npm - @poolzin/pool-bot - Versions diffs - 2026.2.21 → 2026.2.23 - Mend

@poolzin/pool-bot 2026.2.21 → 2026.2.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (378) hide show

package/CHANGELOG.md +25 -0
package/dist/agents/api-key-rotation.js +47 -0
package/dist/agents/apply-patch-update.js +19 -9
package/dist/agents/apply-patch.js +72 -47
package/dist/agents/bash-tools.exec.js +141 -559
package/dist/agents/cli-backends.js +49 -6
package/dist/agents/cli-runner/helpers.js +69 -152
package/dist/agents/cli-runner.js +70 -19
package/dist/agents/identity.js +20 -1
package/dist/agents/image-sanitization.js +9 -0
package/dist/agents/live-auth-keys.js +123 -26
package/dist/agents/live-model-filter.js +13 -4
package/dist/agents/model-catalog.js +40 -9
package/dist/agents/model-forward-compat.js +60 -23
package/dist/agents/model-selection.js +134 -41
package/dist/agents/pi-auth-json.js +2 -2
package/dist/agents/pi-embedded-helpers/bootstrap.js +65 -15
package/dist/agents/pi-embedded-helpers/errors.js +140 -15
package/dist/agents/pi-embedded-helpers/images.js +22 -12
package/dist/agents/pi-embedded-helpers.js +2 -2
package/dist/agents/pi-embedded-runner/abort.js +10 -3
package/dist/agents/pi-embedded-runner/compact.js +230 -32
package/dist/agents/pi-embedded-runner/extra-params.js +203 -12
package/dist/agents/pi-embedded-runner/google.js +109 -19
package/dist/agents/pi-embedded-runner/history.js +35 -17
package/dist/agents/pi-embedded-runner/run/attempt.js +386 -95
package/dist/agents/pi-embedded-runner/run/images.js +81 -55
package/dist/agents/pi-embedded-runner/run/payloads.js +89 -39
package/dist/agents/pi-embedded-runner/run.js +193 -25
package/dist/agents/pi-embedded-runner/run.overflow-compaction.mocks.shared.js +2 -2
package/dist/agents/pi-embedded-runner/runs.js +17 -8
package/dist/agents/pi-embedded-runner/tool-result-context-guard.js +262 -0
package/dist/agents/pi-embedded-runner.js +1 -1
package/dist/agents/pi-embedded-subscribe.handlers.tools.js +180 -10
package/dist/agents/pi-embedded-subscribe.js +37 -0
package/dist/agents/pi-embedded-subscribe.tools.js +127 -30
package/dist/agents/pi-model-discovery.js +9 -2
package/dist/agents/pi-tool-definition-adapter.js +60 -8
package/dist/agents/pi-tools.before-tool-call.js +1 -1
package/dist/agents/pi-tools.js +113 -94
package/dist/agents/pi-tools.read.js +337 -38
package/dist/agents/poolbot-tools.js +14 -5
package/dist/agents/sandbox/docker.js +10 -5
package/dist/agents/sandbox/registry.js +96 -46
package/dist/agents/sandbox/sanitize-env-vars.js +82 -0
package/dist/agents/sandbox-paths.js +43 -10
package/dist/agents/session-tool-result-guard-wrapper.js +23 -11
package/dist/agents/session-tool-result-guard.js +39 -39
package/dist/agents/session-transcript-repair.js +36 -33
package/dist/agents/session-write-lock.js +62 -44
package/dist/agents/skills/frontmatter.js +49 -88
package/dist/agents/skills/workspace.js +335 -28
package/dist/agents/subagent-announce.js +508 -174
package/dist/agents/subagent-registry.js +45 -4
package/dist/agents/subagent-spawn.js +16 -33
package/dist/agents/system-prompt-report.js +27 -10
package/dist/agents/system-prompt.js +26 -32
package/dist/agents/tool-call-id.js +69 -17
package/dist/agents/tool-display-common.js +1 -1
package/dist/agents/tool-images.js +64 -31
package/dist/agents/tools/canvas-tool.js +17 -11
package/dist/agents/tools/common.js +37 -19
package/dist/agents/tools/cron-tool.js +40 -38
package/dist/agents/tools/gateway.js +70 -2
package/dist/agents/tools/message-tool.js +181 -40
package/dist/agents/tools/nodes-tool.js +128 -36
package/dist/agents/tools/nodes-utils.js +12 -38
package/dist/agents/tools/session-status-tool.js +24 -71
package/dist/agents/tools/sessions-helpers.js +38 -210
package/dist/agents/tools/sessions-spawn-tool.js +28 -198
package/dist/agents/tools/telegram-actions.js +58 -7
package/dist/agents/tools/web-fetch-utils.js +112 -7
package/dist/agents/tools/web-fetch.js +279 -175
package/dist/agents/tools/web-shared.js +71 -8
package/dist/agents/usage.js +25 -16
package/dist/auto-reply/commands-registry.data.js +85 -11
package/dist/auto-reply/dispatch.js +40 -21
package/dist/auto-reply/reply/abort.js +102 -33
package/dist/auto-reply/reply/commands-core.js +82 -33
package/dist/auto-reply/reply/commands-export-session.js +1 -1
package/dist/auto-reply/reply/commands-info.js +41 -12
package/dist/auto-reply/reply/commands-subagents.js +352 -100
package/dist/auto-reply/reply/commands-system-prompt.js +2 -2
package/dist/auto-reply/reply/dispatch-from-config.js +100 -29
package/dist/auto-reply/reply/elevated-unavailable.js +1 -1
