polygram 0.8.0-rc.4 → 0.8.0-rc.40

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "$schema": "https://anthropic.com/claude-code/plugin.schema.json",
   "name": "polygram",
-  "version": "0.8.0-rc.4",
+  "version": "0.8.0-rc.40",
   "description": "Telegram integration for Claude Code that preserves the OpenClaw per-chat session model. Migration target for OpenClaw users. Multi-bot, multi-chat, per-topic isolation; SQLite transcripts; inline-keyboard approvals. Bundles /polygram:status|logs|pair-code|approvals admin commands and a history skill.",
   "keywords": [
     "telegram",

package/lib/abort-grace.js

@@ -0,0 +1,62 @@
+/**
+ * Abort-grace tracker — per-session timestamps marking "user just
+ * /stop'd this session, suppress the next batch of generic error
+ * replies".
+ *
+ * Why this exists: when the user types /stop (or natural-language
+ * "стоп"), polygram calls pm.kill(sessionKey). The kill SIGTERM's
+ * the in-flight process — every pending in the queue rejects with
+ * "Process killed" or INTERRUPTED. WITHOUT abort-grace, polygram
+ * would post "💥 Hit a snag" for each rejected pending, even though
+ * the user already saw the /stop ack and these errors are caused
+ * by their own action.
+ *
+ * Timestamp model (vs the earlier "delete after first read" Set):
+ * a single /stop can drain many pendings, so we mark a TS and let
+ * every error within ABORT_GRACE_MS see "yes, aborted, stay quiet".
+ *
+ * Closes v6 plan §7.1 G11 unit gate.
+ */
+
+'use strict';
+
+const DEFAULT_ABORT_GRACE_MS = 15_000;
+
+/**
+ * @param {object} [opts]
+ * @param {number} [opts.windowMs]   — grace window (default 15s)
+ * @param {() => number} [opts.now]  — clock injection for tests
+ */
+function createAbortGrace({ windowMs = DEFAULT_ABORT_GRACE_MS, now = () => Date.now() } = {}) {
+  const aborted = new Map();        // sessionKey → ts of abort
+
+  function mark(sessionKey) {
+    if (!sessionKey) return;
+    const ts = now();
+    aborted.set(sessionKey, ts);
+    // Sweep old entries opportunistically. Use 2× window so a
+    // session that's marked-and-checked at the boundary doesn't
+    // disappear before the check completes.
+    for (const [k, t] of aborted) {
+      if (ts - t > windowMs * 2) aborted.delete(k);
+    }
+  }
+
+  function isRecent(sessionKey) {
+    const ts = aborted.get(sessionKey);
+    return ts != null && (now() - ts) < windowMs;
+  }
+
+  function clear(sessionKey) {
+    aborted.delete(sessionKey);
+  }
+
+  return {
+    mark,
+    isRecent,
+    clear,
+    get size() { return aborted.size; },
+  };
+}
+
+module.exports = { createAbortGrace, DEFAULT_ABORT_GRACE_MS };

package/lib/agent-loader.js

@@ -3,18 +3,26 @@
  * v4 plan §6.5.5).
  *
  * Background: today's CLI pm passes `--agent <name>` on spawn; the
- * Claude CLI then loads that agent's directory under
- * `~/.claude/agents/<name>/` (system prompt from `CLAUDE.md`,
- * skills, mcpServers from settings.json). Phase 0 gate 15 is DEFER —
- * the SDK's `Options.agents` is for in-memory subagent definitions
- * (the Task tool), NOT a "run THIS query AS this agent" mechanism.
+ * Claude CLI then loads that agent's content. Phase 0 gate 15 was
+ * DEFER — the SDK's `Options.agents` is for in-memory subagent
+ * definitions (the Task tool), NOT a "run THIS query AS this agent"
+ * mechanism. So polygram reads the agent file itself and passes its
+ * content as `systemPrompt`.
  *
- * This module provides a polygram-side loader so buildSdkOptions
- * can compose the per-chat agent's settings into the chat's
- * SdkOptions: read the agent's CLAUDE.md (system prompt), enumerate
- * its skills, pick up its mcpServers from settings.json. Then merge
- * into the per-chat SdkOptions with chat-level overrides taking
- * precedence (chatConfig wins over agent wins over defaults).
+ * Search order (rc.13+ — supports BOTH Claude Code's standard
+ * single-file convention AND polygram's pre-0.8.0 directory layout):
+ *
+ *   1. `<cwd>/.claude/agents/<name>.md`          — Claude Code project-level
+ *   2. `<homeDir>/.claude/agents/<name>.md`      — Claude Code user-level
+ *   3. `<cwd>/.claude/agents/<name>/CLAUDE.md`   — polygram convention
+ *      (also `AGENTS.md`, `system-prompt.txt`)
+ *   4. `<homeDir>/.claude/agents/<name>/CLAUDE.md` — polygram legacy
+ *      (also `AGENTS.md`, `system-prompt.txt`)
+ *
+ * Single-file Claude Code agents may have YAML frontmatter; we strip
+ * it before using the body as systemPrompt. Frontmatter `model` /
+ * `effort` are merged into the bundle.raw so composeSdkOptions can
+ * use them as agent-level defaults.
  *
  * Used by `polygram.js` `buildSdkOptions(sessionKey, ctx)` —
  * Phase 1 step 14.
@@ -31,92 +39,245 @@
 const fs = require('fs');
 const path = require('path');
 
