polygram 0.12.0-rc.41 → 0.12.0-rc.43

package/lib/process/channels-tool-dispatcher.js

@@ -38,6 +38,13 @@ const os = require('node:os');
 // additional roots (e.g. a configured uploads dir).
 const DEFAULT_ATTACHMENT_BASE = path.join(os.tmpdir(), 'polygram-attachments');
 
+// Review 2026-06-12 hardening: cap files[] per reply so one (possibly
+// prompt-injected) call can't fan out unlimited uploads past the per-call
+// rate limit; cap the per-session owned-message-id set so the edit-ownership
+// tracker can't grow unbounded on a long-lived session.
+const MAX_FILES_PER_REPLY = 10;
+const OWNED_MSG_CAP = 256;
+
 function isPathUnder(child, parent) {
   const rel = path.relative(parent, child);
   return rel !== '' && !rel.startsWith('..') && !path.isAbsolute(rel);
@@ -125,6 +132,23 @@ function createChannelsToolDispatcher({
   const deliverAgent = processAndDeliverAgentText
     || require('../telegram/process-agent-reply').processAndDeliverAgentText;
 
+  // Per-session set of message_ids THIS session created (via reply/edit).
+  // edit_message may only target an owned bubble — a prompt-injected
+  // edit_message can't tamper with a message it didn't send, or another
+  // session's bubble (review 2026-06-12). Bounded per session (insertion-order
+  // eviction) so a long session can't grow it without limit.
+  const ownedMessageIds = new Map();   // sessionKey → Set<number>
+  const rememberOwned = (sk, id) => {
+    if (id == null || sk == null) return;
+    const n = Number(id);
+    if (!Number.isFinite(n)) return;
+    let set = ownedMessageIds.get(sk);
+    if (!set) { set = new Set(); ownedMessageIds.set(sk, set); }
+    set.add(n);
+    while (set.size > OWNED_MSG_CAP) set.delete(set.values().next().value);
+  };
+  const ownsMessage = (sk, id) => ownedMessageIds.get(sk)?.has(Number(id)) === true;
+
   return async function channelsToolDispatcher(call) {
     const { sessionKey, chatId, threadId, toolName, text, files, sourceMsgId, maxOutboundFileBytes, messageId } = call;
 
@@ -149,10 +173,18 @@ function createChannelsToolDispatcher({
       if (clean.length > maxChunkLen) {
         return { ok: false, error: `edit text too long (${clean.length} > ${maxChunkLen}); a message edit is a single bubble — use reply for long content` };
       }
+      // Ownership gate (review 2026-06-12): only edit a bubble THIS session
+      // created (got its id from a reply/edit result). Blocks a prompt-injected
+      // edit_message from tampering with an arbitrary or cross-session message.
+      if (!ownsMessage(sessionKey, messageId)) {
+        logger.warn?.(`[channels-tool-dispatcher] ${sessionKey} edit_message DENIED: message_id ${messageId} not owned by this session`);
+        return { ok: false, error: `message_id ${messageId} was not created by this session — edit_message can only target a bubble you sent` };
+      }
       try {
         const params = { chat_id: chatId, message_id: messageId, text: clean };
         if (threadId) params.message_thread_id = threadId;
         await send(bot, 'editMessageText', params, { source: 'channels-tool-dispatcher', sessionKey, toolName });
+        rememberOwned(sessionKey, messageId);   // keep ownership across re-edits
         return { ok: true, message_id: messageId };
       } catch (err) {
         logger.error?.(`[channels-tool-dispatcher] ${sessionKey} edit_message failed: ${err.message}`);
@@ -209,6 +241,13 @@ function createChannelsToolDispatcher({
       // tolerate the {message_id} object shape too. null for solo sticker/reaction.
       const firstSent = dr && Array.isArray(dr.sent) ? dr.sent.find(x => x != null) : null;
       const replyMessageId = (firstSent && typeof firstSent === 'object') ? firstSent.message_id : firstSent;
+      // Remember every delivered bubble so claude can edit_message any of them
+      // (the ownership gate above) — not just the first one returned.
+      if (dr && Array.isArray(dr.sent)) {
+        for (const s of dr.sent) {
+          rememberOwned(sessionKey, (s && typeof s === 'object') ? s.message_id : s);
+        }
+      }
 
       // File attachments — sent as separate messages AFTER the text.
       // Photos for image MIMEs, Documents for everything else (matches
@@ -220,12 +259,22 @@ function createChannelsToolDispatcher({
       // keys, and AWS creds can't leak to Telegram.
       const failedAttachments = [];
       if (Array.isArray(files) && files.length > 0) {
+        // Cap the per-reply fan-out (review 2026-06-12): a single (possibly
+        // injected) call attaching dozens of files would bypass the per-call
+        // rate limit. Process the first MAX_FILES_PER_REPLY; surface the rest.
+        let toAttach = files;
+        if (files.length > MAX_FILES_PER_REPLY) {
+          toAttach = files.slice(0, MAX_FILES_PER_REPLY);
+          for (const extra of files.slice(MAX_FILES_PER_REPLY)) {
+            failedAttachments.push({ path: extra, error: `too many files in one reply (max ${MAX_FILES_PER_REPLY}); send the rest in a follow-up` });
+          }
+        }
         const allowedRoots = buildAllowedRoots({
           sessionKey,
           sessionCwd: call.sessionCwd,
           extraRoots: attachmentAllowlist,
         });
-        for (const filePath of files) {
+        for (const filePath of toAttach) {
           const check = validateAttachmentPath(filePath, allowedRoots);
           if (!check.ok) {
             logger.warn?.(
@@ -301,10 +350,15 @@ function createChannelsToolDispatcher({
  * is the safe default.
  */
 function buildAllowedRoots({ sessionKey, sessionCwd = null, extraRoots = [] }) {
-  const roots = [
-    DEFAULT_ATTACHMENT_BASE,
-    path.join(DEFAULT_ATTACHMENT_BASE, String(sessionKey || '')),
-  ];
+  const roots = [];
+  // SECURITY (review 2026-06-12): allow ONLY this session's own staging subdir,
+  // never the shared DEFAULT_ATTACHMENT_BASE parent. All sessions' claude procs
+  // run as the same uid, so a base-level root let session A send a file staged
+  // under session B (/tmp/polygram-attachments/<B>/…) → cross-chat exfiltration.
+  // A falsy sessionKey would collapse path.join(BASE,'') back to BASE, so skip
+  // the staging root entirely when it's missing (only sessionCwd/extras remain).
+  const sk = String(sessionKey || '');
+  if (sk) roots.push(path.join(DEFAULT_ATTACHMENT_BASE, sk));
   if (sessionCwd) roots.push(sessionCwd);
   if (Array.isArray(extraRoots)) {
     for (const r of extraRoots) {

package/lib/process/cli-process.js

@@ -1150,9 +1150,17 @@ class CliProcess extends Process {
     // acknowledges every <channel> message this reply covers (incl. folds the
     // incidental turn_id echo can't express; the reply schema carries ONE
     // turn_id). Acked entries can never be declared dropped.
-    if (Array.isArray(args.consumed_turn_ids) && args.consumed_turn_ids.length) {
+    //
+    // SECURITY (review 2026-06-12): gate the ack on chat_id matching this
+    // session. The chat_id check lives further down (after dedup/rate-limit);
+    // without this guard a reply carrying a FOREIGN chat_id but naming the live
+    // turn here would mark it resolved/_consumedAcked + arm the finalizer —
+    // "delivered" though nothing reached this chat. The actual reject still
+    // happens at the chat_id guard below.
+    const chatIdMatches = this.chatId == null || String(args.chat_id) === String(this.chatId);
+    if (chatIdMatches && Array.isArray(args.consumed_turn_ids) && args.consumed_turn_ids.length) {
       this._ledgerAckConsumed(args.consumed_turn_ids.filter((x) => typeof x === 'string'));
-    } else if (msg.name === 'reply' && 'consumed_turn_ids' in args) {
+    } else if (chatIdMatches && msg.name === 'reply' && 'consumed_turn_ids' in args) {
       this._lastAckFieldAt = Date.now();   // field present but empty — contract observed
     }
 
