@poolzin/pool-bot 2026.2.21 → 2026.2.22

package/dist/commands/auth-choice.apply.anthropic.js

@@ -1,7 +1,9 @@
 import { upsertAuthProfile } from "../agents/auth-profiles.js";
 import { formatApiKeyPreview, normalizeApiKeyInput, validateApiKeyInput, } from "./auth-choice.api-key.js";
 import { buildTokenProfileId, validateAnthropicSetupToken } from "./auth-token.js";
+import { applyAgentDefaultModelPrimary } from "./onboard-auth.config-shared.js";
 import { applyAuthProfileConfig, setAnthropicApiKey } from "./onboard-auth.js";
+const DEFAULT_ANTHROPIC_MODEL = "anthropic/claude-sonnet-4-6";
 export async function applyAuthChoiceAnthropic(params) {
     if (params.authChoice === "setup-token" ||
         params.authChoice === "oauth" ||
@@ -12,7 +14,7 @@ export async function applyAuthChoiceAnthropic(params) {
             message: "Paste Anthropic setup-token",
             validate: (value) => validateAnthropicSetupToken(String(value ?? "")),
         });
-        const token = String(tokenRaw).trim();
+        const token = String(tokenRaw ?? "").trim();
         const profileNameRaw = await params.prompter.text({
             message: "Token name (blank = default)",
             placeholder: "default",
@@ -36,6 +38,9 @@ export async function applyAuthChoiceAnthropic(params) {
             provider,
             mode: "token",
         });
+        if (params.setDefaultModel) {
+            nextConfig = applyAgentDefaultModelPrimary(nextConfig, DEFAULT_ANTHROPIC_MODEL);
+        }
         return { config: nextConfig };
     }
     if (params.authChoice === "apiKey") {
@@ -64,13 +69,16 @@ export async function applyAuthChoiceAnthropic(params) {
                 message: "Enter Anthropic API key",
                 validate: validateApiKeyInput,
             });
-            await setAnthropicApiKey(normalizeApiKeyInput(String(key)), params.agentDir);
+            await setAnthropicApiKey(normalizeApiKeyInput(String(key ?? "")), params.agentDir);
         }
         nextConfig = applyAuthProfileConfig(nextConfig, {
             profileId: "anthropic:default",
             provider: "anthropic",
             mode: "api_key",
         });
+        if (params.setDefaultModel) {
+            nextConfig = applyAgentDefaultModelPrimary(nextConfig, DEFAULT_ANTHROPIC_MODEL);
+        }
         return { config: nextConfig };
     }
     return null;

package/dist/commands/channels/add-mutators.js

@@ -10,40 +10,8 @@ export function applyChannelAccountConfig(params) {
     const accountId = normalizeAccountId(params.accountId);
     const plugin = getChannelPlugin(params.channel);
     const apply = plugin?.setup?.applyAccountConfig;
-    if (!apply)
+    if (!apply) {
         return params.cfg;
-    const input = {
-        name: params.name,
-        token: params.token,
-        tokenFile: params.tokenFile,
-        botToken: params.botToken,
-        appToken: params.appToken,
-        signalNumber: params.signalNumber,
-        cliPath: params.cliPath,
-        dbPath: params.dbPath,
-        service: params.service,
-        region: params.region,
-        authDir: params.authDir,
-        httpUrl: params.httpUrl,
-        httpHost: params.httpHost,
-        httpPort: params.httpPort,
-        webhookPath: params.webhookPath,
-        webhookUrl: params.webhookUrl,
-        audienceType: params.audienceType,
-        audience: params.audience,
-        useEnv: params.useEnv,
-        homeserver: params.homeserver,
-        userId: params.userId,
-        accessToken: params.accessToken,
-        password: params.password,
-        deviceName: params.deviceName,
-        initialSyncLimit: params.initialSyncLimit,
-        ship: params.ship,
-        url: params.url,
-        code: params.code,
-        groupChannels: params.groupChannels,
-        dmAllowlist: params.dmAllowlist,
-        autoDiscoverChannels: params.autoDiscoverChannels,
-    };
-    return apply({ cfg: params.cfg, accountId, input });
+    }
+    return apply({ cfg: params.cfg, accountId, input: params.input });
 }

