@poolzin/pool-bot 2026.3.4 → 2026.3.6

package/dist/plugin-sdk/windows-spawn.js

@@ -0,0 +1,214 @@
+import { readFileSync, statSync } from "node:fs";
+import path from "node:path";
+function isFilePath(candidate) {
+    try {
+        return statSync(candidate).isFile();
+    }
+    catch {
+        return false;
+    }
+}
+export function resolveWindowsExecutablePath(command, env) {
+    if (command.includes("/") || command.includes("\\") || path.isAbsolute(command)) {
+        return command;
+    }
+    const pathValue = env.PATH ?? env.Path ?? process.env.PATH ?? process.env.Path ?? "";
+    const pathEntries = pathValue
+        .split(";")
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+    const hasExtension = path.extname(command).length > 0;
+    const pathExtRaw = env.PATHEXT ??
+        env.Pathext ??
+        process.env.PATHEXT ??
+        process.env.Pathext ??
+        ".EXE;.CMD;.BAT;.COM";
+    const pathExt = hasExtension
+        ? [""]
+        : pathExtRaw
+            .split(";")
+            .map((ext) => ext.trim())
+            .filter(Boolean)
+            .map((ext) => (ext.startsWith(".") ? ext : `.${ext}`));
+    for (const dir of pathEntries) {
+        for (const ext of pathExt) {
+            for (const candidateExt of [ext, ext.toLowerCase(), ext.toUpperCase()]) {
+                const candidate = path.join(dir, `${command}${candidateExt}`);
+                if (isFilePath(candidate)) {
+                    return candidate;
+                }
+            }
+        }
+    }
+    return command;
+}
+function resolveEntrypointFromCmdShim(wrapperPath) {
+    if (!isFilePath(wrapperPath)) {
+        return null;
+    }
+    try {
+        const content = readFileSync(wrapperPath, "utf8");
+        const candidates = [];
+        for (const match of content.matchAll(/"([^"\r\n]*)"/g)) {
+            const token = match[1] ?? "";
+            const relMatch = token.match(/%~?dp0%?\s*[\\/]*(.*)$/i);
+            const relative = relMatch?.[1]?.trim();
+            if (!relative) {
+                continue;
+            }
+            const normalizedRelative = relative.replace(/[\\/]+/g, path.sep).replace(/^[\\/]+/, "");
+            const candidate = path.resolve(path.dirname(wrapperPath), normalizedRelative);
+            if (isFilePath(candidate)) {
+                candidates.push(candidate);
+            }
+        }
+        const nonNode = candidates.find((candidate) => {
+            const base = path.basename(candidate).toLowerCase();
+            return base !== "node.exe" && base !== "node";
+        });
+        return nonNode ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+function resolveBinEntry(packageName, binField) {
+    if (typeof binField === "string") {
+        const trimmed = binField.trim();
+        return trimmed || null;
+    }
+    if (!binField || typeof binField !== "object") {
+        return null;
+    }
+    if (packageName) {
+        const preferred = binField[packageName];
+        if (typeof preferred === "string" && preferred.trim()) {
+            return preferred.trim();
+        }
+    }
+    for (const value of Object.values(binField)) {
+        if (typeof value === "string" && value.trim()) {
+            return value.trim();
+        }
+    }
+    return null;
+}
+function resolveEntrypointFromPackageJson(wrapperPath, packageName) {
+    if (!packageName) {
+        return null;
+    }
+    const wrapperDir = path.dirname(wrapperPath);
+    const packageDirs = [
+        path.resolve(wrapperDir, "..", packageName),
+        path.resolve(wrapperDir, "node_modules", packageName),
+    ];
+    for (const packageDir of packageDirs) {
+        const packageJsonPath = path.join(packageDir, "package.json");
+        if (!isFilePath(packageJsonPath)) {
+            continue;
+        }
+        try {
+            const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf8"));
+            const entryRel = resolveBinEntry(packageName, packageJson.bin);
+            if (!entryRel) {
+                continue;
+            }
+            const entryPath = path.resolve(packageDir, entryRel);
+            if (isFilePath(entryPath)) {
+                return entryPath;
+            }
+        }
+        catch {
+            // Ignore malformed package metadata.
+        }
+    }
+    return null;
+}
+export function resolveWindowsSpawnProgramCandidate(params) {
+    const platform = params.platform ?? process.platform;
+    const env = params.env ?? process.env;
+    const execPath = params.execPath ?? process.execPath;
+    if (platform !== "win32") {
+        return {
+            command: params.command,
+            leadingArgv: [],
+            resolution: "direct",
+        };
+    }
+    const resolvedCommand = resolveWindowsExecutablePath(params.command, env);
+    const ext = path.extname(resolvedCommand).toLowerCase();
+    if (ext === ".js" || ext === ".cjs" || ext === ".mjs") {
+        return {
+            command: execPath,
+            leadingArgv: [resolvedCommand],
+            resolution: "node-entrypoint",
+            windowsHide: true,
+        };
+    }
+    if (ext === ".cmd" || ext === ".bat") {
+        const entrypoint = resolveEntrypointFromCmdShim(resolvedCommand) ??
+            resolveEntrypointFromPackageJson(resolvedCommand, params.packageName);
+        if (entrypoint) {
+            const entryExt = path.extname(entrypoint).toLowerCase();
+            if (entryExt === ".exe") {
+                return {
+                    command: entrypoint,
+                    leadingArgv: [],
+                    resolution: "exe-entrypoint",
+                    windowsHide: true,
+                };
+            }
+            return {
+                command: execPath,
+                leadingArgv: [entrypoint],
+                resolution: "node-entrypoint",
+                windowsHide: true,
+            };
+        }
+        return {
+            command: resolvedCommand,
+            leadingArgv: [],
+            resolution: "unresolved-wrapper",
+        };
+    }
+    return {
+        command: resolvedCommand,
+        leadingArgv: [],
+        resolution: "direct",
+    };
+}
+export function applyWindowsSpawnProgramPolicy(params) {
+    if (params.candidate.resolution !== "unresolved-wrapper") {
+        return {
+            command: params.candidate.command,
+            leadingArgv: params.candidate.leadingArgv,
+            resolution: params.candidate.resolution,
+            windowsHide: params.candidate.windowsHide,
+        };
+    }
+    if (params.allowShellFallback !== false) {
+        return {
+            command: params.candidate.command,
+            leadingArgv: [],
+            resolution: "shell-fallback",
+            shell: true,
+        };
+    }
+    throw new Error(`${path.basename(params.candidate.command)} wrapper resolved, but no executable/Node entrypoint could be resolved without shell execution.`);
+}
+export function resolveWindowsSpawnProgram(params) {
+    const candidate = resolveWindowsSpawnProgramCandidate(params);
+    return applyWindowsSpawnProgramPolicy({
+        candidate,
+        allowShellFallback: params.allowShellFallback,
+    });
+}
+export function materializeWindowsSpawnProgram(program, argv) {
+    return {
+        command: program.command,
+        argv: [...program.leadingArgv, ...argv],
+        resolution: program.resolution,
+        shell: program.shell,
+        windowsHide: program.windowsHide,
+    };
+}

package/dist/shared/net/ip-test-fixtures.js

@@ -0,0 +1 @@
+export const blockedIpv6MulticastLiterals = ["ff02::1", "ff05::1:3", "[ff02::1]"];

package/dist/shared/net/ip.js

@@ -0,0 +1,303 @@
+import ipaddr from "ipaddr.js";
+const BLOCKED_IPV4_SPECIAL_USE_RANGES = new Set([
+    "unspecified",
+    "broadcast",
+    "multicast",
+    "linkLocal",
+    "loopback",
+    "carrierGradeNat",
+    "private",
+    "reserved",
+]);
+const PRIVATE_OR_LOOPBACK_IPV4_RANGES = new Set([
+    "loopback",
+    "private",
+    "linkLocal",
+    "carrierGradeNat",
+]);
+const BLOCKED_IPV6_SPECIAL_USE_RANGES = new Set([
+    "unspecified",
+    "loopback",
+    "linkLocal",
+    "uniqueLocal",
+    "multicast",
+]);
+const RFC2544_BENCHMARK_PREFIX = [ipaddr.IPv4.parse("198.18.0.0"), 15];
+const EMBEDDED_IPV4_SENTINEL_RULES = [
+    {
+        // IPv4-compatible form ::w.x.y.z (deprecated, but still seen in parser edge-cases).
+        matches: (parts) => parts[0] === 0 &&
+            parts[1] === 0 &&
+            parts[2] === 0 &&
+            parts[3] === 0 &&
+            parts[4] === 0 &&
+            parts[5] === 0,
+        toHextets: (parts) => [parts[6], parts[7]],
+    },
+    {
+        // NAT64 local-use prefix: 64:ff9b:1::/48.
+        matches: (parts) => parts[0] === 0x0064 &&
+            parts[1] === 0xff9b &&
+            parts[2] === 0x0001 &&
+            parts[3] === 0 &&
+            parts[4] === 0 &&
+            parts[5] === 0,
+        toHextets: (parts) => [parts[6], parts[7]],
+    },
+    {
+        // 6to4 prefix: 2002::/16 (IPv4 lives in hextets 1..2).
+        matches: (parts) => parts[0] === 0x2002,
+        toHextets: (parts) => [parts[1], parts[2]],
+    },
+    {
+        // Teredo prefix: 2001:0000::/32 (client IPv4 XOR 0xffff in hextets 6..7).
+        matches: (parts) => parts[0] === 0x2001 && parts[1] === 0x0000,
+        toHextets: (parts) => [parts[6] ^ 0xffff, parts[7] ^ 0xffff],
+    },
+    {
+        // ISATAP IID marker: ....:0000:5efe:w.x.y.z with u/g bits allowed in hextet 4.
+        matches: (parts) => (parts[4] & 0xfcff) === 0 && parts[5] === 0x5efe,
+        toHextets: (parts) => [parts[6], parts[7]],
+    },
+];
+function stripIpv6Brackets(value) {
+    if (value.startsWith("[") && value.endsWith("]")) {
+        return value.slice(1, -1);
+    }
+    return value;
+}
+function isNumericIpv4LiteralPart(value) {
+    return /^[0-9]+$/.test(value) || /^0x[0-9a-f]+$/i.test(value);
+}
+function parseIpv6WithEmbeddedIpv4(raw) {
+    if (!raw.includes(":") || !raw.includes(".")) {
+        return undefined;
+    }
+    const match = /^(.*:)([^:%]+(?:\.[^:%]+){3})(%[0-9A-Za-z]+)?$/i.exec(raw);
+    if (!match) {
+        return undefined;
+    }
+    const [, prefix, embeddedIpv4, zoneSuffix = ""] = match;
+    if (!ipaddr.IPv4.isValidFourPartDecimal(embeddedIpv4)) {
+        return undefined;
+    }
+    const octets = embeddedIpv4.split(".").map((part) => Number.parseInt(part, 10));
+    const high = ((octets[0] << 8) | octets[1]).toString(16);
+    const low = ((octets[2] << 8) | octets[3]).toString(16);
+    const normalizedIpv6 = `${prefix}${high}:${low}${zoneSuffix}`;
+    if (!ipaddr.IPv6.isValid(normalizedIpv6)) {
+        return undefined;
+    }
+    return ipaddr.IPv6.parse(normalizedIpv6);
+}
+export function isIpv4Address(address) {
+    return address.kind() === "ipv4";
+}
+export function isIpv6Address(address) {
+    return address.kind() === "ipv6";
+}
+function normalizeIpv4MappedAddress(address) {
+    if (!isIpv6Address(address)) {
+        return address;
+    }
+    if (!address.isIPv4MappedAddress()) {
+        return address;
+    }
+    return address.toIPv4Address();
+}
+export function parseCanonicalIpAddress(raw) {
+    const trimmed = raw?.trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    const normalized = stripIpv6Brackets(trimmed);
+    if (!normalized) {
+        return undefined;
+    }
+    if (ipaddr.IPv4.isValid(normalized)) {
+        if (!ipaddr.IPv4.isValidFourPartDecimal(normalized)) {
+            return undefined;
+        }
+        return ipaddr.IPv4.parse(normalized);
+    }
+    if (ipaddr.IPv6.isValid(normalized)) {
+        return ipaddr.IPv6.parse(normalized);
+    }
+    return parseIpv6WithEmbeddedIpv4(normalized);
+}
+export function parseLooseIpAddress(raw) {
+    const trimmed = raw?.trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    const normalized = stripIpv6Brackets(trimmed);
+    if (!normalized) {
+        return undefined;
+    }
+    if (ipaddr.isValid(normalized)) {
+        return ipaddr.parse(normalized);
+    }
+    return parseIpv6WithEmbeddedIpv4(normalized);
+}
+export function normalizeIpAddress(raw) {
+    const parsed = parseCanonicalIpAddress(raw);
+    if (!parsed) {
+        return undefined;
+    }
+    const normalized = normalizeIpv4MappedAddress(parsed);
+    return normalized.toString().toLowerCase();
+}
+export function isCanonicalDottedDecimalIPv4(raw) {
+    const trimmed = raw?.trim();
+    if (!trimmed) {
+        return false;
+    }
+    const normalized = stripIpv6Brackets(trimmed);
+    if (!normalized) {
+        return false;
+    }
+    return ipaddr.IPv4.isValidFourPartDecimal(normalized);
+}
+export function isLegacyIpv4Literal(raw) {
+    const trimmed = raw?.trim();
+    if (!trimmed) {
+        return false;
+    }
+    const normalized = stripIpv6Brackets(trimmed);
+    if (!normalized || normalized.includes(":")) {
+        return false;
+    }
+    if (isCanonicalDottedDecimalIPv4(normalized)) {
+        return false;
+    }
+    const parts = normalized.split(".");
+    if (parts.length === 0 || parts.length > 4) {
+        return false;
+    }
+    if (parts.some((part) => part.length === 0)) {
+        return false;
+    }
+    if (!parts.every((part) => isNumericIpv4LiteralPart(part))) {
+        return false;
+    }
+    return true;
+}
+export function isLoopbackIpAddress(raw) {
+    const parsed = parseCanonicalIpAddress(raw);
+    if (!parsed) {
+        return false;
+    }
+    const normalized = normalizeIpv4MappedAddress(parsed);
+    return normalized.range() === "loopback";
+}
+export function isPrivateOrLoopbackIpAddress(raw) {
+    const parsed = parseCanonicalIpAddress(raw);
+    if (!parsed) {
+        return false;
+    }
+    const normalized = normalizeIpv4MappedAddress(parsed);
+    if (isIpv4Address(normalized)) {
+        return PRIVATE_OR_LOOPBACK_IPV4_RANGES.has(normalized.range());
+    }
+    return isBlockedSpecialUseIpv6Address(normalized);
+}
+export function isBlockedSpecialUseIpv6Address(address) {
+    if (BLOCKED_IPV6_SPECIAL_USE_RANGES.has(address.range())) {
+        return true;
+    }
+    // ipaddr.js does not classify deprecated site-local fec0::/10 as private.
+    return (address.parts[0] & 0xffc0) === 0xfec0;
+}
+export function isRfc1918Ipv4Address(raw) {
+    const parsed = parseCanonicalIpAddress(raw);
+    if (!parsed || !isIpv4Address(parsed)) {
+        return false;
+    }
+    return parsed.range() === "private";
+}
+export function isCarrierGradeNatIpv4Address(raw) {
+    const parsed = parseCanonicalIpAddress(raw);
+    if (!parsed || !isIpv4Address(parsed)) {
+        return false;
+    }
+    return parsed.range() === "carrierGradeNat";
+}
+export function isBlockedSpecialUseIpv4Address(address, options = {}) {
+    const inRfc2544BenchmarkRange = address.match(RFC2544_BENCHMARK_PREFIX);
+    if (inRfc2544BenchmarkRange && options.allowRfc2544BenchmarkRange === true) {
+        return false;
+    }
+    return BLOCKED_IPV4_SPECIAL_USE_RANGES.has(address.range()) || inRfc2544BenchmarkRange;
+}
+function decodeIpv4FromHextets(high, low) {
+    const octets = [
+        (high >>> 8) & 0xff,
+        high & 0xff,
+        (low >>> 8) & 0xff,
+        low & 0xff,
+    ];
+    return ipaddr.IPv4.parse(octets.join("."));
+}
+export function extractEmbeddedIpv4FromIpv6(address) {
+    if (address.isIPv4MappedAddress()) {
+        return address.toIPv4Address();
+    }
+    if (address.range() === "rfc6145") {
+        return decodeIpv4FromHextets(address.parts[6], address.parts[7]);
+    }
+    if (address.range() === "rfc6052") {
+        return decodeIpv4FromHextets(address.parts[6], address.parts[7]);
+    }
+    for (const rule of EMBEDDED_IPV4_SENTINEL_RULES) {
+        if (!rule.matches(address.parts)) {
+            continue;
+        }
+        const [high, low] = rule.toHextets(address.parts);
+        return decodeIpv4FromHextets(high, low);
+    }
+    return undefined;
+}
+export function isIpInCidr(ip, cidr) {
+    const normalizedIp = parseCanonicalIpAddress(ip);
+    if (!normalizedIp) {
+        return false;
+    }
+    const candidate = cidr.trim();
+    if (!candidate) {
+        return false;
+    }
+    const comparableIp = normalizeIpv4MappedAddress(normalizedIp);
+    if (!candidate.includes("/")) {
+        const exact = parseCanonicalIpAddress(candidate);
+        if (!exact) {
+            return false;
+        }
+        const comparableExact = normalizeIpv4MappedAddress(exact);
+        return (comparableIp.kind() === comparableExact.kind() &&
+            comparableIp.toString() === comparableExact.toString());
+    }
+    let parsedCidr;
+    try {
+        parsedCidr = ipaddr.parseCIDR(candidate);
+    }
+    catch {
+        return false;
+    }
+    const [baseAddress, prefixLength] = parsedCidr;
+    const comparableBase = normalizeIpv4MappedAddress(baseAddress);
+    if (comparableIp.kind() !== comparableBase.kind()) {
+        return false;
+    }
+    try {
+        if (isIpv4Address(comparableIp) && isIpv4Address(comparableBase)) {
+            return comparableIp.match([comparableBase, prefixLength]);
+        }
+        if (isIpv6Address(comparableIp) && isIpv6Address(comparableBase)) {
+            return comparableIp.match([comparableBase, prefixLength]);
+        }
+        return false;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/shared/net/ipv4.js

@@ -1,17 +1,14 @@
-export function validateIPv4AddressInput(value) {
+import { isCanonicalDottedDecimalIPv4 } from "./ip.js";
+export function validateDottedDecimalIPv4Input(value) {
     if (!value) {
         return "IP address is required for custom bind mode";
     }
-    const trimmed = value.trim();
-    const parts = trimmed.split(".");
-    if (parts.length !== 4) {
-        return "Invalid IPv4 address (e.g., 192.168.1.100)";
-    }
-    if (parts.every((part) => {
-        const n = parseInt(part, 10);
-        return !Number.isNaN(n) && n >= 0 && n <= 255 && part === String(n);
-    })) {
+    if (isCanonicalDottedDecimalIPv4(value)) {
         return undefined;
     }
-    return "Invalid IPv4 address (each octet must be 0-255)";
+    return "Invalid IPv4 address (e.g., 192.168.1.100)";
+}
+// Backward-compatible alias for callers using the old helper name.
+export function validateIPv4AddressInput(value) {
+    return validateDottedDecimalIPv4Input(value);
 }

package/dist/shared/pid-alive.js

@@ -1,12 +1,69 @@
+import fsSync from "node:fs";
+function isValidPid(pid) {
+    return Number.isInteger(pid) && pid > 0;
+}
+/**
+ * Check if a process is a zombie on Linux by reading /proc/<pid>/status.
+ * Returns false on non-Linux platforms or if the proc file can't be read.
+ */
+function isZombieProcess(pid) {
+    if (process.platform !== "linux") {
+        return false;
+    }
+    try {
+        const status = fsSync.readFileSync(`/proc/${pid}/status`, "utf8");
+        const stateMatch = status.match(/^State:\s+(\S)/m);
+        return stateMatch?.[1] === "Z";
+    }
+    catch {
+        return false;
+    }
+}
 export function isPidAlive(pid) {
-    if (!Number.isFinite(pid) || pid <= 0) {
+    if (!isValidPid(pid)) {
         return false;
     }
     try {
         process.kill(pid, 0);
-        return true;
     }
     catch {
         return false;
     }
+    if (isZombieProcess(pid)) {
+        return false;
+    }
+    return true;
+}
+/**
+ * Read the process start time (field 22 "starttime") from /proc/<pid>/stat.
+ * Returns the value in clock ticks since system boot, or null on non-Linux
+ * platforms or if the proc file can't be read.
+ *
+ * This is used to detect PID recycling: if two readings for the same PID
+ * return different starttimes, the PID has been reused by a different process.
+ */
+export function getProcessStartTime(pid) {
+    if (process.platform !== "linux") {
+        return null;
+    }
+    if (!isValidPid(pid)) {
+        return null;
+    }
+    try {
+        const stat = fsSync.readFileSync(`/proc/${pid}/stat`, "utf8");
+        const commEndIndex = stat.lastIndexOf(")");
+        if (commEndIndex < 0) {
+            return null;
+        }
+        // The comm field (field 2) is wrapped in parens and can contain spaces,
+        // so split after the last ")" to get fields 3..N reliably.
+        const afterComm = stat.slice(commEndIndex + 1).trimStart();
+        const fields = afterComm.split(/\s+/);
+        // field 22 (starttime) = index 19 after the comm-split (field 3 is index 0).
+        const starttime = Number(fields[19]);
+        return Number.isInteger(starttime) && starttime >= 0 ? starttime : null;
+    }
+    catch {
+        return null;
+    }
 }

package/dist/test-helpers/ssrf.js

@@ -0,0 +1,13 @@
+import { vi } from "vitest";
+import * as ssrf from "../infra/net/ssrf.js";
+export function mockPinnedHostnameResolution(addresses = ["93.184.216.34"]) {
+    return vi.spyOn(ssrf, "resolvePinnedHostname").mockImplementation(async (hostname) => {
+        const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
+        const pinnedAddresses = [...addresses];
+        return {
+            hostname: normalized,
+            addresses: pinnedAddresses,
+            lookup: ssrf.createPinnedLookup({ hostname: normalized, addresses: pinnedAddresses }),
+        };
+    });
+}

package/dist/tui/tui.js

@@ -1,4 +1,4 @@
-import { CombinedAutocompleteProvider, Container, Key, Loader, matchesKey, ProcessTerminal, Text, TUI, } from "@mariozechner/pi-tui";
+import { CombinedAutocompleteProvider, Container, Key, Loader, matchesKey, ProcessTerminal, Text, TUI, truncateToWidth, } from "@mariozechner/pi-tui";
 import { resolveDefaultAgentId } from "../agents/agent-scope.js";
 import { loadConfig } from "../config/config.js";
 import { buildAgentMainSessionKey, normalizeAgentId, normalizeMainKey, parseAgentSessionKey, } from "../routing/session-key.js";
@@ -398,7 +398,9 @@ export async function runTui(opts) {
     const updateHeader = () => {
         const sessionLabel = formatSessionKey(currentSessionKey);
         const agentLabel = formatAgentLabel(currentAgentId);
-        header.setText(theme.header(`poolbot tui - ${client.connection.url} - agent ${agentLabel} - session ${sessionLabel}`));
+        const headerText = `poolbot tui - ${client.connection.url} - agent ${agentLabel} - session ${sessionLabel}`;
+        const maxHeaderWidth = Math.max(1, (process.stdout.columns ?? 120) - 2);
+        header.setText(theme.header(truncateToWidth(headerText, maxHeaderWidth, "…")));
     };
     const busyStates = new Set(["sending", "waiting", "streaming", "running"]);
     let statusText = null;
@@ -520,7 +522,8 @@ export async function runTui(opts) {
             statusLoader = null;
             ensureStatusText();
             const text = activityStatus ? `${connectionStatus} | ${activityStatus}` : connectionStatus;
-            statusText?.setText(theme.dim(text));
+            const maxStatusWidth = Math.max(1, (process.stdout.columns ?? 120) - 2);
+            statusText?.setText(theme.dim(truncateToWidth(text, maxStatusWidth, "…")));
         }
         lastActivityStatus = activityStatus;
     };
@@ -566,7 +569,9 @@ export async function runTui(opts) {
             reasoningLabel,
             tokens,
         ].filter(Boolean);
-        footer.setText(theme.dim(footerParts.join(" | ")));
+        const footerText = footerParts.join(" | ");
+        const maxFooterWidth = Math.max(1, (process.stdout.columns ?? 120) - 2);
+        footer.setText(theme.dim(truncateToWidth(footerText, maxFooterWidth, "…")));
     };
     const { openOverlay, closeOverlay } = createOverlayHandlers(tui, editor);
     const initialSessionAgentId = (() => {

package/dist/utils/fetch-timeout.js

@@ -1,3 +1,14 @@
+/**
+ * Relay abort without forwarding the Event argument as the abort reason.
+ * Using .bind() avoids closure scope capture (memory leak prevention).
+ */
+function relayAbort() {
+    this.abort();
+}
+/** Returns a bound abort relay for use as an event listener. */
+export function bindAbortRelay(controller) {
+    return relayAbort.bind(controller);
+}
 /**
  * Fetch wrapper that adds timeout support via AbortController.
  *
@@ -10,7 +21,7 @@
  */
 export async function fetchWithTimeout(url, init, timeoutMs, fetchFn = fetch) {
     const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), Math.max(1, timeoutMs));
+    const timer = setTimeout(controller.abort.bind(controller), Math.max(1, timeoutMs));
     try {
         return await fetchFn(url, { ...init, signal: controller.signal });
     }