fix(credentials): Bind delegated credential subjects

Carry a core-signed Slack DM binding with delegated credential subjects so trusted dispatch can verify the subject locally before storing it.

This preserves the scheduler's previously verified Slack requester context without adding dispatch-time Slack API lookups.

Refs #449

Co-Authored-By: GPT-5 Codex <codex@openai.com>

Author: dcramer

packages/junior-plugin-api/src/index.ts

@@ -110,6 +110,7 @@ export interface ToolRegistrationHookContext extends AgentPluginContext {
     canPostToChannel: boolean;
   };
   channelId?: string;
+  credentialSubject?: AgentPluginCredentialSubject;
   messageTs?: string;
   requester?: AgentPluginRequester;
   state: AgentPluginState;
@@ -118,12 +119,20 @@ export interface ToolRegistrationHookContext extends AgentPluginContext {
   userText?: string;
 }
 
-export interface DispatchOptions {
-  credentialSubject?: {
-    type: "user";
-    userId: string;
-    allowedWhen: "private-direct-conversation";
+export interface AgentPluginCredentialSubject {
+  type: "user";
+  userId: string;
+  allowedWhen: "private-direct-conversation";
+  binding: {
+    type: "slack-direct-conversation";
+    teamId: string;
+    channelId: string;
+    signature: string;
   };
+}
+
+export interface DispatchOptions {
+  credentialSubject?: AgentPluginCredentialSubject;
   destination: {
     platform: "slack";
     teamId: string;

packages/junior-scheduler/src/plugin.ts

@@ -47,6 +47,7 @@ function createSchedulerToolContext(
       canPostToChannel: false,
     },
     channelId: ctx.channelId,
+    credentialSubject: ctx.credentialSubject,
     messageTs: ctx.messageTs,
     requester: ctx.requester,
     state: ctx.state,

packages/junior-scheduler/src/schedule-tools.ts

@@ -27,6 +27,7 @@ export interface SchedulerToolContext {
     canPostToChannel: boolean;
   };
   channelId?: string;
+  credentialSubject?: ScheduledTaskCredentialSubject;
   messageTs?: string;
   requester?: AgentPluginRequester;
   state: AgentPluginState;
@@ -126,19 +127,15 @@ function getConversationAccess(
 
 function getCredentialSubject(args: {
   access: ScheduledTaskConversationAccess;
-  requester: ScheduledTaskPrincipal;
+  subject: ScheduledTaskCredentialSubject | undefined;
 }): ScheduledTaskCredentialSubject | undefined {
   if (
     args.access.audience !== "direct" ||
     args.access.visibility !== "private"
   ) {
     return undefined;
   }
-  return {
-    type: "user",
-    userId: args.requester.slackUserId,
-    allowedWhen: "private-direct-conversation",
-  };
+  return args.subject;
 }
 
 function sameDestination(
@@ -340,20 +337,35 @@ export function createSlackScheduleCreateTaskTool(
     inputSchema: Type.Object({
       task: Type.String({ minLength: 1, maxLength: 4000 }),
       schedule: Type.String({ minLength: 1, maxLength: 300 }),
-      timezone: Type.Optional(Type.String({ minLength: 1, maxLength: 80, description: "IANA timezone, e.g. 'America/Los_Angeles'. Defaults to the channel's configured timezone." })),
+      timezone: Type.Optional(
+        Type.String({
+          minLength: 1,
+          maxLength: 80,
+          description:
+            "IANA timezone, e.g. 'America/Los_Angeles'. Defaults to the channel's configured timezone.",
+        }),
+      ),
       next_run_at: Type.Optional(
         Type.String({
           minLength: 1,
           description:
             "Exact next run time as an ISO timestamp, computed from the user's requested schedule.",
         }),
       ),
-      recurrence: Type.Optional(Type.Union([
-        Type.Literal("daily"),
-        Type.Literal("weekly"),
-        Type.Literal("monthly"),
-        Type.Literal("yearly"),
-      ], { description: "Provide only for explicitly repeating schedules; omit for one-time requests like 'in 1 minute', 'tomorrow', or a specific date. Recurring tasks run at most once per day: use daily, weekly, monthly, or yearly only." })),
+      recurrence: Type.Optional(
+        Type.Union(
+          [
+            Type.Literal("daily"),
+            Type.Literal("weekly"),
+            Type.Literal("monthly"),
+            Type.Literal("yearly"),
+          ],
+          {
+            description:
+              "Provide only for explicitly repeating schedules; omit for one-time requests like 'in 1 minute', 'tomorrow', or a specific date. Recurring tasks run at most once per day: use daily, weekly, monthly, or yearly only.",
+          },
+        ),
+      ),
     }),
     execute: async (input) => {
       const destination = requireActiveDestination(context);
@@ -377,7 +389,7 @@ export function createSlackScheduleCreateTaskTool(
       const conversationAccess = getConversationAccess(destination);
       const credentialSubject = getCredentialSubject({
         access: conversationAccess,
-        requester,
+        subject: context.credentialSubject,
       });
 
       const task: ScheduledTask = {
@@ -450,20 +462,47 @@ export function createSlackScheduleUpdateTaskTool(
     description:
       "Edit, pause, resume, or reschedule an existing Junior scheduled task in the active Slack conversation. Use only task IDs returned for this destination. Do not move scheduled tasks across conversations.",
     inputSchema: Type.Object({
-      task_id: Type.String({ minLength: 1, description: "ID of the task to update. Must be from this active Slack destination." }),
+      task_id: Type.String({
+        minLength: 1,
+        description:
+          "ID of the task to update. Must be from this active Slack destination.",
+      }),
       task: Type.Optional(Type.String({ minLength: 1, maxLength: 4000 })),
       schedule: Type.Optional(Type.String({ minLength: 1, maxLength: 300 })),
       timezone: Type.Optional(Type.String({ minLength: 1, maxLength: 80 })),
-      next_run_at: Type.Optional(Type.String({ minLength: 1, description: "Exact ISO timestamp when changing the next run time." })),
+      next_run_at: Type.Optional(
+        Type.String({
+          minLength: 1,
+          description: "Exact ISO timestamp when changing the next run time.",
+        }),
+      ),
       recurrence: Type.Optional(
-        Type.Union([Type.Literal("daily"), Type.Literal("weekly"), Type.Literal("monthly"), Type.Literal("yearly"), Type.Null()], { description: "Provide only for repeating schedules. Omit for one-time requests. Set to null to convert a recurring task to one-time." }),
+        Type.Union(
+          [
+            Type.Literal("daily"),
+            Type.Literal("weekly"),
+            Type.Literal("monthly"),
+            Type.Literal("yearly"),
+            Type.Null(),
+          ],
+          {
+            description:
+              "Provide only for repeating schedules. Omit for one-time requests. Set to null to convert a recurring task to one-time.",
+          },
+        ),
       ),
       status: Type.Optional(
-        Type.Union([
-          Type.Literal("active"),
-          Type.Literal("paused"),
-          Type.Literal("blocked"),
-        ], { description: "Set to active, paused, or blocked to resume, pause, or block the task." }),
+        Type.Union(
+          [
+            Type.Literal("active"),
+            Type.Literal("paused"),
+            Type.Literal("blocked"),
+          ],
+          {
+            description:
+              "Set to active, paused, or blocked to resume, pause, or block the task.",
+          },
+        ),
       ),
     }),
     execute: async (input) => {
@@ -540,7 +579,11 @@ export function createSlackScheduleDeleteTaskTool(
     description:
       "Delete one scheduled Junior task from the active Slack conversation. Use only task IDs returned for this destination. Do not delete schedules from threads, other channels, or another user's DM.",
     inputSchema: Type.Object({
-      task_id: Type.String({ minLength: 1, description: "ID of the task to delete. Must be from this active Slack destination." }),
+      task_id: Type.String({
+        minLength: 1,
+        description:
+          "ID of the task to delete. Must be from this active Slack destination.",
+      }),
     }),
     execute: async ({ task_id }) => {
       const lookup = await getWritableTask({ context, taskId: task_id });
@@ -571,7 +614,11 @@ export function createSlackScheduleRunTaskNowTool(
     description:
       "Queue an existing active scheduled Junior task to run as soon as possible, without changing its cadence. Use when the user asks to run an existing scheduled task now. Use only task IDs returned for this destination.",
     inputSchema: Type.Object({
-      task_id: Type.String({ minLength: 1, description: "ID of the active task to run now. Must be from this active Slack destination." }),
+      task_id: Type.String({
+        minLength: 1,
+        description:
+          "ID of the active task to run now. Must be from this active Slack destination.",
+      }),
     }),
     execute: async ({ task_id }) => {
       const lookup = await getWritableTask({ context, taskId: task_id });

packages/junior-scheduler/src/types.ts

@@ -1,3 +1,5 @@
+import type { AgentPluginCredentialSubject } from "@sentry/junior-plugin-api";
+
 export type ScheduledTaskStatus = "active" | "paused" | "blocked" | "deleted";
 
 export type ScheduledRunStatus =
@@ -35,11 +37,7 @@ export interface ScheduledTaskConversationAccess {
   visibility: "private" | "public" | "unknown";
 }
 
-export interface ScheduledTaskCredentialSubject {
-  type: "user";
-  userId: string;
-  allowedWhen: "private-direct-conversation";
-}
+export type ScheduledTaskCredentialSubject = AgentPluginCredentialSubject;
 
 export type ScheduledCalendarFrequency =
   | "daily"

packages/junior/src/chat/agent-dispatch/context.ts

@@ -1,19 +1,21 @@
 import type { HeartbeatHookContext } from "@sentry/junior-plugin-api";
 import { createAgentPluginLogger } from "@/chat/plugins/logging";
 import { createPluginState } from "@/chat/plugins/state";
+import { createSlackDirectCredentialSubject } from "@/chat/credentials/subject";
 import {
   createOrGetDispatch,
   getPluginDispatchProjection,
   isTerminalDispatchStatus,
 } from "./store";
 import { scheduleDispatchCallback } from "./signing";
-import type { DispatchRecord } from "./types";
+import type { DispatchOptions, DispatchRecord } from "./types";
 import {
   validateDispatchOptions,
   verifyDispatchCredentialSubjectAccess,
 } from "./validation";
 
 const MAX_DISPATCHES_PER_HEARTBEAT = 25;
+const SCHEDULER_PLUGIN_NAME = "scheduler";
 
 function shouldScheduleDispatch(
   record: DispatchRecord,
@@ -29,6 +31,34 @@ function shouldScheduleDispatch(
   );
 }
 
+function bindLegacySchedulerCredentialSubject(args: {
+  options: DispatchOptions;
+  plugin: string;
+}): DispatchOptions {
+  const { credentialSubject } = args.options;
+  if (
+    args.plugin !== SCHEDULER_PLUGIN_NAME ||
+    !credentialSubject ||
+    credentialSubject.binding
+  ) {
+    return args.options;
+  }
+
+  const boundSubject = createSlackDirectCredentialSubject({
+    channelId: args.options.destination.channelId,
+    teamId: args.options.destination.teamId,
+    userId: credentialSubject.userId,
+  });
+  if (!boundSubject) {
+    return args.options;
+  }
+
+  return {
+    ...args.options,
+    credentialSubject: boundSubject,
+  };
+}
+
 /** Build the plugin-scoped heartbeat context that gates durable dispatch access. */
 export function createHeartbeatContext(args: {
   legacyStatePrefixes?: string[];
@@ -45,14 +75,18 @@ export function createHeartbeatContext(args: {
     log: createAgentPluginLogger(args.plugin),
     agent: {
       async dispatch(options) {
-        validateDispatchOptions(options);
+        const dispatchOptions = bindLegacySchedulerCredentialSubject({
+          plugin: args.plugin,
+          options,
+        });
+        validateDispatchOptions(dispatchOptions);
         if (dispatchCount >= MAX_DISPATCHES_PER_HEARTBEAT) {
           throw new Error("Plugin heartbeat exceeded the dispatch limit");
         }
-        await verifyDispatchCredentialSubjectAccess(options);
+        await verifyDispatchCredentialSubjectAccess(dispatchOptions);
         const result = await createOrGetDispatch({
           plugin: args.plugin,
-          options,
+          options: dispatchOptions,
           nowMs: args.nowMs,
         });
         dispatchCount += 1;

packages/junior/src/chat/agent-dispatch/validation.ts

@@ -1,5 +1,5 @@
 import type { DispatchOptions } from "./types";
-import { isSlackDirectConversationForUser } from "@/chat/slack/channel";
+import { verifySlackDirectCredentialSubject } from "@/chat/credentials/subject";
 import { isDmChannel } from "@/chat/slack/client";
 import { isSlackConversationId, isSlackTeamId } from "@/chat/slack/ids";
 
@@ -80,9 +80,10 @@ export async function verifyDispatchCredentialSubjectAccess(
     return;
   }
 
-  const verified = await isSlackDirectConversationForUser({
+  const verified = verifySlackDirectCredentialSubject({
     channelId: options.destination.channelId,
-    userId: options.credentialSubject.userId,
+    teamId: options.destination.teamId,
+    subject: options.credentialSubject,
   });
   if (!verified) {
     throw new Error(

packages/junior/src/chat/credentials/context.ts

@@ -1,13 +1,11 @@
+import type { AgentPluginCredentialSubject } from "@sentry/junior-plugin-api";
+
 export type CredentialSystemActor = {
   type: "system";
   id: string;
 };
 
-export type CredentialSubject = {
-  type: "user";
-  userId: string;
-  allowedWhen: "private-direct-conversation";
-};
+export type CredentialSubject = AgentPluginCredentialSubject;
 
 export type CredentialContext =
   | {
@@ -93,12 +91,32 @@ function parseSubject(
       record.type === "user" &&
       typeof record.userId === "string" &&
       record.userId &&
-      record.allowedWhen === "private-direct-conversation"
+      record.allowedWhen === "private-direct-conversation" &&
+      record.binding &&
+      typeof record.binding === "object"
     ) {
+      const binding = record.binding as Partial<CredentialSubject["binding"]>;
+      if (
+        binding.type !== "slack-direct-conversation" ||
+        typeof binding.teamId !== "string" ||
+        !binding.teamId ||
+        typeof binding.channelId !== "string" ||
+        !binding.channelId ||
+        typeof binding.signature !== "string" ||
+        !binding.signature
+      ) {
+        return undefined;
+      }
       return {
         type: "user",
         userId: record.userId,
         allowedWhen: "private-direct-conversation",
+        binding: {
+          type: "slack-direct-conversation",
+          teamId: binding.teamId,
+          channelId: binding.channelId,
+          signature: binding.signature,
+        },
       };
     }
   }