npm - @poolzin/pool-bot - Versions diffs - 2026.3.13 → 2026.3.15 - Mend

@poolzin/pool-bot 2026.3.13 → 2026.3.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (186) hide show

package/dist/cron/cron-improvements.js ADDED Viewed

@@ -0,0 +1,195 @@
+/**
+ * Cron Improvements
+ *
+ * Implements OpenClaw improvements:
+ * - Isolated delivery with delivery.mode: "none" | "webhook" | "announce"
+ * - Failure alerts configurable (thresholds, cooldowns)
+ * - Session target guardrail (reject sessionTarget: "main" for non-default agents)
+ * - Schedule errors with auto-disable and notification
+ * - One-shot retry with backoff configurable
+ *
+ * OpenClaw #32384, #30951
+ */
+export const DEFAULT_CRON_DELIVERY_CONFIG = {
+    mode: "none", // Default to no delivery (silent)
+    timeoutMs: 30_000, // 30 seconds
+    retryOnFailure: true,
+    maxRetries: 3,
+    retryDelayMs: 5000,
+};
+export const DEFAULT_CRON_FAILURE_ALERT_CONFIG = {
+    enabled: true,
+    failureThreshold: 3, // Alert after 3 consecutive failures
+    cooldownMs: 60 * 60 * 1000, // 1 hour cooldown
+    channels: ["log"], // Default to log only
+    includeErrorDetails: true,
+    includeJobMetadata: true,
+};
+const cronJobFailureStates = new Map();
+/**
+ * Get or create cron job failure state
+ */
+export function getOrCreateCronJobFailureState(jobId) {
+    const existing = cronJobFailureStates.get(jobId);
+    if (existing) {
+        return existing;
+    }
+    const newState = {
+        consecutiveFailures: 0,
+        alertSuppressed: false,
+    };
+    cronJobFailureStates.set(jobId, newState);
+    return newState;
+}
+/**
+ * Record cron job failure and check if alert should be triggered
+ */
+export function recordCronJobFailure(params) {
+    const { jobId, error, config } = params;
+    const state = getOrCreateCronJobFailureState(jobId);
+    state.consecutiveFailures += 1;
+    state.lastFailureAt = Date.now();
+    state.lastError = error;
+    if (!config.enabled) {
+        return { shouldAlert: false, suppressed: false };
+    }
+    // Check cooldown
+    const now = Date.now();
+    if (state.lastAlertAt && now - state.lastAlertAt < config.cooldownMs) {
+        state.alertSuppressed = true;
+        return { shouldAlert: false, suppressed: true };
+    }
+    // Check threshold
+    if (state.consecutiveFailures < config.failureThreshold) {
+        return { shouldAlert: false, suppressed: false };
+    }
+    state.alertSuppressed = false;
+    state.lastAlertAt = now;
+    return { shouldAlert: true, suppressed: false };
+}
+/**
+ * Record cron job success (resets failure count)
+ */
+export function recordCronJobSuccess(jobId) {
+    const state = cronJobFailureStates.get(jobId);
+    if (state) {
+        state.consecutiveFailures = 0;
+        state.alertSuppressed = false;
+    }
+}
+export const DEFAULT_SESSION_TARGET_GUARDRAIL_CONFIG = {
+    enabled: true,
+    rejectMainForNonDefault: true,
+    allowExplicitOverride: true,
+    warnOnly: false,
+};
+/**
+ * Validate session target for cron job
+ */
+export function validateSessionTarget(params) {
+    const { agentId, sessionTarget, defaultAgentId, config } = params;
+    if (!config.enabled) {
+        return { valid: true };
+    }
+    // Check if targeting "main" for non-default agent
+    if (config.rejectMainForNonDefault && sessionTarget === "main" && agentId !== defaultAgentId) {
+        const reason = `Cannot use sessionTarget "main" for non-default agent "${agentId}"`;