@@ -2192,9 +2200,19 @@ class CliProcess extends Process {
     // "I was interrupted" message. If it doesn't (5s grace), resolve pending
     // turns with subtype 'interrupted' instead of letting them wait the full
     // 10-min hardTimer.
+    //
+    // C4 BLOCKER (review 2026-06-12): SNAPSHOT the turns that were in flight at
+    // C-c time and resolve ONLY those. The cancelled turn often finalizes
+    // cleanly DURING the grace (claude acks the C-c) and the user then starts a
+    // NEW turn — the "stop, then redirect" flow cheap-cancel exists for. Without
+    // the snapshot the stale grace iterated pendingTurns LIVE and silently
+    // resolved that fresh turn as 'interrupted' (lost). send() doesn't clear the
+    // grace, so the snapshot is the fix.
+    const interruptedTurnIds = new Set(this.pendingTurns.keys());
     this._interruptGraceTimer = setTimeout(() => {
       let resolvedAny = false;
       for (const [turnId, pending] of this.pendingTurns) {
+        if (!interruptedTurnIds.has(turnId)) continue;   // only the turns in flight at C-c
         // Synthesize an interrupted resolution: empty text, 'interrupted' subtype.
         // Cancel-cheap C3: clear ALL per-pending machinery (mirrors
         // _finalizeTurn) — stray timers/listeners on the kept-warm proc are
@@ -3062,6 +3080,12 @@ class CliProcess extends Process {
   injectUserMessage({ content, priority = 'next', shouldQuery, msgId, source = 'inject' } = {}) {
     if (this.closed) return false;
     if (!this.inFlight) return false;                // base contract: no live turn → caller falls through
+    // C5 (review 2026-06-12): a cancel is in flight (interrupt grace armed) —
+    // inFlight is still true until the grace fires, but merging a follow-up into
+    // work the user just stopped is wrong AND leaks a fresh 'written' ledger
+    // entry the cancel-loop already passed (later re-delivery). Refuse so the
+    // caller queues it as a fresh primary turn instead.
+    if (this._interruptGraceTimer) return false;
     if (!this.bridgeReady) return false;
     if (typeof content !== 'string' || !content) return false;
 

package/lib/session-key.js

@@ -119,10 +119,19 @@ function getTopicConfig(chatConfig, threadId) {
  */
 function getConfigWriteScope(chatConfig, threadId) {
   const tid = (threadId == null || threadId === '') ? null : String(threadId);
-  if (!tid) return { scope: chatConfig, threadId: null };
-  chatConfig.topics = chatConfig.topics || {};
-  chatConfig.topics[tid] = chatConfig.topics[tid] || {};
-  return { scope: chatConfig.topics[tid], threadId: tid };
+  // Mirror getSessionKey's isolation rule: a per-topic override only takes
+  // effect when isolateTopics === true (otherwise every topic shares the
+  // chatId-keyed session and topics[tid].model is silently ignored — the
+  // 2026-06-12 review found the topic-scope fix re-broke /model on the DEFAULT
+  // non-isolated chats and made the card lie). So write the topic scope ONLY
+  // when isolated; otherwise write the chat root (the session that actually
+  // runs), and report threadId:null so the audit row reflects chat-level reach.
+  if (tid && chatConfig?.isolateTopics === true) {
+    chatConfig.topics = chatConfig.topics || {};
+    chatConfig.topics[tid] = chatConfig.topics[tid] || {};
+    return { scope: chatConfig.topics[tid], threadId: tid };
+  }
+  return { scope: chatConfig, threadId: null };
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.0-rc.41",
+  "version": "0.12.0-rc.43",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {