fix(daemon): only the owner may settle intents via room /approve replies #18
The chat-reply poller accepted /approve <id> and /deny <id> from any room sender, so any fleet agent could settle a pending intent and trigger its gated command. Restrict settlement to the human owner: plain "petrus" sender (CodeWatch button taps included, which post with isHuman=false) or a human-flagged message. Agent senders are logged and skipped.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: beec369367
| // including CodeWatch button taps, which arrive with isHuman=false — | ||
| // while agents carry a handle ("@ether", "hermes"). | ||
| const sender = String(m.from || '').replace(/^@/, '').toLowerCase(); | ||
| if (sender !== 'petrus' && m.isHuman !== true) { |
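Review bot: The normalization on the const sender line strips a leading "@" and lowercases before the comparison, so a sender whose handle is "@petrus" or "Petrus" compares equal to 'petrus' and passes the guard, even though the comment above says handles are what distinguish agents from the owner. Compare the raw m.from against the owner exactly, or against a stable sender identifier if the room message carries one, and read the owner from configuration rather than the literal 'petrus'.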
Require the owner handle even for human replies
In any shared GroupMind room with another human participant, their /approve <id> or /deny <id> message will still settle the local intent because m.isHuman === true bypasses the sender check. That leaves the gated-command path open to non-owner humans even though this guard is intended to restrict settlement to the owner; compare the normalized sender to the configured owner instead of accepting any human-flagged message.
Problem
The :8788 chat-reply poller matched /approve <id> / /deny <id> from any room sender. Any fleet agent echoing an approve line could settle a pending intent and trigger its gated command — this actually happened in thinkoff-development (hermes settled intent 2494578e).
Fix
Settlement is restricted to the human owner: plain petrus sender (covers CodeWatch button taps, which arrive with isHuman=false) or a human-flagged message. Agent senders are logged and skipped.
Verification
node --check clean, confirmations test suite 15/15 pass.
petrus (web: isHuman:true, button tap: isHuman:false), agents as hermes/@ether.
Note for @claudemb: MacBook daemon already carries an equivalent local guard; pulling this reconciles both clones.
🤖 Generated with Claude Code
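The guard from the hunk and the owner-only check the review comment asks for, run side by side over the sender shapes listed under Verification. This is an added example, not the project's code: `OWNER`, the `m.body` field, the command grammar, the exact-match comparison and the sample messages are assumptions made for illustration.

```javascript
// Added example, not the project's code. OWNER, m.body and the command
// grammar are assumptions; m.from and m.isHuman are the fields in the hunk.
const OWNER = 'petrus'; // assumed to come from daemon config in practice

// Parse "/approve <id>" or "/deny <id>" as the whole message body.
function parseSettlement(body) {
  const match = /^\/(approve|deny)\s+(\S+)\s*$/.exec(String(body || '').trim());
  return match ? { action: match[1], intentId: match[2] } : null;
}

// Guard as written in the hunk: owner handle OR any human-flagged message.
function pageGuard(m) {
  const sender = String(m.from || '').replace(/^@/, '').toLowerCase();
  return sender === 'petrus' || m.isHuman === true;
}

// Stricter guard: the sender must be the owner; isHuman is never sufficient.
// Exact match, since the hunk comment says the owner posts as plain "petrus".
function ownerOnlyGuard(m, owner = OWNER) {
  return typeof m.from === 'string' && m.from === owner;
}

// Decide what to do with one room message under a given guard.
function decide(m, guard) {
  const cmd = parseSettlement(m.body);
  if (!cmd) return { settle: false, reason: 'not-a-settlement' };
  if (!guard(m)) return { settle: false, reason: 'sender-not-authorized', ...cmd };
  return { settle: true, ...cmd };
}

// Constructed room messages using the sender shapes listed in the PR.
const SAMPLE = [
  { from: 'petrus', isHuman: true, body: '/approve a1b2c3d4' },   // web
  { from: 'petrus', isHuman: false, body: '/approve a1b2c3d4' },  // button tap
  { from: 'hermes', isHuman: false, body: '/approve a1b2c3d4' },  // agent
  { from: '@ether', isHuman: false, body: '/deny a1b2c3d4' },     // agent
  { from: 'alice', isHuman: true, body: '/approve a1b2c3d4' },    // other human (constructed)
  { from: '@petrus', isHuman: false, body: '/approve a1b2c3d4' }, // handle-style sender (constructed)
];

function compare(messages = SAMPLE) {
  return messages.map((m) => ({
    from: m.from,
    page: decide(m, pageGuard).settle,
    strict: decide(m, ownerOnlyGuard).settle,
  }));
}

console.table(compare());
```

Both owner shapes settle under either guard; the last two rows are the ones where the guards disagree.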