Support DISCORD_ALLOWED_ROLES for role-based access control

[parimple]

Feature Description

Allow Discord access control based on Discord roles (e.g., Moderator role) instead of hardcoded user IDs. Currently DISCORD_ALLOWED_USERS only accepts a comma-separated list of user IDs, which requires manual updates when moderator ranks change.

Motivation

Server moderation teams change frequently. Currently when a new moderator is added, someone must manually update DISCORD_ALLOWED_USERS with their Discord user ID. This is error-prone and requires ongoing maintenance.

A role-based approach would let moderators self-serve: grant the role on the server, and access is automatic.

Proposed Solution

Add a new environment variable DISCORD_ALLOWED_ROLES that accepts Discord role IDs:

DISCORD_ALLOWED_ROLES=1493705176387948674
DISCORD_ALLOWED_USERS=413720629

Behavior:

1. If DISCORD_ALLOWED_ROLES is set, resolve the configured roles to members via the Discord API
2. Check if the message author has any of the allowed roles
3. Both DISCORD_ALLOWED_USERS and DISCORD_ALLOWED_ROLES can coexist (union)
4. Resolved role memberships are cached and refreshed periodically (e.g., on gateway restart or on interval)

Implementation notes:

• Use Discord Guild API to resolve roles to member lists
• Placeholder for non-numeric entries in DISCORD_ALLOWED_USERS already exists: _resolve_allowed_usernames()
• A similar _resolve_allowed_roles() method could follow the same pattern

Alternatives Considered

• Sync script — Run an external cron job that syncs role members to DISCORD_ALLOWED_USERS. Works but adds operational complexity and a delay between granting role and granting access.
• Bot mention + role check — Keep current mention-based auth but check roles regardless of user ID. Doesn't solve the maintainability problem.

[teknium1]

Implemented in #11608 — #11608

DISCORD_ALLOWED_ROLES now supports comma-separated Discord role IDs with OR semantics against DISCORD_ALLOWED_USERS. Members with any of the configured roles are authorized automatically — new mods get access as soon as the role is granted on the server.

Implementation accepts role IDs (not names) — IDs avoid name-collision and Guild-API lookup complexity. Mix and match:

DISCORD_ALLOWED_ROLES=1493705176387948674
DISCORD_ALLOWED_USERS=413720629

Thanks for the detailed motivation (moderator team churn) and the _resolve_allowed_usernames analogy — made the scope clear. Credit to @0xyg3n for the implementation in PR #9873.

[0xyg3n]

@parimple friendly heads-up — your "Proposed Solution" section is a printenv dump, which is an interesting way to propose an env var, and also leaked two live credentials into a public issue a week ago:

• GEMINI_API_KEY — Google already auto-revoked it. Just tested: 403 "Your API key was reported as leaked. Please use another API key." Their scraper beat you to the rotation.
• CLOUDFLARE_API_TOKEN — still active as of a minute ago. The /user/tokens/verify endpoint returns "This API Token is valid and active". Token id 1544133639067f32xxxxxxx (redacting). Rotate this one ASAP.
• DISCORD_PUBLIC_API_KEY is fine — that is the Ed25519 interactions public key, meant to be public.

Also visible in the dump: session IDs, home paths, venv paths, model routing env, CJK locale, pnpm prefix. None of that is catastrophic but it is a decent fingerprint.

Please edit the issue body to strip the environment block — right now it's searchable on Google. While you're at it, rotate the Cloudflare token and audit whatever else lives in that shell.

I only verified the tokens with read-only auth-check endpoints (no data read, no usage).

[parimple]

Issue body sanitized. I removed the leaked environment dump from the description and I am rotating the exposed Cloudflare token plus auditing where it is loaded locally.