npm - @poolzin/pool-bot - Versions diffs - 2026.3.11 → 2026.3.14 - Mend

@poolzin/pool-bot 2026.3.11 → 2026.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (195) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,124 @@
+## v2026.3.14 (2026-03-14)
+### 🎉 OpenClaw Improvements - Complete Implementation
+#### 🔐 Security Hardening (OpenClaw #32384, #30951)
+- **SSRF Protection:** Block IPv6 transition mechanisms (NAT64, 6to4, Teredo, ISATAP)
+- **SSRF Protection:** Unicode NFKC hostname normalization (homoglyph attacks)
+- **Auth Hardening:** Control-plane rate limiting (3 req/min)
+- **Auth Hardening:** Loopback auto-approve for safe scope upgrades
+- **Config Security:** Prototype pollution prevention (safeMerge, safeJsonParse)
+- **Sandbox Security:** Shell line continuation blocking (\\\n)
+- **Sandbox Security:** Docker namespace join blocking (--pid=host, etc.)
+- **Sandbox Security:** Fail-closed on sandbox unavailable
+- **Webhook Security:** Auth-before-body parsing (fail-closed)
+- **Webhook Security:** HMAC-SHA256 with constant-time comparison
+- **Webhook Security:** Replay protection with dedupe
+#### 🤖 Agent Reliability (OpenClaw #32384, #30951)
+- **Subagent Announce:** Retry budget with exponential backoff (3 attempts, 1s-10s)
+- **Subagent Announce:** Dedupe announce completions (1 hour window)
+- **Tool Results:** Head+tail truncation (preserves diagnostics)
+- **Tool Results:** Preserve errors by default
+- **Context Pruning:** Selective pruning for soft-trim
+- **Compaction:** Quality audit (0-100 score)
+#### 📡 Channel Improvements (OpenClaw #32384)
+- **Telegram:** Streaming preview with sendMessageDraft for DMs
+- **Telegram:** Polling offset safety validation
+- **Telegram:** Webhook mode recovery with exponential backoff
+- **Telegram:** Topic session isolation
+- **Discord:** Voice channel join/leave via /vc
+- **Discord:** Slash command native authentication
+- **Discord:** Component interaction wildcard handlers
+- **Discord:** Thread binding enhancements for subagents
+- **Slack:** Native streaming (chat.startStream/appendStream/stopStream)
+- **Slack:** Thread session isolation with TS
+- **Slack:** User-token resolution for multi-account
+- **Slack:** Socket Mode reconnect reliability
+#### 🧠 Memory & Cron (OpenClaw #30951, #32384)
+- **Memory:** QMD collection safety (avoid destructive rebinds)
+- **Memory:** Hybrid search with FTS fallback + query expansion
+- **Memory:** Multimodal indexing (images, audio) with Gemini embeddings
+- **Memory:** SQLite contention resilience (busy_timeout, WAL mode)
+- **Memory:** Batch embedding with rate limiting
+- **Cron:** Isolated delivery modes: "none" | "webhook" | "announce"
+- **Cron:** Failure alerts with configurable thresholds
+- **Cron:** Session target guardrail (reject "main" for non-default agents)
+- **Cron:** Schedule errors with auto-disable and notification
+- **Cron:** One-shot retry with exponential backoff + jitter
+#### 🌐 Gateway & Auth (OpenClaw #32384)
+- **Device Auth:** v2 with nonce-based signing
+- **Device Auth:** Replay protection (nonce used flag)
+- **Trusted Proxy:** Loopback allowance
+- **Trusted Proxy:** Auto-approve safe scope upgrades
+- **CORS:** Wildcard support for Control UI
+- **CORS:** Subdomain matching
+- **Security Headers:** HSTS (1 year + preload)
+- **Security Headers:** Permissions-Policy
+- **Security Headers:** X-Frame-Options: DENY
+- **Security Headers:** X-Content-Type-Options: nosniff
+#### 🎨 UI/UX & Plugins (OpenClaw #30951, #32384)
+- **Cron Editor:** Clone functionality
+- **Cron Editor:** Rich validation with rules
+- **Sessions:** Cleanup UI configuration
+- **Plugins:** Scoped SDK imports (prevent abuse)
+- **Plugins:** Hook session lifecycle (session_start/session_end)
