alvin-bot 5.3.0 → 5.5.0

package/dist/init-data-dir.js

@@ -9,6 +9,12 @@ import { DATA_DIR, MEMORY_DIR, USERS_DIR, RUNTIME_DIR, WHATSAPP_AUTH, BACKUP_DIR
 /**
  * Create the directory structure only (no file seeding).
  * Must run BEFORE migration so directories exist for copying.
+ *
+ * M5: DATA_DIR is created with mode 0700 (owner-only traverse) so that
+ * even before the per-file chmod audit runs, any file written by the bot
+ * is not accessible by other users on multi-user systems. On Windows,
+ * chmod is a no-op — we skip it silently to avoid alarming log output,
+ * mirroring how the file-permissions audit handles win32.
  */
 export function ensureDataDirs() {
     const dirs = [
@@ -27,6 +33,17 @@ export function ensureDataDirs() {
             fs.mkdirSync(dir, { recursive: true });
         }
     }
+    // M5: Ensure the DATA_DIR itself is 0700 (owner-only). New dirs are
+    // created without an explicit mode above (inherits umask), so we chmod
+    // after creation. Windows doesn't support POSIX modes — skip silently.
+    if (process.platform !== "win32") {
+        try {
+            fs.chmodSync(DATA_DIR, 0o700);
+        }
+        catch {
+            // Best-effort — some network filesystems may not support chmod
+        }
+    }
 }
 /**
  * Seed default files for a fresh install (only if they don't exist yet).

package/dist/middleware/auth.js

@@ -1,4 +1,5 @@
 import fs from "fs";
+import crypto from "crypto";
 import { InlineKeyboard } from "grammy";
 import { config } from "../config.js";
 import { APPROVED_USERS_FILE } from "../paths.js";
@@ -43,7 +44,7 @@ export function isApprovedUser(userId) {
 const MAX_PENDING = 3;
 const pendingPairings = new Map(); // code → pairing
 function generateCode() {
-    return String(Math.floor(100000 + Math.random() * 900000));
+    return String(crypto.randomInt(100000, 1000000));
 }
 function cleanExpired() {
     const now = Date.now();
@@ -211,5 +212,22 @@ export async function authMiddleware(ctx, next) {
         return;
     }
     // ── Callback queries (inline keyboards) ─────────
+    // Only allowedUsers may trigger admin action callbacks (approve/deny).
+    // Other callbacks (e.g. pairing-mode approved users) continue through.
+    if (userId && config.allowedUsers.includes(userId)) {
+        await next();
+        return;
+    }
+    // Unknown users: silently drop admin-action callbacks to prevent
+    // approval forgery / self-approval. Non-admin callbacks from pairing-
+    // approved users in "pairing" mode are also gated here intentionally;
+    // the approve flow is an admin-only action.
+    const callbackData = ctx.callbackQuery?.data || "";
+    const isAdminCallback = /^(pair|access|wa):(approve|deny|block):/.test(callbackData);
+    if (isAdminCallback) {
+        // Silently drop — no answer (grammy will time-out the spinner client-side)
+        return;
+    }
+    // Non-admin callbacks from unknown users: pass through (e.g. inline mode)
     await next();
 }

package/dist/providers/tool-executor.js

@@ -9,8 +9,10 @@
  */
 import { execSync } from "child_process";
 import fs from "fs";
-import { resolve } from "path";
+import os from "os";
+import { resolve, join as pathJoin } from "path";
 import { isSelfRestartCommand, scheduleGracefulRestart } from "../services/restart.js";
+import { checkExecAllowed } from "../services/exec-guard.js";
 // ── Tool Definitions (OpenAI function calling format) ───────────────────────
 export const AGENT_TOOLS = [
     {
@@ -227,7 +229,18 @@ function executeShell(command, cwd) {
         scheduleGracefulRestart();
         return { name: "run_shell", result: "Bot restart scheduled. Grammy will commit the Telegram offset before exiting." };
     }
-    // Security: block obviously dangerous commands
+    // Exec-guard: enforce EXEC_SECURITY on this non-SDK provider path.
+    // checkExecAllowed reads config.execSecurity (deny → reject all;
+    // allowlist → reject metachars + non-allowlisted bins; full → pass).
+    const guardResult = checkExecAllowed(command);
+    if (!guardResult.allowed) {
+        return {
+            name: "run_shell",
+            result: `Command not allowed: ${guardResult.reason ?? "exec execution denied"}`,
+            error: true,
+        };
+    }
+    // Security: block obviously dangerous commands (belt-and-suspenders)
     const blocked = ["rm -rf /", "mkfs", "dd if=/dev/zero", "> /dev/sda"];
     if (blocked.some(b => command.includes(b))) {
         return { name: "run_shell", result: "Command blocked for safety.", error: true };
@@ -395,9 +408,21 @@ function executeListDirectory(dirPath, recursive, cwd) {
     }
 }
 function executePython(code, cwd) {
+    // Exec-guard: enforce EXEC_SECURITY before writing or executing anything.
+    // Use "python3" as the representative binary — deny blocks all execution;
+    // allowlist allows python3 (it is in SAFE_BINS) unless globally denied.
+    const guardResult = checkExecAllowed("python3");
+    if (!guardResult.allowed) {
+        return {
+            name: "python_execute",
+            result: `Python execution not allowed: ${guardResult.reason ?? "exec execution denied"}`,
+            error: true,
+        };
+    }
     try {
-        // Write code to temp file to avoid shell escaping issues
-        const tmpFile = `/tmp/alvin-bot-py-${Date.now()}.py`;
+        // Write code to temp file to avoid shell escaping issues.
+        // os.tmpdir() is cross-platform (works on Windows/Linux/macOS).
+        const tmpFile = pathJoin(os.tmpdir(), `alvin-bot-py-${Date.now()}.py`);
         fs.writeFileSync(tmpFile, code);
         try {
             const output = execSync(`python3 "${tmpFile}"`, {

package/dist/services/async-agent-watcher.js

@@ -27,6 +27,25 @@ import { dirname } from "path";
 import { parseOutputFileStatus } from "./async-agent-parser.js";
 import { ASYNC_AGENTS_STATE_FILE } from "../paths.js";
 import { getAllSessions } from "./session.js";
+/**
+ * B3 — Detect a permanent "target chat does not exist" delivery failure
+ * (Telegram 400 "Bad Request: chat not found"), e.g. the stale chat_id:1
+ * test agent. Such an agent must be abandoned, not retried forever.
+ *
+ * Kept as a local predicate (mirrors isChatNotFoundError in
+ * subagent-delivery.ts) so the watcher does NOT take a new hard
+ * dependency on a fresh subagent-delivery export — many test suites mock
+ * that module with only deliverSubAgentResult, and a destructured import
+ * of a non-mocked symbol would throw. Matched narrowly on the
+ * chat-not-found signature only.
+ */
+function isChatNotFoundError(err) {
+    if (!err || typeof err !== "object")
+        return false;
+    const e = err;
+    const haystack = `${e.message ?? ""} ${e.description ?? ""}`;
+    return /chat not found/i.test(haystack);
+}
 /** How often the polling loop runs against each pending agent. */
 const POLL_INTERVAL_MS = 15_000;
 /** Hard ceiling per agent — 12h. After this, give up and deliver
@@ -62,6 +81,13 @@ function getMissingFileFailureMs() {
 const pending = new Map();
 let pollTimer = null;
 let started = false;
+/**
+ * C-M2 — Set of agent IDs registered in THIS boot (not loaded from disk).
+ * Only in-memory-registered agents have a pid we can safely attribute to
+ * our own subprocess — disk-loaded pids may have been reused by the OS
+ * after a restart. We never kill a disk-loaded pid; only pids in this set.
+ */
+const thisBootAgentIds = new Set();
 /**
  * Hard cap on the pending-agents map. Without this, a bot that runs many
  * async agents but sees some fail to write their outputFile would see
@@ -135,6 +161,9 @@ export function registerPendingAgent(input) {
     };
     enforcePendingCap();
     pending.set(input.agentId, entry);
+    // C-M2: mark this agent as registered in the current boot.
+    // Only this-boot agents have pids we can safely attribute to our own subprocess.
+    thisBootAgentIds.add(input.agentId);
     saveToDisk();
 }
 /**
@@ -189,22 +218,38 @@ export async function pollOnce() {
     const now = Date.now();
     const toRemove = [];
     const missingFileFailureMs = getMissingFileFailureMs();
+    // B3 — when a delivery attempt proves the target chat is permanently
+    // invalid ("chat not found", e.g. the stale chat_id:1 test agent),
+    // abandon the agent so the watcher never retries it. Without this, a
+    // pending agent with an invalid target spams stderr on every poll
+    // cycle (inflating errors_24h) and lingers until the 12h giveUpAt.
+    const abandonIfInvalidTarget = (entry, outcome) => {
+        if (!outcome.chatNotFound)
+            return;
+        if (!toRemove.includes(entry.agentId))
+            toRemove.push(entry.agentId);
+        console.warn(`[async-watcher] abandoning agent ${entry.agentId} — delivery target ` +
+            `chat ${String(entry.chatId)} not found (invalid/stale); will not retry`);
+    };
     for (const entry of pending.values()) {
         entry.lastCheckedAt = now;
         // Timeout check first — if the agent is past its giveUpAt, give up
         // regardless of whether the file shows progress.
         if (now >= entry.giveUpAt) {
-            await deliverAsFailure(entry, "timeout", "Agent ran longer than 12h — giving up");
+            const outcome = await deliverAsFailure(entry, "timeout", "Agent ran longer than 12h — giving up");
+            abandonIfInvalidTarget(entry, outcome);
             toRemove.push(entry.agentId);
             continue;
         }
         const status = await parseOutputFileStatus(entry.outputFile);
         if (status.state === "completed") {
-            await deliverAsCompleted(entry, status.output, status.tokensUsed);
+            const outcome = await deliverAsCompleted(entry, status.output, status.tokensUsed);
+            abandonIfInvalidTarget(entry, outcome);
             toRemove.push(entry.agentId);
         }
         else if (status.state === "failed") {
-            await deliverAsFailure(entry, "error", status.error);
+            const outcome = await deliverAsFailure(entry, "error", status.error);
+            abandonIfInvalidTarget(entry, outcome);
             toRemove.push(entry.agentId);
         }
         else if (status.state === "missing" &&
@@ -212,7 +257,8 @@ export async function pollOnce() {
             // v4.14.2 — Zombie guard: the subprocess never created its
             // output file within `missingFileFailureMs` (default 10 min).
             // Declare failed instead of polling until the 12h giveUpAt.
-            await deliverAsFailure(entry, "error", `Dispatched subprocess never wrote its output file (${Math.round((now - entry.startedAt) / 60_000)}m after start). Likely crashed before initializing, or the file was removed externally.`);
+            const outcome = await deliverAsFailure(entry, "error", `Dispatched subprocess never wrote its output file (${Math.round((now - entry.startedAt) / 60_000)}m after start). Likely crashed before initializing, or the file was removed externally.`);