package/dist/auto-reply/reply/inbound-meta.js +12 -1
package/dist/auto-reply/reply/mentions.js +18 -11
package/dist/auto-reply/reply/normalize-reply.js +17 -8
package/dist/auto-reply/reply/reply-dispatcher.js +62 -10
package/dist/auto-reply/reply/session.js +102 -21
package/dist/auto-reply/reply/streaming-directives.js +16 -5
package/dist/auto-reply/status.js +73 -50
package/dist/browser/extension-relay.js +3 -3
package/dist/browser/http-auth.js +1 -1
package/dist/browser/paths.js +2 -2
package/dist/build-info.json +3 -3
package/dist/channels/allowlist-match.js +20 -0
package/dist/channels/allowlists/resolve-utils.js +65 -2
package/dist/channels/chat-type.js +8 -4
package/dist/channels/dock.js +127 -35
package/dist/channels/draft-stream-loop.js +6 -2
package/dist/channels/plugins/actions/telegram.js +42 -18
package/dist/channels/plugins/allowlist-match.js +1 -1
package/dist/channels/plugins/group-mentions.js +51 -41
package/dist/channels/plugins/message-action-names.js +2 -0
package/dist/channels/plugins/message-actions.js +24 -5
package/dist/channels/plugins/normalize/discord.js +26 -4
package/dist/channels/plugins/normalize/signal.js +35 -22
package/dist/channels/plugins/onboarding/helpers.js +8 -26
package/dist/channels/plugins/outbound/imessage.js +15 -14
package/dist/channels/registry.js +20 -7
package/dist/cli/acp-cli.js +7 -5
package/dist/cli/browser-cli-extension.js +25 -12
package/dist/cli/browser-cli-state.cookies-storage.js +25 -6
package/dist/cli/browser-cli-state.js +101 -145
package/dist/cli/command-options.js +28 -0
package/dist/cli/completion-cli.js +6 -6
package/dist/cli/cron-cli/register.cron-add.js +25 -1
package/dist/cli/cron-cli/register.cron-edit.js +44 -0
package/dist/cli/cron-cli/shared.js +7 -1
package/dist/cli/daemon-cli/lifecycle-core.js +23 -21
package/dist/cli/daemon-cli/lifecycle.js +23 -247
package/dist/cli/daemon-cli/register-service-commands.js +25 -4
package/dist/cli/daemon-cli.js +1 -0
package/dist/cli/devices-cli.js +33 -20
package/dist/cli/gateway-cli/register.js +37 -105
package/dist/cli/gateway-cli/run.js +49 -11
package/dist/cli/nodes-camera.js +59 -4
package/dist/cli/nodes-cli/register.camera.js +27 -24
package/dist/cli/nodes-cli/rpc.js +21 -38
package/dist/cli/qr-cli.js +2 -2
package/dist/cli/skills-cli.format.js +2 -2
package/dist/cli/update-cli/progress.js +2 -2
package/dist/cli/update-cli/restart-helper.js +28 -7
package/dist/cli/update-cli/shared.js +7 -7
package/dist/cli/update-cli/status.js +1 -1
package/dist/cli/update-cli/update-command.js +14 -8
package/dist/cli/update-cli/wizard.js +2 -2
package/dist/cli/update-cli.js +21 -1027
package/dist/commands/auth-choice.apply.anthropic.js +10 -2
package/dist/commands/channels/add-mutators.js +3 -35
package/dist/commands/channels/add.js +39 -51
package/dist/commands/config-validation.js +1 -1
package/dist/commands/configure.gateway-auth.js +52 -15
package/dist/commands/configure.gateway.js +84 -40
package/dist/commands/doctor-completion.js +3 -3
package/dist/commands/doctor-config-flow.js +536 -16
package/dist/commands/doctor-gateway-services.js +103 -79
package/dist/commands/doctor-memory-search.js +9 -9
package/dist/commands/doctor-platform-notes.js +57 -30
package/dist/commands/doctor-prompter.js +26 -15
package/dist/commands/doctor-session-locks.js +1 -1
package/dist/commands/doctor.js +21 -9
package/dist/commands/model-picker.js +120 -95
package/dist/commands/models/set.js +2 -21
package/dist/commands/models/shared.js +65 -37
package/dist/commands/onboard-helpers.js +81 -39
package/dist/commands/openai-codex-oauth.js +1 -1
package/dist/commands/sessions.js +52 -53
package/dist/commands/status.summary.js +52 -34
package/dist/commands/test-wizard-helpers.js +2 -2
package/dist/config/defaults.js +79 -42
package/dist/config/group-policy.js +50 -18
package/dist/config/includes.js +37 -10
package/dist/config/schema.help.js +5 -4
package/dist/config/schema.hints.js +2 -2
package/dist/config/schema.labels.js +1 -0
package/dist/config/sessions/group.js +12 -11
package/dist/config/sessions/paths.js +137 -11
package/dist/config/sessions/store.js +185 -65
package/dist/config/sessions/types.js +15 -1
package/dist/config/sessions.js +1 -0
package/dist/config/telegram-custom-commands.js +3 -2
package/dist/config/types.js +2 -0
package/dist/config/zod-schema.agent-defaults.js +6 -27
package/dist/config/zod-schema.agent-runtime.js +171 -79
package/dist/config/zod-schema.providers-core.js +138 -65
package/dist/config/zod-schema.session.js +49 -22
package/dist/control-ui/assets/index-HRr1grwl.js.map +1 -1
package/dist/cron/isolated-agent/run.js +224 -57
