@poolzin/pool-bot 2026.2.25 → 2026.2.26

package/dist/web/auto-reply/monitor/process-message.js

@@ -1,17 +1,19 @@
 import { resolveIdentityNamePrefix } from "../../../agents/identity.js";
 import { resolveChunkMode, resolveTextChunkLimit } from "../../../auto-reply/chunk.js";
+import { shouldComputeCommandAuthorized } from "../../../auto-reply/command-detection.js";
 import { formatInboundEnvelope, resolveEnvelopeFormatOptions, } from "../../../auto-reply/envelope.js";
 import { buildHistoryContextFromEntries, } from "../../../auto-reply/reply/history.js";
-import { dispatchReplyWithBufferedBlockDispatcher } from "../../../auto-reply/reply/provider-dispatcher.js";
-import { shouldComputeCommandAuthorized } from "../../../auto-reply/command-detection.js";
 import { finalizeInboundContext } from "../../../auto-reply/reply/inbound-context.js";
+import { dispatchReplyWithBufferedBlockDispatcher } from "../../../auto-reply/reply/provider-dispatcher.js";
 import { toLocationContext } from "../../../channels/location.js";
-import { createReplyPrefixContext } from "../../../channels/reply-prefix.js";
-import { readSessionUpdatedAt, recordSessionMetaFromInbound, resolveStorePath, } from "../../../config/sessions.js";
+import { createReplyPrefixOptions } from "../../../channels/reply-prefix.js";
 import { resolveMarkdownTableMode } from "../../../config/markdown-tables.js";
+import { readSessionUpdatedAt, recordSessionMetaFromInbound, resolveStorePath, } from "../../../config/sessions.js";
 import { logVerbose, shouldLogVerbose } from "../../../globals.js";
+import { getAgentScopedMediaLocalRoots } from "../../../media/local-roots.js";
 import { readChannelAllowFromStore } from "../../../pairing/pairing-store.js";
 import { jidToE164, normalizeE164 } from "../../../utils.js";
+import { resolveWhatsAppAccount } from "../../accounts.js";
 import { newConnectionId } from "../../reconnect.js";
 import { formatError } from "../../session.js";
 import { deliverWebReply } from "../deliver-reply.js";
@@ -31,31 +33,39 @@ function normalizeAllowFromE164(values) {
 }
 async function resolveWhatsAppCommandAuthorized(params) {
     const useAccessGroups = params.cfg.commands?.useAccessGroups !== false;
-    if (!useAccessGroups)
+    if (!useAccessGroups) {
         return true;
+    }
     const isGroup = params.msg.chatType === "group";
     const senderE164 = normalizeE164(isGroup ? (params.msg.senderE164 ?? "") : (params.msg.senderE164 ?? params.msg.from ?? ""));
-    if (!senderE164)
+    if (!senderE164) {
         return false;
-    const configuredAllowFrom = params.cfg.channels?.whatsapp?.allowFrom ?? [];
-    const configuredGroupAllowFrom = params.cfg.channels?.whatsapp?.groupAllowFrom ??
-        (configuredAllowFrom.length > 0 ? configuredAllowFrom : undefined);
+    }
+    const account = resolveWhatsAppAccount({ cfg: params.cfg, accountId: params.msg.accountId });
+    const dmPolicy = account.dmPolicy ?? "pairing";
+    const configuredAllowFrom = account.allowFrom ?? [];
+    const configuredGroupAllowFrom = account.groupAllowFrom ?? (configuredAllowFrom.length > 0 ? configuredAllowFrom : undefined);
     if (isGroup) {
-        if (!configuredGroupAllowFrom || configuredGroupAllowFrom.length === 0)
+        if (!configuredGroupAllowFrom || configuredGroupAllowFrom.length === 0) {
             return false;
-        if (configuredGroupAllowFrom.some((v) => String(v).trim() === "*"))
+        }
+        if (configuredGroupAllowFrom.some((v) => String(v).trim() === "*")) {
             return true;
+        }
         return normalizeAllowFromE164(configuredGroupAllowFrom).includes(senderE164);
     }
-    const storeAllowFrom = await readChannelAllowFromStore("whatsapp").catch(() => []);
+    const storeAllowFrom = dmPolicy === "allowlist"
+        ? []
+        : await readChannelAllowFromStore("whatsapp", process.env, params.msg.accountId).catch(() => []);
     const combinedAllowFrom = Array.from(new Set([...(configuredAllowFrom ?? []), ...storeAllowFrom]));
     const allowFrom = combinedAllowFrom.length > 0
         ? combinedAllowFrom
         : params.msg.selfE164
             ? [params.msg.selfE164]
             : [];
-    if (allowFrom.some((v) => String(v).trim() === "*"))
+    if (allowFrom.some((v) => String(v).trim() === "*")) {
         return true;
+    }
     return normalizeAllowFromE164(allowFrom).includes(senderE164);
 }
 export async function processMessage(params) {
@@ -83,21 +93,17 @@ export async function processMessage(params) {
                 sender: m.sender,
                 body: m.body,
                 timestamp: m.timestamp,
-                messageId: m.id,
             }));
             combinedBody = buildHistoryContextFromEntries({
                 entries: historyEntries,
                 currentMessage: combinedBody,
                 excludeLast: false,
                 formatEntry: (entry) => {
-                    const bodyWithId = entry.messageId
-                        ? `${entry.body}\n[message_id: ${entry.messageId}]`
-                        : entry.body;
                     return formatInboundEnvelope({
                         channel: "WhatsApp",
                         from: conversationId,
                         timestamp: entry.timestamp,
-                        body: bodyWithId,
+                        body: entry.body,
                         chatType: "group",
                         senderLabel: entry.sender,
                         envelope: envelopeOptions,
@@ -147,11 +153,13 @@ export async function processMessage(params) {
     }
     const dmRouteTarget = params.msg.chatType !== "group"
         ? (() => {
-            if (params.msg.senderE164)
+            if (params.msg.senderE164) {
                 return normalizeE164(params.msg.senderE164);
+            }
             // In direct chats, `msg.from` is already the canonical conversation id.
-            if (params.msg.from.includes("@"))
+            if (params.msg.from.includes("@")) {
                 return jidToE164(params.msg.from);
+            }
             return normalizeE164(params.msg.from);
         })()
         : undefined;
@@ -162,25 +170,37 @@ export async function processMessage(params) {
         channel: "whatsapp",
         accountId: params.route.accountId,
     });
+    const mediaLocalRoots = getAgentScopedMediaLocalRoots(params.cfg, params.route.agentId);
     let didLogHeartbeatStrip = false;
     let didSendReply = false;
     const commandAuthorized = shouldComputeCommandAuthorized(params.msg.body, params.cfg)
         ? await resolveWhatsAppCommandAuthorized({ cfg: params.cfg, msg: params.msg })
         : undefined;
     const configuredResponsePrefix = params.cfg.messages?.responsePrefix;
-    const prefixContext = createReplyPrefixContext({
+    const { onModelSelected, ...prefixOptions } = createReplyPrefixOptions({
         cfg: params.cfg,
         agentId: params.route.agentId,
+        channel: "whatsapp",
+        accountId: params.route.accountId,
     });
     const isSelfChat = params.msg.chatType !== "group" &&
         Boolean(params.msg.selfE164) &&
         normalizeE164(params.msg.from) === normalizeE164(params.msg.selfE164 ?? "");
-    const responsePrefix = prefixContext.responsePrefix ??
+    const responsePrefix = prefixOptions.responsePrefix ??
         (configuredResponsePrefix === undefined && isSelfChat
             ? (resolveIdentityNamePrefix(params.cfg, params.route.agentId) ?? "[poolbot]")
             : undefined);
+    const inboundHistory = params.msg.chatType === "group"
+        ? (params.groupHistory ?? params.groupHistories.get(params.groupHistoryKey) ?? []).map((entry) => ({
+            sender: entry.sender,
+            body: entry.body,
+            timestamp: entry.timestamp,
+        }))
+        : undefined;
     const ctxPayload = finalizeInboundContext({
         Body: combinedBody,
+        BodyForAgent: params.msg.body,
+        InboundHistory: inboundHistory,
         RawBody: params.msg.body,
         CommandBody: params.msg.body,
         From: params.msg.from,
@@ -243,8 +263,8 @@ export async function processMessage(params) {
         cfg: params.cfg,
         replyResolver: params.replyResolver,
         dispatcherOptions: {
+            ...prefixOptions,
             responsePrefix,
-            responsePrefixContextProvider: prefixContext.responsePrefixContextProvider,
             onHeartbeatStrip: () => {
                 if (!didLogHeartbeatStrip) {
                     didLogHeartbeatStrip = true;
@@ -255,6 +275,7 @@ export async function processMessage(params) {
                 await deliverWebReply({
                     replyResult: payload,
                     msg: params.msg,
+                    mediaLocalRoots,
                     maxMediaBytes: params.maxMediaBytes,
                     textLimit,
                     chunkMode,
@@ -299,7 +320,7 @@ export async function processMessage(params) {
             disableBlockStreaming: typeof params.cfg.channels?.whatsapp?.blockStreaming === "boolean"
                 ? !params.cfg.channels.whatsapp.blockStreaming
                 : undefined,
-            onModelSelected: prefixContext.onModelSelected,
+            onModelSelected,
         },
     });
     if (!queuedFinal) {

package/dist/web/inbound/access-control.js

@@ -11,9 +11,11 @@ export async function checkInboundAccessControl(params) {
         cfg,
         accountId: params.accountId,
     });
-    const dmPolicy = cfg.channels?.whatsapp?.dmPolicy ?? "pairing";
+    const dmPolicy = account.dmPolicy ?? "pairing";
     const configuredAllowFrom = account.allowFrom;
-    const storeAllowFrom = await readChannelAllowFromStore("whatsapp").catch(() => []);
+    const storeAllowFrom = dmPolicy === "allowlist"
+        ? []
+        : await readChannelAllowFromStore("whatsapp", process.env, account.accountId).catch(() => []);
     // Without user config, default to self-only DM access so the owner can talk to themselves.
     const combinedAllowFrom = Array.from(new Set([...(configuredAllowFrom ?? []), ...storeAllowFrom]));
     const defaultAllowFrom = combinedAllowFrom.length === 0 && params.selfE164 ? [params.selfE164] : undefined;
@@ -107,6 +109,7 @@ export async function checkInboundAccessControl(params) {
                         const { code, created } = await upsertChannelPairingRequest({
                             channel: "whatsapp",
                             id: candidate,
+                            accountId: account.accountId,
                             meta: { name: (params.pushName ?? "").trim() || undefined },
                         });
                         if (created) {

package/dist/web/login-qr.js

@@ -34,20 +34,23 @@ function attachLoginWaiter(accountId, login) {
     login.waitPromise = waitForWaConnection(login.sock)
         .then(() => {
         const current = activeLogins.get(accountId);
-        if (current?.id === login.id)
+        if (current?.id === login.id) {
             current.connected = true;
+        }
     })
         .catch((err) => {
         const current = activeLogins.get(accountId);
-        if (current?.id !== login.id)
+        if (current?.id !== login.id) {
             return;
+        }
         current.error = formatError(err);
         current.errorStatus = getStatusCode(err);
     });
 }
 async function restartLoginSocket(login, runtime) {
-    if (login.restartAttempted)
+    if (login.restartAttempted) {
         return false;
+    }
     login.restartAttempted = true;
     runtime.log(info("WhatsApp asked for a restart after pairing (code 515); retrying connection once…"));
     closeSocket(login.sock);
@@ -103,12 +106,14 @@ export async function startWebLoginWithQr(opts = {}) {
         sock = await createWaSocket(false, Boolean(opts.verbose), {
             authDir: account.authDir,
             onQr: (qr) => {
-                if (pendingQr)
+                if (pendingQr) {
                     return;
+                }
                 pendingQr = qr;
                 const current = activeLogins.get(account.accountId);
-                if (current && !current.qr)
+                if (current && !current.qr) {
                     current.qr = qr;
+                }
                 clearTimeout(qrTimer);
                 runtime.log(info("WhatsApp QR received."));
                 resolveQr?.(qr);
@@ -135,8 +140,9 @@ export async function startWebLoginWithQr(opts = {}) {
         verbose: Boolean(opts.verbose),
     };
     activeLogins.set(account.accountId, login);
-    if (pendingQr && !login.qr)
+    if (pendingQr && !login.qr) {
         login.qr = pendingQr;
+    }
     attachLoginWaiter(account.accountId, login);
     let qr;
     try {

package/dist/web/media.js

@@ -2,15 +2,71 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import { logVerbose, shouldLogVerbose } from "../globals.js";
+import { SafeOpenError, readLocalFileSafely } from "../infra/fs-safe.js";
 import { maxBytesForKind, mediaKindFromMime } from "../media/constants.js";
-import { resolveUserPath } from "../utils.js";
 import { fetchRemoteMedia } from "../media/fetch.js";
-import { getDefaultMediaLocalRoots } from "../media/local-roots.js";
 import { convertHeicToJpeg, hasAlphaChannel, optimizeImageToPng, resizeToJpeg, } from "../media/image-ops.js";
+import { getDefaultMediaLocalRoots } from "../media/local-roots.js";
 import { detectMime, extensionForMime } from "../media/mime.js";
+import { resolveUserPath } from "../utils.js";
+export class LocalMediaAccessError extends Error {
+    code;
+    constructor(code, message, options) {
+        super(message, options);
+        this.code = code;
+        this.name = "LocalMediaAccessError";
+    }
+}
 export function getDefaultLocalRoots() {
     return getDefaultMediaLocalRoots();
 }
+async function assertLocalMediaAllowed(mediaPath, localRoots) {
+    if (localRoots === "any") {
+        return;
+    }
+    const roots = localRoots ?? getDefaultLocalRoots();
+    // Resolve symlinks so a symlink under /tmp pointing to /etc/passwd is caught.
+    let resolved;
+    try {
+        resolved = await fs.realpath(mediaPath);
+    }
+    catch {
+        resolved = path.resolve(mediaPath);
+    }
+    // Hardening: the default allowlist includes the Pool Bot temp dir, and tests/CI may
+    // override the state dir into tmp. Avoid accidentally allowing per-agent
+    // `workspace-*` state roots via the temp-root prefix match; require explicit
+    // localRoots for those.
+    if (localRoots === undefined) {
+        const workspaceRoot = roots.find((root) => path.basename(root) === "workspace");
+        if (workspaceRoot) {
+            const stateDir = path.dirname(workspaceRoot);
+            const rel = path.relative(stateDir, resolved);
+            if (rel && !rel.startsWith("..") && !path.isAbsolute(rel)) {
+                const firstSegment = rel.split(path.sep)[0] ?? "";
+                if (firstSegment.startsWith("workspace-")) {
+                    throw new LocalMediaAccessError("path-not-allowed", `Local media path is not under an allowed directory: ${mediaPath}`);
+                }
+            }
+        }
+    }
+    for (const root of roots) {
+        let resolvedRoot;
+        try {
+            resolvedRoot = await fs.realpath(root);
+        }
+        catch {
+            resolvedRoot = path.resolve(root);
+        }
+        if (resolvedRoot === path.parse(resolvedRoot).root) {
+            throw new LocalMediaAccessError("invalid-root", `Invalid localRoots entry (refuses filesystem root): ${root}. Pass a narrower directory.`);
+        }
+        if (resolved === resolvedRoot || resolved.startsWith(resolvedRoot + path.sep)) {
+            return;
+        }
+    }
+    throw new LocalMediaAccessError("path-not-allowed", `Local media path is not under an allowed directory: ${mediaPath}`);
+}
 const HEIC_MIME_RE = /^image\/hei[cf]$/i;
 const HEIC_EXT_RE = /\.(heic|heif)$/i;
 const MB = 1024 * 1024;
@@ -24,18 +80,22 @@ function formatCapReduce(label, cap, size) {
     return `${label} could not be reduced below ${formatMb(cap, 0)}MB (got ${formatMb(size)}MB)`;
 }
 function isHeicSource(opts) {
-    if (opts.contentType && HEIC_MIME_RE.test(opts.contentType.trim()))
+    if (opts.contentType && HEIC_MIME_RE.test(opts.contentType.trim())) {
         return true;
-    if (opts.fileName && HEIC_EXT_RE.test(opts.fileName.trim()))
+    }
+    if (opts.fileName && HEIC_EXT_RE.test(opts.fileName.trim())) {
         return true;
+    }
     return false;
 }
 function toJpegFileName(fileName) {
-    if (!fileName)
+    if (!fileName) {
         return undefined;
+    }
     const trimmed = fileName.trim();
-    if (!trimmed)
+    if (!trimmed) {
         return fileName;
+    }
     const parsed = path.parse(trimmed);
     if (!parsed.ext || HEIC_EXT_RE.test(parsed.ext)) {
         return path.format({ dir: parsed.dir, name: parsed.name || trimmed, ext: ".jpg" });
@@ -43,10 +103,12 @@ function toJpegFileName(fileName) {
     return path.format({ dir: parsed.dir, name: parsed.name, ext: ".jpg" });
 }
 function logOptimizedImage(params) {
-    if (!shouldLogVerbose())
+    if (!shouldLogVerbose()) {
         return;
-    if (params.optimized.optimizedSize >= params.originalSize)
+    }
+    if (params.optimized.optimizedSize >= params.originalSize) {
         return;
+    }
     if (params.optimized.format === "png") {
         logVerbose(`Optimized PNG (preserving alpha) from ${formatMb(params.originalSize)}MB to ${formatMb(params.optimized.optimizedSize)}MB (side≤${params.optimized.resizeSide}px)`);
         return;
@@ -70,14 +132,17 @@ async function optimizeImageWithFallback(params) {
     return { ...optimized, format: "jpeg" };
 }
 async function loadWebMediaInternal(mediaUrl, options = {}) {
-    const { maxBytes, optimizeImages = true } = options;
+    const { maxBytes, optimizeImages = true, ssrfPolicy, localRoots, sandboxValidated = false, readFile: readFileOverride, } = options;
+    // Strip MEDIA: prefix used by agent tools (e.g. TTS) to tag media paths.
+    // Be lenient: LLM output may add extra whitespace (e.g. "  MEDIA :  /tmp/x.png").
+    mediaUrl = mediaUrl.replace(/^\s*MEDIA\s*:\s*/i, "");
     // Use fileURLToPath for proper handling of file:// URLs (handles file://localhost/path, etc.)
     if (mediaUrl.startsWith("file://")) {
         try {
             mediaUrl = fileURLToPath(mediaUrl);
         }
         catch {
-            throw new Error(`Invalid file:// URL: ${mediaUrl}`);
+            throw new LocalMediaAccessError("invalid-file-url", `Invalid file:// URL: ${mediaUrl}`);
         }
     }
     const optimizeAndClampImage = async (buffer, cap, meta) => {
@@ -133,7 +198,15 @@ async function loadWebMediaInternal(mediaUrl, options = {}) {
         };
     };
     if (/^https?:\/\//i.test(mediaUrl)) {
-        const fetched = await fetchRemoteMedia({ url: mediaUrl });
+        // Enforce a download cap during fetch to avoid unbounded memory usage.
+        // For optimized images, allow fetching larger payloads before compression.
