fix(active-memory): require admin scope for global toggles [AI]

[pgondhi987]

Summary

• Problem: /active-memory on --global and /active-memory off --global wrote gateway-wide config without checking gateway client admin scope.
• Why it matters: gateway-scoped callers should only persist gateway-wide Active Memory changes when they carry operator.admin.
• What changed: added a handler-level admin check around global Active Memory on/off writes and regression coverage for write-scoped, admin-scoped, status, and session toggle paths.
• What did NOT change (scope boundary): /active-memory status --global and session-level /active-memory on|off|status remain available to non-admin write-scoped callers.

Change Type (select all)

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Related: N/A in public PR metadata
• This PR fixes a bug or regression

Real behavior proof (required for external PRs)

• Behavior or issue addressed: gateway-scoped global Active Memory writes now require operator.admin.
• Real environment tested: Not run by this agent; supervisor-owned validation pending.
• Exact steps or command run after this patch: Not run by this agent.
• Evidence after fix (screenshot, recording, terminal capture, console output, redacted runtime log, linked artifact, or copied live output): Regression tests were added but not executed by this agent.
• Observed result after fix: Code path now returns an operator.admin requirement before calling replaceConfigFile for write-scoped global on/off requests.
• What was not tested: Runtime gateway WebSocket flow and full test suite.
• Before evidence (optional but encouraged): N/A.

Root Cause (if applicable)

• Root cause: the Active Memory command guarded global status and global mutations in the same branch, but only status needed to remain read-only while on/off persisted config through replaceConfigFile.
• Missing detection / guardrail: there was no regression coverage for gateway-scoped callers invoking global Active Memory on/off commands.
• Contributing context (if known): command-level requiredScopes would have been too broad because it would also block status and session-level toggles.

Regression Test Plan (if applicable)

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: extensions/active-memory/index.test.ts
• Scenario the test should lock in: write-scoped gateway callers cannot mutate global Active Memory config, admin-scoped callers can, and non-global-write paths remain available.
• Why this is the smallest reliable guardrail: the tests exercise the registered command handler with the same plugin API spy that observes replaceConfigFile calls.
• Existing test that already covers this (if any): existing global toggle coverage checked mutation behavior but did not pass gateway client scopes.
• If no new test is added, why not: N/A.

User-visible / Behavior Changes

Gateway clients with operator.write but not operator.admin now receive an admin-scope requirement when using /active-memory on --global or /active-memory off --global. Session-level toggles and global status are unchanged.

Diagram (if applicable)

Before:
[gateway write-scoped /active-memory off --global] -> [config write]

After:
[gateway write-scoped /active-memory off --global] -> [operator.admin required]
[gateway admin-scoped /active-memory off --global] -> [config write]

Security Impact (required)

• New permissions/capabilities? (Yes/No) No
• Secrets/tokens handling changed? (Yes/No) No
• New/changed network calls? (Yes/No) No
• Command/tool execution surface changed? (Yes/No) Yes
• Data access scope changed? (Yes/No) No
• If any Yes, explain risk + mitigation: global Active Memory on/off commands now require operator.admin for gateway-scoped callers; read-only global status and session-level toggles remain available.

Repro + Verification

Environment

• OS: Not run by this agent
• Runtime/container: Not run by this agent
• Model/provider: N/A
• Integration/channel (if any): Gateway command path, not live-tested by this agent
• Relevant config (redacted): N/A

Steps

1. Invoke the registered Active Memory command with gatewayClientScopes: ["operator.write"] and args: "off --global".
2. Invoke the same command with gatewayClientScopes: ["operator.admin"] and args: "off --global".
3. Invoke global status and session-level off with gatewayClientScopes: ["operator.write"].

Expected

• Write-scoped global on/off requests report that operator.admin is required and do not call replaceConfigFile.
• Admin-scoped global on/off requests still persist the config update.
• Global status and session-level toggles remain available to write-scoped callers.

Actual

• Not run by this agent; regression tests encode the expected behavior.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: Source-level review of the guarded branches and added regression test cases.
• Edge cases checked: admin-scoped global mutation, write-scoped global status, and write-scoped session toggle behavior.
• What you did not verify: Test execution, full changed gate, and live gateway runtime behavior.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes/No) Yes
• Config/env changes? (Yes/No) No
• Migration needed? (Yes/No) No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: command users without admin scope can no longer change the global Active Memory enabled flag through chat command routing.
  • Mitigation: this is limited to persistent global on/off writes; status and session-level controls remain unchanged.

[clawsweeper]

Codex review: needs real behavior proof before merge.

Summary
Adds handler-level admin-scope gating for gateway-originated global Active Memory on/off commands and regression tests for blocked write-scoped, allowed admin-scoped, global status, and session toggle paths.

Reproducibility: yes. by source inspection: invoke the Active Memory command handler on current main with gatewayClientScopes: ["operator.write"] and args: "off --global"; the code reaches replaceConfigFile without an admin check. I did not execute it because this review was read-only.

Real behavior proof
Needs real behavior proof before merge: The PR body explicitly says the patch was not run in a real setup and provides no terminal output, logs, screenshot, recording, or linked artifact showing the after-fix behavior. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Human review is needed because this protected-label external security-hardening PR lacks after-fix real behavior proof; automation cannot supply the contributor's setup evidence.

Security
Cleared: The diff narrows authorization for an existing command path and only touches active-memory code/tests, with no new dependency, workflow, secret, or supply-chain surface.

Review details

Best possible solution:

Land the narrow handler-level authorization fix after maintainer review, redacted real behavior proof, and focused test evidence confirm write-scoped gateway clients cannot change global Active Memory while admin, status, and session paths still work.

Do we have a high-confidence way to reproduce the issue?

Yes by source inspection: invoke the Active Memory command handler on current main with gatewayClientScopes: ["operator.write"] and args: "off --global"; the code reaches replaceConfigFile without an admin check. I did not execute it because this review was read-only.

Is this the best way to solve the issue?

Yes: a handler-level check before the global mutation branches is the narrowest maintainable fix because command-level required scopes would also block read-only global status and session-level toggles.

Acceptance criteria:

• pnpm test extensions/active-memory/index.test.ts
• pnpm check:changed

What I checked:

• current_main_write_path: Current main handles /active-memory on|off --global by calling replaceConfigFile after computing the next config, with no check of ctx.gatewayClientScopes before the write branches. (extensions/active-memory/index.ts:2822, 1831e124b221)
• admin_scope_contract: Gateway operator-scope docs define operator.admin as required for config mutation, while operator.write is for normal mutating operator actions. Public docs: docs/gateway/operator-scopes.md. (docs/gateway/operator-scopes.md:35, 1831e124b221)
• plugin_command_scope_context: Plugin command execution receives params.ctx.GatewayClientScopes, so the active-memory command handler can distinguish gateway clients from ordinary channel callers. (src/auto-reply/reply/commands-plugin.ts:43, 1831e124b221)
• pr_diff_scope: The provided PR diff adds requiresAdminToMutateActiveMemoryGlobal(...) and checks it before global on/off writes, while adding tests for write-scoped denial, admin-scoped success, global status, and session toggles. (extensions/active-memory/index.ts:782, bd6bd55aa7c0)
• real_behavior_proof_missing: The PR body says the change was not run by the agent, regression tests were added but not executed by the agent, and runtime gateway WebSocket flow was not tested. (bd6bd55aa7c0)
• feature_history: Blame/history for the active-memory global toggle code, plugin command scope plumbing, and operator-scope docs points to commit 93747f6 by @vincentkoc. (extensions/active-memory/index.ts:2804, 93747f695539)

Likely related people:

• vincentkoc: Current-main blame/history points the Active Memory global toggle implementation, gateway scope command handling, and operator-scope documentation to the same recent commit, and repository credits list @vincentkoc for agents/security ownership areas. (role: introduced behavior and adjacent maintainer; confidence: high; commits: 93747f695539; files: extensions/active-memory/index.ts, src/auto-reply/reply/commands-plugin.ts, src/plugins/commands.ts)

Remaining risk / open question:

• The external PR currently lacks after-fix real behavior proof; tests, mocks, or source review alone do not satisfy the merge gate.
• The focused active-memory regression test and changed-surface checks were not run during this read-only review.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1831e124b221.

[pgondhi987]

Not applicable to this automation stage; changelog/release-note and external real behavior proof requirements are handled outside auto-pr stages.

Quoted comment from @clawsweeper:

Codex review: needs real behavior proof before merge.

Summary
Adds handler-level admin-scope gating for gateway-originated global Active Memory on/off commands and regression tests for blocked write-scoped, allowed admin-scoped, global status, and session toggle paths.

Reproducibility: yes. by source inspection: invoke the Active Memory command handler on current main with gatewayClientScopes: ["operator.write"] and args: "off --global"; the code reaches replaceConfigFile without an admin check. I did not execute it because this review was read-only.

Real behavior proof
Needs real behavior proof before merge: The PR body explicitly says the patch was not run in a real setup and provides no terminal output, logs, screenshot, recording, or linked artifact showing the after-fix behavior. After adding proof, update the PR body; ClawSweeper should re-review automatically. If it does not, ask a maintainer to comment @clawsweeper re-review.

Next step before merge
Human review is needed because this protected-label external security-hardening PR lacks after-fix real behavior proof; automation cannot supply the contributor's setup evidence.

Security
Cleared: The diff narrows authorization for an existing command path and only touches active-memory code/tests, with no new dependency, workflow, secret, or supply-chain surface.

Review details

Best possible solution:

Land the narrow handler-level authorization fix after maintainer review, redacted real behavior proof, and focused test evidence confirm write-scoped gateway clients cannot change global Active Memory while admin, status, and session paths still work.

Do we have a high-confidence way to reproduce the issue?

Yes by source inspection: invoke the Active Memory command handler on current main with gatewayClientScopes: ["operator.write"] and args: "off --global"; the code reaches replaceConfigFile without an admin check. I did not execute it because this review was read-only.

Is this the best way to solve the issue?

Yes: a handler-level check before the global mutation branches is the narrowest maintainable fix because command-level required scopes would also block read-only global status and session-level toggles.

Acceptance criteria:

• pnpm test extensions/active-memory/index.test.ts
• pnpm check:changed

What I checked:

• current_main_write_path: Current main handles /active-memory on|off --global by calling replaceConfigFile after computing the next config, with no check of ctx.gatewayClientScopes before the write branches. (extensions/active-memory/index.ts:2822, 1831e124b221)
• admin_scope_contract: Gateway operator-scope docs define operator.admin as required for config mutation, while operator.write is for normal mutating operator actions. Public docs: docs/gateway/operator-scopes.md. (docs/gateway/operator-scopes.md:35, 1831e124b221)
• plugin_command_scope_context: Plugin command execution receives params.ctx.GatewayClientScopes, so the active-memory command handler can distinguish gateway clients from ordinary channel callers. (src/auto-reply/reply/commands-plugin.ts:43, 1831e124b221)
• pr_diff_scope: The provided PR diff adds requiresAdminToMutateActiveMemoryGlobal(...) and checks it before global on/off writes, while adding tests for write-scoped denial, admin-scoped success, global status, and session toggles. (extensions/active-memory/index.ts:782, bd6bd55aa7c0)
• real_behavior_proof_missing: The PR body says the change was not run by the agent, regression tests were added but not executed by the agent, and runtime gateway WebSocket flow was not tested. (bd6bd55aa7c0)
• feature_history: Blame/history for the active-memory global toggle code, plugin command scope plumbing, and operator-scope docs points to commit 93747f6 by @vincentkoc. (extensions/active-memory/index.ts:2804, 93747f695539)

Likely related people:

• vincentkoc: Current-main blame/history points the Active Memory global toggle implementation, gateway scope command handling, and operator-scope documentation to the same recent commit, and repository credits list @vincentkoc for agents/security ownership areas. (role: introduced behavior and adjacent maintainer; confidence: high; commits: 93747f695539; files: extensions/active-memory/index.ts, src/auto-reply/reply/commands-plugin.ts, src/plugins/commands.ts)

Remaining risk / open question:

• The external PR currently lacks after-fix real behavior proof; tests, mocks, or source review alone do not satisfy the merge gate.
• The focused active-memory regression test and changed-surface checks were not run during this read-only review.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 1831e124b221.