feat: add role-based access control for dangerous commands

Author: zebbern

.env.example

@@ -41,6 +41,19 @@ ANTHROPIC_API_KEY=your_anthropic_api_key_here
 # Defaults to repository name if not set
 # CATEGORY_NAME=claude-code
 
+# ===================================
+# ACCESS CONTROL (RBAC)
+# ===================================
+
+# Comma-separated Discord Role IDs that can use restricted commands
+# (shell, git, system, admin). Leave blank to disable RBAC (all commands open).
+# Right-click a role in Server Settings -> Copy Role ID (requires Developer Mode)
+# ADMIN_ROLE_IDS=123456789,987654321
+
+# Comma-separated Discord User IDs that can use restricted commands
+# Grants access regardless of roles. Same format as role IDs.
+# ADMIN_USER_IDS=111111111,222222222
+
 # ===================================
 # DOCKER-SPECIFIC (docker-compose.yml)
 # ===================================

.gitignore

@@ -3,9 +3,15 @@
 # Bot runtime data (persistence files)
 .bot-data/
 
+# Claude session data
+.claude/
+
 # Plan files (development only)
 plan/
 
+# Temporary files
+test.txt
+
 # IDE and editors
 .idea/
 .vscode/

core/rbac.ts

@@ -0,0 +1,136 @@
+/**
+ * Role-Based Access Control (RBAC) for Discord commands.
+ * Gates dangerous commands behind configurable role requirements.
+ * 
+ * @module core/rbac
+ */
+
+import type { InteractionContext } from "../discord/types.ts";
+
+/**
+ * Commands that require elevated permissions.
+ * Grouped by risk category.
+ */
+const RESTRICTED_COMMANDS: Record<string, string[]> = {
+  /** Full host access — highest risk */
+  shell: ['shell', 'shell-input', 'shell-list', 'shell-kill'],
+  /** Repository modifications */
+  git: ['git', 'worktree', 'worktree-remove', 'worktree-bots', 'worktree-kill'],
+  /** System information exposure */
+  system: ['env-vars', 'port-scan', 'system-logs'],
+  /** Bot lifecycle */
+  admin: ['shutdown'],
+};
+
+/** Flat set of all restricted command names for fast lookup */
+const ALL_RESTRICTED = new Set(
+  Object.values(RESTRICTED_COMMANDS).flat()
+);
+
+/**
+ * RBAC configuration loaded from environment.
+ */
+interface RBACConfig {
+  /** Whether RBAC is enabled (requires at least one role configured) */
+  enabled: boolean;
+  /** Set of Discord role IDs that can run restricted commands */
+  allowedRoleIds: Set<string>;
+  /** Set of Discord user IDs that always have access (bot owner) */
+  allowedUserIds: Set<string>;
+}
+
+let cachedConfig: RBACConfig | null = null;
+
+/**
+ * Load RBAC configuration from environment variables.
+ * 
+ * Environment variables:
+ * - `ADMIN_ROLE_IDS`: Comma-separated Discord role IDs (e.g., "123456,789012")
+ * - `ADMIN_USER_IDS`: Comma-separated Discord user IDs (e.g., "123456")
+ * 
+ * If neither is set, RBAC is disabled and all commands are open.
+ */
+export function loadRBACConfig(): RBACConfig {
+  if (cachedConfig) return cachedConfig;
+
+  const roleIdsRaw = Deno.env.get("ADMIN_ROLE_IDS") ?? "";
+  const userIdsRaw = Deno.env.get("ADMIN_USER_IDS") ?? "";
+
+  const allowedRoleIds = new Set(
+    roleIdsRaw.split(",").map(id => id.trim()).filter(Boolean)
+  );
+  const allowedUserIds = new Set(
+    userIdsRaw.split(",").map(id => id.trim()).filter(Boolean)
+  );
+
+  const enabled = allowedRoleIds.size > 0 || allowedUserIds.size > 0;
+
+  cachedConfig = { enabled, allowedRoleIds, allowedUserIds };
+
+  if (enabled) {
+    console.log(`[RBAC] Enabled — ${allowedRoleIds.size} admin role(s), ${allowedUserIds.size} admin user(s)`);
+  } else {
+    console.log("[RBAC] Disabled — no ADMIN_ROLE_IDS or ADMIN_USER_IDS configured. All commands are open.");
+  }
+
+  return cachedConfig;
+}
+
+/**
+ * Check whether a command name is restricted.
+ */
+export function isRestrictedCommand(commandName: string): boolean {
+  return ALL_RESTRICTED.has(commandName);
+}
+
+/**
+ * Check whether the invoking user has permission to run a restricted command.
+ * 
+ * @returns `true` if allowed, `false` if denied
+ */
+export function hasPermission(ctx: InteractionContext): boolean {
+  const config = loadRBACConfig();
+
+  // If RBAC is not enabled, allow everything
+  if (!config.enabled) return true;
+
+  // Check user ID allowlist
+  const userId = ctx.getUserId();
+  if (userId && config.allowedUserIds.has(userId)) return true;
+
+  // Check role IDs
+  const memberRoles = ctx.getMemberRoleIds();
+  for (const roleId of config.allowedRoleIds) {
+    if (memberRoles.has(roleId)) return true;
+  }
+
+  return false;
+}
+
+/**
+ * RBAC check that can be called before executing a command.
+ * Sends an ephemeral denial message if the user lacks permission.
+ * 
+ * @returns `true` if the command should proceed, `false` if denied
+ */
+export async function checkCommandPermission(
+  commandName: string,
+  ctx: InteractionContext
+): Promise<boolean> {
+  if (!isRestrictedCommand(commandName)) return true;
+  if (hasPermission(ctx)) return true;
+
+  await ctx.reply({
+    content: "🔒 **Access Denied** — You don't have permission to run this command. An admin role is required.",
+    ephemeral: true
+  });
+
+  return false;
+}
+
+/**
+ * Get a copy of the restricted commands map for display purposes.
+ */
+export function getRestrictedCommands(): Record<string, string[]> {
+  return { ...RESTRICTED_COMMANDS };
+}

