@poolzin/pool-bot 2026.2.8 → 2026.2.10

package/CHANGELOG.md

@@ -1,3 +1,22 @@
+## v2026.2.10 (2026-02-16)
+
+### Fixes
+- Reduce default exec tool timeout from 1800s (30 min) to 120s (2 min) — prevents bot from silently hanging on stuck bash commands; per-call timeout param and config `tools.exec.timeoutSec` still override; new env vars `POOLBOT_EXEC_TIMEOUT_SEC` / `CLAWDBOT_EXEC_TIMEOUT_SEC` for further control
+
+---
+
+## v2026.2.9 (2026-02-15)
+
+### Improvements
+- Security audit hardening: warn on missing auth rate limiting for non-loopback gateways, flag dangerous HTTP tool allow-lists
+- Embedding input limits: new helpers to split oversized text chunks before sending to embedding providers
+- Updated default local embedding model to `embeddinggemma-300m-qat-Q8_0` (quantization-aware trained variant)
+
+### Cleanup
+- Removed 6 dead code files (836 lines) from upstream port f494b78 — ollama-stream, tool-policy-pipeline, tool-mutation, compaction-safety-timeout, compaction-timeout, wait-for-idle-before-flush
+
+---
+
 ## v2026.2.8 (2026-02-15)
 
 ### Features

package/dist/agents/bash-tools.exec.js

@@ -58,6 +58,11 @@ function validateHostEnv(env) {
 const DEFAULT_MAX_OUTPUT = clampNumber(readEnvInt("PI_BASH_MAX_OUTPUT_CHARS"), 200_000, 1_000, 200_000);
 const DEFAULT_PENDING_MAX_OUTPUT = clampNumber(readEnvInt("POOLBOT_BASH_PENDING_MAX_OUTPUT_CHARS") ??
     readEnvInt("CLAWDBOT_BASH_PENDING_MAX_OUTPUT_CHARS"), 200_000, 1_000, 200_000);
+// Default exec timeout: 120s is generous for typical commands (grep, cat, ls, build).
+// The AI can still pass a per-call `timeout` for intentionally long operations,
+// and users can override via config (`tools.exec.timeoutSec`) or env var.
+// Previous default (1800s / 30 min) caused the bot to hang silently on stuck commands.
+const DEFAULT_EXEC_TIMEOUT_SEC = clampNumber(readEnvInt("POOLBOT_EXEC_TIMEOUT_SEC") ?? readEnvInt("CLAWDBOT_EXEC_TIMEOUT_SEC"), 120, 1, 86_400);
 const DEFAULT_PATH = process.env.PATH ?? "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
 const DEFAULT_NOTIFY_TAIL_CHARS = 400;
 const DEFAULT_APPROVAL_TIMEOUT_MS = 120_000;
@@ -73,7 +78,7 @@ const execSchema = Type.Object({
     })),
     background: Type.Optional(Type.Boolean({ description: "Run in background immediately" })),
     timeout: Type.Optional(Type.Number({
-        description: "Timeout in seconds (optional, kills process on expiry)",
+        description: "Timeout in seconds (default 120, kills process on expiry). Set higher for long builds/downloads.",
     })),
     pty: Type.Optional(Type.Boolean({
         description: "Run in a pseudo-terminal (PTY) when available (TTY-required CLIs, coding agents)",
@@ -559,7 +564,7 @@ export function createExecTool(defaults) {
     const allowBackground = defaults?.allowBackground ?? true;
     const defaultTimeoutSec = typeof defaults?.timeoutSec === "number" && defaults.timeoutSec > 0
         ? defaults.timeoutSec
-        : 1800;
+        : DEFAULT_EXEC_TIMEOUT_SEC;
     const defaultPathPrepend = normalizePathPrepend(defaults?.pathPrepend);
     const safeBins = resolveSafeBins(defaults?.safeBins);
     const notifyOnExit = defaults?.notifyOnExit !== false;

