npm - @poolzin/pool-bot - Versions diffs - 2026.2.20 → 2026.2.22 - Mend

@poolzin/pool-bot 2026.2.20 → 2026.2.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (388) hide show

package/CHANGELOG.md +25 -0
package/dist/agents/api-key-rotation.js +47 -0
package/dist/agents/apply-patch-update.js +19 -9
package/dist/agents/apply-patch.js +72 -47
package/dist/agents/bash-tools.exec.js +141 -559
package/dist/agents/cli-backends.js +49 -6
package/dist/agents/cli-runner/helpers.js +69 -152
package/dist/agents/cli-runner.js +70 -19
package/dist/agents/identity.js +20 -1
package/dist/agents/image-sanitization.js +9 -0
package/dist/agents/live-auth-keys.js +123 -26
package/dist/agents/live-model-filter.js +13 -4
package/dist/agents/model-auth.js +12 -0
package/dist/agents/model-catalog.js +40 -9
package/dist/agents/model-fallback.js +24 -0
package/dist/agents/model-forward-compat.js +60 -23
package/dist/agents/model-selection.js +134 -41
package/dist/agents/pi-auth-json.js +2 -2
package/dist/agents/pi-embedded-helpers/bootstrap.js +65 -15
package/dist/agents/pi-embedded-helpers/errors.js +140 -15
package/dist/agents/pi-embedded-helpers/images.js +22 -12
package/dist/agents/pi-embedded-helpers.js +2 -2
package/dist/agents/pi-embedded-runner/abort.js +10 -3
package/dist/agents/pi-embedded-runner/compact.js +230 -32
package/dist/agents/pi-embedded-runner/extra-params.js +203 -12
package/dist/agents/pi-embedded-runner/google.js +109 -19
package/dist/agents/pi-embedded-runner/history.js +35 -17
package/dist/agents/pi-embedded-runner/run/attempt.js +386 -80
package/dist/agents/pi-embedded-runner/run/images.js +81 -55
package/dist/agents/pi-embedded-runner/run/payloads.js +89 -39
package/dist/agents/pi-embedded-runner/run.js +193 -25
package/dist/agents/pi-embedded-runner/run.overflow-compaction.mocks.shared.js +2 -2
package/dist/agents/pi-embedded-runner/runs.js +17 -8
package/dist/agents/pi-embedded-runner/tool-result-context-guard.js +262 -0
package/dist/agents/pi-embedded-runner.js +1 -1
package/dist/agents/pi-embedded-subscribe.handlers.tools.js +180 -10
package/dist/agents/pi-embedded-subscribe.js +37 -0
package/dist/agents/pi-embedded-subscribe.tools.js +127 -30
package/dist/agents/pi-model-discovery.js +9 -2
package/dist/agents/pi-tool-definition-adapter.js +60 -8
package/dist/agents/pi-tools.before-tool-call.js +1 -1
package/dist/agents/pi-tools.js +113 -94
package/dist/agents/pi-tools.read.js +337 -38
package/dist/agents/poolbot-tools.js +14 -5
package/dist/agents/provider/config-loader.js +76 -0
package/dist/agents/provider/index.js +15 -0
package/dist/agents/provider/integration.js +136 -0
package/dist/agents/provider/models-dev.js +129 -0
package/dist/agents/provider/rate-limits.js +458 -0
package/dist/agents/provider/request-monitor.js +449 -0
package/dist/agents/provider/session-binding.js +376 -0
package/dist/agents/provider/token-pool.js +541 -0
package/dist/agents/sandbox/docker.js +10 -5
package/dist/agents/sandbox/registry.js +96 -46
package/dist/agents/sandbox/sanitize-env-vars.js +82 -0
package/dist/agents/sandbox-paths.js +43 -10
package/dist/agents/session-tool-result-guard-wrapper.js +23 -11
package/dist/agents/session-tool-result-guard.js +39 -39
package/dist/agents/session-transcript-repair.js +36 -33
package/dist/agents/session-write-lock.js +62 -44
package/dist/agents/skills/frontmatter.js +49 -88
package/dist/agents/skills/workspace.js +335 -28
package/dist/agents/subagent-announce.js +508 -174
package/dist/agents/subagent-registry.js +45 -4
package/dist/agents/subagent-spawn.js +16 -33
package/dist/agents/system-prompt-report.js +27 -10
package/dist/agents/system-prompt.js +26 -32
package/dist/agents/tool-call-id.js +69 -17
package/dist/agents/tool-display-common.js +1 -1
package/dist/agents/tool-images.js +64 -31
package/dist/agents/tools/canvas-tool.js +17 -11
package/dist/agents/tools/common.js +37 -19
package/dist/agents/tools/cron-tool.js +40 -38
package/dist/agents/tools/gateway.js +70 -2
package/dist/agents/tools/message-tool.js +181 -40
package/dist/agents/tools/nodes-tool.js +128 -36
package/dist/agents/tools/nodes-utils.js +12 -38
package/dist/agents/tools/session-status-tool.js +24 -71
package/dist/agents/tools/sessions-helpers.js +38 -210
package/dist/agents/tools/sessions-spawn-tool.js +28 -198
package/dist/agents/tools/telegram-actions.js +58 -7
package/dist/agents/tools/web-fetch-utils.js +112 -7
package/dist/agents/tools/web-fetch.js +279 -175
package/dist/agents/tools/web-shared.js +71 -8
package/dist/agents/usage.js +25 -16
package/dist/auto-reply/commands-registry.data.js +85 -11
package/dist/auto-reply/dispatch.js +40 -21
package/dist/auto-reply/reply/abort.js +102 -33
package/dist/auto-reply/reply/commands-core.js +82 -33
package/dist/auto-reply/reply/commands-export-session.js +1 -1
package/dist/auto-reply/reply/commands-info.js +41 -12
