@poolzin/pool-bot 2026.3.22 → 2026.3.24

package/dist/security/external-content.js

@@ -7,6 +7,11 @@ import { randomBytes } from "node:crypto";
  *
  * SECURITY: External content should NEVER be directly interpolated into
  * system prompts or treated as trusted instructions.
+ *
+ * SECURITY HARDENING (GHSA-external-content-markers):
+ * - Zero-width character stripping from boundary markers
+ * - Soft-hyphen character removal
+ * - Unicode format character escaping
  */
 /**
  * Patterns that may indicate prompt injection attempts.
@@ -110,8 +115,53 @@ function foldMarkerChar(char) {
     }
     return char;
 }
+/**
+ * Unicode invisible/format characters that can be used for spoofing boundary markers.
+ * GHSA-external-content-markers: Strip these to prevent marker bypass attacks.
+ */
+const INVISIBLE_UNICODE_RANGES = [
+    [0x0000, 0x001f], // C0 control characters
+    [0x007f, 0x009f], // Delete and C1 control
+    [0x00ad, 0x00ad], // Soft hyphen
+    [0x0600, 0x0605], // Arabic number signs
+    [0x061c, 0x061c], // Arabic letter mark
+    [0x06dd, 0x06dd], // Ayah
+    [0x070f, 0x070f], // Syriac abbreviation
+    [0x180e, 0x180e], // Mongolian vowel separator
+    [0x200b, 0x200f], // Zero-width chars
+    [0x2028, 0x202e], // Line/paragraph separators
+    [0x2060, 0x206f], // Invisible operators
+    [0xfeff, 0xfeff], // BOM/zero-width no-break space
+    [0xfff0, 0xfff8], // Specials
+    [0xd800, 0xdfff], // Surrogate pairs
+];
+/**
+ * Strip invisible Unicode characters from content.
+ *
+ * SECURITY: Prevents spoofing of boundary markers via zero-width characters.
+ * GHSA-external-content-markers
+ */
+function stripInvisibleUnicode(text) {
+    let result = "";
+    for (const char of text) {
+        const code = char.codePointAt(0) ?? 0;
+        let isInvisible = false;
+        for (const [start, end] of INVISIBLE_UNICODE_RANGES) {
+            if (code >= start && code <= end) {
+                isInvisible = true;
+                break;
+            }
+        }
+        if (!isInvisible) {
+            result += char;
+        }
+    }
+    return result;
+}
 function foldMarkerText(input) {
-    return input.replace(/[\uFF21-\uFF3A\uFF41-\uFF5A\uFF1C\uFF1E\u2329\u232A\u3008\u3009\u2039\u203A\u27E8\u27E9\uFE64\uFE65]/g, (char) => foldMarkerChar(char));
+    // SECURITY HARDENING: Strip invisible Unicode before folding
+    const stripped = stripInvisibleUnicode(input);
+    return stripped.replace(/[\uFF21-\uFF3A\uFF41-\uFF5A\uFF1C\uFF1E\u2329\u232A\u3008\u3009\u2039\u203A\u27E8\u27E9\uFE64\uFE65]/g, (char) => foldMarkerChar(char));
 }
 function replaceMarkers(content) {
     const folded = foldMarkerText(content);

