@poolzin/pool-bot 2026.1.38 → 2026.1.39

package/CHANGELOG.md

@@ -1,112 +1,14 @@
-# Changelog
+## v2026.1.39 (2026-02-07)
 
-All notable changes to Pool Bot will be documented in this file.
+### Security
+- Upgrade `tar` from 7.5.4 → 7.5.7 fixing 4 high-severity vulnerabilities
+  - Arbitrary File Overwrite via Symlink Poisoning (GHSA-8qq5-rm4j-mr97)
+  - Race Condition via Unicode Ligature Collisions on macOS APFS (GHSA-r6q2-hw4h-h46w)
+  - Arbitrary File Creation/Overwrite via Hardlink Path Traversal (GHSA-34x7-hfp2-rc4v)
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [2026.1.38] - 2026-02-07
-
-### 🔒 Security: Bump hono to fix 4 moderate CVEs
-
-- **hono 4.11.4 → 4.11.8** — fixes GHSA-9r54-q6cx-xmh5 (XSS via ErrorBoundary), GHSA-6wqw-2p9w-4vw4 (cache middleware ignores Cache-Control: private), GHSA-r354-f388-2fhh (IPv4 validation bypass in IP restriction middleware), GHSA-w332-q679-j88p (arbitrary key read in serve-static Cloudflare adapter).
-- npm audit: 10 → 6 vulnerabilities (4 moderate hono CVEs eliminated).
-
----
-
-## [2026.1.37] - 2026-02-07
-
-### 🔒 Security: Remove node-llama-cpp, fix tar vulnerability
-
-#### Vulnerabilities Fixed
-- **tar ≤7.5.6 (5× HIGH):** Removed `node-llama-cpp` from `optionalDependencies`, eliminating the entire `tar → cmake-js → node-llama-cpp` vulnerability chain. Updated `tar` override from 7.5.4 → 7.5.7.
-
-#### Changes
-- Removed `node-llama-cpp` 3.15.0 from `optionalDependencies` (matching upstream openclaw approach). Local embeddings still work if users install `node-llama-cpp` manually — the dynamic `import()` fallback to OpenAI/Gemini remains unchanged.
-- Fixed `extensions/memory-core/package.json` — added `poolbot` as `devDependency` to resolve `pnpm install` failure from `autoInstallPeers`.
-- Lockfile: removed ~1,300 lines of native dependency entries (`node-llama-cpp`, `cmake-js`, `@node-llama-cpp/*` platform binaries).
-
-#### Impact
-- npm audit: 15 → 10 vulnerabilities (5 high eliminated)
-- Install size reduced (no more cmake-js + native compilation toolchain)
-- Zero code changes — all source files unchanged; only dependency configuration
-
----
-
-## [2026.1.35] - 2026-02-06
-
-### 📦 Stability Snapshot
-
-**Release Type:** Pre-enhancement checkpoint
-
-#### Summary
-This release is a stable checkpoint before implementing local memory search enhancements.
-
-#### Changes
-- **Version bump:** 2026.1.30 → 2026.1.35
-- **Repository sync:** All repositories clean and synchronized
-- **Backup verification:** Complete backup of configurations and state
-
-#### Technical Details
-- Package: @poolzin/pool-bot
-- Node.js: v22.22.0 compatible
-- Backup: /root/poolbot-backup-20260206-130344.tar.gz (35MB)
-
-#### Next Steps (Post-Release)
-- Implement Ollama integration for local memory_search
-- Complete QMD embeddings (220 pending → 0)
-- Remove auto-study skill (user-managed cron)
-- Enhance memory architecture with local embeddings
-
-#### Maintenance
-- All repositories verified clean
-- Git states documented
-- Gateway status captured
-
----
-
-## v2026.1.30 (2026-02-05)
-
-### 🔒 Security Release - CRITICAL VULNERABILITY FIXES
-
-#### Critical Vulnerabilities Fixed 🔴
-- **Gateway URL Override (CVE-level):** Prevent credential leakage via malicious gateway redirects
-  - Added `validateGatewayUrlSecurity()` requiring explicit token confirmation for custom URLs
-  - Custom URLs now require 32+ character tokens
-  - Validation applied in `src/gateway/client.ts` before connection
-
-- **Discord Prompt Injection (HIGH):** Block arbitrary command injection via channel.topic
-  - Removed `channel.topic` from system prompts in `src/discord/monitor/message-handler.process.ts`
-  - Only admin-controlled metadata is now included
-  - Prevents users with edit permissions from manipulating agent behavior
-
-- **Slack Prompt Injection (HIGH):** Block arbitrary command injection via topic/purpose
-  - Removed `channel.topic` and `channel.purpose` from system prompts
-  - Fixed in `src/slack/monitor/message-handler/prepare.ts` and `src/slack/monitor/slash.ts`
-  - Same attack vector as Discord, now mitigated
-
-#### Security Features Added ✅
-- **Tool Gating System:** Owner-only access to sensitive tools
-  - `validateToolAccess()` function in `src/agents/tool-security.ts`
-  - Protected tools: `whatsapp_login`, `gateway`, `cron`, `sessions_spawn`
-  - Configurable via `security.owners` in poolbot.json
-
-- **Security Utilities:** Prevention and validation functions
-  - Path sanitization utilities in `src/media/path-sanitization.ts`
-  - URL validation in `src/gateway/url-validation.ts`
-  - Security config schema in `src/config/types.security.ts`
-
-#### Documentation
-- **New:** `SECURITY.md` - Complete security policy and vulnerability disclosure
-- Breaking changes documented
-- Security best practices for users and developers
-- Reporting guidelines for security issues
-
-#### Credits
-- Security improvements inspired by [OpenClaw](https://github.com/openclaw/openclaw) security hardening
-- Internal security audit based on OpenClaw v2026.2.4 analysis
-
-**UPGRADE RECOMMENDED:** All users should upgrade to v2026.1.30 due to critical security fixes.
+### Maintenance
+- Reset repository to stable baseline (9ddc7fcec)
+- Remove 52 experimental/unstable commits (PME, tool-usage, progressive-disclosure, security-phase2)
 
 ---
 

package/dist/agents/tools/memory-tool.js

@@ -32,7 +32,6 @@ export function createMemorySearchTool(options) {
             const query = readStringParam(params, "query", { required: true });
             const maxResults = readNumberParam(params, "maxResults");
             const minScore = readNumberParam(params, "minScore");
-            // Legacy memory search system (PME removed 2026-02-03)
             const { manager, error } = await getMemorySearchManager({
                 cfg,
                 agentId,
@@ -56,7 +55,7 @@ export function createMemorySearchTool(options) {
             }
             catch (err) {
                 const message = err instanceof Error ? err.message : String(err);
-                return jsonResult({ results: [], error: message });
+                return jsonResult({ results: [], disabled: true, error: message });
             }
         },
     };

package/dist/agents/workspace.js

@@ -208,11 +208,7 @@ export async function loadWorkspaceBootstrapFiles(dir) {
             filePath: path.join(resolvedDir, DEFAULT_BOOTSTRAP_FILENAME),
         },
     ];
-    // MEMORY.md is deliberately NOT loaded as a bootstrap file.
-    // Per AGENTS.md guidance: "use memory_search() on demand when user asks about past"
-    // This prevents ~9.8K tokens (~52.7% of bootstrap) from being injected into every conversation.
-    // MEMORY.md remains accessible via the memory_search tool when needed.
-    // entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
+    entries.push(...(await resolveMemoryBootstrapEntries(resolvedDir)));
     const result = [];
     for (const entry of entries) {
         try {

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "2026.1.38",
-  "commit": "81a36d3e7fbb666876601f4843b977bdde5ddad5",
-  "builtAt": "2026-02-07T23:11:04.554Z"
+  "version": "2026.1.39",
+  "commit": "b6e9117bb588f8f07674dcbde4d25fdf40029bdb",
+  "builtAt": "2026-02-08T02:56:35.333Z"
 }

package/dist/channels/plugins/agent-tools/whatsapp-login.js

@@ -1,14 +1,5 @@
 import { Type } from "@sinclair/typebox";
-import { validateToolAccessResponse } from "../../../agents/tool-security-helpers.js";
-/**
- * Create WhatsApp Login tool
- *
- * SECURITY: This tool is restricted to owners only.
- * Unauthorized access could allow hijacking the WhatsApp instance.
- *
- * @param config - Optional Pool Bot config for security validation
- */
-export function createWhatsAppLoginTool(config) {
+export function createWhatsAppLoginTool() {
     return {
         label: "WhatsApp Login",
         name: "whatsapp_login",
@@ -24,13 +15,6 @@ export function createWhatsAppLoginTool(config) {
             force: Type.Optional(Type.Boolean()),
         }),
         execute: async (_toolCallId, args) => {
-            // SECURITY: Validate owner access
-            // NOTE: sender context integration is pending. For now, sensitive tools
-            // are denied unless explicitly configured with owners list.
-            // TODO: Integrate sender context from session/channel
-            const denied = validateToolAccessResponse("whatsapp_login", config, undefined);
-            if (denied)
-                return denied;
             const { startWebLoginWithQr, waitForWebLogin } = await import("../../../web/login-qr.js");
             const action = args?.action ?? "start";
             if (action === "wait") {

package/dist/commands/doctor-state-integrity.js

@@ -3,7 +3,7 @@ import os from "node:os";
 import path from "node:path";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { resolveOAuthDir, resolveStateDir } from "../config/paths.js";
-import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptPath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
+import { loadSessionStore, resolveMainSessionKey, resolveSessionFilePath, resolveSessionTranscriptsDirForAgent, resolveStorePath, } from "../config/sessions.js";
 import { note } from "../terminal/note.js";
 import { shortenHomePath } from "../utils.js";
 function existsDir(dir) {
@@ -291,19 +291,7 @@ export async function noteStateIntegrity(cfg, prompter, configPath) {
             const transcriptPath = resolveSessionFilePath(sessionId, entry, {
                 agentId,
             });
-            // Fix: Verificar se o arquivo existe antes de declarar "missing"
-            // Se o arquivo não existe no path esperado, verificar também o path alternativo
-            if (!existsFile(transcriptPath)) {
-                // Tentar verificar se o arquivo existe com o path alternativo (sem sessionFile)
-                const altPath = resolveSessionTranscriptPath(sessionId, agentId);
-                if (existsFile(altPath)) {
-                    // Arquivo existe em path alternativo - atualizar entry se necessário
-                    return false;
-                }
-                // Arquivo realmente não existe em nenhum path
-                return true;
-            }
-            return false;
+            return !existsFile(transcriptPath);
         });
         if (missing.length > 0) {
             warnings.push(`- ${missing.length}/${recent.length} recent sessions are missing transcripts. Check for deleted session files or split state dirs.`);

package/dist/config/types.js

@@ -20,7 +20,6 @@ export * from "./types.msteams.js";
 export * from "./types.plugins.js";
 export * from "./types.queue.js";
 export * from "./types.sandbox.js";
-export * from "./types.security.js";
 export * from "./types.signal.js";
 export * from "./types.skills.js";
 export * from "./types.slack.js";

package/dist/config/zod-schema.js

@@ -436,12 +436,6 @@ export const PoolBotSchema = z
     })
         .strict()
         .optional(),
-    security: z
-        .object({
-        owners: z.array(z.string()).optional(),
-    })
-        .strict()
-        .optional(),
     skills: z
         .object({
         allowBundled: z.array(z.string()).optional(),

package/dist/discord/monitor/message-handler.process.js

@@ -73,10 +73,12 @@ export async function processDiscordMessage(ctx) {
     const forumContextLine = isForumStarter ? `[Forum parent: #${forumParentSlug}]` : null;
     const groupChannel = isGuildMessage && displayChannelSlug ? `#${displayChannelSlug}` : undefined;
     const groupSubject = isDirectMessage ? undefined : groupChannel;
-    // SECURITY: Do NOT include channel topic/description in system prompt
-    // Channel metadata is user-controlled and can cause prompt injection
-    // Only include channelConfig.systemPrompt (admin-controlled)
-    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
+    const channelDescription = channelInfo?.topic?.trim();
+    const systemPromptParts = [
+        channelDescription ? `Channel topic: ${channelDescription}` : null,
+        channelConfig?.systemPrompt?.trim() || null,
+    ].filter((entry) => Boolean(entry));
+    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
     const storePath = resolveStorePath(cfg.session?.store, {
         agentId: route.agentId,
     });

