feat: add allowed_users config for per-user access control (#108)

* feat: add allowed_users config for per-user access control

- Add allowed_users field to DiscordConfig (serde default = empty)
- Add user ID check in discord message handler; react 🚫 if denied
- Extract parse_id_set() helper to DRY up channel/user ID parsing
- Fail closed when all configured IDs are invalid
- Log tracing::warn on 🚫 reaction failure and invalid ID entries
- Helm: use toJson for both allowedChannels and allowedUsers
- Helm: add regexMatch validation for allowedUsers (--set mangling)
- Consistent rendering: both lists always rendered (no if-condition)

Closes #107

* refactor: improve logging and style for allowed_users

- Upgrade denied user log from debug to info (security audit)
- Add parsed allowlist count log after parse_id_set
- Simplify ReactionType::Unicode path via import

* docs: add allowed_users setup guide and config examples

- discord-bot-howto.md: add User ID setup (step 7), allowed_users
  config example, access control behavior table
- README.md: add allowed_users to Quick Start and config reference

* fix: add trailing newline to main.rs

---------

Co-authored-by: masami-agent <masami-agent@users.noreply.github.com>

Author: masami-agent

README.md

@@ -50,6 +50,7 @@ Edit `config.toml`:
 [discord]
 bot_token = "${DISCORD_BOT_TOKEN}"
 allowed_channels = ["YOUR_CHANNEL_ID"]
+# allowed_users = ["YOUR_USER_ID"]  # optional: restrict who can use the bot
 
 [agent]
 command = "kiro-cli"
@@ -164,6 +165,7 @@ env = { GEMINI_API_KEY = "${GEMINI_API_KEY}" }
 [discord]
 bot_token = "${DISCORD_BOT_TOKEN}"   # supports env var expansion
 allowed_channels = ["123456789"]      # channel ID allowlist
+# allowed_users = ["987654321"]       # user ID allowlist (empty = all users)
 
 [agent]
 command = "kiro-cli"                  # CLI command

charts/openab/templates/configmap.yaml

@@ -17,7 +17,13 @@ data:
     {{- fail (printf "discord.allowedChannels contains a mangled ID: %s — use --set-string instead of --set for channel IDs" (toString .)) }}
     {{- end }}
     {{- end }}
-    allowed_channels = [{{ range $i, $ch := $cfg.discord.allowedChannels }}{{ if $i }}, {{ end }}"{{ $ch }}"{{ end }}]
+    allowed_channels = {{ $cfg.discord.allowedChannels | default list | toJson }}
+    {{- range $cfg.discord.allowedUsers }}
+    {{- if regexMatch "e\\+|E\\+" (toString .) }}
+    {{- fail (printf "discord.allowedUsers contains a mangled ID: %s — use --set-string instead of --set for user IDs" (toString .)) }}
+    {{- end }}
+    {{- end }}
+    allowed_users = {{ $cfg.discord.allowedUsers | default list | toJson }}
 
     [agent]
     command = "{{ $cfg.command }}"

charts/openab/values.yaml

@@ -28,6 +28,7 @@ agents:
     #     # ⚠️ Use --set-string for channel IDs to avoid float64 precision loss
     #     allowedChannels:
     #       - "YOUR_CHANNEL_ID"
+    #     allowedUsers: []
     #   workingDir: /home/agent
     #   env: {}
     #   envFrom: []
@@ -57,6 +58,8 @@ agents:
       # ⚠️ Use --set-string for channel IDs to avoid float64 precision loss
       allowedChannels:
         - "YOUR_CHANNEL_ID"
+      # ⚠️ Use --set-string for user IDs to avoid float64 precision loss
+      allowedUsers: []  # empty = allow all users (default)
     workingDir: /home/agent
     env: {}
     envFrom: []

config.toml.example

@@ -1,6 +1,7 @@
 [discord]
 bot_token = "${DISCORD_BOT_TOKEN}"
 allowed_channels = ["1234567890"]
+# allowed_users = ["<YOUR_DISCORD_USER_ID>"]  # empty or omitted = allow all users
 
 [agent]
 command = "kiro-cli"

docs/discord-bot-howto.md

@@ -47,7 +47,14 @@ Step-by-step guide to create and configure a Discord bot for openab.
 3. Click **Copy Channel ID**
 4. Use this ID in `allowed_channels` in your config
 
-## 7. Configure openab
+## 7. Get Your User ID (optional)
+
+1. Make sure **Developer Mode** is enabled (see step 6)
+2. Right-click your own username (in a message or the member list)
+3. Click **Copy User ID**
+4. Use this ID in `allowed_users` to restrict who can interact with the bot
+
+## 8. Configure openab
 
