add sender allowlist for per-chat access control #705
Merged
gavrielc merged 2 commits into qwibitai:main from Mar 4, 2026
gavrielc
reviewed
Mar 4, 2026
|
|
||
| After registering a group, explain the sender allowlist feature to the user: | ||
|
|
||
| > This group can be configured with a sender allowlist to control who can interact with me. There are two modes: |
Collaborator
Suggested change
| > This group can be configured with a sender allowlist to control who can interact with me. There are two modes: | |
| > This group can be configured with a sender allowlist so only specific members can interact with me. There are two modes: |
gavrielc
reviewed
Mar 4, 2026
| > - **Trigger mode** (default): Everyone's messages are stored for context, but only allowed senders can trigger me with @{AssistantName}. | ||
| > - **Drop mode**: Messages from non-allowed senders are not stored at all. | ||
| > | ||
| > For closed groups with trusted members, I recommend setting up an allow-only list so only specific people can trigger me. Want me to configure that? |
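Review bot: The Trigger mode bullet says everyone's messages are stored for context, so text written by non-allowed senders is still part of the context whenever an allowed sender triggers a run. Suggest adding a sentence here stating that trigger mode restricts who can invoke the agent, not whose messages it reads, and pointing to drop mode for groups where content from non-allowed senders should stay out of context entirely.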
Collaborator
Suggested change
| > For closed groups with trusted members, I recommend setting up an allow-only list so only specific people can trigger me. Want me to configure that? | |
| > Unless this is a closed groups with only trusted members, I recommend setting up an allow-only list so only specific people can trigger me. Want me to configure that? |
gavrielc
reviewed
Mar 4, 2026
Comment on lines +218 to +220
| - Your own messages (`is_from_me`) explicitly bypass the allowlist in trigger checks. Bot messages are filtered out by the database query before trigger evaluation, so they never reach the allowlist. | ||
| - If the config file doesn't exist or is invalid, all senders are allowed (fail-open) | ||
| - The config file is on the host at `~/.config/nanoclaw/sender-allowlist.json`, not inside the container |
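Review bot: In the second bullet, "doesn't exist or is invalid" treats a malformed file the same as a missing one, so a typo in `sender-allowlist.json` silently turns an existing allowlist back into allow-all. Suggest keeping fail-open for the missing file only, and for an invalid file either failing closed or logging a warning at load time, then documenting here which of the two applies.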
Collaborator
Suggested change
| - Your own messages (`is_from_me`) explicitly bypass the allowlist in trigger checks. Bot messages are filtered out by the database query before trigger evaluation, so they never reach the allowlist. | |
| - If the config file doesn't exist or is invalid, all senders are allowed (fail-open) | |
| - The config file is on the host at `~/.config/nanoclaw/sender-allowlist.json`, not inside the container | |
| - The config file is on the host at `~/.config/nanoclaw/sender-allowlist.json` |
Collaborator
@akshan-main Great PR, thank you for the quick turnaround. This is a great addition to NanoClaw's security model and helps make it more robust.
jenskock
pushed a commit
to jenskock/nanoclaw
that referenced
this pull request
Mar 6, 2026
* feat: add sender allowlist for per-chat access control * style: fix prettier formatting
moey823
added a commit
to moey823/nanoclaw
that referenced
this pull request
Mar 26, 2026
Merged upstream changes including:
- DB query limits (qwibitai#692/qwibitai#735)
- Timezone-aware context injection (qwibitai#691)
- SDK bump to 0.2.68
- update_task tool and task ID passthrough
- Sender allowlist (qwibitai#705)
- Atomic task claiming (qwibitai#657)

Resolved conflicts in index.ts (sender allowlist + our steering/cancel), ipc.ts (idempotency check + taskId passthrough), and task-scheduler.ts (computeNextRun refactor + our cost tracking/alerting).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Per discussion on Discord, this is the core version Gavriel requested.

Sender-based access control at the orchestrator level. Two modes:

Everyone is allowed by default. No behavior change unless the user creates `~/.config/nanoclaw/sender-allowlist.json`.

Addresses #678
Modified from #679

Type of Change
.claude/skills/

Description
Right now any participant in a registered group can trigger the agent by @-mentioning it. In larger groups this burns tokens on unwanted activations.
This adds pre-agent sender filtering. Denied senders never invoke the agent (zero compute cost for their triggers).

Changes:
- `src/sender-allowlist.ts` — config loader, `isSenderAllowed`, `shouldDropMessage`, `isTriggerAllowed`
- `src/sender-allowlist.test.ts` — 19 tests
- `src/config.ts` — `SENDER_ALLOWLIST_PATH` constant
- `src/db.ts` — add `is_from_me` to two SELECT projections so trigger checks can bypass for self-sent messages
- `src/index.ts` — import + two trigger checks + onMessage drop logic
- `groups/main/CLAUDE.md` — registration flow guidance (recommend allow-only for closed groups)

Simplified per Gavriel's request (vs #679):
- `is_from_me` explicitly bypasses in trigger checks. `is_bot_message` filtered by DB query (`AND is_bot_message = 0`) before reaching trigger evaluation — same end result.

How to test
npm run build
npm test
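
The behaviour described in this PR (fail-open loading, trigger mode versus drop mode, the `is_from_me` bypass), as an added example that is not part of the PR or NanoClaw's code. The JSON schema, the function signatures and the sample chat and sender ids are assumptions; only the three function names come from the description above.

```typescript
// Added illustration. Schema and signatures are assumptions, not NanoClaw's code.
type Rule = { allow: "*" | string[]; mode: "trigger" | "drop" };
type Allowlist = { default: Rule; chats: { [chatId: string]: Rule } };

const ALLOW_ALL: Allowlist = { default: { allow: "*", mode: "trigger" }, chats: {} };

function isRule(v: any): v is Rule {
  if (!v || (v.mode !== "trigger" && v.mode !== "drop")) return false;
  return v.allow === "*" ||
    (Array.isArray(v.allow) && v.allow.every((s: unknown) => typeof s === "string"));
}

// `raw` is the file's text, or null when the file does not exist.
// Missing, unparseable and schema-invalid input all fail open to ALLOW_ALL.
function parseAllowlist(raw: string | null): Allowlist {
  if (raw === null) return ALLOW_ALL;
  try {
    const parsed = JSON.parse(raw);
    const chats = parsed.chats === undefined ? {} : parsed.chats;
    if (!isRule(parsed.default) || typeof chats !== "object" || chats === null) return ALLOW_ALL;
    for (const id of Object.keys(chats)) if (!isRule(chats[id])) return ALLOW_ALL;
    return { default: parsed.default, chats };
  } catch {
    return ALLOW_ALL;
  }
}

function ruleFor(cfg: Allowlist, chatId: string): Rule {
  // Own-property check so a chat id such as "constructor" cannot resolve to a prototype member.
  return Object.prototype.hasOwnProperty.call(cfg.chats, chatId) ? cfg.chats[chatId] : cfg.default;
}

function isSenderAllowed(cfg: Allowlist, chatId: string, sender: string): boolean {
  const { allow } = ruleFor(cfg, chatId);
  return allow === "*" || allow.indexOf(sender) !== -1;
}

// Drop mode: a non-allowed sender's message is not stored at all.
function shouldDropMessage(cfg: Allowlist, chatId: string, sender: string): boolean {
  return ruleFor(cfg, chatId).mode === "drop" && !isSenderAllowed(cfg, chatId, sender);
}

// Trigger check: self-sent messages (is_from_me) bypass the allowlist.
function isTriggerAllowed(cfg: Allowlist, chatId: string, sender: string, isFromMe: boolean): boolean {
  return isFromMe || isSenderAllowed(cfg, chatId, sender);
}

// Constructed sample config; chat ids and sender ids are made up.
const SAMPLE = JSON.stringify({ default: { allow: "*", mode: "trigger" }, chats: {
  "family@g.us": { allow: ["alice"], mode: "trigger" },
  "public@g.us": { allow: ["alice"], mode: "drop" } } });
```

Feeding `parseAllowlist` a config with a misspelled mode returns the allow-all default, which is the fail-open case where a strict allowlist disappears without any error.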