+            abandonIfInvalidTarget(entry, outcome);
             toRemove.push(entry.agentId);
         }
         // running / missing-but-young → keep polling next cycle
@@ -244,13 +290,20 @@ async function deliverAsCompleted(entry, output, tokensUsed) {
         tokensUsed: tokensUsed ?? { input: 0, output: 0 },
         duration: Date.now() - entry.startedAt,
     };
+    let chatNotFound = false;
     try {
-        await deliverSubAgentResult(info, result);
+        const outcome = await deliverSubAgentResult(info, result);
+        chatNotFound = !!outcome?.chatNotFound;
     }
     catch (err) {
         console.error(`[async-watcher] delivery failed for ${entry.agentId}:`, err);
+        // deliverSubAgentResult normally swallows send errors and reports
+        // chatNotFound via its return value; if it ever throws, still detect
+        // the permanent invalid-target case here.
+        chatNotFound = isChatNotFoundError(err);
     }
     decrementPendingCount(entry.sessionKey);
+    return { chatNotFound };
 }
 async function deliverAsFailure(entry, status, error) {
     const { deliverSubAgentResult } = await import("./subagent-delivery.js");
@@ -273,13 +326,17 @@ async function deliverAsFailure(entry, status, error) {
         duration: Date.now() - entry.startedAt,
         error,
     };
+    let chatNotFound = false;
     try {
-        await deliverSubAgentResult(info, result);
+        const outcome = await deliverSubAgentResult(info, result);
+        chatNotFound = !!outcome?.chatNotFound;
     }
     catch (err) {
         console.error(`[async-watcher] failure delivery failed for ${entry.agentId}:`, err);
+        chatNotFound = isChatNotFoundError(err);
     }
     decrementPendingCount(entry.sessionKey);
+    return { chatNotFound };
 }
 // ── Test helpers ──────────────────────────────────────────────────
 /**
@@ -295,11 +352,32 @@ async function deliverAsFailure(entry, status, error) {
  *
  * Never throws — all per-entry errors are swallowed.
  */
-export function killSessionDetachedAgents(session, killFn = (p) => {
+/**
+ * C-M1 — Compute the signal target for a detached subprocess pid.
+ *
+ * Since agents are spawned `detached:true` they become process-group
+ * leaders. `claude -p` typically forks further (sub-agents), leaving
+ * grandchildren in the same group. Signalling only the group-leader PID
+ * lets those grandchildren survive. Instead, we signal the entire group
+ * by negating the pid (POSIX: kill(-pgid, sig) = signal the group).
+ *
+ * Windows does not support negative-pid group signals; on win32 we fall
+ * back to the positive pid (signals the leader only). A full win32 group-
+ * kill would require `taskkill /T /PID` — that can be layered later if
+ * Windows support becomes important.
+ *
+ * The injectable `killFn` always receives the already-transformed value
+ * (negative on POSIX, positive on win32) so tests can assert the correct
+ * target without needing platform-specific logic in test code.
+ */
+function resolveKillTarget(pid) {
+    return process.platform !== "win32" ? -pid : pid;
+}
+export function killSessionDetachedAgents(session, killFn = (target) => {
     try {
-        process.kill(p, "SIGTERM");
+        process.kill(target, "SIGTERM");
     }
-    catch { /* already gone */ }
+    catch { /* already gone — ESRCH is fine */ }
 }) {
     // Use session.sessionKey — the real canonical key stamped by getSession().
     // Before v5.1.x this field did not exist on UserSession, causing a silent
@@ -310,12 +388,24 @@ export function killSessionDetachedAgents(session, killFn = (p) => {
     for (const entry of pending.values()) {
         if (entry.sessionKey !== key)
             continue;
-        if (typeof entry.pid === "number") {
-            try {
-                killFn(entry.pid);
-            }
-            catch { /* best-effort */ }
+        if (typeof entry.pid !== "number")
+            continue;
+        // C-M2: only kill pids that are attributable to our own subprocess.
+        // Pids loaded from disk on a previous boot may have been reused by
+        // the OS for an unrelated process. We guard by only killing agents
+        // registered in THIS boot (thisBootAgentIds). Disk-loaded entries
+        // (those not in the set) are skipped — their subprocess may have
+        // already exited and the pid may point at an innocent process.
+        if (!thisBootAgentIds.has(entry.agentId)) {
+            console.log(`[async-watcher] skipping kill for disk-loaded agent ${entry.agentId} ` +
+                `(pid=${entry.pid}) — cannot safely attribute pid after restart`);
+            continue;
+        }
+        // C-M1: pass the group-kill target (negative pid on POSIX) to killFn.
+        try {
+            killFn(resolveKillTarget(entry.pid));
         }
+        catch { /* best-effort */ }
     }
 }
 /**
@@ -345,6 +435,7 @@ export function cancelPendingForSession(sessionKey) {
 /** Test-only: drop in-memory state. Doesn't touch disk. */
 export function __resetForTest() {
     pending.clear();
+    thisBootAgentIds.clear();
     if (pollTimer)
         clearInterval(pollTimer);
     pollTimer = null;

package/dist/services/browser-manager.js

@@ -10,7 +10,7 @@
  * If a strategy is unavailable, we automatically cascade to the next one
  * and log a warning so failures are visible, not silent.
  */
-import { execSync, spawn } from "child_process";
+import { execSync, execFileSync, spawn } from "child_process";
 import http from "http";
 import fs from "fs";
 import { config } from "../config.js";
@@ -22,7 +22,7 @@ const CDP_PORT = 9222;
 const EXEC_TIMEOUT = 60_000; // 60s for page loads via shell
 // ── Logging ──────────────────────────────────────────────────────────
 function log(msg) {
-    console.warn(`[browser-manager] ${msg}`);
+    console.log(`[browser-manager] ${msg}`);
 }
 // ── Availability Checks ──────────────────────────────────────────────
 function isGatewayScriptPresent() {
@@ -170,9 +170,11 @@ export async function resolveStrategy(preferred) {
     }
     return "cli";
 }
-function execHub(args) {
+function execHub(argv) {
     try {
-        const result = execSync(`"${HUB_BROWSER_SH}" ${args}`, {
+        // H3: use execFileSync with discrete argv array — no shell interpolation,
+        // so attacker-controlled URLs cannot inject shell metacharacters.
+        const result = execFileSync(HUB_BROWSER_SH, argv, {
             stdio: "pipe",
             timeout: EXEC_TIMEOUT,
             env: { ...process.env, PATH: process.env.PATH },
@@ -310,7 +312,7 @@ async function navigateOne(strategy, url) {
         case "cdp": {
             // Try hub CDP first
             if (isHubBrowserAvailable()) {
-                const result = execHub(`cdp goto "${url}"`);
+                const result = execHub(["cdp", "goto", url]);
                 if (result && !result.error) {
                     return { title: result.title || "", url: result.url || url };
                 }
@@ -329,7 +331,7 @@ async function navigateOne(strategy, url) {
                 log(`Direct CDP failed: ${err.message}`);
                 // Last resort: try stealth
                 if (isHubBrowserAvailable()) {
-                    const stealthResult = execHub(`stealth "${url}"`);
+                    const stealthResult = execHub(["stealth", url]);
                     if (stealthResult) {
                         return { title: stealthResult.title || "", url: stealthResult.url || url };
                     }
@@ -338,7 +340,7 @@ async function navigateOne(strategy, url) {
             }
         }
         case "hub-stealth": {
-            const result = execHub(`stealth "${url}"`);
+            const result = execHub(["stealth", url]);
             if (result && !result.error) {
                 return { title: result.title || "", url: result.url || url };
             }
@@ -369,7 +371,7 @@ export async function screenshot(url, options = {}) {
         case "cdp": {
             if (isHubBrowserAvailable()) {
                 const tmpName = `shot_${Date.now()}.png`;
-                const result = execHub(`cdp shot "${url}" ${tmpName}`);
+                const result = execHub(["cdp", "shot", url, tmpName]);
                 if (result?.screenshot)
                     return result.screenshot;
             }
@@ -378,7 +380,7 @@ export async function screenshot(url, options = {}) {
         }
         case "hub-stealth": {
             const tmpName = `shot_${Date.now()}.png`;
-            const result = execHub(`stealth "${url}" --screenshot=${tmpName}`);
+            const result = execHub(["stealth", url, `--screenshot=${tmpName}`]);
             if (result?.screenshot)
                 return result.screenshot;
             // Fallback

