@poolzin/pool-bot 2026.2.0 → 2026.2.2

package/dist/security/skill-scanner.js

@@ -0,0 +1,330 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { hasErrnoCode } from "../infra/errors.js";
+// ---------------------------------------------------------------------------
+// Scannable extensions
+// ---------------------------------------------------------------------------
+const SCANNABLE_EXTENSIONS = new Set([
+    ".js",
+    ".ts",
+    ".mjs",
+    ".cjs",
+    ".mts",
+    ".cts",
+    ".jsx",
+    ".tsx",
+]);
+const DEFAULT_MAX_SCAN_FILES = 500;
+const DEFAULT_MAX_FILE_BYTES = 1024 * 1024;
+export function isScannable(filePath) {
+    return SCANNABLE_EXTENSIONS.has(path.extname(filePath).toLowerCase());
+}
+const LINE_RULES = [
+    {
+        ruleId: "dangerous-exec",
+        severity: "critical",
+        message: "Shell command execution detected (child_process)",
+        pattern: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/,
+        requiresContext: /child_process/,
+    },
+    {
+        ruleId: "dynamic-code-execution",
+        severity: "critical",
+        message: "Dynamic code execution detected",
+        pattern: /\beval\s*\(|new\s+Function\s*\(/,
+    },
+    {
+        ruleId: "crypto-mining",
+        severity: "critical",
+        message: "Possible crypto-mining reference detected",
+        pattern: /stratum\+tcp|stratum\+ssl|coinhive|cryptonight|xmrig/i,
+    },
+    {
+        ruleId: "suspicious-network",
+        severity: "warn",
+        message: "WebSocket connection to non-standard port",
+        pattern: /new\s+WebSocket\s*\(\s*["']wss?:\/\/[^"']*:(\d+)/,
+    },
+];
+const STANDARD_PORTS = new Set([80, 443, 8080, 8443, 3000]);
+const SOURCE_RULES = [
+    {
+        ruleId: "potential-exfiltration",
+        severity: "warn",
+        message: "File read combined with network send — possible data exfiltration",
+        pattern: /readFileSync|readFile/,
+        requiresContext: /\bfetch\b|\bpost\b|http\.request/i,
+    },
+    {
+        ruleId: "obfuscated-code",
+        severity: "warn",
+        message: "Hex-encoded string sequence detected (possible obfuscation)",
+        pattern: /(\\x[0-9a-fA-F]{2}){6,}/,
+    },
+    {
+        ruleId: "obfuscated-code",
+        severity: "warn",
+        message: "Large base64 payload with decode call detected (possible obfuscation)",
+        pattern: /(?:atob|Buffer\.from)\s*\(\s*["'][A-Za-z0-9+/=]{200,}["']/,
+    },
+    {
+        ruleId: "env-harvesting",
+        severity: "critical",
+        message: "Environment variable access combined with network send — possible credential harvesting",
+        pattern: /process\.env/,
+        requiresContext: /\bfetch\b|\bpost\b|http\.request/i,
+    },
+];
+// ---------------------------------------------------------------------------
+// Core scanner
+// ---------------------------------------------------------------------------
+function truncateEvidence(evidence, maxLen = 120) {
+    if (evidence.length <= maxLen) {
+        return evidence;
+    }
+    return `${evidence.slice(0, maxLen)}…`;
+}
+export function scanSource(source, filePath) {
+    const findings = [];
+    const lines = source.split("\n");
+    const matchedLineRules = new Set();
+    // --- Line rules ---
+    for (const rule of LINE_RULES) {
+        if (matchedLineRules.has(rule.ruleId)) {
+            continue;
+        }
+        // Skip rule entirely if context requirement not met
+        if (rule.requiresContext && !rule.requiresContext.test(source)) {
+            continue;
+        }
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const match = rule.pattern.exec(line);
+            if (!match) {
+                continue;
+            }
+            // Special handling for suspicious-network: check port
+            if (rule.ruleId === "suspicious-network") {
+                const port = parseInt(match[1], 10);
+                if (STANDARD_PORTS.has(port)) {
+                    continue;
+                }
+            }
+            findings.push({
+                ruleId: rule.ruleId,
+                severity: rule.severity,
+                file: filePath,
+                line: i + 1,
+                message: rule.message,
+                evidence: truncateEvidence(line.trim()),
+            });
+            matchedLineRules.add(rule.ruleId);
+            break; // one finding per line-rule per file
+        }
+    }
+    // --- Source rules ---
+    const matchedSourceRules = new Set();
+    for (const rule of SOURCE_RULES) {
+        // Allow multiple findings for different messages with the same ruleId
+        // but deduplicate exact (ruleId+message) combos
+        const ruleKey = `${rule.ruleId}::${rule.message}`;
+        if (matchedSourceRules.has(ruleKey)) {
+            continue;
+        }
+        if (!rule.pattern.test(source)) {
+            continue;
+        }
+        if (rule.requiresContext && !rule.requiresContext.test(source)) {
+            continue;
+        }
+        // Find the first matching line for evidence + line number
+        let matchLine = 0;
+        let matchEvidence = "";
+        for (let i = 0; i < lines.length; i++) {
+            if (rule.pattern.test(lines[i])) {
+                matchLine = i + 1;
+                matchEvidence = lines[i].trim();
+                break;
+            }
+        }
+        // For source rules, if we can't find a line match the pattern might span
+        // lines. Report line 0 with truncated source as evidence.
+        if (matchLine === 0) {
+            matchLine = 1;
+            matchEvidence = source.slice(0, 120);
+        }
+        findings.push({
+            ruleId: rule.ruleId,
+            severity: rule.severity,
+            file: filePath,
+            line: matchLine,
+            message: rule.message,
+            evidence: truncateEvidence(matchEvidence),
+        });
+        matchedSourceRules.add(ruleKey);
+    }
+    return findings;
+}
+// ---------------------------------------------------------------------------
+// Directory scanner
+// ---------------------------------------------------------------------------
+function normalizeScanOptions(opts) {
+    return {
+        includeFiles: opts?.includeFiles ?? [],
+        maxFiles: Math.max(1, opts?.maxFiles ?? DEFAULT_MAX_SCAN_FILES),
+        maxFileBytes: Math.max(1, opts?.maxFileBytes ?? DEFAULT_MAX_FILE_BYTES),
+    };
+}
+function isPathInside(basePath, candidatePath) {
+    const base = path.resolve(basePath);
+    const candidate = path.resolve(candidatePath);
+    const rel = path.relative(base, candidate);
+    return rel === "" || (!rel.startsWith(`..${path.sep}`) && rel !== ".." && !path.isAbsolute(rel));
+}
+async function walkDirWithLimit(dirPath, maxFiles) {
+    const files = [];
+    const stack = [dirPath];
+    while (stack.length > 0 && files.length < maxFiles) {
+        const currentDir = stack.pop();
+        if (!currentDir) {
+            break;
+        }
+        const entries = await fs.readdir(currentDir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (files.length >= maxFiles) {
+                break;
+            }
+            // Skip hidden dirs and node_modules
+            if (entry.name.startsWith(".") || entry.name === "node_modules") {
+                continue;
+            }
+            const fullPath = path.join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                stack.push(fullPath);
+            }
+            else if (isScannable(entry.name)) {
+                files.push(fullPath);
+            }
+        }
+    }
+    return files;
+}
+async function resolveForcedFiles(params) {
+    if (params.includeFiles.length === 0) {
+        return [];
+    }
+    const seen = new Set();
+    const out = [];
+    for (const rawIncludePath of params.includeFiles) {
+        const includePath = path.resolve(params.rootDir, rawIncludePath);
+        if (!isPathInside(params.rootDir, includePath)) {
+            continue;
+        }
+        if (!isScannable(includePath)) {
+            continue;
+        }
+        if (seen.has(includePath)) {
+            continue;
+        }
+        let st = null;
+        try {
+            st = await fs.stat(includePath);
+        }
+        catch (err) {
+            if (hasErrnoCode(err, "ENOENT")) {
+                continue;
+            }
+            throw err;
+        }
+        if (!st?.isFile()) {
+            continue;
+        }
+        out.push(includePath);
+        seen.add(includePath);
+    }
+    return out;
+}
+async function collectScannableFiles(dirPath, opts) {
+    const forcedFiles = await resolveForcedFiles({
+        rootDir: dirPath,
+        includeFiles: opts.includeFiles,
+    });
+    if (forcedFiles.length >= opts.maxFiles) {
+        return forcedFiles.slice(0, opts.maxFiles);
+    }
+    const walkedFiles = await walkDirWithLimit(dirPath, opts.maxFiles);
+    const seen = new Set(forcedFiles.map((f) => path.resolve(f)));
+    const out = [...forcedFiles];
+    for (const walkedFile of walkedFiles) {
+        if (out.length >= opts.maxFiles) {
+            break;
+        }
+        const resolved = path.resolve(walkedFile);
+        if (seen.has(resolved)) {
+            continue;
+        }
+        out.push(walkedFile);
+        seen.add(resolved);
+    }
+    return out;
+}
+async function readScannableSource(filePath, maxFileBytes) {
+    let st = null;
+    try {
+        st = await fs.stat(filePath);
+    }
+    catch (err) {
+        if (hasErrnoCode(err, "ENOENT")) {
+            return null;
+        }
+        throw err;
+    }
+    if (!st?.isFile() || st.size > maxFileBytes) {
+        return null;
+    }
+    try {
+        return await fs.readFile(filePath, "utf-8");
+    }
+    catch (err) {
+        if (hasErrnoCode(err, "ENOENT")) {
+            return null;
+        }
+        throw err;
+    }
+}
+export async function scanDirectory(dirPath, opts) {
+    const scanOptions = normalizeScanOptions(opts);
+    const files = await collectScannableFiles(dirPath, scanOptions);
+    const allFindings = [];
+    for (const file of files) {
+        const source = await readScannableSource(file, scanOptions.maxFileBytes);
+        if (source == null) {
+            continue;
+        }
+        const findings = scanSource(source, file);
+        allFindings.push(...findings);
+    }
+    return allFindings;
+}
+export async function scanDirectoryWithSummary(dirPath, opts) {
+    const scanOptions = normalizeScanOptions(opts);
+    const files = await collectScannableFiles(dirPath, scanOptions);
+    const allFindings = [];
+    let scannedFiles = 0;
+    for (const file of files) {
+        const source = await readScannableSource(file, scanOptions.maxFileBytes);
+        if (source == null) {
+            continue;
+        }
+        scannedFiles += 1;
+        const findings = scanSource(source, file);
+        allFindings.push(...findings);
+    }
+    return {
+        scannedFiles,
+        critical: allFindings.filter((f) => f.severity === "critical").length,
+        warn: allFindings.filter((f) => f.severity === "warn").length,
+        info: allFindings.filter((f) => f.severity === "info").length,
+        findings: allFindings,
+    };
+}

package/dist/sessions/session-key-utils.js

@@ -13,6 +13,13 @@ export function parseAgentSessionKey(sessionKey) {
         return null;
     return { agentId, rest };
 }
+export function isCronRunSessionKey(sessionKey) {
+    const parsed = parseAgentSessionKey(sessionKey);
+    if (!parsed) {
+        return false;
+    }
+    return /^cron:[^:]+:run:[^:]+$/.test(parsed.rest);
+}
 export function isSubagentSessionKey(sessionKey) {
     const raw = (sessionKey ?? "").trim();
     if (!raw)

package/dist/signal/monitor/event-handler.js

@@ -3,14 +3,17 @@ import { hasControlCommand } from "../../auto-reply/command-detection.js";
 import { formatInboundEnvelope, formatInboundFromLabel, resolveEnvelopeFormatOptions, } from "../../auto-reply/envelope.js";
 import { createInboundDebouncer, resolveInboundDebounceMs, } from "../../auto-reply/inbound-debounce.js";
 import { dispatchInboundMessage } from "../../auto-reply/dispatch.js";
-import { buildPendingHistoryContextFromMap, clearHistoryEntriesIfEnabled, } from "../../auto-reply/reply/history.js";
+import { buildPendingHistoryContextFromMap, clearHistoryEntriesIfEnabled, recordPendingHistoryEntryIfEnabled, } from "../../auto-reply/reply/history.js";
+import { buildMentionRegexes, matchesMentionPatterns } from "../../auto-reply/reply/mentions.js";
 import { finalizeInboundContext } from "../../auto-reply/reply/inbound-context.js";
 import { createReplyDispatcherWithTyping } from "../../auto-reply/reply/reply-dispatcher.js";
 import { logInboundDrop, logTypingFailure } from "../../channels/logging.js";
+import { resolveMentionGatingWithBypass } from "../../channels/mention-gating.js";
 import { createReplyPrefixContext } from "../../channels/reply-prefix.js";
 import { recordInboundSession } from "../../channels/session.js";
 import { createTypingCallbacks } from "../../channels/typing.js";
 import { readSessionUpdatedAt, resolveStorePath } from "../../config/sessions.js";
+import { resolveChannelGroupRequireMention } from "../../config/group-policy.js";
 import { danger, logVerbose, shouldLogVerbose } from "../../globals.js";
 import { enqueueSystemEvent } from "../../infra/system-events.js";
 import { mediaKindFromMime } from "../../media/constants.js";
@@ -79,8 +82,17 @@ export function createSignalEventHandler(deps) {
             });
         }
         const signalTo = entry.isGroup ? `group:${entry.groupId}` : `signal:${entry.senderRecipient}`;
+        const inboundHistory = entry.isGroup && historyKey && deps.historyLimit > 0
+            ? (deps.groupHistories.get(historyKey) ?? []).map((historyEntry) => ({
+                sender: historyEntry.sender,
+                body: historyEntry.body,
+                timestamp: historyEntry.timestamp,
+            }))
+            : undefined;
         const ctxPayload = finalizeInboundContext({
             Body: combinedBody,
+            BodyForAgent: entry.bodyText,
+            InboundHistory: inboundHistory,
             RawBody: entry.bodyText,
             CommandBody: entry.bodyText,
             From: entry.isGroup
@@ -101,6 +113,7 @@ export function createSignalEventHandler(deps) {
             MediaPath: entry.mediaPath,
             MediaType: entry.mediaType,
             MediaUrl: entry.mediaPath,
+            WasMentioned: entry.isGroup ? entry.wasMentioned === true : undefined,
             CommandAuthorized: entry.commandAuthorized,
             OriginatingChannel: "signal",
             OriginatingTo: signalTo,
@@ -417,6 +430,71 @@ export function createSignalEventHandler(deps) {
             });
             return;
         }
+        const route = resolveAgentRoute({
+            cfg: deps.cfg,
+            channel: "signal",
+            accountId: deps.accountId,
+            peer: {
+                kind: isGroup ? "group" : "dm",
+                id: isGroup ? (groupId ?? "unknown") : senderPeerId,
+            },
+        });
+        const mentionRegexes = buildMentionRegexes(deps.cfg, route.agentId);
+        const wasMentioned = isGroup && matchesMentionPatterns(messageText, mentionRegexes);
+        const requireMention = isGroup &&
+            resolveChannelGroupRequireMention({
+                cfg: deps.cfg,
+                channel: "signal",
+                groupId,
+                accountId: deps.accountId,
+            });
+        const canDetectMention = mentionRegexes.length > 0;
+        const mentionGate = resolveMentionGatingWithBypass({
+            isGroup,
+            requireMention: Boolean(requireMention),
+            canDetectMention,
+            wasMentioned,
+            implicitMention: false,
+            hasAnyMention: false,
+            allowTextCommands: true,
+            hasControlCommand: hasControlCommandInMessage,
+            commandAuthorized,
+        });
+        const effectiveWasMentioned = mentionGate.effectiveWasMentioned;
+        if (isGroup && requireMention && canDetectMention && mentionGate.shouldSkip) {
+            logInboundDrop({
+                log: logVerbose,
+                channel: "signal",
+                reason: "no mention",
+                target: senderDisplay,
+            });
+            const quoteText = dataMessage.quote?.text?.trim() || "";
+            const pendingPlaceholder = (() => {
+                if (!dataMessage.attachments?.length) {
+                    return "";
+                }
+                if (deps.ignoreAttachments) {
+                    return "<media:attachment>";
+                }
+                const firstContentType = dataMessage.attachments?.[0]?.contentType;
+                const pendingKind = mediaKindFromMime(firstContentType ?? undefined);
+                return pendingKind ? `<media:${pendingKind}>` : "<media:attachment>";
+            })();
+            const pendingBodyText = messageText || pendingPlaceholder || quoteText;
+            const historyKey = groupId ?? "unknown";
+            recordPendingHistoryEntryIfEnabled({
+                historyMap: deps.groupHistories,
+                historyKey,
+                limit: deps.historyLimit,
+                entry: {
+                    sender: envelope.sourceName ?? senderDisplay,
+                    body: pendingBodyText,
+                    timestamp: envelope.timestamp ?? undefined,
+                    messageId: typeof envelope.timestamp === "number" ? String(envelope.timestamp) : undefined,
+                },
+            });
+            return;
+        }
         let mediaPath;
         let mediaType;
         let placeholder = "";
@@ -487,6 +565,7 @@ export function createSignalEventHandler(deps) {
             mediaPath,
             mediaType,
             commandAuthorized,
+            wasMentioned: effectiveWasMentioned,
         });
     };
 }

package/dist/slack/monitor/media.js

@@ -1,14 +1,77 @@
 import { fetchRemoteMedia } from "../../media/fetch.js";
 import { saveMediaBuffer } from "../../media/store.js";
+function normalizeHostname(hostname) {
+    const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
+    if (normalized.startsWith("[") && normalized.endsWith("]")) {
+        return normalized.slice(1, -1);
+    }
+    return normalized;
+}
+function isSlackHostname(hostname) {
+    const normalized = normalizeHostname(hostname);
+    if (!normalized) {
+        return false;
+    }
+    // Slack-hosted files typically come from *.slack.com and redirect to Slack CDN domains.
+    // Include a small allowlist of known Slack domains to avoid leaking tokens if a file URL
+    // is ever spoofed or mishandled.
+    const allowedSuffixes = ["slack.com", "slack-edge.com", "slack-files.com"];
+    return allowedSuffixes.some((suffix) => normalized === suffix || normalized.endsWith(`.${suffix}`));
+}
+function assertSlackFileUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error(`Invalid Slack file URL: ${rawUrl}`);
+    }
+    if (parsed.protocol !== "https:") {
+        throw new Error(`Refusing Slack file URL with non-HTTPS protocol: ${parsed.protocol}`);
+    }
+    if (!isSlackHostname(parsed.hostname)) {
+        throw new Error(`Refusing to send Slack token to non-Slack host "${parsed.hostname}" (url: ${rawUrl})`);
+    }
+    return parsed;
+}
+function resolveRequestUrl(input) {
+    if (typeof input === "string") {
+        return input;
+    }
+    if (input instanceof URL) {
+        return input.toString();
+    }
+    if ("url" in input && typeof input.url === "string") {
+        return input.url;
+    }
+    throw new Error("Unsupported fetch input: expected string, URL, or Request");
+}
+function createSlackMediaFetch(token) {
+    let includeAuth = true;
+    return async (input, init) => {
+        const url = resolveRequestUrl(input);
+        const { headers: initHeaders, redirect: _redirect, ...rest } = init ?? {};
+        const headers = new Headers(initHeaders);
+        if (includeAuth) {
+            includeAuth = false;
+            const parsed = assertSlackFileUrl(url);
+            headers.set("Authorization", `Bearer ${token}`);
+            return fetch(parsed.href, { ...rest, headers, redirect: "manual" });
+        }
+        headers.delete("Authorization");
+        return fetch(url, { ...rest, headers, redirect: "manual" });
+    };
+}
 /**
  * Fetches a URL with Authorization header, handling cross-origin redirects.
  * Node.js fetch strips Authorization headers on cross-origin redirects for security.
- * Slack's files.slack.com URLs redirect to CDN domains with pre-signed URLs that
- * don't need the Authorization header, so we handle the initial auth request manually.
+ * Slack's file URLs redirect to CDN domains with pre-signed URLs that don't need the
+ * Authorization header, so we handle the initial auth request manually.
  */
 export async function fetchWithSlackAuth(url, token) {
+    const parsed = assertSlackFileUrl(url);
     // Initial request with auth and manual redirect handling
-    const initialRes = await fetch(url, {
+    const initialRes = await fetch(parsed.href, {
         headers: { Authorization: `Bearer ${token}` },
         redirect: "manual",
     });
@@ -22,31 +85,36 @@ export async function fetchWithSlackAuth(url, token) {
         return initialRes;
     }
     // Resolve relative URLs against the original
-    const resolvedUrl = new URL(redirectUrl, url).toString();
+    const resolvedUrl = new URL(redirectUrl, parsed.href);
+    // Only follow safe protocols (we do NOT include Authorization on redirects).
+    if (resolvedUrl.protocol !== "https:") {
+        return initialRes;
+    }
     // Follow the redirect without the Authorization header
     // (Slack's CDN URLs are pre-signed and don't need it)
-    return fetch(resolvedUrl, { redirect: "follow" });
+    return fetch(resolvedUrl.toString(), { redirect: "follow" });
 }
 export async function resolveSlackMedia(params) {
     const files = params.files ?? [];
     for (const file of files) {
         const url = file.url_private_download ?? file.url_private;
-        if (!url)
+        if (!url) {
             continue;
+        }
         try {
-            // Note: We ignore init options because fetchWithSlackAuth handles
-            // redirect behavior specially. fetchRemoteMedia only passes the URL.
-            const fetchImpl = (input) => {
-                const inputUrl = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
-                return fetchWithSlackAuth(inputUrl, params.token);
-            };
+            // Note: fetchRemoteMedia calls fetchImpl(url) with the URL string today and
+            // handles size limits internally. Provide a fetcher that uses auth once, then lets
+            // the redirect chain continue without credentials.
+            const fetchImpl = createSlackMediaFetch(params.token);
             const fetched = await fetchRemoteMedia({
                 url,
                 fetchImpl,
                 filePathHint: file.name,
+                maxBytes: params.maxBytes,
             });
-            if (fetched.buffer.byteLength > params.maxBytes)
+            if (fetched.buffer.byteLength > params.maxBytes) {
                 continue;
+            }
             const saved = await saveMediaBuffer(fetched.buffer, fetched.contentType ?? file.mimetype, "inbound", params.maxBytes);
             const label = fetched.fileName ?? file.name;
             return {
@@ -65,8 +133,9 @@ const THREAD_STARTER_CACHE = new Map();
 export async function resolveSlackThreadStarter(params) {
     const cacheKey = `${params.channelId}:${params.threadTs}`;
     const cached = THREAD_STARTER_CACHE.get(cacheKey);
-    if (cached)
+    if (cached) {
         return cached;
+    }
     try {
         const response = (await params.client.conversations.replies({
             channel: params.channelId,
@@ -76,8 +145,9 @@ export async function resolveSlackThreadStarter(params) {
         }));
         const message = response?.messages?.[0];
         const text = (message?.text ?? "").trim();
-        if (!message || !text)
+        if (!message || !text) {
             return null;
+        }
         const starter = {
             text,
             userId: message.user,

package/dist/tailscale/detect.js

@@ -65,8 +65,7 @@ async function getTailscaleStatus() {
             canFunnel: self.Capabilities?.map.includes("funnel") ?? false,
         };
     }
-    catch (err) {
-        // If command fails, return minimal info
+    catch {
         return {
             installed: await isTailscaleInstalled(),
             running: false,