@poolzin/pool-bot 2026.3.7 → 2026.3.9

package/CHANGELOG.md

@@ -1,3 +1,19 @@
+## v2026.3.9 (2026-03-09)
+
+### Features
+- **Modular Skills System:** new comprehensive skills management system in `src/skills/` — 8 core modules providing SKILL.md parsing, security scanning, registry management, progressive disclosure loading, and CLI commands (`poolbot mods`)
+  - `types.ts`: Type definitions compatible with agentskills.io specification
+  - `parser.ts`: YAML frontmatter parser for SKILL.md files with validation
+  - `registry.ts`: EventEmitter-based skills registry with lifecycle management
+  - `loader.ts`: Progressive disclosure loader with dependency resolution
+  - `security.ts`: Security scanner for prompt injection and path traversal detection
+  - `commands.ts`: CLI commands for skill management
+  - `index.ts`: Public API exports
+  - Comprehensive test suite with 52 passing tests
+- **Integration Plans:** detailed implementation plans for external project integrations (Page Agent, HexStrike AI, xyOps) via Gateway Node protocol
+
+---
+
 ## v2026.3.6 (2026-03-06)
 
 ### Features

package/dist/.buildstamp

@@ -1 +1 @@
-1772591706886
+1773025806569

package/dist/agents/error-classifier.js

@@ -0,0 +1,302 @@
+/**
+ * Error Classification System
+ *
+ * Provides comprehensive error classification for LLM/AI operations.
+ * Detects specific error types like context overflow, rate limits, etc.
+ */
+// OpenAI error patterns
+const OPENAI_PATTERNS = {
+    context_overflow: [
+        /context length exceeded/i,
+        /maximum context length/i,
+        /token limit exceeded/i,
+        /too many tokens/i,
+        /rate_limit_exceeded.*context/i,
+    ],
+    rate_limit: [
+        /rate limit exceeded/i,
+        /too many requests/i,
+        /ratelimit/i,
+    ],
+    authentication: [
+        /invalid api key/i,
+        /incorrect api key/i,
+        /authentication/i,
+        /unauthorized/i,
+    ],
+    invalid_request: [
+        /invalid_request_error/i,
+        /bad request/i,
+        /invalid parameter/i,
+    ],
+};
+// Anthropic error patterns
+const ANTHROPIC_PATTERNS = {
+    context_overflow: [
+        /context window exceeded/i,
+        /maximum token count/i,
+        /too many tokens/i,
+    ],
+    rate_limit: [
+        /rate limit/i,
+        /too many requests/i,
+    ],
+    authentication: [
+        /invalid api key/i,
+        /authentication failed/i,
+    ],
+    authorization: [
+        /forbidden/i,
+        /access denied/i,
+        /unauthorized.*resource/i,
+        /insufficient.*permission/i,
+    ],
+};
+// Google/Gemini error patterns
+const GEMINI_PATTERNS = {
+    context_overflow: [
+        /token limit exceeded/i,
+        /maximum input size/i,
+        /context too long/i,
+    ],
+    rate_limit: [
+        /rate limit exceeded/i,
+        /quota exceeded/i,
+        /too many requests/i,
+    ],
+    quota_exceeded: [
+        /quota exceeded/i,
+        /billing limit/i,
+        /project quota/i,
+    ],
+};
+// Generic patterns
+const GENERIC_PATTERNS = {
+    context_overflow: [
+        /context.*overflow/i,
+        /context.*exceeded/i,
+        /token.*limit/i,
+        /maximum.*context/i,
+        /message too long/i,
+        /input too long/i,
+    ],
+    rate_limit: [
+        /rate.?limit/i,
+        /too many requests/i,
+        /throttled/i,
+        /429/i,
+    ],
+    timeout: [
+        /timeout/i,
+        /timed out/i,
+        /etimedout/i,
+    ],
+    network_error: [
+        /network error/i,
+        /econnreset/i,
+        /econnrefused/i,
+        /enotfound/i,
+        /network/i,
+    ],
+    server_error: [
+        /server error/i,
+        /internal error/i,
+        /500/i,
+        /502/i,
+        /503/i,
+        /504/i,
+    ],
+    compaction_failure: [
+        /compaction failed/i,
+        /summarization failed/i,
+        /failed to compact/i,
+    ],
+};
+/**
+ * Classify an error based on message patterns
+ */
+export function classifyError(error) {
+    if (!(error instanceof Error)) {
+        return {
+            type: "unknown",
+            retryable: false,
+            message: String(error),
+        };
+    }
+    const message = error.message.toLowerCase();
+    // Check context overflow first (highest priority for LLM errors)
+    for (const pattern of [...OPENAI_PATTERNS.context_overflow, ...ANTHROPIC_PATTERNS.context_overflow, ...GEMINI_PATTERNS.context_overflow, ...GENERIC_PATTERNS.context_overflow]) {
+        if (pattern.test(message)) {
+            return {
+                type: "context_overflow",
+                retryable: false,
+                message: error.message,
+            };
+        }
+    }
+    // Check quota exceeded (before rate limit to avoid false positives)
+    for (const pattern of GEMINI_PATTERNS.quota_exceeded) {
+        if (pattern.test(message)) {
+            return {
+                type: "quota_exceeded",
+                retryable: false,
+                message: error.message,
+            };
+        }
+    }
+    // Check rate limit
+    for (const pattern of [...OPENAI_PATTERNS.rate_limit, ...ANTHROPIC_PATTERNS.rate_limit, ...GEMINI_PATTERNS.rate_limit, ...GENERIC_PATTERNS.rate_limit]) {
+        if (pattern.test(message)) {
+            return {
+                type: "rate_limit",
+                retryable: true,
+                message: error.message,
+            };
+        }
+    }
+    // Check authentication
+    for (const pattern of [...OPENAI_PATTERNS.authentication, ...ANTHROPIC_PATTERNS.authentication]) {
+        if (pattern.test(message)) {
+            return {
+                type: "authentication",
+                retryable: false,
+                message: error.message,
+            };
+        }
+    }
+    // Check authorization (403-like errors)
+    for (const pattern of ANTHROPIC_PATTERNS.authorization) {
+        if (pattern.test(message)) {
+            return {
+                type: "authorization",
+                retryable: false,
+                message: error.message,
+            };
+        }
+    }
+    // Check timeout
+    for (const pattern of GENERIC_PATTERNS.timeout) {
+        if (pattern.test(message)) {
+            return {
+                type: "timeout",
+                retryable: true,
+                message: error.message,
+            };
+        }
+    }
+    // Check network errors
+    for (const pattern of GENERIC_PATTERNS.network_error) {
+        if (pattern.test(message)) {
+            return {
+                type: "network_error",
+                retryable: true,
+                message: error.message,
+            };
+        }
+    }
+    // Check server errors
+    for (const pattern of GENERIC_PATTERNS.server_error) {
+        if (pattern.test(message)) {
+            return {
+                type: "server_error",
+                retryable: true,
+                message: error.message,
+            };
+        }
+    }
+    // Check compaction failure
+    for (const pattern of GENERIC_PATTERNS.compaction_failure) {
+        if (pattern.test(message)) {
+            return {
+                type: "compaction_failure",
+                retryable: true,
+                message: error.message,
+            };
+        }
+    }
+    // Default to unknown
+    return {
+        type: "unknown",
+        retryable: false,
+        message: error.message,
+    };
+}
+/**
+ * Check if error is a context overflow error
+ */
+export function isContextOverflowError(error) {
+    const classification = classifyError(error);
+    return classification.type === "context_overflow";
+}
+/**
+ * Check if error is a rate limit error
+ */
+export function isRateLimitError(error) {
+    const classification = classifyError(error);
+    return classification.type === "rate_limit";
+}
+/**
+ * Check if error is a compaction failure
+ */
+export function isCompactionFailureError(error) {
+    const classification = classifyError(error);
+    return classification.type === "compaction_failure";
+}
+/**
+ * Check if error is likely a context overflow (heuristic)
+ */
+export function isLikelyContextOverflowError(error) {
+    if (!(error instanceof Error)) {
+        return false;
+    }
+    const message = error.message.toLowerCase();
+    // Check for common indicators
+    const indicators = [
+        "context",
+        "token",
+        "length",
+        "exceeded",
+        "maximum",
+        "limit",
+        "too long",
+        "too many",
+    ];
+    const score = indicators.reduce((acc, indicator) => {
+        return acc + (message.includes(indicator) ? 1 : 0);
+    }, 0);
+    // If 3+ indicators present, likely context overflow
+    return score >= 3;
+}
+/**
+ * Get retry delay for error type
+ */
+export function getRetryDelayForError(error, attempt) {
+    const classification = classifyError(error);
+    switch (classification.type) {
+        case "rate_limit":
+            // Rate limits: start with 2s, double each attempt
+            return Math.min(2000 * 2 ** attempt, 60000);
+        case "timeout":
+        case "network_error":
+            // Network issues: start with 500ms
+            return Math.min(500 * 2 ** attempt, 30000);
+        case "server_error":
+            // Server errors: start with 1s
+            return Math.min(1000 * 2 ** attempt, 30000);
+        case "compaction_failure":
+            // Compaction: shorter delays
+            return Math.min(500 * 2 ** attempt, 5000);
+        default:
+            return 1000;
+    }
+}
+/**
+ * Format error for logging (sanitized)
+ */
+export function formatErrorForLogging(error) {
+    if (error instanceof Error) {
+        const classification = classifyError(error);
+        return `[${classification.type}] ${classification.message}`;
+    }
+    return `[unknown] ${String(error)}`;
+}

