diff --git a/docs/chat-commands.md b/docs/chat-commands.md index 15317c1d4..123386c8f 100644 --- a/docs/chat-commands.md +++ b/docs/chat-commands.md @@ -15,8 +15,25 @@ These commands work inside chat channels and interactive agent sessions: | `/dream-log ` | Show a specific Dream memory change | | `/dream-restore` | List recent Dream memory versions | | `/dream-restore ` | Restore memory to the state before a specific change | +| `/pairing` | List pending pairing requests | +| `/pairing approve ` | Approve a pairing code | +| `/pairing deny ` | Deny a pending pairing request | +| `/pairing revoke ` | Revoke a previously approved user on the current channel | +| `/pairing revoke ` | Revoke a previously approved user on a specific channel | | `/help` | Show available in-chat commands | +## Pairing + +When someone sends a DM to the bot and isn't on the allowlist — whether it's a new user or an existing user on a new channel — nanobot automatically replies with a **pairing code** (like `ABCD-EFGH`) that expires in 10 minutes. To grant them access: + +```text +/pairing approve ABCD-EFGH +``` + +To see who's waiting, use `/pairing`. To remove someone later, use `/pairing revoke ` — you can find user IDs in the `/pairing list` output. + +See [Configuration: Pairing](./configuration.md#pairing) for the full setup guide. + ## Model Presets Use `/model` to inspect the current runtime model: diff --git a/docs/configuration.md b/docs/configuration.md index 3f7f39709..74a8e3ac0 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -1117,6 +1117,71 @@ MCP tools are automatically discovered and registered on startup. The LLM can us **Docker security**: The official Docker image runs as a non-root user (`nanobot`, UID 1000) with bubblewrap pre-installed. When using `docker-compose.yml`, the container drops all Linux capabilities except `SYS_ADMIN` (required for bwrap's namespace isolation). +## Pairing + +Pairing lets users get access to the bot through a simple code exchange — no config editing required. This works for both new users and existing users connecting from a new channel (e.g. someone already approved on Telegram now setting up Discord). + +### How it works + +1. A user sends a DM to the bot on any channel (Telegram, Discord, Slack, etc.) where they aren't yet approved. +2. The bot replies with a pairing code (like `ABCD-EFGH`) and tells them to forward it to you. +3. You approve the code: + +```text +/pairing approve ABCD-EFGH +``` + +4. The user can now chat with the bot normally. + +Pairing only works in **DMs** — unapproved users in group chats are silently ignored. + +### Pairing-only mode + +By default, if you don't set `allowFrom`, anyone who isn't approved yet will get a pairing code when they DM the bot. This means you can skip `allowFrom` entirely and manage all access through pairing: + +```json +{ + "channels": { + "telegram": { + "enabled": true + } + } +} +``` + +If you prefer to allow everyone without approval: + +```json +{ + "channels": { + "telegram": { + "enabled": true, + "allowFrom": ["*"] + } + } +} +``` + +### Managing access + +| Command | What it does | +|---------|-------------| +| `/pairing` | Show all pending pairing requests | +| `/pairing approve ` | Approve a request — the sender can now chat | +| `/pairing deny ` | Reject a pending request | +| `/pairing revoke ` | Remove a previously approved user from the current channel | +| `/pairing revoke ` | Remove a user from a specific channel | + +You can find user IDs in the output of `/pairing list`. + +From the terminal: + +```bash +nanobot agent -m "/pairing list" +nanobot agent -m "/pairing approve ABCD-EFGH" +``` + + ## Subagent Concurrency By default, nanobot only allows one spawned subagent at a time. When the limit is