package/dist/commands/channels/add.js

@@ -4,14 +4,17 @@ import { getChannelPlugin, normalizeChannelId } from "../../channels/plugins/ind
 import { writeConfigFile } from "../../config/config.js";
 import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "../../routing/session-key.js";
 import { defaultRuntime } from "../../runtime.js";
+import { resolveTelegramAccount } from "../../telegram/accounts.js";
+import { deleteTelegramUpdateOffset } from "../../telegram/update-offset-store.js";
 import { createClackPrompter } from "../../wizard/clack-prompter.js";
 import { setupChannels } from "../onboard-channels.js";
 import { ensureOnboardingPluginInstalled, reloadOnboardingPluginRegistry, } from "../onboarding/plugin-install.js";
 import { applyAccountName, applyChannelAccountConfig } from "./add-mutators.js";
 import { channelLabel, requireValidConfig, shouldUseWizard } from "./shared.js";
 function parseList(value) {
-    if (!value?.trim())
+    if (!value?.trim()) {
         return undefined;
+    }
     const parsed = value
         .split(/[\n,;]+/g)
         .map((entry) => entry.trim())
@@ -20,19 +23,22 @@ function parseList(value) {
 }
 function resolveCatalogChannelEntry(raw, cfg) {
     const trimmed = raw.trim().toLowerCase();
-    if (!trimmed)
+    if (!trimmed) {
         return undefined;
+    }
     const workspaceDir = cfg ? resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg)) : undefined;
     return listChannelPluginCatalogEntries({ workspaceDir }).find((entry) => {
-        if (entry.id.toLowerCase() === trimmed)
+        if (entry.id.toLowerCase() === trimmed) {
             return true;
+        }
         return (entry.meta.aliases ?? []).some((alias) => alias.trim().toLowerCase() === trimmed);
     });
 }
 export async function channelsAddCommand(opts, runtime = defaultRuntime, params) {
     const cfg = await requireValidConfig(runtime);
-    if (!cfg)
+    if (!cfg) {
         return;
+    }
     let nextConfig = cfg;
     const useWizard = shouldUseWizard(params);
     if (useWizard) {
@@ -98,8 +104,9 @@ export async function channelsAddCommand(opts, runtime = defaultRuntime, params)
             workspaceDir,
         });
         nextConfig = result.cfg;
-        if (!result.installed)
+        if (!result.installed) {
             return;
+        }
         reloadOnboardingPluginRegistry({ cfg: nextConfig, runtime, workspaceDir });
         channel = normalizeChannelId(catalogEntry.id) ?? catalogEntry.id;
     }
@@ -127,52 +134,7 @@ export async function channelsAddCommand(opts, runtime = defaultRuntime, params)
             : undefined;
     const groupChannels = parseList(opts.groupChannels);
     const dmAllowlist = parseList(opts.dmAllowlist);
-    const validationError = plugin.setup.validateInput?.({
-        cfg: nextConfig,
-        accountId,
-        input: {
-            name: opts.name,
-            token: opts.token,
-            tokenFile: opts.tokenFile,
-            botToken: opts.botToken,
-            appToken: opts.appToken,
-            signalNumber: opts.signalNumber,
-            cliPath: opts.cliPath,
-            dbPath: opts.dbPath,
-            service: opts.service,
-            region: opts.region,
-            authDir: opts.authDir,
-            httpUrl: opts.httpUrl,
-            httpHost: opts.httpHost,
-            httpPort: opts.httpPort,
-            webhookPath: opts.webhookPath,
-            webhookUrl: opts.webhookUrl,
-            audienceType: opts.audienceType,
-            audience: opts.audience,
-            homeserver: opts.homeserver,
-            userId: opts.userId,
-            accessToken: opts.accessToken,
-            password: opts.password,
-            deviceName: opts.deviceName,
-            initialSyncLimit,
-            useEnv,
-            ship: opts.ship,
-            url: opts.url,
-            code: opts.code,
-            groupChannels,
-            dmAllowlist,
-            autoDiscoverChannels: opts.autoDiscoverChannels,
-        },
-    });
-    if (validationError) {
-        runtime.error(validationError);
-        runtime.exit(1);
-        return;
-    }
-    nextConfig = applyChannelAccountConfig({
-        cfg: nextConfig,
-        channel,
-        accountId,
+    const input = {
         name: opts.name,
         token: opts.token,
         tokenFile: opts.tokenFile,
@@ -204,7 +166,33 @@ export async function channelsAddCommand(opts, runtime = defaultRuntime, params)
         groupChannels,
         dmAllowlist,
         autoDiscoverChannels: opts.autoDiscoverChannels,
+    };
+    const validationError = plugin.setup.validateInput?.({
+        cfg: nextConfig,
+        accountId,
+        input,
+    });
+    if (validationError) {
+        runtime.error(validationError);
+        runtime.exit(1);
+        return;
+    }
+    const previousTelegramToken = channel === "telegram"
+        ? resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim()
+        : "";
+    nextConfig = applyChannelAccountConfig({
+        cfg: nextConfig,
+        channel,
+        accountId,
+        input,
     });
+    if (channel === "telegram") {
+        const nextTelegramToken = resolveTelegramAccount({ cfg: nextConfig, accountId }).token.trim();
+        if (previousTelegramToken !== nextTelegramToken) {
+            // Clear stale polling offsets after Telegram token rotation.
+            await deleteTelegramUpdateOffset({ accountId });
+        }
+    }
     await writeConfigFile(nextConfig);
     runtime.log(`Added ${channelLabel(channel)} account "${accountId}".`);
 }

package/dist/commands/config-validation.js

@@ -7,7 +7,7 @@ export async function requireValidConfigSnapshot(runtime) {
             ? snapshot.issues.map((issue) => `- ${issue.path}: ${issue.message}`).join("\n")
             : "Unknown validation issue.";
         runtime.error(`Config invalid:\n${issues}`);
-        runtime.error(`Fix the config or run ${formatCliCommand("openclaw doctor")}.`);
+        runtime.error(`Fix the config or run ${formatCliCommand("poolbot doctor")}.`);
         runtime.exit(1);
         return null;
     }

package/dist/commands/configure.gateway-auth.js

@@ -1,8 +1,23 @@
 import { ensureAuthProfileStore } from "../agents/auth-profiles.js";
-import { applyAuthChoice, resolvePreferredProviderForAuthChoice } from "./auth-choice.js";
 import { promptAuthChoiceGrouped } from "./auth-choice-prompt.js";
+import { applyAuthChoice, resolvePreferredProviderForAuthChoice } from "./auth-choice.js";
 import { applyModelAllowlist, applyModelFallbacksFromSelection, applyPrimaryModel, promptDefaultModel, promptModelAllowlist, } from "./model-picker.js";
+import { promptCustomApiConfig } from "./onboard-custom.js";
+import { randomToken } from "./onboard-helpers.js";
+/** Reject undefined, empty, and common JS string-coercion artifacts for token auth. */
+function sanitizeTokenValue(value) {
+    if (typeof value !== "string") {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    if (!trimmed || trimmed === "undefined" || trimmed === "null") {
+        return undefined;
+    }
+    return trimmed;
+}
 const ANTHROPIC_OAUTH_MODEL_KEYS = [
+    "anthropic/claude-sonnet-4-6",
+    "anthropic/claude-opus-4-6",
     "anthropic/claude-opus-4-5",
     "anthropic/claude-sonnet-4-5",
     "anthropic/claude-haiku-4-5",
@@ -10,12 +25,25 @@ const ANTHROPIC_OAUTH_MODEL_KEYS = [
 export function buildGatewayAuthConfig(params) {
     const allowTailscale = params.existing?.allowTailscale;
     const base = {};
-    if (typeof allowTailscale === "boolean")
+    if (typeof allowTailscale === "boolean") {
         base.allowTailscale = allowTailscale;
+    }
     if (params.mode === "token") {
-        return { ...base, mode: "token", token: params.token };
+        // Keep token mode always valid: treat empty/undefined/"undefined"/"null" as missing and generate a token.
+        const token = sanitizeTokenValue(params.token) ?? randomToken();
+        return { ...base, mode: "token", token };
+    }
+    if (params.mode === "password") {
+        const password = params.password?.trim();
+        return { ...base, mode: "password", ...(password && { password }) };
+    }
+    if (params.mode === "trusted-proxy") {
+        if (!params.trustedProxy) {
+            throw new Error("trustedProxy config is required when mode is trusted-proxy");
+        }
+        return { ...base, mode: "trusted-proxy", trustedProxy: params.trustedProxy };
     }
-    return { ...base, mode: "password", password: params.password };
+    return base;
 }
 export async function promptAuthConfig(cfg, runtime, prompter) {
     const authChoice = await promptAuthChoiceGrouped({
@@ -26,7 +54,11 @@ export async function promptAuthConfig(cfg, runtime, prompter) {
         includeSkip: true,
     });
     let next = cfg;
-    if (authChoice !== "skip") {
+    if (authChoice === "custom-api-key") {
+        const customResult = await promptCustomApiConfig({ prompter, runtime, config: next });
+        next = customResult.config;
+    }
+    else if (authChoice !== "skip") {
         const applied = await applyAuthChoice({
             authChoice,
             config: next,
@@ -44,21 +76,26 @@ export async function promptAuthConfig(cfg, runtime, prompter) {
             ignoreAllowlist: true,
             preferredProvider: resolvePreferredProviderForAuthChoice(authChoice),
         });
+        if (modelSelection.config) {
+            next = modelSelection.config;
+        }
         if (modelSelection.model) {
             next = applyPrimaryModel(next, modelSelection.model);
         }
     }
     const anthropicOAuth = authChoice === "setup-token" || authChoice === "token" || authChoice === "oauth";
-    const allowlistSelection = await promptModelAllowlist({
-        config: next,
-        prompter,
-        allowedKeys: anthropicOAuth ? ANTHROPIC_OAUTH_MODEL_KEYS : undefined,
-        initialSelections: anthropicOAuth ? ["anthropic/claude-opus-4-5"] : undefined,
-        message: anthropicOAuth ? "Anthropic OAuth models" : undefined,
-    });
-    if (allowlistSelection.models) {
-        next = applyModelAllowlist(next, allowlistSelection.models);
-        next = applyModelFallbacksFromSelection(next, allowlistSelection.models);
+    if (authChoice !== "custom-api-key") {
+        const allowlistSelection = await promptModelAllowlist({
+            config: next,
+            prompter,
+            allowedKeys: anthropicOAuth ? ANTHROPIC_OAUTH_MODEL_KEYS : undefined,
+            initialSelections: anthropicOAuth ? ["anthropic/claude-sonnet-4-6"] : undefined,
+            message: anthropicOAuth ? "Anthropic OAuth models" : undefined,
+        });
+        if (allowlistSelection.models) {
+            next = applyModelAllowlist(next, allowlistSelection.models);
+            next = applyModelFallbacksFromSelection(next, allowlistSelection.models);
+        }
     }
     return next;
 }

package/dist/commands/configure.gateway.js

@@ -1,9 +1,11 @@
 import { resolveGatewayPort } from "../config/config.js";
+import { TAILSCALE_DOCS_LINES, TAILSCALE_EXPOSURE_OPTIONS, TAILSCALE_MISSING_BIN_NOTE_LINES, } from "../gateway/gateway-config-prompts.shared.js";
 import { findTailscaleBinary } from "../infra/tailscale.js";
+import { validateIPv4AddressInput } from "../shared/net/ipv4.js";
 import { note } from "../terminal/note.js";
 import { buildGatewayAuthConfig } from "./configure.gateway-auth.js";
 import { confirm, select, text } from "./configure.shared.js";
-import { guardCancel, randomToken } from "./onboard-helpers.js";
+import { guardCancel, normalizeGatewayTokenInput, randomToken, validateGatewayPasswordInput, } from "./onboard-helpers.js";
 export async function promptGatewayConfig(cfg, runtime) {
     const portRaw = guardCancel(await text({
         message: "Gateway port",
@@ -46,20 +48,7 @@ export async function promptGatewayConfig(cfg, runtime) {
         const input = guardCancel(await text({
             message: "Custom IP address",
             placeholder: "192.168.1.100",
-            validate: (value) => {
-                if (!value)
-                    return "IP address is required for custom bind mode";
-                const trimmed = value.trim();
-                const parts = trimmed.split(".");
-                if (parts.length !== 4)
-                    return "Invalid IPv4 address (e.g., 192.168.1.100)";
-                if (parts.every((part) => {
-                    const n = parseInt(part, 10);
-                    return !Number.isNaN(n) && n >= 0 && n <= 255 && part === String(n);
-                }))
-                    return undefined;
-                return "Invalid IPv4 address (each octet must be 0-255)";
-            },
+            validate: validateIPv4AddressInput,
         }), runtime);
         customBindHost = typeof input === "string" ? input : undefined;
     }
@@ -68,41 +57,28 @@ export async function promptGatewayConfig(cfg, runtime) {
         options: [
             { value: "token", label: "Token", hint: "Recommended default" },
             { value: "password", label: "Password" },
+            {
+                value: "trusted-proxy",
+                label: "Trusted Proxy",
+                hint: "Behind reverse proxy (Pomerium, Caddy, Traefik, etc.)",
+            },
         ],
         initialValue: "token",
     }), runtime);
-    const tailscaleMode = guardCancel(await select({
+    let tailscaleMode = guardCancel(await select({
         message: "Tailscale exposure",
-        options: [
-            { value: "off", label: "Off", hint: "No Tailscale exposure" },
-            {
-                value: "serve",
-                label: "Serve",
-                hint: "Private HTTPS for your tailnet (devices on Tailscale)",
-            },
-            {
-                value: "funnel",
-                label: "Funnel",
-                hint: "Public HTTPS via Tailscale Funnel (internet)",
-            },
-        ],
+        options: [...TAILSCALE_EXPOSURE_OPTIONS],
     }), runtime);
     // Detect Tailscale binary before proceeding with serve/funnel setup.
     if (tailscaleMode !== "off") {
         const tailscaleBin = await findTailscaleBinary();
         if (!tailscaleBin) {
-            note([
-                "Tailscale binary not found in PATH or /Applications.",
-                "Ensure Tailscale is installed from:",
-                "  https://tailscale.com/download/mac",
-                "",
-                "You can continue setup, but serve/funnel will fail at runtime.",
-            ].join("\n"), "Tailscale Warning");
+            note(TAILSCALE_MISSING_BIN_NOTE_LINES.join("\n"), "Tailscale Warning");
         }
     }
     let tailscaleResetOnExit = false;
     if (tailscaleMode !== "off") {
-        note(["Docs:", "https://docs.molt.bot/gateway/tailscale", "https://docs.molt.bot/web"].join("\n"), "Tailscale");
+        note(TAILSCALE_DOCS_LINES.join("\n"), "Tailscale");
         tailscaleResetOnExit = Boolean(guardCancel(await confirm({
             message: "Reset Tailscale serve/funnel on exit?",
             initialValue: false,
@@ -116,28 +92,95 @@ export async function promptGatewayConfig(cfg, runtime) {
         note("Tailscale funnel requires password auth.", "Note");
         authMode = "password";
     }
+    if (authMode === "trusted-proxy" && bind === "loopback") {
