Fix: remove agent from pool immediately on completion and add Matrix bot user allowlist

2026-02-25 14:59:20 +00:00
parent 93eaac3ab9
commit ebcd627a45
5 changed files with 140 additions and 296 deletions
--- a/server/src/matrix/bot.rs
+++ b/server/src/matrix/bot.rs
@@ -25,6 +25,7 @@ pub struct BotContext {
    pub bot_user_id: OwnedUserId,
    pub target_room_id: OwnedRoomId,
    pub project_root: PathBuf,
+    pub allowed_users: Vec<String>,
 }

 /// Connect to the Matrix homeserver, join the configured room, and start
@@ -73,10 +74,24 @@ pub async fn run_bot(config: BotConfig, project_root: PathBuf) -> Result<(), Str
        Err(_) => slog!("[matrix-bot] Join room timed out (may already be a member)"),
    }

+    if config.allowed_users.is_empty() {
+        return Err(
+            "allowed_users is empty in bot.toml — refusing to start (fail-closed). \
+             Add at least one Matrix user ID to allowed_users."
+                .to_string(),
+        );
+    }
+
+    slog!(
+        "[matrix-bot] Allowed users: {:?}",
+        config.allowed_users
+    );
+
    let ctx = BotContext {
        bot_user_id,
        target_room_id,
        project_root,
+        allowed_users: config.allowed_users,
    };

    // Register event handler and inject shared context
@@ -119,6 +134,15 @@ async fn on_room_message(
        return;
    }

+    // Only respond to users on the allowlist (fail-closed)
+    if !ctx.allowed_users.iter().any(|u| u == ev.sender.as_str()) {
+        slog!(
+            "[matrix-bot] Ignoring message from unauthorised user: {}",
+            ev.sender
+        );
+        return;
+    }
+
    // Only handle plain text messages
    let MessageType::Text(text_content) = ev.content.msgtype else {
        return;
--- a/server/src/matrix/config.rs
+++ b/server/src/matrix/config.rs
@@ -15,6 +15,10 @@ pub struct BotConfig {
    /// Set to `true` to enable the bot (default: false)
    #[serde(default)]
    pub enabled: bool,
+    /// Matrix user IDs allowed to interact with the bot.
+    /// If empty or omitted, the bot ignores ALL messages (fail-closed).
+    #[serde(default)]
+    pub allowed_users: Vec<String>,
    /// Previously used to select an Anthropic model. Now ignored — the bot
    /// uses Claude Code which manages its own model selection. Kept for
    /// backwards compatibility so existing bot.toml files still parse.