fix(security): harden toolsBySender sender-key matching

2026-05-10 06:42:44 +00:00 · 2026-02-22 21:03:09 +01:00
parent 3461dda880
commit 5547a2275c
10 changed files with 324 additions and 36 deletions
--- a/src/channels/plugins/group-mentions.test.ts
+++ b/src/channels/plugins/group-mentions.test.ts
@@ -20,7 +20,7 @@ const cfg = {
          requireMention: false,
          tools: { allow: ["message.send"] },
          toolsBySender: {
-            "user:alice": { allow: ["sessions.list"] },
+            "id:user:alice": { allow: ["sessions.list"] },
          },
        },
        "*": {
@@ -109,14 +109,14 @@ describe("group mentions (discord)", () => {
              requireMention: false,
              tools: { allow: ["message.guild"] },
              toolsBySender: {
-                "user:guild-admin": { allow: ["sessions.list"] },
+                "id:user:guild-admin": { allow: ["sessions.list"] },
              },
              channels: {
                "123": {
                  requireMention: true,
                  tools: { allow: ["message.channel"] },
                  toolsBySender: {
-                    "user:channel-admin": { deny: ["exec"] },
+                    "id:user:channel-admin": { deny: ["exec"] },
                  },
                },
              },