From 8b725d7879efe3c5e93a39510efdffb671c8768d Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 15 Mar 2026 15:59:55 -0700
Subject: [PATCH] Discord: gate unauthorized plugin callbacks

---
 .../discord/src/monitor/agent-components.ts   | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/extensions/discord/src/monitor/agent-components.ts b/extensions/discord/src/monitor/agent-components.ts
index e28bd17b70e..a5678b67ec6 100644
--- a/extensions/discord/src/monitor/agent-components.ts
+++ b/extensions/discord/src/monitor/agent-components.ts
@@ -863,14 +863,16 @@ async function dispatchPluginDiscordInteractiveEvent(params: {
       senderId: params.interactionCtx.userId,
     });
     let cleared = false;
-    try {
-      await respond.clearComponents();
-      cleared = true;
-    } catch {
+    if (resolved.status !== "expired") {
       try {
-        await respond.acknowledge();
+        await respond.clearComponents();
+        cleared = true;
       } catch {
-        // Interaction may already be acknowledged; continue with best-effort follow-up.
+        try {
+          await respond.acknowledge();
+        } catch {
+          // Interaction may already be acknowledged; continue with best-effort follow-up.
+        }
       }
     }
     try {
@@ -1341,6 +1343,17 @@ async function handleDiscordComponentEvent(params: {
 
   const values = params.values ? mapSelectValues(consumed, params.values) : undefined;
   if (consumed.callbackData) {
+    if (!commandAuthorized) {
+      try {
+        await params.interaction.reply({
+          content: unauthorizedReply,
+          ephemeral: true,
+        });
+      } catch {
+        // Interaction may have expired
+      }
+      return;
+    }
     const pluginDispatch = await dispatchPluginDiscordInteractiveEvent({
       ctx: params.ctx,
       interaction: params.interaction,