feat: add admin/owner permission system

Hostmask-based admin controls with automatic IRCOP detection via WHO. Permission enforcement in the central dispatch path denies restricted commands to non-admins. Includes !whoami and !admins commands, marks load/reload/unload as admin-only. Also lands previously-implemented SASL PLAIN auth, token-bucket rate limiting, and CTCP VERSION/TIME/PING responses that were staged but uncommitted. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 02:24:56 +01:00
parent 36b21e2463
commit f96224afb1
9 changed files with 408 additions and 18 deletions
--- a/docs/CHEATSHEET.md
+++ b/docs/CHEATSHEET.md
@@ -13,6 +13,24 @@ derp -v               # Verbose/debug mode
 derp --cprofile       # Profile to derp.prof
 ```

+## SASL Authentication
+
+```toml
+# In config/derp.toml
+[server]
+sasl_user = "account"
+sasl_pass = "password"
+```
+
+## Rate Limiting
+
+```toml
+# In config/derp.toml (defaults shown)
+[bot]
+rate_limit = 2.0     # Messages per second
+rate_burst = 5       # Burst capacity
+```
+
 ## Container

 ```bash
@@ -35,13 +53,28 @@ make logs             # Follow logs
 !h                 # Shorthand (any unambiguous prefix works)
 ```

-## Plugin Management
+## Admin
+
+```
+!whoami            # Show your hostmask + admin status
+!admins            # Show admin patterns + detected opers (admin)
+```
+
+```toml
+# config/derp.toml
+[bot]
+admins = ["*!~user@trusted.host", "ops!*@*.ops.net"]
+```
+
+IRC operators are auto-detected via WHO. Hostmask patterns use fnmatch.
+
+## Plugin Management (admin)

 ```
 !plugins           # List loaded plugins
-!load <plugin>     # Hot-load a plugin
-!reload <plugin>   # Reload a changed plugin
-!unload <plugin>   # Remove a plugin
+!load <plugin>     # Hot-load a plugin (admin)
+!reload <plugin>   # Reload a changed plugin (admin)
+!unload <plugin>   # Remove a plugin (admin)
 ```

 ## OSINT
--- a/docs/USAGE.md
+++ b/docs/USAGE.md
@@ -33,11 +33,16 @@ nick = "derp"                 # Bot nickname
 user = "derp"                 # Username (ident)
 realname = "derp IRC bot"     # Real name field
 password = ""                 # Server password (optional)
+sasl_user = ""                # SASL PLAIN username (optional)
+sasl_pass = ""                # SASL PLAIN password (optional)

 [bot]
 prefix = "!"                  # Command prefix character
 channels = ["#test"]          # Channels to join on connect
 plugins_dir = "plugins"       # Plugin directory path
+rate_limit = 2.0              # Max messages per second (default: 2.0)
+rate_burst = 5                # Burst capacity (default: 5)
+admins = []                   # Hostmask patterns (fnmatch), IRCOPs auto-detected

 [logging]
 level = "info"                # Logging level: debug, info, warning, error
@@ -55,9 +60,11 @@ level = "info"                # Logging level: debug, info, warning, error
 | `!uptime` | Show how long the bot has been running |
 | `!echo <text>` | Echo back text (example plugin) |
 | `!cert <domain> [...]` | Lookup CT logs for up to 5 domains |
-| `!load <plugin>` | Hot-load a plugin from the plugins directory |
-| `!reload <plugin>` | Reload a plugin, picking up file changes |
-| `!unload <plugin>` | Unload a plugin, removing its handlers |
+| `!whoami` | Show your hostmask and admin status |
+| `!load <plugin>` | Hot-load a plugin (admin) |
+| `!reload <plugin>` | Reload a plugin (admin) |
+| `!unload <plugin>` | Unload a plugin (admin) |
+| `!admins` | Show admin patterns and detected opers (admin) |
 | `!plugins` | List loaded plugins with handler counts |
 | `!dns <target> [type]` | DNS lookup (A, AAAA, MX, NS, TXT, CNAME, PTR, SOA) |
 | `!encode <fmt> <text>` | Encode text (b64, hex, url, rot13) |
@@ -114,6 +121,40 @@ broken.test -- error: timeout
 - crt.sh can be slow; the bot confirms receipt before querying
 - Live cert check runs only when expired CT entries exist

+## Admin System
+
+Commands marked as `admin` require elevated permissions. Admin access is
+granted via:
+
+1. **IRC operator status** -- detected automatically via `WHO` on channel join
+2. **Hostmask patterns** -- configured in `[bot] admins`, fnmatch-style
+
+```toml
+[bot]
+admins = [
+    "*!~user@trusted.host",
+    "ops!*@*.ops.net",
+]
+```
+
+Empty by default -- only IRC operators get admin access unless patterns
+are configured.
+
+| Command | Description |
+|---------|-------------|
+| `!whoami` | Show your hostmask and admin status |
+| `!admins` | Show configured patterns and detected opers (admin) |
+
+Admin-restricted commands: `!load`, `!reload`, `!unload`, `!admins`.
+
+### Writing Admin Commands
+
+```python
+@command("dangerous", help="Admin-only action", admin=True)
+async def cmd_dangerous(bot, message):
+    ...
+```
+
 ## Plugin Management

 Plugins can be loaded, unloaded, and reloaded at runtime without