openclaw
diff --git a/‎extensions/discord/src/monitor/message-handler.preflight.test.ts‎
Lines changed: 37 additions & 0 deletions b/‎extensions/discord/src/monitor/message-handler.preflight.test.ts‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎extensions/discord/src/monitor/message-handler.preflight.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/discord/src/monitor/message-handler.preflight.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/discord/src/monitor/message-handler.process.test.ts‎
Lines changed: 18 additions & 0 deletions b/‎extensions/discord/src/monitor/message-handler.process.test.ts‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎extensions/discord/src/monitor/native-command-context.test.ts‎
Lines changed: 22 additions & 14 deletions b/‎extensions/discord/src/monitor/native-command-context.test.ts‎
Lines changed: 22 additions & 14 deletions
diff --git a/‎extensions/discord/src/monitor/native-command-context.ts‎
Lines changed: 7 additions & 0 deletions b/‎extensions/discord/src/monitor/native-command-context.ts‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎extensions/discord/src/monitor/native-command.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/discord/src/monitor/native-command.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/discord/src/monitor/sender-identity.test.ts‎
Lines changed: 74 additions & 0 deletions b/‎extensions/discord/src/monitor/sender-identity.test.ts‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎extensions/discord/src/monitor/sender-identity.ts‎
Lines changed: 28 additions & 0 deletions b/‎extensions/discord/src/monitor/sender-identity.ts‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎src/auto-reply/reply/inbound-context.ts‎
Lines changed: 1 addition & 0 deletions b/‎src/auto-reply/reply/inbound-context.ts‎
Lines changed: 1 addition & 0 deletions
@@ -360,6 +360,43 @@ describe("preflightDiscordMessage", () => {
     handleDiscordDmCommandDecisionMock.mockResolvedValue(undefined);
   });
 
+  it("resolves trusted sender principal from configured identity links for guild messages", async () => {
+    const message = createDiscordMessage({
+      id: "m-identity-link",
+      channelId: "channel-1",
+      content: "hello",
+      author: {
+        id: "123",
+        bot: false,
+        username: "alias-attempt",
+      },
+    });
+
+    const result = await runGuildPreflight({
+      channelId: "channel-1",
+      guildId: "guild-1",
+      message,
+      cfg: {
+        ...DEFAULT_PREFLIGHT_CFG,
+        session: {
+          ...DEFAULT_PREFLIGHT_CFG.session,
+          identityLinks: {
+            alice: ["discord:123"],
+          },
+        },
+      },
+      discordConfig: {} as DiscordConfig,
+      guildEntries: {
+        "guild-1": {
+          requireMention: false,
+        },
+      },
+    });
+
+    expect(result?.sender.id).toBe("123");
+    expect(result?.sender.trustedPrincipal).toBe("alice");
+  });
+
   it("drops bound-thread bot system messages to prevent ACP self-loop", async () => {
     const threadBinding = createThreadBinding({
       targetKind: "session",
 
@@ -302,6 +302,7 @@ export async function preflightDiscordMessage(
     author,
     member: params.data.member,
     pluralkitInfo,
+    identityLinks: params.cfg.session?.identityLinks,
   });
 
   if (author.bot) {
 
@@ -451,6 +451,7 @@ function getLastDispatchCtx():
       ThreadStarterBody?: string;
       To?: string;
       Transcript?: string;
+      TrustedSenderPrincipal?: string;
     }
   | undefined {
   const callArgs = dispatchInboundMessage.mock.calls[
@@ -474,6 +475,7 @@ function getLastDispatchCtx():
           ThreadStarterBody?: string;
           To?: string;
           Transcript?: string;
+          TrustedSenderPrincipal?: string;
         };
       }
     | undefined;
@@ -1667,6 +1669,22 @@ describe("processDiscordMessage session routing", () => {
     });
     expect(getLastDispatchCtx()?.ThreadStarterBody).toBeUndefined();
   });
+
+  it("carries trusted sender principal into dispatch context", async () => {
+    const ctx = await createBaseContext({
+      sender: {
+        id: "pk-member-1",
+        label: "Display Name",
+        trustedPrincipal: "alice",
+      },
+    });
+
+    await runProcessDiscordMessage(ctx);
+
+    expect(getLastDispatchCtx()).toMatchObject({
+      TrustedSenderPrincipal: "alice",
+    });
+  });
 });
 
