clarify directive persistence policy

pgondhi987 · pgondhi987 · commit 8ca082283d79 · 2026-05-28T08:44:16.000Z
diff --git a/docs/tools/exec.md b/docs/tools/exec.md
@@ -164,9 +164,10 @@ Example:
 ## Authorization model
 
 `/exec` is only honored for **authorized senders** (channel allowlists/pairing plus `commands.useAccessGroups`).
-It updates **session state only** and does not write config. To hard-disable exec, deny it via tool
-policy (`tools.deny: ["exec"]` or per-agent). Host approvals still apply unless you explicitly set
-`security=full` and `ask=off`.
+It updates **session state only** and does not write config. Authorized external channel senders may
+set these session defaults. Internal gateway/webchat clients need `operator.admin` to persist them.
+To hard-disable exec, deny it via tool policy (`tools.deny: ["exec"]` or per-agent). Host approvals
+still apply unless you explicitly set `security=full` and `ask=off`.
 
 ## Exec approvals (companion app / node host)
 
diff --git a/src/auto-reply/reply/directive-handling.impl.ts b/src/auto-reply/reply/directive-handling.impl.ts
@@ -20,8 +20,7 @@ import { maybeHandleModelDirectiveInfo } from "./directive-handling.model.js";
 import type { HandleDirectiveOnlyParams } from "./directive-handling.params.js";
 import { maybeHandleQueueDirective } from "./directive-handling.queue-validation.js";
 import {
-  canPersistInternalExecDirective,
-  canPersistInternalVerboseDirective,
+  canPersistSessionDirectiveDefaults,
   formatDirectiveAck,
   formatElevatedRuntimeHint,
   formatElevatedUnavailableText,
@@ -82,14 +81,14 @@ export async function handleDirectiveOnly(
     }),
   }).sandboxed;
   const shouldHintDirectRuntime = directives.hasElevatedDirective && !runtimeIsSandboxed;
-  const allowInternalExecPersistence = canPersistInternalExecDirective({
+  const allowInternalExecPersistence = canPersistSessionDirectiveDefaults({
     messageProvider: params.messageProvider,
     surface: params.surface,
     gatewayClientScopes: params.gatewayClientScopes,
     commandAuthorized: params.commandAuthorized,
     senderIsOwner: params.senderIsOwner,
   });
-  const allowInternalVerbosePersistence = canPersistInternalVerboseDirective({
+  const allowInternalVerbosePersistence = canPersistSessionDirectiveDefaults({
     messageProvider: params.messageProvider,
     surface: params.surface,
     gatewayClientScopes: params.gatewayClientScopes,
diff --git a/src/auto-reply/reply/directive-handling.mixed-inline.test.ts b/src/auto-reply/reply/directive-handling.mixed-inline.test.ts
@@ -196,7 +196,7 @@ describe("mixed inline directives", () => {
     expect(sessionEntry.reasoningLevel).toBe("off");
   });
 
-  it("uses provider metadata when acknowledging mixed exec persistence denial", async () => {
+  it("persists mixed exec defaults for authorized external senders with empty gateway scopes", async () => {
     const directives = parseInlineDirectives(
       "please reply\n/exec host=node security=allowlist ask=always node=worker-1",
     );
@@ -240,8 +240,8 @@ describe("mixed inline directives", () => {
       },
     });
 
-    expect(fastLane.directiveAck?.text).toContain("operator.admin");
-    expect(fastLane.directiveAck?.text).not.toContain("Exec defaults set");
+    expect(fastLane.directiveAck?.text).toContain("Exec defaults set");
+    expect(fastLane.directiveAck?.text).not.toContain("operator.admin");
 
     await persistInlineDirectives({
       directives,
@@ -263,12 +263,13 @@ describe("mixed inline directives", () => {
       agentCfg: cfg.agents?.defaults,
       messageProvider: "telegram",
       gatewayClientScopes: [],
+      commandAuthorized: true,
     });
 
-    expect(sessionEntry.execHost).toBeUndefined();
-    expect(sessionEntry.execSecurity).toBeUndefined();
-    expect(sessionEntry.execAsk).toBeUndefined();
-    expect(sessionEntry.execNode).toBeUndefined();
+    expect(sessionEntry.execHost).toBe("node");
+    expect(sessionEntry.execSecurity).toBe("allowlist");
+    expect(sessionEntry.execAsk).toBe("always");
+    expect(sessionEntry.execNode).toBe("worker-1");
   });
 
   it("does not persist trace directives for unauthorized mixed messages", async () => {
diff --git a/src/auto-reply/reply/directive-handling.model.test.ts b/src/auto-reply/reply/directive-handling.model.test.ts
@@ -1838,7 +1838,7 @@ describe("handleDirectiveOnly model persist behavior (fixes #1435)", () => {
   });
 });
 
-describe("persistInlineDirectives internal exec scope gate", () => {
+describe("persistInlineDirectives session directive persistence policy", () => {
   it("skips exec persistence for internal operator.write callers", async () => {
     const sessionEntry = await persistInternalOperatorWriteDirective(
       "/exec host=node security=allowlist ask=always node=worker-1",
@@ -1856,7 +1856,7 @@ describe("persistInlineDirectives internal exec scope gate", () => {
     expect(sessionEntry.verboseLevel).toBeUndefined();
   });
 
-  it("skips exec persistence for non-webchat gateway callers without operator.admin", async () => {
+  it("skips exec persistence for unauthorized external callers even when gateway scopes are empty", async () => {
     const sessionEntry = await persistInternalOperatorWriteDirective(
       "/exec host=node security=allowlist ask=always node=worker-1",
       {
@@ -1872,7 +1872,7 @@ describe("persistInlineDirectives internal exec scope gate", () => {
     expect(sessionEntry.execNode).toBeUndefined();
   });
 
-  it("skips verbose persistence for non-webchat gateway callers without operator.admin", async () => {
+  it("skips verbose persistence for unauthorized external callers even when gateway scopes are empty", async () => {
     const sessionEntry = await persistInternalOperatorWriteDirective("/verbose full", {
       messageProvider: "telegram",
       surface: "telegram",
@@ -1882,13 +1882,14 @@ describe("persistInlineDirectives internal exec scope gate", () => {
     expect(sessionEntry.verboseLevel).toBeUndefined();
   });
 
-  it("allows non-webchat gateway callers with operator.admin to persist exec defaults", async () => {
+  it("allows authorized external callers with empty gateway scopes to persist exec defaults", async () => {
     const sessionEntry = await persistInternalOperatorWriteDirective(
       "/exec host=node security=allowlist ask=always node=worker-1",
       {
         messageProvider: "telegram",
         surface: "telegram",
-        gatewayClientScopes: ["operator.admin"],
+        gatewayClientScopes: [],
+        commandAuthorized: true,
       },
     );
 
@@ -1898,6 +1899,17 @@ describe("persistInlineDirectives internal exec scope gate", () => {
     expect(sessionEntry.execNode).toBe("worker-1");
   });
 
+  it("allows authorized external callers with empty gateway scopes to persist verbose defaults", async () => {
+    const sessionEntry = await persistInternalOperatorWriteDirective("/verbose full", {
+      messageProvider: "telegram",
+      surface: "telegram",
+      gatewayClientScopes: [],
+      commandAuthorized: true,
+    });
+
+    expect(sessionEntry.verboseLevel).toBe("full");
+  });
+
   it("skips exec persistence for non-webchat channel callers without gateway scopes", async () => {
     const sessionEntry = await persistInternalOperatorWriteDirective(
       "/exec host=node security=allowlist ask=always node=worker-1",
diff --git a/src/auto-reply/reply/directive-handling.persist.ts b/src/auto-reply/reply/directive-handling.persist.ts
@@ -19,8 +19,7 @@ import { isThinkingLevelSupported, resolveSupportedThinkingLevel } from "../thin
 import { resolveModelSelectionFromDirective } from "./directive-handling.model-selection.js";
 import type { InlineDirectives } from "./directive-handling.parse.js";
 import {
-  canPersistInternalExecDirective,
-  canPersistInternalVerboseDirective,
+  canPersistSessionDirectiveDefaults,
   enqueueModeSwitchEvents,
 } from "./directive-handling.shared.js";
 import type { ElevatedLevel, ReasoningLevel, ThinkLevel } from "./directives.js";
@@ -122,14 +121,14 @@ export async function persistInlineDirectives(params: {
   } = params;
   let { provider, model } = params;
   let thinkingRemap: PersistedThinkingLevelRemap | undefined;
-  const allowInternalExecPersistence = canPersistInternalExecDirective({
+  const allowInternalExecPersistence = canPersistSessionDirectiveDefaults({
     messageProvider: params.messageProvider,
     surface: params.surface,
     gatewayClientScopes: params.gatewayClientScopes,
     commandAuthorized: params.commandAuthorized,
     senderIsOwner: params.senderIsOwner,
   });
-  const allowInternalVerbosePersistence = canPersistInternalVerboseDirective({
+  const allowInternalVerbosePersistence = canPersistSessionDirectiveDefaults({
     messageProvider: params.messageProvider,
     surface: params.surface,
     gatewayClientScopes: params.gatewayClientScopes,
diff --git a/src/auto-reply/reply/directive-handling.shared.ts b/src/auto-reply/reply/directive-handling.shared.ts
@@ -23,24 +23,28 @@ export const formatInternalVerbosePersistenceDeniedText = () =>
 export const formatInternalVerboseCurrentReplyOnlyText = () =>
   "Verbose logging set for the current reply only.";
 
-function canPersistInternalDirective(params: {
+export function canPersistSessionDirectiveDefaults(params: {
   messageProvider?: string;
   surface?: string;
   gatewayClientScopes?: string[];
   commandAuthorized?: boolean;
   senderIsOwner?: boolean;
 }): boolean {
-  if (params.gatewayClientScopes === undefined) {
-    const hasChannelContext =
-      normalizeOptionalString(params.messageProvider) !== undefined ||
-      normalizeOptionalString(params.surface) !== undefined;
-    return !hasChannelContext || params.commandAuthorized === true || params.senderIsOwner === true;
+  const messageProvider = normalizeOptionalString(params.messageProvider);
+  const surface = normalizeOptionalString(params.surface);
+  const hasChannelContext = messageProvider !== undefined || surface !== undefined;
+  const isInternalGatewayCaller = messageProvider === "webchat" || surface === "webchat";
+
+  if (isInternalGatewayCaller) {
+    return params.gatewayClientScopes?.includes("operator.admin") === true;
   }
-  return params.gatewayClientScopes.includes("operator.admin");
-}
 
-export const canPersistInternalExecDirective = canPersistInternalDirective;
-export const canPersistInternalVerboseDirective = canPersistInternalDirective;
+  if (hasChannelContext) {
+    return params.commandAuthorized === true || params.senderIsOwner === true;
+  }
+
+  return true;
+}
 
 const formatElevatedEvent = (level: ElevatedLevel) => {
   if (level === "full") {
