polygram 0.12.7 → 0.12.9

package/lib/db/events-retention.js

@@ -23,6 +23,9 @@
  */
 
 const DAY_MS = 86_400_000;
+// A few minutes of grace so rows written ~now (between Date.now() capture and the
+// COUNT) don't read as "future". Genuine backward-clock detection is fraction-based.
+const CLOCK_SKEW_TOLERANCE_MS = 60_000;
 
 const DEFAULT_POLICY = {
   enabled: true,
@@ -65,6 +68,25 @@ function resolveRetentionPolicy(config) {
 
 /** Fail loud on a misconfigured policy. Called at load and defensively per-run. */
 function validatePolicy(policy) {
+  // Numeric sanity. An unvalidated batchSize<=0 makes batchedDelete spin forever
+  // (DELETE LIMIT 0 deletes 0, `0 < 0` is false) and wedges the synchronous
+  // daemon — the "a config typo must never take down the bot" promise depends on
+  // catching it here, before the loop.
+  if (!Number.isInteger(policy.batchSize) || policy.batchSize < 1) {
+    throw new Error(`events_retention: batchSize must be a positive integer (got ${policy.batchSize})`);
+  }
+  if (!Number.isInteger(policy.maxPerKind) || policy.maxPerKind < 1) {
+    throw new Error(`events_retention: maxPerKind must be a positive integer (got ${policy.maxPerKind})`);
+  }
+  if (!(typeof policy.maxDeleteFraction === 'number' && policy.maxDeleteFraction > 0 && policy.maxDeleteFraction <= 1)) {
+    throw new Error(`events_retention: maxDeleteFraction must be in (0,1] (got ${policy.maxDeleteFraction})`);
+  }
+  for (const f of ['diagnosticDays', 'defaultDays']) {
+    if (!(typeof policy[f] === 'number' && policy[f] > 0)) {
+      throw new Error(`events_retention: ${f} must be a positive number (got ${policy[f]})`);
+    }
+  }
+
   const diag = policy.diagnosticKinds || [];
   const keep = policy.keepForeverKinds || [];
   for (const k of [...diag, ...keep]) {
@@ -98,7 +120,10 @@ function batchedDelete(rawDb, sql, params, batchSize) {
   for (;;) {
     const r = stmt.run(...params, batchSize);
     deleted += r.changes;
-    if (r.changes < batchSize) break;
+    // `=== 0` is the belt-and-suspenders against a pathological LIMIT (e.g. a
+    // negative LIMIT = unlimited, which would otherwise loop on the empty set);
+    // validatePolicy already rejects batchSize<1, so this is defense-in-depth.
+    if (r.changes < batchSize || r.changes === 0) break;
   }
   return deleted;
 }
@@ -117,37 +142,57 @@ function pruneEvents(rawDb, now, policy) {
   const diagSet = new Set(policy.diagnosticKinds);
   const keepSet = new Set(policy.keepForeverKinds);
 
-  const before = rawDb.prepare('SELECT count(*) c, max(ts) mx FROM events').get();
-  const totalBefore = before.c;
+  const totalBefore = rawDb.prepare('SELECT count(*) c FROM events').get().c;
   if (totalBefore === 0) {
-    return { deleted: { default: 0, diagnostic: 0, cap: 0, total: 0 }, before: 0, after: 0 };
+    return policy.dryRun
+      ? { dryRun: true, preview: { default: 0, diagnostic: 0, cap: 0, total: 0 }, before: 0 }
+      : { deleted: { default: 0, diagnostic: 0, cap: 0, total: 0 }, before: 0, after: 0 };
   }
 
-  // Clock-backward guard: newest row is in the future relative to `now` ⇒ the
-  // system clock can't be trusted, don't delete on it.
-  if (before.mx != null && now < before.mx) {
-    return { skipped: true, reason: `clock-backward (now ${now} < max ts ${before.mx})` };
+  // Clock-suspect guard. A genuine backward clock makes a LARGE fraction of rows
+  // read as "future" relative to `now` — pruning under it would delete recent
+  // data. But a SINGLE skewed/imported future row must NOT disable pruning, so
+  // this is fraction-based, not max(ts)-based (review finding #3: one outlier
+  // poisoning MAX(ts) silently stopped all pruning).
+  const future = rawDb.prepare('SELECT count(*) c FROM events WHERE ts > ?').get(now + CLOCK_SKEW_TOLERANCE_MS).c;
+  if (future > 0 && future / totalBefore > policy.maxDeleteFraction) {
+    return { skipped: true, reason: `clock-suspect (${future}/${totalBefore} rows future-dated > ${policy.maxDeleteFraction})` };
   }
 
   const diagCut = now - policy.diagnosticDays * DAY_MS;
   const defCut = now - policy.defaultDays * DAY_MS;
 
-  // Default-bucket predicate: old AND not diagnostic AND not keep-forever.
-  // Explicit ?-placeholders — better-sqlite3 does NOT expand a JS array from one
-  // param, and `NOT IN (…, NULL)` is a 3-valued-logic trap. validatePolicy
-  // already guarantees no NULL members.
+  // Default-bucket predicate (for the actual bulk delete): old AND not diagnostic
+  // AND not keep-forever. Explicit ?-placeholders — better-sqlite3 does NOT expand
+  // a JS array from one param, and `NOT IN (…, NULL)` is a 3-valued-logic trap;
+  // validatePolicy already guarantees no NULL members.
   const excluded = [...diagSet, ...keepSet];
   const ph = excluded.map(() => '?').join(',');
   const defWhere = `ts < ?${excluded.length ? ` AND kind NOT IN (${ph})` : ''}`;
 
   // ---- estimate (drives dryRun + the mass-delete guard) ----
-  const estDefault = rawDb.prepare(`SELECT count(*) c FROM events WHERE ${defWhere}`).get(defCut, ...excluded).c;
-  let estDiag = 0;
-  const diagCountStmt = rawDb.prepare('SELECT count(*) c FROM events WHERE kind = ? AND ts < ?');
-  for (const k of diagSet) estDiag += diagCountStmt.get(k, diagCut).c;
+  // Per-kind so the cap estimate counts SURVIVORS after the time-delete, not raw
+  // counts. Otherwise a kind that is both old AND over-cap is counted twice
+  // (time bucket + cap bucket), inflating estTotal past the real delete count and
+  // tripping the mass-delete guard against the exact high-volume prune it exists
+  // for — self-defeating (review finding #1). Each row is counted at most once.
+  const cntOlder = rawDb.prepare('SELECT count(*) c FROM events WHERE kind = ? AND ts < ?');
   const kinds = rawDb.prepare('SELECT kind, count(*) c FROM events GROUP BY kind').all();
+  let estDefault = 0;
+  let estDiag = 0;
   let estCap = 0;
-  for (const { c } of kinds) if (c > policy.maxPerKind) estCap += c - policy.maxPerKind;
+  for (const { kind, c } of kinds) {
+    let timeDel = 0;
+    if (keepSet.has(kind)) {
+      timeDel = 0; // keep-forever: no time delete
+    } else if (diagSet.has(kind)) {
+      timeDel = cntOlder.get(kind, diagCut).c; estDiag += timeDel;
+    } else {
+      timeDel = cntOlder.get(kind, defCut).c; estDefault += timeDel;
+    }
+    const survivors = c - timeDel;
+    if (survivors > policy.maxPerKind) estCap += survivors - policy.maxPerKind;
+  }
   const estTotal = estDefault + estDiag + estCap;
 
   // dryRun returns the preview regardless of the mass-delete guard (you want to

package/lib/db/pairings.js

@@ -190,13 +190,22 @@ function createStore(rawDb, now = () => Date.now()) {
         return { ok: false, reason: 'wrong-chat' };
       }
 
+      // Every pairing MUST be chat-scoped. A chat_id=NULL pairing bypasses
+      // requireMention in EVERY group the bot is in — the all-chats footgun that
+      // let a colleague (Lin) trigger shumabit in the UMI working group without a
+      // mention (2026-06-16). Scope to the code's chat if it was issued scoped,
+      // else to the chat where it's redeemed. If neither exists, refuse (and DON'T
+      // consume the code) rather than create a global pairing.
+      const pairChatId = row.chat_id || (chat_id != null ? String(chat_id) : null);
+      if (!pairChatId) return { ok: false, reason: 'no-chat-scope' };
+
       const tx = rawDb.transaction(() => {
         const upd = markCodeUsedStmt.run({ code: norm, user_id: claimer_user_id, ts: now() });
         if (upd.changes === 0) throw new Error('race: code claimed by another user');
         insertPairingStmt.run({
           bot_name: row.bot_name,
           user_id: claimer_user_id,
-          chat_id: row.chat_id || null,
+          chat_id: pairChatId,
           granted_ts: now(),
           granted_by_user_id: row.issued_by_user_id,
           note: row.note,
@@ -211,7 +220,7 @@ function createStore(rawDb, now = () => Date.now()) {
       return {
         ok: true,
         bot_name: row.bot_name,
-        chat_id: row.chat_id,
+        chat_id: pairChatId,
         scope: row.scope,
         note: row.note,
       };

package/lib/handlers/slash-commands.js

@@ -286,7 +286,7 @@ function createSlashCommands({
           chat_id: out.chat_id, note: out.note,
         });
         const ttlLabel = args.ttl || '10m';
-        const chatLabel = out.chat_id ? `chat ${out.chat_id}` : 'any chat';
+        const chatLabel = out.chat_id ? `chat ${out.chat_id}` : 'the chat where it is redeemed';
         await sendReply(
           `Code: ${out.code}\nexpires: ${ttlLabel}\nscope: ${out.scope} (${chatLabel})${out.note ? `\nnote: ${out.note}` : ''}\n\nShare with user:\n/pair ${out.code}`,
         );
@@ -341,7 +341,7 @@ function createSlashCommands({
         ok: res.ok, reason: res.reason,
       });
       if (res.ok) {
-        const chatLabel = res.chat_id ? `chat ${res.chat_id}` : `every chat ${botName} is in`;
+        const chatLabel = res.chat_id ? `chat ${res.chat_id}` : 'this chat';
         await sendReply(`Paired. You can use me in ${chatLabel}.${res.note ? `\n(${res.note})` : ''}`);
         return true;
       }

package/lib/history-preload.js

@@ -57,6 +57,19 @@ function formatRow(row) {
   return `[${ts}] ${who}: ${prefix}${text}`;
 }
 
+/**
+ * The `<polygram-history …>` opening tag. All string attribute values are
+ * xmlEscaped — defense-in-depth, matching lib/prompt.js's convention. Today
+ * chat_id/thread_id are Telegram integers and since is a constant ('7d'), so
+ * this isn't currently exploitable, but the #10 body-escape fix shouldn't leave
+ * the attribute axis as the one unescaped breakout sink. `count` is rows.length
+ * (a number) — no escape needed.
+ */
+function openTag(chatId, threadId, count, since) {
+  const t = threadId ? ` thread_id="${xmlEscape(threadId)}"` : '';
+  return `<polygram-history chat_id="${xmlEscape(chatId)}"${t} preloaded="${count}" since="${xmlEscape(since)}">`;
+}
+
 /**
  * Build the SessionStart hook callback.
  *
@@ -122,7 +135,7 @@ function makeSessionStartHook({
       const lines = rows.map(formatRow).join('\n');
 
       const additionalContext = [
-        `<polygram-history chat_id="${chatId}"${threadId ? ` thread_id="${threadId}"` : ''} preloaded="${rows.length}" since="${since}">`,
+        openTag(chatId, threadId, rows.length, since),
         lines,
         `</polygram-history>`,
         '',
@@ -208,9 +221,8 @@ function buildHistoryBlock({
   }
   if (rows.length === 0) return '';
   const lines = rows.map(formatRow).join('\n');
-  const attrs = `chat_id="${chatId}"${threadId ? ` thread_id="${threadId}"` : ''} preloaded="${rows.length}" since="${since}"`;
   return [
-    `<polygram-history ${attrs}>`,
+    openTag(chatId, threadId, rows.length, since),
     lines,
     `</polygram-history>`,
     '',
@@ -228,6 +240,7 @@ module.exports = {
   buildHistoryBlock,
   // Internals for tests
   _formatRow: formatRow,
+  _openTag: openTag,
   DEFAULT_PRELOAD_LIMIT,
   DEFAULT_PRELOAD_SINCE,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.7",
+  "version": "0.12.9",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {

package/skills/history/scripts/query.js

@@ -21,7 +21,14 @@ const fs = require('fs');
 const path = require('path');
 const Database = require('better-sqlite3');
 
-const history = require('../lib/history');
+// The history helpers live at the PACKAGE ROOT lib/ (one source of truth, shared
+// with the daemon's history-preload) — NOT a skill-local copy. The old
+// `../lib/history` pointed at skills/history/lib/history.js, which has never
+// existed in the repo or the published package, so EVERY `query.js` invocation
+// crashed with MODULE_NOT_FOUND (the history skill was entirely non-functional;
+// found in the 0.12.5–0.12.7 ultra-review). `../../../lib` = <pkg-root>/lib in
+// both the repo and the npm install (which ships skills/ + lib/ as siblings).
+const history = require('../../../lib/history');
 
 const POLYGRAM_DIR = process.env.POLYGRAM_DIR || path.resolve(__dirname, '../../../../polygram');
 const CONFIG_PATH = process.env.POLYGRAM_CONFIG || path.join(POLYGRAM_DIR, 'config.json');
@@ -281,4 +288,8 @@ function main() {
   }
 }
 
-main();
+// Exported for tests (the #4 scope-derivation security boundary needs a
+// regression pin). Only auto-run when invoked as the CLI, not when require()'d.
+module.exports = { deriveBotScope, resolveDbPaths, loadConfig };
+
+if (require.main === module) main();