package/dist/auto-reply/reply/commands-subagents.js +352 -100
package/dist/auto-reply/reply/commands-system-prompt.js +2 -2
package/dist/auto-reply/reply/dispatch-from-config.js +100 -29
package/dist/auto-reply/reply/elevated-unavailable.js +1 -1
package/dist/auto-reply/reply/inbound-meta.js +12 -1
package/dist/auto-reply/reply/mentions.js +18 -11
package/dist/auto-reply/reply/normalize-reply.js +17 -8
package/dist/auto-reply/reply/reply-dispatcher.js +62 -10
package/dist/auto-reply/reply/session.js +102 -21
package/dist/auto-reply/reply/streaming-directives.js +16 -5
package/dist/auto-reply/status.js +73 -50
package/dist/browser/extension-relay.js +3 -3
package/dist/browser/http-auth.js +1 -1
package/dist/browser/paths.js +2 -2
package/dist/build-info.json +3 -3
package/dist/channels/allowlist-match.js +20 -0
package/dist/channels/allowlists/resolve-utils.js +65 -2
package/dist/channels/chat-type.js +8 -4
package/dist/channels/dock.js +127 -35
package/dist/channels/draft-stream-loop.js +6 -2
package/dist/channels/plugins/actions/telegram.js +42 -18
package/dist/channels/plugins/allowlist-match.js +1 -1
package/dist/channels/plugins/group-mentions.js +51 -41
package/dist/channels/plugins/message-action-names.js +2 -0
package/dist/channels/plugins/message-actions.js +24 -5
package/dist/channels/plugins/normalize/discord.js +26 -4
package/dist/channels/plugins/normalize/signal.js +35 -22
package/dist/channels/plugins/onboarding/helpers.js +8 -26
package/dist/channels/plugins/outbound/imessage.js +15 -14
package/dist/channels/registry.js +20 -7
package/dist/cli/acp-cli.js +7 -5
package/dist/cli/browser-cli-extension.js +25 -12
package/dist/cli/browser-cli-state.cookies-storage.js +25 -6
package/dist/cli/browser-cli-state.js +101 -145
package/dist/cli/command-options.js +28 -0
package/dist/cli/completion-cli.js +6 -6
package/dist/cli/cron-cli/register.cron-add.js +25 -1
package/dist/cli/cron-cli/register.cron-edit.js +44 -0
package/dist/cli/cron-cli/shared.js +7 -1
package/dist/cli/daemon-cli/lifecycle-core.js +23 -21
package/dist/cli/daemon-cli/lifecycle.js +23 -247
package/dist/cli/daemon-cli/register-service-commands.js +25 -4
package/dist/cli/daemon-cli.js +1 -0
package/dist/cli/devices-cli.js +33 -20
package/dist/cli/gateway-cli/register.js +37 -105
package/dist/cli/gateway-cli/run.js +49 -11
package/dist/cli/nodes-camera.js +59 -4
package/dist/cli/nodes-cli/register.camera.js +27 -24
package/dist/cli/nodes-cli/rpc.js +21 -38
package/dist/cli/qr-cli.js +2 -2
package/dist/cli/skills-cli.format.js +2 -2
package/dist/cli/update-cli/progress.js +2 -2
package/dist/cli/update-cli/restart-helper.js +28 -7
package/dist/cli/update-cli/shared.js +7 -7
package/dist/cli/update-cli/status.js +1 -1
package/dist/cli/update-cli/update-command.js +14 -8
package/dist/cli/update-cli/wizard.js +2 -2
package/dist/cli/update-cli.js +21 -1027
package/dist/commands/auth-choice.apply.anthropic.js +10 -2
package/dist/commands/channels/add-mutators.js +3 -35
package/dist/commands/channels/add.js +39 -51
package/dist/commands/config-validation.js +1 -1
package/dist/commands/configure.gateway-auth.js +52 -15
package/dist/commands/configure.gateway.js +84 -40
package/dist/commands/doctor-completion.js +3 -3
package/dist/commands/doctor-config-flow.js +536 -16
package/dist/commands/doctor-gateway-services.js +103 -79
package/dist/commands/doctor-memory-search.js +9 -9
package/dist/commands/doctor-platform-notes.js +57 -30
package/dist/commands/doctor-prompter.js +26 -15
package/dist/commands/doctor-session-locks.js +1 -1
package/dist/commands/doctor.js +21 -9
package/dist/commands/model-picker.js +120 -95
package/dist/commands/models/set.js +2 -21
package/dist/commands/models/shared.js +65 -37
package/dist/commands/onboard-helpers.js +81 -39
package/dist/commands/openai-codex-oauth.js +1 -1
package/dist/commands/sessions.js +52 -53
package/dist/commands/status.summary.js +52 -34
package/dist/commands/test-wizard-helpers.js +2 -2
package/dist/config/defaults.js +79 -42
package/dist/config/group-policy.js +50 -18
package/dist/config/includes.js +37 -10
package/dist/config/schema.help.js +5 -4
package/dist/config/schema.hints.js +2 -2
package/dist/config/schema.labels.js +1 -0
package/dist/config/sessions/group.js +12 -11
package/dist/config/sessions/paths.js +137 -11
package/dist/config/sessions/store.js +185 -65
package/dist/config/sessions/types.js +15 -1
package/dist/config/sessions.js +1 -0
package/dist/config/telegram-custom-commands.js +3 -2
package/dist/config/types.js +2 -0
package/dist/config/zod-schema.agent-defaults.js +6 -27
package/dist/config/zod-schema.agent-runtime.js +171 -79
package/dist/config/zod-schema.providers-core.js +138 -65
package/dist/config/zod-schema.session.js +49 -22
package/dist/control-ui/assets/index-HRr1grwl.js.map +1 -1
