npm - @poolzin/pool-bot - Versions diffs - 2026.2.21 → 2026.2.22 - Mend

@poolzin/pool-bot 2026.2.21 → 2026.2.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (369) hide show

package/CHANGELOG.md +17 -0
package/dist/agents/api-key-rotation.js +47 -0
package/dist/agents/apply-patch-update.js +19 -9
package/dist/agents/apply-patch.js +72 -47
package/dist/agents/bash-tools.exec.js +141 -559
package/dist/agents/cli-backends.js +49 -6
package/dist/agents/cli-runner/helpers.js +69 -152
package/dist/agents/cli-runner.js +70 -19
package/dist/agents/identity.js +20 -1
package/dist/agents/image-sanitization.js +9 -0
package/dist/agents/live-auth-keys.js +123 -26
package/dist/agents/live-model-filter.js +13 -4
package/dist/agents/model-catalog.js +40 -9
package/dist/agents/model-forward-compat.js +60 -23
package/dist/agents/model-selection.js +134 -41
package/dist/agents/pi-auth-json.js +2 -2
package/dist/agents/pi-embedded-helpers/bootstrap.js +65 -15
package/dist/agents/pi-embedded-helpers/errors.js +140 -15
package/dist/agents/pi-embedded-helpers/images.js +22 -12
package/dist/agents/pi-embedded-helpers.js +2 -2
package/dist/agents/pi-embedded-runner/abort.js +10 -3
package/dist/agents/pi-embedded-runner/compact.js +230 -32
package/dist/agents/pi-embedded-runner/extra-params.js +203 -12
package/dist/agents/pi-embedded-runner/google.js +109 -19
package/dist/agents/pi-embedded-runner/history.js +35 -17
package/dist/agents/pi-embedded-runner/run/attempt.js +386 -95
package/dist/agents/pi-embedded-runner/run/images.js +81 -55
package/dist/agents/pi-embedded-runner/run/payloads.js +89 -39
package/dist/agents/pi-embedded-runner/run.js +193 -25
package/dist/agents/pi-embedded-runner/run.overflow-compaction.mocks.shared.js +2 -2
package/dist/agents/pi-embedded-runner/runs.js +17 -8
package/dist/agents/pi-embedded-runner/tool-result-context-guard.js +262 -0
package/dist/agents/pi-embedded-runner.js +1 -1
package/dist/agents/pi-embedded-subscribe.handlers.tools.js +180 -10
package/dist/agents/pi-embedded-subscribe.js +37 -0
package/dist/agents/pi-embedded-subscribe.tools.js +127 -30
package/dist/agents/pi-model-discovery.js +9 -2
package/dist/agents/pi-tool-definition-adapter.js +60 -8
package/dist/agents/pi-tools.before-tool-call.js +1 -1
package/dist/agents/pi-tools.js +113 -94
package/dist/agents/pi-tools.read.js +337 -38
package/dist/agents/poolbot-tools.js +14 -5
package/dist/agents/sandbox/docker.js +10 -5
package/dist/agents/sandbox/registry.js +96 -46
package/dist/agents/sandbox/sanitize-env-vars.js +82 -0
package/dist/agents/sandbox-paths.js +43 -10
package/dist/agents/session-tool-result-guard-wrapper.js +23 -11
package/dist/agents/session-tool-result-guard.js +39 -39
package/dist/agents/session-transcript-repair.js +36 -33
package/dist/agents/session-write-lock.js +62 -44
package/dist/agents/skills/frontmatter.js +49 -88
package/dist/agents/skills/workspace.js +335 -28
package/dist/agents/subagent-announce.js +508 -174
package/dist/agents/subagent-registry.js +45 -4
package/dist/agents/subagent-spawn.js +16 -33
package/dist/agents/system-prompt-report.js +27 -10
package/dist/agents/system-prompt.js +26 -32
package/dist/agents/tool-call-id.js +69 -17
package/dist/agents/tool-display-common.js +1 -1
package/dist/agents/tool-images.js +64 -31
package/dist/agents/tools/canvas-tool.js +17 -11
package/dist/agents/tools/common.js +37 -19
package/dist/agents/tools/cron-tool.js +40 -38
package/dist/agents/tools/gateway.js +70 -2
package/dist/agents/tools/message-tool.js +181 -40
package/dist/agents/tools/nodes-tool.js +128 -36
package/dist/agents/tools/nodes-utils.js +12 -38
package/dist/agents/tools/session-status-tool.js +24 -71
package/dist/agents/tools/sessions-helpers.js +38 -210
package/dist/agents/tools/sessions-spawn-tool.js +28 -198
package/dist/agents/tools/telegram-actions.js +58 -7
package/dist/agents/tools/web-fetch-utils.js +112 -7
package/dist/agents/tools/web-fetch.js +279 -175
package/dist/agents/tools/web-shared.js +71 -8
package/dist/agents/usage.js +25 -16
package/dist/auto-reply/commands-registry.data.js +85 -11
package/dist/auto-reply/dispatch.js +40 -21
package/dist/auto-reply/reply/abort.js +102 -33
package/dist/auto-reply/reply/commands-core.js +82 -33
package/dist/auto-reply/reply/commands-export-session.js +1 -1
package/dist/auto-reply/reply/commands-info.js +41 -12
package/dist/auto-reply/reply/commands-subagents.js +352 -100
package/dist/auto-reply/reply/commands-system-prompt.js +2 -2
package/dist/auto-reply/reply/dispatch-from-config.js +100 -29
package/dist/auto-reply/reply/elevated-unavailable.js +1 -1
package/dist/auto-reply/reply/inbound-meta.js +12 -1
package/dist/auto-reply/reply/mentions.js +18 -11
package/dist/auto-reply/reply/normalize-reply.js +17 -8
package/dist/auto-reply/reply/reply-dispatcher.js +62 -10
package/dist/auto-reply/reply/session.js +102 -21
package/dist/auto-reply/reply/streaming-directives.js +16 -5
package/dist/auto-reply/status.js +73 -50
package/dist/browser/extension-relay.js +3 -3
package/dist/browser/http-auth.js +1 -1
package/dist/browser/paths.js +2 -2
package/dist/build-info.json +3 -3
package/dist/channels/allowlist-match.js +20 -0
package/dist/channels/allowlists/resolve-utils.js +65 -2
package/dist/channels/chat-type.js +8 -4
package/dist/channels/dock.js +127 -35
package/dist/channels/draft-stream-loop.js +6 -2
package/dist/channels/plugins/actions/telegram.js +42 -18
package/dist/channels/plugins/allowlist-match.js +1 -1
package/dist/channels/plugins/group-mentions.js +51 -41
package/dist/channels/plugins/message-action-names.js +2 -0
package/dist/channels/plugins/message-actions.js +24 -5
package/dist/channels/plugins/normalize/discord.js +26 -4
package/dist/channels/plugins/normalize/signal.js +35 -22
package/dist/channels/plugins/onboarding/helpers.js +8 -26
package/dist/channels/plugins/outbound/imessage.js +15 -14
package/dist/channels/registry.js +20 -7
package/dist/cli/acp-cli.js +7 -5
package/dist/cli/browser-cli-extension.js +25 -12
package/dist/cli/browser-cli-state.cookies-storage.js +25 -6
package/dist/cli/browser-cli-state.js +101 -145
package/dist/cli/command-options.js +28 -0
package/dist/cli/completion-cli.js +6 -6
package/dist/cli/cron-cli/register.cron-add.js +25 -1
package/dist/cli/cron-cli/register.cron-edit.js +44 -0
package/dist/cli/cron-cli/shared.js +7 -1
package/dist/cli/daemon-cli/lifecycle-core.js +23 -21
package/dist/cli/daemon-cli/lifecycle.js +23 -247
package/dist/cli/daemon-cli/register-service-commands.js +25 -4
package/dist/cli/daemon-cli.js +1 -0
package/dist/cli/devices-cli.js +33 -20
package/dist/cli/gateway-cli/register.js +37 -105
package/dist/cli/gateway-cli/run.js +49 -11
package/dist/cli/nodes-camera.js +59 -4
package/dist/cli/nodes-cli/register.camera.js +27 -24
package/dist/cli/nodes-cli/rpc.js +21 -38
package/dist/cli/qr-cli.js +2 -2
package/dist/cli/skills-cli.format.js +2 -2
package/dist/cli/update-cli/progress.js +2 -2
package/dist/cli/update-cli/restart-helper.js +28 -7
package/dist/cli/update-cli/shared.js +7 -7
package/dist/cli/update-cli/status.js +1 -1
package/dist/cli/update-cli/update-command.js +14 -8
package/dist/cli/update-cli/wizard.js +2 -2
package/dist/cli/update-cli.js +21 -1027
package/dist/commands/auth-choice.apply.anthropic.js +10 -2
package/dist/commands/channels/add-mutators.js +3 -35
package/dist/commands/channels/add.js +39 -51
package/dist/commands/config-validation.js +1 -1
package/dist/commands/configure.gateway-auth.js +52 -15
package/dist/commands/configure.gateway.js +84 -40
package/dist/commands/doctor-completion.js +3 -3
package/dist/commands/doctor-config-flow.js +536 -16
package/dist/commands/doctor-gateway-services.js +103 -79
package/dist/commands/doctor-memory-search.js +9 -9
package/dist/commands/doctor-platform-notes.js +57 -30
package/dist/commands/doctor-prompter.js +26 -15
package/dist/commands/doctor-session-locks.js +1 -1
package/dist/commands/doctor.js +21 -9
package/dist/commands/model-picker.js +120 -95
package/dist/commands/models/set.js +2 -21
package/dist/commands/models/shared.js +65 -37
package/dist/commands/onboard-helpers.js +81 -39
package/dist/commands/openai-codex-oauth.js +1 -1
package/dist/commands/sessions.js +52 -53
package/dist/commands/status.summary.js +52 -34
package/dist/commands/test-wizard-helpers.js +2 -2
package/dist/config/defaults.js +79 -42
package/dist/config/group-policy.js +50 -18
package/dist/config/includes.js +37 -10
package/dist/config/schema.help.js +5 -4
package/dist/config/schema.hints.js +2 -2
package/dist/config/schema.labels.js +1 -0
package/dist/config/sessions/group.js +12 -11
package/dist/config/sessions/paths.js +137 -11
package/dist/config/sessions/store.js +185 -65
package/dist/config/sessions/types.js +15 -1
package/dist/config/sessions.js +1 -0
package/dist/config/telegram-custom-commands.js +3 -2
package/dist/config/types.js +2 -0
package/dist/config/zod-schema.agent-defaults.js +6 -27
package/dist/config/zod-schema.agent-runtime.js +171 -79
package/dist/config/zod-schema.providers-core.js +138 -65
package/dist/config/zod-schema.session.js +49 -22
package/dist/control-ui/assets/index-HRr1grwl.js.map +1 -1
package/dist/cron/isolated-agent/run.js +224 -57
package/dist/cron/normalize.js +48 -45
package/dist/cron/run-log.js +14 -0
package/dist/cron/service/jobs.js +190 -28
package/dist/cron/service/normalize.js +29 -11
package/dist/cron/service/store.js +30 -44
package/dist/cron/service/timer.js +182 -96
package/dist/cron/service.js +3 -0
package/dist/cron/stagger.js +37 -0
package/dist/daemon/inspect.js +132 -92
package/dist/daemon/runtime-paths.js +25 -4
package/dist/daemon/service-audit.js +47 -16
package/dist/discord/accounts.js +23 -20
package/dist/discord/monitor/agent-components.js +1115 -219
package/dist/discord/monitor/allow-list.js +114 -34
package/dist/discord/monitor/listeners.js +204 -97
package/dist/discord/monitor/message-handler.js +21 -10
package/dist/discord/monitor/message-handler.preflight.js +195 -101
package/dist/discord/monitor/message-handler.process.js +384 -123
package/dist/discord/monitor/message-utils.js +86 -23
package/dist/discord/monitor/native-command.js +77 -57
package/dist/discord/monitor/provider.js +122 -117
package/dist/discord/monitor/reply-context.js +20 -16
package/dist/discord/monitor/reply-delivery.js +40 -8
package/dist/discord/monitor/rest-fetch.js +22 -0
package/dist/discord/monitor/threading.js +117 -24
package/dist/discord/send.js +2 -1
package/dist/discord/send.outbound.js +124 -11
package/dist/discord/send.shared.js +112 -72
package/dist/discord/voice-message.js +3 -3
package/dist/gateway/auth.js +119 -44
package/dist/gateway/call.js +76 -34
package/dist/gateway/channel-health-monitor.js +57 -50
package/dist/gateway/client.js +63 -29
package/dist/gateway/control-ui-contract.js +1 -1
package/dist/gateway/gateway-config-prompts.shared.js +2 -2
package/dist/gateway/net.js +109 -1
package/dist/gateway/protocol/index.js +5 -8
package/dist/gateway/protocol/schema/agent.js +19 -1
package/dist/gateway/protocol/schema/channels.js +21 -0
package/dist/gateway/protocol/schema/cron.js +43 -30
package/dist/gateway/protocol/schema/protocol-schemas.js +6 -11
package/dist/gateway/protocol/schema/sessions.js +5 -1
package/dist/gateway/protocol/schema.js +0 -1
package/dist/gateway/server/presence-events.js +12 -0
package/dist/gateway/server/ws-connection/message-handler.js +203 -212
package/dist/gateway/server/ws-connection.js +58 -21
package/dist/gateway/server-broadcast.js +18 -13
package/dist/gateway/server-cron.js +177 -10
package/dist/gateway/server-methods/agent-job.js +131 -38
package/dist/gateway/server-methods/send.js +60 -14
package/dist/gateway/server-methods/sessions.js +160 -96
package/dist/gateway/server-methods/system.js +5 -7
package/dist/gateway/server-methods-list.js +8 -0
package/dist/gateway/server-methods.js +24 -8
package/dist/gateway/server-node-events.js +278 -68
package/dist/gateway/session-utils.fs.js +316 -75
package/dist/gateway/session-utils.js +224 -70
package/dist/gateway/sessions-patch.js +63 -20
package/dist/gateway/test-temp-config.js +1 -1
package/dist/gateway/tools-invoke-http.js +118 -70
package/dist/gateway/ws-log.js +135 -107
package/dist/hooks/frontmatter.js +36 -82
package/dist/hooks/install.js +149 -139
package/dist/hooks/internal-hooks.js +29 -4
package/dist/hooks/plugin-hooks.js +2 -1
package/dist/imessage/monitor/deliver.js +10 -4
package/dist/imessage/monitor/monitor-provider.js +138 -375
package/dist/imessage/monitor/runtime.js +4 -8
package/dist/imessage/send.js +65 -19
package/dist/infra/exec-approvals-allowlist.js +7 -0
package/dist/infra/exec-approvals.js +35 -920
package/dist/infra/exec-safe-bin-trust.js +64 -0
package/dist/infra/heartbeat-runner.js +207 -134
package/dist/infra/heartbeat-wake.js +183 -22
package/dist/infra/install-source-utils.js +47 -0
package/dist/infra/net/ssrf.js +170 -36
package/dist/infra/outbound/deliver.js +224 -58
package/dist/infra/outbound/message-action-spec.js +12 -5
package/dist/infra/outbound/outbound-session.js +27 -25
package/dist/infra/poolbot-root.js +32 -22
package/dist/infra/ports.js +14 -11
package/dist/infra/skills-remote.js +48 -37
package/dist/infra/system-events.js +25 -11
package/dist/infra/system-presence.js +26 -33
package/dist/infra/tmp-poolbot-dir.js +81 -2
package/dist/infra/wsl.js +37 -1
package/dist/line/bot-message-context.js +163 -191
package/dist/logging/subsystem.js +59 -22
package/dist/markdown/ir.js +124 -50
package/dist/media/store.js +1 -1
package/dist/media-understanding/runner.entries.js +42 -25
package/dist/media-understanding/runner.js +53 -488
package/dist/memory/embeddings-gemini.js +53 -38
package/dist/memory/manager-embedding-ops.js +48 -69
package/dist/pairing/pairing-store.js +178 -119
package/dist/plugin-sdk/index.js +34 -6
package/dist/plugins/hooks.js +135 -14
package/dist/plugins/install.js +190 -152
package/dist/polls.js +11 -0
package/dist/routing/resolve-route.js +190 -56
package/dist/routing/session-key.js +38 -22
package/dist/runtime.js +35 -9
package/dist/security/audit-channel.js +1 -1
package/dist/sessions/session-key-utils.js +29 -11
package/dist/shared/frontmatter.js +5 -5
package/dist/shared/node-list-types.js +1 -0
package/dist/shared/string-normalization.js +15 -0
package/dist/signal/monitor/event-handler.js +68 -36
package/dist/signal/send.js +29 -37
package/dist/slack/monitor/allow-list.js +10 -11
package/dist/slack/monitor/commands.js +14 -3
package/dist/slack/monitor/events/interactions.js +4 -4
package/dist/slack/monitor/media.js +224 -16
package/dist/slack/monitor/message-handler/dispatch.js +247 -13
package/dist/slack/monitor/message-handler/prepare.js +128 -45
package/dist/slack/monitor/slash.js +357 -144
package/dist/slack/streaming.js +77 -0
package/dist/telegram/accounts.js +40 -13
package/dist/telegram/allowed-updates.js +3 -0
package/dist/telegram/bot/delivery.js +129 -66
package/dist/telegram/bot/helpers.js +136 -122
package/dist/telegram/bot-handlers.js +600 -339
package/dist/telegram/bot-message-context.js +115 -73
package/dist/telegram/bot-message-dispatch.js +235 -104
package/dist/telegram/bot-native-command-menu.js +3 -1
package/dist/telegram/bot-native-commands.js +213 -193
package/dist/telegram/bot.js +24 -132
package/dist/telegram/draft-stream.js +84 -75
package/dist/telegram/format.js +150 -6
package/dist/telegram/send.js +415 -255
package/dist/telegram/targets.js +21 -2
package/dist/telegram/update-offset-store.js +19 -3
package/dist/terminal/restore.js +5 -2
package/dist/test-utils/fetch-mock.js +5 -0
package/dist/version.js +18 -5
package/dist/web/auto-reply/monitor/broadcast.js +7 -3
package/dist/web/auto-reply/monitor/on-message.js +6 -3
package/dist/web/inbound/media.js +34 -8
package/dist/web/inbound/monitor.js +34 -17
package/dist/web/inbound/send-api.js +18 -17
package/dist/web/outbound.js +12 -5
package/dist/wizard/clack-prompter.js +40 -7
package/extensions/bluebubbles/package.json +1 -1
package/extensions/copilot-proxy/package.json +1 -1
package/extensions/diagnostics-otel/package.json +1 -1
package/extensions/discord/package.json +1 -1
package/extensions/feishu/package.json +1 -1
package/extensions/google-antigravity-auth/package.json +1 -1
package/extensions/google-gemini-cli-auth/package.json +1 -1
package/extensions/googlechat/package.json +1 -1
package/extensions/imessage/package.json +1 -1
package/extensions/irc/package.json +1 -1
package/extensions/line/package.json +1 -1
package/extensions/llm-task/package.json +1 -1
package/extensions/lobster/package.json +1 -1
package/extensions/matrix/CHANGELOG.md +5 -0
package/extensions/matrix/package.json +1 -1
package/extensions/mattermost/package.json +1 -1
package/extensions/memory-core/package.json +1 -1
package/extensions/memory-lancedb/package.json +1 -1
package/extensions/minimax-portal-auth/package.json +1 -1
package/extensions/msteams/CHANGELOG.md +5 -0
package/extensions/msteams/package.json +1 -1
package/extensions/nextcloud-talk/package.json +1 -1
package/extensions/nostr/CHANGELOG.md +5 -0
package/extensions/nostr/package.json +1 -1
package/extensions/open-prose/package.json +1 -1
package/extensions/openai-codex-auth/package.json +1 -1
package/extensions/signal/package.json +1 -1
package/extensions/slack/package.json +1 -1
package/extensions/telegram/package.json +1 -1
package/extensions/tlon/package.json +1 -1
package/extensions/twitch/CHANGELOG.md +5 -0
package/extensions/twitch/package.json +1 -1
package/extensions/voice-call/CHANGELOG.md +5 -0
package/extensions/voice-call/package.json +1 -1
package/extensions/whatsapp/package.json +1 -1
package/extensions/zalo/CHANGELOG.md +5 -0
package/extensions/zalo/package.json +1 -1
package/extensions/zalouser/CHANGELOG.md +5 -0
package/extensions/zalouser/package.json +1 -1
package/package.json +1 -1
package/skills/apple-reminders/SKILL.md +100 -49
package/skills/coding-agent/SKILL.md +34 -28
package/skills/github/SKILL.md +131 -16
package/skills/imsg/SKILL.md +112 -15
package/skills/openhue/SKILL.md +101 -19
package/skills/tmux/SKILL.md +111 -79
package/skills/weather/SKILL.md +88 -25

package/dist/gateway/call.js CHANGED Viewed

@@ -1,11 +1,35 @@
 import { randomUUID } from "node:crypto";
 import { loadConfig, resolveConfigPath, resolveGatewayPort, resolveStateDir, } from "../config/config.js";
-import { pickPrimaryTailnetIPv4 } from "../infra/tailnet.js";
 import { loadOrCreateDeviceIdentity } from "../infra/device-identity.js";
-import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
+import { pickPrimaryTailnetIPv4 } from "../infra/tailnet.js";
 import { loadGatewayTlsRuntime } from "../infra/tls/gateway.js";
+import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
 import { GatewayClient } from "./client.js";
+import { pickPrimaryLanIPv4 } from "./net.js";
 import { PROTOCOL_VERSION } from "./protocol/index.js";
+export function resolveExplicitGatewayAuth(opts) {
+    const token = typeof opts?.token === "string" && opts.token.trim().length > 0 ? opts.token.trim() : undefined;
+    const password = typeof opts?.password === "string" && opts.password.trim().length > 0
+        ? opts.password.trim()
+        : undefined;
+    return { token, password };
+}
+export function ensureExplicitGatewayAuth(params) {
+    if (!params.urlOverride) {
+        return;
+    }
+    if (params.auth.token || params.auth.password) {
+        return;
+    }
+    const message = [
+        "gateway url override requires explicit credentials",
+        params.errorHint,
+        params.configPath ? `Config: ${params.configPath}` : undefined,
+    ]
+        .filter(Boolean)
+        .join("\n");
+    throw new Error(message);
+}
 export function buildGatewayConnectionDetails(options = {}) {
     const config = options.config ?? loadConfig();
     const configPath = options.configPath ?? resolveConfigPath(process.env, resolveStateDir(process.env));
@@ -16,10 +40,14 @@ export function buildGatewayConnectionDetails(options = {}) {
     const tailnetIPv4 = pickPrimaryTailnetIPv4();
     const bindMode = config.gateway?.bind ?? "loopback";
     const preferTailnet = bindMode === "tailnet" && !!tailnetIPv4;
+    const preferLan = bindMode === "lan";
+    const lanIPv4 = preferLan ? pickPrimaryLanIPv4() : undefined;
     const scheme = tlsEnabled ? "wss" : "ws";
     const localUrl = preferTailnet && tailnetIPv4
         ? `${scheme}://${tailnetIPv4}:${localPort}`
-        : `${scheme}://127.0.0.1:${localPort}`;
+        : preferLan && lanIPv4
+            ? `${scheme}://${lanIPv4}:${localPort}`
+            : `${scheme}://127.0.0.1:${localPort}`;
     const urlOverride = typeof options.url === "string" && options.url.trim().length > 0
         ? options.url.trim()
         : undefined;
@@ -34,7 +62,9 @@ export function buildGatewayConnectionDetails(options = {}) {
                 ? "missing gateway.remote.url (fallback local)"
                 : preferTailnet && tailnetIPv4
                     ? `local tailnet ${tailnetIPv4}`
-                    : "local loopback";
+                    : preferLan && lanIPv4
+                        ? `local lan ${lanIPv4}`
+                        : "local loopback";
     const remoteFallbackNote = remoteMisconfigured
         ? "Warn: gateway.mode=remote but gateway.remote.url is missing; set gateway.remote.url or switch gateway.mode=local."
         : undefined;
@@ -57,11 +87,19 @@ export function buildGatewayConnectionDetails(options = {}) {
     };
 }
 export async function callGateway(opts) {
-    const timeoutMs = opts.timeoutMs ?? 10_000;
+    const timeoutMs = typeof opts.timeoutMs === "number" && Number.isFinite(opts.timeoutMs) ? opts.timeoutMs : 10_000;
+    const safeTimerTimeoutMs = Math.max(1, Math.min(Math.floor(timeoutMs), 2_147_483_647));
     const config = opts.config ?? loadConfig();
     const isRemoteMode = config.gateway?.mode === "remote";
     const remote = isRemoteMode ? config.gateway?.remote : undefined;
     const urlOverride = typeof opts.url === "string" && opts.url.trim().length > 0 ? opts.url.trim() : undefined;
+    const explicitAuth = resolveExplicitGatewayAuth({ token: opts.token, password: opts.password });
+    ensureExplicitGatewayAuth({
+        urlOverride,
+        auth: explicitAuth,
+        errorHint: "Fix: pass --token or --password (or gatewayToken in tools).",
+        configPath: opts.configPath ?? resolveConfigPath(process.env, resolveStateDir(process.env)),
+    });
     const remoteUrl = typeof remote?.url === "string" && remote.url.trim().length > 0 ? remote.url.trim() : undefined;
     if (isRemoteMode && !urlOverride && !remoteUrl) {
         const configPath = opts.configPath ?? resolveConfigPath(process.env, resolveStateDir(process.env));
@@ -88,30 +126,30 @@ export async function callGateway(opts) {
     const tlsFingerprint = overrideTlsFingerprint ||
         remoteTlsFingerprint ||
         (tlsRuntime?.enabled ? tlsRuntime.fingerprintSha256 : undefined);
-    const token = (typeof opts.token === "string" && opts.token.trim().length > 0
-        ? opts.token.trim()
-        : undefined) ||
-        (isRemoteMode
-            ? typeof remote?.token === "string" && remote.token.trim().length > 0
-                ? remote.token.trim()
-                : undefined
-            : process.env.POOLBOT_GATEWAY_TOKEN?.trim() ||
-                process.env.CLAWDBOT_GATEWAY_TOKEN?.trim() ||
-                (typeof authToken === "string" && authToken.trim().length > 0
-                    ? authToken.trim()
-                    : undefined));
-    const password = (typeof opts.password === "string" && opts.password.trim().length > 0
-        ? opts.password.trim()
-        : undefined) ||
-        process.env.POOLBOT_GATEWAY_PASSWORD?.trim() ||
-        process.env.CLAWDBOT_GATEWAY_PASSWORD?.trim() ||
-        (isRemoteMode
-            ? typeof remote?.password === "string" && remote.password.trim().length > 0
-                ? remote.password.trim()
-                : undefined
-            : typeof authPassword === "string" && authPassword.trim().length > 0
-                ? authPassword.trim()
-                : undefined);
+    const token = explicitAuth.token ||
+        (!urlOverride
+            ? isRemoteMode
+                ? typeof remote?.token === "string" && remote.token.trim().length > 0
+                    ? remote.token.trim()
+                    : undefined
+                : process.env.POOLBOT_GATEWAY_TOKEN?.trim() ||
+                    process.env.CLAWDBOT_GATEWAY_TOKEN?.trim() ||
+                    (typeof authToken === "string" && authToken.trim().length > 0
+                        ? authToken.trim()
+                        : undefined)
+            : undefined);
+    const password = explicitAuth.password ||
+        (!urlOverride
+            ? process.env.POOLBOT_GATEWAY_PASSWORD?.trim() ||
+                process.env.CLAWDBOT_GATEWAY_PASSWORD?.trim() ||
+                (isRemoteMode
+                    ? typeof remote?.password === "string" && remote.password.trim().length > 0
+                        ? remote.password.trim()
+                        : undefined
+                    : typeof authPassword === "string" && authPassword.trim().length > 0
+                        ? authPassword.trim()
+                        : undefined)
+            : undefined);
     const formatCloseError = (code, reason) => {
         const reasonText = reason?.trim() || "no close reason";
         const hint = code === 1006 ? "abnormal closure (no close frame)" : code === 1000 ? "normal closure" : "";
@@ -123,14 +161,17 @@ export async function callGateway(opts) {
         let settled = false;
         let ignoreClose = false;
         const stop = (err, value) => {
-            if (settled)
+            if (settled) {
                 return;
+            }
             settled = true;
             clearTimeout(timer);
-            if (err)
+            if (err) {
                 reject(err);
-            else
+            }
+            else {
                 resolve(value);
+            }
         };
         const client = new GatewayClient({
             url,
@@ -164,8 +205,9 @@ export async function callGateway(opts) {
                 }
             },
             onClose: (code, reason) => {
-                if (settled || ignoreClose)
+                if (settled || ignoreClose) {
                     return;
+                }
                 ignoreClose = true;
                 client.stop();
                 stop(new Error(formatCloseError(code, reason)));
@@ -175,7 +217,7 @@ export async function callGateway(opts) {
             ignoreClose = true;
             client.stop();
             stop(new Error(formatTimeoutError()));
-        }, timeoutMs);
+        }, safeTimerTimeoutMs);
         client.start();
     });
 }

package/dist/gateway/channel-health-monitor.js CHANGED Viewed

@@ -26,71 +26,78 @@ export function startChannelHealthMonitor(deps) {
     const restartRecords = new Map();
     const startedAt = Date.now();
     let stopped = false;
+    let checkInFlight = false;
     let timer = null;
     const rKey = (channelId, accountId) => `${channelId}:${accountId}`;
     function pruneOldRestarts(record, now) {
         record.restartsThisHour = record.restartsThisHour.filter((r) => now - r.at < ONE_HOUR_MS);
     }
     async function runCheck() {
-        if (stopped) {
+        if (stopped || checkInFlight) {
             return;
         }
-        const now = Date.now();
-        if (now - startedAt < startupGraceMs) {
-            return;
-        }
-        const snapshot = channelManager.getRuntimeSnapshot();
-        for (const [channelId, accounts] of Object.entries(snapshot.channelAccounts)) {
-            if (!accounts) {
-                continue;
+        checkInFlight = true;
+        try {
+            const now = Date.now();
+            if (now - startedAt < startupGraceMs) {
+                return;
             }
-            for (const [accountId, status] of Object.entries(accounts)) {
-                if (!status) {
-                    continue;
-                }
-                if (!isManagedAccount(status)) {
-                    continue;
-                }
-                if (channelManager.isManuallyStopped(channelId, accountId)) {
+            const snapshot = channelManager.getRuntimeSnapshot();
+            for (const [channelId, accounts] of Object.entries(snapshot.channelAccounts)) {
+                if (!accounts) {
                     continue;
                 }
-                if (isChannelHealthy(status)) {
-                    continue;
-                }
-                const key = rKey(channelId, accountId);
-                const record = restartRecords.get(key) ?? {
-                    lastRestartAt: 0,
-                    restartsThisHour: [],
-                };
-                if (now - record.lastRestartAt <= cooldownMs) {
-                    continue;
-                }
-                pruneOldRestarts(record, now);
-                if (record.restartsThisHour.length >= maxRestartsPerHour) {
-                    log.warn?.(`[${channelId}:${accountId}] health-monitor: hit ${maxRestartsPerHour} restarts/hour limit, skipping`);
-                    continue;
-                }
-                const reason = !status.running
-                    ? status.reconnectAttempts && status.reconnectAttempts >= 10
-                        ? "gave-up"
-                        : "stopped"
-                    : "stuck";
-                log.info?.(`[${channelId}:${accountId}] health-monitor: restarting (reason: ${reason})`);
-                try {
-                    if (status.running) {
-                        await channelManager.stopChannel(channelId, accountId);
+                for (const [accountId, status] of Object.entries(accounts)) {
+                    if (!status) {
+                        continue;
+                    }
+                    if (!isManagedAccount(status)) {
+                        continue;
+                    }
+                    if (channelManager.isManuallyStopped(channelId, accountId)) {
+                        continue;
+                    }
+                    if (isChannelHealthy(status)) {
+                        continue;
+                    }
+                    const key = rKey(channelId, accountId);
+                    const record = restartRecords.get(key) ?? {
+                        lastRestartAt: 0,
+                        restartsThisHour: [],
+                    };
+                    if (now - record.lastRestartAt <= cooldownMs) {
+                        continue;
+                    }
+                    pruneOldRestarts(record, now);
+                    if (record.restartsThisHour.length >= maxRestartsPerHour) {
+                        log.warn?.(`[${channelId}:${accountId}] health-monitor: hit ${maxRestartsPerHour} restarts/hour limit, skipping`);
+                        continue;
+                    }
+                    const reason = !status.running
+                        ? status.reconnectAttempts && status.reconnectAttempts >= 10
+                            ? "gave-up"
+                            : "stopped"
+                        : "stuck";
+                    log.info?.(`[${channelId}:${accountId}] health-monitor: restarting (reason: ${reason})`);
+                    try {
+                        if (status.running) {
+                            await channelManager.stopChannel(channelId, accountId);
+                        }
+                        channelManager.resetRestartAttempts(channelId, accountId);
+                        await channelManager.startChannel(channelId, accountId);
+                        record.lastRestartAt = now;
+                        record.restartsThisHour.push({ at: now });
+                        restartRecords.set(key, record);
+                    }
+                    catch (err) {
+                        log.error?.(`[${channelId}:${accountId}] health-monitor: restart failed: ${String(err)}`);
                     }
-                    channelManager.resetRestartAttempts(channelId, accountId);
-                    await channelManager.startChannel(channelId, accountId);
-                    record.lastRestartAt = now;
-                    record.restartsThisHour.push({ at: now });
-                    restartRecords.set(key, record);
-                }
-                catch (err) {
-                    log.error?.(`[${channelId}:${accountId}] health-monitor: restart failed: ${String(err)}`);
                 }
             }
         }
+        finally {
+            checkInFlight = false;
+        }
     }
     function stop() {
         stopped = true;

package/dist/gateway/client.js CHANGED Viewed

@@ -1,10 +1,10 @@
 import { randomUUID } from "node:crypto";
 import { WebSocket } from "ws";
+import { clearDeviceAuthToken, loadDeviceAuthToken, storeDeviceAuthToken, } from "../infra/device-auth-store.js";
+import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js";
 import { normalizeFingerprint } from "../infra/tls/fingerprint.js";
 import { rawDataToString } from "../infra/ws.js";
 import { logDebug, logError } from "../logger.js";
-import { loadOrCreateDeviceIdentity, publicKeyRawBase64UrlFromPem, signDevicePayload, } from "../infra/device-identity.js";
-import { clearDeviceAuthToken, loadDeviceAuthToken, storeDeviceAuthToken, } from "../infra/device-auth-store.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES, } from "../utils/message-channel.js";
 import { buildDeviceAuthPayload } from "./device-auth.js";
 import { PROTOCOL_VERSION, validateEventFrame, validateRequestFrame, validateResponseFrame, } from "./protocol/index.js";
@@ -38,8 +38,9 @@ export class GatewayClient {
         };
     }
     start() {
-        if (this.closed)
+        if (this.closed) {
             return;
+        }
         const url = this.opts.url ?? "ws://127.0.0.1:18789";
         if (this.opts.tlsFingerprint && !url.startsWith("wss://")) {
             this.opts.onConnectError?.(new Error("gateway tls fingerprint requires wss:// gateway url"));
@@ -67,6 +68,7 @@ export class GatewayClient {
                     return new Error("gateway tls fingerprint mismatch");
                 }
                 return undefined;
+                // oxlint-disable-next-line typescript/no-explicit-any
             });
         }
         this.ws = new WebSocket(url, wsOptions);
@@ -85,6 +87,19 @@ export class GatewayClient {
         this.ws.on("close", (code, reason) => {
             const reasonText = rawDataToString(reason);
             this.ws = null;
+            // If closed due to device token mismatch, clear the stored token so next attempt can get a fresh one
+            if (code === 1008 &&
+                reasonText.toLowerCase().includes("device token mismatch") &&
+                this.opts.deviceIdentity) {
+                const role = this.opts.role ?? "operator";
+                try {
+                    clearDeviceAuthToken({ deviceId: this.opts.deviceIdentity.deviceId, role });
+                    logDebug(`cleared stale device-auth token for device ${this.opts.deviceIdentity.deviceId}`);
+                }
+                catch (err) {
+                    logDebug(`failed clearing stale device-auth token for device ${this.opts.deviceIdentity.deviceId}: ${String(err)}`);
+                }
+            }
             this.flushPendingErrors(new Error(`gateway closed (${code}): ${reasonText}`));
             this.scheduleReconnect();
             this.opts.onClose?.(code, reasonText);
@@ -107,8 +122,9 @@ export class GatewayClient {
         this.flushPendingErrors(new Error("gateway client stopped"));
     }
     sendConnect() {
-        if (this.connectSent)
+        if (this.connectSent) {
             return;
+        }
         this.connectSent = true;
         if (this.connectTimer) {
             clearTimeout(this.connectTimer);
@@ -118,8 +134,9 @@ export class GatewayClient {
         const storedToken = this.opts.deviceIdentity
             ? loadDeviceAuthToken({ deviceId: this.opts.deviceIdentity.deviceId, role })?.token
             : null;
-        const authToken = storedToken ?? this.opts.token ?? undefined;
-        const canFallbackToShared = Boolean(storedToken && this.opts.token);
+        // Prefer explicitly provided credentials (e.g. CLI `--token`) over any persisted
+        // device-auth tokens. Persisted tokens are only used when no token is provided.
