feat: per-command Discord slash permissions, Docker defaults, repo allowlist

- Add discord.command_permissions and unrestricted_slash_commands (testing)
- Legacy fallback to assignments.issue_assignees when a command is omitted
- Apply checks to assign-issue, issue-requests, sync; clearer error messages
- Config examples and docker-compose; optional github.repos allowlist in aussie.yaml
- Extend .gitignore for local venvs and .pydeps
- Add unit tests for permission helpers

Single commit on current main; no committed virtualenv or dependency trees.

Made-with: Cursor

Author: shubham5080

.gitignore

@@ -2,6 +2,9 @@
 .env.*
 !.env.example
 .venv/
+.venv*/
+.pydeps/
+.ci-venv/
 __pycache__/
 *.sqlite
 *.db

config/aussie.yaml

@@ -5,7 +5,7 @@
 runtime:
   mode: "active"
   log_level: "INFO"
-  data_dir: "./data/aussie"
+  data_dir: "/data"
   github_adapter: "ghdcbot.adapters.github.rest:GitHubRestAdapter"
   discord_adapter: "ghdcbot.adapters.discord.api:DiscordApiAdapter"
   storage_adapter: "ghdcbot.adapters.storage.sqlite:SqliteStorage"
@@ -21,13 +21,34 @@ github:
     read: true
     write: true
   user_fallback: false
+  # Repo allowlist: only these repositories are scanned (sync/run-once). Uses short repo names under the org (not "org/name").
+  # Omit this block entirely to include all org repos (slower on large orgs). mode "deny" excludes listed names instead.
+  repos:
+    mode: allow
+    names:
+      - "Gitcord-GithubDiscordBot"
+      # Add more repos as needed, e.g.:
+      # - "another-repo"
 
 discord:
   guild_id: "1022871757289422898"
   token: "${DISCORD_TOKEN}"
   permissions:
     read: true
     write: true
+  # TESTING: set false in production — when true, any server member may use /assign-issue, /issue-requests, /sync.
+  unrestricted_slash_commands: true
+  # Per-command slash access (role_ids stable; role_names optional). Admins may use these when enabled below.
+  command_permissions:
+    assign-issue:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    issue-requests:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    sync:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
   activity_channel_id: null
   pr_preview_channels: []
   # Verified GitHub → Discord DMs (or channel if channel_id is set). Requires linked users (/link + /verify-link).

config/config.yaml

@@ -2,7 +2,7 @@
 runtime:
   mode: "active"
   log_level: "INFO"
-  data_dir: "./data"
+  data_dir: "/data"
   github_adapter: "ghdcbot.adapters.github.rest:GitHubRestAdapter"
   discord_adapter: "ghdcbot.adapters.discord.api:DiscordApiAdapter"
   storage_adapter: "ghdcbot.adapters.storage.sqlite:SqliteStorage"

config/docker-example.yaml

@@ -24,6 +24,18 @@ discord:
   permissions:
     read: true
     write: false
+  # Who may run /assign-issue, /issue-requests, /sync (add role_ids from Discord for stable checks).
+  # Omit this block to fall back to assignments.issue_assignees for those commands.
+  command_permissions:
+    assign-issue:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    issue-requests:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    sync:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
   activity_channel_id: null
   pr_preview_channels: []
 
@@ -42,6 +54,7 @@ role_mappings:
 assignments:
   review_roles:
     - "Maintainer"
+  # Fallback if discord.command_permissions is omitted; also used for org issue assignment planning.
   issue_assignees:
     - "Mentor"
   issue_request_eligible_roles: []

config/example.yaml

@@ -33,6 +33,18 @@ discord:
   # Optional: channel names where PR URLs trigger passive preview (requires message content intent)
   # Example: ["mentor-chat", "review-queue"]
   pr_preview_channels: []
+  # Who may run /assign-issue, /issue-requests, /sync (role_ids preferred; role_names optional).
+  # If you omit this block entirely, the bot uses assignments.issue_assignees (role names) for those commands.
+  command_permissions:
+    assign-issue:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    issue-requests:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
+    sync:
+      role_names: ["Mentor"]
+      allow_discord_administrators: true
   # Optional: verified-only GitHub → Discord notifications (issue assigned, PR review, merged, etc.)
   # notifications:
   #   enabled: true
@@ -60,7 +72,7 @@ role_mappings:
 assignments:
   review_roles:
     - "Maintainer"
-  # Discord role(s) that can use /assign-issue, /sync, and /issue-requests (e.g. "Mentor")
+  # Fallback for slash-command access if discord.command_permissions is omitted; also used for org issue assignment planning.
   issue_assignees:
     - "Mentor"
   # Optional: roles required for a contributor to be "eligible" for issue assignment (empty = any verified user)

docker-compose.yml

@@ -23,7 +23,7 @@ services:
       - ./config:/app/config:ro
       # Persist SQLite state, reports, and audit logs between restarts.
       - gitcord_data:/data
-    command: ["ghdcbot", "--config", "/app/config/config.yaml", "bot"]
+    command: ["ghdcbot", "--config", "/app/config/aussie.yaml", "bot"]
     restart: unless-stopped
 
 volumes:

src/ghdcbot/bot.py

@@ -50,6 +50,15 @@
 )
 from ghdcbot.logging.setup import configure_logging
 from ghdcbot.plugins.registry import build_adapter
+from ghdcbot.discord_command_permissions import (
+    format_slash_command_permission_denied,
+    slash_command_allowed,
+)
+
+# Slash command names used for permission checks (must match @tree.command name=...)
+SLASH_CMD_ASSIGN_ISSUE = "assign-issue"
+SLASH_CMD_ISSUE_REQUESTS = "issue-requests"
+SLASH_CMD_SYNC = "sync"
 
 
 def run_bot(config_path: str) -> None:
@@ -888,24 +897,20 @@ async def cancel_assignment(self, interaction: discord.Interaction, button: disc
                 except Exception:
                     pass
 
-    # Create a check function for mentor-only commands
-    def mentor_check(interaction: discord.Interaction) -> bool:
-        """Check if user has mentor role."""
-        mentor_roles = getattr(config, "assignments", None)
-        if not mentor_roles:
-            return False
-        issue_assignee_roles = getattr(mentor_roles, "issue_assignees", [])
-        if not issue_assignee_roles:
-            return False
-        user_roles = [role.name for role in interaction.user.roles]
-        return any(role in issue_assignee_roles for role in user_roles)
+    def command_permission_check(command_name: str):
+        """Restrict slash commands via discord.command_permissions or legacy issue_assignees."""
+
+        def check(interaction: discord.Interaction) -> bool:
+            return slash_command_allowed(interaction, config, command_name)
+
+        return check
 
     @tree.command(
         name="assign-issue",
         description="Assign a GitHub issue to a Discord user (mentor-only, requires confirmation)",
         guild=discord.Object(id=guild_id),
     )
-    @app_commands.check(mentor_check)
+    @app_commands.check(command_permission_check(SLASH_CMD_ASSIGN_ISSUE))
     @app_commands.describe(
         issue_url="GitHub issue URL (e.g., https://github.com/owner/repo/issues/123)",
         assignee="Discord user to assign the issue to"
@@ -1579,7 +1584,7 @@ async def request_issue_cmd(interaction: discord.Interaction, issue_url: str) ->
         description="List pending issue assignment requests (mentor-only); pick a repo first.",
         guild=discord.Object(id=guild_id),
     )
-    @app_commands.check(mentor_check)
+    @app_commands.check(command_permission_check(SLASH_CMD_ISSUE_REQUESTS))
     async def issue_requests_cmd(interaction: discord.Interaction) -> None:
         await interaction.response.defer(ephemeral=True)
         pending = getattr(storage, "list_pending_issue_requests", None)
@@ -1684,7 +1689,7 @@ async def on_message(message: discord.Message) -> None:
         description="Sync GitHub events and send notifications (mentor-only)",
         guild=discord.Object(id=guild_id),
     )
-    @app_commands.check(mentor_check)
+    @app_commands.check(command_permission_check(SLASH_CMD_SYNC))
     async def sync_cmd(interaction: discord.Interaction) -> None:
         """Manually trigger run-once to sync GitHub events and send notifications."""
         await interaction.response.defer(ephemeral=True)
@@ -1751,17 +1756,13 @@ async def on_app_command_error(interaction: discord.Interaction, error: app_comm
         """Handle app command errors, including check failures."""
         if isinstance(error, app_commands.CheckFailure):
             try:
-                mentor_roles = getattr(config, "assignments", None)
-                issue_assignee_roles = getattr(mentor_roles, "issue_assignees", []) if mentor_roles else []
-                role_list = ', '.join(issue_assignee_roles) if issue_assignee_roles else 'configure issue_assignees'
-                error_message = f"❌ Permission denied. Only mentors with roles **{role_list}** can use this command."
-                
+                cmd_name = interaction.command.name if interaction.command else "unknown"
+                error_message = format_slash_command_permission_denied(config, cmd_name)
                 logger.info(
-                    "Check failure for user %s (%s) on command %s. Required roles: %s",
+                    "Check failure for user %s (%s) on command %s.",
                     interaction.user.name,
                     interaction.user.id,
-                    interaction.command.name if interaction.command else "unknown",
-                    role_list,
+                    cmd_name,
                 )
 
                 # Check if response is already sent (shouldn't happen for check failures, but be safe)

src/ghdcbot/config/models.py

@@ -58,6 +58,18 @@ class GitHubConfig(BaseModel):
     user_fallback: bool = False
 
 
+class SlashCommandPermissionRule(BaseModel):
+    """Who may run a restricted slash command (e.g. assign-issue, issue-requests, sync).
+
+    If a command is omitted from ``discord.command_permissions``, the bot falls back to
+    ``assignments.issue_assignees`` (role name match), for backward compatibility.
+    """
+
+    role_ids: list[str] = Field(default_factory=list)
+    role_names: list[str] = Field(default_factory=list)
+    allow_discord_administrators: bool = False
+
+
 class NotificationConfig(BaseModel):
     """Configuration for verified-only GitHub → Discord notifications."""
     enabled: bool = True
@@ -89,6 +101,10 @@ class DiscordConfig(BaseModel):
     pr_preview_channels: list[str] = Field(default_factory=list)
     # Optional: verified-only GitHub → Discord notifications
     notifications: NotificationConfig | None = None
+    # Optional: per-command slash permission (keys: assign-issue, issue-requests, sync). See SlashCommandPermissionRule.
+    command_permissions: dict[str, SlashCommandPermissionRule] | None = None
+    # TESTING ONLY: if true, any guild member may run assign-issue / issue-requests / sync. Turn off for production.
+    unrestricted_slash_commands: bool = False
 
 
 class QualityAdjustmentsConfig(BaseModel):

src/ghdcbot/discord_command_permissions.py

@@ -0,0 +1,90 @@
+"""Per-slash-command permission checks (Discord roles + optional Administrator bypass)."""
+
+from __future__ import annotations
+
+import discord
+
+from ghdcbot.config.models import BotConfig, SlashCommandPermissionRule
+
+
+def _legacy_issue_assignee_allowed(member: discord.Member, config: BotConfig) -> bool:
+    """Backward compatible: assignments.issue_assignees matched by role name."""
+    mentor_roles = getattr(config, "assignments", None)
+    if not mentor_roles:
+        return False
+    issue_assignee_roles = getattr(mentor_roles, "issue_assignees", [])
+    if not issue_assignee_roles:
+        return False
+    user_roles = [role.name for role in member.roles]
+    return any(role in issue_assignee_roles for role in user_roles)
+
+
+def _is_guild_member_like(user: object) -> bool:
+    """True for Discord Member in a guild (has roles + guild_permissions). Duck-typed for tests."""
+    return hasattr(user, "roles") and hasattr(user, "guild_permissions")
+
+
+def slash_command_allowed(
+    interaction: discord.Interaction,
+    config: BotConfig,
+    command_name: str,
+) -> bool:
+    """Return True if the member may run this slash command."""
+    member = interaction.user
+    if not _is_guild_member_like(member):
+        return False
+
+    if getattr(config.discord, "unrestricted_slash_commands", False):
+        return True
+
+    perms = getattr(config.discord, "command_permissions", None)
+    rule: SlashCommandPermissionRule | None = None
+    if perms and command_name in perms:
+        rule = perms[command_name]
+
+    if rule is None:
+        return _legacy_issue_assignee_allowed(member, config)
+
+    if rule.allow_discord_administrators and member.guild_permissions.administrator:
+        return True
+
+    id_allow = {str(rid).strip() for rid in rule.role_ids if str(rid).strip()}
+    for role in member.roles:
+        if str(role.id) in id_allow:
+            return True
+
+    if rule.role_names:
+        allowed_names = set(rule.role_names)
+        user_role_names = {r.name for r in member.roles}
+        if user_role_names & allowed_names:
+            return True
+
+    return False
+
+
+def format_slash_command_permission_denied(config: BotConfig, command_name: str) -> str:
+    """User-facing message listing who may use the command."""
+    perms = getattr(config.discord, "command_permissions", None)
+    rule: SlashCommandPermissionRule | None = None
+    if perms and command_name in perms:
+        rule = perms[command_name]
+
+    if rule is None:
+        mentor_roles = getattr(config, "assignments", None)
+        issue_assignee_roles = getattr(mentor_roles, "issue_assignees", []) if mentor_roles else []
+        role_list = ", ".join(issue_assignee_roles) if issue_assignee_roles else "configure assignments.issue_assignees"
+        return (
+            f"❌ Permission denied. Only members with roles **{role_list}** "
+            f"can use `/{command_name}` (or set `discord.command_permissions`)."
+        )
+
+    bits: list[str] = []
+    if rule.role_ids:
+        bits.append("role ID(s): " + ", ".join(str(r) for r in rule.role_ids))
+    if rule.role_names:
+        bits.append("role name(s): " + ", ".join(rule.role_names))
+    if rule.allow_discord_administrators:
+        bits.append("Discord Administrators")
+    if not bits:
+        return f"❌ Permission denied. Nobody is allowed to use `/{command_name}` with the current rule (fix `discord.command_permissions`)."
+    return f"❌ Permission denied for `/{command_name}`. Allowed: {', '.join(bits)}."