+        const defaultFetchCap = maxBytesForKind("unknown");
+        const fetchCap = maxBytes === undefined
+            ? defaultFetchCap
+            : optimizeImages
+                ? Math.max(maxBytes, defaultFetchCap)
+                : maxBytes;
+        const fetched = await fetchRemoteMedia({ url: mediaUrl, maxBytes: fetchCap, ssrfPolicy });
         const { buffer, contentType, fileName } = fetched;
         const kind = mediaKindFromMime(contentType);
         return await clampAndFinalize({ buffer, contentType, kind, fileName });
@@ -142,15 +215,45 @@ async function loadWebMediaInternal(mediaUrl, options = {}) {
     if (mediaUrl.startsWith("~")) {
         mediaUrl = resolveUserPath(mediaUrl);
     }
+    if ((sandboxValidated || localRoots === "any") && !readFileOverride) {
+        throw new LocalMediaAccessError("unsafe-bypass", "Refusing localRoots bypass without readFile override. Use sandboxValidated with readFile, or pass explicit localRoots.");
+    }
+    // Guard local reads against allowed directory roots to prevent file exfiltration.
+    if (!(sandboxValidated || localRoots === "any")) {
+        await assertLocalMediaAllowed(mediaUrl, localRoots);
+    }
     // Local path
-    const data = await fs.readFile(mediaUrl);
+    let data;
+    if (readFileOverride) {
+        data = await readFileOverride(mediaUrl);
+    }
+    else {
+        try {
+            data = (await readLocalFileSafely({ filePath: mediaUrl })).buffer;
+        }
+        catch (err) {
+            if (err instanceof SafeOpenError) {
+                if (err.code === "not-found") {
+                    throw new LocalMediaAccessError("not-found", `Local media file not found: ${mediaUrl}`, {
+                        cause: err,
+                    });
+                }
+                if (err.code === "not-file") {
+                    throw new LocalMediaAccessError("not-file", `Local media path is not a file: ${mediaUrl}`, { cause: err });
+                }
+                throw new LocalMediaAccessError("invalid-path", `Local media path is not safe to read: ${mediaUrl}`, { cause: err });
+            }
+            throw err;
+        }
+    }
     const mime = await detectMime({ buffer: data, filePath: mediaUrl });
     const kind = mediaKindFromMime(mime);
     let fileName = path.basename(mediaUrl) || undefined;
     if (fileName && !path.extname(fileName) && mime) {
         const ext = extensionForMime(mime);
-        if (ext)
+        if (ext) {
             fileName = `${fileName}${ext}`;
+        }
     }
     return await clampAndFinalize({
         buffer: data,
@@ -159,11 +262,13 @@ async function loadWebMediaInternal(mediaUrl, options = {}) {
         fileName,
     });
 }
-export async function loadWebMedia(mediaUrl, maxBytesOrOptions) {
+export async function loadWebMedia(mediaUrl, maxBytesOrOptions, options) {
     if (typeof maxBytesOrOptions === "number" || maxBytesOrOptions === undefined) {
         return await loadWebMediaInternal(mediaUrl, {
             maxBytes: maxBytesOrOptions,
             optimizeImages: true,
+            ssrfPolicy: options?.ssrfPolicy,
+            localRoots: options?.localRoots,
         });
     }
     return await loadWebMediaInternal(mediaUrl, {
@@ -171,11 +276,13 @@ export async function loadWebMedia(mediaUrl, maxBytesOrOptions) {
         optimizeImages: maxBytesOrOptions.optimizeImages ?? true,
     });
 }
-export async function loadWebMediaRaw(mediaUrl, maxBytesOrOptions) {
+export async function loadWebMediaRaw(mediaUrl, maxBytesOrOptions, options) {
     if (typeof maxBytesOrOptions === "number" || maxBytesOrOptions === undefined) {
         return await loadWebMediaInternal(mediaUrl, {
             maxBytes: maxBytesOrOptions,
             optimizeImages: false,
+            ssrfPolicy: options?.ssrfPolicy,
+            localRoots: options?.localRoots,
         });
     }
     return await loadWebMediaInternal(mediaUrl, {
@@ -191,7 +298,7 @@ export async function optimizeImageToJpeg(buffer, maxBytes, opts = {}) {
             source = await convertHeicToJpeg(buffer);
         }
         catch (err) {
-            throw new Error(`HEIC image conversion failed: ${String(err)}`);
+            throw new Error(`HEIC image conversion failed: ${String(err)}`, { cause: err });
         }
     }
     const sides = [2048, 1536, 1280, 1024, 800];