package/dist/services/browser-webfetch.js

@@ -11,8 +11,18 @@
  * See browser-manager.ts for the full cascade; this module is the
  * leaf-level primitive with no dependencies on that file so both can
  * be unit-tested in isolation.
+ *
+ * SSRF hardening (M1): assertSsrfSafe() is called before every fetch hop to
+ * reject loopback / link-local / RFC-1918 / metadata / non-http(s)
+ * destinations. Redirects are followed manually (redirect:"manual") so every
+ * hop's Location header is re-validated before following — a public host that
+ * returns 302 → 169.254.169.254 is therefore blocked. Redirects are capped at
+ * 10 hops; an operator who needs redirect-to-internal can set
+ * ALLOW_PRIVATE_FETCH=1.
  */
+import { assertSsrfSafe, SsrfBlockedError } from "./ssrf-guard.js";
 const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_REDIRECTS = 10;
 const DEFAULT_USER_AGENT = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 " +
     "(KHTML, like Gecko) Version/17.0 Safari/605.1.15 AlvinBot/webfetch";
 export class WebfetchFailed extends Error {
@@ -53,24 +63,48 @@ export function parseTitle(html) {
     return decodeEntities(inner);
 }
 export async function webfetchNavigate(url, options = {}) {
+    // M1: SSRF guard — reject private/internal destinations before fetching.
+    // SsrfBlockedError is intentionally not wrapped in WebfetchFailed so
+    // callers can distinguish "blocked by policy" from "server error".
+    // We validate EVERY redirect hop manually (redirect:"manual") so a
+    // public host cannot 302 us into an internal address.
+    await assertSsrfSafe(url);
     const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), timeoutMs);
     try {
+        let currentUrl = url;
         let response;
-        try {
-            response = await fetch(url, {
-                method: "GET",
-                headers: {
-                    "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
-                    Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
-                },
-                redirect: "follow",
-                signal: controller.signal,
-            });
-        }
-        catch (err) {
-            throw new WebfetchFailed(url, err.message, { cause: err });
+        for (let hop = 0;; hop++) {
+            try {
+                response = await fetch(currentUrl, {
+                    method: "GET",
+                    headers: {
+                        "User-Agent": options.userAgent ?? DEFAULT_USER_AGENT,
+                        Accept: "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+                    },
+                    redirect: "manual",
+                    signal: controller.signal,
+                });
+            }
+            catch (err) {
+                throw new WebfetchFailed(url, err.message, { cause: err });
+            }
+            // Not a redirect — we have the final response
+            if (response.status < 300 || response.status >= 400)
+                break;
+            const loc = response.headers.get("location");
+            if (!loc)
+                break; // no Location header — treat as final response
+            if (hop >= MAX_REDIRECTS) {
+                throw new SsrfBlockedError(url, `too many redirects (> ${MAX_REDIRECTS})`);
+            }
+            const next = new URL(loc, currentUrl).href;
+            // Re-validate each redirect target before following — closes the
+            // post-redirect SSRF bypass where fetch would silently follow a
+            // 302 pointing at 169.254.169.254 / loopback / RFC-1918.
+            await assertSsrfSafe(next);
+            currentUrl = next;
         }
         if (!response.ok) {
             throw new WebfetchFailed(url, `HTTP ${response.status}`, { status: response.status });

