npm - @poolzin/pool-bot - Versions diffs - 2026.2.24 → 2026.2.26 - Mend

@poolzin/pool-bot 2026.2.24 → 2026.2.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (646) hide show

package/CHANGELOG.md +21 -0
package/dist/acp/client.js +207 -18
package/dist/acp/event-mapper.js +87 -22
package/dist/acp/meta.js +12 -6
package/dist/acp/secret-file.js +22 -0
package/dist/agents/agent-paths.js +8 -9
package/dist/agents/agent-scope.js +17 -5
package/dist/agents/auth-profiles/oauth.js +148 -64
package/dist/agents/auth-profiles/session-override.js +13 -7
package/dist/agents/bash-process-registry.test-helpers.js +29 -0
package/dist/agents/bash-tools.exec-approval-request.js +20 -0
package/dist/agents/bash-tools.exec-host-gateway.js +240 -0
package/dist/agents/bash-tools.exec-host-node.js +235 -0
package/dist/agents/bash-tools.exec-runtime.js +2 -25
package/dist/agents/bash-tools.exec-types.js +1 -0
package/dist/agents/bash-tools.process.js +224 -218
package/dist/agents/bedrock-discovery.js +3 -1
package/dist/agents/byteplus-models.js +97 -0
package/dist/agents/chutes-oauth.js +1 -0
package/dist/agents/cli-runner/helpers.js +4 -0
package/dist/agents/compaction.js +41 -14
package/dist/agents/content-blocks.js +16 -0
package/dist/agents/doubao-models.js +121 -0
package/dist/agents/failover-error.js +2 -0
package/dist/agents/huggingface-models.js +5 -3
package/dist/agents/live-model-filter.js +5 -0
package/dist/agents/minimax-vlm.js +10 -8
package/dist/agents/model-auth.js +6 -0
package/dist/agents/model-catalog.js +3 -1
package/dist/agents/model-fallback.js +96 -101
package/dist/agents/model-selection.js +7 -1
package/dist/agents/models-config.providers.js +364 -165
package/dist/agents/ollama-stream.js +117 -4
package/dist/agents/opencode-zen-models.js +22 -11
package/dist/agents/pi-embedded-helpers/errors.js +55 -33
package/dist/agents/pi-embedded-helpers/messaging-dedupe.js +10 -5
package/dist/agents/pi-embedded-helpers/thinking.js +10 -5
package/dist/agents/pi-embedded-helpers.js +1 -1
package/dist/agents/pi-embedded-payloads.js +1 -0
package/dist/agents/pi-embedded-runner/compact.js +29 -7
package/dist/agents/pi-embedded-runner/extensions.js +28 -26
package/dist/agents/pi-embedded-runner/google.js +20 -8
package/dist/agents/pi-embedded-runner/run/attempt.js +95 -36
package/dist/agents/pi-embedded-runner/run.js +71 -12
package/dist/agents/pi-embedded-runner/run.overflow-compaction.fixture.js +34 -0
package/dist/agents/pi-embedded-runner/run.overflow-compaction.mocks.shared.js +11 -2
package/dist/agents/pi-embedded-runner/session-manager-cache.js +11 -7
package/dist/agents/pi-embedded-runner/system-prompt.js +2 -0
package/dist/agents/pi-embedded-runner/thinking.js +42 -0
package/dist/agents/pi-embedded-runner/tool-name-allowlist.js +19 -0
package/dist/agents/pi-embedded-runner/utils.js +7 -10
package/dist/agents/pi-embedded-subscribe.handlers.lifecycle.js +45 -56
package/dist/agents/pi-embedded-subscribe.handlers.tools.js +2 -2
package/dist/agents/pi-embedded-subscribe.js +9 -4
package/dist/agents/pi-embedded-subscribe.tools.js +68 -14
package/dist/agents/pi-embedded-utils.js +3 -0
package/dist/agents/pi-extensions/compaction-safeguard-runtime.js +4 -20
package/dist/agents/pi-extensions/compaction-safeguard.js +75 -33
package/dist/agents/pi-settings.js +40 -0
package/dist/agents/pi-tools.policy.js +2 -1
package/dist/agents/provider/config-loader.js +1 -1
package/dist/agents/sandbox/browser.js +170 -33
package/dist/agents/sandbox/config-hash.js +14 -27
package/dist/agents/sandbox/config.js +21 -2
package/dist/agents/sandbox/constants.js +2 -0
package/dist/agents/sandbox/docker.js +16 -2
package/dist/agents/sandbox/novnc-auth.js +62 -0
package/dist/agents/sandbox/sanitize-env-vars.js +1 -1
package/dist/agents/sandbox/shared.js +10 -6
package/dist/agents/sandbox-paths.js +24 -11
package/dist/agents/schema/clean-for-gemini.js +132 -85
package/dist/agents/session-slug.js +10 -5
package/dist/agents/session-tool-result-guard-wrapper.js +1 -0
package/dist/agents/session-tool-result-guard.js +3 -1
package/dist/agents/session-transcript-repair.js +40 -6
package/dist/agents/skills/bundled-dir.js +19 -5
package/dist/agents/skills/env-overrides.js +124 -43
package/dist/agents/skills/frontmatter.js +6 -6
package/dist/agents/skills/plugin-skills.js +14 -7
package/dist/agents/skills/workspace.js +1 -0
package/dist/agents/skills.test-helpers.js +13 -0
package/dist/agents/stable-stringify.js +12 -0
package/dist/agents/subagent-announce.js +251 -49
package/dist/agents/subagent-lifecycle-events.js +19 -0
package/dist/agents/subagent-registry-cleanup.js +31 -0
package/dist/agents/subagent-registry-completion.js +68 -0
package/dist/agents/subagent-registry-queries.js +117 -0
package/dist/agents/subagent-registry-state.js +46 -0
package/dist/agents/subagent-registry.js +252 -221
package/dist/agents/subagent-registry.mocks.shared.js +12 -0
package/dist/agents/subagent-registry.store.js +1 -0
package/dist/agents/subagent-registry.types.js +1 -0
package/dist/agents/subagent-spawn.js +195 -7
package/dist/agents/system-prompt.js +22 -6
package/dist/agents/test-helpers/assistant-message-fixtures.js +29 -0
package/dist/agents/test-helpers/fast-coding-tools.js +1 -18
package/dist/agents/test-helpers/fast-core-tools.js +1 -17
package/dist/agents/test-helpers/pi-tools-sandbox-context.js +27 -0
package/dist/agents/timeout.js +18 -6
package/dist/agents/tool-call-id.js +1 -1
package/dist/agents/tool-display-common.js +162 -29
package/dist/agents/tool-images.js +82 -9
package/dist/agents/tool-policy-shared.js +108 -0
package/dist/agents/tool-policy.js +51 -26
package/dist/agents/tools/browser-tool.js +160 -54
package/dist/agents/tools/canvas-tool.js +27 -1
package/dist/agents/tools/common.js +45 -0
package/dist/agents/tools/cron-tool.test-helpers.js +12 -0
package/dist/agents/tools/discord-actions-guild.js +4 -1
package/dist/agents/tools/discord-actions-moderation-shared.js +27 -0
package/dist/agents/tools/gateway-tool.js +3 -1
package/dist/agents/tools/image-tool.js +214 -99
package/dist/agents/tools/nodes-utils.js +1 -10
package/dist/agents/tools/sessions-history-tool.js +140 -108
package/dist/agents/tools/sessions-send-helpers.js +12 -6
package/dist/agents/tools/sessions-spawn-tool.js +8 -2
package/dist/agents/tools/subagents-tool.js +2 -1
package/dist/agents/tools/whatsapp-actions.js +10 -2
package/dist/agents/tools/whatsapp-target-auth.js +18 -0
package/dist/agents/transcript-policy.js +22 -8
package/dist/agents/venice-models.js +11 -3
package/dist/agents/workspace.js +222 -46
package/dist/auto-reply/commands-registry.data.js +51 -0
package/dist/auto-reply/commands-registry.js +19 -21
package/dist/auto-reply/fallback-state.js +114 -0
package/dist/auto-reply/group-activation.js +10 -5
package/dist/auto-reply/inbound-debounce.js +10 -5
package/dist/auto-reply/model-runtime.js +68 -0
package/dist/auto-reply/reply/abort.js +1 -1
package/dist/auto-reply/reply/agent-runner-execution.js +40 -5
package/dist/auto-reply/reply/agent-runner.js +165 -39
package/dist/auto-reply/reply/bash-command.js +41 -39
package/dist/auto-reply/reply/command-gates.js +25 -0
package/dist/auto-reply/reply/commands-allowlist.js +111 -72
package/dist/auto-reply/reply/commands-bash.js +6 -5
package/dist/auto-reply/reply/commands-config.js +30 -28
package/dist/auto-reply/reply/commands-core.js +2 -1
package/dist/auto-reply/reply/commands-info.js +1 -0
package/dist/auto-reply/reply/commands-models.js +65 -14
package/dist/auto-reply/reply/commands-session.js +237 -82
package/dist/auto-reply/reply/commands-setunset-standard.js +13 -0
package/dist/auto-reply/reply/commands-setunset.js +45 -0
package/dist/auto-reply/reply/commands-subagents/action-agents.js +44 -0
package/dist/auto-reply/reply/commands-subagents/action-focus.js +64 -0
package/dist/auto-reply/reply/commands-subagents/action-help.js +4 -0
package/dist/auto-reply/reply/commands-subagents/action-info.js +45 -0
package/dist/auto-reply/reply/commands-subagents/action-kill.js +60 -0
package/dist/auto-reply/reply/commands-subagents/action-list.js +44 -0
package/dist/auto-reply/reply/commands-subagents/action-log.js +29 -0
package/dist/auto-reply/reply/commands-subagents/action-send.js +119 -0
package/dist/auto-reply/reply/commands-subagents/action-spawn.js +52 -0
package/dist/auto-reply/reply/commands-subagents/action-unfocus.js +30 -0
package/dist/auto-reply/reply/commands-subagents/shared.js +303 -0
package/dist/auto-reply/reply/commands-subagents.js +51 -587
package/dist/auto-reply/reply/commands-tts.js +10 -5
package/dist/auto-reply/reply/config-value.js +10 -5
package/dist/auto-reply/reply/directive-handling.model-picker.js +12 -6
package/dist/auto-reply/reply/directive-handling.persist.js +9 -21
package/dist/auto-reply/reply/directive-handling.shared.js +24 -4
package/dist/auto-reply/reply/followup-runner.js +1 -0
package/dist/auto-reply/reply/get-reply-directives-utils.js +23 -14
package/dist/auto-reply/reply/get-reply-directives.js +17 -28
package/dist/auto-reply/reply/get-reply-inline-actions.js +1 -0
package/dist/auto-reply/reply/get-reply.js +71 -12
package/dist/auto-reply/reply/model-selection.js +80 -39
package/dist/auto-reply/reply/queue/enqueue.js +10 -5
package/dist/auto-reply/reply/queue/state.js +13 -12
package/dist/auto-reply/reply/reply-payloads.js +67 -36
package/dist/auto-reply/reply/reply-reference.js +9 -8
package/dist/auto-reply/reply/route-reply.js +15 -8
package/dist/auto-reply/reply/session-reset-prompt.js +1 -1
package/dist/auto-reply/reply/session.js +22 -6
package/dist/auto-reply/reply/strip-inbound-meta.js +147 -0
package/dist/auto-reply/reply/subagents-utils.js +56 -30
package/dist/auto-reply/reply/typing.js +46 -21
package/dist/auto-reply/send-policy.js +14 -7
package/dist/auto-reply/status.js +140 -16
package/dist/auto-reply/templating.js +10 -5
package/dist/auto-reply/thinking.js +7 -16
package/dist/auto-reply/tokens.js +21 -5
package/dist/browser/bridge-server.js +36 -20
package/dist/browser/cdp.helpers.js +7 -14
package/dist/browser/cdp.js +35 -15
package/dist/browser/chrome.profile-decoration.js +7 -4
package/dist/browser/config.js +30 -0
package/dist/browser/extension-relay-auth.js +55 -0
package/dist/browser/extension-relay.js +74 -29
package/dist/browser/navigation-guard.js +39 -0
package/dist/browser/paths.js +77 -0
package/dist/browser/profiles.js +13 -8
package/dist/browser/pw-ai-module.js +10 -5
package/dist/browser/pw-session.js +76 -39
package/dist/browser/pw-tools-core.interactions.js +14 -7
package/dist/browser/pw-tools-core.state.js +12 -6
package/dist/browser/routes/agent.act.js +431 -424
package/dist/browser/routes/agent.shared.js +47 -3
package/dist/browser/routes/agent.snapshot.js +122 -116
package/dist/browser/routes/agent.storage.js +303 -297
package/dist/browser/routes/tabs.js +154 -100
package/dist/browser/server-context.js +7 -0
package/dist/browser/server-lifecycle.js +37 -0
package/dist/build-info.json +3 -3
package/dist/channels/allow-from.js +26 -0
package/dist/channels/allowlists/resolve-utils.js +43 -19
package/dist/channels/channel-config.js +14 -7
package/dist/channels/draft-stream-loop.js +7 -0
package/dist/channels/model-overrides.js +82 -0
package/dist/channels/plugins/account-action-gate.js +13 -0
package/dist/channels/plugins/message-actions.js +10 -0
package/dist/channels/plugins/normalize/imessage.js +14 -7
package/dist/channels/plugins/normalize/slack.js +10 -5
package/dist/channels/plugins/normalize/telegram.js +14 -7
package/dist/channels/plugins/outbound/discord.js +80 -8
package/dist/channels/plugins/outbound/signal.js +11 -11
package/dist/channels/plugins/setup-helpers.js +10 -5
package/dist/channels/sender-label.js +14 -7
package/dist/channels/session.js +4 -2
package/dist/channels/status-reactions.js +297 -0
package/dist/channels/telegram/api.js +18 -0
package/dist/cli/argv.js +84 -21
package/dist/cli/banner.js +3 -2
package/dist/cli/browser-cli-actions-input/register.files-downloads.js +65 -56
package/dist/cli/cli-name.js +11 -11
package/dist/cli/cli-utils.js +13 -3
package/dist/cli/command-format.js +1 -1
package/dist/cli/config-cli.js +1 -1
package/dist/cli/daemon-cli/lifecycle-core.js +31 -19
package/dist/cli/daemon-cli/lifecycle.js +64 -2
package/dist/cli/daemon-cli/restart-health.js +126 -0
package/dist/cli/daemon-cli/status.gather.js +9 -13
package/dist/cli/daemon-cli/status.print.js +2 -10
package/dist/cli/deps.js +27 -22
package/dist/cli/exec-approvals-cli.js +92 -124
package/dist/cli/gateway-cli/run-loop.js +23 -5
package/dist/cli/memory-cli.js +158 -61
package/dist/cli/node-cli/register.js +14 -5
package/dist/cli/nodes-cli/register.push.js +63 -0
package/dist/cli/nodes-media-utils.js +26 -0
package/dist/cli/outbound-send-deps.js +2 -9
package/dist/cli/outbound-send-mapping.js +11 -0
package/dist/cli/pairing-cli.js +40 -14
package/dist/cli/plugins-cli.js +250 -73
package/dist/cli/ports.js +11 -10
package/dist/cli/program/build-program.js +3 -1
package/dist/cli/program/command-registry.js +214 -136
package/dist/cli/program/command-tree.js +16 -0
package/dist/cli/program/help.js +43 -12
package/dist/cli/program/preaction.js +13 -9
package/dist/cli/program/register.configure.js +3 -18
package/dist/cli/program/register.maintenance.js +2 -2
package/dist/cli/program/register.onboard.js +2 -0
package/dist/cli/program/register.status-health-sessions.js +16 -17
package/dist/cli/program/register.subclis.js +93 -52
package/dist/cli/route.js +12 -8
package/dist/cli/system-cli.js +36 -46
package/dist/cli/test-runtime-capture.js +24 -0
package/dist/cli/update-cli/shared.js +22 -9
package/dist/cli/update-cli/update-command.js +89 -14
package/dist/cli/update-cli/wizard.js +6 -12
package/dist/commands/agent/run-context.js +18 -5
package/dist/commands/agent/session-store.js +17 -4
package/dist/commands/agent.js +185 -89
package/dist/commands/agents.bindings.js +14 -7
package/dist/commands/agents.commands.add.js +13 -9
package/dist/commands/agents.commands.identity.js +12 -6
package/dist/commands/agents.commands.list.js +11 -6
package/dist/commands/agents.config.js +8 -10
package/dist/commands/agents.providers.js +12 -6
package/dist/commands/auth-choice-options.js +103 -75
package/dist/commands/auth-choice.apply.byteplus.js +55 -0
package/dist/commands/auth-choice.apply.js +4 -0
package/dist/commands/auth-choice.apply.minimax.js +61 -13
package/dist/commands/auth-choice.apply.openai.js +3 -1
package/dist/commands/auth-choice.apply.volcengine.js +55 -0
package/dist/commands/auth-choice.preferred-provider.js +2 -0
package/dist/commands/channels/remove.js +13 -6
package/dist/commands/channels/shared.js +4 -14
package/dist/commands/channels.mock-harness.js +23 -0
package/dist/commands/configure.commands.js +14 -0
package/dist/commands/configure.gateway.js +2 -4
package/dist/commands/configure.js +1 -1
package/dist/commands/configure.shared.js +11 -0
package/dist/commands/daemon-install-helpers.js +2 -2
package/dist/commands/daemon-install-runtime-warning.js +11 -0
package/dist/commands/dashboard.js +12 -10
package/dist/commands/docs.js +14 -8
package/dist/commands/doctor-config-flow.js +11 -9
package/dist/commands/doctor-legacy-config.js +281 -0
package/dist/commands/doctor-state-integrity.js +99 -23
package/dist/commands/doctor-update.js +12 -9
package/dist/commands/models/list.list-command.js +7 -5
package/dist/commands/models/set-image.js +2 -21
package/dist/commands/node-daemon-install-helpers.js +10 -8
package/dist/commands/onboard-auth.config-minimax.js +54 -80
package/dist/commands/onboard-auth.config-opencode.js +2 -18
package/dist/commands/onboard-auth.credentials.js +90 -13
package/dist/commands/onboard-auth.js +1 -1
package/dist/commands/onboard-auth.models.js +6 -5
package/dist/commands/onboard-hooks.js +1 -1
package/dist/commands/onboard-non-interactive/api-keys.js +14 -7
package/dist/commands/onboard-non-interactive/local/auth-choice.js +64 -49
package/dist/commands/onboard-provider-auth-flags.js +14 -0
package/dist/commands/onboard-remote.js +14 -7
package/dist/commands/onboard.js +11 -13
package/dist/commands/sandbox-display.js +6 -5
package/dist/commands/sessions.test-helpers.js +61 -0
package/dist/commands/status-all/diagnosis.js +14 -10
package/dist/commands/status-all/format.js +1 -0
package/dist/commands/status.gateway-probe.js +1 -16
package/dist/commands/systemd-linger.js +12 -6
package/dist/config/agent-limits.js +2 -0
package/dist/config/commands.js +32 -15
package/dist/config/config-paths.js +9 -11
package/dist/config/config.js +1 -1
package/dist/config/defaults.js +22 -2
package/dist/config/discord-preview-streaming.js +104 -0
package/dist/config/env-substitution.js +62 -34
package/dist/config/env-vars.js +45 -7
package/dist/config/includes.js +4 -0
package/dist/config/io.js +656 -171
package/dist/config/legacy.migrations.part-1.js +189 -78
package/dist/config/legacy.shared.js +3 -1
package/dist/config/merge-patch.js +54 -4
package/dist/config/prototype-keys.js +4 -0
package/dist/config/redact-snapshot.js +404 -76
package/dist/config/schema.help.js +44 -7
package/dist/config/schema.js +58 -570
package/dist/config/schema.labels.js +38 -6
package/dist/config/sessions/delivery-info.js +10 -3
package/dist/config/sessions/main-session.js +10 -5
package/dist/config/sessions/session-file.js +33 -0
package/dist/config/sessions/session-key.js +10 -5
package/dist/config/sessions/store.js +1 -1
package/dist/config/sessions.js +1 -0
package/dist/config/validation.js +140 -85
package/dist/config/zod-schema.agent-runtime.js +11 -0
package/dist/config/zod-schema.hooks.js +40 -11
package/dist/config/zod-schema.installs.js +20 -0
package/dist/config/zod-schema.js +156 -20
package/dist/config/zod-schema.providers-core.js +78 -4
package/dist/config/zod-schema.providers.js +6 -1
package/dist/config/zod-schema.session.js +41 -2
package/dist/cron/run-log.js +3 -0
package/dist/cron/schedule.js +21 -10
package/dist/cron/service/ops.js +35 -21
package/dist/cron/service/timer.js +116 -16
package/dist/cron/stagger.js +3 -1
package/dist/daemon/cmd-argv.js +21 -0
package/dist/daemon/cmd-set.js +58 -0
package/dist/daemon/service-types.js +1 -0
package/dist/discord/api.js +12 -6
package/dist/discord/draft-chunking.js +22 -0
package/dist/discord/draft-stream.js +124 -0
package/dist/discord/monitor/agent-components.js +1 -1
package/dist/discord/monitor/commands.js +5 -0
package/dist/discord/monitor/exec-approvals.js +357 -162
package/dist/discord/monitor/gateway-plugin.js +2 -1
package/dist/discord/monitor/listeners.js +37 -27
package/dist/discord/monitor/message-handler.js +4 -1
package/dist/discord/monitor/message-handler.preflight.js +65 -8
package/dist/discord/monitor/message-handler.process.js +246 -217
package/dist/discord/monitor/message-utils.js +143 -6
package/dist/discord/monitor/model-picker-preferences.js +143 -0
package/dist/discord/monitor/model-picker.js +651 -0
package/dist/discord/monitor/native-command.js +573 -16
package/dist/discord/monitor/provider.allowlist.js +223 -0
package/dist/discord/monitor/provider.js +275 -347
package/dist/discord/monitor/provider.lifecycle.js +100 -0
package/dist/discord/monitor/reply-delivery.js +123 -16
package/dist/discord/monitor/thread-bindings.discord-api.js +215 -0
package/dist/discord/monitor/thread-bindings.js +4 -0
package/dist/discord/monitor/thread-bindings.lifecycle.js +177 -0
package/dist/discord/monitor/thread-bindings.manager.js +423 -0
package/dist/discord/monitor/thread-bindings.messages.js +55 -0
package/dist/discord/monitor/thread-bindings.state.js +358 -0
package/dist/discord/monitor/thread-bindings.types.js +6 -0
package/dist/discord/resolve-users.js +33 -21
package/dist/discord/send.channels.js +15 -0
package/dist/discord/send.js +3 -2
package/dist/discord/send.outbound.js +82 -26
package/dist/discord/send.permissions.js +83 -30
package/dist/discord/send.reactions.js +8 -4
package/dist/discord/token.js +10 -5
package/dist/discord/voice/command.js +263 -0
package/dist/discord/voice/manager.js +531 -0
package/dist/gateway/auth.js +72 -13
package/dist/gateway/call.js +152 -83
package/dist/gateway/canvas-capability.js +75 -0
package/dist/gateway/client.js +28 -4
package/dist/gateway/config-reload.js +3 -4
package/dist/gateway/control-plane-audit.js +28 -0
package/dist/gateway/control-plane-rate-limit.js +53 -0
package/dist/gateway/control-ui.js +219 -96
package/dist/gateway/events.js +1 -0
package/dist/gateway/hooks-mapping.js +88 -38
package/dist/gateway/hooks.js +109 -54
package/dist/gateway/http-auth-helpers.js +3 -2
package/dist/gateway/http-common.js +22 -0
package/dist/gateway/http-endpoint-helpers.js +1 -0
package/dist/gateway/method-scopes.js +169 -0
package/dist/gateway/net.js +74 -9
package/dist/gateway/node-invoke-system-run-approval.js +14 -35
package/dist/gateway/node-registry.js +10 -5
package/dist/gateway/openai-http.js +1 -0
package/dist/gateway/openresponses-http.js +121 -110
package/dist/gateway/origin-check.js +1 -18
package/dist/gateway/probe-auth.js +2 -0
package/dist/gateway/protocol/index.js +4 -2
package/dist/gateway/protocol/schema/cron.js +1 -0
package/dist/gateway/protocol/schema/devices.js +1 -0
package/dist/gateway/protocol/schema/protocol-schemas.js +4 -1
package/dist/gateway/protocol/schema/push.js +18 -0
package/dist/gateway/protocol/schema/sessions.js +6 -0
package/dist/gateway/protocol/schema.js +1 -0
package/dist/gateway/role-policy.js +17 -0
package/dist/gateway/server/ws-connection/connect-policy.js +37 -0
package/dist/gateway/server/ws-connection/message-handler.js +175 -148
package/dist/gateway/server-chat.js +83 -25
package/dist/gateway/server-constants.js +10 -9
package/dist/gateway/server-cron.js +1 -0
package/dist/gateway/server-http.js +247 -54
package/dist/gateway/server-maintenance.js +20 -5
package/dist/gateway/server-methods/agent.js +162 -24
package/dist/gateway/server-methods/chat.js +465 -130
package/dist/gateway/server-methods/config.js +193 -152
package/dist/gateway/server-methods/devices.js +17 -3
package/dist/gateway/server-methods/models.js +11 -1
package/dist/gateway/server-methods/nodes.helpers.js +12 -0
package/dist/gateway/server-methods/nodes.js +251 -69
package/dist/gateway/server-methods/push.js +53 -0
package/dist/gateway/server-methods/sessions.js +64 -8
package/dist/gateway/server-methods/usage.js +162 -75
package/dist/gateway/server-node-events.js +29 -0
package/dist/gateway/server-reload-handlers.js +2 -3
package/dist/gateway/server-runtime-config.js +39 -13
package/dist/gateway/server-runtime-state.js +2 -0
package/dist/gateway/server-startup-memory.js +17 -11
package/dist/gateway/server-ws-runtime.js +1 -0
package/dist/gateway/server.impl.js +296 -139
package/dist/gateway/session-preview.test-helpers.js +11 -0
package/dist/gateway/session-utils.fs.js +32 -34
package/dist/gateway/sessions-resolve.js +17 -5
package/dist/gateway/startup-auth.js +126 -0
package/dist/gateway/test-helpers.agent-results.js +15 -0
package/dist/gateway/test-helpers.mocks.js +37 -14
package/dist/gateway/test-helpers.openai-mock.js +14 -7
package/dist/gateway/test-helpers.server.js +161 -77
package/dist/gateway/tools-invoke-http.js +21 -10
package/dist/hooks/bundled/bootstrap-extra-files/handler.js +3 -1
package/dist/hooks/bundled/command-logger/handler.js +7 -2
package/dist/hooks/bundled/session-memory/handler.js +170 -38
package/dist/hooks/frontmatter.js +6 -6
package/dist/hooks/gmail-watcher-lifecycle.js +23 -0
package/dist/hooks/gmail-watcher.js +11 -6
package/dist/hooks/internal-hooks.js +11 -1
package/dist/hooks/llm-slug-generator.js +4 -1
package/dist/hooks/workspace.js +47 -17
package/dist/imessage/accounts.js +9 -20
package/dist/imessage/monitor/inbound-processing.js +2 -1
package/dist/infra/archive-path.js +49 -0
package/dist/infra/archive.js +174 -73
package/dist/infra/control-ui-assets.js +14 -6
package/dist/infra/device-pairing.js +204 -144
package/dist/infra/env.js +10 -5
package/dist/infra/exec-approvals-allowlist.js +141 -70
package/dist/infra/exec-approvals-analysis.js +78 -20
package/dist/infra/exec-approvals.js +5 -17
package/dist/infra/exec-safe-bin-policy.js +277 -0
package/dist/infra/fixed-window-rate-limit.js +33 -0
package/dist/infra/fs-safe.js +71 -39
package/dist/infra/gateway-lock.js +6 -2
package/dist/infra/git-root.js +61 -0
package/dist/infra/heartbeat-active-hours.js +2 -2
package/dist/infra/heartbeat-reason.js +40 -0
package/dist/infra/heartbeat-runner.js +72 -32
package/dist/infra/heartbeat-wake.js +6 -12
package/dist/infra/host-env-security-policy.json +19 -0
package/dist/infra/host-env-security.js +66 -0
package/dist/infra/install-source-utils.js +91 -7
package/dist/infra/net/ssrf.js +131 -38
package/dist/infra/node-pairing.js +50 -105
package/dist/infra/npm-integrity.js +45 -0
package/dist/infra/npm-pack-install.js +40 -0
package/dist/infra/outbound/bound-delivery-router.js +88 -0
package/dist/infra/outbound/channel-adapters.js +20 -7
package/dist/infra/outbound/channel-selection.js +12 -6
package/dist/infra/outbound/envelope.js +1 -1
package/dist/infra/outbound/format.js +12 -6
package/dist/infra/outbound/message-action-runner.js +107 -327
package/dist/infra/outbound/message.js +59 -36
package/dist/infra/outbound/outbound-policy.js +52 -25
package/dist/infra/outbound/outbound-send-service.js +58 -71
package/dist/infra/outbound/payloads.js +14 -7
package/dist/infra/outbound/session-binding-service.js +123 -0
package/dist/infra/pairing-files.js +10 -0
package/dist/infra/path-guards.js +25 -0
package/dist/infra/plain-object.js +9 -0
package/dist/infra/provider-usage.fetch.codex.js +7 -15
package/dist/infra/provider-usage.fetch.gemini.js +14 -11
package/dist/infra/provider-usage.fetch.shared.js +30 -1
package/dist/infra/provider-usage.fetch.zai.js +10 -9
package/dist/infra/push-apns.js +365 -0
package/dist/infra/restart-sentinel.js +16 -1
package/dist/infra/restart.js +229 -26
package/dist/infra/retry-policy.js +4 -2
package/dist/infra/retry.js +9 -5
package/dist/infra/scp-host.js +54 -0
package/dist/infra/session-cost-usage.js +107 -59
package/dist/infra/session-maintenance-warning.js +3 -1
package/dist/infra/shell-env.js +98 -34
package/dist/infra/ssh-config.js +12 -6
package/dist/infra/system-run-command.js +49 -4
package/dist/infra/update-channels.js +10 -5
package/dist/infra/update-startup.js +86 -9
package/dist/line/accounts.js +5 -7
package/dist/line/bot-access.js +8 -20
package/dist/line/bot-handlers.js +3 -1
package/dist/link-understanding/detect.js +15 -7
package/dist/media/constants.js +15 -6
package/dist/media/image-ops.js +7 -0
package/dist/media/inbound-path-policy.js +114 -0
package/dist/media/input-files.js +16 -0
package/dist/media/local-roots.js +3 -2
package/dist/media-understanding/apply.js +4 -1
package/dist/media-understanding/concurrency.js +8 -20
package/dist/memory/backend-config.js +45 -6
package/dist/memory/embeddings.js +10 -4
package/dist/memory/fs-utils.js +23 -0
package/dist/memory/manager-search.js +12 -6
package/dist/memory/manager-sync-ops.js +12 -2
package/dist/memory/qmd-manager.js +466 -53
package/dist/memory/query-expansion.js +167 -3
package/dist/memory/status-format.js +10 -5
package/dist/memory/sync-memory-files.js +1 -1
package/dist/memory/test-manager.js +8 -0
package/dist/node-host/invoke-system-run.js +281 -0
package/dist/node-host/invoke.js +55 -337
package/dist/pairing/pairing-store.js +22 -0
package/dist/plugin-sdk/allow-from.js +1 -1
package/dist/plugin-sdk/command-auth.js +3 -1
package/dist/plugin-sdk/index.js +6 -3
package/dist/plugin-sdk/temp-path.js +47 -0
package/dist/plugin-sdk/webhook-targets.js +32 -0
package/dist/plugins/bundled-dir.js +9 -6
package/dist/plugins/discovery.js +217 -23
package/dist/plugins/hook-runner-global.js +16 -0
package/dist/plugins/hooks.js +50 -0
package/dist/plugins/install.js +28 -16
package/dist/plugins/loader.js +192 -26
package/dist/plugins/logger.js +8 -0
package/dist/plugins/manifest-registry.js +3 -0
package/dist/plugins/path-safety.js +34 -0
package/dist/plugins/registry.js +5 -2
package/dist/plugins/runtime/index.js +271 -206
package/dist/plugins/runtime.js +3 -17
package/dist/plugins/update.js +78 -12
package/dist/process/spawn-utils.js +14 -7
package/dist/providers/github-copilot-models.js +4 -1
package/dist/providers/github-copilot-token.js +11 -6
package/dist/providers/qwen-portal-oauth.js +14 -6
package/dist/routing/account-id.js +30 -0
package/dist/routing/resolve-route.js +3 -7
package/dist/routing/session-key.js +2 -16
package/dist/security/audit-channel.js +100 -20
package/dist/security/audit-extra.async.js +505 -179
package/dist/security/audit-extra.js +12 -2
package/dist/security/audit-extra.sync.js +421 -35
package/dist/security/audit-fs.js +31 -13
package/dist/security/audit.js +180 -370
package/dist/security/dm-policy-shared.js +68 -0
package/dist/security/external-content.js +46 -14
package/dist/security/fix.js +49 -85
package/dist/security/scan-paths.js +20 -0
package/dist/security/secret-equal.js +3 -7
package/dist/security/windows-acl.js +30 -15
package/dist/shared/entry-status.js +6 -0
package/dist/shared/frontmatter.js +5 -5
package/dist/shared/node-list-parse.js +13 -0
package/dist/shared/node-match.js +11 -4
package/dist/shared/operator-scope-compat.js +42 -0
package/dist/shared/text-chunking.js +29 -0
package/dist/signal/accounts.js +7 -20
package/dist/signal/monitor/event-handler.js +3 -1
package/dist/slack/accounts.js +6 -19
package/dist/slack/actions.js +11 -3
package/dist/slack/blocks.test-helpers.js +31 -0
package/dist/slack/monitor/auth.js +1 -1
package/dist/slack/monitor/message-handler/dispatch.js +50 -29
package/dist/slack/monitor/mrkdwn.js +8 -0
package/dist/slack/monitor/replies.js +15 -7
package/dist/slack/monitor/slash.js +22 -13
package/dist/slack/resolve-channels.js +10 -5
package/dist/slack/send.js +102 -12
package/dist/slack/stream-mode.js +10 -0
package/dist/slack/streaming.js +4 -2
package/dist/telegram/accounts.js +19 -14
package/dist/telegram/bot/helpers.js +3 -5
package/dist/telegram/bot-access.js +35 -36
package/dist/telegram/bot-handlers.js +120 -148
package/dist/telegram/bot-message-context.js +68 -9
package/dist/telegram/bot-message-dispatch.js +477 -210
package/dist/telegram/bot-native-commands.js +16 -0
package/dist/telegram/draft-stream.js +44 -8
package/dist/telegram/inline-buttons.js +5 -15
package/dist/telegram/monitor.js +11 -7
package/dist/telegram/network-config.js +19 -7
package/dist/telegram/reasoning-lane-coordinator.js +128 -0
package/dist/telegram/send.js +3 -2
package/dist/telegram/sent-message-cache.js +5 -6
package/dist/telegram/status-reaction-variants.js +208 -0
package/dist/telegram/sticker-cache.js +11 -9
package/dist/terminal/prompt-select-styled.js +9 -0
package/dist/terminal/theme.js +12 -12
package/dist/test-utils/command-runner.js +6 -0
package/dist/test-utils/internal-hook-event-payload.js +10 -0
package/dist/test-utils/model-auth-mock.js +12 -0
package/dist/test-utils/provider-usage-fetch.js +14 -0
package/dist/test-utils/temp-home.js +33 -0
package/dist/tts/tts.js +80 -567
package/dist/tui/components/chat-log.js +50 -8
package/dist/tui/theme/theme.js +10 -12
package/dist/tui/tui-command-handlers.js +36 -27
package/dist/tui/tui-event-handlers.js +122 -32
package/dist/tui/tui-local-shell.js +16 -6
package/dist/tui/tui.js +236 -48
package/dist/utils/account-id.js +2 -4
package/dist/utils/boolean.js +10 -5
package/dist/utils/directive-tags.js +11 -0
package/dist/utils/mask-api-key.js +10 -0
package/dist/utils/queue-helpers.js +67 -12
package/dist/utils/run-with-concurrency.js +39 -0
package/dist/web/auto-reply/deliver-reply.js +8 -4
package/dist/web/auto-reply/mentions.js +10 -5
package/dist/web/auto-reply/monitor/group-members.js +14 -7
package/dist/web/auto-reply/monitor/process-message.js +45 -24
package/dist/web/inbound/access-control.js +5 -2
package/dist/web/login-qr.js +12 -6
package/dist/web/media.js +126 -15
package/docs/tools/slash-commands.md +5 -1
package/extensions/bluebubbles/src/monitor-processing.ts +580 -139
package/extensions/bluebubbles/src/monitor.ts +208 -1950
package/extensions/feishu/src/external-keys.ts +19 -0
package/extensions/lobster/src/windows-spawn.ts +193 -0
package/extensions/matrix/src/matrix/actions/limits.ts +6 -0
package/extensions/mattermost/src/mattermost/reactions.test-helpers.ts +83 -0
package/package.json +1 -1

package/dist/plugins/update.js CHANGED Viewed

@@ -18,14 +18,17 @@ function resolveBundledPluginSources(params) {
     const discovery = discoverPoolBotPlugins({ workspaceDir: params.workspaceDir });
     const bundled = new Map();
     for (const candidate of discovery.candidates) {
-        if (candidate.origin !== "bundled")
+        if (candidate.origin !== "bundled") {
             continue;
+        }
         const manifest = loadPluginManifest(candidate.rootDir);
-        if (!manifest.ok)
+        if (!manifest.ok) {
             continue;
+        }
         const pluginId = manifest.manifest.id;
-        if (bundled.has(pluginId))
+        if (bundled.has(pluginId)) {
             continue;
+        }
         const npmSpec = candidate.packagePoolbot?.install?.npmSpec?.trim() ||
             candidate.packageName?.trim() ||
             undefined;
@@ -38,8 +41,9 @@ function resolveBundledPluginSources(params) {
     return bundled;
 }
 function pathsEqual(left, right) {
-    if (!left || !right)
+    if (!left || !right) {
         return false;
+    }
     return resolveUserPath(left) === resolveUserPath(right);
 }
 function buildLoadPathHelpers(existing) {
@@ -49,16 +53,18 @@ function buildLoadPathHelpers(existing) {
     let changed = false;
     const addPath = (value) => {
         const normalized = resolveUserPath(value);
-        if (resolved.has(normalized))
+        if (resolved.has(normalized)) {
             return;
+        }
         paths.push(value);
         resolved.add(normalized);
         changed = true;
     };
     const removePath = (value) => {
         const normalized = resolveUserPath(value);
-        if (!resolved.has(normalized))
+        if (!resolved.has(normalized)) {
             return;
+        }
         paths = paths.filter((entry) => resolveUserPath(entry) !== normalized);
         resolved = resolveSet();
         changed = true;
@@ -74,6 +80,24 @@ function buildLoadPathHelpers(existing) {
         },
     };
 }
+function createPluginUpdateIntegrityDriftHandler(params) {
+    return async (drift) => {
+        const payload = {
+            pluginId: params.pluginId,
+            spec: drift.spec,
+            expectedIntegrity: drift.expectedIntegrity,
+            actualIntegrity: drift.actualIntegrity,
+            resolvedSpec: drift.resolution.resolvedSpec,
+            resolvedVersion: drift.resolution.version,
+            dryRun: params.dryRun,
+        };
+        if (params.onIntegrityDrift) {
+            return await params.onIntegrityDrift(payload);
+        }
+        params.logger.warn?.(`Integrity drift for "${params.pluginId}" (${payload.resolvedSpec ?? payload.spec}): expected ${payload.expectedIntegrity}, got ${payload.actualIntegrity}`);
+        return true;
+    };
+}
 export async function updateNpmInstalledPlugins(params) {
     const logger = params.logger ?? {};
     const installs = params.config.plugins?.installs ?? {};
@@ -115,7 +139,18 @@ export async function updateNpmInstalledPlugins(params) {
             });
             continue;
         }
-        const installPath = record.installPath ?? resolvePluginInstallDir(pluginId);
+        let installPath;
+        try {
+            installPath = record.installPath ?? resolvePluginInstallDir(pluginId);
+        }
+        catch (err) {
+            outcomes.push({
+                pluginId,
+                status: "error",
+                message: `Invalid install path for "${pluginId}": ${String(err)}`,
+            });
+            continue;
+        }
         const currentVersion = await readInstalledPackageVersion(installPath);
         if (params.dryRun) {
             let probe;
@@ -125,6 +160,13 @@ export async function updateNpmInstalledPlugins(params) {
                     mode: "update",
                     dryRun: true,
                     expectedPluginId: pluginId,
+                    expectedIntegrity: record.integrity,
+                    onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                        pluginId,
+                        dryRun: true,
+                        logger,
+                        onIntegrityDrift: params.onIntegrityDrift,
+                    }),
                     logger,
                 });
             }
@@ -172,6 +214,13 @@ export async function updateNpmInstalledPlugins(params) {
                 spec: record.spec,
                 mode: "update",
                 expectedPluginId: pluginId,
+                expectedIntegrity: record.integrity,
+                onIntegrityDrift: createPluginUpdateIntegrityDriftHandler({
+                    pluginId,
+                    dryRun: false,
+                    logger,
+                    onIntegrityDrift: params.onIntegrityDrift,
+                }),
                 logger,
             });
         }
@@ -198,6 +247,12 @@ export async function updateNpmInstalledPlugins(params) {
             spec: record.spec,
             installPath: result.targetDir,
             version: nextVersion,
+            resolvedName: result.npmResolution?.name,
+            resolvedVersion: result.npmResolution?.version,
+            resolvedSpec: result.npmResolution?.resolvedSpec,
+            integrity: result.npmResolution?.integrity,
+            shasum: result.npmResolution?.shasum,
+            resolvedAt: result.npmResolution?.resolvedAt,
         });
         changed = true;
         const currentLabel = currentVersion ?? "unknown";
@@ -241,12 +296,14 @@ export async function syncPluginsForUpdateChannel(params) {
     if (params.channel === "dev") {
         for (const [pluginId, record] of Object.entries(installs)) {
             const bundledInfo = bundled.get(pluginId);
-            if (!bundledInfo)
+            if (!bundledInfo) {
                 continue;
+            }
             loadHelpers.addPath(bundledInfo.localPath);
             const alreadyBundled = record.source === "path" && pathsEqual(record.sourcePath, bundledInfo.localPath);
-            if (alreadyBundled)
+            if (alreadyBundled) {
                 continue;
+            }
             next = recordPluginInstall(next, {
                 pluginId,
                 source: "path",
@@ -262,16 +319,19 @@ export async function syncPluginsForUpdateChannel(params) {
     else {
         for (const [pluginId, record] of Object.entries(installs)) {
             const bundledInfo = bundled.get(pluginId);
-            if (!bundledInfo)
+            if (!bundledInfo) {
                 continue;
+            }
             if (record.source === "npm") {
                 loadHelpers.removePath(bundledInfo.localPath);
                 continue;
             }
-            if (record.source !== "path")
+            if (record.source !== "path") {
                 continue;
-            if (!pathsEqual(record.sourcePath, bundledInfo.localPath))
+            }
+            if (!pathsEqual(record.sourcePath, bundledInfo.localPath)) {
                 continue;
+            }
             const spec = record.spec ?? bundledInfo.npmSpec;
             if (!spec) {
                 summary.warnings.push(`Missing npm spec for ${pluginId}; keeping local path.`);
@@ -300,6 +360,12 @@ export async function syncPluginsForUpdateChannel(params) {
                 spec,
                 installPath: result.targetDir,
                 version: result.version,
+                resolvedName: result.npmResolution?.name,
+                resolvedVersion: result.npmResolution?.version,
+                resolvedSpec: result.npmResolution?.resolvedSpec,
+                integrity: result.npmResolution?.integrity,
+                shasum: result.npmResolution?.shasum,
+                resolvedAt: result.npmResolution?.resolvedAt,
                 sourcePath: undefined,
             });
             summary.switchedToNpm.push(pluginId);

package/dist/process/spawn-utils.js CHANGED Viewed

@@ -5,19 +5,24 @@ export function resolveCommandStdio(params) {
     return [stdin, "pipe", "pipe"];
 }
 export function formatSpawnError(err) {
-    if (!(err instanceof Error))
+    if (!(err instanceof Error)) {
         return String(err);
+    }
     const details = err;
     const parts = [];
     const message = err.message?.trim();
-    if (message)
+    if (message) {
         parts.push(message);
-    if (details.code && !message?.includes(details.code))
+    }
+    if (details.code && !message?.includes(details.code)) {
         parts.push(details.code);
-    if (details.syscall)
+    }
+    if (details.syscall) {
         parts.push(`syscall=${details.syscall}`);
-    if (typeof details.errno === "number")
+    }
+    if (typeof details.errno === "number") {
         parts.push(`errno=${details.errno}`);
+    }
     return parts.join(" ");
 }
 function shouldRetry(err, codes) {
@@ -33,15 +38,17 @@ async function spawnAndWaitForSpawn(spawnImpl, argv, options) {
             child.removeListener("spawn", onSpawn);
         };
         const finishResolve = () => {
-            if (settled)
+            if (settled) {
                 return;
+            }
             settled = true;
             cleanup();
             resolve(child);
         };
         const onError = (err) => {
-            if (settled)
+            if (settled) {
                 return;
+            }
             settled = true;
             cleanup();
             reject(err);

package/dist/providers/github-copilot-models.js CHANGED Viewed

@@ -4,6 +4,8 @@ const DEFAULT_MAX_TOKENS = 8192;
 // We keep this list intentionally broad; if a model isn't available Copilot will
 // return an error and users can remove it from their config.
 const DEFAULT_MODEL_IDS = [
+    "claude-sonnet-4.6",
+    "claude-sonnet-4.5",
     "gpt-4o",
     "gpt-4.1",
     "gpt-4.1-mini",
@@ -17,8 +19,9 @@ export function getDefaultCopilotModelIds() {
 }
 export function buildCopilotModelDefinition(modelId) {
     const id = modelId.trim();
-    if (!id)
+    if (!id) {
         throw new Error("Model id required");
+    }
     return {
         id,
         name: id,

package/dist/providers/github-copilot-token.js CHANGED Viewed

@@ -39,25 +39,30 @@ function parseCopilotTokenResponse(value) {
 export const DEFAULT_COPILOT_API_BASE_URL = "https://api.individual.githubcopilot.com";
 export function deriveCopilotApiBaseUrlFromToken(token) {
     const trimmed = token.trim();
-    if (!trimmed)
+    if (!trimmed) {
         return null;
+    }
     // The token returned from the Copilot token endpoint is a semicolon-delimited
     // set of key/value pairs. One of them is `proxy-ep=...`.
     const match = trimmed.match(/(?:^|;)\s*proxy-ep=([^;\s]+)/i);
     const proxyEp = match?.[1]?.trim();
-    if (!proxyEp)
+    if (!proxyEp) {
         return null;
+    }
     // pi-ai expects converting proxy.* -> api.*
     // (see upstream getGitHubCopilotBaseUrl).
     const host = proxyEp.replace(/^https?:\/\//, "").replace(/^proxy\./i, "api.");
-    if (!host)
+    if (!host) {
         return null;
+    }
     return `https://${host}`;
 }
 export async function resolveCopilotApiToken(params) {
     const env = params.env ?? process.env;
-    const cachePath = resolveCopilotTokenCachePath(env);
-    const cached = loadJsonFile(cachePath);
+    const cachePath = params.cachePath?.trim() || resolveCopilotTokenCachePath(env);
+    const loadJsonFileFn = params.loadJsonFileImpl ?? loadJsonFile;
+    const saveJsonFileFn = params.saveJsonFileImpl ?? saveJsonFile;
+    const cached = loadJsonFileFn(cachePath);
     if (cached && typeof cached.token === "string" && typeof cached.expiresAt === "number") {
         if (isTokenUsable(cached)) {
             return {
@@ -85,7 +90,7 @@ export async function resolveCopilotApiToken(params) {
         expiresAt: json.expiresAt,
         updatedAt: Date.now(),
     };
-    saveJsonFile(cachePath, payload);
+    saveJsonFileFn(cachePath, payload);
     return {
         token: payload.token,
         expiresAt: payload.expiresAt,

package/dist/providers/qwen-portal-oauth.js CHANGED Viewed

@@ -3,7 +3,8 @@ const QWEN_OAUTH_BASE_URL = "https://chat.qwen.ai";
 const QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
 const QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
 export async function refreshQwenPortalCredentials(credentials) {
-    if (!credentials.refresh?.trim()) {
+    const refreshToken = credentials.refresh?.trim();
+    if (!refreshToken) {
         throw new Error("Qwen OAuth refresh token missing; re-authenticate.");
     }
     const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
@@ -14,7 +15,7 @@ export async function refreshQwenPortalCredentials(credentials) {
         },
         body: new URLSearchParams({
             grant_type: "refresh_token",
-            refresh_token: credentials.refresh,
+            refresh_token: refreshToken,
             client_id: QWEN_OAUTH_CLIENT_ID,
         }),
     });
@@ -26,13 +27,20 @@ export async function refreshQwenPortalCredentials(credentials) {
         throw new Error(`Qwen OAuth refresh failed: ${text || response.statusText}`);
     }
     const payload = (await response.json());
-    if (!payload.access_token || !payload.expires_in) {
+    const accessToken = payload.access_token?.trim();
+    const newRefreshToken = payload.refresh_token?.trim();
+    const expiresIn = payload.expires_in;
+    if (!accessToken) {
         throw new Error("Qwen OAuth refresh response missing access token.");
     }
+    if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+        throw new Error("Qwen OAuth refresh response missing or invalid expires_in.");
+    }
     return {
         ...credentials,
-        access: payload.access_token,
-        refresh: payload.refresh_token || credentials.refresh,
-        expires: Date.now() + payload.expires_in * 1000,
+        access: accessToken,
+        // RFC 6749 section 6: new refresh token is optional; if present, replace old.
+        refresh: newRefreshToken || refreshToken,
+        expires: Date.now() + expiresIn * 1000,
     };
 }

package/dist/routing/account-id.js ADDED Viewed

@@ -0,0 +1,30 @@
+export const DEFAULT_ACCOUNT_ID = "default";
+const VALID_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
+const INVALID_CHARS_RE = /[^a-z0-9_-]+/g;
+const LEADING_DASH_RE = /^-+/;
+const TRAILING_DASH_RE = /-+$/;
+function canonicalizeAccountId(value) {
+    if (VALID_ID_RE.test(value)) {
+        return value.toLowerCase();
+    }
+    return value
+        .toLowerCase()
+        .replace(INVALID_CHARS_RE, "-")
+        .replace(LEADING_DASH_RE, "")
+        .replace(TRAILING_DASH_RE, "")
+        .slice(0, 64);
+}
+export function normalizeAccountId(value) {
+    const trimmed = (value ?? "").trim();
+    if (!trimmed) {
+        return DEFAULT_ACCOUNT_ID;
+    }
+    return canonicalizeAccountId(trimmed) || DEFAULT_ACCOUNT_ID;
+}
+export function normalizeOptionalAccountId(value) {
+    const trimmed = (value ?? "").trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    return canonicalizeAccountId(trimmed) || undefined;
+}

package/dist/routing/resolve-route.js CHANGED Viewed

@@ -3,7 +3,7 @@ import { normalizeChatType } from "../channels/chat-type.js";
 import { shouldLogVerbose } from "../globals.js";
 import { logDebug } from "../logger.js";
 import { listBindings } from "./bindings.js";
-import { buildAgentMainSessionKey, buildAgentPeerSessionKey, DEFAULT_ACCOUNT_ID, DEFAULT_MAIN_KEY, normalizeAgentId, sanitizeAgentId, } from "./session-key.js";
+import { buildAgentMainSessionKey, buildAgentPeerSessionKey, DEFAULT_ACCOUNT_ID, DEFAULT_MAIN_KEY, normalizeAccountId as normalizeAccountIdShared, normalizeAgentId, sanitizeAgentId, } from "./session-key.js";
 export { DEFAULT_ACCOUNT_ID, DEFAULT_AGENT_ID } from "./session-key.js";
 function normalizeToken(value) {
     return (value ?? "").trim().toLowerCase();
@@ -17,10 +17,6 @@ function normalizeId(value) {
     }
     return "";
 }
-function normalizeAccountId(value) {
-    const trimmed = (value ?? "").trim();
-    return trimmed ? trimmed : DEFAULT_ACCOUNT_ID;
-}
 function matchesAccountId(match, actual) {
     const trimmed = (match ?? "").trim();
     if (!trimmed) {
@@ -29,7 +25,7 @@ function matchesAccountId(match, actual) {
     if (trimmed === "*") {
         return true;
     }
-    return trimmed === actual;
+    return normalizeAccountIdShared(trimmed) === actual;
 }
 export function buildAgentSessionKey(params) {
     const channel = normalizeToken(params.channel) || "unknown";
@@ -164,7 +160,7 @@ function matchesBindingScope(match, scope) {
 }
 export function resolveAgentRoute(input) {
     const channel = normalizeToken(input.channel);
-    const accountId = normalizeAccountId(input.accountId);
+    const accountId = normalizeAccountIdShared(input.accountId);
     const peer = input.peer ? { kind: input.peer.kind, id: normalizeId(input.peer.id) } : null;
     const guildId = normalizeId(input.guildId);
     const teamId = normalizeId(input.teamId);

package/dist/routing/session-key.js CHANGED Viewed

@@ -1,8 +1,9 @@
 import { parseAgentSessionKey } from "../sessions/session-key-utils.js";
+import { normalizeAccountId } from "./account-id.js";
 export { getSubagentDepth, isCronSessionKey, isAcpSessionKey, isSubagentSessionKey, parseAgentSessionKey, } from "../sessions/session-key-utils.js";
+export { DEFAULT_ACCOUNT_ID, normalizeAccountId, normalizeOptionalAccountId, } from "./account-id.js";
 export const DEFAULT_AGENT_ID = "main";
 export const DEFAULT_MAIN_KEY = "main";
-export const DEFAULT_ACCOUNT_ID = "default";
 // Pre-compiled regex
 const VALID_ID_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
 const INVALID_CHARS_RE = /[^a-z0-9_-]+/g;
@@ -82,21 +83,6 @@ export function sanitizeAgentId(value) {
         .replace(TRAILING_DASH_RE, "")
         .slice(0, 64) || DEFAULT_AGENT_ID);
 }
-export function normalizeAccountId(value) {
-    const trimmed = (value ?? "").trim();
-    if (!trimmed) {
-        return DEFAULT_ACCOUNT_ID;
-    }
-    if (VALID_ID_RE.test(trimmed)) {
-        return trimmed.toLowerCase();
-    }
-    return (trimmed
-        .toLowerCase()
-        .replace(INVALID_CHARS_RE, "-")
-        .replace(LEADING_DASH_RE, "")
-        .replace(TRAILING_DASH_RE, "")
-        .slice(0, 64) || DEFAULT_ACCOUNT_ID);
-}
 export function buildAgentMainSessionKey(params) {
     const agentId = normalizeAgentId(params.agentId);
     const mainKey = normalizeMainKey(params.mainKey);