package/dist/cron/normalize.js +48 -45
package/dist/cron/run-log.js +14 -0
package/dist/cron/service/jobs.js +190 -28
package/dist/cron/service/normalize.js +29 -11
package/dist/cron/service/store.js +30 -44
package/dist/cron/service/timer.js +182 -96
package/dist/cron/service.js +3 -0
package/dist/cron/stagger.js +37 -0
package/dist/daemon/inspect.js +132 -92
package/dist/daemon/runtime-paths.js +25 -4
package/dist/daemon/service-audit.js +47 -16
package/dist/discord/accounts.js +23 -20
package/dist/discord/monitor/agent-components.js +1115 -219
package/dist/discord/monitor/allow-list.js +114 -34
package/dist/discord/monitor/listeners.js +204 -97
package/dist/discord/monitor/message-handler.js +21 -10
package/dist/discord/monitor/message-handler.preflight.js +195 -101
package/dist/discord/monitor/message-handler.process.js +384 -123
package/dist/discord/monitor/message-utils.js +86 -23
package/dist/discord/monitor/native-command.js +77 -57
package/dist/discord/monitor/provider.js +122 -117
package/dist/discord/monitor/reply-context.js +20 -16
package/dist/discord/monitor/reply-delivery.js +40 -8
package/dist/discord/monitor/rest-fetch.js +22 -0
package/dist/discord/monitor/threading.js +117 -24
package/dist/discord/send.js +2 -1
package/dist/discord/send.outbound.js +124 -11
package/dist/discord/send.shared.js +112 -72
package/dist/discord/voice-message.js +3 -3
package/dist/gateway/auth.js +119 -44
package/dist/gateway/call.js +76 -34
package/dist/gateway/channel-health-monitor.js +57 -50
package/dist/gateway/client.js +63 -29
package/dist/gateway/control-ui-contract.js +1 -1
package/dist/gateway/gateway-config-prompts.shared.js +2 -2
package/dist/gateway/net.js +109 -1
package/dist/gateway/protocol/index.js +5 -8
package/dist/gateway/protocol/schema/agent.js +19 -1
package/dist/gateway/protocol/schema/channels.js +21 -0
package/dist/gateway/protocol/schema/cron.js +43 -30
package/dist/gateway/protocol/schema/protocol-schemas.js +6 -11
package/dist/gateway/protocol/schema/sessions.js +5 -1
package/dist/gateway/protocol/schema.js +0 -1
package/dist/gateway/server/presence-events.js +12 -0
package/dist/gateway/server/ws-connection/message-handler.js +203 -212
package/dist/gateway/server/ws-connection.js +58 -21
package/dist/gateway/server-broadcast.js +18 -13
package/dist/gateway/server-cron.js +177 -10
package/dist/gateway/server-methods/agent-job.js +131 -38
package/dist/gateway/server-methods/send.js +60 -14
package/dist/gateway/server-methods/sessions.js +160 -96
package/dist/gateway/server-methods/system.js +5 -7
package/dist/gateway/server-methods-list.js +8 -0
package/dist/gateway/server-methods.js +24 -8
package/dist/gateway/server-node-events.js +278 -68
package/dist/gateway/session-utils.fs.js +316 -75
package/dist/gateway/session-utils.js +224 -70
package/dist/gateway/sessions-patch.js +63 -20
package/dist/gateway/test-temp-config.js +1 -1
package/dist/gateway/tools-invoke-http.js +118 -70
package/dist/gateway/ws-log.js +135 -107
package/dist/hooks/frontmatter.js +36 -82
package/dist/hooks/install.js +149 -139
package/dist/hooks/internal-hooks.js +29 -4
package/dist/hooks/plugin-hooks.js +2 -1
package/dist/imessage/monitor/deliver.js +10 -4
package/dist/imessage/monitor/monitor-provider.js +138 -375
package/dist/imessage/monitor/runtime.js +4 -8
package/dist/imessage/send.js +65 -19
package/dist/infra/exec-approvals-allowlist.js +7 -0
package/dist/infra/exec-approvals.js +35 -920
package/dist/infra/exec-safe-bin-trust.js +64 -0
package/dist/infra/heartbeat-runner.js +207 -134
package/dist/infra/heartbeat-wake.js +183 -22
package/dist/infra/install-source-utils.js +47 -0
package/dist/infra/net/ssrf.js +170 -36
package/dist/infra/outbound/deliver.js +224 -58
package/dist/infra/outbound/message-action-spec.js +12 -5
package/dist/infra/outbound/outbound-session.js +27 -25
package/dist/infra/poolbot-root.js +32 -22
package/dist/infra/ports.js +14 -11
package/dist/infra/skills-remote.js +48 -37
package/dist/infra/system-events.js +25 -11
package/dist/infra/system-presence.js +26 -33
package/dist/infra/tmp-poolbot-dir.js +81 -2
package/dist/infra/wsl.js +37 -1
package/dist/line/bot-message-context.js +163 -191
package/dist/logging/subsystem.js +59 -22
package/dist/markdown/ir.js +124 -50
package/dist/media/store.js +1 -1
package/dist/media-understanding/runner.entries.js +42 -25
package/dist/media-understanding/runner.js +53 -488
package/dist/memory/embeddings-gemini.js +53 -38
package/dist/memory/manager-embedding-ops.js +48 -69
package/dist/pairing/pairing-store.js +178 -119
package/dist/plugin-sdk/index.js +34 -6
package/dist/plugins/hooks.js +135 -14
package/dist/plugins/install.js +190 -152
package/dist/polls.js +11 -0
package/dist/routing/resolve-route.js +190 -56
package/dist/routing/session-key.js +38 -22
package/dist/runtime.js +35 -9
package/dist/security/audit-channel.js +1 -1
package/dist/sessions/session-key-utils.js +29 -11
package/dist/shared/frontmatter.js +5 -5
package/dist/shared/node-list-types.js +1 -0
package/dist/shared/string-normalization.js +15 -0
package/dist/signal/monitor/event-handler.js +68 -36
package/dist/signal/send.js +29 -37
package/dist/slack/monitor/allow-list.js +10 -11
package/dist/slack/monitor/commands.js +14 -3
package/dist/slack/monitor/events/interactions.js +4 -4
package/dist/slack/monitor/media.js +224 -16
package/dist/slack/monitor/message-handler/dispatch.js +247 -13
package/dist/slack/monitor/message-handler/prepare.js +128 -45
package/dist/slack/monitor/slash.js +357 -144
package/dist/slack/streaming.js +77 -0
package/dist/telegram/accounts.js +40 -13
package/dist/telegram/allowed-updates.js +3 -0
package/dist/telegram/bot/delivery.js +129 -66
package/dist/telegram/bot/helpers.js +136 -122
package/dist/telegram/bot-handlers.js +600 -339
package/dist/telegram/bot-message-context.js +115 -73
package/dist/telegram/bot-message-dispatch.js +235 -104
package/dist/telegram/bot-native-command-menu.js +3 -1
package/dist/telegram/bot-native-commands.js +213 -193
package/dist/telegram/bot.js +24 -132
package/dist/telegram/draft-stream.js +84 -75
package/dist/telegram/format.js +150 -6
package/dist/telegram/send.js +415 -255
package/dist/telegram/targets.js +21 -2
package/dist/telegram/update-offset-store.js +19 -3
package/dist/terminal/restore.js +5 -2
package/dist/test-utils/fetch-mock.js +5 -0
package/dist/version.js +18 -5
package/dist/web/auto-reply/monitor/broadcast.js +7 -3
package/dist/web/auto-reply/monitor/on-message.js +6 -3
package/dist/web/inbound/media.js +34 -8
package/dist/web/inbound/monitor.js +34 -17
package/dist/web/inbound/send-api.js +18 -17
package/dist/web/outbound.js +12 -5
package/dist/wizard/clack-prompter.js +40 -7
package/extensions/bluebubbles/package.json +1 -1
package/extensions/copilot-proxy/package.json +1 -1
package/extensions/device-pair/index.ts +2 -2
package/extensions/diagnostics-otel/package.json +1 -1
package/extensions/discord/package.json +1 -1
package/extensions/feishu/package.json +1 -1
package/extensions/google-antigravity-auth/package.json +1 -1
package/extensions/google-gemini-cli-auth/package.json +1 -1
package/extensions/googlechat/package.json +1 -1
package/extensions/imessage/package.json +1 -1
package/extensions/irc/package.json +1 -1
package/extensions/irc/src/accounts.ts +1 -1
package/extensions/irc/src/onboarding.ts +4 -4
package/extensions/line/package.json +1 -1
package/extensions/llm-task/package.json +1 -1
package/extensions/lobster/package.json +1 -1
package/extensions/matrix/CHANGELOG.md +10 -0
package/extensions/matrix/package.json +1 -1
package/extensions/mattermost/package.json +1 -1
package/extensions/memory-core/package.json +1 -1
package/extensions/memory-lancedb/package.json +1 -1
package/extensions/minimax-portal-auth/package.json +1 -1
package/extensions/msteams/CHANGELOG.md +10 -0
package/extensions/msteams/package.json +1 -1
package/extensions/nextcloud-talk/package.json +1 -1
package/extensions/nostr/CHANGELOG.md +10 -0
package/extensions/nostr/package.json +1 -1
package/extensions/open-prose/package.json +1 -1
package/extensions/openai-codex-auth/package.json +1 -1
package/extensions/signal/package.json +1 -1
package/extensions/slack/package.json +1 -1
package/extensions/telegram/package.json +1 -1
package/extensions/tlon/package.json +1 -1
package/extensions/twitch/CHANGELOG.md +10 -0
package/extensions/twitch/package.json +1 -1
package/extensions/voice-call/CHANGELOG.md +10 -0
package/extensions/voice-call/package.json +1 -1
package/extensions/whatsapp/package.json +1 -1
package/extensions/zalo/CHANGELOG.md +10 -0
package/extensions/zalo/package.json +1 -1
package/extensions/zalouser/CHANGELOG.md +10 -0
package/extensions/zalouser/package.json +1 -1
package/package.json +1 -1
package/skills/apple-reminders/SKILL.md +100 -49
package/skills/coding-agent/SKILL.md +34 -28
package/skills/github/SKILL.md +131 -16
package/skills/imsg/SKILL.md +112 -15
package/skills/openhue/SKILL.md +101 -19
package/skills/tmux/SKILL.md +111 -79
package/skills/weather/SKILL.md +88 -25
package/dist/agents/openclaw-tools.js +0 -151
package/dist/agents/tool-security.js +0 -96
package/dist/gateway/url-validation.js +0 -94
package/dist/infra/openclaw-root.js +0 -109
package/dist/infra/tmp-openclaw-dir.js +0 -81
package/dist/media/path-sanitization.js +0 -78

package/dist/plugins/install.js CHANGED Viewed

@@ -1,28 +1,32 @@
 import fs from "node:fs/promises";
-import os from "node:os";
 import path from "node:path";
-import { LEGACY_MANIFEST_KEY } from "../compat/legacy-names.js";
-import { runCommandWithTimeout } from "../process/exec.js";
-import { CONFIG_DIR, resolveUserPath } from "../utils.js";
+import { MANIFEST_KEY } from "../compat/legacy-names.js";
 import { extractArchive, fileExists, readJsonFile, resolveArchiveKind, resolvePackedRootDir, } from "../infra/archive.js";
+import { installPackageDir } from "../infra/install-package-dir.js";
+import { resolveSafeInstallDir, safeDirName, unscopedPackageName, } from "../infra/install-safe-path.js";
+import { packNpmSpecToArchive, resolveArchiveSourcePath, withTempDir, } from "../infra/install-source-utils.js";
+import { validateRegistryNpmSpec } from "../infra/npm-registry-spec.js";
+import { extensionUsesSkippedScannerPath, isPathInside } from "../security/scan-paths.js";
+import * as skillScanner from "../security/skill-scanner.js";
+import { CONFIG_DIR, resolveUserPath } from "../utils.js";
 const defaultLogger = {};
-function unscopedPackageName(name) {
-    const trimmed = name.trim();
-    if (!trimmed)
-        return trimmed;
-    return trimmed.includes("/") ? (trimmed.split("/").pop() ?? trimmed) : trimmed;
-}
-function safeDirName(input) {
-    const trimmed = input.trim();
-    if (!trimmed)
-        return trimmed;
-    return trimmed.replaceAll("/", "__");
-}
 function safeFileName(input) {
     return safeDirName(input);
 }
+function validatePluginId(pluginId) {
+    if (!pluginId) {
+        return "invalid plugin name: missing";
+    }
+    if (pluginId === "." || pluginId === "..") {
+        return "invalid plugin name: reserved path segment";
+    }
+    if (pluginId.includes("/") || pluginId.includes("\\")) {
+        return "invalid plugin name: path separators not allowed";
+    }
+    return null;
+}
 async function ensurePoolbotExtensions(manifest) {
-    const extensions = manifest.poolbot?.extensions ?? manifest[LEGACY_MANIFEST_KEY]?.extensions;
+    const extensions = manifest[MANIFEST_KEY]?.extensions;
     if (!Array.isArray(extensions)) {
         throw new Error("package.json missing poolbot.extensions");
     }
@@ -32,17 +36,49 @@ async function ensurePoolbotExtensions(manifest) {
     }
     return list;
 }
+function resolvePluginInstallModeOptions(params) {
+    return {
+        logger: params.logger ?? defaultLogger,
+        mode: params.mode ?? "install",
+        dryRun: params.dryRun ?? false,
+    };
+}
+function resolveTimedPluginInstallModeOptions(params) {
+    return {
+        ...resolvePluginInstallModeOptions(params),
+        timeoutMs: params.timeoutMs ?? 120_000,
+    };
+}
+function buildFileInstallResult(pluginId, targetFile) {
+    return {
+        ok: true,
+        pluginId,
+        targetDir: targetFile,
+        manifestName: undefined,
+        version: undefined,
+        extensions: [path.basename(targetFile)],
+    };
+}
 export function resolvePluginInstallDir(pluginId, extensionsDir) {
     const extensionsBase = extensionsDir
         ? resolveUserPath(extensionsDir)
         : path.join(CONFIG_DIR, "extensions");
-    return path.join(extensionsBase, safeDirName(pluginId));
+    const pluginIdError = validatePluginId(pluginId);
+    if (pluginIdError) {
+        throw new Error(pluginIdError);
+    }
+    const targetDirResult = resolveSafeInstallDir({
+        baseDir: extensionsBase,
+        id: pluginId,
+        invalidNameMessage: "invalid plugin name: path traversal detected",
+    });
+    if (!targetDirResult.ok) {
+        throw new Error(targetDirResult.error);
+    }
+    return targetDirResult.path;
 }
 async function installPluginFromPackageDir(params) {
-    const logger = params.logger ?? defaultLogger;
-    const timeoutMs = params.timeoutMs ?? 120_000;
-    const mode = params.mode ?? "install";
-    const dryRun = params.dryRun ?? false;
+    const { logger, timeoutMs, mode, dryRun } = resolveTimedPluginInstallModeOptions(params);
     const manifestPath = path.join(params.packageDir, "package.json");
     if (!(await fileExists(manifestPath))) {
         return { ok: false, error: "extracted package missing package.json" };
@@ -63,17 +99,61 @@ async function installPluginFromPackageDir(params) {
     }
     const pkgName = typeof manifest.name === "string" ? manifest.name : "";
     const pluginId = pkgName ? unscopedPackageName(pkgName) : "plugin";
+    const pluginIdError = validatePluginId(pluginId);
+    if (pluginIdError) {
+        return { ok: false, error: pluginIdError };
+    }
     if (params.expectedPluginId && params.expectedPluginId !== pluginId) {
         return {
             ok: false,
             error: `plugin id mismatch: expected ${params.expectedPluginId}, got ${pluginId}`,
         };
     }
+    const packageDir = path.resolve(params.packageDir);
+    const forcedScanEntries = [];
+    for (const entry of extensions) {
+        const resolvedEntry = path.resolve(packageDir, entry);
+        if (!isPathInside(packageDir, resolvedEntry)) {
+            logger.warn?.(`extension entry escapes plugin directory and will not be scanned: ${entry}`);
+            continue;
+        }
+        if (extensionUsesSkippedScannerPath(entry)) {
+            logger.warn?.(`extension entry is in a hidden/node_modules path and will receive targeted scan coverage: ${entry}`);
+        }
+        forcedScanEntries.push(resolvedEntry);
+    }
+    // Scan plugin source for dangerous code patterns (warn-only; never blocks install)
+    try {
+        const scanSummary = await skillScanner.scanDirectoryWithSummary(params.packageDir, {
+            includeFiles: forcedScanEntries,
+        });
+        if (scanSummary.critical > 0) {
+            const criticalDetails = scanSummary.findings
+                .filter((f) => f.severity === "critical")
+                .map((f) => `${f.message} (${f.file}:${f.line})`)
+                .join("; ");
+            logger.warn?.(`WARNING: Plugin "${pluginId}" contains dangerous code patterns: ${criticalDetails}`);
+        }
+        else if (scanSummary.warn > 0) {
+            logger.warn?.(`Plugin "${pluginId}" has ${scanSummary.warn} suspicious code pattern(s). Run "poolbot security audit --deep" for details.`);
+        }
+    }
+    catch (err) {
+        logger.warn?.(`Plugin "${pluginId}" code safety scan failed (${String(err)}). Installation continues; run "poolbot security audit --deep" after install.`);
+    }
     const extensionsDir = params.extensionsDir
         ? resolveUserPath(params.extensionsDir)
         : path.join(CONFIG_DIR, "extensions");
     await fs.mkdir(extensionsDir, { recursive: true });
-    const targetDir = path.join(extensionsDir, safeDirName(pluginId));
+    const targetDirResult = resolveSafeInstallDir({
+        baseDir: extensionsDir,
+        id: pluginId,
+        invalidNameMessage: "invalid plugin name: path traversal detected",
+    });
+    if (!targetDirResult.ok) {
+        return { ok: false, error: targetDirResult.error };
+    }
+    const targetDir = targetDirResult.path;
     if (mode === "install" && (await fileExists(targetDir))) {
         return {
             ok: false,
@@ -90,49 +170,32 @@ async function installPluginFromPackageDir(params) {
             extensions,
         };
     }
-    logger.info?.(`Installing to ${targetDir}…`);
-    let backupDir = null;
-    if (mode === "update" && (await fileExists(targetDir))) {
-        backupDir = `${targetDir}.backup-${Date.now()}`;
-        await fs.rename(targetDir, backupDir);
-    }
-    try {
-        await fs.cp(params.packageDir, targetDir, { recursive: true });
-    }
-    catch (err) {
-        if (backupDir) {
-            await fs.rm(targetDir, { recursive: true, force: true }).catch(() => undefined);
-            await fs.rename(backupDir, targetDir).catch(() => undefined);
-        }
-        return { ok: false, error: `failed to copy plugin: ${String(err)}` };
-    }
-    for (const entry of extensions) {
-        const resolvedEntry = path.resolve(targetDir, entry);
-        if (!(await fileExists(resolvedEntry))) {
-            logger.warn?.(`extension entry not found: ${entry}`);
-        }
-    }
     const deps = manifest.dependencies ?? {};
     const hasDeps = Object.keys(deps).length > 0;
-    if (hasDeps) {
-        logger.info?.("Installing plugin dependencies…");
-        const npmRes = await runCommandWithTimeout(["npm", "install", "--omit=dev", "--silent"], {
-            timeoutMs: Math.max(timeoutMs, 300_000),
-            cwd: targetDir,
-        });
-        if (npmRes.code !== 0) {
-            if (backupDir) {
-                await fs.rm(targetDir, { recursive: true, force: true }).catch(() => undefined);
-                await fs.rename(backupDir, targetDir).catch(() => undefined);
+    const installRes = await installPackageDir({
+        sourceDir: params.packageDir,
+        targetDir,
+        mode,
+        timeoutMs,
+        logger,
+        copyErrorPrefix: "failed to copy plugin",
+        hasDeps,
