fix(commands): add requires_auth guard to Advanced/Debugging handlers #4762

Merged
bug-ops merged 1 commit into main from 4755-commands-auth-guard
May 30, 2026
@bug-ops bug-ops commented May 30, 2026

Summary

  • Added requires_auth() -> bool { true } override to 10 command handlers that were accessible from remote channels (Telegram, Discord, Slack) without authorization after PR fix(security): add dispatch auth guard and complete URL redaction #4751
  • Added /trajectory and /scope entries to the COMMANDS registry (they were registered in the agent but absent from the command list)

Handlers now guarded

| Handler | Command | Category | Risk |
|---|---|---|---|
| LoopCommand | /loop | Advanced | injects recurring prompts (highest risk) |
| NotifyTestCommand | /notify-test | Debugging | triggers outbound notifications |
| TrajectoryCommand | /trajectory | Advanced | exposes sentinel state |
| ScopeCommand | /scope | Advanced | exposes capability scopes |
| StatusCommand | /status | Debugging | exposes model/token/uptime |
| GuardrailCommand | /guardrail | Debugging | exposes guardrail config |
| FocusCommand | /focus | Advanced | read-only status |
| SideQuestCommand | /sidequest | Advanced | read-only status |
| LspCommand | /lsp | Debugging | exposes LSP config |
| CacheStatsCommand | /cache-stats | Debugging | exposes cache internals |

HelpCommand remains intentionally public.

Test plan

  • cargo +nightly fmt --check — clean
  • cargo clippy --workspace -- -D warnings — clean
  • RUSTFLAGS="-D warnings" cargo check --workspace --all-targets --features desktop,ide,server,chat,pdf,scheduler — clean
  • cargo nextest run --workspace --lib --bins — 10435/10435 passed

Closes #4755

@github-actions github-actions Bot added the bug, documentation, rust and size/M labels and removed the bug label May 30, 2026
@bug-ops bug-ops enabled auto-merge (squash) May 30, 2026 15:53
Override requires_auth() to return true in TrajectoryCommand,
ScopeCommand, LoopCommand, FocusCommand, SideQuestCommand,
StatusCommand, GuardrailCommand, LspCommand, CacheStatsCommand,
and NotifyTestCommand.

Handlers left intentionally public: HelpCommand.

Also adds /trajectory and /scope entries to the COMMANDS registry
(they were registered in the agent but missing from the command list).

Closes #4755
@bug-ops bug-ops force-pushed the 4755-commands-auth-guard branch from 90d9af5 to 578dabc Compare May 30, 2026 15:53
@github-actions github-actions Bot added the bug label May 30, 2026
@bug-ops bug-ops merged commit dabb1df into main May 30, 2026
32 checks passed
@bug-ops bug-ops deleted the 4755-commands-auth-guard branch May 30, 2026 15:59
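
The gap this PR closes (handlers left public because they never overrode requires_auth()) can be caught by auditing the registry against an explicit public allowlist. The following is an added example, not code from this PR or project: the trait shape, its open default, registry() and allowed() are assumptions, and only the handler names and requires_auth() come from the PR.

```rust
// Added illustration. The trait shape, its open default, registry() and
// allowed() are assumptions; only the handler names and requires_auth()
// come from the PR.
trait CommandHandler {
    fn name(&self) -> &'static str;
    // Assumed default: a handler that forgets the override is public.
    fn requires_auth(&self) -> bool { false }
}

struct HelpCommand;   // intentionally public
struct LoopCommand;   // guarded by this PR
struct StatusCommand; // guarded by this PR

impl CommandHandler for HelpCommand {
    fn name(&self) -> &'static str { "/help" }
}
impl CommandHandler for LoopCommand {
    fn name(&self) -> &'static str { "/loop" }
    fn requires_auth(&self) -> bool { true }
}
impl CommandHandler for StatusCommand {
    fn name(&self) -> &'static str { "/status" }
    fn requires_auth(&self) -> bool { true }
}

// Hypothetical stand-in for the project's command registration.
fn registry() -> Vec<Box<dyn CommandHandler>> {
    vec![Box::new(HelpCommand), Box::new(LoopCommand), Box::new(StatusCommand)]
}

// Dispatch guard: a guarded command runs only for an authorized sender.
fn allowed(h: &dyn CommandHandler, sender_authorized: bool) -> bool {
    !h.requires_auth() || sender_authorized
}

// Audit: names of registered handlers that are neither guarded nor on the
// explicit public allowlist. Run it as a test so a new handler fails CI.
fn unguarded(public: &[&str]) -> Vec<&'static str> {
    registry().iter()
        .filter(|h| !h.requires_auth() && !public.contains(&h.name()))
        .map(|h| h.name())
        .collect()
}

fn main() {
    let missing = unguarded(&["/help"]);
    assert!(missing.is_empty(), "handlers missing requires_auth: {missing:?}");
    println!("remote /loop without auth allowed: {}", allowed(&LoopCommand, false));
}
```

With an empty allowlist the audit reports /help, which shows that a handler has to be named as public on purpose rather than ending up public by omission.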
Successfully merging this pull request may close these issues.

security: Advanced/Debugging handlers missing requires_auth guard after #4751