package/dist/sessions/session-costs.js

@@ -0,0 +1,228 @@
+/**
+ * Session Cost Tracking
+ * Track token costs, time costs, and generate cost reports
+ */
+/**
+ * Calculate total cost from cost units
+ */
+export function calculateTotalCost(costs, rates) {
+    const defaultRates = {
+        tokens: 0.00002, // $0.00002 per token
+        time: 0.001, // $0.001 per second
+        api_calls: 0.001, // $0.001 per API call
+        custom: 0,
+    };
+    const effectiveRates = { ...defaultRates, ...rates };
+    return costs.reduce((total, cost) => {
+        const rate = effectiveRates[cost.type] || 0;
+        return total + cost.amount * rate;
+    }, 0);
+}
+/**
+ * Track session costs
+ */
+export class SessionCostTracker {
+    sessions = new Map();
+    rates = {};
+    constructor(rates) {
+        if (rates) {
+            this.rates = rates;
+        }
+    }
+    /**
+     * Start tracking a session
+     */
+    startSession(sessionId, agentId, channelId) {
+        this.sessions.set(sessionId, {
+            sessionId,
+            agentId,
+            channelId,
+            costs: [],
+            startTime: Date.now(),
+            metadata: {},
+        });
+    }
+    /**
+     * Add cost to a session
+     */
+    addCost(sessionId, cost) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            throw new Error(`Session ${sessionId} not found`);
+        }
+        session.costs.push(cost);
+        session.totalCost = calculateTotalCost(session.costs, this.rates);
+    }
+    /**
+     * Add token cost
+     */
+    addTokenCost(sessionId, tokens, metadata) {
+        this.addCost(sessionId, {
+            type: "tokens",
+            amount: tokens,
+            metadata,
+        });
+    }
+    /**
+     * Add time cost
+     */
+    addTimeCost(sessionId, seconds, metadata) {
+        this.addCost(sessionId, {
+            type: "time",
+            amount: seconds,
+            metadata,
+        });
+    }
+    /**
+     * Add API call cost
+     */
+    addApiCallCost(sessionId, count = 1, metadata) {
+        this.addCost(sessionId, {
+            type: "api_calls",
+            amount: count,
+            metadata,
+        });
+    }
+    /**
+     * End session tracking
+     */
+    endSession(sessionId) {
+        const session = this.sessions.get(sessionId);
+        if (!session) {
+            return undefined;
+        }
+        session.endTime = Date.now();
+        // Add final time cost
+        const durationSeconds = (session.endTime - session.startTime) / 1000;
+        this.addTimeCost(sessionId, durationSeconds, { type: "session_duration" });
+        return session;
+    }
+    /**
+     * Get session cost
+     */
+    getSessionCost(sessionId) {
+        return this.sessions.get(sessionId);
+    }
+    /**
+     * Get cost breakdown
+     */
+    getCostBreakdown(sessionIds) {
+        const sessions = sessionIds
+            ? sessionIds.map((id) => this.sessions.get(id)).filter((s) => !!s)
+            : Array.from(this.sessions.values());
+        const breakdown = {
+            byType: {},
+            byAgent: {},
+            byChannel: {},
+            bySession: {},
+            total: 0,
+        };
+        for (const session of sessions) {
+            const sessionTotal = calculateTotalCost(session.costs, this.rates);
+            // By type
+            for (const cost of session.costs) {
+                breakdown.byType[cost.type] =
+                    (breakdown.byType[cost.type] || 0) + cost.amount * (this.rates[cost.type] || 0);
+            }
+            // By agent
+            if (session.agentId) {
+                breakdown.byAgent[session.agentId] =
+                    (breakdown.byAgent[session.agentId] || 0) + sessionTotal;
+            }
+            // By channel
+            if (session.channelId) {
+                breakdown.byChannel[session.channelId] =
+                    (breakdown.byChannel[session.channelId] || 0) + sessionTotal;
+            }
+            // By session
+            breakdown.bySession[session.sessionId] = sessionTotal;
+            // Total
+            breakdown.total += sessionTotal;
+        }
+        return breakdown;
+    }
+    /**
+     * Export costs to different formats
+     */
+    exportCosts(format, sessionIds) {
+        const sessions = sessionIds
+            ? sessionIds.map((id) => this.getSessionCost(id)).filter((s) => !!s)
+            : Array.from(this.sessions.values());
+        switch (format) {
+            case "csv":
+                return this.exportToCSV(sessions);
+            case "json":
+                return JSON.stringify(sessions, null, 2);
+            case "markdown":
+                return this.exportToMarkdown(sessions);
+            default:
+                throw new Error(`Unknown format: ${format}`);
+        }
+    }
+    exportToCSV(sessions) {
+        const lines = [
+            "Session ID,Agent ID,Channel ID,Start Time,End Time,Total Cost,Token Cost,Time Cost,API Calls",
+        ];
+        for (const session of sessions) {
+            const tokenCost = session.costs
+                .filter((c) => c.type === "tokens")
+                .reduce((sum, c) => sum + c.amount, 0);
+            const timeCost = session.costs
+                .filter((c) => c.type === "time")
+                .reduce((sum, c) => sum + c.amount, 0);
+            const apiCalls = session.costs
+                .filter((c) => c.type === "api_calls")
+                .reduce((sum, c) => sum + c.amount, 0);
+            lines.push(`${session.sessionId},${session.agentId || ""},${session.channelId || ""},${session.startTime},${session.endTime || ""},${session.totalCost || 0},${tokenCost},${timeCost},${apiCalls}`);
+        }
+        return lines.join("\n");
+    }
+    exportToMarkdown(sessions) {
+        const lines = ["# Session Cost Report", ""];
+        const breakdown = this.getCostBreakdown(sessions.map((s) => s.sessionId));
+        lines.push("## Summary", "");
+        lines.push(`- **Total Cost**: $${breakdown.total.toFixed(4)}`);
+        lines.push(`- **Sessions**: ${sessions.length}`);
+        lines.push("");
+        lines.push("## By Type", "");
+        lines.push("| Type | Cost |");
+        lines.push("|------|------|");
+        for (const [type, cost] of Object.entries(breakdown.byType)) {
+            lines.push(`| ${type} | $${cost.toFixed(4)} |`);
+        }
+        lines.push("");
+        lines.push("## Sessions", "");
+        lines.push("| Session | Agent | Channel | Total Cost |");
+        lines.push("|---------|-------|---------|------------|");
+        for (const session of sessions) {
+            lines.push(`| ${session.sessionId} | ${session.agentId || "N/A"} | ${session.channelId || "N/A"} | $${(session.totalCost || 0).toFixed(4)} |`);
+        }
+        return lines.join("\n");
+    }
+    /**
+     * Clear all sessions
+     */
+    clear() {
+        this.sessions.clear();
+    }
+    /**
+     * Get statistics
+     */
+    getStats() {
+        const sessions = Array.from(this.sessions.values());
+        const _activeSessions = sessions.filter((s) => !s.endTime).length;
+        const _totalCost = sessions.reduce((sum, s) => sum + (s.totalCost || 0), 0);
+        return {
+            totalSessions: sessions.length,
+            activeSessions: _activeSessions,
+            totalCost: _totalCost,
+            avgCostPerSession: sessions.length > 0 ? _totalCost / sessions.length : 0,
+        };
+    }
+}
+/**
+ * Create default cost tracker
+ */
+export function createSessionCostTracker(rates) {
+    return new SessionCostTracker(rates);
+}