+        depsLogMessage: "Installing plugin dependencies…",
+        afterCopy: async () => {
+            for (const entry of extensions) {
+                const resolvedEntry = path.resolve(targetDir, entry);
+                if (!isPathInside(targetDir, resolvedEntry)) {
+                    logger.warn?.(`extension entry escapes plugin directory: ${entry}`);
+                    continue;
+                }
+                if (!(await fileExists(resolvedEntry))) {
+                    logger.warn?.(`extension entry not found: ${entry}`);
+                }
             }
-            return {
-                ok: false,
-                error: `npm install failed: ${npmRes.stderr.trim() || npmRes.stdout.trim()}`,
-            };
-        }
-    }
-    if (backupDir) {
-        await fs.rm(backupDir, { recursive: true, force: true }).catch(() => undefined);
+        },
+    });
+    if (!installRes.ok) {
+        return installRes;
     }
     return {
         ok: true,
@@ -147,43 +210,42 @@ export async function installPluginFromArchive(params) {
     const logger = params.logger ?? defaultLogger;
     const timeoutMs = params.timeoutMs ?? 120_000;
     const mode = params.mode ?? "install";
-    const archivePath = resolveUserPath(params.archivePath);
-    if (!(await fileExists(archivePath))) {
-        return { ok: false, error: `archive not found: ${archivePath}` };
-    }
-    if (!resolveArchiveKind(archivePath)) {
-        return { ok: false, error: `unsupported archive: ${archivePath}` };
-    }
-    const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "poolbot-plugin-"));
-    const extractDir = path.join(tmpDir, "extract");
-    await fs.mkdir(extractDir, { recursive: true });
-    logger.info?.(`Extracting ${archivePath}…`);
-    try {
-        await extractArchive({
-            archivePath,
-            destDir: extractDir,
+    const archivePathResult = await resolveArchiveSourcePath(params.archivePath);
+    if (!archivePathResult.ok) {
+        return archivePathResult;
+    }
+    const archivePath = archivePathResult.path;
+    return await withTempDir("poolbot-plugin-", async (tmpDir) => {
+        const extractDir = path.join(tmpDir, "extract");
+        await fs.mkdir(extractDir, { recursive: true });
+        logger.info?.(`Extracting ${archivePath}…`);
+        try {
+            await extractArchive({
+                archivePath,
+                destDir: extractDir,
+                timeoutMs,
+                logger,
+            });
+        }
+        catch (err) {
+            return { ok: false, error: `failed to extract archive: ${String(err)}` };
+        }
+        let packageDir = "";
+        try {
+            packageDir = await resolvePackedRootDir(extractDir);
+        }
+        catch (err) {
+            return { ok: false, error: String(err) };
+        }
+        return await installPluginFromPackageDir({
+            packageDir,
+            extensionsDir: params.extensionsDir,
             timeoutMs,
             logger,
+            mode,
+            dryRun: params.dryRun,
+            expectedPluginId: params.expectedPluginId,
         });
-    }
-    catch (err) {
-        return { ok: false, error: `failed to extract archive: ${String(err)}` };
-    }
-    let packageDir = "";
-    try {
-        packageDir = await resolvePackedRootDir(extractDir);
-    }
-    catch (err) {
-        return { ok: false, error: String(err) };
-    }
-    return await installPluginFromPackageDir({
-        packageDir,
-        extensionsDir: params.extensionsDir,
-        timeoutMs,
-        logger,
-        mode,
-        dryRun: params.dryRun,
-        expectedPluginId: params.expectedPluginId,
     });
 }
 export async function installPluginFromDir(params) {
@@ -206,9 +268,7 @@ export async function installPluginFromDir(params) {
     });
 }
 export async function installPluginFromFile(params) {
-    const logger = params.logger ?? defaultLogger;
-    const mode = params.mode ?? "install";
-    const dryRun = params.dryRun ?? false;
+    const { logger, mode, dryRun } = resolvePluginInstallModeOptions(params);
     const filePath = resolveUserPath(params.filePath);
     if (!(await fileExists(filePath))) {
         return { ok: false, error: `file not found: ${filePath}` };
@@ -219,70 +279,48 @@ export async function installPluginFromFile(params) {
     await fs.mkdir(extensionsDir, { recursive: true });
     const base = path.basename(filePath, path.extname(filePath));
     const pluginId = base || "plugin";
+    const pluginIdError = validatePluginId(pluginId);
+    if (pluginIdError) {
