polygram 0.12.0-rc.41 → 0.12.0-rc.42

package/lib/process/channels-tool-dispatcher.js

@@ -301,10 +301,15 @@ function createChannelsToolDispatcher({
  * is the safe default.
  */
 function buildAllowedRoots({ sessionKey, sessionCwd = null, extraRoots = [] }) {
-  const roots = [
-    DEFAULT_ATTACHMENT_BASE,
-    path.join(DEFAULT_ATTACHMENT_BASE, String(sessionKey || '')),
-  ];
+  const roots = [];
+  // SECURITY (review 2026-06-12): allow ONLY this session's own staging subdir,
+  // never the shared DEFAULT_ATTACHMENT_BASE parent. All sessions' claude procs
+  // run as the same uid, so a base-level root let session A send a file staged
+  // under session B (/tmp/polygram-attachments/<B>/…) → cross-chat exfiltration.
+  // A falsy sessionKey would collapse path.join(BASE,'') back to BASE, so skip
+  // the staging root entirely when it's missing (only sessionCwd/extras remain).
+  const sk = String(sessionKey || '');
+  if (sk) roots.push(path.join(DEFAULT_ATTACHMENT_BASE, sk));
   if (sessionCwd) roots.push(sessionCwd);
   if (Array.isArray(extraRoots)) {
     for (const r of extraRoots) {

package/lib/process/cli-process.js

@@ -1150,9 +1150,17 @@ class CliProcess extends Process {
     // acknowledges every <channel> message this reply covers (incl. folds the
     // incidental turn_id echo can't express; the reply schema carries ONE
     // turn_id). Acked entries can never be declared dropped.
-    if (Array.isArray(args.consumed_turn_ids) && args.consumed_turn_ids.length) {
+    //
+    // SECURITY (review 2026-06-12): gate the ack on chat_id matching this
+    // session. The chat_id check lives further down (after dedup/rate-limit);
+    // without this guard a reply carrying a FOREIGN chat_id but naming the live
+    // turn here would mark it resolved/_consumedAcked + arm the finalizer —
+    // "delivered" though nothing reached this chat. The actual reject still
+    // happens at the chat_id guard below.
+    const chatIdMatches = this.chatId == null || String(args.chat_id) === String(this.chatId);
+    if (chatIdMatches && Array.isArray(args.consumed_turn_ids) && args.consumed_turn_ids.length) {
       this._ledgerAckConsumed(args.consumed_turn_ids.filter((x) => typeof x === 'string'));
-    } else if (msg.name === 'reply' && 'consumed_turn_ids' in args) {
+    } else if (chatIdMatches && msg.name === 'reply' && 'consumed_turn_ids' in args) {
       this._lastAckFieldAt = Date.now();   // field present but empty — contract observed
     }
 
@@ -2192,9 +2200,19 @@ class CliProcess extends Process {
     // "I was interrupted" message. If it doesn't (5s grace), resolve pending
     // turns with subtype 'interrupted' instead of letting them wait the full
     // 10-min hardTimer.
+    //
+    // C4 BLOCKER (review 2026-06-12): SNAPSHOT the turns that were in flight at
+    // C-c time and resolve ONLY those. The cancelled turn often finalizes
+    // cleanly DURING the grace (claude acks the C-c) and the user then starts a
+    // NEW turn — the "stop, then redirect" flow cheap-cancel exists for. Without
+    // the snapshot the stale grace iterated pendingTurns LIVE and silently
+    // resolved that fresh turn as 'interrupted' (lost). send() doesn't clear the
+    // grace, so the snapshot is the fix.
+    const interruptedTurnIds = new Set(this.pendingTurns.keys());
     this._interruptGraceTimer = setTimeout(() => {
       let resolvedAny = false;
       for (const [turnId, pending] of this.pendingTurns) {
+        if (!interruptedTurnIds.has(turnId)) continue;   // only the turns in flight at C-c
         // Synthesize an interrupted resolution: empty text, 'interrupted' subtype.
         // Cancel-cheap C3: clear ALL per-pending machinery (mirrors
         // _finalizeTurn) — stray timers/listeners on the kept-warm proc are
@@ -3062,6 +3080,12 @@ class CliProcess extends Process {
   injectUserMessage({ content, priority = 'next', shouldQuery, msgId, source = 'inject' } = {}) {
     if (this.closed) return false;
     if (!this.inFlight) return false;                // base contract: no live turn → caller falls through
+    // C5 (review 2026-06-12): a cancel is in flight (interrupt grace armed) —
+    // inFlight is still true until the grace fires, but merging a follow-up into
+    // work the user just stopped is wrong AND leaks a fresh 'written' ledger
+    // entry the cancel-loop already passed (later re-delivery). Refuse so the
+    // caller queues it as a fresh primary turn instead.
+    if (this._interruptGraceTimer) return false;
     if (!this.bridgeReady) return false;
     if (typeof content !== 'string' || !content) return false;
 

package/lib/session-key.js

@@ -119,10 +119,19 @@ function getTopicConfig(chatConfig, threadId) {
  */
 function getConfigWriteScope(chatConfig, threadId) {
   const tid = (threadId == null || threadId === '') ? null : String(threadId);
-  if (!tid) return { scope: chatConfig, threadId: null };
-  chatConfig.topics = chatConfig.topics || {};
-  chatConfig.topics[tid] = chatConfig.topics[tid] || {};
-  return { scope: chatConfig.topics[tid], threadId: tid };
+  // Mirror getSessionKey's isolation rule: a per-topic override only takes
+  // effect when isolateTopics === true (otherwise every topic shares the
+  // chatId-keyed session and topics[tid].model is silently ignored — the
+  // 2026-06-12 review found the topic-scope fix re-broke /model on the DEFAULT
+  // non-isolated chats and made the card lie). So write the topic scope ONLY
+  // when isolated; otherwise write the chat root (the session that actually
+  // runs), and report threadId:null so the audit row reflects chat-level reach.
+  if (tid && chatConfig?.isolateTopics === true) {
+    chatConfig.topics = chatConfig.topics || {};
+    chatConfig.topics[tid] = chatConfig.topics[tid] || {};
+    return { scope: chatConfig.topics[tid], threadId: tid };
+  }
+  return { scope: chatConfig, threadId: null };
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.0-rc.41",
+  "version": "0.12.0-rc.42",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {