Summary

• Problem: a recent auth change treated any identified direct-message sender as an owner when commands.ownerAllowFrom was unset, which widened access to ownerOnly tools.
• Why it matters: shared or misconfigured messaging surfaces could expose owner-only command/tool paths beyond explicitly authorized owners.
• What changed: owner resolution now only trusts explicit owner matches, wildcard owner config, or internal operator.admin sessions; overlapping skill env overrides are now reference-counted so ACP child-process env stripping remains active until all overlapping restores complete.
• What did NOT change (scope boundary): default command authorization behavior and non-skill host env handling remain unchanged.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #

User-visible / Behavior Changes

• Direct-message senders are no longer implicitly treated as owners when commands.ownerAllowFrom is unset.
• Overlapping skill env overrides keep ACP secret stripping active until all overrides have been restored.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (Yes)
• New/changed network calls? (No)
• Command/tool execution surface changed? (Yes)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:
  This narrows owner-only tool eligibility back to explicit owner signals and hardens skill env cleanup so overlapping runs cannot prematurely stop ACP env stripping for injected credentials.

Repro + Verification

Environment

• OS: macOS
• Runtime/container: local checkout with pnpm
• Model/provider: N/A
• Integration/channel (if any): Discord auth path and ACP harness
• Relevant config (redacted): default command auth config; skill entry with apiKey override

Steps

1. Run pnpm exec vitest run src/auto-reply/command-auth.owner-default.test.ts src/auto-reply/command-control.test.ts src/agents/skills.test.ts src/acp/client.test.ts.
2. Run pnpm check.
3. Confirm direct-message senders without ownerAllowFrom are not owners and overlapping env restores keep getActiveSkillEnvKeys() populated until the final restore.

Expected

• Owner-only gating stays tied to explicit owner authorization.
• ACP env stripping stays active across overlapping skill env overrides.

Actual

• Verified after the fix.

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios: focused Vitest coverage for auth ownership, command control, skills env overrides, and ACP client spawning; full pnpm check.
• Edge cases checked: direct/group senders without owner allowlists, wildcard/internal admin owner resolution, overlapping env override restore ordering.
• What you did not verify: full pnpm test suite on this branch.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert the two commits on this branch.
• Files/config to restore: src/auto-reply/command-auth.ts, src/agents/skills/env-overrides.ts, and their targeted tests.
• Known bad symptoms reviewers should watch for: owner-only tools becoming unavailable for explicit owners, or skill env overrides not restoring to baseline after nested use.

Risks and Mitigations

• Risk: overlapping overrides with different values still preserve the first active injected value for the lifetime of the overlap.
  • Mitigation: current skill env injection semantics only apply when the env var is otherwise unset, and the added regression test locks the no-leak restore behavior that ACP depends on.