fix(discord): reply on native command auth failures (#53072)

2026-03-24 16:32:29 +00:00 · 2026-03-23 11:20:58 -07:00
parent 1b69d9ee1a
commit cdc8bac466
2 changed files with 55 additions and 0 deletions
--- a/src/auto-reply/reply/command-gates.ts
+++ b/src/auto-reply/reply/command-gates.ts
@@ -6,6 +6,13 @@ import { isInternalMessageChannel } from "../../utils/message-channel.js";
 import type { ReplyPayload } from "../types.js";
 import type { CommandHandlerResult, HandleCommandsParams } from "./commands-types.js";

+function buildNativeCommandGateReply(text: string): CommandHandlerResult {
+  return {
+    shouldContinue: false,
+    reply: { text },
+  };
+}
+
 export function rejectUnauthorizedCommand(
  params: HandleCommandsParams,
  commandLabel: string,
@@ -16,6 +23,9 @@ export function rejectUnauthorizedCommand(
  logVerbose(
    `Ignoring ${commandLabel} from unauthorized sender: ${redactIdentifier(params.command.senderId)}`,
  );
+  if (params.ctx.CommandSource === "native") {
+    return buildNativeCommandGateReply("You are not authorized to use this command.");
+  }
  return { shouldContinue: false };
 }

@@ -29,6 +39,9 @@ export function rejectNonOwnerCommand(
  logVerbose(
    `Ignoring ${commandLabel} from non-owner sender: ${redactIdentifier(params.command.senderId)}`,
  );
+  if (params.ctx.CommandSource === "native") {
+    return buildNativeCommandGateReply("You are not authorized to use this command.");
+  }
  return { shouldContinue: false };
 }

--- a/src/auto-reply/reply/commands.test.ts
+++ b/src/auto-reply/reply/commands.test.ts
@@ -818,6 +818,48 @@ describe("handleCommands owner gating for privileged show commands", () => {
      testCase.assert(result);
    }
  });
+
+  it("returns an explicit unauthorized reply for native privileged commands", async () => {
+    const configParams = buildParams(
+      "/config show",
+      {
+        commands: { config: true, text: true },
+        channels: { discord: { dm: { enabled: true, policy: "open" } } },
+      } as OpenClawConfig,
+      {
+        Provider: "discord",
+        Surface: "discord",
+        CommandSource: "native",
+      },
+    );
+    configParams.command.senderIsOwner = false;
+
+    const configResult = await handleCommands(configParams);
+    expect(configResult).toEqual({
+      shouldContinue: false,
+      reply: { text: "You are not authorized to use this command." },
+    });
+
+    const pluginParams = buildParams(
+      "/plugins list",
+      {
+        commands: { plugins: true, text: true },
+        channels: { discord: { dm: { enabled: true, policy: "open" } } },
+      } as OpenClawConfig,
+      {
+        Provider: "discord",
+        Surface: "discord",
+        CommandSource: "native",
+      },
+    );
+    pluginParams.command.senderIsOwner = false;
+
+    const pluginResult = await handleCommands(pluginParams);
+    expect(pluginResult).toEqual({
+      shouldContinue: false,
+      reply: { text: "You are not authorized to use this command." },
+    });
+  });
 });

 describe("handleCommands /config configWrites gating", () => {