polygram 0.12.8 → 0.12.10

package/lib/db/pairings.js

@@ -190,13 +190,22 @@ function createStore(rawDb, now = () => Date.now()) {
         return { ok: false, reason: 'wrong-chat' };
       }
 
+      // Every pairing MUST be chat-scoped. A chat_id=NULL pairing bypasses
+      // requireMention in EVERY group the bot is in — the all-chats footgun that
+      // let a colleague (Lin) trigger shumabit in the UMI working group without a
+      // mention (2026-06-16). Scope to the code's chat if it was issued scoped,
+      // else to the chat where it's redeemed. If neither exists, refuse (and DON'T
+      // consume the code) rather than create a global pairing.
+      const pairChatId = row.chat_id || (chat_id != null ? String(chat_id) : null);
+      if (!pairChatId) return { ok: false, reason: 'no-chat-scope' };
+
       const tx = rawDb.transaction(() => {
         const upd = markCodeUsedStmt.run({ code: norm, user_id: claimer_user_id, ts: now() });
         if (upd.changes === 0) throw new Error('race: code claimed by another user');
         insertPairingStmt.run({
           bot_name: row.bot_name,
           user_id: claimer_user_id,
-          chat_id: row.chat_id || null,
+          chat_id: pairChatId,
           granted_ts: now(),
           granted_by_user_id: row.issued_by_user_id,
           note: row.note,
@@ -211,7 +220,7 @@ function createStore(rawDb, now = () => Date.now()) {
       return {
         ok: true,
         bot_name: row.bot_name,
-        chat_id: row.chat_id,
+        chat_id: pairChatId,
         scope: row.scope,
         note: row.note,
       };

package/lib/handlers/slash-commands.js

@@ -286,7 +286,7 @@ function createSlashCommands({
           chat_id: out.chat_id, note: out.note,
         });
         const ttlLabel = args.ttl || '10m';
-        const chatLabel = out.chat_id ? `chat ${out.chat_id}` : 'any chat';
+        const chatLabel = out.chat_id ? `chat ${out.chat_id}` : 'the chat where it is redeemed';
         await sendReply(
           `Code: ${out.code}\nexpires: ${ttlLabel}\nscope: ${out.scope} (${chatLabel})${out.note ? `\nnote: ${out.note}` : ''}\n\nShare with user:\n/pair ${out.code}`,
         );
@@ -341,7 +341,7 @@ function createSlashCommands({
         ok: res.ok, reason: res.reason,
       });
       if (res.ok) {
-        const chatLabel = res.chat_id ? `chat ${res.chat_id}` : `every chat ${botName} is in`;
+        const chatLabel = res.chat_id ? `chat ${res.chat_id}` : 'this chat';
         await sendReply(`Paired. You can use me in ${chatLabel}.${res.note ? `\n(${res.note})` : ''}`);
         return true;
       }

package/lib/process/cli-process.js

@@ -807,8 +807,12 @@ class CliProcess extends Process {
       '### Sending FILES (tracks, images, docs) to the user',
       '',
       'The `mcp__polygram-bridge__reply` tool takes an optional `files` array of',
-      'absolute paths. This is the ONLY way to send a file. Do NOT use Bash,',
-      'curl, the Telegram Bot API, or polygram-ipc to send files — those fail.',
+      'absolute paths. This is the ONLY correct way to send a file: reply delivers',
+      "it to the user's CURRENT topic/thread automatically. Do NOT use Bash, curl,",
+      'the Telegram Bot API, or polygram-ipc to send files: they do NOT know your',
+      'current thread, so they deliver to the WRONG topic (and skip size/safety',
+      'checks). A raw Bot API call may LOOK like it worked — the upload returns 200 —',
+      "but it lands in the wrong topic the user isn't looking at. Always use reply(files).",
       '',
       ...(this.attachmentStagingDir ? [
         `To send a file: COPY it into the staging dir \`${this.attachmentStagingDir}\`,`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.12.8",
+  "version": "0.12.10",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc/client.js",
   "bin": {