package/dist/services/cron-scheduling.js

@@ -29,34 +29,94 @@ function parseInterval(input) {
     };
     return value * (mult[unit] || 60_000);
 }
-function parseField(expr, min, max) {
-    if (expr === "*")
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min);
-    if (expr.includes("/")) {
-        const [, step] = expr.split("/");
-        const s = parseInt(step);
-        return Array.from({ length: max - min + 1 }, (_, i) => i + min).filter((v) => v % s === 0);
+/**
+ * Parse a single cron field token (no commas — commas are handled by parseField).
+ * Supports: `*`, `a`, `a-b`, `a/s`, `a-b/s`, `*\/s`.
+ * Returns an array of valid integers in [min,max], or null if the token is invalid/garbage.
+ */
+function parseFieldToken(token, min, max) {
+    const fullRange = () => Array.from({ length: max - min + 1 }, (_, i) => i + min);
+    if (token.includes("/")) {
+        const slashIdx = token.indexOf("/");
+        const basePart = token.slice(0, slashIdx);
+        const stepPart = token.slice(slashIdx + 1);
+        const step = parseInt(stepPart, 10);
+        if (!Number.isFinite(step) || step <= 0)
+            return null;
+        let base;
+        if (basePart === "*") {
+            base = fullRange();
+        }
+        else if (basePart.includes("-")) {
+            const [aPart, bPart] = basePart.split("-");
+            const a = parseInt(aPart, 10);
+            const b = parseInt(bPart, 10);
+            if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+                return null;
+            base = Array.from({ length: b - a + 1 }, (_, i) => i + a);
+        }
+        else {
+            const a = parseInt(basePart, 10);
+            if (!Number.isFinite(a) || a < min || a > max)
+                return null;
+            base = [a];
+        }
+        // Filter by step aligned to base start
+        const baseStart = base[0];
+        return base.filter((v) => (v - baseStart) % step === 0);
     }
-    if (expr.includes(","))
-        return expr.split(",").map(Number);
-    if (expr.includes("-")) {
-        const [a, b] = expr.split("-").map(Number);
+    if (token === "*")
+        return fullRange();
+    if (token.includes("-")) {
+        const parts = token.split("-");
+        if (parts.length !== 2)
+            return null;
+        const a = parseInt(parts[0], 10);
+        const b = parseInt(parts[1], 10);
+        if (!Number.isFinite(a) || !Number.isFinite(b) || a > b || a < min || b > max)
+            return null;
         return Array.from({ length: b - a + 1 }, (_, i) => i + a);
     }
-    return [parseInt(expr)];
+    const v = parseInt(token, 10);
+    if (!Number.isFinite(v) || v < min || v > max)
+        return null;
+    return [v];
+}
+/**
+ * Parse a cron field expression (may contain commas) into a sorted array of valid integers.
+ * Supports comma-separated combinations of: `*`, `a`, `a-b`, `a-b/s`, `*\/s`.
+ * Returns null if any token is invalid/garbage (signals an invalid schedule).
+ */
+function parseField(expr, min, max) {
+    // Split on commas; filter empty strings (handles "1,,3" gracefully — skip empty)
+    const tokens = expr.split(",").filter((t) => t.length > 0);
+    if (tokens.length === 0)
+        return null;
+    const result = new Set();
+    for (const token of tokens) {
+        const vals = parseFieldToken(token, min, max);
+        if (vals === null)
+            return null; // propagate invalid token as parse failure
+        for (const v of vals)
+            result.add(v);
+    }
+    const arr = [...result].sort((a, b) => a - b);
+    return arr.length > 0 ? arr : null;
 }
 function parseCronFields(expression) {
     const parts = expression.trim().split(/\s+/);
     if (parts.length !== 5)
         return null;
     const [minExpr, hourExpr, dayExpr, monthExpr, weekdayExpr] = parts;
-    return {
-        minutes: parseField(minExpr, 0, 59),
-        hours: parseField(hourExpr, 0, 23),
-        days: parseField(dayExpr, 1, 31),
-        months: parseField(monthExpr, 1, 12),
-        weekdays: parseField(weekdayExpr, 0, 6),
-    };
+    const minutes = parseField(minExpr, 0, 59);
+    const hours = parseField(hourExpr, 0, 23);
+    const days = parseField(dayExpr, 1, 31);
+    const months = parseField(monthExpr, 1, 12);
+    const weekdays = parseField(weekdayExpr, 0, 6);
+    // Any field returning null means the expression is invalid → reject it
+    if (!minutes || !hours || !days || !months || !weekdays)
+        return null;
+    return { minutes, hours, days, months, weekdays };
 }
 function nextCronRun(expression, after) {
     const fields = parseCronFields(expression);