@poolzin/pool-bot 2026.3.22 → 2026.3.24

package/dist/control-ui/index.html

@@ -6,7 +6,7 @@
     <title>Poolbot Control</title>
     <meta name="color-scheme" content="dark light" />
     <link rel="icon" href="./favicon.ico" sizes="any" />
-    <script type="module" crossorigin src="./assets/index-Dvkl4Xlx.js"></script>
+    <script type="module" crossorigin src="./assets/index-D7shnQwQ.js"></script>
     <link rel="stylesheet" crossorigin href="./assets/index-CSfXd2LO.css">
   </head>
   <body>

package/dist/cron/cron-filters.js

@@ -0,0 +1,150 @@
+/**
+ * Advanced Cron Filters
+ * Filter cron jobs by channel, user, session, and other criteria
+ */
+/**
+ * Check if a cron job matches a filter
+ */
+export function matchesFilter(job, filter) {
+    if (!filter.enabled) {
+        return true; // Disabled filters don't block
+    }
+    const criteria = filter.criteria;
+    // Channel filters
+    if (criteria.channelId && job.channelId !== criteria.channelId) {
+        return false;
+    }
+    if (criteria.channelIds && !criteria.channelIds.includes(job.channelId || "")) {
+        return false;
+    }
+    if (criteria.channelType) {
+        // Would need channel type from job metadata
+        const jobType = job.metadata?.channelType || "";
+        if (jobType !== criteria.channelType) {
+            return false;
+        }
+    }
+    // User filters
+    if (criteria.userId && job.userId !== criteria.userId) {
+        return false;
+    }
+    if (criteria.userIds && !criteria.userIds.includes(job.userId || "")) {
+        return false;
+    }
+    if (criteria.userRole) {
+        const jobRole = job.metadata?.userRole || "";
+        if (jobRole !== criteria.userRole) {
+            return false;
+        }
+    }
+    // Session filters
+    if (criteria.sessionId && job.sessionId !== criteria.sessionId) {
+        return false;
+    }
+    if (criteria.sessionIds && !criteria.sessionIds.includes(job.sessionId || "")) {
+        return false;
+    }
+    if (criteria.sessionMode) {
+        const jobMode = job.metadata?.sessionMode || "normal";
+        if (jobMode !== criteria.sessionMode) {
+            return false;
+        }
+    }
+    // Agent filters
+    if (criteria.agentId && job.agentId !== criteria.agentId) {
+        return false;
+    }
+    if (criteria.agentIds && !criteria.agentIds.includes(job.agentId || "")) {
+        return false;
+    }
+    // Custom filters
+    if (criteria.custom) {
+        for (const [key, value] of Object.entries(criteria.custom)) {
+            const jobValue = job.metadata?.[key];
+            if (jobValue !== value) {
+                return false;
+            }
+        }
+    }
+    return true;
+}
+/**
+ * Filter cron jobs by multiple filters
+ */
+export function filterCronJobs(jobs, filters) {
+    return jobs.filter((job) => {
+        // Job must match ALL enabled filters
+        for (const filter of filters) {
+            if (!matchesFilter(job, filter)) {
+                return false;
+            }
+        }
+        return true;
+    });
+}
+/**
+ * Create a new cron filter
+ */
+export function createCronFilter(type, criteria, enabled = true) {
+    return {
+        id: `filter_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+        type,
+        enabled,
+        criteria,
+        createdAt: Date.now(),
+    };
+}
+/**
+ * Update an existing cron filter
+ */
+export function updateCronFilter(filter, updates) {
+    return {
+        ...filter,
+        ...updates,
+        updatedAt: Date.now(),
+    };
+}
+/**
+ * Validate a cron filter
+ */
+export function validateCronFilter(filter) {
+    const errors = [];
+    // Check required fields
+    if (!filter.id) {
+        errors.push("Filter ID is required");
+    }
+    if (!filter.type) {
+        errors.push("Filter type is required");
+    }
+    if (!["channel", "user", "session", "agent", "custom"].includes(filter.type)) {
+        errors.push(`Invalid filter type: ${filter.type}`);
+    }
+    // Check criteria based on type
+    if (filter.type === "channel" && !filter.criteria.channelId && !filter.criteria.channelIds) {
+        errors.push("Channel filter requires channelId or channelIds");
+    }
+    if (filter.type === "user" && !filter.criteria.userId && !filter.criteria.userIds) {
+        errors.push("User filter requires userId or userIds");
+    }
+    if (filter.type === "session" && !filter.criteria.sessionId && !filter.criteria.sessionIds) {
+        errors.push("Session filter requires sessionId or sessionIds");
+    }
+    return {
+        valid: errors.length === 0,
+        errors,
+    };
+}
+/**
+ * Get filter statistics
+ */
+export function getFilterStats(filters) {
+    return {
+        total: filters.length,
+        enabled: filters.filter((f) => f.enabled).length,
+        disabled: filters.filter((f) => !f.enabled).length,
+        byType: filters.reduce((acc, f) => {
+            acc[f.type] = (acc[f.type] || 0) + 1;
+            return acc;
+        }, {}),
+    };
+}

package/dist/cron/heartbeat-policy.js

@@ -0,0 +1,26 @@
+import { stripHeartbeatToken } from "../auto-reply/heartbeat.js";
+export function shouldSkipHeartbeatOnlyDelivery(payloads, ackMaxChars) {
+    if (payloads.length === 0) {
+        return true;
+    }
+    const hasAnyMedia = payloads.some((payload) => (payload.mediaUrls?.length ?? 0) > 0 || Boolean(payload.mediaUrl));
+    if (hasAnyMedia) {
+        return false;
+    }
+    return payloads.some((payload) => {
+        const result = stripHeartbeatToken(payload.text, {
+            mode: "heartbeat",
+            maxAckChars: ackMaxChars,
+        });
+        return result.shouldSkip;
+    });
+}
+export function shouldEnqueueCronMainSummary(params) {
+    const summaryText = params.summaryText?.trim();
+    return Boolean(summaryText &&
+        params.isCronSystemEvent(summaryText) &&
+        params.deliveryRequested &&
+        !params.delivered &&
+        params.deliveryAttempted !== true &&
+        !params.suppressMainSummary);
+}

package/dist/gateway/device-pairing-security.js

@@ -0,0 +1,197 @@
+/**
+ * Device Pairing Security Hardening
+ *
+ * Security fixes for device pairing:
+ * - Single-use bootstrap setup codes
+ * - Short-lived bootstrap tokens
+ * - Fail-closed for reused tokens
+ */
+import crypto from "node:crypto";
+const DEFAULT_EXPIRY_MS = 5 * 60 * 1000; // 5 minutes
+const CLEANUP_INTERVAL_MS = 60 * 1000; // 1 minute
+/**
+ * Generate a secure single-use setup code
+ *
+ * Format: XXXX-YYYY (8 chars, 2 groups for readability)
+ * Entropy: ~36 bits (sufficient for short-lived codes)
+ */
+export function generateSetupCode() {
+    const bytes = crypto.randomBytes(4);
+    const part1 = bytes.readUInt16BE(0) % 10000;
+    const part2 = bytes.readUInt16BE(2) % 10000;
+    return `${part1.toString().padStart(4, '0')}-${part2.toString().padStart(4, '0')}`;
+}
+/**
+ * Create a new single-use bootstrap token
+ */
+export function createBootstrapToken(params) {
+    const expiryMs = params?.expiryMs ?? DEFAULT_EXPIRY_MS;
+    const purpose = params?.purpose ?? "pairing";
+    const now = Date.now();
+    return {
+        id: crypto.randomUUID(),
+        code: generateSetupCode(),
+        createdAt: now,
+        expiresAt: now + expiryMs,
+        used: false,
+        purpose,
+    };
+}
+/**
+ * Initialize bootstrap token store with automatic cleanup
+ */
+export function createBootstrapTokenStore() {
+    const store = {
+        tokens: new Map(),
+    };
+    // Start automatic cleanup
+    store.cleanupInterval = setInterval(() => {
+        cleanupExpiredTokens(store);
+    }, CLEANUP_INTERVAL_MS);
+    // Cleanup on process exit
+    process.on("exit", () => {
+        if (store.cleanupInterval) {
+            clearInterval(store.cleanupInterval);
+        }
+    });
+    return store;
+}
+/**
+ * Add a bootstrap token to the store
+ */
+export function addBootstrapToken(store, token) {
+    store.tokens.set(token.id, token);
+}
+/**
+ * Validate and consume a bootstrap token (single-use)
+ *
+ * Returns true if token is valid and was consumed, false otherwise
+ * Marks token as used to prevent reuse
+ */
+export function validateAndConsumeBootstrapToken(params) {
+    const { store, tokenId, deviceId } = params;
+    const token = store.tokens.get(tokenId);
+    if (!token) {
+        return false;
+    }
+    const now = Date.now();
+    // Check if already used (single-use enforcement)
+    if (token.used) {
+        return false;
+    }
+    // Check if expired
+    if (now > token.expiresAt) {
+        // Remove expired token
+        store.tokens.delete(tokenId);
+        return false;
+    }
+    // Mark as used
+    token.used = true;
+    token.usedAt = now;
+    token.deviceId = deviceId; // Store for audit trail (marked as _deviceId to satisfy linter)
+    const _deviceId = deviceId; // Keep for future audit log expansion
+    return true;
+}
+/**
+ * Validate a bootstrap token without consuming it (for status checks)
+ */
+export function validateBootstrapToken(params) {
+    const { store, tokenId } = params;
+    const token = store.tokens.get(tokenId);
+    if (!token) {
+        return { valid: false, reason: "token_not_found" };
+    }
+    const now = Date.now();
+    if (token.used) {
+        return { valid: false, reason: "token_already_used" };
+    }
+    if (now > token.expiresAt) {
+        return { valid: false, reason: "token_expired" };
+    }
+    return { valid: true };
+}
+/**
+ * Remove a bootstrap token from the store
+ */
+export function removeBootstrapToken(store, tokenId) {
+    return store.tokens.delete(tokenId);
+}
+/**
+ * Cleanup expired and used tokens
+ */
+export function cleanupExpiredTokens(store) {
+    const now = Date.now();
+    let removed = 0;
+    for (const [tokenId, token] of store.tokens.entries()) {
+        // Remove if expired or used (single-use tokens are one-time only)
+        if (now > token.expiresAt || token.used) {
+            store.tokens.delete(tokenId);
+            removed++;
+        }
+    }
+    return removed;
+}
+/**
+ * Get statistics about bootstrap tokens
+ */
+export function getBootstrapTokenStats(store) {
+    const now = Date.now();
+    let unused = 0;
+    let used = 0;
+    let expired = 0;
+    for (const token of store.tokens.values()) {
+        if (token.used) {
+            used++;
+        }
+        else if (now > token.expiresAt) {
+            expired++;
+        }
+        else {
+            unused++;
+        }
+    }
+    return {
+        total: store.tokens.size,
+        unused,
+        used,
+        expired,
+    };
+}
+/**
+ * Create a secure device pairing session
+ */
+export function createSecureDevicePairing(store) {
+    const token = createBootstrapToken({
+        expiryMs: DEFAULT_EXPIRY_MS,
+        purpose: "pairing",
+    });
+    addBootstrapToken(store, token);
+    return {
+        setupCode: token.code,
+        tokenId: token.id,
+        expiresAt: token.expiresAt,
+        isSingleUse: true,
+        securityLevel: "high",
+    };
+}
+/**
+ * Validate device pairing request with security checks
+ */
+export function validateDevicePairingRequest(params) {
+    const { store, tokenId, deviceId, setupCode } = params;
+    // First validate the token
+    const tokenValidation = validateBootstrapToken({ store, tokenId });
+    if (!tokenValidation.valid) {
+        return tokenValidation;
+    }
+    // Get the token and verify setup code
+    const token = store.tokens.get(tokenId);
+    if (!token) {
+        return { valid: false, reason: "token_not_found" };
+    }
+    // Verify setup code matches
+    if (token.code !== setupCode) {
+        return { valid: false, reason: "setup_code_mismatch" };
+    }
+    return { valid: true };
+}

package/dist/gateway/event-deduplication.js

@@ -0,0 +1,167 @@
+/**
+ * Event Deduplication Layer
+ *
+ * Prevents duplicate event processing within a configurable time window.
+ * Uses LRU-style eviction to prevent memory leaks.
+ */
+export class EventDeduplicator {
+    seen = new Map();
+    TTL_MS;
+    MAX_SIZE;
+    cleanupInterval = null;
+    constructor(options) {
+        this.TTL_MS = options?.ttlMs ?? 5000; // 5 segundos default
+        this.MAX_SIZE = options?.maxSize ?? 10000;
+        if (options?.autoCleanup !== false) {
+            this.startCleanupInterval();
+        }
+    }
+    /**
+     * Check if event is duplicate and mark as seen
+     * @param eventId - Unique event identifier
+     * @returns true if duplicate (seen within TTL), false if new
+     */
+    isDuplicate(eventId) {
+        const now = Date.now();
+        const existing = this.seen.get(eventId);
+        if (existing && now - existing.timestamp < this.TTL_MS) {
+            existing.count++;
+            return true;
+        }
+        // Evict oldest if at capacity
+        if (this.seen.size >= this.MAX_SIZE) {
+            this.evictOldest();
+        }
+        this.seen.set(eventId, { timestamp: now, count: 1 });
+        return false;
+    }
+    /**
+     * Check if event was seen without marking it
+     */
+    hasSeen(eventId) {
+        const existing = this.seen.get(eventId);
+        if (!existing)
+            return false;
+        return Date.now() - existing.timestamp < this.TTL_MS;
+    }
+    /**
+     * Get duplicate count for an event
+     */
+    getDuplicateCount(eventId) {
+        const existing = this.seen.get(eventId);
+        return existing?.count ?? 0;
+    }
+    /**
+     * Clear specific event from seen set
+     */
+    clear(eventId) {
+        this.seen.delete(eventId);
+    }
+    /**
+     * Clear all seen events
+     */
+    clearAll() {
+        this.seen.clear();
+    }
+    /**
+     * Get statistics about deduplication
+     */
+    getStats() {
+        let duplicates = 0;
+        let oldest = null;
+        for (const event of this.seen.values()) {
+            if (event.count > 1) {
+                duplicates += event.count - 1;
+            }
+            if (!oldest || event.timestamp < oldest) {
+                oldest = event.timestamp;
+            }
+        }
+        return {
+            totalEvents: this.seen.size,
+            oldestEvent: oldest,
+            duplicates,
+        };
+    }
+    /**
+     * Cleanup expired events
+     */
+    cleanup() {
+        const now = Date.now();
+        let removed = 0;
+        for (const [eventId, event] of this.seen.entries()) {
+            if (now - event.timestamp > this.TTL_MS) {
+                this.seen.delete(eventId);
+                removed++;
+            }
+        }
+        return removed;
+    }
+    /**
+     * Get count of active events being tracked
+     */
+    get activeEventCount() {
+        return this.seen.size;
+    }
+    /**
+     * Destroy deduplicator and stop cleanup interval
+     */
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+        this.clearAll();
+    }
+    startCleanupInterval() {
+        // Cleanup a cada 1/4 do TTL
+        const cleanupIntervalMs = Math.max(1000, this.TTL_MS / 4);
+        this.cleanupInterval = setInterval(() => {
+            this.cleanup();
+        }, cleanupIntervalMs);
+        // Unref para não impedir o processo de sair
+        this.cleanupInterval.unref();
+    }
+    evictOldest() {
+        let oldestId = null;
+        let oldestTime = Infinity;
+        for (const [eventId, event] of this.seen.entries()) {
+            if (event.timestamp < oldestTime) {
+                oldestTime = event.timestamp;
+                oldestId = eventId;
+            }
+        }
+        if (oldestId) {
+            this.seen.delete(oldestId);
+        }
+    }
+}
+/**
+ * Generate unique event ID for deduplication
+ */
+export function generateEventId(params) {
+    const { type, sessionId, runId, payload } = params;
+    const parts = [type];
+    if (sessionId)
+        parts.push(sessionId);
+    if (runId)
+        parts.push(runId);
+    // Include payload hash if available
+    if (payload) {
+        const hash = quickHash(JSON.stringify(payload));
+        parts.push(hash.toString());
+    }
+    return parts.join(":");
+}
+/**
+ * Quick hash function for strings (not cryptographically secure)
+ */
+function quickHash(str) {
+    let hash = 0;
+    for (let i = 0; i < str.length; i++) {
+        const char = str.charCodeAt(i);
+        hash = (hash << 5) - hash + char;
+        hash = hash & hash; // Convert to 32bit integer
+    }
+    return Math.abs(hash);
+}

package/dist/gateway/hooks-mapping.js

@@ -1,6 +1,7 @@
+import fs from "node:fs";
 import path from "node:path";
-import { pathToFileURL } from "node:url";
 import { CONFIG_PATH } from "../config/config.js";
+import { importFileModule, resolveFunctionModuleExport } from "../hooks/module-loader.js";
 const hookPresetMappings = {
     gmail: [
         {
@@ -204,15 +205,18 @@ async function loadTransform(transform) {
     if (cached) {
         return cached;
     }
-    const url = pathToFileURL(transform.modulePath).href;
-    const mod = (await import(url));
+    const mod = await importFileModule({ modulePath: transform.modulePath });
     const fn = resolveTransformFn(mod, transform.exportName);
     transformCache.set(cacheKey, fn);
     return fn;
 }
 function resolveTransformFn(mod, exportName) {
-    const candidate = exportName ? mod[exportName] : (mod.default ?? mod.transform);
-    if (typeof candidate !== "function") {
+    const candidate = resolveFunctionModuleExport({
+        mod,
+        exportName,
+        fallbackExportNames: ["default", "transform"],
+    });
+    if (!candidate) {
         throw new Error("hook transform module must export a function");
     }
     return candidate;
@@ -223,6 +227,32 @@ function resolvePath(baseDir, target) {
     }
     return path.isAbsolute(target) ? path.resolve(target) : path.resolve(baseDir, target);
 }
+function escapesBase(baseDir, candidate) {
+    const relative = path.relative(baseDir, candidate);
+    return relative === ".." || relative.startsWith(`..${path.sep}`) || path.isAbsolute(relative);
+}
+function safeRealpathSync(candidate) {
+    try {
+        const nativeRealpath = fs.realpathSync.native;
+        return nativeRealpath ? nativeRealpath(candidate) : fs.realpathSync(candidate);
+    }
+    catch {
+        return null;
+    }
+}
+function resolveExistingAncestor(candidate) {
+    let current = path.resolve(candidate);
+    while (true) {
+        if (fs.existsSync(current)) {
+            return current;
+        }
+        const parent = path.dirname(current);
+        if (parent === current) {
+            return null;
+        }
+        current = parent;
+    }
+}
 function resolveContainedPath(baseDir, target, label) {
     const base = path.resolve(baseDir);
     const trimmed = target?.trim();
@@ -230,8 +260,17 @@ function resolveContainedPath(baseDir, target, label) {
         throw new Error(`${label} module path is required`);
     }
     const resolved = resolvePath(base, trimmed);
-    const relative = path.relative(base, resolved);
-    if (relative === ".." || relative.startsWith(`..${path.sep}`) || path.isAbsolute(relative)) {
+    if (escapesBase(base, resolved)) {
+        throw new Error(`${label} module path must be within ${base}: ${target}`);
+    }
+    // Block symlink escapes for existing path segments while preserving current
+    // behavior for not-yet-created files.
+    const baseRealpath = safeRealpathSync(base);
+    const existingAncestor = resolveExistingAncestor(resolved);
+    const existingAncestorRealpath = existingAncestor ? safeRealpathSync(existingAncestor) : null;
+    if (baseRealpath &&
+        existingAncestorRealpath &&
+        escapesBase(baseRealpath, existingAncestorRealpath)) {
         throw new Error(`${label} module path must be within ${base}: ${target}`);
     }
     return resolved;