Skip to content

fix(pods): carve out §3.7 fan-out on getPodById for agent-dm#381

Open
samxu01 wants to merge 1 commit into
mainfrom
fix/v2-dm-nav-readonly
Open

fix(pods): carve out §3.7 fan-out on getPodById for agent-dm#381
samxu01 wants to merge 1 commit into
mainfrom
fix/v2-dm-nav-readonly

Conversation

@samxu01
Copy link
Copy Markdown
Contributor

@samxu01 samxu01 commented May 16, 2026

Summary

Gap 2 root cause: PR #375 made `getPodById` 404 non-members of all personal pod types so admins wouldn't accidentally land in other users' DMs from the sidebar. That was right for sidebar listings — but it also broke the V2 inspector "Direct messages" list, because clicking an a2a DM row navigates to `/v2/pods/`, the layout fetches the pod, and the 404 prevents the read-only chat from rendering even though `DMService.canViewPod` (used by `/api/messages`, `/api/posts`, etc.) explicitly allows §3.7 fan-out viewers.

Carve-out:

  • agent-dm: defers to `canViewPod` (admins + §3.7 fan-out — users sharing a pod with either DM agent)
  • agent-room: unchanged — strict membership (1:1 user↔agent is private)
  • agent-admin: unchanged — strict membership (ops surface)

Frontend already renders an `isReadOnly` banner in place of the composer for non-member viewers (`V2PodChat.tsx:499/752`), so this backend-only change unblocks the navigation path. Composer write gate on `POST /api/messages/:podId` is unchanged.

Test plan

  • `cd backend && npx jest tests/unit/controllers/podController.test.js` → 20/20 passing (3 new tests: agent-dm allow / agent-dm deny / agent-room still strict).
  • Post-deploy as xcjsam (non-admin, shares a pod with Nova): from V2 inspector, click an a2a DM row in the "Direct messages" list of Nova's profile → `/v2/pods/` opens with read-only banner instead of 404.
  • Post-deploy as a stranger to both DM participants: same click → still 404 (no leak).

Closes

1 of 4 gaps from the "make collab bulletproof" goal.

🤖 Generated with Claude Code

@samxu01
fix(pods): carve out §3.7 fan-out on getPodById for agent-dm only
1646c35 
PR #375 made getPodById 404 non-members of all personal pod types
(agent-room / agent-dm / agent-admin) to prevent admins from accidentally
landing in other users' DMs via the sidebar. That was correct for the
sidebar bug — but it also broke the V2 inspector's "Direct messages"
list: clicking an a2a DM row navigates to /v2/pods/<id>, the layout
fetches the pod, and the 404 prevented the read-only chat from rendering
even though the user has §3.7 fan-out access (canViewPod) to the
underlying messages.

Carve-out:
- agent-dm: defers to DMService.canViewPod (admins + §3.7 fan-out)
- agent-room: unchanged — strict membership (user↔agent is private)
- agent-admin: unchanged — strict membership (ops surface)

The frontend already renders an "isReadOnly" banner in place of the
composer for non-member viewers of agent-dm (V2PodChat.tsx:499/752), so
this purely-backend change unblocks the navigation path. Composer write
gates (POST /api/messages/:podId) keep their existing membership check.

Tests:
- agent-dm + canViewPod true → 200
- agent-dm + canViewPod false → 404 (no leak)
- agent-room non-member still → 404 (strict)

20/20 podController tests pass.
samxu01 added a commit that referenced this pull request May 16, 2026
@samxu01 @claude
fix(pods): carve out §3.7 fan-out on getPodById for agent-dm only (#381)
bbf151a 
PR #375 made getPodById 404 non-members of all personal pod types to
prevent admins accidentally landing in other users' DMs via the sidebar.
That broke V2 inspector's a2a DM navigation — the /v2/pods/<id> layout
404'd even though canViewPod (used by /api/messages, /api/posts, etc.)
allows §3.7 fan-out viewers.

Carve-out:
- agent-dm: defers to canViewPod (admins + §3.7 fan-out)
- agent-room: strict membership (1:1 user↔agent)
- agent-admin: strict membership (ops surface)

Frontend already renders an isReadOnly banner in place of the composer
for non-member viewers. 20/20 podController tests pass (3 new).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@samxu01 samxu01 mentioned this pull request May 16, 2026
Open
samxu01 added a commit that referenced this pull request May 16, 2026
@samxu01 @claude
revert: #388 cloud-codex MCP wiring — codex CLI exec doesn't consume …
8d8bf37 
…MCP servers

Verified empirically 2026-05-15 after merging #388: codex CLI 0.125.0
recognizes [mcp_servers.commonly] in config.toml (`codex mcp list`
shows it enabled), but `codex exec` does NOT actually connect to or
expose tools from configured MCP servers. The model's tool list stays
limited to codex's built-in tools (web, image_gen, exec_command,
apply_patch, ...). list_mcp_resources returns empty regardless.

Per docs/MCP_INTEGRATION.md, the supported codex pattern is to wrap
codex AS an MCP server (codex-as-mcp), not to have codex consume MCP
servers. So #388 adds noise without effect.

For Cody to actually call commonly_react_to_message autonomously, the
real options are:
  - Switch her adapter from codex → claude-code or another MCP-
    consuming host (architectural decision).
  - Add the reaction tool to the openclaw extension's commonly_*
    block (separate Team-Commonly/openclaw PR; out of the
    "make-collab-bulletproof" goal's "no openclaw-coupled fixes"
    constraint).

Keeping the four ship-PRs (#379/#380/#381/#382 + #383/#384/#385/#386
follow-ups) in place — they're all correct. Just removing #388.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@samxu01