feat(config): gate channel config writes

2026-01-15 01:41:11 +00:00
parent f65668cb5f
commit ad8799522c
28 changed files with 576 additions and 2 deletions
--- a/src/auto-reply/reply/commands-config-writes.test.ts
+++ b/src/auto-reply/reply/commands-config-writes.test.ts
@@ -0,0 +1,57 @@
+import { describe, expect, it } from "vitest";
+
+import type { ClawdbotConfig } from "../../config/config.js";
+import type { MsgContext } from "../templating.js";
+import { buildCommandContext, handleCommands } from "./commands.js";
+import { parseInlineDirectives } from "./directive-handling.js";
+
+function buildParams(commandBody: string, cfg: ClawdbotConfig, ctxOverrides?: Partial<MsgContext>) {
+  const ctx = {
+    Body: commandBody,
+    CommandBody: commandBody,
+    CommandSource: "text",
+    CommandAuthorized: true,
+    Provider: "whatsapp",
+    Surface: "whatsapp",
+    ...ctxOverrides,
+  } as MsgContext;
+
+  const command = buildCommandContext({
+    ctx,
+    cfg,
+    isGroup: false,
+    triggerBodyNormalized: commandBody.trim().toLowerCase(),
+    commandAuthorized: true,
+  });
+
+  return {
+    ctx,
+    cfg,
+    command,
+    directives: parseInlineDirectives(commandBody),
+    elevated: { enabled: true, allowed: true, failures: [] },
+    sessionKey: "agent:main:main",
+    workspaceDir: "/tmp",
+    defaultGroupActivation: () => "mention",
+    resolvedVerboseLevel: "off" as const,
+    resolvedReasoningLevel: "off" as const,
+    resolveDefaultThinkingLevel: async () => undefined,
+    provider: "whatsapp",
+    model: "test-model",
+    contextTokens: 0,
+    isGroup: false,
+  };
+}
+
+describe("handleCommands /config configWrites gating", () => {
+  it("blocks /config set when channel config writes are disabled", async () => {
+    const cfg = {
+      commands: { config: true, text: true },
+      channels: { whatsapp: { allowFrom: ["*"], configWrites: false } },
+    } as ClawdbotConfig;
+    const params = buildParams("/config set messages.ackReaction=\":)\"", cfg);
+    const result = await handleCommands(params);
+    expect(result.shouldContinue).toBe(false);
+    expect(result.reply?.text).toContain("Config writes are disabled");
+  });
+});
--- a/src/auto-reply/reply/commands-config.ts
+++ b/src/auto-reply/reply/commands-config.ts
@@ -15,6 +15,8 @@ import {
  setConfigOverride,
  unsetConfigOverride,
 } from "../../config/runtime-overrides.js";
+import { resolveChannelConfigWrites } from "../../channels/plugins/config-writes.js";
+import { normalizeChannelId } from "../../channels/registry.js";
 import { logVerbose } from "../../globals.js";
 import type { CommandHandler } from "./commands-types.js";
 import { parseConfigCommand } from "./config-commands.js";
@@ -44,6 +46,28 @@ export const handleConfigCommand: CommandHandler = async (params, allowTextComma
      reply: { text: `⚠️ ${configCommand.message}` },
    };
  }
+
+  if (configCommand.action === "set" || configCommand.action === "unset") {
+    const channelId = params.command.channelId ?? normalizeChannelId(params.command.channel);
+    const allowWrites = resolveChannelConfigWrites({
+      cfg: params.cfg,
+      channelId,
+      accountId: params.ctx.AccountId,
+    });
+    if (!allowWrites) {
+      const channelLabel = channelId ?? "this channel";
+      const hint = channelId
+        ? `channels.${channelId}.configWrites=true`
+        : "channels.<channel>.configWrites=true";
+      return {
+        shouldContinue: false,
+        reply: {
+          text: `⚠️ Config writes are disabled for ${channelLabel}. Set ${hint} to enable.`,
+        },
+      };
+    }
+  }
+
  const snapshot = await readConfigFileSnapshot();
  if (!snapshot.valid || !snapshot.parsed || typeof snapshot.parsed !== "object") {
    return {