-const cache = new Map();                       // agentName → AgentBundle
+const cache = new Map();                       // cacheKey → AgentBundle
+
+// Resolve agent file by checking each search path in order.
+// Returns { kind: 'file'|'dir', path, dir | null } or null.
+// Restrict agent names to a conservative charset so they can't
+// path-traverse out of the `.claude/agents/` directory. Pre-fix, an
+// agent name like `../../etc/passwd` silently resolved to whatever
+// existed at that path, loading arbitrary file content as the
+// system prompt. Chat configs are operator-controlled (not user
+// input), so the practical threat is operator typos — but pinning
+// the contract removes the foot-gun.
+//
+// Allowed: alphanumerics, hyphen, underscore, single dots inside
+// (e.g. "shumabit-finance.v2"). Forbidden: leading/trailing dot,
+// consecutive dots, slashes, NUL.
+const AGENT_NAME_RE = /^[A-Za-z0-9_]+(?:[.-][A-Za-z0-9_]+)*$/;
+
+function resolveAgentLocation(agentName, homeDir, cwd) {
+  if (typeof agentName !== 'string' || !AGENT_NAME_RE.test(agentName)) {
+    return null;
+  }
+  const fileCandidates = [];
+  if (cwd) fileCandidates.push(path.join(cwd, '.claude', 'agents', agentName + '.md'));
+  fileCandidates.push(path.join(homeDir, '.claude', 'agents', agentName + '.md'));
+  for (const p of fileCandidates) {
+    if (fs.existsSync(p)) return { kind: 'file', path: p, dir: null };
+  }
+  const dirCandidates = [];
+  if (cwd) dirCandidates.push(path.join(cwd, '.claude', 'agents', agentName));
+  dirCandidates.push(path.join(homeDir, '.claude', 'agents', agentName));
+  for (const d of dirCandidates) {
+    if (fs.existsSync(d) && fs.statSync(d).isDirectory()) {
+      return { kind: 'dir', path: d, dir: d };
+    }
+  }
+  return null;
+}
+
+// Strip leading YAML frontmatter (---\n...\n---\n) from markdown.
+function stripFrontmatter(content) {
+  if (typeof content !== 'string' || !content.startsWith('---\n')) return content;
+  const end = content.indexOf('\n---\n', 4);
+  if (end === -1) return content;
+  return content.slice(end + 5);
+}
+
+// Recursively expand Claude Code @<file> import directives. A line
+// starting with `@<path>` is replaced with the file's contents
+// (frontmatter stripped, imports recursively expanded). Paths
+// resolve relative to the importing file's directory FIRST, then
+// fall back to cwd. Cycle detection via visited Set.
+//
+// rc.15: pre-rc.15 the literal "@_shumabit-base.md" reached the
+// model verbatim because polygram's loader didn't process imports.
+// Symptom: agent appeared loaded but the system prompt was
+// effectively empty (just an unresolved import directive).
+function expandImports(content, importingFile, cwd, visited, logger) {
+  if (typeof content !== 'string' || !content) return content;
+  const lines = content.split('\n');
+  const out = [];
+  for (const line of lines) {
+    const m = /^@(\S+)\s*$/.exec(line);
+    if (!m) {
+      out.push(line);
+      continue;
+    }
+    const ref = m[1];
+    const importingDir = path.dirname(importingFile);
+    // Resolution order: relative to importing file's dir; relative
+    // to cwd; absolute path as-is.
+    const candidates = [];
+    if (path.isAbsolute(ref)) {
+      candidates.push(ref);
+    } else {
+      candidates.push(path.join(importingDir, ref));
+      if (cwd) candidates.push(path.join(cwd, ref));
+    }
+    let resolved = null;
+    for (const c of candidates) {
+      if (fs.existsSync(c)) { resolved = c; break; }
+    }
+    if (!resolved) {
+      logger?.warn?.(`[agent-loader] @-import not found: ${ref} (in ${importingFile})`);
+      out.push(line);
+      continue;
+    }
+    if (visited.has(resolved)) {
+      logger?.warn?.(`[agent-loader] @-import cycle: ${resolved}`);
+      continue;
+    }
+    visited.add(resolved);
+    let imported = '';
+    try {
+      imported = fs.readFileSync(resolved, 'utf8');
+    } catch (err) {
+      logger?.error?.(`[agent-loader] reading @-import ${resolved}: ${err.message}`);
+      out.push(line);
+      continue;
+    }
+    // Strip frontmatter from imported file (same convention as
+    // top-level agent file) and recursively expand its imports.
+    imported = stripFrontmatter(imported);
+    imported = expandImports(imported, resolved, cwd, visited, logger);
+    out.push(imported);
+  }
+  return out.join('\n');
+}
+
+// Parse a tiny subset of YAML frontmatter (key: value lines).
+function parseFrontmatter(content) {
+  if (typeof content !== 'string' || !content.startsWith('---\n')) return {};
+  const end = content.indexOf('\n---\n', 4);
+  if (end === -1) return {};
+  const block = content.slice(4, end);
+  const out = {};
+  for (const line of block.split('\n')) {
+    const m = /^([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*(.*)$/.exec(line);
+    if (!m) continue;
+    let v = m[2].trim();
+    if ((v.startsWith('"') && v.endsWith('"')) || (v.startsWith("'") && v.endsWith("'"))) {
+      v = v.slice(1, -1);
+    }
+    out[m[1]] = v;
+  }
+  return out;
+}
 
