@kodelyth/discord 2026.5.42 → 2026.6.1

package/src/runtime.ts

@@ -1,23 +0,0 @@
-import type { PluginRuntime } from "klaw/plugin-sdk/channel-core";
-import { createPluginRuntimeStore } from "klaw/plugin-sdk/runtime-store";
-
-type DiscordChannelRuntime = {
-  messageActions?: typeof import("./channel-actions.js").discordMessageActions;
-  sendMessageDiscord?: typeof import("./send.js").sendMessageDiscord;
-};
-
-export type DiscordRuntime = PluginRuntime & {
-  channel: PluginRuntime["channel"] & {
-    discord?: DiscordChannelRuntime;
-  };
-};
-
-const {
-  setRuntime: setDiscordRuntime,
-  tryGetRuntime: getOptionalDiscordRuntime,
-  getRuntime: getDiscordRuntime,
-} = createPluginRuntimeStore<DiscordRuntime>({
-  pluginId: "discord",
-  errorMessage: "Discord runtime not initialized",
-});
-export { getDiscordRuntime, getOptionalDiscordRuntime, setDiscordRuntime };

package/src/secret-config-contract.ts

@@ -1,140 +0,0 @@
-import {
-  collectNestedChannelFieldAssignments,
-  collectSimpleChannelFieldAssignments,
-  getChannelSurface,
-  isBaseFieldActiveForChannelSurface,
-  isEnabledFlag,
-  isRecord,
-  type ResolverContext,
-  type SecretDefaults,
-  type SecretTargetRegistryEntry,
-} from "klaw/plugin-sdk/channel-secret-basic-runtime";
-import { collectNestedChannelTtsAssignments } from "klaw/plugin-sdk/channel-secret-tts-runtime";
-
-export const secretTargetRegistryEntries: SecretTargetRegistryEntry[] = [
-  {
-    id: "channels.discord.accounts.*.pluralkit.token",
-    targetType: "channels.discord.accounts.*.pluralkit.token",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.accounts.*.pluralkit.token",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.discord.accounts.*.token",
-    targetType: "channels.discord.accounts.*.token",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.accounts.*.token",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.discord.accounts.*.voice.tts.providers.*.apiKey",
-    targetType: "channels.discord.accounts.*.voice.tts.providers.*.apiKey",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.accounts.*.voice.tts.providers.*.apiKey",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-    providerIdPathSegmentIndex: 6,
-  },
-  {
-    id: "channels.discord.pluralkit.token",
-    targetType: "channels.discord.pluralkit.token",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.pluralkit.token",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.discord.token",
-    targetType: "channels.discord.token",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.token",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-  },
-  {
-    id: "channels.discord.voice.tts.providers.*.apiKey",
-    targetType: "channels.discord.voice.tts.providers.*.apiKey",
-    configFile: "klaw.json",
-    pathPattern: "channels.discord.voice.tts.providers.*.apiKey",
-    secretShape: "secret_input",
-    expectedResolvedValue: "string",
-    includeInPlan: true,
-    includeInConfigure: true,
-    includeInAudit: true,
-    providerIdPathSegmentIndex: 4,
-  },
-];
-
-export function collectRuntimeConfigAssignments(params: {
-  config: { channels?: Record<string, unknown> };
-  defaults?: SecretDefaults;
-  context: ResolverContext;
-}): void {
-  const resolved = getChannelSurface(params.config, "discord");
-  if (!resolved) {
-    return;
-  }
-  const { channel: discord, surface } = resolved;
-  collectSimpleChannelFieldAssignments({
-    channelKey: "discord",
-    field: "token",
-    channel: discord,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topInactiveReason: "no enabled account inherits this top-level Discord token.",
-    accountInactiveReason: "Discord account is disabled.",
-  });
-  collectNestedChannelFieldAssignments({
-    channelKey: "discord",
-    nestedKey: "pluralkit",
-    field: "token",
-    channel: discord,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topLevelActive:
-      isBaseFieldActiveForChannelSurface(surface, "pluralkit") &&
-      isRecord(discord.pluralkit) &&
-      isEnabledFlag(discord.pluralkit),
-    topInactiveReason:
-      "no enabled Discord surface inherits this top-level PluralKit config or PluralKit is disabled.",
-    accountActive: ({ account, enabled }) =>
-      enabled && isRecord(account.pluralkit) && isEnabledFlag(account.pluralkit),
-    accountInactiveReason: "Discord account is disabled or PluralKit is disabled for this account.",
-  });
-  collectNestedChannelTtsAssignments({
-    channelKey: "discord",
-    nestedKey: "voice",
-    channel: discord,
-    surface,
-    defaults: params.defaults,
-    context: params.context,
-    topLevelActive:
-      isBaseFieldActiveForChannelSurface(surface, "voice") &&
-      isRecord(discord.voice) &&
-      isEnabledFlag(discord.voice),
-    topInactiveReason:
-      "no enabled Discord surface inherits this top-level voice config or voice is disabled.",
-    accountActive: ({ account, enabled }) =>
-      enabled && isRecord(account.voice) && isEnabledFlag(account.voice),
-    accountInactiveReason: "Discord account is disabled or voice is disabled for this account.",
-  });
-}

package/src/security-audit.runtime.ts

@@ -1 +0,0 @@
-export { collectDiscordSecurityAuditFindings } from "./security-audit.js";

package/src/security-audit.test.ts

@@ -1,245 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import type { ResolvedDiscordAccount } from "./accounts.js";
-import type { KlawConfig } from "./runtime-api.js";
-import { collectDiscordSecurityAuditFindings } from "./security-audit.js";
-
-type DiscordAccountConfig = ResolvedDiscordAccount["config"];
-
-const { readChannelAllowFromStoreMock } = vi.hoisted(() => ({
-  readChannelAllowFromStoreMock: vi.fn(async () => [] as string[]),
-}));
-
-vi.mock("klaw/plugin-sdk/conversation-runtime", () => ({
-  readChannelAllowFromStore: readChannelAllowFromStoreMock,
-}));
-
-function createAccount(
-  config: DiscordAccountConfig,
-  accountId = "default",
-): ResolvedDiscordAccount {
-  return {
-    accountId,
-    enabled: true,
-    token: "t",
-    tokenSource: "config",
-    tokenStatus: "available",
-    config,
-  };
-}
-
-async function collectFindings(params: {
-  cfg: KlawConfig;
-  config: DiscordAccountConfig;
-  accountId?: string;
-  orderedAccountIds?: string[];
-  hasExplicitAccountPath?: boolean;
-  storeAllowFrom?: string[];
-}) {
-  readChannelAllowFromStoreMock.mockResolvedValue(params.storeAllowFrom ?? []);
-  return await collectDiscordSecurityAuditFindings({
-    cfg: params.cfg,
-    account: createAccount(params.config, params.accountId),
-    accountId: params.accountId ?? "default",
-    orderedAccountIds: params.orderedAccountIds ?? ["default"],
-    hasExplicitAccountPath: params.hasExplicitAccountPath ?? false,
-  });
-}
-
-describe("Discord security audit findings", () => {
-  it("flags slash commands when access-group enforcement is disabled and no users allowlist exists", async () => {
-    const cfg: KlawConfig = {
-      commands: { native: true, useAccessGroups: false },
-      channels: {
-        discord: {
-          enabled: true,
-          token: "t",
-          groupPolicy: "allowlist",
-          guilds: {
-            "123": {
-              channels: {
-                general: { enabled: true },
-              },
-            },
-          },
-        },
-      },
-    };
-
-    const discordConfig = cfg.channels?.discord;
-    if (!discordConfig) {
-      throw new Error("discord config required");
-    }
-    const findings = await collectFindings({
-      cfg,
-      config: discordConfig,
-    });
-
-    const unrestrictedFinding = findings.find(
-      (finding) => finding.checkId === "channels.discord.commands.native.unrestricted",
-    );
-    expect(unrestrictedFinding?.severity).toBe("critical");
-  });
-
-  it.each([
-    {
-      name: "flags missing guild user allowlists",
-      cfg: {
-        commands: { native: true },
-        channels: {
-          discord: {
-            enabled: true,
-            token: "t",
-            groupPolicy: "allowlist",
-            guilds: {
-              "123": {
-                channels: {
-                  general: { enabled: true },
-                },
-              },
-            },
-          },
-        },
-      } satisfies KlawConfig,
-      expectFinding: true,
-    },
-    {
-      name: "does not flag when dm.allowFrom includes a Discord snowflake id",
-      cfg: {
-        commands: { native: true },
-        channels: {
-          discord: {
-            enabled: true,
-            token: "t",
-            dm: { allowFrom: ["387380367612706819"] },
-            groupPolicy: "allowlist",
-            guilds: {
-              "123": {
-                channels: {
-                  general: { enabled: true },
-                },
-              },
-            },
-          },
-        },
-      } satisfies KlawConfig,
-      expectFinding: false,
-    },
-  ])("$name", async (testCase) => {
-    const findings = await collectFindings({
-      cfg: testCase.cfg,