+        return { ok: false, error: pluginIdError };
+    }
     const targetFile = path.join(extensionsDir, `${safeFileName(pluginId)}${path.extname(filePath)}`);
     if (mode === "install" && (await fileExists(targetFile))) {
         return { ok: false, error: `plugin already exists: ${targetFile} (delete it first)` };
     }
     if (dryRun) {
-        return {
-            ok: true,
-            pluginId,
-            targetDir: targetFile,
-            manifestName: undefined,
-            version: undefined,
-            extensions: [path.basename(targetFile)],
-        };
+        return buildFileInstallResult(pluginId, targetFile);
     }
     logger.info?.(`Installing to ${targetFile}…`);
     await fs.copyFile(filePath, targetFile);
-    return {
-        ok: true,
-        pluginId,
-        targetDir: targetFile,
-        manifestName: undefined,
-        version: undefined,
-        extensions: [path.basename(targetFile)],
-    };
+    return buildFileInstallResult(pluginId, targetFile);
 }
 export async function installPluginFromNpmSpec(params) {
-    const logger = params.logger ?? defaultLogger;
-    const timeoutMs = params.timeoutMs ?? 120_000;
-    const mode = params.mode ?? "install";
-    const dryRun = params.dryRun ?? false;
+    const { logger, timeoutMs, mode, dryRun } = resolveTimedPluginInstallModeOptions(params);
     const expectedPluginId = params.expectedPluginId;
     const spec = params.spec.trim();
-    if (!spec)
-        return { ok: false, error: "missing npm spec" };
-    const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "poolbot-npm-pack-"));
-    logger.info?.(`Downloading ${spec}…`);
-    const res = await runCommandWithTimeout(["npm", "pack", spec], {
-        timeoutMs: Math.max(timeoutMs, 300_000),
-        cwd: tmpDir,
-        env: { COREPACK_ENABLE_DOWNLOAD_PROMPT: "0" },
-    });
-    if (res.code !== 0) {
-        return {
-            ok: false,
-            error: `npm pack failed: ${res.stderr.trim() || res.stdout.trim()}`,
-        };
-    }
-    const packed = (res.stdout || "")
-        .split("\n")
-        .map((l) => l.trim())
-        .filter(Boolean)
-        .pop();
-    if (!packed) {
-        return { ok: false, error: "npm pack produced no archive" };
-    }
-    const archivePath = path.join(tmpDir, packed);
-    return await installPluginFromArchive({
-        archivePath,
-        extensionsDir: params.extensionsDir,
-        timeoutMs,
-        logger,
-        mode,
-        dryRun,
-        expectedPluginId,
+    const specError = validateRegistryNpmSpec(spec);
+    if (specError) {
+        return { ok: false, error: specError };
+    }
+    return await withTempDir("poolbot-npm-pack-", async (tmpDir) => {
+        logger.info?.(`Downloading ${spec}…`);
+        const packedResult = await packNpmSpecToArchive({
+            spec,
+            timeoutMs,
+            cwd: tmpDir,
+        });
+        if (!packedResult.ok) {
+            return packedResult;
+        }
+        return await installPluginFromArchive({
+            archivePath: packedResult.archivePath,
+            extensionsDir: params.extensionsDir,
+            timeoutMs,
+            logger,
+            mode,
+            dryRun,
+            expectedPluginId,
+        });
     });
 }
 export async function installPluginFromPath(params) {

package/dist/polls.js CHANGED Viewed

@@ -21,6 +21,13 @@ export function normalizePollInput(input, options = {}) {
     if (maxSelections > cleaned.length) {
         throw new Error("maxSelections cannot exceed option count");
     }
+    const durationSecondsRaw = input.durationSeconds;
+    const durationSeconds = typeof durationSecondsRaw === "number" && Number.isFinite(durationSecondsRaw)
+        ? Math.floor(durationSecondsRaw)
+        : undefined;
+    if (durationSeconds !== undefined && durationSeconds < 1) {
+        throw new Error("durationSeconds must be at least 1");
+    }
     const durationRaw = input.durationHours;
     const durationHours = typeof durationRaw === "number" && Number.isFinite(durationRaw)
         ? Math.floor(durationRaw)
@@ -28,10 +35,14 @@ export function normalizePollInput(input, options = {}) {
     if (durationHours !== undefined && durationHours < 1) {
         throw new Error("durationHours must be at least 1");
     }
+    if (durationSeconds !== undefined && durationHours !== undefined) {
+        throw new Error("durationSeconds and durationHours are mutually exclusive");
+    }
     return {
         question,
         options: cleaned,
         maxSelections,
+        durationSeconds,
         durationHours,
     };
 }