package/dist/shared/param-key.js

@@ -0,0 +1,16 @@
+export function toSnakeCaseKey(key) {
+    return key
+        .replace(/([A-Z]+)([A-Z][a-z])/g, "$1_$2")
+        .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
+        .toLowerCase();
+}
+export function readSnakeCaseParamRaw(params, key) {
+    if (Object.hasOwn(params, key)) {
+        return params[key];
+    }
+    const snakeKey = toSnakeCaseKey(key);
+    if (snakeKey !== key && Object.hasOwn(params, snakeKey)) {
+        return params[snakeKey];
+    }
+    return undefined;
+}

package/dist/shared/poll-params.js

@@ -0,0 +1,58 @@
+import { readSnakeCaseParamRaw } from "./param-key.js";
+export const POLL_CREATION_PARAM_DEFS = {
+    pollQuestion: { kind: "string" },
+    pollOption: { kind: "stringArray" },
+    pollDurationHours: { kind: "number" },
+    pollMulti: { kind: "boolean" },
+    pollDurationSeconds: { kind: "number", telegramOnly: true },
+    pollAnonymous: { kind: "boolean", telegramOnly: true },
+    pollPublic: { kind: "boolean", telegramOnly: true },
+};
+export const POLL_CREATION_PARAM_NAMES = Object.keys(POLL_CREATION_PARAM_DEFS);
+function readPollParamRaw(params, key) {
+    return readSnakeCaseParamRaw(params, key);
+}
+export function resolveTelegramPollVisibility(params) {
+    if (params.pollAnonymous && params.pollPublic) {
+        throw new Error("pollAnonymous and pollPublic are mutually exclusive");
+    }
+    return params.pollAnonymous ? true : params.pollPublic ? false : undefined;
+}
+export function hasPollCreationParams(params) {
+    for (const key of POLL_CREATION_PARAM_NAMES) {
+        const def = POLL_CREATION_PARAM_DEFS[key];
+        const value = readPollParamRaw(params, key);
+        if (def.kind === "string" && typeof value === "string" && value.trim().length > 0) {
+            return true;
+        }
+        if (def.kind === "stringArray") {
+            if (Array.isArray(value) &&
+                value.some((entry) => typeof entry === "string" && entry.trim())) {
+                return true;
+            }
+            if (typeof value === "string" && value.trim().length > 0) {
+                return true;
+            }
+        }
+        if (def.kind === "number") {
+            if (typeof value === "number" && Number.isFinite(value)) {
+                return true;
+            }
+            if (typeof value === "string") {
+                const trimmed = value.trim();
+                if (trimmed.length > 0 && Number.isFinite(Number(trimmed))) {
+                    return true;
+                }
+            }
+        }
+        if (def.kind === "boolean") {
+            if (value === true) {
+                return true;
+            }
+            if (typeof value === "string" && value.trim().toLowerCase() === "true") {
+                return true;
+            }
+        }
+    }
+    return false;
+}

package/dist/shared/polls.js

@@ -0,0 +1,55 @@
+export function resolvePollMaxSelections(optionCount, allowMultiselect) {
+    return allowMultiselect ? Math.max(2, optionCount) : 1;
+}
+export function normalizePollInput(input, options = {}) {
+    const question = input.question.trim();
+    if (!question) {
+        throw new Error("Poll question is required");
+    }
+    const pollOptions = (input.options ?? []).map((option) => option.trim());
+    const cleaned = pollOptions.filter(Boolean);
+    if (cleaned.length < 2) {
+        throw new Error("Poll requires at least 2 options");
+    }
+    if (options.maxOptions !== undefined && cleaned.length > options.maxOptions) {
+        throw new Error(`Poll supports at most ${options.maxOptions} options`);
+    }
+    const maxSelectionsRaw = input.maxSelections;
+    const maxSelections = typeof maxSelectionsRaw === "number" && Number.isFinite(maxSelectionsRaw)
+        ? Math.floor(maxSelectionsRaw)
+        : 1;
+    if (maxSelections < 1) {
+        throw new Error("maxSelections must be at least 1");
+    }
+    if (maxSelections > cleaned.length) {
+        throw new Error("maxSelections cannot exceed option count");
+    }
+    const durationSecondsRaw = input.durationSeconds;
+    const durationSeconds = typeof durationSecondsRaw === "number" && Number.isFinite(durationSecondsRaw)
+        ? Math.floor(durationSecondsRaw)
+        : undefined;
+    if (durationSeconds !== undefined && durationSeconds < 1) {
+        throw new Error("durationSeconds must be at least 1");
+    }
+    const durationRaw = input.durationHours;
+    const durationHours = typeof durationRaw === "number" && Number.isFinite(durationRaw)
+        ? Math.floor(durationRaw)
+        : undefined;
+    if (durationHours !== undefined && durationHours < 1) {
+        throw new Error("durationHours must be at least 1");
+    }
+    if (durationSeconds !== undefined && durationHours !== undefined) {
+        throw new Error("durationSeconds and durationHours are mutually exclusive");
+    }
+    return {
+        question,
+        options: cleaned,
+        maxSelections,
+        durationSeconds,
+        durationHours,
+    };
+}
+export function normalizePollDurationHours(value, options) {
+    const base = typeof value === "number" && Number.isFinite(value) ? Math.floor(value) : options.defaultHours;
+    return Math.min(Math.max(base, 1), options.maxHours);
+}