain ../ or absolute paths)
+ * @param baseDir - Base directory for media files (sandbox root)
+ * @returns Sanitized absolute path within baseDir
+ * @throws Error if path is outside baseDir or file doesn't exist
+ *
+ * @example
+ * ```typescript
+ * // Safe usage:
+ * const safe = sanitizeMediaPath("photo.jpg", "/root/.poolbot/media/");
+ * // Returns: "/root/.poolbot/media/photo.jpg"
+ *
+ * // Blocked (path traversal):
+ * sanitizeMediaPath("../../etc/passwd", "/root/.poolbot/media/");
+ * // Throws: "Path traversal detected"
+ * ```
+ */
+export function sanitizeMediaPath(inputPath, baseDir) {
+    // 1. Normalize base directory (ensure trailing slash)
+    const normalizedBase = path.resolve(baseDir);
+    // 2. Resolve absolute path (follows ../ and resolves relative paths)
+    const resolved = path.resolve(normalizedBase, inputPath);
+    // 3. Security check: must be within baseDir
+    if (!resolved.startsWith(normalizedBase + path.sep) && resolved !== normalizedBase) {
+        throw new Error(`Path traversal detected: "${inputPath}" resolves to "${resolved}" ` +
+            `which is outside the allowed directory "${normalizedBase}"`);
+    }
+    // 4. Check if file exists
+    if (!fs.existsSync(resolved)) {
+        throw new Error(`File not found: ${inputPath}`);
+    }
+    // 5. Check if it's a file (not directory)
+    const stats = fs.statSync(resolved);
+    if (!stats.isFile()) {
+        throw new Error(`Path is not a file: ${inputPath}`);
+    }
+    return resolved;
+}
+/**
+ * Sanitize multiple media paths
+ *
+ * @param inputPaths - Array of user-provided paths
+ * @param baseDir - Base directory for media files
+ * @returns Array of sanitized paths
+ * @throws Error if any path is invalid
+ */
+export function sanitizeMediaPaths(inputPaths, baseDir) {
+    return inputPaths.map((p) => sanitizeMediaPath(p, baseDir));
+}
+/**
+ * Check if path is safe without throwing
+ *
+ * @param inputPath - User-provided path
+ * @param baseDir - Base directory
+ * @returns true if path is safe, false otherwise
+ */
+export function isMediaPathSafe(inputPath, baseDir) {
+    try {
+        sanitizeMediaPath(inputPath, baseDir);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/slack/monitor/message-handler/prepare.js

@@ -350,16 +350,10 @@ export async function prepareSlackMessage(params) {
         });
     }
     const slackTo = isDirectMessage ? `user:${message.user}` : `channel:${message.channel}`;
-    const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
-        .map((entry) => entry?.trim())
-        .filter((entry) => Boolean(entry))
-        .filter((entry, index, list) => list.indexOf(entry) === index)
-        .join("\n");
-    const systemPromptParts = [
-        channelDescription ? `Channel description: ${channelDescription}` : null,
-        channelConfig?.systemPrompt?.trim() || null,
-    ].filter((entry) => Boolean(entry));
-    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+    // SECURITY: Do NOT include channel topic/purpose in system prompt
+    // Channel metadata is user-controlled and can cause prompt injection
+    // Only include channelConfig.systemPrompt (admin-controlled)
+    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
     let threadStarterBody;
     let threadLabel;
     let threadStarterMedia = null;

package/dist/slack/monitor/slash.js

@@ -288,16 +288,10 @@ export function registerSlackMonitorSlashCommands(params) {
                     id: isDirectMessage ? command.user_id : command.channel_id,
                 },
             });
-            const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
-                .map((entry) => entry?.trim())
-                .filter((entry) => Boolean(entry))
-                .filter((entry, index, list) => list.indexOf(entry) === index)
-                .join("\n");
-            const systemPromptParts = [
-                channelDescription ? `Channel description: ${channelDescription}` : null,