+        const suggestion = `Use explicit session key or target default agent "${defaultAgentId}"`;
+        if (config.warnOnly) {
+            // Log warning but allow
+            return { valid: true };
+        }
+        return { valid: false, reason, suggestion };
+    }
+    return { valid: true };
+}
+export const DEFAULT_SCHEDULE_ERROR_CONFIG = {
+    enabled: true,
+    autoDisableAfterErrors: 5,
+    errorWindowMs: 60 * 60 * 1000, // 1 hour window
+    notifyOnDisable: true,
+    notificationChannels: ["log"],
+};
+const scheduleErrorStates = new Map();
+/**
+ * Get or create schedule error state
+ */
+export function getOrCreateScheduleErrorState(scheduleId) {
+    const existing = scheduleErrorStates.get(scheduleId);
+    if (existing) {
+        return existing;
+    }
+    const newState = {
+        errorTimestamps: [],
+        disabled: false,
+    };
+    scheduleErrorStates.set(scheduleId, newState);
+    return newState;
+}
+/**
+ * Record schedule error and check if auto-disable should trigger
+ */
+export function recordScheduleError(params) {
+    const { scheduleId, error: _error, config } = params;
+    const state = getOrCreateScheduleErrorState(scheduleId);
+    if (state.disabled) {
+        return { shouldDisable: false, shouldNotify: false };
+    }
+    const now = Date.now();
+    // Clean old errors outside window
+    state.errorTimestamps = state.errorTimestamps.filter((ts) => now - ts < config.errorWindowMs);
+    // Add new error
+    state.errorTimestamps.push(now);
+    if (!config.enabled) {
+        return { shouldDisable: false, shouldNotify: false };
+    }
+    // Check if should auto-disable
+    if (state.errorTimestamps.length >= config.autoDisableAfterErrors) {
+        state.disabled = true;
+        state.disabledAt = now;
+        state.disableReason = `Auto-disabled after ${state.errorTimestamps.length} errors in ${config.errorWindowMs / 1000}s`;
+        return { shouldDisable: true, shouldNotify: config.notifyOnDisable };
+    }
+    return { shouldDisable: false, shouldNotify: false };
+}
+/**
+ * Reset schedule error state (manual re-enable)
+ */
+export function resetScheduleErrorState(scheduleId) {
+    const state = scheduleErrorStates.get(scheduleId);
+    if (state) {
+        state.errorTimestamps = [];
+        state.disabled = false;
+        state.disabledAt = undefined;
+        state.disableReason = undefined;
+    }
+}
+export const DEFAULT_ONESHOT_RETRY_CONFIG = {
+    enabled: true,
+    maxRetries: 3,
+    baseDelayMs: 1000,
+    maxDelayMs: 60_000, // 1 minute
+    backoffMultiplier: 2,
+    jitterFactor: 0.1, // 10% jitter
+};
+/**
+ * Calculate retry delay with exponential backoff and jitter
+ */
+export function calculateRetryDelay(attempt, config = DEFAULT_ONESHOT_RETRY_CONFIG) {
+    if (!config.enabled || attempt >= config.maxRetries) {
+        return 0;
+    }
+    // Exponential backoff
+    const exponentialDelay = config.baseDelayMs * Math.pow(config.backoffMultiplier, attempt);
+    // Cap at max delay
+    const cappedDelay = Math.min(exponentialDelay, config.maxDelayMs);
+    // Add jitter
+    const jitter = cappedDelay * config.jitterFactor * (Math.random() * 2 - 1);
+    return Math.max(0, Math.floor(cappedDelay + jitter));
+}
+/**
+ * Check if retry is allowed
+ */
+export function canRetry(attempt, config = DEFAULT_ONESHOT_RETRY_CONFIG) {
+    return config.enabled && attempt < config.maxRetries;
+}

