refactor(security): harden CommandAuthorized plumbing

2026-01-17 09:01:43 +00:00
parent 31e8ecca10
commit 69ba2765de
16 changed files with 92 additions and 56 deletions
--- a/src/auto-reply/reply/get-reply.ts
+++ b/src/auto-reply/reply/get-reply.ts
@@ -73,25 +73,25 @@ export async function getReplyFromConfig(
    silentToken: SILENT_REPLY_TOKEN,
    log: defaultRuntime.log,
  });
-  opts?.onTypingController?.(typing);
+	  opts?.onTypingController?.(typing);

-  finalizeInboundContext(ctx);
+  const finalized = finalizeInboundContext(ctx);

  await applyMediaUnderstanding({
-    ctx,
+    ctx: finalized,
    cfg,
    agentDir,
    activeModel: { provider, model },
  });

-  const commandAuthorized = ctx.CommandAuthorized ?? false;
+  const commandAuthorized = finalized.CommandAuthorized;
  resolveCommandAuthorization({
-    ctx,
+    ctx: finalized,
    cfg,
    commandAuthorized,
  });
  const sessionState = await initSessionState({
-    ctx,
+    ctx: finalized,
    cfg,
    commandAuthorized,
  });
@@ -113,7 +113,7 @@ export async function getReplyFromConfig(
  } = sessionState;

  const directiveResult = await resolveReplyDirectives({
-    ctx,
+    ctx: finalized,
    cfg,
    agentId,
    agentDir,