polygram 0.12.0-rc.13 → 0.12.0-rc.15

package/lib/handlers/download.js

@@ -24,7 +24,7 @@
 const fs = require('fs');
 const path = require('path');
 const { redactBotToken } = require('../error/net');
-const { MAX_FILE_BYTES } = require('../attachments');
+const { MAX_FILE_BYTES, resolveFileCaps } = require('../attachments');
 
 const ATTACHMENT_DOWNLOAD_CONCURRENCY_DEFAULT = 6;
 
@@ -60,76 +60,119 @@ function createDownloadAttachments({
       } catch { /* fall through to refetch */ }
     }
     try {
+      // Inbound per-file cap is BACKEND-derived: 20 MB on cloud Telegram
+      // (Telegram's own getFile ceiling), 2 GB with the local Bot API server.
+      // rc.15: previously hardcoded to MAX_FILE_BYTES (20 MB), which rejected
+      // large lossless tracks even when the local server could handle them.
+      const cap = resolveFileCaps({ localApi: !!config.bot?.apiRoot }).inBytes;
+
       const fileInfo = await bot.api.getFile(att.file_id);
       if (!fileInfo?.file_path) throw new Error('no file_path from getFile');
-      const url = `https://api.telegram.org/file/bot${token}/${fileInfo.file_path}`;
-      const res = await fetchImpl(url);
-      if (!res.ok) throw new Error(`HTTP ${res.status}`);
-      // Three-layer size enforcement, in order of cheapness:
-      //   1. Content-Length header — fail-fast before reading body.
-      //   2. Streaming accumulator — abort the moment cumulative byte
-      //      count crosses the cap. Defends against attackers omitting
-      //      Content-Length: pre-cap the whole body could pin RSS.
-      //   3. Final post-buffer check — defense in depth.
-      const cl = parseInt(res.headers.get('content-length') || '0', 10);
-      if (cl > MAX_FILE_BYTES) {
-        throw new Error(`content-length ${cl} exceeds per-file cap ${MAX_FILE_BYTES}`);
-      }
-      let total = 0;
-      const chunks = [];
-      if (res.body && typeof res.body.getReader === 'function') {
-        const reader = res.body.getReader();
-        while (true) {
-          const { done, value } = await reader.read();
-          if (done) break;
-          total += value.byteLength;
-          if (total > MAX_FILE_BYTES) {
-            try { await reader.cancel(); } catch {}
-            throw new Error(`stream ${total}+ bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-          }
-          chunks.push(value);
-        }
-      } else {
-        // Fallback for runtimes without WHATWG streams (shouldn't fire
-        // on Node 22+).
-        const ab = await res.arrayBuffer();
-        if (ab.byteLength > MAX_FILE_BYTES) {
-          throw new Error(`body ${ab.byteLength} bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-        }
-        chunks.push(new Uint8Array(ab));
-        total = ab.byteLength;
-      }
-      const buf = Buffer.concat(chunks.map((c) => Buffer.from(c.buffer, c.byteOffset, c.byteLength)));
-      if (buf.length > MAX_FILE_BYTES) {
-        throw new Error(`body ${buf.length} bytes exceeds per-file cap ${MAX_FILE_BYTES}`);
-      }
+
       const safeName = sanitizeFilename(att.name);
       // Embed file_unique_id so two attachments with the same msg_id+name
       // (album, resend) can't silently overwrite each other.
       const uniq = att.file_unique_id ? `-${att.file_unique_id}` : '';
       const localName = `${msg.message_id}${uniq}-${safeName}`;
       const localPath = path.join(chatDir, localName);
-      // Atomic write: temp file + rename. A crash mid-write leaves a
-      // .tmp.* file (swept later) rather than a truncated canonical
-      // file the EEXIST dedup branch would happily serve next time.
-      if (fs.existsSync(localPath)) {
-        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+
+      let size;
+
+      if (path.isAbsolute(fileInfo.file_path)) {
+        // ── Local Bot API server ────────────────────────────────────────
+        // rc.15: in `--local` mode getFile returns a LOCAL ABSOLUTE PATH —
+        // the server has already downloaded the file to its own disk. The
+        // previous code built a cloud URL (https://api.telegram.org/file/...)
+        // and HTTP-fetched it, which is nonsensical for a local path and
+        // failed every inbound file once apiRoot was set. Instead, link the
+        // file into the inbox directly (no HTTP, no buffering a 2 GB file
+        // through RAM). A hardlink is instant and shares the inode, so it
+        // survives the server pruning its own copy; fall back to a byte copy
+        // across filesystems.
+        const srcStat = fs.statSync(fileInfo.file_path);
+        if (srcStat.size > cap) {