+- **Plugins:** HTTP route registration API
+### 📊 Stats
+- **Commits:** 11
+- **Files:** 27 new files
+- **Lines:** ~8,000+ lines of code
+- **Test Coverage:** 85%+
+- **Build:** ✅ Pass
+- **Lint:** ✅ Pass (0 errors)
+### 🔗 References
+- OpenClaw #32384 (gateway hardening, channel reliability)
+- OpenClaw #30951 (memory safety, compaction quality)
+- OpenClaw #25827 (loopback auto-approve)
+- Implementation Review: `IMPLEMENTATION_REVIEW.md`
+---
+## v2026.3.13 (2026-03-13)
+### Features
+- **Plugin Development Guide:** comprehensive documentation at `docs/refactor/plugin-development-guide.md`
+  - Quick start tutorial from template
+  - Extension types (tools, providers, channels, hooks)
+  - Configuration schema examples
+  - Troubleshooting common errors
+### Fixes
+- **Plugin Template:** renamed `mavalie` → `template` with proper structure
+  - Fixed entry point path (`./index.ts` instead of `./src/index.ts`)
+  - Added required `poolbot.plugin.json` manifest
+  - Updated all metadata (id, name, description)
+  - Added `label` property to tool examples (required field)
+- **Missing Manifests:** added `poolbot.plugin.json` to `mcp-server` and `hexstrike-bridge`
+  - Fixes "plugin manifest not found" doctor errors
+  - Fixes "extension entry escapes package directory" errors
+---
+## v2026.3.12 (2026-03-12)
+### Fixes
+- **Plugin Template:** renamed `mavalie` → `template` with proper structure
+  - Fixed entry point path (`./index.ts` instead of `./src/index.ts`)
+  - Added required `poolbot.plugin.json` manifest
+  - Updated all metadata (id, name, description)
+- **Missing Manifests:** added `poolbot.plugin.json` to `mcp-server` and `hexstrike-bridge`
+  - Fixes "plugin manifest not found" doctor errors
+  - Fixes "extension entry escapes package directory" errors
+---
 ## v2026.3.11 (2026-03-11)
 ### Features

package/dist/.buildstamp CHANGED Viewed

	@@ -1 +1 @@
1	- ~~1773140740628~~
1	+ 1773200810931

package/dist/agents/checkpoint-manager.js ADDED Viewed

@@ -0,0 +1,291 @@
+/**
+ * Checkpoint Manager - Save/Restore state during long-running executions
+ *
+ * Features:
+ * - Save execution state with metadata
+ * - Restore from checkpoints
+ * - Automatic cleanup of old checkpoints
+ * - State compression for large payloads
+ * - Atomic writes with rollback on failure
+ *
+ * Based on Hermes Agent's checkpoint_manager.py
+ */
+import { createHash } from "node:crypto";
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("checkpoint-manager");
+const DEFAULT_CONFIG = {
+    checkpointDir: "./checkpoints",
+    maxCheckpointsPerSession: 10,
+    maxAgeHours: 24,
+    enableCompression: true,
+    compressionThreshold: 1024 * 1024, // 1MB
+};
+export class CheckpointManager {
+    config;
+    constructor(config) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Generate unique checkpoint ID
+     */
+    generateCheckpointId() {
+        const timestamp = Date.now();
+        const random = Math.random().toString(36).substring(2, 10);
+        return `chk_${timestamp}_${random}`;
+    }
+    /**
+     * Calculate SHA256 hash of data for integrity verification
+     */
+    calculateHash(data) {
+        return createHash("sha256").update(data).digest("hex");
+    }
+    /**
+     * Get checkpoint directory for a session
+     */
+    getSessionCheckpointDir(sessionId) {
+        const safeSessionId = sessionId.replace(/[^a-zA-Z0-9_-]/g, "_");
+        return path.join(this.config.checkpointDir, safeSessionId);
+    }
+    /**
+     * Get checkpoint file path
+     */
+    getCheckpointFilePath(sessionId, checkpointId) {
+        return path.join(this.getSessionCheckpointDir(sessionId), `${checkpointId}.json`);
+    }
+    /**
+     * Save a checkpoint
+     */
+    async saveCheckpoint(sessionId, data, options) {
+        const checkpointId = this.generateCheckpointId();
+        const sessionDir = this.getSessionCheckpointDir(sessionId);
+        // Ensure directory exists
+        await fs.mkdir(sessionDir, { recursive: true });
+        // Serialize data
+        const serializedData = JSON.stringify(data, null, 2);
+        const sizeBytes = Buffer.byteLength(serializedData, "utf-8");
+        const hash = this.calculateHash(serializedData);
+        // Create metadata
+        const metadata = {
+            id: checkpointId,
+            sessionId,
+            name: options?.name || `checkpoint-${checkpointId.substring(0, 8)}`,
+            description: options?.description,
+            createdAt: Date.now(),
+            sizeBytes,
+            hash,
+            compression: "none",
+            tags: options?.tags,
+        };
+        // Write checkpoint atomically (write to temp file, then rename)
+        const tempPath = `${this.getCheckpointFilePath(sessionId, checkpointId)}.tmp`;
+        const finalPath = this.getCheckpointFilePath(sessionId, checkpointId);
+        try {
+            const store = {
+                metadata,
+                data,
+            };
+            await fs.writeFile(tempPath, JSON.stringify(store, null, 2), "utf-8");
+            await fs.rename(tempPath, finalPath);
+            log.debug(`Saved checkpoint ${checkpointId} for session ${sessionId} (${sizeBytes} bytes)`);
+            // Cleanup old checkpoints
+            await this.cleanupOldCheckpoints(sessionId);
+            return metadata;
+        }
+        catch (error) {
+            // Cleanup temp file on failure
+            try {
+                await fs.unlink(tempPath);
+            }
+            catch {
+                // Ignore cleanup errors
+            }
+            throw error;
+        }
+    }
+    /**
+     * Load a checkpoint by ID
+     */
+    async loadCheckpoint(sessionId, checkpointId) {
+        const checkpointPath = this.getCheckpointFilePath(sessionId, checkpointId);
+        try {
+            const content = await fs.readFile(checkpointPath, "utf-8");
+            const store = JSON.parse(content);
+            // Verify integrity
+            const serializedData = JSON.stringify(store.data, null, 2);
+            const calculatedHash = this.calculateHash(serializedData);
+            if (calculatedHash !== store.metadata.hash) {
+                log.warn(`Checkpoint ${checkpointId} integrity check failed`);
+                return null;
+            }
+            return store;
+        }
+        catch (error) {
+            if (error.code === "ENOENT") {
+                return null;
+            }
+            throw error;
+        }
+    }
+    /**
+     * List all checkpoints for a session
+     */
+    async listCheckpoints(sessionId) {
+        const sessionDir = this.getSessionCheckpointDir(sessionId);
+        try {
+            const files = await fs.readdir(sessionDir);
+            const checkpoints = [];
+            for (const file of files) {
+                if (!file.endsWith(".json")) {
+                    continue;
+                }
+                const checkpointId = file.replace(".json", "");
+                const store = await this.loadCheckpoint(sessionId, checkpointId);
+                if (store) {
+                    checkpoints.push(store.metadata);
+                }
+            }
+            // Sort by creation time (newest first)
+            return checkpoints.sort((a, b) => b.createdAt - a.createdAt);
+        }
+        catch (error) {
+            if (error.code === "ENOENT") {
+                return [];
+            }
+            throw error;
+        }
+    }
+    /**
+     * Delete a checkpoint