+        const authToken = this.opts.token ?? storedToken ?? undefined;
         const auth = authToken || this.opts.password
             ? {
                 token: authToken,
@@ -130,8 +147,9 @@ export class GatewayClient {
         const nonce = this.connectNonce ?? undefined;
         const scopes = this.opts.scopes ?? ["operator.admin"];
         const device = (() => {
-            if (!this.opts.deviceIdentity)
+            if (!this.opts.deviceIdentity) {
                 return undefined;
+            }
             const payload = buildDeviceAuthPayload({
                 deviceId: this.opts.deviceIdentity.deviceId,
                 clientId: this.opts.clientName ?? GATEWAY_CLIENT_NAMES.GATEWAY_CLIENT,
@@ -194,18 +212,14 @@ export class GatewayClient {
             this.opts.onHelloOk?.(helloOk);
         })
             .catch((err) => {
-            if (canFallbackToShared && this.opts.deviceIdentity) {
-                clearDeviceAuthToken({
-                    deviceId: this.opts.deviceIdentity.deviceId,
-                    role,
-                });
-            }
             this.opts.onConnectError?.(err instanceof Error ? err : new Error(String(err)));
             const msg = `gateway connect failed: ${String(err)}`;
-            if (this.opts.mode === GATEWAY_CLIENT_MODES.PROBE)
+            if (this.opts.mode === GATEWAY_CLIENT_MODES.PROBE) {
                 logDebug(msg);
-            else
+            }
+            else {
                 logError(msg);
+            }
             this.ws?.close(1008, "connect failed");
         });
     }
@@ -238,8 +252,9 @@ export class GatewayClient {
             }
             if (validateResponseFrame(parsed)) {
                 const pending = this.pending.get(parsed.id);
-                if (!pending)
+                if (!pending) {
                     return;
+                }
                 // If the payload is an ack with status accepted, keep waiting for final.
                 const payload = parsed.payload;
                 const status = payload?.status;
@@ -247,10 +262,12 @@ export class GatewayClient {
                     return;
                 }
                 this.pending.delete(parsed.id);
-                if (parsed.ok)
+                if (parsed.ok) {
                     pending.resolve(parsed.payload);
-                else
+                }
+                else {
                     pending.reject(new Error(parsed.error?.message ?? "unknown error"));
+                }
             }
         }
         catch (err) {
@@ -260,15 +277,21 @@ export class GatewayClient {
     queueConnect() {
         this.connectNonce = null;
         this.connectSent = false;
-        if (this.connectTimer)
+        const rawConnectDelayMs = this.opts.connectDelayMs;
+        const connectDelayMs = typeof rawConnectDelayMs === "number" && Number.isFinite(rawConnectDelayMs)
+            ? Math.max(0, Math.min(5_000, rawConnectDelayMs))
+            : 750;
+        if (this.connectTimer) {
             clearTimeout(this.connectTimer);
+        }
         this.connectTimer = setTimeout(() => {
             this.sendConnect();
-        }, 750);
+        }, connectDelayMs);
     }
     scheduleReconnect() {
-        if (this.closed)
+        if (this.closed) {
             return;
+        }
         if (this.tickTimer) {
             clearInterval(this.tickTimer);
             this.tickTimer = null;
@@ -284,14 +307,21 @@ export class GatewayClient {
         this.pending.clear();
     }
     startTickWatch() {
-        if (this.tickTimer)
+        if (this.tickTimer) {
             clearInterval(this.tickTimer);
-        const interval = Math.max(this.tickIntervalMs, 1000);
+        }
+        const rawMinInterval = this.opts.tickWatchMinIntervalMs;
+        const minInterval = typeof rawMinInterval === "number" && Number.isFinite(rawMinInterval)
+            ? Math.max(1, Math.min(30_000, rawMinInterval))
+            : 1000;
+        const interval = Math.max(this.tickIntervalMs, minInterval);
         this.tickTimer = setInterval(() => {
-            if (this.closed)
+            if (this.closed) {
                 return;
-            if (!this.lastTick)
+            }
+            if (!this.lastTick) {
                 return;
+            }
             const gap = Date.now() - this.lastTick;
             if (gap > this.tickIntervalMs * 2) {
                 this.ws?.close(4000, "tick timeout");
@@ -299,21 +329,25 @@ export class GatewayClient {
         }, interval);
     }
     validateTlsFingerprint() {
-        if (!this.opts.tlsFingerprint || !this.ws)
+        if (!this.opts.tlsFingerprint || !this.ws) {
             return null;
+        }
         const expected = normalizeFingerprint(this.opts.tlsFingerprint);
-        if (!expected)
+        if (!expected) {
             return new Error("gateway tls fingerprint missing");
+        }
         const socket = this.ws._socket;
         if (!socket || typeof socket.getPeerCertificate !== "function") {
             return new Error("gateway tls fingerprint unavailable");
         }
         const cert = socket.getPeerCertificate();
         const fingerprint = normalizeFingerprint(cert?.fingerprint256 ?? "");
-        if (!fingerprint)
+        if (!fingerprint) {
             return new Error("gateway tls fingerprint unavailable");
-        if (fingerprint !== expected)
+        }
+        if (fingerprint !== expected) {
             return new Error("gateway tls fingerprint mismatch");
+        }
         return null;
     }
     async request(method, params, opts) {

package/dist/gateway/control-ui-contract.js CHANGED Viewed

	@@ -1 +1 @@
1	- export const CONTROL_UI_BOOTSTRAP_CONFIG_PATH = "/~~__openclaw~~/control-ui-config.json";
1	+ export const CONTROL_UI_BOOTSTRAP_CONFIG_PATH = "/__poolbot/control-ui-config.json";

package/dist/gateway/gateway-config-prompts.shared.js CHANGED Viewed

@@ -20,6 +20,6 @@ export const TAILSCALE_MISSING_BIN_NOTE_LINES = [
 ];
 export const TAILSCALE_DOCS_LINES = [
     "Docs:",
-    "https://docs.openclaw.ai/gateway/tailscale",
-    "https://docs.openclaw.ai/web",
+    "https://docs.poolbot.dev/gateway/tailscale",
+    "https://docs.poolbot.dev/web",
 ];

package/dist/gateway/net.js CHANGED Viewed

@@ -23,6 +23,27 @@ export function pickPrimaryLanIPv4() {
     }
     return undefined;
 }
+export function normalizeHostHeader(hostHeader) {
+    return (hostHeader ?? "").trim().toLowerCase();
+}
+export function resolveHostName(hostHeader) {
+    const host = normalizeHostHeader(hostHeader);
+    if (!host) {
+        return "";
+    }
+    if (host.startsWith("[")) {
+        const end = host.indexOf("]");
+        if (end !== -1) {
+            return host.slice(1, end);
+        }
+    }
+    // Unbracketed IPv6 host (e.g. "::1") has no port and should be returned as-is.
+    if (net.isIP(host) === 6) {
+        return host;
+    }
+    const [name] = host.split(":");
+    return name ?? "";
+}
 export function isLoopbackAddress(ip) {
     if (!ip) {
         return false;
@@ -41,6 +62,47 @@ export function isLoopbackAddress(ip) {
     }
     return false;
 }
+/**
+ * Returns true if the IP belongs to a private or loopback network range.
+ * Private ranges: RFC1918, link-local, ULA IPv6, and CGNAT (100.64/10), plus loopback.
+ */
+export function isPrivateOrLoopbackAddress(ip) {
+    if (!ip) {
+        return false;
+    }
+    if (isLoopbackAddress(ip)) {
+        return true;
+    }
+    const normalized = normalizeIPv4MappedAddress(ip.trim().toLowerCase());
+    const family = net.isIP(normalized);
+    if (!family) {
+        return false;
+    }
+    if (family === 4) {
+        const octets = normalized.split(".").map((value) => Number.parseInt(value, 10));
+        if (octets.length !== 4 || octets.some((value) => Number.isNaN(value))) {
+            return false;
+        }
+        const [o1, o2] = octets;
+        // RFC1918 IPv4 private ranges.
+        if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) {
+            return true;
+        }
+        // IPv4 link-local and CGNAT (commonly used by Tailnet-like networks).
+        if ((o1 === 169 && o2 === 254) || (o1 === 100 && o2 >= 64 && o2 <= 127)) {
+            return true;
+        }
+        return false;
+    }
+    // IPv6 unique-local and link-local ranges.
+    if (normalized.startsWith("fc") || normalized.startsWith("fd")) {
+        return true;
+    }
+    if (/^fe[89ab]/.test(normalized)) {
+        return true;
+    }
+    return false;
+}
 function normalizeIPv4MappedAddress(ip) {
     if (ip.startsWith("::ffff:")) {
         return ip.slice("::ffff:".length);
@@ -87,12 +149,58 @@ function parseRealIp(realIp) {
     }
     return normalizeIp(stripOptionalPort(raw));
 }
+/**
+ * Check if an IP address matches a CIDR block.
+ * Supports IPv4 CIDR notation (e.g., "10.42.0.0/24").
+ *
+ * @param ip - The IP address to check (e.g., "10.42.0.59")
+ * @param cidr - The CIDR block (e.g., "10.42.0.0/24")
+ * @returns True if the IP is within the CIDR block
+ */
+function ipMatchesCIDR(ip, cidr) {
+    // Handle exact IP match (no CIDR notation)
+    if (!cidr.includes("/")) {
+        return ip === cidr;
+    }
+    const [subnet, prefixLenStr] = cidr.split("/");
+    const prefixLen = parseInt(prefixLenStr, 10);
+    // Validate prefix length
+    if (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) {
+        return false;
+    }
+    // Convert IPs to 32-bit integers
+    const ipParts = ip.split(".").map((p) => parseInt(p, 10));
+    const subnetParts = subnet.split(".").map((p) => parseInt(p, 10));
+    // Validate IP format
+    if (ipParts.length !== 4 ||
+        subnetParts.length !== 4 ||
+        ipParts.some((p) => Number.isNaN(p) || p < 0 || p > 255) ||
+        subnetParts.some((p) => Number.isNaN(p) || p < 0 || p > 255)) {
+        return false;
+    }
+    const ipInt = (ipParts[0] << 24) | (ipParts[1] << 16) | (ipParts[2] << 8) | ipParts[3];
+    const subnetInt = (subnetParts[0] << 24) | (subnetParts[1] << 16) | (subnetParts[2] << 8) | subnetParts[3];
+    // Create mask and compare
+    const mask = prefixLen === 0 ? 0 : (-1 >>> (32 - prefixLen)) << (32 - prefixLen);
+    return (ipInt & mask) === (subnetInt & mask);
+}
 export function isTrustedProxyAddress(ip, trustedProxies) {
     const normalized = normalizeIp(ip);
     if (!normalized || !trustedProxies || trustedProxies.length === 0) {
         return false;
     }
-    return trustedProxies.some((proxy) => normalizeIp(proxy) === normalized);
+    return trustedProxies.some((proxy) => {
+        const candidate = proxy.trim();
+        if (!candidate) {
+            return false;
+        }
+        // Handle CIDR notation
+        if (candidate.includes("/")) {
+            return ipMatchesCIDR(normalized, candidate);
+        }
+        // Exact IP match
+        return normalizeIp(candidate) === normalized;
+    });
 }
 export function resolveGatewayClientIp(params) {
     const remote = normalizeIp(params.remoteAddr);