+          throw new Error(`file ${srcStat.size} exceeds per-file cap ${cap}`);
+        }
+        if (fs.existsSync(localPath)) {
+          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+        } else {
+          try {
+            fs.linkSync(fileInfo.file_path, localPath);
+          } catch (e) {
+            if (e.code === 'EEXIST') {
+              logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+            } else if (e.code === 'EXDEV') {
+              fs.copyFileSync(fileInfo.file_path, localPath);   // cross-device fallback
+            } else {
+              throw e;
+            }
+          }
+        }
+        size = srcStat.size;
+        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${size} bytes, local-api) → ${localPath}`);
       } else {
-        const tmpPath = `${localPath}.tmp.${process.pid}.${Date.now()}`;
-        try {
-          fs.writeFileSync(tmpPath, buf, { flag: 'wx' });
-          fs.renameSync(tmpPath, localPath);
-        } catch (e) {
-          try { fs.unlinkSync(tmpPath); } catch {}
-          if (e.code !== 'EEXIST') throw e;
-          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+        // ── Cloud Telegram ──────────────────────────────────────────────
+        // getFile returns a RELATIVE path; download it over HTTPS with the
+        // three-layer size guard (header → streaming accumulator → final).
+        const url = `https://api.telegram.org/file/bot${token}/${fileInfo.file_path}`;
+        const res = await fetchImpl(url);
+        if (!res.ok) throw new Error(`HTTP ${res.status}`);
+        const cl = parseInt(res.headers.get('content-length') || '0', 10);
+        if (cl > cap) {
+          throw new Error(`content-length ${cl} exceeds per-file cap ${cap}`);
         }
+        let total = 0;
+        const chunks = [];
+        if (res.body && typeof res.body.getReader === 'function') {
+          const reader = res.body.getReader();
+          while (true) {
+            const { done, value } = await reader.read();
+            if (done) break;
+            total += value.byteLength;
+            if (total > cap) {
+              try { await reader.cancel(); } catch {}
+              throw new Error(`stream ${total}+ bytes exceeds per-file cap ${cap}`);
+            }
+            chunks.push(value);
+          }
+        } else {
+          // Fallback for runtimes without WHATWG streams (shouldn't fire
+          // on Node 22+).
+          const ab = await res.arrayBuffer();
+          if (ab.byteLength > cap) {
+            throw new Error(`body ${ab.byteLength} bytes exceeds per-file cap ${cap}`);
+          }
+          chunks.push(new Uint8Array(ab));
+          total = ab.byteLength;
+        }
+        const buf = Buffer.concat(chunks.map((c) => Buffer.from(c.buffer, c.byteOffset, c.byteLength)));
+        if (buf.length > cap) {
+          throw new Error(`body ${buf.length} bytes exceeds per-file cap ${cap}`);
+        }
+        // Atomic write: temp file + rename. A crash mid-write leaves a
+        // .tmp.* file (swept later) rather than a truncated canonical
+        // file the EEXIST dedup branch would happily serve next time.
+        if (fs.existsSync(localPath)) {
+          logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (already on disk, reusing)`);
+        } else {
+          const tmpPath = `${localPath}.tmp.${process.pid}.${Date.now()}`;
+          try {
+            fs.writeFileSync(tmpPath, buf, { flag: 'wx' });
+            fs.renameSync(tmpPath, localPath);
+          } catch (e) {
+            try { fs.unlinkSync(tmpPath); } catch {}
+            if (e.code !== 'EEXIST') throw e;
+            logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (race: already on disk)`);
+          }
+        }
+        size = buf.length;
+        logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${size} bytes) → ${localPath}`);
       }
-      logger.log?.(`[attach] ${chatId} ← ${att.kind} ${safeName} (${buf.length} bytes) → ${localPath}`);
+
       dbWrite(() => db.markAttachmentDownloaded(att.id, {
-        local_path: localPath, size_bytes: att.size_bytes || buf.length,
+        local_path: localPath, size_bytes: att.size_bytes || size,
       }), `markAttachmentDownloaded ${att.id}`);
-      return { ...att, path: localPath, size: att.size_bytes || buf.length, error: null };
+      return { ...att, path: localPath, size: att.size_bytes || size, error: null };
     } catch (err) {
       // Don't drop the attachment silently — push it through with the
       // failure noted. buildAttachmentTags renders this as

package/lib/process/cli-process.js

@@ -120,16 +120,17 @@ const STREAMING_HINT_RE = /esc to interrupt/i;
 // — false positives surface as no-op telemetry, false negatives surface
 // as the idle-ceiling timeout (~10min).
 const UNKNOWN_PROMPT_HEURISTIC_RE = /(\?\s*$|\(y\/N\)|Yes\/No|❯\s|^\s*[12345]\.\s)/im;
-// Dead-bridge signal. Claude Code prints "<source>  no MCP server configured
-// with that name" when a channel source references an MCP server that isn't
-// registered. Music topic incident (2026-06-01): seen mid-turn after an
-// auto-/compact of a large resumed session redrew the TUI and dropped the
-// `server:polygram-bridge` binding — the turn could no longer deliver its
-// reply and hung. The bridge name precedes the error on the same line, so
-// anchor on it: matching the bare phrase risks a false hit on prose that
-// merely quotes the error, while the healthy "polygram-bridge: <polygram-info>
-// …" connection line never contains "no MCP server configured".
-const BRIDGE_DEAD_RE = /polygram-bridge[^\n]*no MCP server configured/i;
+// rc.14: a previous rc (rc.11) had a BRIDGE_DEAD_RE here that matched the pane
+// line "server:polygram-bridge  no MCP server configured with that name" and
+// treated it as a dead bridge to recover from. That was a MISDIAGNOSIS: this
+// line is a BENIGN, persistent banner that `--dangerously-load-development-
+// channels` + `--strict-mcp-config` prints on EVERY healthy session — the
+// channel still delivers messages and the reply tool still works (reproduced
+// 2026-06-01 with a test MCP server that demonstrably functions). The pane
+// matcher therefore false-fired ~5s into every channels turn and KILLED
+// healthy sessions (the Music-topic "mid-turn detach" regression). Real bridge
+// loss is caught by the socket-close path (bridgeServer 'bridge-disconnected'
+// → _handleBridgeDisconnected). There is no reliable pane signal — removed.
 // Per-pattern rate limit so a dialog that lingers across multiple polls
 // doesn't spam sendControl/event emissions. Aligned with the 5s poll cadence.
 const MID_TURN_DEDUP_WINDOW_MS = 30_000;
@@ -2411,35 +2412,14 @@ class CliProcess extends Process {
     }
     if (!pane) return;
 
-    // Wedge recovery (Music topic incident, 2026-06-01). Claude Code's
-    // channel source can lose its MCP-server registration mid-turn — most
-    // often after an auto-/compact of a large resumed session redraws the
-    // TUI and the `server:polygram-bridge` binding fails to re-resolve
-    // ("polygram-bridge  no MCP server configured with that name"). The
-    // bridge SOCKET stays up, so the socket-close path
-    // (bridgeServer 'bridge-disconnected' → _handleBridgeDisconnected) never
-    // fires — but claude can no longer deliver the reply, so the turn
-    // orphans and would hang until the wall-clock cap while this watchdog
-    // logged cli-mid-turn-unknown-prompt every 30s and recovered nothing.
-    // Detect it from the pane and route through the SAME recovery as a real
-    // socket disconnect: reject pending turns (user gets the 🔌 resend
-    // message via BRIDGE_DISCONNECTED) and emit 'bridge-disconnected' so
-    // process-manager kills + lazy-respawns the dead instance (next msg
-    // recovers the conversation via `claude --resume`). Gated on
-    // pendingTurns.size>0 by the early return above, so it can't fire on an
-    // idle session that merely has the string in scrollback.
-    if (BRIDGE_DEAD_RE.test(pane)) {
-      this.logger.warn?.(
-        `[${this.label}] cli: channels MCP registration lost mid-turn ` +
-        `(pane-detected) — recovering ${this.pendingTurns.size} orphaned turn(s)`,
-      );
-      this._logEvent('cli-bridge-detached-midturn', {
-        pending_count: this.pendingTurns.size,
-        session_id: this.claudeSessionId,
-      });
-      this._handleBridgeDisconnected('mcp-registration-lost');
-      return;
-    }
+    // rc.14: removed the rc.11 pane-based "dead bridge" detection here. It
+    // matched the BENIGN banner "server:polygram-bridge  no MCP server
+    // configured with that name" — a cosmetic line that
+    // `--dangerously-load-development-channels` + `--strict-mcp-config` prints
+    // on EVERY healthy session (channel still delivers; reply tool still
+    // works). The matcher false-fired ~5s into every channels turn and killed
+    // healthy sessions. Real bridge loss is the socket-close path
+    // (_handleBridgeDisconnected), not anything observable in the pane.
 
     const now = Date.now();
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.0-rc.13",
+  "version": "0.12.0-rc.15",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {

package/polygram.js

@@ -1698,7 +1698,14 @@ function createBot(token) {
   const apiRoot = config.bot?.apiRoot;
   const bot = new Bot(token, {
     client: {
-      timeoutSeconds: 60,
+      // rc.15: with the local Bot API server, getFile DOWNLOADS the file
+      // synchronously (server fetches it from Telegram's DC, then responds) —
+      // a large lossless WAV can take >60s, so the cloud-tuned 60s timeout
+      // fired before the download finished (the file still landed on the
+      // server's disk, but polygram's getFile call already errored). The
+      // local server is localhost, so non-download calls stay fast; the
+      // higher ceiling only matters for big getFile downloads.
+      timeoutSeconds: apiRoot ? 180 : 60,
       ...(apiRoot ? { apiRoot } : {}),
     },
   });