-      config: testCase.cfg.channels.discord,
-    });
-
-    expect(
-      findings.some(
-        (finding) => finding.checkId === "channels.discord.commands.native.no_allowlists",
-      ),
-    ).toBe(testCase.expectFinding);
-  });
-
-  it.each([
-    {
-      name: "warns when Discord allowlists contain name-based entries",
-      config: {
-        enabled: true,
-        token: "t",
-        allowFrom: ["Alice#1234", "<@123456789012345678>"],
-        guilds: {
-          "123": {
-            users: ["trusted.operator"],
-            channels: {
-              general: {
-                users: ["987654321098765432", "security-team"],
-              },
-            },
-          },
-        },
-      } satisfies DiscordAccountConfig,
-      storeAllowFrom: ["team.owner"],
-      expectNameBasedSeverity: "warn",
-      detailIncludes: [
-        "channels.discord.allowFrom:Alice#1234",
-        "channels.discord.guilds.123.users:trusted.operator",
-        "channels.discord.guilds.123.channels.general.users:security-team",
-        "~/.klaw/credentials/discord-allowFrom.json:team.owner",
-      ],
-      detailExcludes: ["<@123456789012345678>"],
-    },
-    {
-      name: "marks Discord name-based allowlists as break-glass when dangerous matching is enabled",
-      config: {
-        enabled: true,
-        token: "t",
-        dangerouslyAllowNameMatching: true,
-        allowFrom: ["Alice#1234"],
-      } satisfies DiscordAccountConfig,
-      expectNameBasedSeverity: "info",
-      detailIncludes: ["out-of-scope"],
-    },
-    {
-      name: "audits name-based allowlists on non-default Discord accounts",
-      accountId: "beta",
-      orderedAccountIds: ["alpha", "beta"],
-      hasExplicitAccountPath: true,
-      config: {
-        enabled: true,
-        token: "b",
-        allowFrom: ["Alice#1234"],
-      } satisfies DiscordAccountConfig,
-      expectNameBasedSeverity: "warn",
-      detailIncludes: ["channels.discord.accounts.beta.allowFrom:Alice#1234"],
-    },
-    {
-      name: "does not warn when Discord allowlists use ID-style entries only",
-      config: {
-        enabled: true,
-        token: "t",
-        allowFrom: [
-          "123456789012345678",
-          "<@223456789012345678>",
-          "user:323456789012345678",
-          "discord:423456789012345678",
-          "pk:member-123",
-        ],
-        guilds: {
-          "123": {
-            users: ["523456789012345678", "<@623456789012345678>", "pk:member-456"],
-            channels: {
-              general: {
-                users: ["723456789012345678", "user:823456789012345678"],
-              },
-            },
-          },
-        },
-      } satisfies DiscordAccountConfig,
-      expectNoNameBasedFinding: true,
-    },
-  ])("$name", async (testCase) => {
-    const findings = await collectFindings({
-      cfg: { channels: { discord: testCase.config } },
-      config: testCase.config,
-      accountId: testCase.accountId,
-      orderedAccountIds: testCase.orderedAccountIds,
-      hasExplicitAccountPath: testCase.hasExplicitAccountPath,
-      storeAllowFrom: testCase.storeAllowFrom,
-    });
-    const nameBasedFinding = findings.find(
-      (entry) => entry.checkId === "channels.discord.allowFrom.name_based_entries",
-    );
-
-    if (testCase.expectNoNameBasedFinding) {
-      expect(nameBasedFinding).toBeUndefined();
-    } else {
-      if (!nameBasedFinding) {
-        throw new Error(`expected name-based finding for ${testCase.name}`);
-      }
-      expect(nameBasedFinding.severity).toBe(testCase.expectNameBasedSeverity);
-      for (const snippet of testCase.detailIncludes ?? []) {
-        expect(nameBasedFinding.detail).toContain(snippet);
-      }
-      for (const snippet of testCase.detailExcludes ?? []) {
-        expect(nameBasedFinding.detail).not.toContain(snippet);
-      }
-    }
-  });
-});

package/src/security-audit.ts

@@ -1,208 +0,0 @@
-import { coerceNativeSetting, normalizeAllowFromList } from "klaw/plugin-sdk/channel-policy";
-import { readChannelAllowFromStore } from "klaw/plugin-sdk/conversation-runtime";
-import { isDangerousNameMatchingEnabled } from "klaw/plugin-sdk/dangerous-name-runtime";
-import {
-  resolveNativeCommandsEnabled,
-  resolveNativeSkillsEnabled,
-} from "klaw/plugin-sdk/native-command-config-runtime";
-import type { ResolvedDiscordAccount } from "./accounts.js";
-import type { KlawConfig } from "./runtime-api.js";
-import { isDiscordMutableAllowEntry } from "./security-doctor.js";
-
-function normalizeOptionalString(value: string | null | undefined): string | undefined {
-  const normalized = value?.trim();
-  return normalized ? normalized : undefined;
-}
-
-function addDiscordNameBasedEntries(params: {
-  target: Set<string>;
-  values: unknown;
-  source: string;
-}) {
-  if (!Array.isArray(params.values)) {
-    return;
-  }
-  for (const value of params.values) {
-    if (!isDiscordMutableAllowEntry(String(value))) {
-      continue;
-    }
-    const text = normalizeOptionalString(String(value)) ?? "";
-    if (!text) {
-      continue;
-    }
-    params.target.add(`${params.source}:${text}`);
-  }
-}
-
-export async function collectDiscordSecurityAuditFindings(params: {
-  cfg: KlawConfig;
-  accountId?: string | null;
-  account: ResolvedDiscordAccount;
-  orderedAccountIds: string[];
-  hasExplicitAccountPath: boolean;
-}) {
-  const findings: Array<{
-    checkId: string;
-    severity: "info" | "warn" | "critical";
-    title: string;
-    detail: string;
-    remediation?: string;
-  }> = [];
-  const discordCfg = params.account.config ?? {};
-  const accountId =
-    normalizeOptionalString(params.accountId) ?? params.account.accountId ?? "default";
-  const dangerousNameMatchingEnabled = isDangerousNameMatchingEnabled(discordCfg);
-  const storeAllowFrom = await readChannelAllowFromStore("discord", process.env, accountId).catch(
-    () => [],
-  );
-  const discordNameBasedAllowEntries = new Set<string>();
-  const discordPathPrefix =
-    params.orderedAccountIds.length > 1 || params.hasExplicitAccountPath
-      ? `channels.discord.accounts.${accountId}`
-      : "channels.discord";
-
-  addDiscordNameBasedEntries({
-    target: discordNameBasedAllowEntries,
-    values: discordCfg.allowFrom,
-    source: `${discordPathPrefix}.allowFrom`,
-  });
-  addDiscordNameBasedEntries({
-    target: discordNameBasedAllowEntries,
-    values: (discordCfg.dm as { allowFrom?: unknown } | undefined)?.allowFrom,
-    source: `${discordPathPrefix}.dm.allowFrom`,
-  });
-  addDiscordNameBasedEntries({
-    target: discordNameBasedAllowEntries,
-    values: storeAllowFrom,
-    source: "~/.klaw/credentials/discord-allowFrom.json",
-  });
-
-  const guildEntries = (discordCfg.guilds as Record<string, unknown> | undefined) ?? {};
-  for (const [guildKey, guildValue] of Object.entries(guildEntries)) {
-    if (!guildValue || typeof guildValue !== "object") {
-      continue;
-    }
-    const guild = guildValue as Record<string, unknown>;
-    addDiscordNameBasedEntries({
-      target: discordNameBasedAllowEntries,
-      values: guild.users,
-      source: `${discordPathPrefix}.guilds.${guildKey}.users`,
-    });
-    const channels = guild.channels;
-    if (!channels || typeof channels !== "object") {
-      continue;
-    }
-    for (const [channelKey, channelValue] of Object.entries(channels as Record<string, unknown>)) {
-      if (!channelValue || typeof channelValue !== "object") {
-        continue;
-      }
-      const channel = channelValue as Record<string, unknown>;
-      addDiscordNameBasedEntries({
-        target: discordNameBasedAllowEntries,
-        values: channel.users,
-        source: `${discordPathPrefix}.guilds.${guildKey}.channels.${channelKey}.users`,
-      });
-    }
-  }
-
-  if (discordNameBasedAllowEntries.size > 0) {
-    const examples = Array.from(discordNameBasedAllowEntries).slice(0, 5);
-    const more =
-      discordNameBasedAllowEntries.size > examples.length
-        ? ` (+${discordNameBasedAllowEntries.size - examples.length} more)`
-        : "";
-    findings.push({
-      checkId: "channels.discord.allowFrom.name_based_entries",
-      severity: dangerousNameMatchingEnabled ? "info" : "warn",
-      title: dangerousNameMatchingEnabled
-        ? "Discord allowlist uses break-glass name/tag matching"
-        : "Discord allowlist contains name or tag entries",
-      detail: dangerousNameMatchingEnabled
-        ? "Discord name/tag allowlist matching is explicitly enabled via dangerouslyAllowNameMatching. This mutable-identity mode is operator-selected break-glass behavior and out-of-scope for vulnerability reports by itself. " +
-          `Found: ${examples.join(", ")}${more}.`
-        : "Discord name/tag allowlist matching uses normalized slugs and can collide across users. " +
-          `Found: ${examples.join(", ")}${more}.`,
-      remediation: dangerousNameMatchingEnabled
-        ? "Prefer stable Discord IDs (or <@id>/user:<id>/pk:<id>), then disable dangerouslyAllowNameMatching."
-        : "Prefer stable Discord IDs (or <@id>/user:<id>/pk:<id>) in channels.discord.allowFrom and channels.discord.guilds.*.users, or explicitly opt in with dangerouslyAllowNameMatching=true if you accept the risk.",
-    });
-  }
-
-  const nativeEnabled = resolveNativeCommandsEnabled({
-    providerId: "discord",
-    providerSetting: coerceNativeSetting(
-      (discordCfg.commands as { native?: unknown } | undefined)?.native,
-    ),
-    globalSetting: params.cfg.commands?.native,
-  });
-  const nativeSkillsEnabled = resolveNativeSkillsEnabled({
-    providerId: "discord",
-    providerSetting: coerceNativeSetting(
-      (discordCfg.commands as { nativeSkills?: unknown } | undefined)?.nativeSkills,
-    ),
-    globalSetting: params.cfg.commands?.nativeSkills,
-  });
-  if (!nativeEnabled && !nativeSkillsEnabled) {
-    return findings;
-  }
-
-  const defaultGroupPolicy = params.cfg.channels?.defaults?.groupPolicy;
-  const groupPolicy =
-    (discordCfg.groupPolicy as string | undefined) ?? defaultGroupPolicy ?? "allowlist";
-  const guildsConfigured = Object.keys(guildEntries).length > 0;
-  const hasAnyUserAllowlist = Object.values(guildEntries).some((guild) => {
-    if (!guild || typeof guild !== "object") {
-      return false;
-    }
-    const record = guild as Record<string, unknown>;
-    if (Array.isArray(record.users) && record.users.length > 0) {
-      return true;
-    }
-    const channels = record.channels;
-    if (!channels || typeof channels !== "object") {
-      return false;
-    }
-    return Object.values(channels as Record<string, unknown>).some((channel) => {
-      if (!channel || typeof channel !== "object") {
-        return false;
-      }
-      const channelRecord = channel as Record<string, unknown>;
-      return Array.isArray(channelRecord.users) && channelRecord.users.length > 0;
-    });
-  });
-  const dmAllowFromRaw = (discordCfg.dm as { allowFrom?: unknown } | undefined)?.allowFrom;
-  const dmAllowFrom = Array.isArray(dmAllowFromRaw) ? dmAllowFromRaw : [];
-  const ownerAllowFromConfigured =
-    normalizeAllowFromList([...dmAllowFrom, ...storeAllowFrom]).length > 0;
-  const useAccessGroups = params.cfg.commands?.useAccessGroups !== false;
-
-  if (!useAccessGroups && groupPolicy !== "disabled" && guildsConfigured && !hasAnyUserAllowlist) {
-    findings.push({
-      checkId: "channels.discord.commands.native.unrestricted",
-      severity: "critical",
-      title: "Discord slash commands are unrestricted",
-      detail:
-        "commands.useAccessGroups=false disables sender allowlists for Discord slash commands unless a per-guild/channel users allowlist is configured; with no users allowlist, any user in allowed guild channels can invoke /… commands.",
-      remediation:
-        "Set commands.useAccessGroups=true (recommended), or configure channels.discord.guilds.<id>.users (or channels.discord.guilds.<id>.channels.<channel>.users).",
-    });
-  } else if (
-    useAccessGroups &&
-    groupPolicy !== "disabled" &&
-    guildsConfigured &&
-    !ownerAllowFromConfigured &&
-    !hasAnyUserAllowlist
-  ) {
-    findings.push({
-      checkId: "channels.discord.commands.native.no_allowlists",
-      severity: "warn",
-      title: "Discord slash commands have no allowlists",
-      detail:
-        "Discord slash commands are enabled, but neither an owner allowFrom list nor any per-guild/channel users allowlist is configured; /… commands will be rejected for everyone.",
-      remediation:
-        "Add your user id to channels.discord.allowFrom (or approve yourself via pairing), or configure channels.discord.guilds.<id>.users.",
-    });
-  }
-
-  return findings;
-}

package/src/security-contract.ts

@@ -1,47 +0,0 @@
-import { isRecord } from "klaw/plugin-sdk/string-coerce-runtime";
-
-type UnsupportedSecretRefConfigCandidate = {
-  path: string;
-  value: unknown;
-};
-
-export const unsupportedSecretRefSurfacePatterns = [
-  "channels.discord.threadBindings.webhookToken",
-  "channels.discord.accounts.*.threadBindings.webhookToken",
-] as const;
-
-export function collectUnsupportedSecretRefConfigCandidates(
-  raw: unknown,
-): UnsupportedSecretRefConfigCandidate[] {
-  if (!isRecord(raw)) {
-    return [];
-  }
-  if (!isRecord(raw.channels) || !isRecord(raw.channels.discord)) {
-    return [];
-  }
-
-  const candidates: UnsupportedSecretRefConfigCandidate[] = [];
-  const discord = raw.channels.discord;
-  const threadBindings = isRecord(discord.threadBindings) ? discord.threadBindings : null;
-  if (threadBindings) {
-    candidates.push({
-      path: "channels.discord.threadBindings.webhookToken",
-      value: threadBindings.webhookToken,
-    });
-  }
-
-  const accounts = isRecord(discord.accounts) ? discord.accounts : null;
-  if (!accounts) {
-    return candidates;
-  }
-  for (const [accountId, account] of Object.entries(accounts)) {
-    if (!isRecord(account) || !isRecord(account.threadBindings)) {
-      continue;
-    }
-    candidates.push({
-      path: `channels.discord.accounts.${accountId}.threadBindings.webhookToken`,
-      value: account.threadBindings.webhookToken,
-    });
-  }
-  return candidates;
-}

package/src/security-doctor.test.ts

@@ -1,25 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { isDiscordMutableAllowEntry } from "./security-doctor.js";
-
-describe("discord security doctor helpers", () => {
-  it("rejects stable ids and wildcard forms", () => {
-    expect(isDiscordMutableAllowEntry("*")).toBe(false);
-    expect(isDiscordMutableAllowEntry("123456789")).toBe(false);
-    expect(isDiscordMutableAllowEntry("<@123456789>")).toBe(false);
-    expect(isDiscordMutableAllowEntry("user:123456789")).toBe(false);
-    expect(isDiscordMutableAllowEntry("pk:123456789")).toBe(false);
-  });
-
-  it("flags freeform names but not prefixed stable-id namespaces", () => {
-    expect(isDiscordMutableAllowEntry("alice")).toBe(true);
-    expect(isDiscordMutableAllowEntry("discord:alice")).toBe(false);
-    expect(isDiscordMutableAllowEntry("user:alice")).toBe(false);
-    expect(isDiscordMutableAllowEntry("pk:alice")).toBe(false);
-  });
-
-  it("treats empty prefixed entries as mutable placeholders", () => {
-    expect(isDiscordMutableAllowEntry("discord:")).toBe(true);
-    expect(isDiscordMutableAllowEntry("user:")).toBe(true);
-    expect(isDiscordMutableAllowEntry("pk:")).toBe(true);
-  });
-});