+        note("Trusted proxy auth requires network bind. Adjusting bind to lan.", "Note");
+        bind = "lan";
+    }
+    if (authMode === "trusted-proxy" && tailscaleMode !== "off") {
+        note("Trusted proxy auth is incompatible with Tailscale serve/funnel. Disabling Tailscale.", "Note");
+        tailscaleMode = "off";
+        tailscaleResetOnExit = false;
+    }
     let gatewayToken;
     let gatewayPassword;
+    let trustedProxyConfig;
+    let trustedProxies;
     let next = cfg;
     if (authMode === "token") {
         const tokenInput = guardCancel(await text({
             message: "Gateway token (blank to generate)",
             initialValue: randomToken(),
         }), runtime);
-        gatewayToken = String(tokenInput).trim() || randomToken();
+        gatewayToken = normalizeGatewayTokenInput(tokenInput) || randomToken();
     }
     if (authMode === "password") {
         const password = guardCancel(await text({
             message: "Gateway password",
-            validate: (value) => (value?.trim() ? undefined : "Required"),
+            validate: validateGatewayPasswordInput,
+        }), runtime);
+        gatewayPassword = String(password ?? "").trim();
+    }
+    if (authMode === "trusted-proxy") {
+        note([
+            "Trusted proxy mode: Pool Bot trusts user identity from a reverse proxy.",
+            "The proxy must authenticate users and pass identity via headers.",
+            "Only requests from specified proxy IPs will be trusted.",
+            "",
+            "Common use cases: Pomerium, Caddy + OAuth, Traefik + forward auth",
+            "Docs: https://docs.poolbot.dev/gateway/trusted-proxy-auth",
+        ].join("\n"), "Trusted Proxy Auth");
+        const userHeader = guardCancel(await text({
+            message: "Header containing user identity",
+            placeholder: "x-forwarded-user",
+            initialValue: "x-forwarded-user",
+            validate: (value) => (value?.trim() ? undefined : "User header is required"),
+        }), runtime);
+        const requiredHeadersRaw = guardCancel(await text({
+            message: "Required headers (comma-separated, optional)",
+            placeholder: "x-forwarded-proto,x-forwarded-host",
+        }), runtime);
+        const requiredHeaders = requiredHeadersRaw
+            ? String(requiredHeadersRaw)
+                .split(",")
+                .map((h) => h.trim())
+                .filter(Boolean)
+            : [];
+        const allowUsersRaw = guardCancel(await text({
+            message: "Allowed users (comma-separated, blank = all authenticated users)",
+            placeholder: "nick@example.com,admin@company.com",
+        }), runtime);
+        const allowUsers = allowUsersRaw
+            ? String(allowUsersRaw)
+                .split(",")
+                .map((u) => u.trim())
+                .filter(Boolean)
+            : [];
+        const trustedProxiesRaw = guardCancel(await text({
+            message: "Trusted proxy IPs (comma-separated)",
+            placeholder: "10.0.1.10,192.168.1.5",
+            validate: (value) => {
+                if (!value || String(value).trim() === "") {
+                    return "At least one trusted proxy IP is required";
+                }
+                return undefined;
+            },
         }), runtime);
-        gatewayPassword = String(password).trim();
+        trustedProxies = String(trustedProxiesRaw)
+            .split(",")
+            .map((ip) => ip.trim())
+            .filter(Boolean);
+        trustedProxyConfig = {
+            userHeader: String(userHeader).trim(),
+            requiredHeaders: requiredHeaders.length > 0 ? requiredHeaders : undefined,
+            allowUsers: allowUsers.length > 0 ? allowUsers : undefined,
+        };
     }
     const authConfig = buildGatewayAuthConfig({
         existing: next.gateway?.auth,
         mode: authMode,
         token: gatewayToken,
         password: gatewayPassword,
+        trustedProxy: trustedProxyConfig,
     });
     next = {
         ...next,
@@ -148,6 +191,7 @@ export async function promptGatewayConfig(cfg, runtime) {
             bind,
             auth: authConfig,
             ...(customBindHost && { customBindHost }),
+            ...(trustedProxies && { trustedProxies }),
             tailscale: {
                 ...next.gateway?.tailscale,
                 mode: tailscaleMode,