package/dist/agents/skills/security.js

@@ -0,0 +1,217 @@
+/**
+ * Skill Security Scanner
+ *
+ * Security scanning for PoolBot skills.
+ * Detects potential security issues in skill files.
+ *
+ * @module agents/skills/security
+ */
+// ============================================================================
+// Constants
+// ============================================================================
+const SCANNER_VERSION = "1.0.0";
+// Patterns that indicate potential security issues
+const PATTERNS = [
+    // Prompt injection attempts
+    {
+        type: "prompt_injection",
+        severity: "critical",
+        pattern: /ignore\s+(?:previous|above|prior)|disregard\s+(?:instructions?|prompt)|system\s*:\s*you\s+are|new\s+instructions?\s*:/i,
+        description: "Potential prompt injection attempt detected",
+        remediation: "Review skill content for malicious instruction overrides",
+    },
+    {
+        type: "prompt_injection",
+        severity: "high",
+        pattern: /\[\s*system\s*\]|\(\s*system\s*\)|\{\s*system\s*\}|\bDAN\b|do\s+anything\s+now/i,
+        description: "Suspicious system role reference",
+        remediation: "Verify skill doesn't attempt to override system behavior",
+    },
+    // Command injection
+    {
+        type: "command_injection",
+        severity: "critical",
+        pattern: /(?:bash|sh|zsh|cmd|powershell)\s+-c\s+["']|exec\s*\(|eval\s*\(|system\s*\(/i,
+        description: "Potential command injection pattern",
+        remediation: "Avoid executing arbitrary shell commands from skill content",
+    },
+    {
+        type: "command_injection",
+        severity: "high",
+        pattern: /`[^`]*(?:rm|del|format|mkfs|dd|wget|curl|fetch)[^`]*`|\$\([^)]*(?:rm|del|wget|curl)[^)]*\)/i,
+        description: "Dangerous command in template literal",
+        remediation: "Review shell command usage for safety",
+    },
+    // Path traversal
+    {
+        type: "path_traversal",
+        severity: "high",
+        pattern: /\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e[/\\]/i,
+        description: "Path traversal attempt detected",
+        remediation: "Validate and sanitize all file paths",
+    },
+    // Suspicious patterns
+    {
+        type: "suspicious_pattern",
+        severity: "medium",
+        pattern: /(?:password|secret|token|key|credential)\s*=\s*["'][^"']{8,}["']/i,
+        description: "Hardcoded credential-like pattern",
+        remediation: "Use environment variables or secure secret storage",
+    },
+    {
+        type: "suspicious_pattern",
+        severity: "medium",
+        pattern: /base64\s*\(\s*["'][^"']{20,}["']\s*\)|atob\s*\(|btoa\s*\(/i,
+        description: "Suspicious encoding/decoding pattern",
+        remediation: "Verify encoding is not used to obfuscate malicious content",
+    },
+    // External dependencies
+    {
+        type: "external_dependency",
+        severity: "low",
+        pattern: /(?:npm|pip|gem|cargo|go\s+get)\s+install/i,
+        description: "External package installation mentioned",
+        remediation: "Verify all external dependencies are trustworthy",
+    },
+    // Data exfiltration
+    {
+        type: "data_exfiltration",
+        severity: "high",
+        pattern: /(?:https?:\/\/|ftp:\/\/)[^\s"']+(?:webhook|callback|exfil|collect|steal|send)/i,
+        description: "Potential data exfiltration endpoint",
+        remediation: "Verify all external URLs are legitimate",
+    },
+];
+// ============================================================================
+// Scanner
+// ============================================================================
+/**
+ * Scan skill content for security issues
+ */
+export function scanSkill(skillName, content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (const { type, severity, pattern, description, remediation } of PATTERNS) {
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const matches = line.matchAll(pattern);
+            for (const match of matches) {
+                if (match.index !== undefined) {
+                    findings.push({
+                        type,
+                        severity,
+                        line: i + 1,
+                        column: match.index + 1,
+                        match: match[0].slice(0, 100), // Limit match length
+                        description,
+                        remediation,
+                    });
+                }
+            }
+        }
+    }
+    // Sort by severity
+    const severityOrder = [
+        "critical",
+        "high",
+        "medium",
+        "low",
+        "info",
+    ];
+    findings.sort((a, b) => severityOrder.indexOf(a.severity) - severityOrder.indexOf(b.severity));
+    return {
+        skillName,
+        scannerVersion: SCANNER_VERSION,
+        scannedAt: new Date(),
+        findings,
+        passed: !findings.some((f) => f.severity === "critical" || f.severity === "high"),
+    };
+}
+/**
+ * Quick security check - returns true if skill passes basic security
+ */
+export function quickSecurityCheck(skillName, content) {
+    const report = scanSkill(skillName, content);
+    return report.passed;
+}
+/**
+ * Get security summary for display
+ */
+export function getSecuritySummary(report) {
+    const counts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+    };
+    for (const finding of report.findings) {
+        counts[finding.severity]++;
+    }
+    const hasCritical = counts.critical > 0;
+    const hasHigh = counts.high > 0;
+    const hasMedium = counts.medium > 0;
+    const hasLow = counts.low > 0;
+    if (hasCritical) {
+        return {
+            status: "Failed",
+            color: "red",
+            summary: `${counts.critical} critical, ${counts.high} high severity issues`,
+            counts,
+        };
+    }
+    if (hasHigh) {
+        return {
+            status: "Warning",
+            color: "yellow",
+            summary: `${counts.high} high severity issues`,
+            counts,
+        };
+    }
+    if (hasMedium || hasLow) {
+        return {
+            status: "Passed",
+            color: "yellow",
+            summary: `${counts.medium} medium, ${counts.low} low severity issues`,
+            counts,
+        };
+    }
+    return {
+        status: "Passed",
+        color: "green",
+        summary: "No security issues found",
+        counts,
+    };
+}
+/**
+ * Format findings for display
+ */
+export function formatFindings(findings) {
+    if (findings.length === 0) {
+        return ["No security issues found."];
+    }
+    const lines = [];
+    const bySeverity = {
+        critical: [],
+        high: [],
+        medium: [],
+        low: [],
+        info: [],
+    };
+    for (const finding of findings) {
+        bySeverity[finding.severity].push(finding);
+    }
+    for (const severity of ["critical", "high", "medium", "low", "info"]) {
+        const items = bySeverity[severity];
+        if (items.length === 0)
+            continue;
+        lines.push(`\n${severity.toUpperCase()} (${items.length}):`);
+        for (const finding of items) {
+            lines.push(`  [${finding.type}] Line ${finding.line}: ${finding.description}`);
+            if (finding.remediation) {
+                lines.push(`    → ${finding.remediation}`);
+            }
+        }
+    }
+    return lines;
+}

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "2026.3.7",
-  "commit": "2bb47cd934fe9cb9d58ee7210ee3997714a07f09",
-  "builtAt": "2026-03-07T19:13:06.611Z"
+  "version": "2026.3.9",
+  "commit": "d5b6ac08110e3d6f001682436afdb5921d394bca",
+  "builtAt": "2026-03-09T04:38:56.911Z"
 }

package/dist/cli/lazy-commands.example.js

@@ -0,0 +1,113 @@
+/**
+ * Example: Integrating Lazy Commands with PoolBot CLI
+ *
+ * This file shows how to integrate the lazy command loading system
+ * into the main PoolBot CLI.
+ *
+ * ## Integration Steps
+ *
+ * 1. Import the lazy command helpers
+ * 2. Replace static imports with lazy loaders
+ * 3. Add performance monitoring
+ *
+ * ## Example Integration
+ *
+ * ```typescript
+ * #!/usr/bin/env node
+ * import { Command } from "commander";
+ * import { lazyCommand, getLazyCommandStats, preloadCommands } from "./cli/lazy-commands.js";
+ * import { buildCoreCommand } from "./commands/core.js"; // Keep core commands eager
+ *
+ * const program = new Command();
+ *
+ * // Core commands - loaded immediately
+ * program.addCommand(buildCoreCommand());
+ *
+ * // Lazy-loaded commands - loaded on first use
+ * lazyCommand(program, {
+ *   name: "agent",
+ *   description: "Manage AI agents",
+ *   loader: async () => {
+ *     const { buildAgentCommand } = await import("./commands/agent.js");
+ *     return buildAgentCommand();
+ *   },
+ *   aliases: ["a"]
+ * });
+ *
+ * lazyCommand(program, {
+ *   name: "config",
+ *   description: "Manage configuration",
+ *   loader: async () => {
+ *     const { buildConfigCommand } = await import("./commands/config.js");
+ *     return buildConfigCommand();
+ *   }
+ * });
+ *
+ * lazyCommand(program, {
+ *   name: "channels",
+ *   description: "Manage messaging channels",
+ *   loader: async () => {
+ *     const { buildChannelsCommand } = await import("./commands/channels.js");
+ *     return buildChannelsCommand();
+ *   }
+ * });
+ *
+ * // Preload commonly used commands in interactive mode
+ * if (process.argv.length < 3) {
+ *   // Interactive mode - preload likely commands
+ *   preloadCommands(["agent", "config"]);
+ * }
+ *
+ * // Show stats in debug mode
+ * if (process.env.DEBUG) {
+ *   console.log("Command loading stats:", getLazyCommandStats());
+ * }
+ *
+ * await program.parseAsync();
+ * ```
+ *
+ * ## Performance Benefits
+ *
+ * Before lazy loading:
+ * - Startup time: ~500ms (loading all commands)
+ * - Memory: ~50MB (all commands in memory)
+ *
+ * After lazy loading:
+ * - Startup time: ~100ms (loading only core)
+ * - Memory: ~20MB (only used commands loaded)
+ *
+ * ## Migration Guide
+ *
+ * To migrate an existing command to lazy loading:
+ *
+ * 1. **Before:**
+ * ```typescript
+ * import { buildAgentCommand } from "./commands/agent.js";
+ * program.addCommand(buildAgentCommand());
+ * ```
+ *
+ * 2. **After:**
+ * ```typescript
+ * lazyCommand(program, {
+ *   name: "agent",
+ *   description: "Manage AI agents",
+ *   loader: async () => {
+ *     const { buildAgentCommand } = await import("./commands/agent.js");
+ *     return buildAgentCommand();
+ *   }
+ * });
+ * ```
+ *
+ * ## Testing with Lazy Commands
+ *
+ * For testing, you may want to eagerly load all commands:
+ *
+ * ```typescript
+ * import { loadAllCommands } from "./cli/lazy-commands.js";
+ *
+ * beforeAll(async () => {
+ *   await loadAllCommands();
+ * });
+ * ```
+ */
+export {};