polygram 0.6.4 → 0.6.6

package/lib/db.js

@@ -337,10 +337,23 @@ function wrap(db) {
     // Dedupe check: did we already send an outbound reply to this inbound?
     // Prevents double-processing if a redelivered/replayed message has
     // already been answered.
+    //
+    // We also count rows in the special 'failed crashed-mid-send' state
+    // as "probably sent" for dedupe. Those rows were created when polygram
+    // crashed AFTER inserting the pending row but before marking it sent
+    // — the API call may or may not have actually reached Telegram. The
+    // boot-time markStalePending sweep flips them to 'failed' with the
+    // 'crashed-mid-send' sentinel error. Treating them as un-replied
+    // (status='sent' only) caused boot replay to re-dispatch and Telegram
+    // delivered the SAME answer twice. Treating them as replied risks the
+    // opposite (the user never got a reply because the API truly failed
+    // before reaching Telegram), but a missed reply is recoverable —
+    // the user resends — while a duplicate reply is not.
     hasOutboundReplyTo({ chat_id, msg_id }) {
       const row = db.prepare(`
         SELECT 1 FROM messages
-         WHERE chat_id = ? AND direction = 'out' AND reply_to_id = ? AND status = 'sent'
+         WHERE chat_id = ? AND direction = 'out' AND reply_to_id = ?
+           AND (status = 'sent' OR (status = 'failed' AND error = 'crashed-mid-send'))
          LIMIT 1
       `).get(chat_id, msg_id);
       return !!row;

package/lib/prompt.js

@@ -32,17 +32,6 @@ function truncateReplyText(s, max = REPLY_TO_MAX_CHARS) {
   return `${s.slice(0, head)}…${s.slice(-tail)}`;
 }
 
-/**
- * Attachment summary for reply-to (never embed full content).
- */
-function summarizeReplyAttachments(attachmentsJson) {
-  if (!attachmentsJson) return '';
-  let items;
-  try { items = JSON.parse(attachmentsJson); } catch { return ''; }
-  if (!Array.isArray(items) || !items.length) return '';
-  return items.map((a) => `[${a.kind}: ${a.name}]`).join(' ');
-}
-
 /**
  * Build a reply-to block. Callers pass either:
  *   - { telegram: msg.reply_to_message } (canonical Telegram payload), or
@@ -71,15 +60,22 @@ ${xmlEscape(body)}
   }
 
   if (dbRow) {
+    // Attachment summary for the reply-to block used to read
+    // dbRow.attachments_json, but that column was dropped in migration
+    // 008. Per-attachment rows live in the `attachments` table now;
+    // building a summary here would need a separate join. For reply-to
+    // context Claude already sees the canonical Telegram payload via
+    // the `telegram` branch above (the DB-row path is only the fallback
+    // for resurrected/replayed messages where the live payload is
+    // unavailable). Skipping the summary here is acceptable — text
+    // alone is enough context for "this is what they replied to".
     const ts = dbRow.ts ? new Date(dbRow.ts).toISOString() : '';
     const text = truncateReplyText(dbRow.text || '');
-    const attachSummary = summarizeReplyAttachments(dbRow.attachments_json);
-    const body = [text, attachSummary].filter(Boolean).join('\n');
     const editedAttr = dbRow.edited_ts
       ? ` edited_ts="${new Date(dbRow.edited_ts).toISOString()}"`
       : '';
     return `<reply_to msg_id="${dbRow.msg_id}" user="${xmlEscape(dbRow.user || 'Unknown')}" ts="${ts}"${editedAttr} source="bridge-db">
-${xmlEscape(body)}
+${xmlEscape(text)}
 </reply_to>`;
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.6.4",
+  "version": "0.6.6",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc-client.js",
   "bin": {

package/polygram.js

@@ -487,7 +487,15 @@ async function downloadAttachments(bot, token, chatId, msg, rows) {
       // <attachment-failed reason="..." /> so claude tells the user
       // "I couldn't see your <kind>" instead of pretending it received
       // text only.
-      const reason = (err.message || 'unknown').slice(0, 200);
+      //
+      // Token redaction: the fetch URL embeds bot${TOKEN} (Telegram CDN
+      // requirement) and some undici/network error variants stringify
+      // the request including the URL into err.message. Persisting that
+      // raw to attachments.download_error or stderr would leak the bot
+      // token to anyone with DB or log access. Strip any `bot<token>`
+      // pattern from the reason before storing/logging.
+      const raw = (err.message || 'unknown').slice(0, 200);
+      const reason = raw.replace(/bot\d+:[A-Za-z0-9_-]+/g, 'bot<redacted>');
       console.error(`[attach] download failed for ${att.name}: ${reason}`);
       results.push({ ...att, path: null, error: reason });
       dbWrite(() => db.markAttachmentFailed(att.id, reason),
@@ -756,12 +764,6 @@ function dispatchHandleMessage(sessionKey, chatId, msg, bot) {
   });
 }
 