package/dist/cron/isolated-agent/run.js +224 -57
package/dist/cron/normalize.js +48 -45
package/dist/cron/run-log.js +14 -0
package/dist/cron/service/jobs.js +190 -28
package/dist/cron/service/normalize.js +29 -11
package/dist/cron/service/store.js +30 -44
package/dist/cron/service/timer.js +182 -96
package/dist/cron/service.js +3 -0
package/dist/cron/stagger.js +37 -0
package/dist/daemon/inspect.js +132 -92
package/dist/daemon/runtime-paths.js +25 -4
package/dist/daemon/service-audit.js +47 -16
package/dist/discord/accounts.js +23 -20
package/dist/discord/monitor/agent-components.js +1115 -219
package/dist/discord/monitor/allow-list.js +114 -34
package/dist/discord/monitor/listeners.js +204 -97
package/dist/discord/monitor/message-handler.js +21 -10
package/dist/discord/monitor/message-handler.preflight.js +195 -101
package/dist/discord/monitor/message-handler.process.js +384 -123
package/dist/discord/monitor/message-utils.js +86 -23
package/dist/discord/monitor/native-command.js +77 -57
package/dist/discord/monitor/provider.js +122 -117
package/dist/discord/monitor/reply-context.js +20 -16
package/dist/discord/monitor/reply-delivery.js +40 -8
package/dist/discord/monitor/rest-fetch.js +22 -0
package/dist/discord/monitor/threading.js +117 -24
package/dist/discord/send.js +2 -1
package/dist/discord/send.outbound.js +124 -11
package/dist/discord/send.shared.js +112 -72
package/dist/discord/voice-message.js +3 -3
package/dist/gateway/auth.js +119 -44
package/dist/gateway/call.js +76 -34
package/dist/gateway/channel-health-monitor.js +57 -50
package/dist/gateway/client.js +63 -29
package/dist/gateway/control-ui-contract.js +1 -1
package/dist/gateway/gateway-config-prompts.shared.js +2 -2
package/dist/gateway/net.js +109 -1
package/dist/gateway/protocol/index.js +5 -8
package/dist/gateway/protocol/schema/agent.js +19 -1
package/dist/gateway/protocol/schema/channels.js +21 -0
package/dist/gateway/protocol/schema/cron.js +43 -30
package/dist/gateway/protocol/schema/protocol-schemas.js +6 -11
package/dist/gateway/protocol/schema/sessions.js +5 -1
package/dist/gateway/protocol/schema.js +0 -1
package/dist/gateway/server/presence-events.js +12 -0
package/dist/gateway/server/ws-connection/message-handler.js +203 -212
package/dist/gateway/server/ws-connection.js +58 -21
package/dist/gateway/server-broadcast.js +18 -13
package/dist/gateway/server-cron.js +177 -10
package/dist/gateway/server-methods/agent-job.js +131 -38
package/dist/gateway/server-methods/send.js +60 -14
package/dist/gateway/server-methods/sessions.js +160 -96
package/dist/gateway/server-methods/system.js +5 -7
package/dist/gateway/server-methods-list.js +8 -0
package/dist/gateway/server-methods.js +24 -8
package/dist/gateway/server-node-events.js +278 -68
package/dist/gateway/session-utils.fs.js +316 -75
package/dist/gateway/session-utils.js +224 -70
package/dist/gateway/sessions-patch.js +63 -20
package/dist/gateway/test-temp-config.js +1 -1
package/dist/gateway/tools-invoke-http.js +118 -70
package/dist/gateway/ws-log.js +135 -107
package/dist/hooks/frontmatter.js +36 -82
package/dist/hooks/install.js +149 -139
package/dist/hooks/internal-hooks.js +29 -4
package/dist/hooks/plugin-hooks.js +2 -1
package/dist/imessage/monitor/deliver.js +10 -4
package/dist/imessage/monitor/monitor-provider.js +138 -375
package/dist/imessage/monitor/runtime.js +4 -8
package/dist/imessage/send.js +65 -19
package/dist/infra/exec-approvals-allowlist.js +7 -0
package/dist/infra/exec-approvals.js +35 -920
package/dist/infra/exec-safe-bin-trust.js +64 -0
package/dist/infra/heartbeat-runner.js +207 -134
package/dist/infra/heartbeat-wake.js +183 -22
package/dist/infra/install-source-utils.js +47 -0
package/dist/infra/net/ssrf.js +170 -36
package/dist/infra/outbound/deliver.js +224 -58
package/dist/infra/outbound/message-action-spec.js +12 -5
package/dist/infra/outbound/outbound-session.js +27 -25
package/dist/infra/poolbot-root.js +32 -22
package/dist/infra/ports.js +14 -11
package/dist/infra/skills-remote.js +48 -37
package/dist/infra/system-events.js +25 -11
package/dist/infra/system-presence.js +26 -33
package/dist/infra/tmp-poolbot-dir.js +81 -2
package/dist/infra/wsl.js +37 -1
package/dist/line/bot-message-context.js +163 -191
package/dist/logging/subsystem.js +59 -22
package/dist/markdown/ir.js +124 -50
package/dist/media/store.js +1 -1
package/dist/media-understanding/runner.entries.js +42 -25
package/dist/media-understanding/runner.js +53 -488
package/dist/memory/embeddings-gemini.js +53 -38
package/dist/memory/manager-embedding-ops.js +48 -69
package/dist/pairing/pairing-store.js +178 -119
package/dist/plugin-sdk/index.js +34 -6
package/dist/plugins/hooks.js +135 -14
package/dist/plugins/install.js +190 -152
package/dist/polls.js +11 -0
package/dist/routing/resolve-route.js +190 -56
package/dist/routing/session-key.js +38 -22
package/dist/runtime.js +35 -9