 describe("processDiscordMessage draft streaming", () => {
 
@@ -6,8 +6,8 @@ describe("buildDiscordNativeCommandContext", () => {
     const ctx = buildDiscordNativeCommandContext({
       prompt: "/status",
       commandArgs: {},
-      sessionKey: "agent:codex:discord:slash:user-1",
-      commandTargetSessionKey: "agent:codex:discord:direct:user-1",
+      sessionKey: "agent:codex:discord:slash:123456789",
+      commandTargetSessionKey: "agent:codex:discord:direct:123456789",
       accountId: "default",
       interactionId: "interaction-1",
       channelId: "dm-1",
@@ -17,24 +17,28 @@ describe("buildDiscordNativeCommandContext", () => {
       isGuild: false,
       isThreadChannel: false,
       user: {
-        id: "user-1",
+        id: "123456789",
         username: "tester",
         globalName: "Tester",
       },
       sender: {
-        id: "user-1",
+        id: "123456789",
         tag: "tester#0001",
       },
+      identityLinks: {
+        owner: ["discord:123456789"],
+      },
       timestampMs: 123,
     });
 
-    expect(ctx.From).toBe("discord:user-1");
-    expect(ctx.To).toBe("slash:user-1");
+    expect(ctx.From).toBe("discord:123456789");
+    expect(ctx.To).toBe("slash:123456789");
     expect(ctx.ChatType).toBe("direct");
     expect(ctx.ConversationLabel).toBe("Tester");
-    expect(ctx.SessionKey).toBe("agent:codex:discord:slash:user-1");
-    expect(ctx.CommandTargetSessionKey).toBe("agent:codex:discord:direct:user-1");
-    expect(ctx.OriginatingTo).toBe("user:user-1");
+    expect(ctx.SessionKey).toBe("agent:codex:discord:slash:123456789");
+    expect(ctx.CommandTargetSessionKey).toBe("agent:codex:discord:direct:123456789");
+    expect(ctx.OriginatingTo).toBe("user:123456789");
+    expect(ctx.TrustedSenderPrincipal).toBe("owner");
     expect(ctx.UntrustedContext).toBeUndefined();
     expect(ctx.UntrustedStructuredContext).toBeUndefined();
     expect(ctx.GroupSystemPrompt).toBeUndefined();
@@ -45,7 +49,7 @@ describe("buildDiscordNativeCommandContext", () => {
     const ctx = buildDiscordNativeCommandContext({
       prompt: "/status",
       commandArgs: { values: { model: "gpt-5.2" } },
-      sessionKey: "agent:codex:discord:slash:user-1",
+      sessionKey: "agent:codex:discord:slash:123456789",
       commandTargetSessionKey: "agent:codex:discord:channel:chan-1",
       accountId: "default",
       interactionId: "interaction-1",
@@ -56,7 +60,7 @@ describe("buildDiscordNativeCommandContext", () => {
       channelTopic: "Production alerts only",
       channelConfig: {
         allowed: true,
-        users: ["discord:user-1"],
+        users: ["discord:123456789"],
         systemPrompt: "Use the runbook.",
       },
       guildInfo: {
@@ -69,14 +73,17 @@ describe("buildDiscordNativeCommandContext", () => {
       isGuild: true,
       isThreadChannel: true,
       user: {
-        id: "user-1",
+        id: "123456789",
         username: "tester",
       },
       sender: {
-        id: "user-1",
+        id: "123456789",
         name: "tester",
         tag: "tester#0001",
       },
+      identityLinks: {
+        alice: ["discord:123456789"],
+      },
       timestampMs: 456,
     });
 
@@ -87,7 +94,8 @@ describe("buildDiscordNativeCommandContext", () => {
     expect(ctx.GroupSpace).toBe("guild-1");
     expect(ctx.MemberRoleIds).toEqual(["admin"]);
     expect(ctx.GroupSystemPrompt).toBe("Use the runbook.");
-    expect(ctx.OwnerAllowFrom).toEqual(["user-1"]);
+    expect(ctx.OwnerAllowFrom).toEqual(["123456789"]);
+    expect(ctx.TrustedSenderPrincipal).toBe("alice");
     expect(ctx.MessageThreadId).toBe("chan-1");
     expect(ctx.ThreadParentId).toBe("parent-1");
     expect(ctx.OriginatingTo).toBe("channel:chan-1");
 
@@ -3,6 +3,7 @@ import { finalizeInboundContext } from "openclaw/plugin-sdk/reply-dispatch-runti
 import { resolveDiscordConversationIdentity } from "../conversation-identity.js";
 import { type DiscordChannelConfigResolved, type DiscordGuildEntryResolved } from "./allow-list.js";
 import { buildDiscordInboundAccessContext } from "./inbound-context.js";
+import { resolveDiscordTrustedPrincipalFromUserId } from "./sender-identity.js";
 
 type BuildDiscordNativeCommandContextParams = {
   prompt: string;
@@ -35,10 +36,15 @@ type BuildDiscordNativeCommandContextParams = {
     name?: string;
     tag?: string;
   };
+  identityLinks?: Record<string, string[]>;
   timestampMs?: number;
 };
 
 export function buildDiscordNativeCommandContext(params: BuildDiscordNativeCommandContextParams) {
+  const trustedSenderPrincipal = resolveDiscordTrustedPrincipalFromUserId({
+    userId: params.user.id,
+    identityLinks: params.identityLinks,
+  });
   const conversationLabel = params.isDirectMessage
     ? (params.user.globalName ?? params.user.username)
     : params.channelId;
@@ -80,6 +86,7 @@ export function buildDiscordNativeCommandContext(params: BuildDiscordNativeComma
     SenderId: params.user.id,
     SenderUsername: params.user.username,
     SenderTag: params.sender.tag,
+    TrustedSenderPrincipal: trustedSenderPrincipal,
     Provider: "discord" as const,
     Surface: "discord" as const,
     WasMentioned: true,
 
@@ -700,6 +700,7 @@ async function dispatchDiscordCommandInteraction(params: {
       globalName: user.globalName,
     },
     sender: { id: sender.id, name: sender.name, tag: sender.tag },
+    identityLinks: cfg.session?.identityLinks,
   });
 
   await dispatchDiscordNativeAgentReply({
 
@@ -0,0 +1,74 @@
+import { describe, expect, it } from "vitest";
+import {
+  resolveDiscordSenderIdentity,
+  resolveDiscordTrustedPrincipalFromUserId,
+} from "./sender-identity.js";
+
+describe("resolveDiscordTrustedPrincipalFromUserId", () => {
+  it("resolves canonical principal through identity links", () => {
+    expect(
+      resolveDiscordTrustedPrincipalFromUserId({
+        userId: " 123456789 ",
+        identityLinks: {
+          alice: ["discord:123456789"],
+        },
+      }),
+    ).toBe("alice");
+  });
+
+  it("keeps unmapped user ids unresolved", () => {
+    expect(resolveDiscordTrustedPrincipalFromUserId({ userId: "123456789" })).toBeUndefined();
+  });
+
+  it("keeps malformed user ids unresolved", () => {
+    expect(resolveDiscordTrustedPrincipalFromUserId({ userId: "alice" })).toBeUndefined();
+    expect(resolveDiscordTrustedPrincipalFromUserId({ userId: "" })).toBeUndefined();
+    expect(resolveDiscordTrustedPrincipalFromUserId({ userId: undefined })).toBeUndefined();
+  });
+});
+
+describe("resolveDiscordSenderIdentity", () => {
+  it("resolves trusted principal through identity links for regular users", () => {
+    const sender = resolveDiscordSenderIdentity({
+      author: {
+        id: "111222333",
+        username: "alice",
+        globalName: "Alice",
+      } as never,
+      member: { nickname: "Display Name" },
+      pluralkitInfo: null,
+      identityLinks: {
+        alice: ["discord:111222333"],
+      },
+    });
+
+    expect(sender.id).toBe("111222333");
+    expect(sender.trustedPrincipal).toBe("alice");
+  });
+
+  it("resolves trusted principal through identity links for pluralkit messages", () => {
+    const sender = resolveDiscordSenderIdentity({
+      author: {
+        id: "444555666",
+        username: "relay-bot",
+      } as never,
+      pluralkitInfo: {
+        member: {
+          id: "pk-member-1",
+          display_name: "Proxy Name",
+          name: "proxy",
+        },
+        system: {
+          id: "pk-system-1",
+          name: "System Name",
+        },
+      } as never,
+      identityLinks: {
+        system_owner: ["discord:444555666"],
+      },
+    });
+
+    expect(sender.id).toBe("pk-member-1");
+    expect(sender.trustedPrincipal).toBe("system_owner");
+  });
+});
@@ -1,4 +1,5 @@
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
+import { resolveCanonicalIdentityFromLinks } from "openclaw/plugin-sdk/routing";
 import type { User } from "../internal/discord.js";
 import type { PluralKitMessageInfo } from "../pluralkit.js";
 import { formatDiscordUserTag } from "./format.js";
@@ -8,6 +9,7 @@ export type DiscordSenderIdentity = {
   name?: string;
   tag?: string;
   label: string;
+  trustedPrincipal?: string;
   isPluralKit: boolean;
   pluralkit?: {
     memberId: string;
@@ -32,11 +34,35 @@ export function resolveDiscordWebhookId(message: DiscordWebhookMessageLike): str
   return typeof candidate === "string" && candidate.trim() ? candidate.trim() : null;
 }
 
