fix(discord): require sender for moderation actions [AI]

[eleqtrizit]

Summary

Discord moderation actions now use the existing trusted requester sender guard in tool-driven Discord contexts.

Changes

• Add timeout, kick, and ban to the Discord trusted requester sender action set.
• Extend the Discord channel action regression test to cover those moderation actions while preserving the existing non-Discord and unprivileged-action behavior.

Validation

Behavior addressed: tool-driven Discord moderation actions require trusted requester sender metadata before entering the Discord action runtime.

Real environment tested: local OpenClaw checkout on branch 725 after rebasing onto current upstream/main.

Exact steps or command run after this patch: node scripts/run-vitest.mjs extensions/discord/src/channel-actions.test.ts src/channels/plugins/message-actions.security.test.ts

Evidence after fix: the focused Vitest wrapper passed 2 shards: extensions/discord/src/channel-actions.test.ts (28 tests) and src/channels/plugins/message-actions.security.test.ts (3 tests).

Observed result after fix: Discord channel-delete, timeout, kick, and ban return true from requiresTrustedRequesterSender for Discord tool contexts; non-Discord contexts and read remain unchanged.

What was not tested: live Discord moderation against a real server; no live Discord credentials were used.

Additional checks:

• git diff --check
• .agents/skills/autoreview/scripts/autoreview --mode local

Notes

• No config, API, migration, or changelog changes.
• USER.md was updated locally with the requested worklog and intentionally left out of the commit.
• AI-assisted by Codex.

[clawsweeper]

Codex review: needs real behavior proof before merge. Reviewed June 9, 2026, 2:50 PM ET / 18:50 UTC.

Summary
Review failed before ClawSweeper could summarize the requested change.

PR surface: Source +3, Tests +2. Total +5 across 2 files.

Reproducibility: unclear. The review failed before ClawSweeper could establish a reproduction path.

Review metrics: none identified.

Merge readiness
Overall: 🌊 off-meta tidepool
Proof: 🌊 off-meta tidepool
Patch quality: 🌊 off-meta tidepool
Result: rating does not apply to this item.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Risk before merge

• [P1] No close action taken because the review did not complete.

Maintainer options:

1. Decide the mitigation before merge
   Retry the Codex review after fixing the execution failure.
2. Pause or close
   Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

• [P1] Review did not complete, so no work-lane recommendation was made.

Review details

Best possible solution:

Retry the Codex review after fixing the execution failure.

Do we have a high-confidence way to reproduce the issue?

Unclear. The review failed before ClawSweeper could establish a reproduction path.

Is this the best way to solve the issue?

Unclear. Retry the review first so ClawSweeper can evaluate the actual issue and fix direction.

AGENTS.md: unclear because the file could not be read completely.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8b84e951e5a6.

Label changes

Label changes:

• add rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Label justifications:

• rating: 🌊 off-meta tidepool: Overall readiness is 🌊 off-meta tidepool; proof is 🌊 off-meta tidepool and patch quality is 🌊 off-meta tidepool.

Evidence reviewed

PR surface:

Source +3, Tests +2. Total +5 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	3	0	+3
Tests	1	8	6	+2
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	11	6	+5

What I checked:

• failure reason: timeout.
• codex failure detail: Codex review failed for this PR: spawnSync codex ETIMEDOUT.
• codex stdout: Per-item Codex failure; continuing with the rest of the shard.

Likely related people:

• unknown: Codex failed before it could trace repository history. (role: review did not complete; confidence: low)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[eleqtrizit]

Behavioral Proof

ClawSweeper asked for real behavior proof because its Codex review timed out before it could establish a reproduction path. I re-read the tracking issue, the GHSA payload, and the current PR surface, then verified the behavior on this branch.

Proof target: Discord timeout, kick, and ban are tool-exposed moderation actions, so tool-driven Discord calls must require trusted requester sender metadata before the moderation runtime can execute without a sender identity.