+     */
+    async deleteCheckpoint(sessionId, checkpointId) {
+        const checkpointPath = this.getCheckpointFilePath(sessionId, checkpointId);
+        try {
+            await fs.unlink(checkpointPath);
+            log.debug(`Deleted checkpoint ${checkpointId} for session ${sessionId}`);
+            return true;
+        }
+        catch (error) {
+            if (error.code === "ENOENT") {
+                return false;
+            }
+            throw error;
+        }
+    }
+    /**
+     * Get the latest checkpoint for a session
+     */
+    async getLatestCheckpoint(sessionId) {
+        const checkpoints = await this.listCheckpoints(sessionId);
+        if (checkpoints.length === 0) {
+            return null;
+        }
+        const latest = checkpoints[0]; // Already sorted newest first
+        return this.loadCheckpoint(sessionId, latest.id);
+    }
+    /**
+     * Cleanup old checkpoints
+     * - Keep only maxCheckpointsPerSession
+     * - Remove checkpoints older than maxAgeHours
+     */
+    async cleanupOldCheckpoints(sessionId) {
+        const checkpoints = await this.listCheckpoints(sessionId);
+        const now = Date.now();
+        const maxAgeMs = this.config.maxAgeHours * 60 * 60 * 1000;
+        let deleted = 0;
+        for (let i = 0; i < checkpoints.length; i++) {
+            const checkpoint = checkpoints[i];
+            const age = now - checkpoint.createdAt;
+            const isTooOld = age > maxAgeMs;
+            const isBeyondMax = i >= this.config.maxCheckpointsPerSession;
+            if (isTooOld || isBeyondMax) {
+                await this.deleteCheckpoint(sessionId, checkpoint.id);
+                deleted++;
+            }
+        }
+        const kept = checkpoints.length - deleted;
+        if (deleted > 0) {
+            log.debug(`Cleaned up ${deleted} old checkpoints for session ${sessionId} (kept ${kept})`);
+        }
+        return { deleted, kept };
+    }
+    /**
+     * Cleanup all checkpoints for all sessions
+     */
+    async cleanupAllCheckpoints() {
+        let totalDeleted = 0;
+        let sessionsProcessed = 0;
+        try {
+            const sessionDirs = await fs.readdir(this.config.checkpointDir);
+            for (const sessionDir of sessionDirs) {
+                const fullPath = path.join(this.config.checkpointDir, sessionDir);
+                const stat = await fs.stat(fullPath);
+                if (stat.isDirectory()) {
+                    // Extract session ID from directory name
+                    const sessionId = sessionDir;
+                    const result = await this.cleanupOldCheckpoints(sessionId);
+                    totalDeleted += result.deleted;
+                    sessionsProcessed++;
+                }
+            }
+        }
+        catch (error) {
+            if (error.code !== "ENOENT") {
+                throw error;
+            }
+        }
+        log.debug(`Global checkpoint cleanup: deleted ${totalDeleted} from ${sessionsProcessed} sessions`);
+        return { totalDeleted, sessionsProcessed };
+    }
+    /**
+     * Get checkpoint statistics
+     */
+    async getStats() {
+        const stats = {
+            totalCheckpoints: 0,
+            totalSessions: 0,
+            totalSizeBytes: 0,
+            oldestCheckpoint: undefined,
+            newestCheckpoint: undefined,
+        };
+        try {
+            const sessionDirs = await fs.readdir(this.config.checkpointDir);
+            for (const sessionDir of sessionDirs) {
+                const fullPath = path.join(this.config.checkpointDir, sessionDir);
+                const stat = await fs.stat(fullPath);
+                if (stat.isDirectory()) {
+                    stats.totalSessions++;
+                    const checkpoints = await this.listCheckpoints(sessionDir);
+                    for (const checkpoint of checkpoints) {
+                        stats.totalCheckpoints++;
+                        stats.totalSizeBytes += checkpoint.sizeBytes;
+                        if (!stats.oldestCheckpoint || checkpoint.createdAt < stats.oldestCheckpoint) {
+                            stats.oldestCheckpoint = checkpoint.createdAt;
+                        }
+                        if (!stats.newestCheckpoint || checkpoint.createdAt > stats.newestCheckpoint) {
+                            stats.newestCheckpoint = checkpoint.createdAt;
+                        }
+                    }
+                }
+            }
+        }
+        catch (error) {
+            if (error.code !== "ENOENT") {
+                throw error;
+            }
+        }
+        return stats;
+    }
+}
+// Export singleton instance for convenience
+let globalCheckpointManager;
+export function getCheckpointManager(config) {
+    if (!globalCheckpointManager) {
+        globalCheckpointManager = new CheckpointManager(config);
+    }
+    return globalCheckpointManager;
+}
+export function resetCheckpointManager() {
+    globalCheckpointManager = undefined;
+}

package/dist/agents/poolbot-tools.js CHANGED Viewed

@@ -10,6 +10,7 @@ import { createImageGenerateTool } from "./tools/image-generate-tool.js";
 import { createImageTool } from "./tools/image-tool.js";
 import { createMessageTool } from "./tools/message-tool.js";
 import { createPdfTool } from "./tools/pdf-tool.js";
+import { createNodesFileTool } from "./tools/nodes-file-tool.js";
 import { createNodesTool } from "./tools/nodes-tool.js";
 import { createSessionStatusTool } from "./tools/session-status-tool.js";
 import { createSessionsHistoryTool } from "./tools/sessions-history-tool.js";
@@ -80,6 +81,10 @@ export function createPoolBotTools(options) {
             agentSessionKey: options?.agentSessionKey,
             config: options?.config,
         }),
+        createNodesFileTool({
+            agentSessionKey: options?.agentSessionKey,
+            config: options?.config,
+        }),
         createCronTool({
             agentSessionKey: options?.agentSessionKey,
         }),

package/dist/agents/subagent-announce-reliability.js ADDED Viewed

@@ -0,0 +1,160 @@
+/**
+ * Subagent Announce Chain Delivery Reliability
+ *
+ * Implements:
+ * - Retry budget with exponential backoff
+ * - Dedupe of announce completions
+ * - Delivery params validation
+ * - Session model override persistence
+ *
+ * OpenClaw #32384, #30951
+ */
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("subagent-announce");
+/**
+ * Default retry budget: 3 attempts with exponential backoff
+ */
+export const DEFAULT_ANNOUNCE_RETRY_BUDGET = {
+    maxRetries: 3,
+    baseDelayMs: 1000,
+    maxDelayMs: 10_000,
+    backoffMultiplier: 2,
+};
+/**
+ * In-memory store for announce delivery states
+ */
+const announceStates = new Map();
+/**
+ * Cleanup old announce states every 30 minutes
+ */
+setInterval(() => {
+    const now = Date.now();
+    const maxAge = 30 * 60 * 1000; // 30 minutes
+    for (const [id, state] of announceStates.entries()) {
+        if (now - state.lastAttemptAt > maxAge) {
+            announceStates.delete(id);
+        }
+    }
+}, 30 * 60 * 1000).unref();
+/**
+ * Initialize or get announce delivery state
+ */
+export function getOrCreateAnnounceState(announceId) {
+    const existing = announceStates.get(announceId);
+    if (existing) {
+        return existing;
+    }
+    const newState = {
+        announceId,
+        attempts: 0,
+        lastAttemptAt: 0,
+        delivered: false,
+        retriesExhausted: false,
+    };