package/dist/security/audit-channel.js CHANGED Viewed

@@ -3,11 +3,44 @@ import { isNumericTelegramUserId, normalizeTelegramAllowFromEntry, } from "../ch
 import { formatCliCommand } from "../cli/command-format.js";
 import { resolveNativeCommandsEnabled, resolveNativeSkillsEnabled } from "../config/commands.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
+import { normalizeStringEntries } from "../shared/string-normalization.js";
+import { resolveDmAllowState } from "./dm-policy-shared.js";
 function normalizeAllowFromList(list) {
-    if (!Array.isArray(list)) {
-        return [];
+    return normalizeStringEntries(Array.isArray(list) ? list : undefined);
+}
+const DISCORD_ALLOWLIST_ID_PREFIXES = ["discord:", "user:", "pk:"];
+function isDiscordNameBasedAllowEntry(raw) {
+    const text = String(raw).trim();
+    if (!text || text === "*") {
+        return false;
+    }
+    const maybeId = text.replace(/^<@!?/, "").replace(/>$/, "");
+    if (/^\d+$/.test(maybeId)) {
+        return false;
+    }
+    const prefixed = DISCORD_ALLOWLIST_ID_PREFIXES.find((prefix) => text.startsWith(prefix));
+    if (prefixed) {
+        const candidate = text.slice(prefixed.length);
+        if (candidate) {
+            return false;
+        }
+    }
+    return true;
+}
+function addDiscordNameBasedEntries(params) {
+    if (!Array.isArray(params.values)) {
+        return;
+    }
+    for (const value of params.values) {
+        if (!isDiscordNameBasedAllowEntry(value)) {
+            continue;
+        }
+        const text = String(value).trim();
+        if (!text) {
+            continue;
+        }
+        params.target.add(`${params.source}:${text}`);
     }
-    return list.map((v) => String(v).trim()).filter(Boolean);
 }
 function classifyChannelWarningSeverity(message) {
     const s = message.toLowerCase();
@@ -40,22 +73,12 @@ export async function collectChannelSecurityFindings(params) {
     };
     const warnDmPolicy = async (input) => {
         const policyPath = input.policyPath ?? `${input.allowFromPath}policy`;
-        const configAllowFrom = normalizeAllowFromList(input.allowFrom);
-        const hasWildcard = configAllowFrom.includes("*");
+        const { hasWildcard, isMultiUserDm } = await resolveDmAllowState({
+            provider: input.provider,
+            allowFrom: input.allowFrom,
+            normalizeEntry: input.normalizeEntry,
+        });
         const dmScope = params.cfg.session?.dmScope ?? "main";
-        const storeAllowFrom = await readChannelAllowFromStore(input.provider).catch(() => []);
-        const normalizeEntry = input.normalizeEntry ?? ((value) => value);
-        const normalizedCfg = configAllowFrom
-            .filter((value) => value !== "*")
-            .map((value) => normalizeEntry(value))
-            .map((value) => value.trim())
-            .filter(Boolean);
-        const normalizedStore = storeAllowFrom
-            .map((value) => normalizeEntry(value))
-            .map((value) => value.trim())
-            .filter(Boolean);
-        const allowCount = Array.from(new Set([...normalizedCfg, ...normalizedStore])).length;
-        const isMultiUserDm = hasWildcard || allowCount > 1;
         if (input.dmPolicy === "open") {
             const allowFromKey = `${input.allowFromPath}allowFrom`;
             findings.push({
@@ -119,6 +142,64 @@ export async function collectChannelSecurityFindings(params) {
         if (plugin.id === "discord") {
             const discordCfg = account?.config ??
                 {};
+            const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
+            const discordNameBasedAllowEntries = new Set();
+            addDiscordNameBasedEntries({
+                target: discordNameBasedAllowEntries,
+                values: discordCfg.allowFrom,
+                source: "channels.discord.allowFrom",
+            });
+            addDiscordNameBasedEntries({
+                target: discordNameBasedAllowEntries,
+                values: discordCfg.dm?.allowFrom,
+                source: "channels.discord.dm.allowFrom",
+            });
+            addDiscordNameBasedEntries({
+                target: discordNameBasedAllowEntries,
+                values: storeAllowFrom,
+                source: "~/.poolbot/credentials/discord-allowFrom.json",
+            });
+            const discordGuildEntries = discordCfg.guilds ?? {};
+            for (const [guildKey, guildValue] of Object.entries(discordGuildEntries)) {
+                if (!guildValue || typeof guildValue !== "object") {
+                    continue;
+                }
+                const guild = guildValue;
+                addDiscordNameBasedEntries({
+                    target: discordNameBasedAllowEntries,
+                    values: guild.users,
+                    source: `channels.discord.guilds.${guildKey}.users`,
+                });
+                const channels = guild.channels;
+                if (!channels || typeof channels !== "object") {
+                    continue;
+                }
+                for (const [channelKey, channelValue] of Object.entries(channels)) {
+                    if (!channelValue || typeof channelValue !== "object") {
+                        continue;
+                    }
+                    const channel = channelValue;
+                    addDiscordNameBasedEntries({
+                        target: discordNameBasedAllowEntries,
+                        values: channel.users,
+                        source: `channels.discord.guilds.${guildKey}.channels.${channelKey}.users`,
+                    });
+                }
+            }
+            if (discordNameBasedAllowEntries.size > 0) {
+                const examples = Array.from(discordNameBasedAllowEntries).slice(0, 5);
+                const more = discordNameBasedAllowEntries.size > examples.length
+                    ? ` (+${discordNameBasedAllowEntries.size - examples.length} more)`
+                    : "";
+                findings.push({
+                    checkId: "channels.discord.allowFrom.name_based_entries",
+                    severity: "warn",
+                    title: "Discord allowlist contains name or tag entries",
+                    detail: "Discord name/tag allowlist matching uses normalized slugs and can collide across users. " +
+                        `Found: ${examples.join(", ")}${more}.`,
+                    remediation: "Prefer stable Discord IDs (or <@id>/user:<id>/pk:<id>) in channels.discord.allowFrom and channels.discord.guilds.*.users.",
+                });
+            }
             const nativeEnabled = resolveNativeCommandsEnabled({
                 providerId: "discord",
                 providerSetting: coerceNativeSetting(discordCfg.commands?.native),
@@ -133,7 +214,7 @@ export async function collectChannelSecurityFindings(params) {
             if (slashEnabled) {
                 const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
                 const groupPolicy = discordCfg.groupPolicy ?? defaultGroupPolicy ?? "allowlist";
-                const guildEntries = discordCfg.guilds ?? {};
+                const guildEntries = discordGuildEntries;
                 const guildsConfigured = Object.keys(guildEntries).length > 0;
                 const hasAnyUserAllowlist = Object.values(guildEntries).some((guild) => {
                     if (!guild || typeof guild !== "object") {
@@ -157,7 +238,6 @@ export async function collectChannelSecurityFindings(params) {
                 });
                 const dmAllowFromRaw = discordCfg.dm?.allowFrom;
                 const dmAllowFrom = Array.isArray(dmAllowFromRaw) ? dmAllowFromRaw : [];
-                const storeAllowFrom = await readChannelAllowFromStore("discord").catch(() => []);
                 const ownerAllowFromConfigured = normalizeAllowFromList([...dmAllowFrom, ...storeAllowFrom]).length > 0;
                 const useAccessGroups = params.cfg.commands?.useAccessGroups !== false;
                 if (!useAccessGroups &&