package/dist/security/audit-channel.js +1 -1
package/dist/sessions/session-key-utils.js +29 -11
package/dist/shared/frontmatter.js +5 -5
package/dist/shared/node-list-types.js +1 -0
package/dist/shared/string-normalization.js +15 -0
package/dist/signal/monitor/event-handler.js +68 -36
package/dist/signal/send.js +29 -37
package/dist/slack/monitor/allow-list.js +10 -11
package/dist/slack/monitor/commands.js +14 -3
package/dist/slack/monitor/events/interactions.js +4 -4
package/dist/slack/monitor/media.js +224 -16
package/dist/slack/monitor/message-handler/dispatch.js +247 -13
package/dist/slack/monitor/message-handler/prepare.js +128 -45
package/dist/slack/monitor/slash.js +357 -144
package/dist/slack/streaming.js +77 -0
package/dist/telegram/accounts.js +40 -13
package/dist/telegram/allowed-updates.js +3 -0
package/dist/telegram/bot/delivery.js +129 -66
package/dist/telegram/bot/helpers.js +136 -122
package/dist/telegram/bot-handlers.js +600 -339
package/dist/telegram/bot-message-context.js +115 -73
package/dist/telegram/bot-message-dispatch.js +235 -104
package/dist/telegram/bot-native-command-menu.js +3 -1
package/dist/telegram/bot-native-commands.js +213 -193
package/dist/telegram/bot.js +24 -132
package/dist/telegram/draft-stream.js +84 -75
package/dist/telegram/format.js +150 -6
package/dist/telegram/send.js +415 -255
package/dist/telegram/targets.js +21 -2
package/dist/telegram/update-offset-store.js +19 -3
package/dist/terminal/restore.js +5 -2
package/dist/test-utils/fetch-mock.js +5 -0
package/dist/version.js +18 -5
package/dist/web/auto-reply/monitor/broadcast.js +7 -3
package/dist/web/auto-reply/monitor/on-message.js +6 -3
package/dist/web/inbound/media.js +34 -8
package/dist/web/inbound/monitor.js +34 -17
package/dist/web/inbound/send-api.js +18 -17
package/dist/web/outbound.js +12 -5
package/dist/wizard/clack-prompter.js +40 -7
package/extensions/bluebubbles/package.json +1 -1
package/extensions/copilot-proxy/package.json +1 -1
package/extensions/diagnostics-otel/package.json +1 -1
package/extensions/discord/package.json +1 -1
package/extensions/feishu/package.json +1 -1
package/extensions/google-antigravity-auth/package.json +1 -1
package/extensions/google-gemini-cli-auth/package.json +1 -1
package/extensions/googlechat/package.json +1 -1
package/extensions/imessage/package.json +1 -1
package/extensions/irc/package.json +1 -1
package/extensions/line/package.json +1 -1
package/extensions/llm-task/package.json +1 -1
package/extensions/lobster/package.json +1 -1
package/extensions/matrix/CHANGELOG.md +5 -0
package/extensions/matrix/package.json +1 -1
package/extensions/mattermost/package.json +1 -1
package/extensions/memory-core/package.json +1 -1
package/extensions/memory-lancedb/package.json +1 -1
package/extensions/minimax-portal-auth/package.json +1 -1
package/extensions/msteams/CHANGELOG.md +5 -0
package/extensions/msteams/package.json +1 -1
package/extensions/nextcloud-talk/package.json +1 -1
package/extensions/nostr/CHANGELOG.md +5 -0
package/extensions/nostr/package.json +1 -1
package/extensions/open-prose/package.json +1 -1
package/extensions/openai-codex-auth/package.json +1 -1
package/extensions/signal/package.json +1 -1
package/extensions/slack/package.json +1 -1
package/extensions/telegram/package.json +1 -1
package/extensions/tlon/package.json +1 -1
package/extensions/twitch/CHANGELOG.md +5 -0
package/extensions/twitch/package.json +1 -1
package/extensions/voice-call/CHANGELOG.md +5 -0
package/extensions/voice-call/package.json +1 -1
package/extensions/whatsapp/package.json +1 -1
package/extensions/zalo/CHANGELOG.md +5 -0
package/extensions/zalo/package.json +1 -1
package/extensions/zalouser/CHANGELOG.md +5 -0
package/extensions/zalouser/package.json +1 -1
package/package.json +1 -1
package/skills/apple-reminders/SKILL.md +100 -49
package/skills/coding-agent/SKILL.md +34 -28
package/skills/github/SKILL.md +131 -16
package/skills/imsg/SKILL.md +112 -15
package/skills/openhue/SKILL.md +101 -19
package/skills/plcode-controller/SKILL.md +156 -0
package/skills/plcode-controller/assets/operator-prompts.md +65 -0
package/skills/plcode-controller/references/command-cheatsheet.md +53 -0
package/skills/plcode-controller/references/failure-handling.md +60 -0
package/skills/plcode-controller/references/model-selection.md +57 -0
package/skills/plcode-controller/references/plan-vs-build.md +52 -0
package/skills/plcode-controller/references/question-handling.md +40 -0
package/skills/plcode-controller/references/session-management.md +63 -0
package/skills/plcode-controller/references/workflow.md +35 -0
package/skills/tmux/SKILL.md +111 -79
package/skills/weather/SKILL.md +88 -25

package/dist/infra/heartbeat-wake.js CHANGED Viewed

@@ -1,61 +1,222 @@
 let handler = null;
-let pendingReason = null;
+let handlerGeneration = 0;
+const pendingWakes = new Map();
 let scheduled = false;
 let running = false;
 let timer = null;
+let timerDueAt = null;
+let timerKind = null;
 const DEFAULT_COALESCE_MS = 250;
 const DEFAULT_RETRY_MS = 1_000;
-function schedule(coalesceMs) {
-    if (timer)
+const HOOK_REASON_PREFIX = "hook:";
+const REASON_PRIORITY = {
+    RETRY: 0,
+    INTERVAL: 1,
+    DEFAULT: 2,
+    ACTION: 3,
+};
+function isActionWakeReason(reason) {
+    return reason === "manual" || reason === "exec-event" || reason.startsWith(HOOK_REASON_PREFIX);
+}
+function resolveReasonPriority(reason) {
+    if (reason === "retry") {
+        return REASON_PRIORITY.RETRY;
+    }
+    if (reason === "interval") {
+        return REASON_PRIORITY.INTERVAL;
+    }
+    if (isActionWakeReason(reason)) {
+        return REASON_PRIORITY.ACTION;
+    }
+    return REASON_PRIORITY.DEFAULT;
+}
+function normalizeWakeReason(reason) {
+    if (typeof reason !== "string") {
+        return "requested";
+    }
+    const trimmed = reason.trim();
+    return trimmed.length > 0 ? trimmed : "requested";
+}
+function normalizeWakeTarget(value) {
+    const trimmed = typeof value === "string" ? value.trim() : "";
+    return trimmed || undefined;
+}
+function getWakeTargetKey(params) {
+    const agentId = normalizeWakeTarget(params.agentId);
+    const sessionKey = normalizeWakeTarget(params.sessionKey);
+    return `${agentId ?? ""}::${sessionKey ?? ""}`;
+}
+function queuePendingWakeReason(params) {
+    const requestedAt = params?.requestedAt ?? Date.now();
+    const normalizedReason = normalizeWakeReason(params?.reason);
+    const normalizedAgentId = normalizeWakeTarget(params?.agentId);
+    const normalizedSessionKey = normalizeWakeTarget(params?.sessionKey);
+    const wakeTargetKey = getWakeTargetKey({
+        agentId: normalizedAgentId,
+        sessionKey: normalizedSessionKey,
+    });
+    const next = {
+        reason: normalizedReason,
+        priority: resolveReasonPriority(normalizedReason),
+        requestedAt,
+        agentId: normalizedAgentId,
+        sessionKey: normalizedSessionKey,
+    };
+    const previous = pendingWakes.get(wakeTargetKey);
+    if (!previous) {
+        pendingWakes.set(wakeTargetKey, next);
         return;
+    }
+    if (next.priority > previous.priority) {
+        pendingWakes.set(wakeTargetKey, next);
+        return;
+    }
+    if (next.priority === previous.priority && next.requestedAt >= previous.requestedAt) {
+        pendingWakes.set(wakeTargetKey, next);
+    }
+}
+function schedule(coalesceMs, kind = "normal") {
+    const delay = Number.isFinite(coalesceMs) ? Math.max(0, coalesceMs) : DEFAULT_COALESCE_MS;
+    const dueAt = Date.now() + delay;
+    if (timer) {
+        // Keep retry cooldown as a hard minimum delay. This prevents the
+        // finally-path reschedule (often delay=0) from collapsing backoff.
+        if (timerKind === "retry") {
+            return;
+        }
+        // If existing timer fires sooner or at the same time, keep it.
+        if (typeof timerDueAt === "number" && timerDueAt <= dueAt) {
+            return;
+        }
+        // New request needs to fire sooner — preempt the existing timer.
+        clearTimeout(timer);
+        timer = null;
+        timerDueAt = null;
+        timerKind = null;
+    }
+    timerDueAt = dueAt;
+    timerKind = kind;
     timer = setTimeout(async () => {
         timer = null;
+        timerDueAt = null;
+        timerKind = null;
         scheduled = false;
         const active = handler;
-        if (!active)
+        if (!active) {
             return;
+        }
         if (running) {
             scheduled = true;
-            schedule(coalesceMs);
+            schedule(delay, kind);
             return;
         }
-        const reason = pendingReason;
-        pendingReason = null;
+        const pendingBatch = Array.from(pendingWakes.values());
+        pendingWakes.clear();
         running = true;
         try {
-            const res = await active({ reason: reason ?? undefined });
-            if (res.status === "skipped" && res.reason === "requests-in-flight") {
-                // The main lane is busy; retry soon.
-                pendingReason = reason ?? "retry";
-                schedule(DEFAULT_RETRY_MS);
+            for (const pendingWake of pendingBatch) {
+                const wakeOpts = {
+                    reason: pendingWake.reason ?? undefined,
+                    ...(pendingWake.agentId ? { agentId: pendingWake.agentId } : {}),
+                    ...(pendingWake.sessionKey ? { sessionKey: pendingWake.sessionKey } : {}),
+                };
+                const res = await active(wakeOpts);
+                if (res.status === "skipped" && res.reason === "requests-in-flight") {
+                    // The main lane is busy; retry this wake target soon.
+                    queuePendingWakeReason({
+                        reason: pendingWake.reason ?? "retry",
+                        agentId: pendingWake.agentId,
+                        sessionKey: pendingWake.sessionKey,
+                    });
+                    schedule(DEFAULT_RETRY_MS, "retry");
+                }
             }
         }
         catch {
             // Error is already logged by the heartbeat runner; schedule a retry.
-            pendingReason = reason ?? "retry";
-            schedule(DEFAULT_RETRY_MS);
+            for (const pendingWake of pendingBatch) {
+                queuePendingWakeReason({
+                    reason: pendingWake.reason ?? "retry",
+                    agentId: pendingWake.agentId,
+                    sessionKey: pendingWake.sessionKey,
+                });
+            }
+            schedule(DEFAULT_RETRY_MS, "retry");
         }
         finally {
             running = false;
-            if (pendingReason || scheduled)
-                schedule(coalesceMs);
+            if (pendingWakes.size > 0 || scheduled) {
+                schedule(delay, "normal");
+            }
         }
-    }, coalesceMs);
+    }, delay);
     timer.unref?.();
 }
+/**
+ * Register (or clear) the heartbeat wake handler.
+ * Returns a disposer function that clears this specific registration.
+ * Stale disposers (from previous registrations) are no-ops, preventing
+ * a race where an old runner's cleanup clears a newer runner's handler.
+ */
 export function setHeartbeatWakeHandler(next) {
+    handlerGeneration += 1;
+    const generation = handlerGeneration;
     handler = next;
-    if (handler && pendingReason) {
-        schedule(DEFAULT_COALESCE_MS);
+    if (next) {
+        // New lifecycle starting (e.g. after SIGUSR1 in-process restart).
+        // Clear any timer metadata from the previous lifecycle so stale retry
+        // cooldowns do not delay a fresh handler.
+        if (timer) {
+            clearTimeout(timer);
+        }
+        timer = null;
+        timerDueAt = null;
+        timerKind = null;
+        // Reset module-level execution state that may be stale from interrupted
+        // runs in the previous lifecycle. Without this, `running === true` from
+        // an interrupted heartbeat blocks all future schedule() attempts, and
+        // `scheduled === true` can cause spurious immediate re-runs.
+        running = false;
+        scheduled = false;
+    }
+    if (handler && pendingWakes.size > 0) {
+        schedule(DEFAULT_COALESCE_MS, "normal");
     }
+    return () => {
+        if (handlerGeneration !== generation) {
+            return;
+        }
+        if (handler !== next) {
+            return;
+        }
+        handlerGeneration += 1;
+        handler = null;
+    };
 }
 export function requestHeartbeatNow(opts) {
-    pendingReason = opts?.reason ?? pendingReason ?? "requested";
-    schedule(opts?.coalesceMs ?? DEFAULT_COALESCE_MS);
+    queuePendingWakeReason({
+        reason: opts?.reason,
+        agentId: opts?.agentId,
+        sessionKey: opts?.sessionKey,
+    });
+    schedule(opts?.coalesceMs ?? DEFAULT_COALESCE_MS, "normal");
 }
 export function hasHeartbeatWakeHandler() {
     return handler !== null;
 }
 export function hasPendingHeartbeatWake() {
-    return pendingReason !== null || Boolean(timer) || scheduled;
+    return pendingWakes.size > 0 || Boolean(timer) || scheduled;
+}
+export function resetHeartbeatWakeStateForTests() {
+    if (timer) {
+        clearTimeout(timer);
+    }
+    timer = null;
+    timerDueAt = null;
+    timerKind = null;
+    pendingWakes.clear();
+    scheduled = false;
+    running = false;
+    handlerGeneration += 1;
+    handler = null;
 }

package/dist/infra/install-source-utils.js ADDED Viewed

@@ -0,0 +1,47 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { runCommandWithTimeout } from "../process/exec.js";
+import { resolveUserPath } from "../utils.js";
+import { fileExists, resolveArchiveKind } from "./archive.js";
+export async function withTempDir(prefix, fn) {
+    const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), prefix));
+    try {
+        return await fn(tmpDir);
+    }
+    finally {
+        await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => undefined);
+    }
+}
+export async function resolveArchiveSourcePath(archivePath) {
+    const resolved = resolveUserPath(archivePath);
+    if (!(await fileExists(resolved))) {
+        return { ok: false, error: `archive not found: ${resolved}` };
+    }
+    if (!resolveArchiveKind(resolved)) {
+        return { ok: false, error: `unsupported archive: ${resolved}` };
+    }
+    return { ok: true, path: resolved };
+}
+export async function packNpmSpecToArchive(params) {
+    const res = await runCommandWithTimeout(["npm", "pack", params.spec, "--ignore-scripts"], {
+        timeoutMs: Math.max(params.timeoutMs, 300_000),
+        cwd: params.cwd,
+        env: {
+            COREPACK_ENABLE_DOWNLOAD_PROMPT: "0",
+            NPM_CONFIG_IGNORE_SCRIPTS: "true",
+        },
+    });
+    if (res.code !== 0) {
+        return { ok: false, error: `npm pack failed: ${res.stderr.trim() || res.stdout.trim()}` };
+    }
+    const packed = (res.stdout || "")
