Skip to content

feat: add allowed_users config for per-user access control #107

Closed
#108
Closed
feat: add allowed_users config for per-user access control#107
#108
Labels
featurep1High — address this sprint
@masami-agent

Description

@masami-agent
masami-agent
opened on Apr 7, 2026

Summary

Add an allowed_users config option to restrict which Discord users can trigger the bot.

Motivation

Currently, anyone in an allowed_channel can @mention the bot and interact with it. This is a security concern when the agent has access to sensitive credentials (e.g. GH_TOKEN for GitHub operations) — any user in the channel could instruct the agent to push code, delete branches, etc.

Proposed Design

Config

[discord]
bot_token = "${DISCORD_BOT_TOKEN}"
allowed_channels = ["123456"]
allowed_users = []              # empty = allow all (default, backward compatible)

Behavior

allowed_channels allowed_users Result
empty empty All users, all channels (current default)
set empty Only these channels, all users
empty set All channels, only these users
set set AND — must be in allowed channel AND allowed user
  • Thread messages: also checked against allowed_users
  • Rejected users: bot reacts with 🚫, does not reply
  • Backward compatible: empty allowed_users = no filtering (same as today)

Helm values

discord:
  allowedUsers: []

⚠️ Use --set-string for user IDs to avoid float64 precision loss.

Changes Required

  1. src/config.rs — add allowed_users: Vec<String> to DiscordConfig
  2. src/discord.rs — add user ID check in message handler
  3. charts/openab/values.yaml — add allowedUsers
  4. charts/openab/templates/configmap.yaml — render allowed_users
  5. config.toml.example — add example

Metadata

Metadata

Assignees

No one assigned

    Labels

    featurep1High — address this sprint

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions