#19011: fix(discord): enforce owner checks for privileged message actions

## Fix Summary This change enforces owner-only authorization for privileged Discord guild-administration and moderation message actions exposed through the `message` tool path. Non-owner senders are now denied before dispatch for destructive/admin actions. ## Issue Linkage Fixes #19008 ## Security Snapshot - CVSS v3.1: 7.6 (High) - CVSS v4.0: 7.2 (High) ## Implementation Details ### Files Changed - `src/agents/openclaw-tools.ts` (+3/-0) - `src/agents/pi-tools.ts` (+1/-0) - `src/agents/tools/message-tool.ts` (+3/-0) - `src/channels/plugins/actions/actions.test.ts` (+122/-0) - `src/channels/plugins/actions/discord.ts` (+2/-2) - `src/channels/plugins/actions/discord/handle-action.guild-admin.ts` (+30/-1) - `src/channels/plugins/actions/discord/handle-action.ts` (+4/-1) - `src/channels/plugins/types.core.ts` (+2/-0) - `src/infra/outbound/message-action-runner.ts` (+3/-0) ### Technical Analysis - Added an explicit privileged-action allowlist in Discord guild-admin action handling and enforced `senderIsOwner === true` before dispatch. - Propagated `senderIsOwner` through the message-action execution path so authorization context reaches Discord action handlers. - Added regression coverage asserting privileged actions are rejected for non-owners and allowed for owners, while read-only actions remain accessible. ## Validation Evidence - Command: `pnpm build` - Status: passed ## Risk and Compatibility Non-breaking behavior change for authorized owners. Intentional access restriction for non-owner senders on privileged Discord actions; read-only actions remain unchanged. ## AI-Assisted Disclosure - AI-assisted: yes - Model: GPT-5.3-Codex <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR closes a privilege escalation vulnerability (CVSS 7.2-7.6) where non-owner senders could execute destructive Discord guild-administration and moderation actions (channel/category CRUD, role management, emoji/sticker uploads, kicks, bans, timeouts) through the `message` tool path. - Adds an explicit `OWNER_ONLY_GUILD_ACTIONS` allowlist in `handle-action.guild-admin.ts` covering 16 privileged actions, enforcing `senderIsOwner === true` before dispatch - Propagates `senderIsOwner` through the full execution chain: `pi-tools` → `openclaw-tools` → `message-tool` → `message-action-runner` → `dispatchChannelMessageAction` → Discord plugin handler - Uses strict `!== true` comparison, treating `undefined` as unauthorized (secure-by-default) - Read-only actions (`member-info`, `role-info`, `channel-info`, `channel-list`, `emoji-list`, `voice-status`, `event-list`, `search`) remain accessible to non-owner senders - Adds comprehensive regression tests (84 passing) covering all privileged action rejection/allowance, undefined-as-unauthorized, and read-only action accessibility <h3>Confidence Score: 5/5</h3> - This PR is safe to merge — it adds a security-critical authorization check with comprehensive test coverage and no breaking changes for authorized users. - Score of 5 reflects: (1) clean, minimal changes scoped precisely to the security fix, (2) complete propagation of senderIsOwner through the entire execution chain verified by code review, (3) comprehensive regression tests covering all 16 privileged actions plus edge cases, (4) secure-by-default design treating undefined as unauthorized, (5) non-breaking for authorized owners, and (6) existing tests updated correctly for the new authorization requirement. - No files require special attention. All changes are well-structured and consistent. _{Last reviewed commit: e7f2ea5} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->