@poolzin/pool-bot 2026.3.4 → 2026.3.7

package/dist/cli/security-cli.js

@@ -1,7 +1,8 @@
-import { loadConfig } from "../config/config.js";
+import { loadConfig, writeConfigFile } from "../config/config.js";
 import { defaultRuntime } from "../runtime.js";
 import { runSecurityAudit } from "../security/audit.js";
 import { fixSecurityFootguns } from "../security/fix.js";
+import { CAPABILITY_TYPES } from "../security/capability.js";
 import { formatDocsLink } from "../terminal/links.js";
 import { isRich, theme } from "../terminal/theme.js";
 import { shortenHomeInString, shortenHomePath } from "../utils.js";
@@ -17,10 +18,24 @@ function formatSummary(summary) {
     parts.push(rich ? theme.muted(`${i} info`) : `${i} info`);
     return parts.join(" · ");
 }
+function formatCapability(cap) {
+    let result = cap.type;
+    if ("pattern" in cap && cap.pattern)
+        result += ` pattern="${cap.pattern}"`;
+    if ("toolId" in cap && cap.toolId)
+        result += ` tool="${cap.toolId}"`;
+    if ("limit" in cap && cap.limit)
+        result += ` limit=${cap.limit}`;
+    if ("scope" in cap && cap.scope)
+        result += ` scope="${cap.scope}"`;
+    if ("port" in cap && cap.port)
+        result += ` port=${cap.port}`;
+    return result;
+}
 export function registerSecurityCli(program) {
     const security = program
         .command("security")
-        .description("Security tools (audit)")
+        .description("Security tools (audit, capabilities)")
         .addHelpText("after", () => `\n${theme.muted("Docs:")} ${formatDocsLink("/cli/security", "docs.molt.bot/cli/security")}\n`);
     security
         .command("audit")
@@ -120,4 +135,198 @@ export function registerSecurityCli(program) {
         render("info");
         defaultRuntime.log(lines.join("\n"));
     });
+    // Capability management commands
+    const capabilities = security
+        .command("capabilities")
+        .description("Manage agent capabilities (permission system)");
+    capabilities
+        .command("grant")
+        .description("Grant a capability to an agent or pattern")
+        .argument("<type>", `Capability type (${CAPABILITY_TYPES.join(", ")})`)
+        .option("-a, --agent <pattern>", "Agent ID pattern (e.g., 'agent-*', 'coder')", "*")
+        .option("-p, --pattern <glob>", "File path pattern for file:* capabilities")
+        .option("-t, --tool <name>", "Tool name for tool:invoke capability")
+        .option("-h, --host <hostname>", "Host pattern for net:connect capability")
+        .option("-m, --max-tokens <n>", "Max tokens for llm:maxTokens capability")
+        .option("--json", "Print JSON output")
+        .action(async (type, opts) => {
+        const rich = isRich();
+        const cfg = loadConfig();
+        // Validate capability type
+        if (!CAPABILITY_TYPES.includes(type)) {
+            defaultRuntime.log(rich
+                ? theme.error(`Invalid capability type: ${type}`)
+                : `Invalid capability type: ${type}`);
+            defaultRuntime.log(`Valid types: ${CAPABILITY_TYPES.join(", ")}`);
+            process.exit(1);
+        }
+        // Build capability object
+        const capability = { type: type };
+        if (opts.pattern && (type.startsWith("file:") || type === "shell:exec")) {
+            capability.pattern = opts.pattern;
+        }
+        if (opts.tool && type === "tool:invoke") {
+            capability.toolId = opts.tool;
+        }
+        if (opts.host && type === "net:connect") {
+            capability.pattern = opts.host;
+        }
+        if (opts.maxTokens && type === "llm:maxTokens") {
+            capability.limit = parseInt(opts.maxTokens, 10);
+        }
+        // Initialize security config if needed
+        if (!cfg.security) {
+            cfg.security = { enabled: true };
+        }
+        if (!cfg.security.agents) {
+            cfg.security.agents = [];
+        }
+        // Find or create agent entry
+        const agentId = opts.agent || "*";
+        let agentEntry = cfg.security.agents.find((a) => a.agentId === agentId);
+        if (!agentEntry) {
+            agentEntry = { agentId, capabilities: [] };
+            cfg.security.agents.push(agentEntry);
+        }
+        // Add capability
+        agentEntry.capabilities.push(capability);
+        // Write config
+        await writeConfigFile(cfg);
+        if (opts.json) {
+            defaultRuntime.log(JSON.stringify({ success: true, capability, agentId }, null, 2));
+            return;
+        }
+        defaultRuntime.log(rich
+            ? theme.success(`Granted ${type} to agent "${agentId}"`)
+            : `Granted ${type} to agent "${agentId}"`);
+        defaultRuntime.log(formatCapability(capability));
+    });
+    capabilities
+        .command("revoke")
+        .description("Revoke capabilities from an agent")
+        .argument("[type]", `Capability type to revoke (omit to revoke all)`)
+        .option("-a, --agent <pattern>", "Agent ID pattern", "*")
+        .option("--json", "Print JSON output")
+        .action(async (type, opts) => {
+        const rich = isRich();
+        const cfg = loadConfig();
