Skip to content

feat(moderation): comprehensive warning system with severity, decay, and expiry #251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
BillChirico merged 6 commits into from
Mar 7, 2026
Merged

feat(moderation): comprehensive warning system with severity, decay, and expiry #251

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
ca4a580
feat(moderation): comprehensive warning system with severity, decay, …
Mar 7, 2026
5391fd6
📝 Add docstrings to `feat/issue-250-warning-system`
coderabbitai[bot] Mar 7, 2026
e31417b
feat(dashboard): add warning system config to moderation section
Mar 7, 2026
6ada6e2
feat(dashboard): add escalation threshold editor
Mar 7, 2026
d1dffe0
📝 Add docstrings to `feat/issue-250-warning-system`
coderabbitai[bot] Mar 7, 2026
6705986
fix: address all PR #251 review comments
Mar 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,3 +42,4 @@ web/tsconfig.tsbuildinfo
openclaw-studio/
.codex/
.turbo/
worktrees/
3 changes: 2 additions & 1 deletion biome.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@
"!coverage",
"!logs",
"!data",
"!feat-issue-164"
"!feat-issue-164",
"!worktrees"
]
},
"linter": {
Expand Down
14 changes: 13 additions & 1 deletion config.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,14 @@
"includeAdmins": true,
"includeModerators": true,
"includeServerOwner": true
},
"warnings": {
"expiryDays": 90,
"severityPoints": {
"low": 1,
"medium": 2,
"high": 3
}
}
},
"memory": {
Expand Down Expand Up @@ -152,7 +160,11 @@
"ping": "everyone",
"memory": "everyone",
"config": "admin",
"warn": "admin",
"warn": "moderator",
"warnings": "moderator",
"editwarn": "moderator",
"removewarn": "moderator",
"clearwarnings": "moderator",
"kick": "admin",
"timeout": "admin",
"untimeout": "admin",
Expand Down
60 changes: 60 additions & 0 deletions migrations/011_warnings.cjs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
/**
* Migration: Comprehensive Warning System
*
* Adds a dedicated `warnings` table that tracks individual warnings with
* severity, points, expiry (auto-removal after a configurable period),
* and decay (points reduce over time). Warnings reference the parent
* mod_case for traceability.
*
* Also adds an index on mod_cases for active-warning escalation queries.
*
* @see https://github.com/VolvoxLLC/volvox-bot/issues/250
*/

'use strict';

/** @param {import('node-pg-migrate').MigrationBuilder} pgm */
exports.up = (pgm) => {
// ── warnings table ─────────────────────────────────────────────────
pgm.sql(`
CREATE TABLE IF NOT EXISTS warnings (
id SERIAL PRIMARY KEY,
guild_id TEXT NOT NULL,
user_id TEXT NOT NULL,
moderator_id TEXT NOT NULL,
moderator_tag TEXT NOT NULL,
reason TEXT,
severity TEXT NOT NULL DEFAULT 'low'
CHECK (severity IN ('low', 'medium', 'high')),
points INTEGER NOT NULL DEFAULT 1,
active BOOLEAN NOT NULL DEFAULT TRUE,
expires_at TIMESTAMPTZ,
removed_at TIMESTAMPTZ,
removed_by TEXT,
removal_reason TEXT,
case_id INTEGER REFERENCES mod_cases(id) ON DELETE SET NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)
`);

// Fast lookup: all warnings for a user in a guild
pgm.sql(
'CREATE INDEX IF NOT EXISTS idx_warnings_guild_user ON warnings(guild_id, user_id, created_at DESC)',
);

// Fast lookup: active warnings only (for escalation + /warnings display)
pgm.sql(
'CREATE INDEX IF NOT EXISTS idx_warnings_active ON warnings(guild_id, user_id) WHERE active = TRUE',
);

// Expiry polling: find warnings that need to be deactivated
pgm.sql(
'CREATE INDEX IF NOT EXISTS idx_warnings_expires ON warnings(expires_at) WHERE active = TRUE AND expires_at IS NOT NULL',
);
};

/** @param {import('node-pg-migrate').MigrationBuilder} pgm */
exports.down = (pgm) => {
pgm.sql('DROP TABLE IF EXISTS warnings CASCADE');
};
4 changes: 4 additions & 0 deletions src/api/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import performanceRouter from './routes/performance.js';
import tempRolesRouter from './routes/tempRoles.js';
import ticketsRouter from './routes/tickets.js';
import warningsRouter from './routes/warnings.js';
import webhooksRouter from './routes/webhooks.js';
import welcomeRouter from './routes/welcome.js';

Expand Down Expand Up @@ -58,6 +59,9 @@

// Moderation routes — require API secret or OAuth2 JWT
router.use('/moderation', requireAuth(), auditLogMiddleware(), moderationRouter);

// Warning routes — require API secret or OAuth2 JWT
router.use('/warnings', requireAuth(), auditLogMiddleware(), warningsRouter);

Check failure

Code scanning / CodeQL

Missing rate limiting High

This route handler performs
authorization
Loading
, but is not rate-limited.
This route handler performs
authorization
Loading
, but is not rate-limited.

Copilot Autofix

AI about 1 month ago

In general, the fix is to introduce a rate-limiting middleware (e.g., using express-rate-limit) and apply it to the affected routes so that even authenticated clients cannot make unbounded numbers of expensive requests. This middleware should be added without altering existing authentication or audit behavior.

The best single approach here is to (1) import express-rate-limit, (2) define a small set of limiter instances (for example, a “public” limiter and an “authenticated” limiter) in this file, and (3) apply the appropriate limiter to the router mounts. Specifically, for the issue CodeQL flagged on the /warnings route, we add the authenticated limiter into the middleware chain directly before requireAuth() or immediately after it. To keep behavior consistent and improve security more broadly, we can also rate-limit other authenticated routes in the same router, and optionally add a lighter limiter to public routes such as /auth and /community. All changes should be made inside src/api/index.js: add the import at the top, define the limiters near the router creation, and then update the router.use(...) lines to include those limiters in the middleware lists, keeping the rest of the logic and ordering intact.

Concretely:

  • At the top of src/api/index.js, add import rateLimit from 'express-rate-limit';.
  • After const router = Router();, define e.g.:
    • const publicLimiter = rateLimit({ windowMs: 60_000, max: 60 });
    • const authLimiter = rateLimit({ windowMs: 60_000, max: 120 });
  • Update router.use('/warnings', requireAuth(), auditLogMiddleware(), warningsRouter); to include authLimiter (e.g., router.use('/warnings', authLimiter, requireAuth(), auditLogMiddleware(), warningsRouter);).
  • Optionally but consistently, apply authLimiter to all the authenticated routes in this file and publicLimiter to public routes like /auth and /community.
Suggested changeset 2
src/api/index.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/api/index.js b/src/api/index.js
--- a/src/api/index.js
+++ b/src/api/index.js
@@ -4,6 +4,7 @@
  */
 
 import { Router } from 'express';
+import rateLimit from 'express-rate-limit';
 import { auditLogMiddleware } from './middleware/auditLog.js';
 import { requireAuth } from './middleware/auth.js';
 import aiFeedbackRouter from './routes/ai-feedback.js';
@@ -27,60 +28,72 @@
 
 const router = Router();
 
+// Public rate limiter (e.g., for unauthenticated endpoints)
+const publicLimiter = rateLimit({
+  windowMs: 60 * 1000, // 1 minute
+  max: 60, // 60 requests per minute per IP
+});
+
+// Authenticated rate limiter (for endpoints behind requireAuth)
+const authLimiter = rateLimit({
+  windowMs: 60 * 1000, // 1 minute
+  max: 120, // 120 requests per minute per IP/token
+});
+
 // Health check — public (no auth required)
 router.use('/health', healthRouter);
 
 // Community routes — public (no auth required, rate-limited)
-router.use('/community', communityRouter);
+router.use('/community', publicLimiter, communityRouter);
 
 // Auth routes — public (no auth required)
-router.use('/auth', authRouter);
+router.use('/auth', publicLimiter, authRouter);
 
 // Global config routes — require API secret or OAuth2 JWT
-router.use('/config', requireAuth(), auditLogMiddleware(), configRouter);
+router.use('/config', authLimiter, requireAuth(), auditLogMiddleware(), configRouter);
 
 // Member management routes — require API secret or OAuth2 JWT
 // (mounted before guilds to handle /:id/members/* before the basic guilds endpoint)
-router.use('/guilds', requireAuth(), auditLogMiddleware(), membersRouter);
+router.use('/guilds', authLimiter, requireAuth(), auditLogMiddleware(), membersRouter);
 
 // AI Feedback routes — require API secret or OAuth2 JWT
-router.use('/guilds/:id/ai-feedback', requireAuth(), auditLogMiddleware(), aiFeedbackRouter);
+router.use('/guilds/:id/ai-feedback', authLimiter, requireAuth(), auditLogMiddleware(), aiFeedbackRouter);
 
 // Conversation routes — require API secret or OAuth2 JWT
 // (mounted before guilds to handle /:id/conversations/* before the catch-all guild endpoint)
-router.use('/guilds/:id/conversations', requireAuth(), auditLogMiddleware(), conversationsRouter);
+router.use('/guilds/:id/conversations', authLimiter, requireAuth(), auditLogMiddleware(), conversationsRouter);
 
 // Ticket routes — require API secret or OAuth2 JWT
 // (mounted before guilds to handle /:id/tickets/* before the catch-all guild endpoint)
-router.use('/guilds', requireAuth(), auditLogMiddleware(), ticketsRouter);
+router.use('/guilds', authLimiter, requireAuth(), auditLogMiddleware(), ticketsRouter);
 
 // Guild routes — require API secret or OAuth2 JWT
-router.use('/guilds', requireAuth(), auditLogMiddleware(), guildsRouter);
+router.use('/guilds', authLimiter, requireAuth(), auditLogMiddleware(), guildsRouter);
 
 // Moderation routes — require API secret or OAuth2 JWT
-router.use('/moderation', requireAuth(), auditLogMiddleware(), moderationRouter);
+router.use('/moderation', authLimiter, requireAuth(), auditLogMiddleware(), moderationRouter);
 
 // Warning routes — require API secret or OAuth2 JWT
-router.use('/warnings', requireAuth(), auditLogMiddleware(), warningsRouter);
+router.use('/warnings', authLimiter, requireAuth(), auditLogMiddleware(), warningsRouter);
 // Temp role routes — require API secret or OAuth2 JWT
-router.use('/temp-roles', requireAuth(), auditLogMiddleware(), tempRolesRouter);
+router.use('/temp-roles', authLimiter, requireAuth(), auditLogMiddleware(), tempRolesRouter);
 
 // Audit log routes — require API secret or OAuth2 JWT
 // GET-only; no audit middleware needed (reads are not mutating actions)
-router.use('/guilds', requireAuth(), auditLogRouter);
+router.use('/guilds', authLimiter, requireAuth(), auditLogRouter);
 
 // Welcome routes — require API secret or OAuth2 JWT
-router.use('/guilds/:id/welcome', requireAuth(), auditLogMiddleware(), welcomeRouter);
+router.use('/guilds/:id/welcome', authLimiter, requireAuth(), auditLogMiddleware(), welcomeRouter);
 
 // Performance metrics — require x-api-secret (authenticated via route handler)
-router.use('/performance', performanceRouter);
+router.use('/performance', publicLimiter, performanceRouter);
 
 // Notification webhook management routes — require API secret or OAuth2 JWT
-router.use('/guilds', requireAuth(), auditLogMiddleware(), notificationsRouter);
+router.use('/guilds', authLimiter, requireAuth(), auditLogMiddleware(), notificationsRouter);
 // Webhook routes — require API secret or OAuth2 JWT (endpoint further restricts to api-secret)
-router.use('/webhooks', requireAuth(), webhooksRouter);
+router.use('/webhooks', authLimiter, requireAuth(), webhooksRouter);
 
 // Backup routes — require API secret or OAuth2 JWT
-router.use('/backups', requireAuth(), auditLogMiddleware(), backupRouter);
+router.use('/backups', authLimiter, requireAuth(), auditLogMiddleware(), backupRouter);
 
 export default router;
EOF
package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -47,7 +47,8 @@
     "winston": "^3.19.0",
     "winston-daily-rotate-file": "^5.0.0",
     "winston-transport": "^4.9.0",
-    "ws": "^8.19.0"
+    "ws": "^8.19.0",
+    "express-rate-limit": "^8.3.0"
   },
   "pnpm": {
     "overrides": {
EOF
@@ -47,7 +47,8 @@
"winston": "^3.19.0",
"winston-daily-rotate-file": "^5.0.0",
"winston-transport": "^4.9.0",
"ws": "^8.19.0"
"ws": "^8.19.0",
"express-rate-limit": "^8.3.0"
},
"pnpm": {
"overrides": {
This fix introduces these dependencies
Package Version Security advisories
express-rate-limit (npm) 8.3.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
// Temp role routes — require API secret or OAuth2 JWT
router.use('/temp-roles', requireAuth(), auditLogMiddleware(), tempRolesRouter);

Expand Down
Loading
Loading