-// drainQueuesForChat is retained as a no-op for backwards compat with
-// call sites in /model, /effort, chat-migration, and abort handlers.
-// Returns 0 always; a drain isn't meaningful in the concurrent model —
-// callers that want to abort should rely on pm.killChat.
-const drainQueuesForChat = (_chatId) => 0;
-
 // Per-session lock ordering stdin writes. Module is I/O-pure.
 const stdinLock = createAsyncLock();
 
@@ -1161,17 +1163,17 @@ async function handleConfigCallback(ctx) {
     user: cmdUser, user_id: cmdUserId, source: 'inline-button',
   }), `log ${setting} change`);
 
-  // Graceful respawn across all sessionKeys for this chat (matches the
-  // text-command flow in handleMessage).
+  // Graceful respawn of the topic's session that the card is in. With
+  // isolateTopics=false sessionKey is the chat (one shared session). With
+  // isolateTopics=true sessionKey carries the topic, so other topics'
+  // in-flight turns are not disturbed and the card update + button toast
+  // only affect the user's own context. Mirrors the text-command flow in
+  // handleMessage's requestRespawnForSession.
+  const callbackThreadId = ctx.callbackQuery.message?.message_thread_id?.toString() || null;
+  const callbackSessionKey = getSessionKey(chatId, callbackThreadId, chatConfig);
   const reason = setting === 'model' ? 'model-change' : 'effort-change';
-  const prefix = chatId;
-  let anyActive = false;
-  for (const key of pm.keys()) {
-    if (key === prefix || key.startsWith(prefix + ':')) {
-      const res = pm.requestRespawn(key, reason);
-      if (!res.killed) anyActive = true;
-    }
-  }
+  const respawn = pm.requestRespawn(callbackSessionKey, reason);
+  const anyActive = !respawn.killed;
 
   // Re-render the card with updated ✓ + the same help text shown initially.
   // Detect original card type (model-only / effort-only / both) by counting
@@ -1307,23 +1309,17 @@ async function handleMessage(sessionKey, chatId, msg, bot) {
     await sendReply(info, { params: { reply_markup } });
     return;
   }
-  // Helper: request respawn across ALL sessionKeys owned by this chat (one
-  // per topic if isolateTopics=true, otherwise just the single chat-level
-  // key). Graceful: in-flight turns drain on old settings, new turns use
-  // the new settings. Returns total pending turns across all keys so the
-  // reply can tell the user.
-  const requestRespawnForChat = (reason) => {
-    const prefix = String(chatId);
-    let totalQueued = 0;
-    let anyActive = false;
-    for (const key of pm.keys()) {
-      if (key === prefix || key.startsWith(prefix + ':')) {
-        const res = pm.requestRespawn(key, reason);
-        totalQueued += res.queued;
-        if (!res.killed) anyActive = true;
-      }
-    }
-    return { queued: totalQueued, anyActive };
+  // Graceful respawn of the user's CURRENT session only. With
+  // isolateTopics=false the sessionKey is just the chat (one shared
+  // session for the whole chat — every topic respawns implicitly).
+  // With isolateTopics=true each topic is a separate session, and a
+  // /model in topic A should NOT disturb topic B's in-flight turn or
+  // post a phantom "✓ Using sonnet now" in a topic that didn't ask.
+  // Pre-0.6.5 this iterated pm.keys() by chat prefix and incorrectly
+  // fanned out across all topics under isolateTopics=true.
+  const requestRespawnForSession = (reason) => {
+    const res = pm.requestRespawn(sessionKey, reason);
+    return { queued: res.queued, anyActive: !res.killed };
   };
 
   if (botAllowsCommands && text.startsWith('/model ')) {
@@ -1337,7 +1333,7 @@ async function handleMessage(sessionKey, chatId, msg, bot) {
         old_value: oldModel, new_value: newModel,
         user: cmdUser, user_id: cmdUserId, source: 'command',
       }), 'log model change');
-      const { anyActive } = requestRespawnForChat('model-change');
+      const { anyActive } = requestRespawnForSession('model-change');
       const ver = MODEL_VERSIONS[newModel] || newModel;
       const suffix = anyActive ? ` — I'll switch when I finish` : '';
       await sendReply(`Model → ${newModel} (${ver})${suffix}`);
@@ -1357,7 +1353,7 @@ async function handleMessage(sessionKey, chatId, msg, bot) {
         old_value: oldEffort, new_value: newEffort,
         user: cmdUser, user_id: cmdUserId, source: 'command',
       }), 'log effort change');
-      const { anyActive } = requestRespawnForChat('effort-change');
+      const { anyActive } = requestRespawnForSession('effort-change');
       const suffix = anyActive ? ` — I'll switch when I finish` : '';
       await sendReply(`Effort → ${newEffort}${suffix}`);
     } else {
@@ -1507,7 +1503,19 @@ async function handleMessage(sessionKey, chatId, msg, bot) {
         chat_id: chatId, text: `Attachment(s) skipped: ${summary.slice(0, 300)}`,
         ...replyOpts(threadId),
       }, { source: 'attachment-skipped', botName: BOT_NAME });
-    } catch {}
+    } catch (err) {
+      // Surface the failure: claude is about to reply as if the photo
+      // was processed (because filterAttachments dropped it before
+      // download), and the user would otherwise have no signal that
+      // their attachment was rejected. They'd assume claude saw it
+      // and is just answering oddly.
+      console.error(`[${label}] failed to notify user of skipped attachments: ${err.message}`);
+      dbWrite(() => db.logEvent('attachment-skip-notice-failed', {
+        chat_id: chatId, msg_id: msg.message_id,
+        error: err.message?.slice(0, 200),
+        rejected_count: rejected.length,
+      }), 'log attachment-skip-notice-failed');
+    }
   }
 
   await transcribeVoiceAttachments(downloaded, {
@@ -1870,16 +1878,24 @@ function createBot(token) {
       const threadId = msg.message_thread_id?.toString();
       const sessionKey = getSessionKey(chatId, threadId, chatConfig);
       const hadActive = pm.has(sessionKey) && !!pm.get(sessionKey)?.inFlight;
-      const dropped = drainQueuesForChat(chatId);
       // Mark BEFORE killing: the 'close' event fires almost immediately
       // after SIGTERM, and processQueue's catch needs to see the flag to
       // skip the generic error-reply. If we marked after, there'd be a
       // race where the error-reply slips through.
       if (hadActive) markSessionAborted(sessionKey);
-      await pm.killChat(chatId).catch(() => {});
+      // Kill ONLY the user's own session, not every topic in the chat.
+      // Pre-0.6.5 this was pm.killChat(chatId) which fanned out across
+      // all topics under isolateTopics=true: the user typed "stop" in
+      // topic A and the bot tore down topic B's in-flight turn, surfacing
+      // a 💥 reply to topic B's user (whose key was never marked aborted,
+      // so the abort grace window didn't apply). With isolateTopics=false
+      // the sessionKey is the chat itself, so killing one session is the
+      // same as killing the chat — behavior unchanged for the common case.
+      await pm.kill(sessionKey).catch((err) =>
+        console.error(`[${BOT_NAME}] abort kill failed: ${err.message}`));
       dbWrite(() => db.logEvent('abort-requested', {
         chat_id: chatId, user_id: msg.from?.id || null,
-        had_active: hadActive, queued_dropped: dropped,
+        had_active: hadActive,
         trigger: cleanText.slice(0, 40),
       }), 'log abort-requested');
       // Reply in the same language the user aborted in. Cyrillic-detection
@@ -2088,8 +2104,10 @@ function createBot(token) {
       config.chats[newChatId] = { ...config.chats[oldChatId] };
       delete config.chats[oldChatId];
       saveConfig();
-      const droppedMigrate = drainQueuesForChat(oldChatId);
-      if (droppedMigrate) dbWrite(() => db.logEvent('queue-drained', { chat_id: oldChatId, reason: 'chat-migrated', dropped: droppedMigrate }), 'log queue-drained');
+      // Chat migration is the one legit chat-wide kill: every session
+      // (every topic) under the old chat_id is stale and must restart
+      // under the new chat_id. Other respawn/abort paths target a
+      // single sessionKey, but here ALL sessions are invalid.
       await pm.killChat(oldChatId);
     }
   });