+        if (!cfg.security?.agents || cfg.security.agents.length === 0) {
+            if (opts.json) {
+                defaultRuntime.log(JSON.stringify({ success: true, removed: 0 }));
+            }
+            else {
+                defaultRuntime.log(rich ? theme.muted("No capabilities configured") : "No capabilities configured");
+            }
+            return;
+        }
+        const agentId = opts.agent || "*";
+        const agentEntry = cfg.security.agents.find((a) => a.agentId === agentId);
+        if (!agentEntry) {
+            if (opts.json) {
+                defaultRuntime.log(JSON.stringify({ success: true, removed: 0 }));
+            }
+            else {
+                defaultRuntime.log(rich
+                    ? theme.muted(`No capabilities found for agent "${agentId}"`)
+                    : `No capabilities found for agent "${agentId}"`);
+            }
+            return;
+        }
+        const beforeCount = agentEntry.capabilities.length;
+        if (type) {
+            agentEntry.capabilities = agentEntry.capabilities.filter((c) => c.type !== type);
+        }
+        else {
+            agentEntry.capabilities = [];
+        }
+        const removed = beforeCount - agentEntry.capabilities.length;
+        // Remove empty agent entries
+        cfg.security.agents = cfg.security.agents.filter((a) => a.capabilities.length > 0);
+        await writeConfigFile(cfg);
+        if (opts.json) {
+            defaultRuntime.log(JSON.stringify({ success: true, removed }));
+            return;
+        }
+        if (removed === 0) {
+            defaultRuntime.log(rich ? theme.muted("No matching capabilities found") : "No matching capabilities found");
+        }
+        else {
+            defaultRuntime.log(rich
+                ? theme.success(`Revoked ${removed} capability(s) from agent "${agentId}"`)
+                : `Revoked ${removed} capability(s) from agent "${agentId}"`);
+        }
+    });
+    capabilities
+        .command("list")
+        .description("List agent capabilities")
+        .option("-a, --agent <pattern>", "Filter by agent ID pattern")
+        .option("--json", "Print JSON output")
+        .action(async (opts) => {
+        const rich = isRich();
+        const cfg = loadConfig();
+        const agents = cfg.security?.agents || [];
+        const filtered = opts.agent
+            ? agents.filter((a) => a.agentId === opts.agent || (opts.agent && a.agentId.includes(opts.agent)))
+            : agents;
+        if (opts.json) {
+            defaultRuntime.log(JSON.stringify({ enabled: cfg.security?.enabled ?? false, agents: filtered }, null, 2));
+            return;
+        }
+        if (filtered.length === 0) {
+            defaultRuntime.log(rich ? theme.muted("No capabilities configured") : "No capabilities configured");
+            defaultRuntime.log(`\nEnable capability system: ${formatCliCommand("poolbot config set security.enabled true")}`);
+            return;
+        }
+        const lines = [];
+        lines.push(rich ? theme.heading("Agent Capabilities") : "Agent Capabilities");
+        lines.push(rich
+            ? theme.muted(`Security enabled: ${cfg.security?.enabled ?? false}`)
+            : `Security enabled: ${cfg.security?.enabled ?? false}`);
+        lines.push("");
+        for (const agent of filtered) {
+            lines.push(rich ? theme.heading(agent.agentId) : agent.agentId);
+            for (const cap of agent.capabilities) {
+                lines.push(`  ${formatCapability(cap)}`);
+            }
+            lines.push("");
+        }
+        defaultRuntime.log(lines.join("\n"));
+    });
+    capabilities
+        .command("enable")
+        .description("Enable the capability security system")
+        .option("--json", "Print JSON output")
+        .action(async (opts) => {
+        const cfg = loadConfig();
+        cfg.security = cfg.security || {};
+        cfg.security.enabled = true;
+        await writeConfigFile(cfg);
+        if (opts.json) {
+            defaultRuntime.log(JSON.stringify({ success: true, enabled: true }));
+        }
+        else {
+            defaultRuntime.log(isRich()
+                ? theme.success("Capability security system enabled")
+                : "Capability security system enabled");
+            defaultRuntime.log(`Run ${formatCliCommand("poolbot security capabilities list")} to view current grants`);
+        }
+    });
+    capabilities
+        .command("disable")
+        .description("Disable the capability security system (permissive mode)")
+        .option("--json", "Print JSON output")
+        .action(async (opts) => {
+        const cfg = loadConfig();
+        cfg.security = cfg.security || {};
+        cfg.security.enabled = false;
+        await writeConfigFile(cfg);
+        if (opts.json) {
+            defaultRuntime.log(JSON.stringify({ success: true, enabled: false }));
+        }
+        else {
+            defaultRuntime.log(isRich()
+                ? theme.warn("Capability security system disabled (permissive mode)")
+                : "Capability security system disabled (permissive mode)");
+        }
+    });
 }

package/dist/cli/tagline.js

@@ -191,6 +191,13 @@ export function activeTaglines(options = {}) {
     return filtered.length > 0 ? filtered : TAGLINES;
 }
 export function pickTagline(options = {}) {
+    const mode = options.mode;
+    if (mode === "off") {
+        return "";
+    }
+    if (mode === "default") {
+        return DEFAULT_TAGLINE;
+    }
     const env = options.env ?? process.env;
     const override = env?.POOLBOT_TAGLINE_INDEX ?? env?.CLAWDBOT_TAGLINE_INDEX;
     if (override !== undefined) {

package/dist/config/types.cli.js

@@ -0,0 +1 @@
+export {};

package/dist/config/types.security.js

@@ -0,0 +1,33 @@
+/** Default permissive capabilities (when security is disabled). */
+export const PERMISSIVE_CAPABILITIES = [
+    { type: "file:read", pattern: "*" },
+    { type: "file:write", pattern: "*" },
+    { type: "net:connect", pattern: "*" },
+    { type: "tool:all" },
+    { type: "llm:query", pattern: "*" },
+    { type: "llm:maxTokens", limit: Number.MAX_SAFE_INTEGER },
+    { type: "agent:spawn" },
+    { type: "agent:message", pattern: "*" },
+    { type: "agent:kill", pattern: "*" },
+    { type: "memory:read", scope: "*" },
+    { type: "memory:write", scope: "*" },
+    { type: "shell:exec", pattern: "*" },
+    { type: "env:read", pattern: "*" },
+    { type: "gateway:admin" },
+    { type: "gateway:channels:read" },
+    { type: "gateway:channels:write", pattern: "*" },
+    { type: "econ:spend", limit: Number.MAX_SAFE_INTEGER },
+    { type: "econ:earn" },
+    { type: "econ:transfer", pattern: "*" },
+];
+/** Restricted capabilities for untrusted agents. */
+export const RESTRICTED_CAPABILITIES = [
+    { type: "file:read", pattern: "/data/*" },
+    { type: "net:connect", pattern: "*.openai.com:443" },
+    { type: "tool:invoke", toolId: "web_search" },
+    { type: "tool:invoke", toolId: "file_read" },
+    { type: "llm:query", pattern: "gpt-4*" },
+    { type: "llm:maxTokens", limit: 10000 },
+    { type: "memory:read", scope: "session/*" },
+    { type: "memory:write", scope: "session/*" },
+];

package/dist/config/zod-schema.js

@@ -6,6 +6,7 @@ import { HexColorSchema, ModelsConfigSchema } from "./zod-schema.core.js";
 import { HookMappingSchema, HooksGmailSchema, InternalHooksSchema } from "./zod-schema.hooks.js";
 import { InstallRecordShape } from "./zod-schema.installs.js";
 import { ChannelsSchema } from "./zod-schema.providers.js";
+import { SecuritySchema } from "./zod-schema.security.js";
 import { sensitive } from "./zod-schema.sensitive.js";
 import { CommandsSchema, MessagesSchema, SessionSchema, SessionSendPolicySchema, } from "./zod-schema.session.js";
 const BrowserSnapshotDefaultsSchema = z
@@ -641,6 +642,20 @@ export const PoolBotSchema = z
     })
         .strict()
         .optional(),
+    cli: z
+        .object({
+        banner: z
+            .object({
+            taglineMode: z
+                .union([z.literal("random"), z.literal("default"), z.literal("off")])
+                .optional(),
+        })
+            .strict()
+            .optional(),
+    })
+        .strict()
+        .optional(),
+    security: SecuritySchema,
 })
     .strict()
     .superRefine((cfg, ctx) => {

package/dist/config/zod-schema.providers-core.js

@@ -583,6 +583,7 @@ export const SlackAccountSchema = z
     heartbeat: ChannelHeartbeatVisibilitySchema,
     responsePrefix: z.string().optional(),
     ackReaction: z.string().optional(),
+    typingReaction: z.string().optional(),
 })
     .strict()
     .superRefine((value, ctx) => {

package/dist/config/zod-schema.security.js

@@ -0,0 +1,113 @@
+/**
+ * Zod schema for security configuration.
+ */
+import { z } from "zod";
+/** Capability type schema - matches the TypeScript Capability type. */
+const CapabilitySchema = z.union([
+    // File capabilities
+    z.object({
+        type: z.literal("file:read"),
+        pattern: z.string(),
+    }),
+    z.object({
+        type: z.literal("file:write"),
+        pattern: z.string(),
+    }),
+    // Network capabilities
+    z.object({
+        type: z.literal("net:connect"),
+        pattern: z.string(),
+    }),
+    // Tool capabilities
+    z.object({
+        type: z.literal("tool:invoke"),
+        toolId: z.string(),
+    }),
+    z.object({
+        type: z.literal("tool:all"),
+    }),
+    // LLM capabilities
+    z.object({
+        type: z.literal("llm:query"),
+        pattern: z.string(),
+    }),
+    z.object({
+        type: z.literal("llm:maxTokens"),
+        limit: z.number().int().positive(),
+    }),
+    // Agent capabilities
+    z.object({
+        type: z.literal("agent:spawn"),
+    }),
+    z.object({
+        type: z.literal("agent:message"),
+        pattern: z.string(),
+    }),
+    z.object({
+        type: z.literal("agent:kill"),
+        pattern: z.string(),
+    }),
+    // Memory capabilities
+    z.object({
+        type: z.literal("memory:read"),
+        scope: z.string(),
+    }),
+    z.object({
+        type: z.literal("memory:write"),
+        scope: z.string(),
+    }),
+    // Shell capabilities
+    z.object({
+        type: z.literal("shell:exec"),
+        pattern: z.string(),
+    }),
+    // Environment capabilities
+    z.object({
+        type: z.literal("env:read"),
+        pattern: z.string(),
+    }),
+    // Gateway capabilities
+    z.object({
+        type: z.literal("gateway:admin"),
+    }),
+    z.object({
+        type: z.literal("gateway:channels:read"),
+    }),
+    z.object({
+        type: z.literal("gateway:channels:write"),
+        pattern: z.string(),
+    }),
+    // Economic capabilities
+    z.object({
+        type: z.literal("econ:spend"),
+        limit: z.number().int().nonnegative(),
+    }),
+    z.object({
+        type: z.literal("econ:earn"),
+    }),
+    z.object({
+        type: z.literal("econ:transfer"),
+        pattern: z.string(),
+    }),
+]);
+/** Agent capability configuration schema. */
+const AgentCapabilityConfigSchema = z
+    .object({
+    agentId: z.string(),
+    capabilities: z.array(CapabilitySchema),
+})
+    .strict();
+/** Security configuration schema. */
+export const SecuritySchema = z
+    .object({
+    /** Enable capability enforcement. Default: false (permissive mode). */
+    enabled: z.boolean().optional(),
+    /** Default capabilities for agents without explicit config. */
+    defaultCapabilities: z.array(CapabilitySchema).optional(),
+    /** Per-agent capability configurations. */
+    agents: z.array(AgentCapabilityConfigSchema).optional(),
+    /** Capabilities for the system/root agent. */
+    systemCapabilities: z.array(CapabilitySchema).optional(),
+})
+    .strict()
+    .optional();