What the code now does:

• extensions/discord/src/channel-actions.ts adds timeout, kick, and ban to trustedRequesterGuildAdminActions.
• The same file exposes those three actions only when Discord moderation is enabled, so the protected set now matches the moderation tool surface.
• src/channels/plugins/message-action-dispatch.ts rejects a tool-driven action before handleAction when requiresTrustedRequesterSender(ctx) is true and ctx.requesterSenderId is blank.
• extensions/discord/src/actions/runtime.ts routes timeout, kick, and ban into handleDiscordModerationAction.
• extensions/discord/src/actions/runtime.moderation.ts still preserves the manual/CLI behavior by only checking Discord sender permissions when senderUserId is present. The dispatcher guard is therefore the behavior that protects tool-driven Discord turns with missing requester identity.

Real behavior exercised:

• extensions/discord/src/channel-actions.test.ts now asserts requiresTrustedRequesterSender returns true for Discord channel-delete, timeout, kick, and ban tool contexts.
• The same test asserts non-Discord contexts and unprivileged Discord read still return false.
• src/channels/plugins/message-actions.security.test.ts exercises the dispatcher behavior: missing trusted sender identity throws before action handling, while a populated requesterSenderId allows the action to proceed.
• extensions/discord/src/actions/runtime.moderation.authz.test.ts exercises the downstream Discord moderation permission checks for ban, kick, and timeout when sender identity is present.

Commands run after this patch:

node scripts/run-vitest.mjs extensions/discord/src/channel-actions.test.ts src/channels/plugins/message-actions.security.test.ts extensions/discord/src/actions/runtime.moderation.authz.test.ts
git diff --check

Observed result:

[test] passed 2 Vitest shards in 8.32s
Test Files  2 passed (2)
Tests       33 passed (33)
Test Files  1 passed (1)
Tests       3 passed (3)

git diff --check produced no output.

Scope proof:

• Current origin/main has the trusted requester set ending at event-create; this branch adds only timeout, kick, and ban to that existing Discord set.
• Source search found timeout/kick/ban as moderation actions in the Discord plugin path, not equivalent exposed moderation actions in the other named channel plugins. That matches the tracking issue triage: the confirmed vulnerable scope is Discord moderation; the broader multi-plugin claim is not supported by current source.

What was not tested: live Discord moderation against a real server. This proof uses the repo's behavior tests and mocked Discord runtime calls, so it verifies the OpenClaw trust gate without sending live moderation requests.

[eleqtrizit]

Relevance

Three separate relevance checks confirmed the vulnerability is real and in scope. The Discord moderation actions timeout, kick, and ban were exposed when moderation was enabled but were missing from the trustedRequesterGuildAdminActions set, allowing tool-driven agent calls to bypass the trusted requester sender verification. The broader claim about other channels being similarly affected was not supported by current source — those plugins do not expose Discord-style moderation actions.

Compatibility

A dedicated compatibility check confirmed zero compatibility risk. No exported symbols, types, import paths, package exports, SDK surfaces, gateway protocol, plugin boundaries, config schemas, defaults, migrations, CLI commands, or documentation were changed. The fix is purely additive to an existing allowlist, making the security check stricter only for tool-driven Discord contexts. Manual and CLI moderation flows are unaffected.

ClawSweeper

ClawSweeper dispatched a review, but the review engine timed out due to an infrastructure/network failure. The timeout produced no code findings, no actionable feedback, and no work-lane recommendation. All CI checks passed independently.

Code Reviews Completed

Multiple code reviews confirmed the fix is correct, complete, and minimal. The three action names added are exactly those exposed when Discord moderation is enabled, routed to the moderation handler, and gated by the same requiresTrustedRequesterSender hook used by the 12 existing privileged actions. The fix follows the existing security architecture: the dispatcher rejects tool-driven calls without a requester sender identity before they reach the moderation runtime, while the moderation runtime's early return for missing sender identity correctly handles legitimate manual and CLI flows. The change stays entirely within the Discord plugin boundary with no cross-boundary imports or core internals touched.

Proof

All CI checks passed, including security, lint, type, dependency, and security analysis lanes. Focused test runs covering the changed Discord action hook, the shared dispatcher security behavior, and moderation authorization all passed. The git diff --check passed clean. The behavioral proof was posted to the PR, confirming the fix closes the gap by adding the three missing moderation actions to the trusted requester sender set.