package/dist/discord/discord-improvements.js ADDED Viewed

@@ -0,0 +1,167 @@
+/**
+ * Discord Channel Improvements
+ *
+ * Implements OpenClaw improvements:
+ * - Thread-bound subagent sessions (enhanced)
+ * - Status reactions configuráveis
+ * - Voice channel join/leave via /vc
+ * - Native slash command auth
+ * - Component interactions with wildcard handlers
+ *
+ * OpenClaw #32384, #30951
+ */
+export const DEFAULT_VOICE_CHANNEL_CONFIG = {
+    enabled: true,
+    autoJoin: false,
+    autoLeaveAfterSilenceMs: 5 * 60 * 1000, // 5 minutes
+    maxChannelsPerGuild: 5,
+    enableTts: false,
+};
+const voiceChannelSessions = new Map();
+/**
+ * Get or create voice channel session
+ */
+export function getOrCreateVoiceChannelSession(params) {
+    const { channelId, guildId, ttsEnabled = false } = params;
+    const key = `${guildId}:${channelId}`;
+    const existing = voiceChannelSessions.get(key);
+    if (existing) {
+        return existing;
+    }
+    const session = {
+        channelId,
+        guildId,
+        joinedAt: Date.now(),
+        lastActivityAt: Date.now(),
+        ttsEnabled,
+    };
+    voiceChannelSessions.set(key, session);
+    return session;
+}
+/**
+ * Update voice channel session activity
+ */
+export function updateVoiceChannelActivity(channelId, guildId) {
+    const key = `${guildId}:${channelId}`;
+    const session = voiceChannelSessions.get(key);
+    if (session) {
+        session.lastActivityAt = Date.now();
+    }
+}
+/**
+ * Remove voice channel session
+ */
+export function removeVoiceChannelSession(channelId, guildId) {
+    const key = `${guildId}:${channelId}`;
+    return voiceChannelSessions.delete(key);
+}
+/**
+ * Check for stale voice channel sessions
+ */
+export function getStaleVoiceChannelSessions(config = DEFAULT_VOICE_CHANNEL_CONFIG) {
+    const now = Date.now();
+    const stale = [];
+    for (const session of voiceChannelSessions.values()) {
+        if (now - session.lastActivityAt > config.autoLeaveAfterSilenceMs) {
+            stale.push(session);
+        }
+    }
+    return stale;
+}
+export const DEFAULT_SLASH_COMMAND_AUTH_CONFIG = {
+    enabled: true,
+    requireAuthForAll: false,
+    protectedCommands: ["admin", "config", "pair", "auth"],
+    allowLoopback: true,
+    authTimeoutMs: 5 * 60 * 1000, // 5 minutes
+};
+/**
+ * Check if a slash command requires authentication
+ */
+export function isSlashCommandProtected(commandName, config = DEFAULT_SLASH_COMMAND_AUTH_CONFIG) {
+    if (!config.enabled) {
+        return false;
+    }
+    if (config.requireAuthForAll) {
+        return true;
+    }
+    return config.protectedCommands.includes(commandName.toLowerCase());
+}
+export const DEFAULT_COMPONENT_INTERACTION_CONFIG = {
+    enabled: true,
+    wildcardPatterns: ["action:*", "button:*", "select:*", "modal:*"],
+    rateLimitPerMinute: 60,
+    responseTimeoutMs: 3000, // Discord requires response within 3 seconds
+};
+/**
+ * Match custom ID against wildcard patterns
+ */
+export function matchWildcardPattern(customId, config = DEFAULT_COMPONENT_INTERACTION_CONFIG) {
+    if (!config.enabled) {
+        return null;
+    }
+    for (const pattern of config.wildcardPatterns) {
+        // Convert wildcard pattern to regex
+        // * matches any characters except :
+        const regexPattern = pattern.replace(/\*/g, "[^:]*");
+        const regex = new RegExp(`^${regexPattern}$`);
+        if (regex.test(customId)) {
+            return pattern;
+        }
+    }
+    return null;
+}
+/**
+ * Component interaction rate limiting
+ */
+const interactionCounts = new Map();
+/**
+ * Check if component interaction is rate limited
+ */
+export function checkComponentInteractionRateLimit(userId, config = DEFAULT_COMPONENT_INTERACTION_CONFIG) {
+    const now = Date.now();
+    const windowMs = 60_000; // 1 minute
+    const timestamps = interactionCounts.get(userId) ?? [];
+    const recentTimestamps = timestamps.filter((ts) => now - ts < windowMs);
+    if (recentTimestamps.length >= config.rateLimitPerMinute) {
+        const oldestTimestamp = recentTimestamps[0];
+        const retryAfterMs = windowMs - (now - oldestTimestamp);
+        return { allowed: false, retryAfterMs };
+    }
+    recentTimestamps.push(now);
+    interactionCounts.set(userId, recentTimestamps);
+    return { allowed: true };
+}
+export const DEFAULT_THREAD_BINDING_ENHANCEMENT = {
+    autoBindSubagents: true,
+    threadTtlMs: 60 * 60 * 1000, // 1 hour
+    autoUnbindOnSessionEnd: true,
+    maxThreadsPerSession: 10,
+};
+export const DEFAULT_DISCORD_STATUS_REACTION_CONFIG = {
+    enabled: true,
+    showInThreads: true,
+    showInChannels: false, // Don't spam channels by default
+    useEmojiReactions: true,
+    useEmbedStatus: false,
+    emojis: {
+        queued: "👀",
+        thinking: "🤔",
+        tool: "⚡",
+        coding: "👨‍💻",
+        web: "🌐",
+        done: "✅",
+        error: "❌",
+        stallSoft: "⏳",
+        stallHard: "⚠️",
+    },
+};
+/**
+ * Get status reaction emoji for a given status
+ */
+export function getStatusReactionEmoji(status, config = DEFAULT_DISCORD_STATUS_REACTION_CONFIG) {
+    if (!config.enabled) {
+        return null;
+    }
+    return config.emojis[status.toLowerCase()] ?? null;
+}

