Every command the Discord bot allows, and the gates around it.

author.id != authorized_user → ignored. Past that gate, the design is "hardened edge, one powerful interior": the everyday commands are tightly constrained; two commands (!code, !page) are deliberately powerful and rest entirely on that one gate.

| Command | Allows | Risk |
|---|---|---|
| !ping !help !status | Liveness, help, host uptime/disk/mem from /proc | none |
| !run <name> | A host built-in from a fixed whitelist (df, free, ps, who…) | none |
| !job <name> · !jobs · !job kill | Run/list/kill background presets | none |
| !cat <path> | Read a file under ~/projects | medium |
| !logs [id] | A job log, or the bot's journalctl tail | low |
| !new project <name> | Scaffold a project dir + git commit | low |
| !report · !reload | Bind the daily digest · hot-reload the registry (AST-validated) | low |
| !jot !fitness !fastmail !todoist !accountability !weather | The domain tools (read; jot/accountability also write) | low |
| !uptime !ingest | Scheduled-tool control + add/query/feed/poll | low |
| !page <slug> <request> | LLM-author a page from your signals + deploy to a public Cloudflare URL | HIGH |
| !code <project> <task> | Autonomous Claude Code in a git worktree | HIGHEST |

- !run/!job are a fixed-argv whitelist with no shell, first-token-only — !run uptime; rm -rf ~ simply fails to match a name. They look up a hardcoded argv by name; no user text ever reaches the process.
- !cat is jailed to ~/projects with secret-name denial.
- !code can target any project except the bridge itself; it is denied the bridge directory.
- !reload AST-validates a registry edit before importing it; a broken edit is refused, not loaded.
- !code → a branch (no auto-merge/push), LLM HTML → static-only, the curator → a reversible overlay.
- !code/!page inherit the host env + filesystem. Contained only by A + B + D — named, not hidden.
- No shell=True. The only residual surface is flag-injection into a downstream tool's own CLI, bounded by that tool.

① !code — unsandboxed RCE, by design.
Runs claude -p <task> --dangerously-skip-permissions as the host user. The
git sparse-checkout scopes what's visible, not what the process can do —
it can read/write anywhere in $HOME, reach the network, even push. The only
boundary is "the authorized user asked for it." Correct for a personal bot; it's the headline
for any security review.
② !page — public egress.
Publishes signal data (emails, tasks, calendar, relocation, fitness) to a guessable
*.pages.dev/<slug> URL. The page is LLM-authored, not reviewed; the
"no-network script" rule for interactive pages is a prompt instruction, not an enforced CSP.
③ !cat — name-based secret block.
Blocks .env*, .pem, names containing "secret" — but misses creds in
non-obvious files (credentials.json, a token literal in a .py). Low
likelihood, real if any tool stores a key that way.