-                channelConfig?.systemPrompt?.trim() || null,
-            ].filter((entry) => Boolean(entry));
-            const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
+            // SECURITY: Do NOT include channel topic/purpose in system prompt
+            // Channel metadata is user-controlled and can cause prompt injection
+            // Only include channelConfig.systemPrompt (admin-controlled)
+            const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
             const ctxPayload = finalizeInboundContext({
                 Body: prompt,
                 RawBody: prompt,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poolzin/pool-bot",
-  "version": "2026.1.34",
+  "version": "2026.1.35",
   "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
   "type": "module",
   "main": "dist/index.js",
@@ -76,12 +76,81 @@
     "dist/pairing/**",
     "dist/whatsapp/**"
   ],
+  "scripts": {
+    "dev": "node scripts/run-node.mjs",
+    "postinstall": "node scripts/postinstall.js",
+    "prepack": "pnpm build && pnpm ui:build",
+    "docs:list": "node scripts/docs-list.js",
+    "docs:bin": "node scripts/build-docs-list.mjs",
+    "docs:dev": "cd docs && mint dev",
+    "docs:build": "cd docs && pnpm dlx --reporter append-only mint broken-links",
+    "build": "tsc -p tsconfig.json && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/write-build-info.ts",
+    "plugins:sync": "node --import tsx scripts/sync-plugin-versions.ts",
+    "release:check": "node --import tsx scripts/release-check.ts",
+    "ui:install": "node scripts/ui.js install",
+    "ui:dev": "node scripts/ui.js dev",
+    "ui:build": "node scripts/ui.js build",
+    "start": "node scripts/run-node.mjs",
+    "poolbot": "node scripts/run-node.mjs",
+    "gateway:watch": "node scripts/watch-node.mjs gateway --force",
+    "gateway:dev": "CLAWDBOT_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway",
+    "gateway:dev:reset": "CLAWDBOT_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway --reset",
+    "tui": "node scripts/run-node.mjs tui",
+    "tui:dev": "CLAWDBOT_PROFILE=dev node scripts/run-node.mjs tui",
+    "poolbot:rpc": "node scripts/run-node.mjs agent --mode rpc --json",
+    "ios:gen": "cd apps/ios && xcodegen generate",
+    "ios:open": "cd apps/ios && xcodegen generate && open Moltbot.xcodeproj",
+    "ios:build": "bash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project Moltbot.xcodeproj -scheme Moltbot -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build'",
+    "ios:run": "bash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project Moltbot.xcodeproj -scheme Moltbot -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build && xcrun simctl boot \"${IOS_SIM:-iPhone 17}\" || true && xcrun simctl launch booted com.poolbot.ios'",
+    "android:assemble": "cd apps/android && ./gradlew :app:assembleDebug",
+    "android:install": "cd apps/android && ./gradlew :app:installDebug",
+    "android:run": "cd apps/android && ./gradlew :app:installDebug && adb shell am start -n com.poolbot.android/.MainActivity",
+    "android:test": "cd apps/android && ./gradlew :app:testDebugUnitTest",
+    "mac:restart": "bash scripts/restart-mac.sh",
+    "mac:package": "bash scripts/package-mac-app.sh",
+    "mac:open": "open dist/Moltbot.app",
+    "lint": "oxlint --type-aware src test",
+    "lint:swift": "swiftlint lint --config .swiftlint.yml && (cd apps/ios && swiftlint lint --config .swiftlint.yml)",
+    "lint:all": "pnpm lint && pnpm lint:swift",
+    "lint:fix": "pnpm format:fix && oxlint --type-aware --fix src test",
+    "format": "oxfmt --check src test",
+    "format:swift": "swiftformat --lint --config .swiftformat apps/macos/Sources apps/ios/Sources apps/shared/ClawdbotKit/Sources",
+    "format:all": "pnpm format && pnpm format:swift",
+    "format:fix": "oxfmt --write src test",
+    "test": "node scripts/test-parallel.mjs",
+    "test:watch": "vitest",