package/dist/gateway/auth-rate-limit.js CHANGED Viewed

@@ -26,6 +26,12 @@ const DEFAULT_MAX_ATTEMPTS = 10;
 const DEFAULT_WINDOW_MS = 60_000; // 1 minute
 const DEFAULT_LOCKOUT_MS = 300_000; // 5 minutes
 const PRUNE_INTERVAL_MS = 60_000; // prune stale entries every minute
+// Control-plane rate limiting: 3 requests per minute per device+IP
+// OpenClaw #32384 - prevents abuse of control-plane endpoints
+export const CONTROL_PLANE_MAX_ATTEMPTS = 3;
+export const CONTROL_PLANE_WINDOW_MS = 60_000; // 1 minute
+export const CONTROL_PLANE_LOCKOUT_MS = 300_000; // 5 minutes
+export const AUTH_RATE_LIMIT_SCOPE_CONTROL_PLANE = "control-plane";
 // ---------------------------------------------------------------------------
 // Implementation
 // ---------------------------------------------------------------------------
@@ -134,3 +140,16 @@ export function createAuthRateLimiter(config) {
     }
     return { check, recordFailure, reset, size, prune, dispose };
 }
+/**
+ * Create a rate limiter specifically for control-plane operations.
+ * Uses stricter limits (3 req/min) to prevent abuse of sensitive endpoints.
+ * OpenClaw #32384
+ */
+export function createControlPlaneRateLimiter() {
+    return createAuthRateLimiter({
+        maxAttempts: CONTROL_PLANE_MAX_ATTEMPTS,
+        windowMs: CONTROL_PLANE_WINDOW_MS,
+        lockoutMs: CONTROL_PLANE_LOCKOUT_MS,
+        exemptLoopback: true, // Always exempt loopback for local development
+    });
+}

package/dist/gateway/auth.js CHANGED Viewed

@@ -222,6 +222,47 @@ function authorizeTrustedProxy(params) {
 function shouldAllowTailscaleHeaderAuth(authSurface) {
     return authSurface === "ws-control-ui";
 }
+/**
+ * Check if a request is from loopback (localhost) for auto-approve scenarios.
+ * OpenClaw #32384 - loopback requests get auto-approved for pairing scope upgrades.
+ */
+export function isLoopbackRequest(req) {
+    if (!req?.socket?.remoteAddress) {
+        return false;
+    }
+    return isLoopbackAddress(req.socket.remoteAddress);
+}
+/**
+ * Auto-approve scope upgrades for loopback requests.
+ * This allows tokenless local development while maintaining security for remote requests.
+ * OpenClaw #32384
+ */
+export function shouldAutoApproveScopeUpgrade(params) {
+    const { req, requestedScopes, currentScopes } = params;
+    // Only auto-approve for loopback requests
+    if (!isLoopbackRequest(req)) {
+        return false;
+    }
+    // Check if requested scopes are strictly greater than current scopes
+    const currentSet = new Set(currentScopes.map((s) => s.trim().toLowerCase()));
+    const newScopes = requestedScopes.filter((s) => !currentSet.has(s.trim().toLowerCase()));
+    // Auto-approve if all new scopes are "safe" (non-destructive operations)
+    const safeScopes = new Set([
+        "read",
+        "read:config",
+        "read:status",
+        "write",
+        "write:config",
+        "execute",
+        "execute:tool",
+    ]);
+    return newScopes.every((scope) => {
+        const normalized = scope.trim().toLowerCase();
+        return (safeScopes.has(normalized) ||
+            normalized.startsWith("read:") ||
+            normalized.startsWith("execute:"));
+    });
+}
 export async function authorizeGatewayConnect(params) {
     const { auth, connectAuth, req, trustedProxies } = params;
     const tailscaleWhois = params.tailscaleWhois ?? readTailscaleWhoisIdentity;