 /**
  * Load an agent bundle from disk.
  *
- * @param {string} agentName — e.g. 'shumabit-finance'
+ * @param {string} agentName
  * @param {object} opts
  * @param {string} [opts.homeDir] — defaults to process.env.HOME.
- *   Resolves agent at `${homeDir}/.claude/agents/${agentName}/`.
+ * @param {string} [opts.cwd] — chat's working directory; checked
+ *   FIRST for Claude Code project-level agent discovery.
  * @param {object} [opts.logger] — error logger.
- *
- * @returns {AgentBundle}
- *   { agentName, agentDir, systemPrompt, skills: string[],
- *     mcpServers: object, raw: settingsJson }
- *
- * Throws `{ code: 'AGENT_NOT_FOUND' }` if the agent dir doesn't
- * exist. Does NOT throw on partial agents (missing CLAUDE.md or
- * skills/ etc — fields just default to null/empty).
  */
-function loadAgent(agentName, { homeDir = process.env.HOME, logger = console } = {}) {
-  if (cache.has(agentName)) return cache.get(agentName);
+function loadAgent(agentName, { homeDir = process.env.HOME, cwd = null, logger = console } = {}) {
+  // Cache key includes cwd because the same agentName can resolve
+  // to different files when called from different chats with
+  // different cwds (e.g. shumabit-claude vs shumabit-partners).
+  const cacheKey = agentName + '\x00' + (cwd || '');
+  if (cache.has(cacheKey)) return cache.get(cacheKey);
 
-  const agentDir = path.join(homeDir, '.claude', 'agents', agentName);
-  if (!fs.existsSync(agentDir)) {
+  const loc = resolveAgentLocation(agentName, homeDir, cwd);
+  if (!loc) {
+    const looked = [
+      cwd ? cwd + '/.claude/agents/' + agentName + '.md' : null,
+      homeDir + '/.claude/agents/' + agentName + '.md',
+      cwd ? cwd + '/.claude/agents/' + agentName + '/' : null,
+      homeDir + '/.claude/agents/' + agentName + '/',
+    ].filter(Boolean).join(', ');
     throw Object.assign(
-      new Error(`agent not found: ${agentName} (looked in ${agentDir})`),
-      { code: 'AGENT_NOT_FOUND', agentDir },
+      new Error('agent not found: ' + agentName + ' (looked in ' + looked + ')'),
+      { code: 'AGENT_NOT_FOUND', searchPaths: looked },
     );
   }
 
-  // System prompt: prefer CLAUDE.md (the standard polygram convention),
-  // fall back to AGENTS.md (OpenClaw legacy), then to a single-line
-  // file `system-prompt.txt` if either of the markdown files is
-  // absent. Whichever is present, read as UTF-8 string.
   let systemPrompt = null;
-  for (const fname of ['CLAUDE.md', 'AGENTS.md', 'system-prompt.txt']) {
-    const p = path.join(agentDir, fname);
-    if (fs.existsSync(p)) {
-      try {
-        systemPrompt = fs.readFileSync(p, 'utf8');
-        break;
-      } catch (err) {
-        logger.error?.(`[agent-loader] reading ${p}: ${err.message}`);
+  let frontmatter = {};
+  let agentPath = loc.path;
+
+  if (loc.kind === 'file') {
+    // Claude Code single-file format. Read whole file, parse and
+    // strip frontmatter, body becomes systemPrompt. Then expand
+    // any @<file> import directives recursively (rc.15).
+    try {
+      const raw = fs.readFileSync(loc.path, 'utf8');
+      frontmatter = parseFrontmatter(raw);
+      const stripped = stripFrontmatter(raw);
+      const visited = new Set([loc.path]);
+      systemPrompt = expandImports(stripped, loc.path, cwd, visited, logger);
+    } catch (err) {
+      logger.error?.('[agent-loader] reading ' + loc.path + ': ' + err.message);
+    }
+  } else {
+    // polygram directory layout. CLAUDE.md > AGENTS.md > system-prompt.txt.
+    for (const fname of ['CLAUDE.md', 'AGENTS.md', 'system-prompt.txt']) {
+      const p = path.join(loc.dir, fname);
+      if (fs.existsSync(p)) {
+        try {
+          const raw = fs.readFileSync(p, 'utf8');
+          // Expand @-imports for directory-layout agents too —
+          // their content might also reference shared base files.
+          const visited = new Set([p]);
+          systemPrompt = expandImports(raw, p, cwd, visited, logger);
+          agentPath = p;
+          break;
+        } catch (err) {
+          logger.error?.('[agent-loader] reading ' + p + ': ' + err.message);
+        }
       }
     }
   }
 
-  // Settings: optional `settings.json` for per-agent overrides
-  // (mcpServers, model, effort defaults, etc.).
+  // Settings.json — only meaningful for directory-layout agents.
   let settings = {};
-  const settingsPath = path.join(agentDir, 'settings.json');
-  if (fs.existsSync(settingsPath)) {
-    try {
-      settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
-    } catch (err) {
-      logger.error?.(`[agent-loader] parsing ${settingsPath}: ${err.message}`);
+  if (loc.dir) {
+    const settingsPath = path.join(loc.dir, 'settings.json');
+    if (fs.existsSync(settingsPath)) {
+      try {
+        settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8'));
+      } catch (err) {
+        logger.error?.('[agent-loader] parsing ' + settingsPath + ': ' + err.message);
+      }
     }
   }
 
-  // Skills: enumerate `${agentDir}/skills/*` directories. SDK's
-  // `Options.skills` accepts a string[] of skill names.
-  const skillsDir = path.join(agentDir, 'skills');
+  // Skills (only for directory layout).
   let skills = [];
-  if (fs.existsSync(skillsDir)) {
-    try {
-      skills = fs.readdirSync(skillsDir, { withFileTypes: true })
-        .filter((d) => d.isDirectory())
-        .map((d) => d.name);
-    } catch (err) {
-      logger.error?.(`[agent-loader] enumerating ${skillsDir}: ${err.message}`);
+  if (loc.dir) {
+    const skillsDir = path.join(loc.dir, 'skills');
+    if (fs.existsSync(skillsDir)) {
+      try {
+        skills = fs.readdirSync(skillsDir, { withFileTypes: true })
+          .filter((d) => d.isDirectory())
+          .map((d) => d.name);
+      } catch (err) {
+        logger.error?.('[agent-loader] enumerating ' + skillsDir + ': ' + err.message);
+      }
     }
   }
 
   const mcpServers = settings.mcpServers ?? {};
 
+  // Frontmatter merged with settings — composeSdkOptions can pick up
+  // model/effort overrides from either source.
+  const raw = { ...frontmatter, ...settings };
+
   const bundle = {
     agentName,
-    agentDir,
+    agentPath,
+    agentDir: loc.dir,
     systemPrompt,
     skills,
     mcpServers,
-    // Pass through extra settings for callers that want them
-    // (e.g. agent-level model/effort defaults).
-    raw: settings,
+    raw,
   };
-  cache.set(agentName, bundle);
+  cache.set(cacheKey, bundle);
   return bundle;
 }
 