package/dist/commands/doctor-completion.js

@@ -2,11 +2,11 @@ import { spawnSync } from "node:child_process";
 import path from "node:path";
 import { resolveCliName } from "../cli/cli-name.js";
 import { completionCacheExists, installCompletion, isCompletionInstalled, resolveCompletionCachePath, resolveShellFromEnv, usesSlowDynamicCompletion, } from "../cli/completion-cli.js";
-import { resolveOpenClawPackageRoot } from "../infra/openclaw-root.js";
+import { resolvePoolBotPackageRoot } from "../infra/poolbot-root.js";
 import { note } from "../terminal/note.js";
 /** Generate the completion cache by spawning the CLI. */
 async function generateCompletionCache() {
-    const root = await resolveOpenClawPackageRoot({
+    const root = await resolvePoolBotPackageRoot({
         moduleUrl: import.meta.url,
         argv1: process.argv[1],
         cwd: process.cwd(),
@@ -14,7 +14,7 @@ async function generateCompletionCache() {
     if (!root) {
         return false;
     }
-    const binPath = path.join(root, "openclaw.mjs");
+    const binPath = path.join(root, "poolbot.mjs");
     const result = spawnSync(process.execPath, [binPath, "completion", "--write-state"], {
         cwd: root,
         env: process.env,