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "2026.2.8",
-  "commit": "4f7a76b8949932fd105f49e6b89efd93bc69d3cc",
-  "builtAt": "2026-02-15T16:46:23.867Z"
+  "version": "2026.2.10",
+  "commit": "e66cd57a7cc2217c8fa111edab895a49da8dc5e0",
+  "builtAt": "2026-02-16T05:50:01.218Z"
 }

package/dist/memory/embedding-chunk-limits.js

@@ -0,0 +1,22 @@
+import { estimateUtf8Bytes, splitTextToUtf8ByteLimit } from "./embedding-input-limits.js";
+import { resolveEmbeddingMaxInputTokens } from "./embedding-model-limits.js";
+import { hashText } from "./internal.js";
+export function enforceEmbeddingMaxInputTokens(provider, chunks) {
+    const maxInputTokens = resolveEmbeddingMaxInputTokens(provider);
+    const out = [];
+    for (const chunk of chunks) {
+        if (estimateUtf8Bytes(chunk.text) <= maxInputTokens) {
+            out.push(chunk);
+            continue;
+        }
+        for (const text of splitTextToUtf8ByteLimit(chunk.text, maxInputTokens)) {
+            out.push({
+                startLine: chunk.startLine,
+                endLine: chunk.endLine,
+                text,
+                hash: hashText(text),
+            });
+        }
+    }
+    return out;
+}

package/dist/memory/embedding-input-limits.js

@@ -0,0 +1,56 @@
+// Helpers for enforcing embedding model input size limits.
+//
+// We use UTF-8 byte length as a conservative upper bound for tokenizer output.
+// Tokenizers operate over bytes; a token must contain at least one byte, so
+// token_count <= utf8_byte_length.
+export function estimateUtf8Bytes(text) {
+    if (!text) {
+        return 0;
+    }
+    return Buffer.byteLength(text, "utf8");
+}
+export function splitTextToUtf8ByteLimit(text, maxUtf8Bytes) {
+    if (maxUtf8Bytes <= 0) {
+        return [text];
+    }
+    if (estimateUtf8Bytes(text) <= maxUtf8Bytes) {
+        return [text];
+    }
+    const parts = [];
+    let cursor = 0;
+    while (cursor < text.length) {
+        let low = cursor + 1;
+        let high = Math.min(text.length, cursor + maxUtf8Bytes);
+        let best = cursor;
+        while (low <= high) {
+            const mid = Math.floor((low + high) / 2);
+            const bytes = estimateUtf8Bytes(text.slice(cursor, mid));
+            if (bytes <= maxUtf8Bytes) {
+                best = mid;
+                low = mid + 1;
+            }
+            else {
+                high = mid - 1;
+            }
+        }
+        if (best <= cursor) {
+            best = Math.min(text.length, cursor + 1);
+        }
+        // Avoid splitting inside a surrogate pair.
+        if (best < text.length &&
+            best > cursor &&
+            text.charCodeAt(best - 1) >= 0xd800 &&
+            text.charCodeAt(best - 1) <= 0xdbff &&
+            text.charCodeAt(best) >= 0xdc00 &&
+            text.charCodeAt(best) <= 0xdfff) {
+            best -= 1;
+        }
+        const part = text.slice(cursor, best);
+        if (!part) {
+            break;
+        }
+        parts.push(part);
+        cursor = best;
+    }
+    return parts;
+}

package/dist/memory/embedding-model-limits.js

@@ -0,0 +1,24 @@
+const DEFAULT_EMBEDDING_MAX_INPUT_TOKENS = 8192;
+const KNOWN_EMBEDDING_MAX_INPUT_TOKENS = {
+    "openai:text-embedding-3-small": 8192,
+    "openai:text-embedding-3-large": 8192,
+    "openai:text-embedding-ada-002": 8191,
+    "gemini:text-embedding-004": 2048,
+    "voyage:voyage-3": 32000,
+    "voyage:voyage-3-lite": 16000,
+    "voyage:voyage-code-3": 32000,
+};
+export function resolveEmbeddingMaxInputTokens(provider) {
+    if (typeof provider.maxInputTokens === "number") {
+        return provider.maxInputTokens;
+    }
+    const key = `${provider.id}:${provider.model}`.toLowerCase();
+    const known = KNOWN_EMBEDDING_MAX_INPUT_TOKENS[key];
+    if (typeof known === "number") {
+        return known;
+    }
+    if (provider.id.toLowerCase() === "gemini") {
+        return 2048;
+    }
+    return DEFAULT_EMBEDDING_MAX_INPUT_TOKENS;
+}

package/dist/memory/embeddings.js

@@ -13,7 +13,7 @@ function sanitizeAndNormalizeEmbedding(vec) {
     }
     return sanitized.map((value) => value / magnitude);
 }
-const DEFAULT_LOCAL_MODEL = "hf:ggml-org/embeddinggemma-300M-GGUF/embeddinggemma-300M-Q8_0.gguf";
+export const DEFAULT_LOCAL_MODEL = "hf:ggml-org/embeddinggemma-300m-qat-q8_0-GGUF/embeddinggemma-300m-qat-Q8_0.gguf";
 function canAutoSelectLocal(options) {
     const modelPath = options.local?.modelPath?.trim();
     if (!modelPath) {

package/dist/security/audit.js

@@ -6,6 +6,7 @@ import { resolveGatewayAuth } from "../gateway/auth.js";
 import { formatCliCommand } from "../cli/command-format.js";
 import { buildGatewayConnectionDetails } from "../gateway/call.js";
 import { probeGateway } from "../gateway/probe.js";
+import { DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools.js";
 import { collectAttackSurfaceSummaryFindings, collectExposureMatrixFindings, collectHooksHardeningFindings, collectIncludeFilePermFindings, collectModelHygieneFindings, collectSmallModelRiskFindings, collectPluginsTrustFindings, collectSecretsInConfigFindings, collectStateDeepFilesystemFindings, collectSyncedFolderFindings, readConfigSnapshotForAudit, } from "./audit-extra.js";
 import { readChannelAllowFromStore } from "../pairing/pairing-store.js";
 import { resolveNativeCommandsEnabled, resolveNativeSkillsEnabled } from "../config/commands.js";
@@ -182,6 +183,26 @@ function collectGatewayConfigFindings(cfg, env) {
     const hasSharedSecret = (auth.mode === "token" && hasToken) || (auth.mode === "password" && hasPassword);
     const hasTailscaleAuth = auth.allowTailscale === true && tailscaleMode === "serve";
     const hasGatewayAuth = hasSharedSecret || hasTailscaleAuth;
+    // HTTP /tools/invoke: warn if operators re-enable dangerous tools over HTTP
+    const gatewayCfgAny = cfg.gateway;
+    const toolsCfg = gatewayCfgAny?.tools;
+    const gatewayToolsAllowRaw = Array.isArray(toolsCfg?.allow) ? toolsCfg.allow : [];
+    const gatewayToolsAllow = new Set(gatewayToolsAllowRaw
+        .map((v) => (typeof v === "string" ? v.trim().toLowerCase() : ""))
+        .filter(Boolean));
+    const reenabledOverHttp = DEFAULT_GATEWAY_HTTP_TOOL_DENY.filter((name) => gatewayToolsAllow.has(name));
+    if (reenabledOverHttp.length > 0) {
+        const extraRisk = bind !== "loopback" || tailscaleMode === "funnel";
+        findings.push({
+            checkId: "gateway.tools_invoke_http.dangerous_allow",
+            severity: extraRisk ? "critical" : "warn",
+            title: "Gateway HTTP /tools/invoke re-enables dangerous tools",
+            detail: `gateway.tools.allow includes ${reenabledOverHttp.join(", ")} which removes them from the default HTTP deny list. ` +
+                "This can allow remote session spawning / control-plane actions via HTTP and increases RCE blast radius if the gateway is reachable.",
+            remediation: "Remove these entries from gateway.tools.allow (recommended). " +
+                "If you keep them enabled, keep gateway.bind loopback-only (or tailnet-only), restrict network exposure, and treat the gateway token/password as full-admin.",
+        });
+    }
     if (bind !== "loopback" && !hasSharedSecret) {
         findings.push({
             checkId: "gateway.bind_no_auth",
@@ -256,6 +277,17 @@ function collectGatewayConfigFindings(cfg, env) {
             detail: `gateway auth token is ${token.length} chars; prefer a long random token.`,
         });
     }
+    const authCfgAny = cfg.gateway?.auth;
+    if (bind !== "loopback" && !authCfgAny?.rateLimit) {
+        findings.push({
+            checkId: "gateway.auth_no_rate_limit",
+            severity: "warn",
+            title: "No auth rate limiting configured",
+            detail: "gateway.bind is not loopback but no gateway.auth.rateLimit is configured. " +
+                "Without rate limiting, brute-force auth attacks are not mitigated.",
+            remediation: "Set gateway.auth.rateLimit (e.g. { maxAttempts: 10, windowMs: 60000, lockoutMs: 300000 }).",
+        });
+    }
     return findings;
 }
 function collectBrowserControlFindings(cfg) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poolzin/pool-bot",
-  "version": "2026.2.8",
+  "version": "2026.2.10",
   "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
   "keywords": [],
   "license": "MIT",