@@ -166,4 +327,14 @@ function clearCache() {
   cache.clear();
 }
 
-module.exports = { loadAgent, composeSdkOptions, clearCache, _cache: cache };
+module.exports = {
+  loadAgent,
+  composeSdkOptions,
+  clearCache,
+  // Internals for tests.
+  _resolveAgentLocation: resolveAgentLocation,
+  _stripFrontmatter: stripFrontmatter,
+  _parseFrontmatter: parseFrontmatter,
+  _expandImports: expandImports,
+  _cache: cache,
+};

package/lib/approval-ui.js

@@ -0,0 +1,135 @@
+/**
+ * Pure UI builders for the approval flow's Telegram surface.
+ *
+ *   - 2-button keyboard (CLI pm IPC approval-hook flow)
+ *   - 4-button keyboard (rc.6 SDK pm canUseTool flow with persisted
+ *     "Always allow / Always deny" via chat_tool_decisions)
+ *   - Card text with friendly heading + clipped tool_input body
+ *
+ * No runtime dependencies — these are pure transforms suitable for
+ * unit-testing in isolation. The polygram.js side wires them to
+ * `tg(bot, 'sendMessage', ...)` / `editMessageText`.
+ */
+
+'use strict';
+
+/**
+ * 2-button keyboard for the legacy IPC approval flow.
+ * @param {number|string} approvalId
+ * @param {string} token
+ */
+function buildApprovalKeyboard(approvalId, token) {
+  return {
+    inline_keyboard: [[
+      { text: '✅ Approve', callback_data: `approve:${approvalId}:${token}` },
+      { text: '❌ Deny',    callback_data: `deny:${approvalId}:${token}` },
+    ]],
+  };
+}
+
+/**
+ * 4-button keyboard for the SDK canUseTool flow (rc.6 Phase 2 step 6).
+ * "Always allow" / "Always deny" rows persist the decision into
+ * `chat_tool_decisions` so subsequent invocations of the same tool
+ * with the same input short-circuit.
+ *
+ * Callback_data conventions:
+ *   approve:<id>:<token>          — one-time allow
+ *   deny:<id>:<token>             — one-time deny
+ *   approve-always:<id>:<token>   — allow + persist
+ *   deny-always:<id>:<token>      — deny + persist
+ *
+ * @param {number|string} approvalId
+ * @param {string} token
+ */
+function buildApprovalKeyboardWithAlways(approvalId, token) {
+  return {
+    inline_keyboard: [
+      [
+        { text: '✅ Approve', callback_data: `approve:${approvalId}:${token}` },
+        { text: '❌ Deny',    callback_data: `deny:${approvalId}:${token}` },
+      ],
+      [
+        { text: '🔁 Always allow', callback_data: `approve-always:${approvalId}:${token}` },
+        { text: '🚫 Always deny',  callback_data: `deny-always:${approvalId}:${token}` },
+      ],
+    ],
+  };
+}
+
+/**
+ * Format a tool_input value for the inline-keyboard card body.
+ * Clips aggressively so the whole card stays under Telegram's
+ * 4096-char limit (approval card has surrounding metadata too).
+ *
+ * @param {unknown} input — string OR any JSON-able object
+ * @returns {string}
+ */
+function formatToolInputForCard(input) {
+  let s;
+  try {
+    s = typeof input === 'string' ? input : JSON.stringify(input, null, 2);
+  } catch {
+    s = String(input);
+  }
+  // JSON.stringify(undefined) returns undefined, and objects with
+  // a circular toJSON could surface odd values too. Fall back to
+  // String() so we always operate on a real string.
+  if (typeof s !== 'string') s = String(input);
+  if (s.length <= 1200) return s;
+  return s.slice(0, 900) + '\n…[clipped]…\n' + s.slice(-200);
+}
+
+/**
+ * Approval card text. Plain-text only (NO parse_mode) — tool_input
+ * originates from Claude and could contain Markdown specials or
+ * tg:// links crafted for phishing.
+ *
+ * @param {object} row             — approval row from the approvals store
+ * @param {string} row.tool_name
+ * @param {number|string|null} row.turn_id
+ * @param {string} row.requester_chat_id
+ * @param {object|string|null} [row.tool_input_json]
+ * @param {object|string|null} [row.tool_input]    — alias for tool_input_json
+ * @param {number} row.timeout_ts  — unix ms when the row expires
+ * @param {object} [opts]
+ * @param {string} [opts.resolvedBy] — heading override for resolved cards
+ *                                     (e.g. "✓ Approved by ivan").
+ *                                     When set, footer is dropped.
+ *                                     When unset, heading is "Approval needed — <tool>"
+ *                                     and footer shows seconds-to-expire.
+ * @param {() => number} [opts.now]  — clock injection for tests
+ *
+ * @returns {string}
+ */
+function approvalCardText(row, opts = {}) {
+  const now = (typeof opts.now === 'function' ? opts.now : Date.now)();
+  const heading = opts.resolvedBy
+    ? opts.resolvedBy
+    : `Approval needed — ${row.tool_name}`;
+  // tool_input may arrive as a parsed object OR a JSON string under
+  // either key name depending on the call site.
+  const inputSource = row.tool_input_json !== undefined
+    ? row.tool_input_json
+    : row.tool_input;
+  const parsed = typeof inputSource === 'string'
+    ? safeParse(inputSource)
+    : inputSource;
+  const body = formatToolInputForCard(parsed);
+  const ttl = Math.max(0, Math.round((row.timeout_ts - now) / 1000));
+  const footer = opts.resolvedBy ? '' : `\n\n⏱ expires in ${ttl}s`;
+  return `${heading}\nChat: ${row.requester_chat_id}\nTurn: ${row.turn_id || '-'}\n\n${body}${footer}`;
+}
+
+function safeParse(s) {
+  try { return JSON.parse(s); } catch { return s; }
+}
+
+module.exports = {
+  buildApprovalKeyboard,
+  buildApprovalKeyboardWithAlways,
+  formatToolInputForCard,
+  approvalCardText,
+  // Internals exposed for tests
+  _safeParse: safeParse,
+};

package/lib/approval-waiters.js

@@ -110,6 +110,13 @@ function createApprovalWaiters({
         parkedAt: Date.now(),
         sessionKey,
       });
+
+      // If the signal was ALREADY aborted before we attached the
+      // listener, addEventListener never fires — the waiter would
+      // sit in the map until timeout-sweep / shutdown picked it up.
+      // Trigger the cleanup manually so the parked promise rejects
+      // immediately (matches "abort fired during park" semantics).
+      if (signal && signal.aborted) sigCleanup();
     });
   }
 

package/lib/approvals.js

@@ -11,6 +11,7 @@
  */
 
 const crypto = require('crypto');
+const { canonicalizeToolInput } = require('./canonical-json');
 
 const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
 // 16 random bytes → 22 base64url chars ≈ 128 bits of entropy. Prevents
@@ -19,7 +20,14 @@ const DEFAULT_TIMEOUT_MS = 5 * 60 * 1000;
 const TOKEN_BYTES = 16;
 
 function digestInput(input) {
-  const json = typeof input === 'string' ? input : JSON.stringify(input);
+  // Canonicalise object inputs so key-order doesn't change the digest.
+  // Pre-fix `JSON.stringify({a:1,b:2})` and `JSON.stringify({b:2,a:1})`
+  // produced different hashes — the dedup contract assumed logical
+  // equivalence but the impl was order-sensitive, so an SDK that
+  // re-serialised the input between turns would dedup-miss.
+  const json = typeof input === 'string'
+    ? input
+    : JSON.stringify(canonicalizeToolInput(input));
   return crypto.createHash('sha256').update(json).digest('hex').slice(0, 16);
 }
 

package/lib/async-lock.js

@@ -22,13 +22,21 @@ function createAsyncLock() {
       const prev = chains.get(key) || Promise.resolve();
       let release;
       const next = new Promise((resolve) => { release = resolve; });
-      chains.set(key, prev.then(() => next));
+      // Save the chain-entry promise so the cleanup branch can compare
+      // against the SAME reference. Pre-fix this re-evaluated
+      // `prev.then(() => next)` (a fresh promise each call), so the
+      // === compare was always false and the Map leaked one entry per
+      // unique key.
+      const myEntry = prev.then(() => next);
+      chains.set(key, myEntry);
       await prev;
       // Return a wrapper that also clears the chain entry when this is
       // the last holder — avoids the Map growing unbounded across the
-      // lifetime of the process.
+      // lifetime of the process. Idempotent: a double-release call is
+      // harmless (release() is a Promise resolver; calling resolve
+      // twice is a no-op).
       return () => {
-        if (chains.get(key) === prev.then(() => next)) {
+        if (chains.get(key) === myEntry) {
           chains.delete(key);
         }
         release();