+        .split("\n")
+        .map((line) => line.trim())
+        .filter(Boolean)
+        .pop();
+    if (!packed) {
+        return { ok: false, error: "npm pack produced no archive" };
+    }
+    return { ok: true, archivePath: path.join(params.cwd, packed) };
+}

package/dist/infra/net/ssrf.js CHANGED Viewed

@@ -1,27 +1,44 @@
 import { lookup as dnsLookupCb } from "node:dns";
 import { lookup as dnsLookup } from "node:dns/promises";
 import { Agent } from "undici";
+import { normalizeHostname } from "./hostname.js";
 export class SsrFBlockedError extends Error {
     constructor(message) {
         super(message);
         this.name = "SsrFBlockedError";
     }
 }
-const PRIVATE_IPV6_PREFIXES = ["fe80:", "fec0:", "fc", "fd"];
 const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]);
-function normalizeHostname(hostname) {
-    const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
-    if (normalized.startsWith("[") && normalized.endsWith("]")) {
-        return normalized.slice(1, -1);
-    }
-    return normalized;
-}
 function normalizeHostnameSet(values) {
     if (!values || values.length === 0) {
         return new Set();
     }
     return new Set(values.map((value) => normalizeHostname(value)).filter(Boolean));
 }
+function normalizeHostnameAllowlist(values) {
+    if (!values || values.length === 0) {
+        return [];
+    }
+    return Array.from(new Set(values
+        .map((value) => normalizeHostname(value))
+        .filter((value) => value !== "*" && value !== "*." && value.length > 0)));
+}
+function isHostnameAllowedByPattern(hostname, pattern) {
+    if (pattern.startsWith("*.")) {
+        const suffix = pattern.slice(2);
+        if (!suffix || hostname === suffix) {
+            return false;
+        }
+        return hostname.endsWith(`.${suffix}`);
+    }
+    return hostname === pattern;
+}
+function matchesHostnameAllowlist(hostname, allowlist) {
+    if (allowlist.length === 0) {
+        return true;
+    }
+    return allowlist.some((pattern) => isHostnameAllowedByPattern(hostname, pattern));
+}
 function parseIpv4(address) {
     const parts = address.split(".");
     if (parts.length !== 4) {
@@ -33,33 +50,114 @@ function parseIpv4(address) {
     }
     return numbers;
 }
-function parseIpv4FromMappedIpv6(mapped) {
-    if (mapped.includes(".")) {
-        return parseIpv4(mapped);
+function stripIpv6ZoneId(address) {
+    const index = address.indexOf("%");
+    return index >= 0 ? address.slice(0, index) : address;
+}
+function parseIpv6Hextets(address) {
+    let input = stripIpv6ZoneId(address.trim().toLowerCase());
+    if (!input) {
+        return null;
     }
-    const parts = mapped.split(":").filter(Boolean);
-    if (parts.length === 1) {
-        const value = Number.parseInt(parts[0], 16);
-        if (Number.isNaN(value) || value < 0 || value > 0xffff_ffff) {
+    // Handle IPv4-embedded IPv6 like ::ffff:127.0.0.1 by converting the tail to 2 hextets.
+    if (input.includes(".")) {
+        const lastColon = input.lastIndexOf(":");
+        if (lastColon < 0) {
+            return null;
+        }
+        const ipv4 = parseIpv4(input.slice(lastColon + 1));
+        if (!ipv4) {
             return null;
         }
-        return [(value >>> 24) & 0xff, (value >>> 16) & 0xff, (value >>> 8) & 0xff, value & 0xff];
+        const high = (ipv4[0] << 8) + ipv4[1];
+        const low = (ipv4[2] << 8) + ipv4[3];
+        input = `${input.slice(0, lastColon)}:${high.toString(16)}:${low.toString(16)}`;
+    }
+    const doubleColonParts = input.split("::");
+    if (doubleColonParts.length > 2) {
+        return null;
     }
-    if (parts.length !== 2) {
+    const headParts = doubleColonParts[0]?.length > 0 ? doubleColonParts[0].split(":").filter(Boolean) : [];
+    const tailParts = doubleColonParts.length === 2 && doubleColonParts[1]?.length > 0
+        ? doubleColonParts[1].split(":").filter(Boolean)
+        : [];
+    const missingParts = 8 - headParts.length - tailParts.length;
+    if (missingParts < 0) {
         return null;
     }
-    const high = Number.parseInt(parts[0], 16);
-    const low = Number.parseInt(parts[1], 16);
-    if (Number.isNaN(high) ||
-        Number.isNaN(low) ||
-        high < 0 ||
-        low < 0 ||
-        high > 0xffff ||
-        low > 0xffff) {
+    const fullParts = doubleColonParts.length === 1
+        ? input.split(":")
+        : [...headParts, ...Array.from({ length: missingParts }, () => "0"), ...tailParts];
+    if (fullParts.length !== 8) {
         return null;
     }
-    const value = (high << 16) + low;
-    return [(value >>> 24) & 0xff, (value >>> 16) & 0xff, (value >>> 8) & 0xff, value & 0xff];
+    const hextets = [];
+    for (const part of fullParts) {
+        if (!part) {
+            return null;
+        }
+        const value = Number.parseInt(part, 16);
+        if (Number.isNaN(value) || value < 0 || value > 0xffff) {
+            return null;
+        }
+        hextets.push(value);
+    }
+    return hextets;
+}
+function decodeIpv4FromHextets(high, low) {
+    return [(high >>> 8) & 0xff, high & 0xff, (low >>> 8) & 0xff, low & 0xff];
+}
+const EMBEDDED_IPV4_RULES = [
+    {
+        // IPv4-mapped: ::ffff:a.b.c.d and IPv4-compatible ::a.b.c.d.
+        matches: (hextets) => hextets[0] === 0 &&
+            hextets[1] === 0 &&
+            hextets[2] === 0 &&
+            hextets[3] === 0 &&
+            hextets[4] === 0 &&
+            (hextets[5] === 0xffff || hextets[5] === 0),
+        extract: (hextets) => [hextets[6], hextets[7]],
+    },
+    {
+        // NAT64 well-known prefix: 64:ff9b::/96.
+        matches: (hextets) => hextets[0] === 0x0064 &&
+            hextets[1] === 0xff9b &&
+            hextets[2] === 0 &&
+            hextets[3] === 0 &&
+            hextets[4] === 0 &&
+            hextets[5] === 0,
+        extract: (hextets) => [hextets[6], hextets[7]],
+    },
+    {
+        // NAT64 local-use prefix: 64:ff9b:1::/48.
+        matches: (hextets) => hextets[0] === 0x0064 &&
+            hextets[1] === 0xff9b &&
+            hextets[2] === 0x0001 &&
+            hextets[3] === 0 &&
+            hextets[4] === 0 &&
+            hextets[5] === 0,
+        extract: (hextets) => [hextets[6], hextets[7]],
+    },
+    {
+        // 6to4 prefix: 2002::/16 where hextets[1..2] carry IPv4.
+        matches: (hextets) => hextets[0] === 0x2002,
+        extract: (hextets) => [hextets[1], hextets[2]],
+    },
+    {
+        // Teredo prefix: 2001:0000::/32 with client IPv4 obfuscated via XOR 0xffff.
+        matches: (hextets) => hextets[0] === 0x2001 && hextets[1] === 0x0000,
+        extract: (hextets) => [hextets[6] ^ 0xffff, hextets[7] ^ 0xffff],
+    },
+];
+function extractIpv4FromEmbeddedIpv6(hextets) {
+    for (const rule of EMBEDDED_IPV4_RULES) {
+        if (!rule.matches(hextets)) {
+            continue;
+        }
+        const [high, low] = rule.extract(hextets);
+        return decodeIpv4FromHextets(high, low);
+    }
+    return null;
 }
 function isPrivateIpv4(parts) {
     const [octet1, octet2] = parts;
@@ -94,18 +192,50 @@ export function isPrivateIpAddress(address) {
     if (!normalized) {
         return false;
     }
-    if (normalized.startsWith("::ffff:")) {
-        const mapped = normalized.slice("::ffff:".length);
-        const ipv4 = parseIpv4FromMappedIpv6(mapped);
-        if (ipv4) {
-            return isPrivateIpv4(ipv4);
-        }
-    }
     if (normalized.includes(":")) {
-        if (normalized === "::" || normalized === "::1") {
+        const hextets = parseIpv6Hextets(normalized);
+        if (!hextets) {
+            // Security-critical parse failures should fail closed.
+            return true;
+        }
+        const isUnspecified = hextets[0] === 0 &&
+            hextets[1] === 0 &&
+            hextets[2] === 0 &&
+            hextets[3] === 0 &&
+            hextets[4] === 0 &&
+            hextets[5] === 0 &&
+            hextets[6] === 0 &&
+            hextets[7] === 0;
+        const isLoopback = hextets[0] === 0 &&
+            hextets[1] === 0 &&
+            hextets[2] === 0 &&
+            hextets[3] === 0 &&
+            hextets[4] === 0 &&
+            hextets[5] === 0 &&
+            hextets[6] === 0 &&
+            hextets[7] === 1;
+        if (isUnspecified || isLoopback) {
+            return true;
+        }
+        const embeddedIpv4 = extractIpv4FromEmbeddedIpv6(hextets);
+        if (embeddedIpv4) {
+            return isPrivateIpv4(embeddedIpv4);
+        }
+        // IPv6 private/internal ranges
+        // - link-local: fe80::/10
+        // - site-local (deprecated, but internal): fec0::/10
+        // - unique local: fc00::/7
+        const first = hextets[0];
+        if ((first & 0xffc0) === 0xfe80) {
+            return true;
+        }
+        if ((first & 0xffc0) === 0xfec0) {
+            return true;
+        }
+        if ((first & 0xfe00) === 0xfc00) {
             return true;
         }
-        return PRIVATE_IPV6_PREFIXES.some((prefix) => normalized.startsWith(prefix));
+        return false;
     }
     const ipv4 = parseIpv4(normalized);
     if (!ipv4) {
@@ -171,7 +301,11 @@ export async function resolvePinnedHostnameWithPolicy(hostname, params = {}) {
     }
     const allowPrivateNetwork = Boolean(params.policy?.allowPrivateNetwork);
     const allowedHostnames = normalizeHostnameSet(params.policy?.allowedHostnames);
+    const hostnameAllowlist = normalizeHostnameAllowlist(params.policy?.hostnameAllowlist);
     const isExplicitAllowed = allowedHostnames.has(normalized);
+    if (!matchesHostnameAllowlist(normalized, hostnameAllowlist)) {
+        throw new SsrFBlockedError(`Blocked hostname (not in allowlist): ${hostname}`);
+    }
     if (!allowPrivateNetwork && !isExplicitAllowed) {
         if (isBlockedHostname(normalized)) {
             throw new SsrFBlockedError(`Blocked hostname: ${hostname}`);