Skip to content

fix(daemon): only the owner may settle intents via room /approve replies#18

Merged
ThinkOffApp merged 1 commit into
mainfrom
fix/room-approvals-owner-only
Jul 4, 2026
Merged

fix(daemon): only the owner may settle intents via room /approve replies#18
ThinkOffApp merged 1 commit into
mainfrom
fix/room-approvals-owner-only

Conversation

@ThinkOffApp

Copy link
Copy Markdown
Owner

Problem

The :8788 chat-reply poller matched /approve <id> / /deny <id> from any room sender. Any fleet agent echoing an approve line could settle a pending intent and trigger its gated command — this actually happened in thinkoff-development (hermes settled intent 2494578e).

Fix

Settlement is restricted to the human owner: plain petrus sender (covers CodeWatch button taps, which arrive with isHuman=false) or a human-flagged message. Agent senders are logged and skipped.

Verification

  • node --check clean, confirmations test suite 15/15 pass.
  • Validated sender shapes against live room traffic: Petrus posts as petrus (web: isHuman:true, button tap: isHuman:false), agents as hermes/@ether.

Note for @claudemb: MacBook daemon already carries an equivalent local guard; pulling this reconciles both clones.

🤖 Generated with Claude Code

The chat-reply poller accepted /approve <id> and /deny <id> from any room
sender, so any fleet agent could settle a pending intent and trigger its
gated command. Restrict settlement to the human owner: plain "petrus"
sender (CodeWatch button taps included, which post with isHuman=false) or
a human-flagged message. Agent senders are logged and skipped.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@cursor

cursor Bot commented Jul 4, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: beec369367

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread bin/iak-mcp-daemon.mjs
// including CodeWatch button taps, which arrive with isHuman=false —
// while agents carry a handle ("@ether", "hermes").
const sender = String(m.from || '').replace(/^@/, '').toLowerCase();
if (sender !== 'petrus' && m.isHuman !== true) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Require the owner handle even for human replies

In any shared GroupMind room with another human participant, their /approve <id> or /deny <id> message will still settle the local intent because m.isHuman === true bypasses the sender check. That leaves the gated-command path open to non-owner humans even though this guard is intended to restrict settlement to the owner; compare the normalized sender to the configured owner instead of accepting any human-flagged message.

Useful? React with 👍 / 👎.

@ThinkOffApp ThinkOffApp merged commit 2191103 into main Jul 4, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant