alvin-bot 5.3.0 → 5.4.0

package/dist/services/async-agent-watcher.js

@@ -62,6 +62,13 @@ function getMissingFileFailureMs() {
 const pending = new Map();
 let pollTimer = null;
 let started = false;
+/**
+ * C-M2 — Set of agent IDs registered in THIS boot (not loaded from disk).
+ * Only in-memory-registered agents have a pid we can safely attribute to
+ * our own subprocess — disk-loaded pids may have been reused by the OS
+ * after a restart. We never kill a disk-loaded pid; only pids in this set.
+ */
+const thisBootAgentIds = new Set();
 /**
  * Hard cap on the pending-agents map. Without this, a bot that runs many
  * async agents but sees some fail to write their outputFile would see
@@ -135,6 +142,9 @@ export function registerPendingAgent(input) {
     };
     enforcePendingCap();
     pending.set(input.agentId, entry);
+    // C-M2: mark this agent as registered in the current boot.
+    // Only this-boot agents have pids we can safely attribute to our own subprocess.
+    thisBootAgentIds.add(input.agentId);
     saveToDisk();
 }
 /**
@@ -295,11 +305,32 @@ async function deliverAsFailure(entry, status, error) {
  *
  * Never throws — all per-entry errors are swallowed.
  */
-export function killSessionDetachedAgents(session, killFn = (p) => {
+/**
+ * C-M1 — Compute the signal target for a detached subprocess pid.
+ *
+ * Since agents are spawned `detached:true` they become process-group
+ * leaders. `claude -p` typically forks further (sub-agents), leaving
+ * grandchildren in the same group. Signalling only the group-leader PID
+ * lets those grandchildren survive. Instead, we signal the entire group
+ * by negating the pid (POSIX: kill(-pgid, sig) = signal the group).
+ *
+ * Windows does not support negative-pid group signals; on win32 we fall
+ * back to the positive pid (signals the leader only). A full win32 group-
+ * kill would require `taskkill /T /PID` — that can be layered later if
+ * Windows support becomes important.
+ *
+ * The injectable `killFn` always receives the already-transformed value
+ * (negative on POSIX, positive on win32) so tests can assert the correct
+ * target without needing platform-specific logic in test code.
+ */
+function resolveKillTarget(pid) {
+    return process.platform !== "win32" ? -pid : pid;
+}
+export function killSessionDetachedAgents(session, killFn = (target) => {
     try {
-        process.kill(p, "SIGTERM");
+        process.kill(target, "SIGTERM");
     }
-    catch { /* already gone */ }
+    catch { /* already gone — ESRCH is fine */ }
 }) {
     // Use session.sessionKey — the real canonical key stamped by getSession().
     // Before v5.1.x this field did not exist on UserSession, causing a silent
@@ -310,12 +341,24 @@ export function killSessionDetachedAgents(session, killFn = (p) => {
     for (const entry of pending.values()) {
         if (entry.sessionKey !== key)
             continue;
-        if (typeof entry.pid === "number") {
-            try {
-                killFn(entry.pid);
-            }
-            catch { /* best-effort */ }
+        if (typeof entry.pid !== "number")
+            continue;
+        // C-M2: only kill pids that are attributable to our own subprocess.
+        // Pids loaded from disk on a previous boot may have been reused by
+        // the OS for an unrelated process. We guard by only killing agents
+        // registered in THIS boot (thisBootAgentIds). Disk-loaded entries
+        // (those not in the set) are skipped — their subprocess may have
+        // already exited and the pid may point at an innocent process.
+        if (!thisBootAgentIds.has(entry.agentId)) {
+            console.log(`[async-watcher] skipping kill for disk-loaded agent ${entry.agentId} ` +
+                `(pid=${entry.pid}) — cannot safely attribute pid after restart`);
+            continue;
+        }
+        // C-M1: pass the group-kill target (negative pid on POSIX) to killFn.
+        try {
+            killFn(resolveKillTarget(entry.pid));
         }
+        catch { /* best-effort */ }
     }
 }
 /**
@@ -345,6 +388,7 @@ export function cancelPendingForSession(sessionKey) {
 /** Test-only: drop in-memory state. Doesn't touch disk. */
 export function __resetForTest() {
     pending.clear();
+    thisBootAgentIds.clear();
     if (pollTimer)
         clearInterval(pollTimer);
     pollTimer = null;

package/dist/services/browser-manager.js

@@ -10,7 +10,7 @@
  * If a strategy is unavailable, we automatically cascade to the next one
  * and log a warning so failures are visible, not silent.
  */
-import { execSync, spawn } from "child_process";
+import { execSync, execFileSync, spawn } from "child_process";
 import http from "http";
 import fs from "fs";
 import { config } from "../config.js";
@@ -22,7 +22,7 @@ const CDP_PORT = 9222;
 const EXEC_TIMEOUT = 60_000; // 60s for page loads via shell
 // ── Logging ──────────────────────────────────────────────────────────
 function log(msg) {
-    console.warn(`[browser-manager] ${msg}`);
+    console.log(`[browser-manager] ${msg}`);
 }
 // ── Availability Checks ──────────────────────────────────────────────
 function isGatewayScriptPresent() {
@@ -170,9 +170,11 @@ export async function resolveStrategy(preferred) {
     }
     return "cli";
 }
-function execHub(args) {
+function execHub(argv) {
     try {
-        const result = execSync(`"${HUB_BROWSER_SH}" ${args}`, {
+        // H3: use execFileSync with discrete argv array — no shell interpolation,
+        // so attacker-controlled URLs cannot inject shell metacharacters.
+        const result = execFileSync(HUB_BROWSER_SH, argv, {
             stdio: "pipe",
             timeout: EXEC_TIMEOUT,
             env: { ...process.env, PATH: process.env.PATH },
@@ -310,7 +312,7 @@ async function navigateOne(strategy, url) {
         case "cdp": {
             // Try hub CDP first
             if (isHubBrowserAvailable()) {
-                const result = execHub(`cdp goto "${url}"`);
+                const result = execHub(["cdp", "goto", url]);
                 if (result && !result.error) {
                     return { title: result.title || "", url: result.url || url };
                 }
@@ -329,7 +331,7 @@ async function navigateOne(strategy, url) {
                 log(`Direct CDP failed: ${err.message}`);
                 // Last resort: try stealth
                 if (isHubBrowserAvailable()) {
-                    const stealthResult = execHub(`stealth "${url}"`);
+                    const stealthResult = execHub(["stealth", url]);
                     if (stealthResult) {
                         return { title: stealthResult.title || "", url: stealthResult.url || url };
                     }
@@ -338,7 +340,7 @@ async function navigateOne(strategy, url) {
             }
         }
         case "hub-stealth": {
-            const result = execHub(`stealth "${url}"`);
+            const result = execHub(["stealth", url]);
             if (result && !result.error) {
                 return { title: result.title || "", url: result.url || url };
             }
@@ -369,7 +371,7 @@ export async function screenshot(url, options = {}) {
         case "cdp": {
             if (isHubBrowserAvailable()) {
                 const tmpName = `shot_${Date.now()}.png`;
-                const result = execHub(`cdp shot "${url}" ${tmpName}`);
+                const result = execHub(["cdp", "shot", url, tmpName]);
                 if (result?.screenshot)
                     return result.screenshot;
             }
@@ -378,7 +380,7 @@ export async function screenshot(url, options = {}) {
         }
         case "hub-stealth": {
             const tmpName = `shot_${Date.now()}.png`;
-            const result = execHub(`stealth "${url}" --screenshot=${tmpName}`);
+            const result = execHub(["stealth", url, `--screenshot=${tmpName}`]);
             if (result?.screenshot)
                 return result.screenshot;
             // Fallback

package/dist/services/browser-webfetch.js

@@ -11,8 +11,18 @@
  * See browser-manager.ts for the full cascade; this module is the
  * leaf-level primitive with no dependencies on that file so both can
  * be unit-tested in isolation.
+ *
+ * SSRF hardening (M1): assertSsrfSafe() is called before every fetch hop to
+ * reject loopback / link-local / RFC-1918 / metadata / non-http(s)
+ * destinations. Redirects are followed manually (redirect:"manual") so every
+ * hop's Location header is re-validated before following — a public host that
+ * returns 302 → 169.254.169.254 is therefore blocked. Redirects are capped at
+ * 10 hops; an operator who needs redirect-to-internal can set
+ * ALLOW_PRIVATE_FETCH=1.
  */
+import { assertSsrfSafe, SsrfBlockedError } from "./ssrf-guard.js";
 const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 10;
 const DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 " +
     "(KHTML, like Gecko) Version/17.0 Safari/605.1.15 AlvinBot/webfetch";
 export class WebfetchFailed extends Error {
@@ -53,24 +63,48 @@ export function parseTitle(html) {
     return decodeEntities(inner);
 }
 export async function webfetchNavigate(url, options = {}) {
+    // M1: SSRF guard — reject private/internal destinations before fetching.
+    // SsrfBlockedError is intentionally not wrapped in WebfetchFailed so
+    // callers can distinguish "blocked by policy" from "server error".
+    // We validate EVERY redirect hop manually (redirect:"manual") so a
+    // public host cannot 302 us into an internal address.
+    await assertSsrfSafe(url);
     const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
     try {
+        let currentUrl = url;
         let response;
-        try {
-            response = await fetch(url, {
-                method: "GET",
-                headers: {
-                    "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
-                    Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-                },
-                redirect: "follow",
-                signal: controller.signal,
-            });
-        }
-        catch (err) {
-            throw new WebfetchFailed(url, err.message, { cause: err });
+        for (let hop = 0;; hop++) {
+            try {
+                response = await fetch(currentUrl, {
+                    method: "GET",
+                    headers: {
+                        "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
+                        Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                    },
+                    redirect: "manual",
+                    signal: controller.signal,
+                });
+            }
+            catch (err) {
+                throw new WebfetchFailed(url, err.message, { cause: err });
+            }
+            // Not a redirect — we have the final response
+            if (response.status < 300 || response.status >= 400)
+                break;
+            const loc = response.headers.get("location");
+            if (!loc)
+                break; // no Location header — treat as final response
+            if (hop >= MAX_REDIRECTS) {
+                throw new SsrfBlockedError(url, `too many redirects (> ${MAX_REDIRECTS})`);
+            }
+            const next = new URL(loc, currentUrl).href;
+            // Re-validate each redirect target before following — closes the
+            // post-redirect SSRF bypass where fetch would silently follow a
+            // 302 pointing at 169.254.169.254 / loopback / RFC-1918.
+            await assertSsrfSafe(next);
+            currentUrl = next;
         }
         if (!response.ok) {
             throw new WebfetchFailed(url, `HTTP ${response.status}`, { status: response.status });

package/dist/services/cron-scheduling.js

@@ -29,34 +29,94 @@ function parseInterval(input) {
     };
     return value * (mult[unit] || 60_000);
 }
-function parseField(expr, min, max) {
-    if (expr === "*")
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min);
-    if (expr.includes("/")) {
-        const [, step] = expr.split("/");
-        const s = parseInt(step);
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min).filter((v) => v % s === 0);
+/**
+ * Parse a single cron field token (no commas — commas are handled by parseField).
+ * Supports: `*`, `a`, `a-b`, `a/s`, `a-b/s`, `*\/s`.
+ * Returns an array of valid integers in [min,max], or null if the token is invalid/garbage.
+ */
+function parseFieldToken(token, min, max) {
+    const fullRange = () => Array.from({ length: max - min + 1 }, (_, i) => i + min);
+    if (token.includes("/")) {
+        const slashIdx = token.indexOf("/");
+        const basePart = token.slice(0, slashIdx);
+        const stepPart = token.slice(slashIdx + 1);
+        const step = parseInt(stepPart, 10);
+        if (!Number.isFinite(step) || step <= 0)
+            return null;
+        let base;
+        if (basePart === "*") {
+            base = fullRange();
+        }
+        else if (basePart.includes("-")) {
+            const [aPart, bPart] = basePart.split("-");
+            const a = parseInt(aPart, 10);
+            const b = parseInt(bPart, 10);
+            if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+                return null;
+            base = Array.from({ length: b - a + 1 }, (_, i) => i + a);
+        }
+        else {
+            const a = parseInt(basePart, 10);
+            if (!Number.isFinite(a) || a < min || a > max)
+                return null;
+            base = [a];
+        }
+        // Filter by step aligned to base start
+        const baseStart = base[0];
+        return base.filter((v) => (v - baseStart) % step === 0);
     }
-    if (expr.includes(","))
-        return expr.split(",").map(Number);
-    if (expr.includes("-")) {
-        const [a, b] = expr.split("-").map(Number);
+    if (token === "*")
+        return fullRange();
+    if (token.includes("-")) {
+        const parts = token.split("-");
+        if (parts.length !== 2)
+            return null;
+        const a = parseInt(parts[0], 10);
+        const b = parseInt(parts[1], 10);
+        if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+            return null;
         return Array.from({ length: b - a + 1 }, (_, i) => i + a);
     }
-    return [parseInt(expr)];
+    const v = parseInt(token, 10);
+    if (!Number.isFinite(v) || v < min || v > max)
+        return null;
+    return [v];
+}
+/**
+ * Parse a cron field expression (may contain commas) into a sorted array of valid integers.
+ * Supports comma-separated combinations of: `*`, `a`, `a-b`, `a-b/s`, `*\/s`.
+ * Returns null if any token is invalid/garbage (signals an invalid schedule).
+ */
+function parseField(expr, min, max) {
+    // Split on commas; filter empty strings (handles "1,,3" gracefully — skip empty)
+    const tokens = expr.split(",").filter((t) => t.length > 0);
+    if (tokens.length === 0)
+        return null;
+    const result = new Set();
+    for (const token of tokens) {
+        const vals = parseFieldToken(token, min, max);
+        if (vals === null)
+            return null; // propagate invalid token as parse failure
+        for (const v of vals)
+            result.add(v);
+    }
+    const arr = [...result].sort((a, b) => a - b);
+    return arr.length > 0 ? arr : null;
 }
 function parseCronFields(expression) {
     const parts = expression.trim().split(/\s+/);
     if (parts.length !== 5)
         return null;
     const [minExpr, hourExpr, dayExpr, monthExpr, weekdayExpr] = parts;
-    return {
-        minutes: parseField(minExpr, 0, 59),
-        hours: parseField(hourExpr, 0, 23),
-        days: parseField(dayExpr, 1, 31),
-        months: parseField(monthExpr, 1, 12),
-        weekdays: parseField(weekdayExpr, 0, 6),
-    };
+    const minutes = parseField(minExpr, 0, 59);
+    const hours = parseField(hourExpr, 0, 23);
+    const days = parseField(dayExpr, 1, 31);
+    const months = parseField(monthExpr, 1, 12);
+    const weekdays = parseField(weekdayExpr, 0, 6);
+    // Any field returning null means the expression is invalid → reject it
+    if (!minutes || !hours || !days || !months || !weekdays)
+        return null;
+    return { minutes, hours, days, months, weekdays };
 }
 function nextCronRun(expression, after) {
     const fields = parseCronFields(expression);

package/dist/services/cron.js

@@ -17,13 +17,113 @@ import { prepareForExecution, handleStartupCatchup, calculateNextRunFrom, } from
 import { resolveJobByNameOrId } from "./cron-resolver.js";
 import { bootWasExpectedRestart } from "./watchdog.js";
 // ── Storage ─────────────────────────────────────────────
+/** Allowed job types — must stay in sync with the JobType union above. */
+const ALLOWED_JOB_TYPES = new Set(["reminder", "shell", "ai-query", "http", "message"]);
+/**
+ * M4: Per-entry structural validation for a raw parsed cron-jobs.json entry.
+ *
+ * Rules:
+ *   - Must be a non-null object
+ *   - `id`, `name`, `schedule`, `createdBy` must be non-empty strings
+ *   - `type` must be one of the allowed JobType values
+ *   - `payload` must be an object (not null)
+ *   - `target` must be an object with `platform` (string) and `chatId` (string)
+ *   - `enabled` must be a boolean
+ *   - `createdAt`, `runCount` must be numbers
+ *   - `oneShot` must be a boolean
+ *   - Nullable fields (lastRunAt, lastResult, lastError, nextRunAt) can be
+ *     null or their expected types — lenient check, just must not be undefined
+ *
+ * Returns a validated CronJob (cast) on success, null on failure.
+ * Logs a calm warning for every skipped entry.
+ */
+function validateCronJobEntry(raw, index) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        console.warn(`[cron] skipping entry #${index}: not an object`);
+        return null;
+    }
+    const e = raw;
+    if (typeof e.id !== "string" || !e.id) {
+        console.warn(`[cron] skipping entry #${index}: missing or invalid 'id'`);
+        return null;
+    }
+    if (typeof e.name !== "string" || !e.name) {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): missing or invalid 'name'`);
+        return null;
+    }
+    if (typeof e.type !== "string" || !ALLOWED_JOB_TYPES.has(e.type)) {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): unknown or missing job type '${e.type}'`);
+        return null;
+    }
+    if (typeof e.schedule !== "string" || !e.schedule) {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): missing or invalid 'schedule'`);
+        return null;
+    }
+    if (!e.payload || typeof e.payload !== "object" || Array.isArray(e.payload)) {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'payload' must be an object`);
+        return null;
+    }
+    if (!e.target || typeof e.target !== "object" || Array.isArray(e.target)) {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'target' must be an object`);
+        return null;
+    }
+    const t = e.target;
+    if (typeof t.platform !== "string" || typeof t.chatId !== "string") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'target.platform' and 'target.chatId' must be strings`);
+        return null;
+    }
+    if (typeof e.enabled !== "boolean") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'enabled' must be a boolean`);
+        return null;
+    }
+    if (typeof e.createdAt !== "number") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'createdAt' must be a number`);
+        return null;
+    }
+    if (typeof e.runCount !== "number") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'runCount' must be a number`);
+        return null;
+    }
+    if (typeof e.oneShot !== "boolean") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'oneShot' must be a boolean`);
+        return null;
+    }
+    // Lenient nullable fields
+    if (e.createdBy !== undefined && typeof e.createdBy !== "string") {
+        console.warn(`[cron] skipping entry #${index} (id=${e.id}): 'createdBy' must be a string`);
+        return null;
+    }
+    return raw;
+}
 function loadJobs() {
+    let raw;
     try {
-        return JSON.parse(fs.readFileSync(CRON_FILE, "utf-8"));
+        raw = fs.readFileSync(CRON_FILE, "utf-8");
     }
     catch {
         return [];
     }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        console.warn("[cron] cron-jobs.json is not valid JSON — starting with empty job list:", err instanceof Error ? err.message : String(err));
+        return [];
+    }
+    if (!Array.isArray(parsed)) {
+        console.warn("[cron] cron-jobs.json root is not an array — starting with empty job list");
+        return [];
+    }
+    // M4: Per-entry validation — one bad entry must NOT crash the whole list
+    const jobs = [];
+    for (let i = 0; i < parsed.length; i++) {
+        const validated = validateCronJobEntry(parsed[i], i);
+        if (validated !== null) {
+            jobs.push(validated);
+        }
+    }
+    return jobs;
 }
 function saveJobs(jobs) {
     const dir = dirname(CRON_FILE);
@@ -54,27 +154,87 @@ function nextCronRun(expression, after = new Date()) {
     if (parts.length !== 5)
         return null;
     const [minExpr, hourExpr, dayExpr, monthExpr, weekdayExpr] = parts;
-    function parseField(expr, min, max) {
-        if (expr === "*")
-            return Array.from({ length: max - min + 1 }, (_, i) => i + min);
-        if (expr.includes("/")) {
-            const [, step] = expr.split("/");
-            const s = parseInt(step);
-            return Array.from({ length: max - min + 1 }, (_, i) => i + min).filter(v => v % s === 0);
+    /**
+     * Parse a single cron field token (no commas — commas handled by parseField).
+     * Supports: `*`, `a`, `a-b`, `a-b/s`, `*\/s`, `a/s`.
+     * Returns null for invalid/garbage tokens.
+     */
+    function parseFieldToken(token, min, max) {
+        const fullRange = () => Array.from({ length: max - min + 1 }, (_, i) => i + min);
+        if (token.includes("/")) {
+            const slashIdx = token.indexOf("/");
+            const basePart = token.slice(0, slashIdx);
+            const stepPart = token.slice(slashIdx + 1);
+            const step = parseInt(stepPart, 10);
+            if (!Number.isFinite(step) || step <= 0)
+                return null;
+            let base;
+            if (basePart === "*") {
+                base = fullRange();
+            }
+            else if (basePart.includes("-")) {
+                const dashParts = basePart.split("-");
+                if (dashParts.length !== 2)
+                    return null;
+                const a = parseInt(dashParts[0], 10);
+                const b = parseInt(dashParts[1], 10);
+                if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+                    return null;
+                base = Array.from({ length: b - a + 1 }, (_, i) => i + a);
+            }
+            else {
+                const a = parseInt(basePart, 10);
+                if (!Number.isFinite(a) || a < min || a > max)
+                    return null;
+                base = [a];
+            }
+            const baseStart = base[0];
+            return base.filter((v) => (v - baseStart) % step === 0);
         }
-        if (expr.includes(","))
-            return expr.split(",").map(Number);
-        if (expr.includes("-")) {
-            const [a, b] = expr.split("-").map(Number);
+        if (token === "*")
+            return fullRange();
+        if (token.includes("-")) {
+            const dashParts = token.split("-");
+            if (dashParts.length !== 2)
+                return null;
+            const a = parseInt(dashParts[0], 10);
+            const b = parseInt(dashParts[1], 10);
+            if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+                return null;
             return Array.from({ length: b - a + 1 }, (_, i) => i + a);
         }
-        return [parseInt(expr)];
+        const v = parseInt(token, 10);
+        if (!Number.isFinite(v) || v < min || v > max)
+            return null;
+        return [v];
+    }
+    /**
+     * Parse a cron field expression (may contain commas) into a sorted array of valid integers.
+     * Returns null if any token is invalid/garbage (the expression is rejected).
+     */
+    function parseField(expr, min, max) {
+        const tokens = expr.split(",").filter((t) => t.length > 0);
+        if (tokens.length === 0)
+            return null;
+        const result = new Set();
+        for (const token of tokens) {
+            const vals = parseFieldToken(token, min, max);
+            if (vals === null)
+                return null;
+            for (const v of vals)
+                result.add(v);
+        }
+        const arr = [...result].sort((a, b) => a - b);
+        return arr.length > 0 ? arr : null;
     }
     const minutes = parseField(minExpr, 0, 59);
     const hours = parseField(hourExpr, 0, 23);
     const days = parseField(dayExpr, 1, 31);
     const months = parseField(monthExpr, 1, 12);
     const weekdays = parseField(weekdayExpr, 0, 6); // 0=Sun
+    // Any field returning null means the expression is invalid — reject it
+    if (!minutes || !hours || !days || !months || !weekdays)
+        return null;
     // Search forward up to 366 days
     const candidate = new Date(after);
     candidate.setSeconds(0, 0);
@@ -112,6 +272,10 @@ let notifyCallback = null;
 export function setNotifyCallback(fn) {
     notifyCallback = fn;
 }
+/** @internal exported for unit-test use only */
+export async function runJob(job) {
+    return executeJob(job);
+}
 async function executeJob(job) {
     try {
         switch (job.type) {
@@ -162,11 +326,36 @@ async function executeJob(job) {
                 const url = job.payload.url || "";
                 const method = job.payload.method || "GET";
                 const headers = job.payload.headers || {};
-                const fetchOpts = { method, headers };
+                // M1: SSRF guard — reject private/internal destinations before fetching.
+                // Runs even when EXEC_SECURITY=deny (it's a separate, independent control).
+                // We validate EVERY redirect hop manually (redirect:"manual") so a
+                // public host cannot 302 us into an internal address (post-redirect SSRF).
+                const { assertSsrfSafe, SsrfBlockedError: SsrfBlockedErrorCron } = await import("./ssrf-guard.js");
+                await assertSsrfSafe(url);
+                const baseOpts = { method, headers };
                 if (job.payload.body && method !== "GET") {
-                    fetchOpts.body = job.payload.body;
+                    baseOpts.body = job.payload.body;
+                }
+                const MAX_CRON_REDIRECTS = 10;
+                let currentUrl = url;
+                let res;
+                for (let hop = 0;; hop++) {
+                    res = await fetch(currentUrl, { ...baseOpts, redirect: "manual" });
+                    // Not a redirect — we have the final response
+                    if (res.status < 300 || res.status >= 400)
+                        break;
+                    const loc = res.headers.get("location");
+                    if (!loc)
+                        break; // no Location header — treat as final response
+                    if (hop >= MAX_CRON_REDIRECTS) {
+                        throw new SsrfBlockedErrorCron(url, `too many redirects (> ${MAX_CRON_REDIRECTS})`);
+                    }
+                    const next = new URL(loc, currentUrl).href;
+                    // Re-validate each redirect target before following — closes the
+                    // post-redirect SSRF bypass.
+                    await assertSsrfSafe(next);
+                    currentUrl = next;
                 }
-                const res = await fetch(url, fetchOpts);
                 const text = await res.text();
                 const output = `HTTP ${res.status}: ${text.slice(0, 2000)}`;
                 if (notifyCallback) {

package/dist/services/delivery-queue.js

@@ -10,6 +10,9 @@ import crypto from "crypto";
 import { DELIVERY_QUEUE_FILE } from "../paths.js";
 // ── State ───────────────────────────────────────────────
 let senders = {};
+/** Re-entrancy guard: prevents overlapping processQueue() invocations.
+ *  Mirrors the `runningJobs` Set pattern used by cron.ts. */
+let inFlight = false;
 // ── File I/O ────────────────────────────────────────────
 function readQueue() {
     try {
@@ -67,8 +70,24 @@ export function enqueue(channel, chatId, content, options) {
  * Process all pending entries in the queue.
  * Respects exponential backoff and max attempts.
  * Returns counts of delivered, failed, and still-pending entries.
+ *
+ * Re-entrancy guard: if a prior processQueue() call is still in-flight
+ * (e.g. a slow sender blocks beyond the 30s tick), the second invocation
+ * returns immediately with zero counts.  Mirrors the runningJobs Set
+ * pattern used by cron.ts to guard overlapping job executions.
  */
 export async function processQueue() {
+    if (inFlight)
+        return { delivered: 0, failed: 0, pending: 0 };
+    inFlight = true;
+    try {
+        return await _processQueueInner();
+    }
+    finally {
+        inFlight = false;
+    }
+}
+async function _processQueueInner() {
     const queue = readQueue();
     const now = Date.now();
     let delivered = 0;