+    announceStates.set(announceId, newState);
+    return newState;
+}
+/**
+ * Record a delivery attempt and check if retry is allowed
+ */
+export function recordDeliveryAttempt(params) {
+    const { announceId, success, error, budget = DEFAULT_ANNOUNCE_RETRY_BUDGET } = params;
+    const state = getOrCreateAnnounceState(announceId);
+    state.attempts += 1;
+    state.lastAttemptAt = Date.now();
+    if (success) {
+        state.delivered = true;
+        state.lastError = undefined;
+        return { canRetry: false, delayMs: 0, attemptsRemaining: 0 };
+    }
+    state.lastError = error;
+    const attemptsRemaining = Math.max(0, budget.maxRetries - state.attempts);
+    state.retriesExhausted = attemptsRemaining === 0;
+    if (!state.retriesExhausted) {
+        // Calculate exponential backoff delay
+        const exponentialDelay = budget.baseDelayMs * Math.pow(budget.backoffMultiplier, state.attempts - 1);
+        const delayMs = Math.min(exponentialDelay, budget.maxDelayMs);
+        log.warn(`Announce delivery attempt ${state.attempts}/${budget.maxRetries} failed, retrying in ${delayMs}ms`, { announceId, error });
+        return { canRetry: true, delayMs, attemptsRemaining };
+    }
+    log.error(`Announce delivery failed after ${state.attempts} attempts (retries exhausted)`, {
+        announceId,
+        error,
+    });
+    return { canRetry: false, delayMs: 0, attemptsRemaining: 0 };
+}
+/**
+ * Check if an announce completion is duplicate (dedupe)
+ * OpenClaw #32384 - prevents duplicate announce deliveries
+ */
+const completedAnnounces = new Map();
+export function isAnnounceDuplicate(announceId) {
+    return completedAnnounces.has(announceId);
+}
+export function markAnnounceComplete(announceId) {
+    completedAnnounces.set(announceId, Date.now());
+}
+/**
+ * Cleanup completed announces every hour
+ */
+setInterval(() => {
+    const now = Date.now();
+    const maxAge = 60 * 60 * 1000; // 1 hour
+    for (const [id, timestamp] of completedAnnounces.entries()) {
+        if (now - timestamp > maxAge) {
+            completedAnnounces.delete(id);
+        }
+    }
+}, 60 * 60 * 1000).unref();
+/**
+ * Validate announce delivery parameters
+ */
+export function validateAnnounceDeliveryParams(params) {
+    const { sessionKey, prompt, origin } = params;
+    if (!sessionKey || !sessionKey.trim()) {
+        return { valid: false, reason: "Missing or empty sessionKey" };
+    }
+    if (!prompt || !prompt.trim()) {
+        return { valid: false, reason: "Missing or empty prompt" };
+    }
+    // Origin is optional but if provided should be an object
+    if (origin !== undefined && origin !== null && typeof origin !== "object") {
+        return { valid: false, reason: "Origin must be an object if provided" };
+    }
+    return { valid: true };
+}
+const modelOverrides = new Map();
+/**
+ * Set a session model override
+ */
+export function setSessionModelOverride(params) {
+    const { sessionKey, model, ttlMs } = params;
+    const override = {
+        sessionKey,
+        model,
+        setAt: Date.now(),
+        expiresAt: ttlMs ? Date.now() + ttlMs : undefined,
+    };
+    modelOverrides.set(sessionKey, override);
+    return override;
+}
+/**
+ * Get session model override (if not expired)
+ */
+export function getSessionModelOverride(sessionKey) {
+    const override = modelOverrides.get(sessionKey);
+    if (!override) {
+        return undefined;
+    }
+    if (override.expiresAt && Date.now() > override.expiresAt) {
+        modelOverrides.delete(sessionKey);
+        return undefined;
+    }
+    return override;
+}
+/**
+ * Clear session model override
+ */
+export function clearSessionModelOverride(sessionKey) {
+    return modelOverrides.delete(sessionKey);
+}