package/dist/cron/normalize.js

@@ -351,6 +351,9 @@ export function normalizeCronJobInput(raw, options = DEFAULT_OPTIONS) {
     if (isRecord(base.delivery)) {
         next.delivery = coerceDelivery(base.delivery);
     }
+    if (isRecord(base.onFailure)) {
+        next.onFailure = coerceDelivery(base.onFailure);
+    }
     if ("isolation" in next) {
         delete next.isolation;
     }

package/dist/cron/service/jobs.js

@@ -68,6 +68,22 @@ function assertDeliverySupport(job) {
         throw new Error('cron channel delivery config is only supported for sessionTarget="isolated"');
     }
 }
+function assertFailureAlertSupport(job) {
+    if (!job.onFailure) {
+        return;
+    }
+    if (job.onFailure.mode === "webhook") {
+        const target = normalizeHttpWebhookUrl(job.onFailure.to);
+        if (!target) {
+            throw new Error("cron onFailure webhook requires onFailure.to to be a valid http(s) URL");
+        }
+        job.onFailure.to = target;
+        return;
+    }
+    if (job.sessionTarget !== "isolated") {
+        throw new Error('cron onFailure announce config is only supported for sessionTarget="isolated"');
+    }
+}
 export function findJobOrThrow(state, id) {
     const job = state.store?.jobs.find((j) => j.id === id);
     if (!job) {
@@ -285,12 +301,14 @@ export function createJob(state, input) {
         wakeMode: input.wakeMode,
         payload: input.payload,
         delivery: input.delivery,
+        onFailure: input.onFailure,
         state: {
             ...input.state,
         },
     };
     assertSupportedJobSpec(job);
     assertDeliverySupport(job);
+    assertFailureAlertSupport(job);
     job.state.nextRunAtMs = computeJobNextRunAtMs(job, now);
     return job;
 }
@@ -352,6 +370,12 @@ export function applyJobPatch(job, patch) {
     if (job.sessionTarget === "main" && job.delivery?.mode !== "webhook") {
         job.delivery = undefined;
     }
+    if (patch.onFailure) {
+        job.onFailure = mergeCronFailureAlert(job.onFailure, patch.onFailure);
+    }
+    if (job.sessionTarget === "main" && job.onFailure?.mode !== "webhook") {
+        job.onFailure = undefined;
+    }
     if (patch.state) {
         job.state = { ...job.state, ...patch.state };
     }
@@ -363,6 +387,7 @@ export function applyJobPatch(job, patch) {
     }
     assertSupportedJobSpec(job);
     assertDeliverySupport(job);
+    assertFailureAlertSupport(job);
 }
 function mergeCronPayload(existing, patch) {
     if (patch.kind !== existing.kind) {
@@ -488,6 +513,29 @@ function mergeCronDelivery(existing, patch) {
     }
     return next;
 }
+function mergeCronFailureAlert(existing, patch) {
+    const next = {
+        mode: existing?.mode ?? "none",
+        channel: existing?.channel,
+        to: existing?.to,
+        bestEffort: existing?.bestEffort,
+    };
+    if (typeof patch.mode === "string") {
+        next.mode = patch.mode === "deliver" ? "announce" : patch.mode;
+    }
+    if ("channel" in patch) {
+        const channel = typeof patch.channel === "string" ? patch.channel.trim() : "";
+        next.channel = channel ? channel : undefined;
+    }
+    if ("to" in patch) {
+        const to = typeof patch.to === "string" ? patch.to.trim() : "";
+        next.to = to ? to : undefined;
+    }
+    if (typeof patch.bestEffort === "boolean") {
+        next.bestEffort = patch.bestEffort;
+    }
+    return next;
+}
 export function isJobDue(job, nowMs, opts) {
     if (!job.state) {
         job.state = {};

package/dist/discord/monitor/message-handler.preflight.js

@@ -66,7 +66,8 @@ export async function preflightDiscordMessage(params) {
         logVerbose(`discord: drop message ${message.id} (missing channel id)`);
         return null;
     }
-    const allowBots = params.discordConfig?.allowBots ?? false;
+    const allowBotsSetting = params.discordConfig?.allowBots;
+    const allowBotsMode = allowBotsSetting === "mentions" ? "mentions" : allowBotsSetting === true ? "all" : "off";
     if (params.botUserId && author.id === params.botUserId) {
         // Always ignore own messages to prevent self-reply loops
         return null;
@@ -92,7 +93,7 @@ export async function preflightDiscordMessage(params) {
         pluralkitInfo,
     });
     if (author.bot) {
-        if (!allowBots && !sender.isPluralKit) {
+        if (allowBotsMode === "off" && !sender.isPluralKit) {
             logVerbose("discord: drop bot message (allowBots=false)");
             return null;
         }
@@ -523,6 +524,14 @@ export async function preflightDiscordMessage(params) {
         });
         return null;
     }
+    if (author.bot && !sender.isPluralKit && allowBotsMode === "mentions") {
+        const botMentioned = isDirectMessage || wasMentioned || implicitMention;
+        if (!botMentioned) {
+            logDebug(`[discord-preflight] drop: bot message missing mention (allowBots=mentions)`);
+            logVerbose("discord: drop bot message (allowBots=mentions, missing mention)");
+            return null;
+        }
+    }
     if (!messageText) {
         logDebug(`[discord-preflight] drop: empty content`);
         logVerbose(`discord: drop message ${message.id} (empty content)`);

package/dist/gateway/http-common.js

@@ -5,9 +5,14 @@ import { readJsonBody } from "./hooks.js";
  * Content-Security-Policy are intentionally omitted here because some handlers
  * (canvas host, A2UI) serve content that may be loaded inside frames.
  */
-export function setDefaultSecurityHeaders(res) {
+export function setDefaultSecurityHeaders(res, opts) {
     res.setHeader("X-Content-Type-Options", "nosniff");
     res.setHeader("Referrer-Policy", "no-referrer");
+    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+    const strictTransportSecurity = opts?.strictTransportSecurity;
+    if (typeof strictTransportSecurity === "string" && strictTransportSecurity.length > 0) {
+        res.setHeader("Strict-Transport-Security", strictTransportSecurity);
+    }
 }
 export function sendJson(res, status, body) {
     res.statusCode = status;

package/dist/gateway/protocol/schema/cron.js

@@ -99,6 +99,7 @@ export const CronJobSchema = Type.Object({
     wakeMode: Type.Union([Type.Literal("next-heartbeat"), Type.Literal("now")]),
     payload: CronPayloadSchema,
     delivery: Type.Optional(CronDeliverySchema),
+    onFailure: Type.Optional(CronDeliverySchema),
     state: CronJobStateSchema,
 }, { additionalProperties: false });
 export const CronListParamsSchema = Type.Object({
@@ -117,6 +118,7 @@ export const CronAddParamsSchema = Type.Object({
     wakeMode: Type.Union([Type.Literal("next-heartbeat"), Type.Literal("now")]),
     payload: CronPayloadSchema,
     delivery: Type.Optional(CronDeliverySchema),
+    onFailure: Type.Optional(CronDeliverySchema),
 }, { additionalProperties: false });
 export const CronJobPatchSchema = Type.Object({
     name: Type.Optional(NonEmptyString),
@@ -130,6 +132,7 @@ export const CronJobPatchSchema = Type.Object({
     wakeMode: Type.Optional(Type.Union([Type.Literal("next-heartbeat"), Type.Literal("now")])),
     payload: Type.Optional(CronPayloadPatchSchema),
     delivery: Type.Optional(CronDeliveryPatchSchema),
+    onFailure: Type.Optional(CronDeliveryPatchSchema),
     state: Type.Optional(Type.Partial(CronJobStateSchema)),
 }, { additionalProperties: false });
 export const CronUpdateParamsSchema = Type.Union([