 Set the bot token and channel ID:
 
@@ -61,15 +68,28 @@ In `config.toml`:
 [discord]
 bot_token = "${DISCORD_BOT_TOKEN}"
 allowed_channels = ["your-channel-id-from-step-6"]
+# allowed_users = ["your-user-id-from-step-7"]  # optional: restrict who can use the bot
 ```
 
+### Access control behavior
+
+| `allowed_channels` | `allowed_users` | Result |
+|---|---|---|
+| empty | empty | All users, all channels (default) |
+| set | empty | Only these channels, all users |
+| empty | set | All channels, only these users |
+| set | set | **AND** — must be in allowed channel AND allowed user |
+
+- Empty `allowed_users` (default) = no user filtering, fully backward compatible
+- Denied users get a 🚫 reaction and no reply
+
 For Kubernetes:
 ```bash
 kubectl create secret generic openab-secret \
   --from-literal=discord-bot-token="your-token-from-step-3"
 ```
 
-## 8. Test
+## 9. Test
 
 In the allowed channel, mention the bot:
 

src/config.rs

@@ -18,6 +18,8 @@ pub struct DiscordConfig {
     pub bot_token: String,
     #[serde(default)]
     pub allowed_channels: Vec<String>,
+    #[serde(default)]
+    pub allowed_users: Vec<String>,
 }
 
 #[derive(Debug, Deserialize)]

src/discord.rs

@@ -3,7 +3,7 @@ use crate::config::ReactionsConfig;
 use crate::format;
 use crate::reactions::StatusReactionController;
 use serenity::async_trait;
-use serenity::model::channel::Message;
+use serenity::model::channel::{Message, ReactionType};
 use serenity::model::gateway::Ready;
 use serenity::model::id::{ChannelId, MessageId};
 use serenity::prelude::*;
@@ -15,6 +15,7 @@ use tracing::{error, info};
 pub struct Handler {
     pub pool: Arc<SessionPool>,
     pub allowed_channels: HashSet<u64>,
+    pub allowed_users: HashSet<u64>,
     pub reactions_config: ReactionsConfig,
 }
 
@@ -64,6 +65,14 @@ impl EventHandler for Handler {
             return;
         }
 
+        if !self.allowed_users.is_empty() && !self.allowed_users.contains(&msg.author.id.get()) {
+            tracing::info!(user_id = %msg.author.id, "denied user, ignoring");
+            if let Err(e) = msg.react(&ctx.http, ReactionType::Unicode("🚫".into())).await {
+                tracing::warn!(error = %e, "failed to react with 🚫");
+            }
+            return;
+        }
+
         let prompt = if is_mentioned {
             strip_mention(&msg.content)
         } else {

src/main.rs

@@ -29,23 +29,22 @@ async fn main() -> anyhow::Result<()> {
         agent_cmd = %cfg.agent.command,
         pool_max = cfg.pool.max_sessions,
         channels = ?cfg.discord.allowed_channels,
+        users = ?cfg.discord.allowed_users,
         reactions = cfg.reactions.enabled,
         "config loaded"
     );
 
     let pool = Arc::new(acp::SessionPool::new(cfg.agent, cfg.pool.max_sessions));
     let ttl_secs = cfg.pool.session_ttl_hours * 3600;
 
-    let allowed_channels: HashSet<u64> = cfg
-        .discord
-        .allowed_channels
-        .iter()
-        .filter_map(|s| s.parse().ok())
-        .collect();
+    let allowed_channels = parse_id_set(&cfg.discord.allowed_channels, "allowed_channels")?;
+    let allowed_users = parse_id_set(&cfg.discord.allowed_users, "allowed_users")?;
+    info!(channels = allowed_channels.len(), users = allowed_users.len(), "parsed allowlists");
 
     let handler = discord::Handler {
         pool: pool.clone(),
         allowed_channels,
+        allowed_users,
         reactions_config: cfg.reactions,
     };
 
@@ -84,3 +83,20 @@ async fn main() -> anyhow::Result<()> {
     info!("openab shut down");
     Ok(())
 }
+
+fn parse_id_set(raw: &[String], label: &str) -> anyhow::Result<HashSet<u64>> {
+    let set: HashSet<u64> = raw
+        .iter()
+        .filter_map(|s| match s.parse() {
+            Ok(id) => Some(id),
+            Err(_) => {
+                tracing::warn!(value = %s, label = label, "ignoring invalid entry");
+                None
+            }
+        })
+        .collect();
+    if !raw.is_empty() && set.is_empty() {
+        anyhow::bail!("all {label} entries failed to parse — refusing to start with an empty allowlist");
+    }
+    Ok(set)
+}