+    "test:ui": "pnpm --dir ui test",
+    "test:force": "node --import tsx scripts/test-force.ts",
+    "test:coverage": "vitest run --coverage",
+    "test:e2e": "vitest run --config vitest.e2e.config.ts",
+    "test:live": "CLAWDBOT_LIVE_TEST=1 vitest run --config vitest.live.config.ts",
+    "test:docker:onboard": "bash scripts/e2e/onboard-docker.sh",
+    "test:docker:gateway-network": "bash scripts/e2e/gateway-network-docker.sh",
+    "test:docker:live-models": "bash scripts/test-live-models-docker.sh",
+    "test:docker:live-gateway": "bash scripts/test-live-gateway-models-docker.sh",
+    "test:docker:qr": "bash scripts/e2e/qr-import-docker.sh",
+    "test:docker:doctor-switch": "bash scripts/e2e/doctor-install-switch-docker.sh",
+    "test:docker:plugins": "bash scripts/e2e/plugins-docker.sh",
+    "test:docker:cleanup": "bash scripts/test-cleanup-docker.sh",
+    "test:docker:all": "pnpm test:docker:live-models && pnpm test:docker:live-gateway && pnpm test:docker:onboard && pnpm test:docker:gateway-network && pnpm test:docker:qr && pnpm test:docker:doctor-switch && pnpm test:docker:plugins && pnpm test:docker:cleanup",
+    "test:all": "pnpm lint && pnpm build && pnpm test && pnpm test:e2e && pnpm test:live && pnpm test:docker:all",
+    "test:install:e2e": "bash scripts/test-install-sh-e2e-docker.sh",
+    "test:install:smoke": "bash scripts/test-install-sh-docker.sh",
+    "test:install:e2e:openai": "CLAWDBOT_E2E_MODELS=openai bash scripts/test-install-sh-e2e-docker.sh",
+    "test:install:e2e:anthropic": "CLAWDBOT_E2E_MODELS=anthropic bash scripts/test-install-sh-e2e-docker.sh",
+    "protocol:gen": "node --import tsx scripts/protocol-gen.ts",
+    "protocol:gen:swift": "node --import tsx scripts/protocol-gen-swift.ts",
+    "protocol:check": "pnpm protocol:gen && pnpm protocol:gen:swift && git diff --exit-code -- dist/protocol.schema.json apps/macos/Sources/ClawdbotProtocol/GatewayModels.swift",
+    "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh",
+    "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500"
+  },
   "keywords": [],
   "author": "João Vitor Cunha <jvsantos.cunha@gmail.com>",
   "license": "MIT",
   "engines": {
     "node": ">=22.12.0"
   },
+  "packageManager": "pnpm@10.23.0",
   "dependencies": {
     "@agentclientprotocol/sdk": "0.13.1",
     "@aws-sdk/client-bedrock": "^3.975.0",
@@ -173,6 +242,14 @@
   "overrides": {
     "tar": "7.5.4"
   },
+  "pnpm": {
+    "minimumReleaseAge": 2880,
+    "overrides": {
+      "@sinclair/typebox": "0.34.47",
+      "hono": "4.11.4",
+      "tar": "7.5.4"
+    }
+  },
   "vitest": {
     "coverage": {
       "provider": "v8",
@@ -204,72 +281,5 @@
       "apps/macos/.build/**",
       "dist/Moltbot.app/**"
     ]
-  },
-  "scripts": {
-    "dev": "node scripts/run-node.mjs",
-    "postinstall": "node scripts/postinstall.js",
-    "docs:list": "node scripts/docs-list.js",
-    "docs:bin": "node scripts/build-docs-list.mjs",
-    "docs:dev": "cd docs && mint dev",
-    "docs:build": "cd docs && pnpm dlx --reporter append-only mint broken-links",
-    "build": "tsc -p tsconfig.json && node --import tsx scripts/canvas-a2ui-copy.ts && node --import tsx scripts/copy-hook-metadata.ts && node --import tsx scripts/write-build-info.ts",
-    "plugins:sync": "node --import tsx scripts/sync-plugin-versions.ts",
-    "release:check": "node --import tsx scripts/release-check.ts",
-    "ui:install": "node scripts/ui.js install",
-    "ui:dev": "node scripts/ui.js dev",
-    "ui:build": "node scripts/ui.js build",
-    "start": "node scripts/run-node.mjs",
-    "poolbot": "node scripts/run-node.mjs",
-    "gateway:watch": "node scripts/watch-node.mjs gateway --force",
-    "gateway:dev": "CLAWDBOT_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway",
-    "gateway:dev:reset": "CLAWDBOT_SKIP_CHANNELS=1 node scripts/run-node.mjs --dev gateway --reset",
-    "tui": "node scripts/run-node.mjs tui",
-    "tui:dev": "CLAWDBOT_PROFILE=dev node scripts/run-node.mjs tui",
-    "poolbot:rpc": "node scripts/run-node.mjs agent --mode rpc --json",
-    "ios:gen": "cd apps/ios && xcodegen generate",
-    "ios:open": "cd apps/ios && xcodegen generate && open Moltbot.xcodeproj",
-    "ios:build": "bash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project Moltbot.xcodeproj -scheme Moltbot -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build'",
-    "ios:run": "bash -lc 'cd apps/ios && xcodegen generate && xcodebuild -project Moltbot.xcodeproj -scheme Moltbot -destination \"${IOS_DEST:-platform=iOS Simulator,name=iPhone 17}\" -configuration Debug build && xcrun simctl boot \"${IOS_SIM:-iPhone 17}\" || true && xcrun simctl launch booted com.poolbot.ios'",
-    "android:assemble": "cd apps/android && ./gradlew :app:assembleDebug",
-    "android:install": "cd apps/android && ./gradlew :app:installDebug",
-    "android:run": "cd apps/android && ./gradlew :app:installDebug && adb shell am start -n com.poolbot.android/.MainActivity",
-    "android:test": "cd apps/android && ./gradlew :app:testDebugUnitTest",
-    "mac:restart": "bash scripts/restart-mac.sh",
-    "mac:package": "bash scripts/package-mac-app.sh",
-    "mac:open": "open dist/Moltbot.app",
-    "lint": "oxlint --type-aware src test",
-    "lint:swift": "swiftlint lint --config .swiftlint.yml && (cd apps/ios && swiftlint lint --config .swiftlint.yml)",
-    "lint:all": "pnpm lint && pnpm lint:swift",
-    "lint:fix": "pnpm format:fix && oxlint --type-aware --fix src test",
-    "format": "oxfmt --check src test",
-    "format:swift": "swiftformat --lint --config .swiftformat apps/macos/Sources apps/ios/Sources apps/shared/ClawdbotKit/Sources",
-    "format:all": "pnpm format && pnpm format:swift",
-    "format:fix": "oxfmt --write src test",
-    "test": "node scripts/test-parallel.mjs",
-    "test:watch": "vitest",
-    "test:ui": "pnpm --dir ui test",
-    "test:force": "node --import tsx scripts/test-force.ts",
-    "test:coverage": "vitest run --coverage",
-    "test:e2e": "vitest run --config vitest.e2e.config.ts",
-    "test:live": "CLAWDBOT_LIVE_TEST=1 vitest run --config vitest.live.config.ts",
-    "test:docker:onboard": "bash scripts/e2e/onboard-docker.sh",
-    "test:docker:gateway-network": "bash scripts/e2e/gateway-network-docker.sh",
-    "test:docker:live-models": "bash scripts/test-live-models-docker.sh",
-    "test:docker:live-gateway": "bash scripts/test-live-gateway-models-docker.sh",
-    "test:docker:qr": "bash scripts/e2e/qr-import-docker.sh",
-    "test:docker:doctor-switch": "bash scripts/e2e/doctor-install-switch-docker.sh",
-    "test:docker:plugins": "bash scripts/e2e/plugins-docker.sh",
-    "test:docker:cleanup": "bash scripts/test-cleanup-docker.sh",
-    "test:docker:all": "pnpm test:docker:live-models && pnpm test:docker:live-gateway && pnpm test:docker:onboard && pnpm test:docker:gateway-network && pnpm test:docker:qr && pnpm test:docker:doctor-switch && pnpm test:docker:plugins && pnpm test:docker:cleanup",
-    "test:all": "pnpm lint && pnpm build && pnpm test && pnpm test:e2e && pnpm test:live && pnpm test:docker:all",
-    "test:install:e2e": "bash scripts/test-install-sh-e2e-docker.sh",
-    "test:install:smoke": "bash scripts/test-install-sh-docker.sh",
-    "test:install:e2e:openai": "CLAWDBOT_E2E_MODELS=openai bash scripts/test-install-sh-e2e-docker.sh",
-    "test:install:e2e:anthropic": "CLAWDBOT_E2E_MODELS=anthropic bash scripts/test-install-sh-e2e-docker.sh",
-    "protocol:gen": "node --import tsx scripts/protocol-gen.ts",
-    "protocol:gen:swift": "node --import tsx scripts/protocol-gen-swift.ts",
-    "protocol:check": "pnpm protocol:gen && pnpm protocol:gen:swift && git diff --exit-code -- dist/protocol.schema.json apps/macos/Sources/ClawdbotProtocol/GatewayModels.swift",
-    "canvas:a2ui:bundle": "bash scripts/bundle-a2ui.sh",
-    "check:loc": "node --import tsx scripts/check-ts-max-loc.ts --max 500"
   }
-}
+}