feat: improve gateway services and auto-reply commands

src/config/config-paths.test.ts

@@ -14,6 +14,8 @@ describe("config paths", () => {
       error: "Invalid path. Use dot notation (e.g. foo.bar).",
     });
     expect(parseConfigPath("__proto__.polluted").ok).toBe(false);
+    expect(parseConfigPath("constructor.polluted").ok).toBe(false);
+    expect(parseConfigPath("prototype.polluted").ok).toBe(false);
   });
 
   it("sets, gets, and unsets nested values", () => {

src/config/runtime-overrides.test.ts

@@ -39,4 +39,17 @@ describe("runtime overrides", () => {
     expect(removed.removed).toBe(true);
     expect(Object.keys(getConfigOverrides()).length).toBe(0);
   });
+
+  it("rejects prototype pollution paths", () => {
+    const attempts = [
+      "__proto__.polluted",
+      "constructor.polluted",
+      "prototype.polluted",
+    ];
+    for (const path of attempts) {
+      const result = setConfigOverride(path, true);
+      expect(result.ok).toBe(false);
+      expect(Object.keys(getConfigOverrides()).length).toBe(0);
+    }
+  });
 });

src/config/schema.ts

@@ -115,6 +115,8 @@ const FIELD_LABELS: Record<string, string> = {
   "agents.defaults.cliBackends": "CLI Backends",
   "commands.native": "Native Commands",
   "commands.text": "Text Commands",
+  "commands.config": "Allow /config",
+  "commands.debug": "Allow /debug",
   "commands.restart": "Allow Restart",
   "commands.useAccessGroups": "Use Access Groups",
   "ui.seamColor": "Accent Color",
@@ -203,6 +205,10 @@ const FIELD_HELP: Record<string, string> = {
   "commands.native":
     "Register native commands with connectors that support it (Discord/Slack/Telegram).",
   "commands.text": "Allow text command parsing (slash commands only).",
+  "commands.config":
+    "Allow /config chat command to read/write config on disk (default: false).",
+  "commands.debug":
+    "Allow /debug chat command for runtime-only overrides (default: false).",
   "commands.restart":
     "Allow /restart and gateway restart tool actions (default: false).",
   "commands.useAccessGroups":

src/config/types.ts

@@ -1078,6 +1078,10 @@ export type CommandsConfig = {
   native?: boolean;
   /** Enable text command parsing (default: true). */
   text?: boolean;
+  /** Allow /config command (default: false). */
+  config?: boolean;
+  /** Allow /debug command (default: false). */
+  debug?: boolean;
   /** Allow restart commands/tools (default: false). */
   restart?: boolean;
   /** Enforce access-group allowlists/policies for commands (default: true). */

src/config/zod-schema.ts

@@ -685,6 +685,8 @@ const CommandsSchema = z
   .object({
     native: z.boolean().optional(),
     text: z.boolean().optional(),
+    config: z.boolean().optional(),
+    debug: z.boolean().optional(),
     restart: z.boolean().optional(),
     useAccessGroups: z.boolean().optional(),
   })