+export function resolveDiscordTrustedPrincipalFromUserId(params: {
+  userId: string | undefined | null;
+  identityLinks?: Record<string, string[]>;
+}): string | undefined {
+  if (typeof params.userId !== "string") {
+    return undefined;
+  }
+  const trimmed = params.userId.trim();
+  if (!/^\d+$/.test(trimmed)) {
+    return undefined;
+  }
+  const canonical = resolveCanonicalIdentityFromLinks({
+    identityLinks: params.identityLinks,
+    channel: "discord",
+    peerId: trimmed,
+  });
+  return canonical ?? undefined;
+}
+
 export function resolveDiscordSenderIdentity(params: {
   author: User;
   member?: DiscordMemberLike | null;
   pluralkitInfo?: PluralKitMessageInfo | null;
+  identityLinks?: Record<string, string[]>;
 }): DiscordSenderIdentity {
+  const trustedPrincipal = resolveDiscordTrustedPrincipalFromUserId({
+    userId: params.author.id,
+    identityLinks: params.identityLinks,
+  });
   const pkInfo = params.pluralkitInfo ?? null;
   const pkMember = pkInfo?.member ?? undefined;
   const pkSystem = pkInfo?.system ?? undefined;
@@ -51,6 +77,7 @@ export function resolveDiscordSenderIdentity(params: {
       name: memberName,
       tag: normalizeOptionalString(pkMember?.name),
       label,
+      trustedPrincipal,
       isPluralKit: true,
       pluralkit: {
         memberId,
@@ -76,6 +103,7 @@ export function resolveDiscordSenderIdentity(params: {
     name: params.author.username ?? undefined,
     tag: senderTag,
     label: senderLabel,
+    trustedPrincipal,
     isPluralKit: false,
   };
 }
@@ -50,6 +50,7 @@ export function finalizeInboundContext<T extends Record<string, unknown>>(
   normalized.Transcript = normalizeTextField(normalized.Transcript);
   normalized.ThreadStarterBody = normalizeTextField(normalized.ThreadStarterBody);
   normalized.ThreadHistoryBody = normalizeTextField(normalized.ThreadHistoryBody);
+  normalized.TrustedSenderPrincipal = normalizeTextField(normalized.TrustedSenderPrincipal);
   if (Array.isArray(normalized.UntrustedContext)) {
     const normalizedUntrusted = normalized.UntrustedContext.map((entry) =>
       sanitizeInboundSystemTags(normalizeInboundTextNewlines(entry)),