package/dist/gateway/client.js

@@ -3,7 +3,6 @@ import { WebSocket } from "ws";
 import { normalizeFingerprint } from "../infra/tls/fingerprint.js";
 import { rawDataToString } from "../infra/ws.js";
 import { logDebug, logError } from "../logger.js";
-import { validateGatewayUrlSecurity } from "./url-validation.js";
 import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js";
 import { clearDeviceAuthToken, loadDeviceAuthToken, storeDeviceAuthToken, } from "../infra/device-auth-store.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
@@ -42,19 +41,6 @@ export class GatewayClient {
         if (this.closed)
             return;
         const url = this.opts.url ?? "ws://127.0.0.1:18789";
-        // SECURITY: Validate gateway URL override
-        // Prevents credential leakage via redirects to untrusted gateways
-        try {
-            validateGatewayUrlSecurity({
-                url,
-                token: this.opts.token,
-                requireExplicitToken: this.opts.requireExplicitToken,
-            });
-        }
-        catch (err) {
-            this.opts.onConnectError?.(err instanceof Error ? err : new Error(String(err)));
-            return;
-        }
         if (this.opts.tlsFingerprint && !url.startsWith("wss://")) {
             this.opts.onConnectError?.(new Error("gateway tls fingerprint requires wss:// gateway url"));
             return;

package/dist/gateway/server.impl.js

@@ -27,7 +27,6 @@ import { createExecApprovalHandlers } from "./server-methods/exec-approval.js";
 import { createExecApprovalForwarder } from "../infra/exec-approval-forwarder.js";
 import { createChannelManager } from "./server-channels.js";
 import { createAgentEventHandler } from "./server-chat.js";
-import { startLifecycleHooksIntegration } from "./hooks/lifecycle-hooks-integration.js";
 import { createGatewayCloseHandler } from "./server-close.js";
 import { buildGatewayCronService } from "./server-cron.js";
 import { applyGatewayLaneConcurrency } from "./server-lanes.js";
@@ -264,9 +263,6 @@ export async function startGatewayServer(port = 18789, opts = {}) {
         resolveSessionKeyForRun,
         clearAgentRunContext,
     }));
-    // Lifecycle Hooks Integration (POC Day 1.5)
-    const lifecycleHooksUnsub = startLifecycleHooksIntegration();
-    logHooks.info("Lifecycle hooks integration started");
     const heartbeatUnsub = onHeartbeatEvent((evt) => {
         broadcast("heartbeat", evt, { dropIfSlow: true });
     });

package/dist/memory/index.js

@@ -1,6 +1 @@
-/**
- * Memory Search - Public Exports
- * Legacy system only (PME removed 2026-02-03)
- */
-// Legacy memory search system
 export { getMemorySearchManager } from "./search-manager.js";

package/dist/memory/manager.js

@@ -157,7 +157,6 @@ export class MemoryIndexManager {
             this.sessionWarm.add(key);
     }
     async search(query, opts) {
-        const searchStart = Date.now();
         void this.warmSession(opts?.sessionKey);
         if (this.settings.sync.onSearch && (this.dirty || this.sessionsDirty)) {
             void this.sync({ reason: "search" }).catch((err) => {
@@ -180,17 +179,7 @@ export class MemoryIndexManager {
             ? await this.searchVector(queryVec, candidates).catch(() => [])
             : [];
         if (!hybrid.enabled) {
-            const results = vectorResults.filter((entry) => entry.score >= minScore).slice(0, maxResults);
-            const searchDuration = Date.now() - searchStart;
-            log.debug("memory search performance", {
-                query: cleaned.substring(0, 50),
-                durationMs: searchDuration,
-                resultCount: results.length,
-                provider: this.provider.id,
-                model: this.provider.model,
-                hybrid: false,
-            });
-            return results;
+            return vectorResults.filter((entry) => entry.score >= minScore).slice(0, maxResults);
         }
         const merged = this.mergeHybridResults({
             vector: vectorResults,
@@ -198,19 +187,7 @@ export class MemoryIndexManager {
             vectorWeight: hybrid.vectorWeight,
             textWeight: hybrid.textWeight,
         });
-        const results = merged.filter((entry) => entry.score >= minScore).slice(0, maxResults);
-        const searchDuration = Date.now() - searchStart;
-        log.debug("memory search performance", {
-            query: cleaned.substring(0, 50),
-            durationMs: searchDuration,
-            resultCount: results.length,
-            provider: this.provider.id,
-            model: this.provider.model,
-            hybrid: true,
-            keywordResults: keywordResults.length,
-            vectorResults: vectorResults.length,
-        });
-        return results;
+        return merged.filter((entry) => entry.score >= minScore).slice(0, maxResults);
     }
     async searchVector(queryVec, limit) {
         const results = await searchVector({

package/dist/slack/monitor/message-handler/prepare.js

@@ -350,10 +350,16 @@ export async function prepareSlackMessage(params) {
         });
     }
     const slackTo = isDirectMessage ? `user:${message.user}` : `channel:${message.channel}`;
-    // SECURITY: Do NOT include channel topic/purpose in system prompt
-    // Channel metadata is user-controlled and can cause prompt injection
-    // Only include channelConfig.systemPrompt (admin-controlled)
-    const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
+    const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
+        .map((entry) => entry?.trim())
+        .filter((entry) => Boolean(entry))
+        .filter((entry, index, list) => list.indexOf(entry) === index)
+        .join("\n");
+    const systemPromptParts = [
+        channelDescription ? `Channel description: ${channelDescription}` : null,
+        channelConfig?.systemPrompt?.trim() || null,
+    ].filter((entry) => Boolean(entry));
+    const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
     let threadStarterBody;
     let threadLabel;
     let threadStarterMedia = null;

package/dist/slack/monitor/slash.js

@@ -288,10 +288,16 @@ export function registerSlackMonitorSlashCommands(params) {
                     id: isDirectMessage ? command.user_id : command.channel_id,
                 },
             });
-            // SECURITY: Do NOT include channel topic/purpose in system prompt
-            // Channel metadata is user-controlled and can cause prompt injection
-            // Only include channelConfig.systemPrompt (admin-controlled)
-            const groupSystemPrompt = channelConfig?.systemPrompt?.trim() || undefined;
+            const channelDescription = [channelInfo?.topic, channelInfo?.purpose]
+                .map((entry) => entry?.trim())
+                .filter((entry) => Boolean(entry))
+                .filter((entry, index, list) => list.indexOf(entry) === index)
+                .join("\n");
+            const systemPromptParts = [
+                channelDescription ? `Channel description: ${channelDescription}` : null,
+                channelConfig?.systemPrompt?.trim() || null,
+            ].filter((entry) => Boolean(entry));
+            const groupSystemPrompt = systemPromptParts.length > 0 ? systemPromptParts.join("\n\n") : undefined;
             const ctxPayload = finalizeInboundContext({
                 Body: prompt,
                 RawBody: prompt,

package/extensions/memory-core/package.json

@@ -8,9 +8,6 @@
       "./index.ts"
     ]
   },
-  "devDependencies": {
-    "poolbot": "workspace:*"
-  },
   "peerDependencies": {
     "poolbot": ">=2026.1.26"
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poolzin/pool-bot",
-  "version": "2026.1.38",
+  "version": "2026.1.39",
   "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
   "type": "module",
   "main": "dist/index.js",
@@ -184,7 +184,7 @@
     "express": "^5.2.1",
     "file-type": "^21.3.0",
     "grammy": "^1.39.3",
-    "hono": "4.11.8",
+    "hono": "4.11.4",
     "jiti": "^2.6.1",
     "json5": "^2.2.3",
     "jszip": "^3.10.1",
@@ -207,7 +207,8 @@
     "zod": "^4.3.6"
   },
   "optionalDependencies": {
-    "@napi-rs/canvas": "^0.1.88"
+    "@napi-rs/canvas": "^0.1.88",
+    "node-llama-cpp": "3.15.0"
   },
   "devDependencies": {
     "@grammyjs/types": "^3.23.0",
@@ -245,7 +246,7 @@
     "minimumReleaseAge": 2880,
     "overrides": {
       "@sinclair/typebox": "0.34.47",
-      "hono": "4.11.8",
+      "hono": "4.11.4",
       "tar": "7.5.7"
     }
   },