polygram 0.8.0-rc.25 → 0.8.0-rc.26

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/plugin.schema.json",
   "name": "polygram",
-  "version": "0.8.0-rc.25",
+  "version": "0.8.0-rc.26",
   "description": "Telegram integration for Claude Code that preserves the OpenClaw per-chat session model. Migration target for OpenClaw users. Multi-bot, multi-chat, per-topic isolation; SQLite transcripts; inline-keyboard approvals. Bundles /polygram:status|logs|pair-code|approvals admin commands and a history skill.",
   "keywords": [
     "telegram",

package/lib/abort-grace.js

@@ -0,0 +1,62 @@
+/**
+ * Abort-grace tracker — per-session timestamps marking "user just
+ * /stop'd this session, suppress the next batch of generic error
+ * replies".
+ *
+ * Why this exists: when the user types /stop (or natural-language
+ * "стоп"), polygram calls pm.kill(sessionKey). The kill SIGTERM's
+ * the in-flight process — every pending in the queue rejects with
+ * "Process killed" or INTERRUPTED. WITHOUT abort-grace, polygram
+ * would post "💥 Hit a snag" for each rejected pending, even though
+ * the user already saw the /stop ack and these errors are caused
+ * by their own action.
+ *
+ * Timestamp model (vs the earlier "delete after first read" Set):
+ * a single /stop can drain many pendings, so we mark a TS and let
+ * every error within ABORT_GRACE_MS see "yes, aborted, stay quiet".
+ *
+ * Closes v6 plan §7.1 G11 unit gate.
+ */
+
+'use strict';
+
+const DEFAULT_ABORT_GRACE_MS = 15_000;
+
+/**
+ * @param {object} [opts]
+ * @param {number} [opts.windowMs]   — grace window (default 15s)
+ * @param {() => number} [opts.now]  — clock injection for tests
+ */
+function createAbortGrace({ windowMs = DEFAULT_ABORT_GRACE_MS, now = () => Date.now() } = {}) {
+  const aborted = new Map();        // sessionKey → ts of abort
+
+  function mark(sessionKey) {
+    if (!sessionKey) return;
+    const ts = now();
+    aborted.set(sessionKey, ts);
+    // Sweep old entries opportunistically. Use 2× window so a
+    // session that's marked-and-checked at the boundary doesn't
+    // disappear before the check completes.
+    for (const [k, t] of aborted) {
+      if (ts - t > windowMs * 2) aborted.delete(k);
+    }
+  }
+
+  function isRecent(sessionKey) {
+    const ts = aborted.get(sessionKey);
+    return ts != null && (now() - ts) < windowMs;
+  }
+
+  function clear(sessionKey) {
+    aborted.delete(sessionKey);
+  }
+
+  return {
+    mark,
+    isRecent,
+    clear,
+    get size() { return aborted.size; },
+  };
+}
+
+module.exports = { createAbortGrace, DEFAULT_ABORT_GRACE_MS };

package/lib/agent-loader.js

@@ -43,7 +43,23 @@ const cache = new Map();                       // cacheKey → AgentBundle
 
 // Resolve agent file by checking each search path in order.
 // Returns { kind: 'file'|'dir', path, dir | null } or null.
+// Restrict agent names to a conservative charset so they can't
+// path-traverse out of the `.claude/agents/` directory. Pre-fix, an
+// agent name like `../../etc/passwd` silently resolved to whatever
+// existed at that path, loading arbitrary file content as the
+// system prompt. Chat configs are operator-controlled (not user
+// input), so the practical threat is operator typos — but pinning
+// the contract removes the foot-gun.
+//
+// Allowed: alphanumerics, hyphen, underscore, single dots inside
+// (e.g. "shumabit-finance.v2"). Forbidden: leading/trailing dot,
+// consecutive dots, slashes, NUL.
+const AGENT_NAME_RE = /^[A-Za-z0-9_]+(?:[.-][A-Za-z0-9_]+)*$/;
+
 function resolveAgentLocation(agentName, homeDir, cwd) {
+  if (typeof agentName !== 'string' || !AGENT_NAME_RE.test(agentName)) {
+    return null;
+  }
   const fileCandidates = [];
   if (cwd) fileCandidates.push(path.join(cwd, '.claude', 'agents', agentName + '.md'));
   fileCandidates.push(path.join(homeDir, '.claude', 'agents', agentName + '.md'));

package/lib/approval-waiters.js

@@ -110,6 +110,13 @@ function createApprovalWaiters({
         parkedAt: Date.now(),
         sessionKey,
       });
+
+      // If the signal was ALREADY aborted before we attached the
+      // listener, addEventListener never fires — the waiter would
+      // sit in the map until timeout-sweep / shutdown picked it up.
+      // Trigger the cleanup manually so the parked promise rejects
+      // immediately (matches "abort fired during park" semantics).
+      if (signal && signal.aborted) sigCleanup();
     });
   }
 

package/lib/canonical-json.js

@@ -31,11 +31,29 @@ function canonicalizeToolInput(input) {
   if (input == null || typeof input !== 'object') {
     return JSON.stringify(input);
   }
+  // Track in-flight (currently-on-stack) nodes to detect circular
+  // references. WeakSet membership marks "we are still inside this
+  // node"; we drop the entry after finishing recursion so DAG
+  // shapes (shared subtrees that aren't cycles) round-trip fine.
+  // Pre-fix sortRec recursed forever on `{a: 1, self: <self>}`
+  // and crashed the daemon — DoS path if any tool ever produces
+  // self-referencing input. Now throws a clean TypeError matching
+  // JSON.stringify's own "Converting circular structure to JSON".
+  const onStack = new WeakSet();
   const sortRec = (v) => {
-    if (Array.isArray(v)) return v.map(sortRec);
+    if (Array.isArray(v)) {
+      if (onStack.has(v)) throw new TypeError('Converting circular structure to JSON');
+      onStack.add(v);
+      const result = v.map(sortRec);
+      onStack.delete(v);
+      return result;
+    }
     if (v == null || typeof v !== 'object') return v;
+    if (onStack.has(v)) throw new TypeError('Converting circular structure to JSON');
+    onStack.add(v);
     const out = {};
     for (const k of Object.keys(v).sort()) out[k] = sortRec(v[k]);
+    onStack.delete(v);
     return out;
   };
   return JSON.stringify(sortRec(input));

package/lib/pm-router.js

@@ -73,6 +73,33 @@ function makeRouterPolicy({ useSdkAll = false, sdkChats = [], getChatIdFromKey }
  * @param {object|null} opts.sdkPm
  * @param {(sessionKey: string) => 'sdk'|'cli'} opts.pickPmKindFor
  */
+/**
+ * Broadcast helper for killChat / shutdown. Awaits every task to
+ * settlement (success OR rejection), then throws an aggregate error
+ * if any task rejected. Single rejections re-throw the original
+ * error untouched (no AggregateError noise); multiple rejections
+ * surface as `AggregateError` with all causes preserved.
+ *
+ * Each task entry is `[label, () => Promise]`; the label appears in
+ * AggregateError messages so a debugger can tell which pm failed.
+ */
+async function broadcastSettle(method, tasks) {
+  const results = await Promise.allSettled(tasks.map(([, fn]) => fn()));
+  const errors = [];
+  results.forEach((r, i) => {
+    if (r.status === 'rejected') {
+      const tag = tasks[i][0];
+      const err = r.reason instanceof Error ? r.reason : new Error(String(r.reason));
+      err.pmTag = tag;
+      errors.push(err);
+    }
+  });
+  if (errors.length === 1) throw errors[0];
+  if (errors.length > 1) {
+    throw new AggregateError(errors, `${method} failed in ${errors.length} pms`);
+  }
+}
+
 function createPmRouter({ cliPm, sdkPm = null, pickPmKindFor } = {}) {
   if (!cliPm) throw new TypeError('cliPm required');
   if (typeof pickPmKindFor !== 'function') {
@@ -98,15 +125,20 @@ function createPmRouter({ cliPm, sdkPm = null, pickPmKindFor } = {}) {
 
     // Lifecycle methods broadcast to both pms because a chat may
     // have spawned sessions on either side at different times.
-    async killChat(chatId) {
-      const tasks = [cliPm.killChat(chatId)];
-      if (sdkPm) tasks.push(sdkPm.killChat(chatId));
-      await Promise.all(tasks);
+    // Promise.allSettled (NOT Promise.all) so a rejection from one
+    // pm doesn't abandon the other mid-tear-down. Both must always
+    // complete; we then surface aggregated errors. Pre-fix, a cliPm
+    // rejection let sdkPm's Query.close() get GC'd with handles
+    // still open.
+    killChat(chatId) {
+      const tasks = [['cli', () => cliPm.killChat(chatId)]];
+      if (sdkPm) tasks.push(['sdk', () => sdkPm.killChat(chatId)]);
+      return broadcastSettle('killChat', tasks);
     },
-    async shutdown() {
-      const tasks = [cliPm.shutdown()];
-      if (sdkPm) tasks.push(sdkPm.shutdown());
-      await Promise.all(tasks);
+    shutdown() {
+      const tasks = [['cli', () => cliPm.shutdown()]];
+      if (sdkPm) tasks.push(['sdk', () => sdkPm.shutdown()]);
+      return broadcastSettle('shutdown', tasks);
     },
 