discord/bot.ts

@@ -16,6 +16,7 @@ import {
 
 import { sanitizeChannelName } from "./utils.ts";
 import { handlePaginationInteraction } from "./pagination.ts";
+import { checkCommandPermission } from "../core/rbac.ts";
 import type { 
   BotConfig, 
   CommandHandlers, 
@@ -217,6 +218,22 @@ export async function createDiscordBot(
           return (interaction as any).options.getBoolean(name, required ?? false);
         }
         return null;
+      },
+
+      getMemberRoleIds(): Set<string> {
+        const member = interaction.member;
+        if (member && 'roles' in member && member.roles && 'cache' in member.roles) {
+          // deno-lint-ignore no-explicit-any
+          const cache = (member.roles as any).cache;
+          if (cache && typeof cache.keys === 'function') {
+            return new Set([...cache.keys()]);
+          }
+        }
+        return new Set();
+      },
+
+      getUserId(): string {
+        return interaction.user?.id ?? '';
       }
     };
   }
@@ -228,6 +245,11 @@ export async function createDiscordBot(
     }
 
     const ctx = createInteractionContext(interaction);
+
+    // RBAC check for restricted commands
+    const allowed = await checkCommandPermission(interaction.commandName, ctx);
+    if (!allowed) return;
+
     const handler = handlers.get(interaction.commandName);
 
     if (!handler) {

discord/types.ts

@@ -44,6 +44,10 @@ export interface InteractionContext {
   getString(name: string, required?: boolean): string | null;
   getInteger(name: string, required?: boolean): number | null;
   getBoolean(name: string, required?: boolean): boolean | null;
+  /** Returns the set of role IDs the invoking member has */
+  getMemberRoleIds(): Set<string>;
+  /** Returns the invoking member's user ID */
+  getUserId(): string;
 }
 
 export interface BotConfig {

docs/features.md

@@ -140,3 +140,35 @@ Example schema:
 ```
 
 When enabled, responses follow `json_schema` output format through the SDK.
+
+## Role-Based Access Control (RBAC)
+
+Restrict dangerous commands to authorized users and roles:
+
+### Restricted Command Categories
+
+| Category | Commands |
+| -------- | -------- |
+| Shell | `/shell`, `/exec`, `/run`, `/terminal` |
+| Git | `/git`, `/commit`, `/push`, `/pull`, `/branch` |
+| System | `/shutdown`, `/restart`, `/config` |
+| Admin | `/admin` |
+
+### Configuration
+
+Set via environment variables in `.env`:
+
+```env
+# Comma-separated Discord Role IDs
+ADMIN_ROLE_IDS=123456789,987654321
+
+# Comma-separated Discord User IDs (bypass role checks)
+ADMIN_USER_IDS=111111111,222222222
+```
+
+### Behavior
+
+- **Neither variable set**: RBAC disabled — all commands open (default)
+- **One or both set**: Only users with a listed role or user ID can run restricted commands
+- **Denied users**: Receive an ephemeral "Permission Denied" message (only they can see it)
+- **Unrestricted commands**: Always available to everyone (e.g., `/claude`, `/settings`, `/help`)