Skip to content

feat(moderation): per-org input moderation setting#22

Merged
albanm merged 12 commits into
mainfrom
feat-moderation-options
Jun 11, 2026
Merged

feat(moderation): per-org input moderation setting#22
albanm merged 12 commits into
mainfrom
feat-moderation-options

Conversation

@albanm

@albanm albanm commented Jun 11, 2026

Copy link
Copy Markdown
Member

Replace the hardwired untrusted-only input moderation (and the admin self-test
toggle) with an org-level setting on account Settings:

  • Enable flag + multi-select of impacted user categories (anonymous,
    external, user, contrib, admin), persisted like quotas.
  • A pure moderationApplies(settings, role) helper is the single source of
    truth for the gate, used by both the gateway and the summary endpoint.
  • The admin in-chat self-test mechanism is removed entirely (header,
    isSelfTestModeration, selfTestModeration, the startModeration selfTest
    branch, and the debug-dialog toggle). The activity-page probe is unchanged.
  • ModerationEvent.role widened to EffectiveRole so moderated trusted roles
    record events/strikes uniformly.

Why: make moderation an explicit per-organization choice (like trace
storage) instead of a hardwired behavior — admins decide whether to moderate
and which user categories are screened.

Regression risks:

  • Off by default. Existing orgs lose automatic anonymous/external moderation
    until an admin enables it per account. Operators must re-enable after deploy.

albanm and others added 11 commits June 11, 2026 09:33
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ckend)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The moderation card rendered before the providers section, so its category
multiselect combobox became getByRole('combobox').first(), breaking the
settings e2e provider-add flow. It is gated on providers?.length like quotas,
so group it next to quotas instead.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Moderation is now configurable per category, so the suites cover trusted
roles too.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The gate (per-message content_filter) applies to every configured category, but
strikes and the 1h cooldown must stay an anti-abuse measure for untrusted
callers (anonymous/external) only. Task 3 over-applied moderationApplies to the
cooldown short-circuits and to strike accrual, so a moderated trusted member
could be locked out. Revert both cooldown checks and strike accrual to
isUntrusted (this also restores summary/router.ts to its original state); the
gate stays on moderationApplies.

Adds an org-member regression test (forwards an org context through axiosAuth).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@albanm albanm merged commit 3bcb405 into main Jun 11, 2026
3 checks passed
@albanm albanm deleted the feat-moderation-options branch June 11, 2026 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant