@greptile-apps please review

@greptile-apps please review

Greptile Summary

Fixed authentication logic to correctly treat users as owners in single-user setups (no commands.ownerAllowFrom configured). Previously, senderIsOwner was always false when no owner allowlist was configured, which silently hid ownerOnly tools (cron, gateway, whatsapp_login) even for the sole authorized user.

• Modified senderIsOwner calculation in src/auto-reply/command-auth.ts:350 to default to true when no owner allowlist is configured and a valid senderId exists
• Added comprehensive test coverage with 4 test cases covering default, non-matching, matching, and wildcard owner scenarios
• When ownerAllowFrom IS configured, behavior remains unchanged (only matched senders are owners)
• All existing tests pass (24 command-control tests, 3 whatsapp-login-gating tests)

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The fix is well-scoped, thoroughly tested, and addresses a clear bug without introducing security concerns. The logic correctly handles the default single-user case while preserving existing behavior for configured multi-user setups. The code includes helpful comments explaining the change, and all existing tests pass.
• No files require special attention

_{Last reviewed commit: 20c7859}

This pull request has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

1. 🔴 Owner-only tool privilege escalation: any direct-chat sender treated as owner when owner allowlist unset

Description

The new default-owner logic in resolveCommandAuthorization marks any identified direct-chat sender as an owner whenever no explicit owner allowlist is configured:

• senderIsOwner becomes true when !ownerAllowlistConfigured && isDirectChat && Boolean(senderId)
• senderId can be derived from ctx.SenderId or fallback candidates (including ctx.From in direct chats)
• This owner flag is then used to permit owner-only tools (e.g., gateway, cron, whatsapp_login) via applyOwnerOnlyToolPolicy.

This enables privilege escalation in realistic deployments where direct messages are not single-user in the security sense:

• Discord: with dmPolicy="open", any user can DM the bot; commandAuthorized becomes true for open DMs, and with this change the sender also becomes senderIsOwner, enabling owner-only tools.
• Slack: with dmPolicy="open", any user can DM the bot; even if CommandAuthorized remains false, the owner-only tool filter uses only senderIsOwner, so owner-only tools can still be exposed to arbitrary DM senders.
• Pairing flows / multi-user deployments: if multiple users become DM-authorized (via pairing store, wildcard allowFrom, etc.), every such DM sender becomes an “owner” under this default.

Vulnerable code (introduced behavior):

const senderIsOwner =
  senderIsOwnerByIdentity ||
  senderIsOwnerByScope ||
  ownerAllowAll ||
  (!ownerAllowlistConfigured && isDirectChat && Boolean(senderId));

Security impact:

• Owner-only tools include gateway (restart, config.apply/config.patch, update.run) and cron (manage scheduled jobs), which are highly sensitive and can lead to full service compromise.

Recommendation

Do not infer owner privileges from ChatType="direct" alone.

Safer options:

1. Require explicit owner allowlisting for owner-only tools (recommended default):

• Revert to senderIsOwner = senderIsOwnerByIdentity || senderIsOwnerByScope || ownerAllowAll.
• Keep direct-chat usability by documenting that deployments must set commands.ownerAllowFrom (or an equivalent explicit owner identity) to enable owner-only tools.

2. If you need a “single-user DM default” mode, gate it behind an explicit config flag and a single-identity guarantee, e.g.:

• Only enable if the DM access allowlist resolves to exactly one normalized identity (and no wildcard), and it matches the sender.
• Additionally require commandAuthorized === true so unauthenticated DMs cannot become owners.

Example safer logic sketch:

const allowSingleUserDmOwner = cfg.commands?.assumeSingleUserDirectChatOwner === true;
const senderIsOwner =
  senderIsOwnerByIdentity ||
  senderIsOwnerByScope ||
  ownerAllowAll ||
  (allowSingleUserDmOwner && commandAuthorized && isDirectChat && senderMatchesSoleConfiguredDmOwner);

Also ensure the owner-only tool filtering uses senderIsOwner && isAuthorizedSender (or equivalent) when applicable, so unauthorized senders cannot access owner-only tools even if misclassified.

Analyzed PR: #26331 at commit 1fbe1c7

_{Last updated on: 2026-03-07T00:24:54Z}

Merged via squash.

• Prepared head SHA: 1fbe1c7
• Merge commit: 48b3c4a

Thanks @widingmarcus-cyber!