     // Optional methods — forward when the routed pm implements

package/lib/process-manager-sdk.js

@@ -224,6 +224,9 @@ class ProcessManagerSdk {
   // ─── Spawn / pool ────────────────────────────────────────────────
 
   async getOrSpawn(sessionKey, spawnContext) {
+    if (this._shuttingDown) {
+      throw new Error('shutdown');
+    }
     const existing = this.procs.get(sessionKey);
     if (existing && !existing.closed) return existing;
 
@@ -232,6 +235,7 @@ class ProcessManagerSdk {
       if (!evicted) {
         // All entries in-flight — park.
         await this._awaitLruSlot();
+        if (this._shuttingDown) throw new Error('shutdown');
         return this.getOrSpawn(sessionKey, spawnContext);
       }
     }
@@ -899,18 +903,23 @@ class ProcessManagerSdk {
   }
 
   async shutdown() {
+    // Set flag FIRST so any LRU-waiter unparked by _closeEntry's
+    // iteration-finally doesn't recurse into a fresh spawn (which
+    // would leave an orphaned entry after `procs.clear()` below).
+    // Reject parked waiters immediately so their getOrSpawn callers
+    // unwind cleanly rather than racing the shutdown.
+    this._shuttingDown = true;
+    while (this._lruWaiters.length) {
+      const w = this._lruWaiters.shift();
+      clearTimeout(w.timer);
+      w.reject(new Error('shutdown'));
+    }
     const entries = [...this.procs.values()];
     await Promise.allSettled(entries.map((e) => {
       this.drainQueue(e.sessionKey, 'SHUTDOWN');
       return this._closeEntry(e, 'shutdown');
     }));
     this.procs.clear();
-    // Reject any remaining LRU waiters.
-    while (this._lruWaiters.length) {
-      const w = this._lruWaiters.shift();
-      clearTimeout(w.timer);
-      w.reject(new Error('shutdown'));
-    }
   }
 
   // ─── Helpers ────────────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "polygram",
-  "version": "0.8.0-rc.25",
+  "version": "0.8.0-rc.26",
   "description": "Telegram daemon for Claude Code that preserves the OpenClaw per-chat session model. Migration path for OpenClaw users moving to Claude Code.",
   "main": "lib/ipc-client.js",
   "bin": {

package/polygram.js

@@ -44,6 +44,7 @@ const {
 const { makeSessionStartHook } = require('./lib/history-preload');
 const { formatContextReply, maybeContextFullHint } = require('./lib/context-format');
 const { appendDisplayHint, appendDisplayHintCliArgs } = require('./lib/telegram-prompt');
+const { createAbortGrace } = require('./lib/abort-grace');
 const agentLoader = require('./lib/agent-loader');
 const USE_SDK = process.env.POLYGRAM_USE_SDK === '1';
 const { createSender } = require('./lib/telegram');
@@ -1101,30 +1102,16 @@ function errorReplyText(err) {
   return userMessage; // may be null — caller must handle
 }
 
-// Sessions the operator just /stop'd (or natural-language "стоп"). Keyed
-// by sessionKey → timestamp of abort. ANY pending that rejects within
-// ABORT_GRACE_MS of the mark is considered abort-caused — its generic
-// error reply is suppressed and the streamer warning is skipped.
-//
-// Timestamp model (vs the earlier "delete after first read" Set) fixes
-// the case where multiple pendings were in-flight at abort time: all of
-// them reject with "Process killed", all of them should be silent, not
-// just the first one.
-const ABORT_GRACE_MS = 15_000;
-const abortedSessions = new Map();
-
-function markSessionAborted(sessionKey) {
-  abortedSessions.set(sessionKey, Date.now());
-  // Sweep old entries opportunistically.
-  for (const [k, ts] of abortedSessions) {
-    if (Date.now() - ts > ABORT_GRACE_MS * 2) abortedSessions.delete(k);
-  }
-}
+// Sessions the operator just /stop'd (or natural-language "стоп").
+// rc.25: extracted to lib/abort-grace.js so the timestamp/window
+// logic has its own unit tests. Behaviour identical: any pending
+// rejected within the grace window is considered abort-caused —
+// its generic error reply is suppressed and the streamer warning
+// is skipped.
+const abortGrace = createAbortGrace();
 
-function isSessionRecentlyAborted(sessionKey) {
-  const ts = abortedSessions.get(sessionKey);
-  return ts != null && (Date.now() - ts) < ABORT_GRACE_MS;
-}
+function markSessionAborted(sessionKey) { abortGrace.mark(sessionKey); }
+function isSessionRecentlyAborted(sessionKey) { return abortGrace.isRecent(sessionKey); }
 
 // Called by bot.on('message') for every regular (non-admin, non-pair)
 // message. Runs handleMessage in a fire-and-forget manner with centralised