feat(discord): auto-register commands in base guilds at terraform apply time (#35)

- Add null_resource.discord_register_commands that PUTs
COMMAND_DESCRIPTORS
  to Discord for each base guild when discord_bot_token and
discord_application_id are set; re-runs on token rotation or command
changes
- Add null provider to required_providers
- Fix DiscordConfigRedacted in api.ts to include baseAllowedGuilds and
  baseAdmins (server already sent them; web type was missing the fields)
- Update GuildsTab to render terraform-managed guilds as locked rows
with a
  Register commands button but no Remove
- Update AdminsTab to show terraform-managed admin lists as a read-only
section

https://claude.ai/code/session_01RDoBVo5enCMbBxJVYvJKzd

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: CoderCoco

app/packages/web/src/api.ts

@@ -85,6 +85,10 @@ export interface DiscordConfigRedacted {
   allowedGuilds: string[];
   admins: DiscordAdmins;
   gamePermissions: Record<string, DiscordGamePermission>;
+  /** Guild IDs locked in by Terraform — non-removable via the UI. */
+  baseAllowedGuilds: string[];
+  /** Admin user/role IDs locked in by Terraform — non-removable via the UI. */
+  baseAdmins: DiscordAdmins;
   botTokenSet: boolean;
   publicKeySet: boolean;
   interactionsEndpointUrl: string | null;

app/packages/web/src/components/DiscordPanel.tsx

@@ -211,6 +211,9 @@ function CredentialsTab({
  * Manage the guild (server) allowlist. Each row also shows a "Register
  * commands" button — operator-triggered re-registration replaces the old
  * always-on bot's automatic registration on `ready`/`guildCreate`.
+ *
+ * Guilds from the Terraform `base_allowed_guilds` variable are shown as locked
+ * rows — they can be registered but not removed via the UI.
  */
 function GuildsTab({
   cfg,
@@ -226,6 +229,7 @@ function GuildsTab({
   onRegister: (g: string) => void;
 }) {
   const [next, setNext] = useState('');
+  const hasAny = cfg.baseAllowedGuilds.length > 0 || cfg.allowedGuilds.length > 0;
   return (
     <div style={{ display: 'grid', gap: '0.6rem' }}>
       <p style={helpStyle}>
@@ -244,10 +248,19 @@ function GuildsTab({
           Add
         </button>
       </div>
-      {cfg.allowedGuilds.length === 0 ? (
+      {!hasAny ? (
         <div style={helpStyle}>No guilds allowlisted yet.</div>
       ) : (
         <ul style={{ listStyle: 'none', padding: 0, margin: 0, display: 'grid', gap: '0.3rem' }}>
+          {cfg.baseAllowedGuilds.map((g) => (
+            <li key={`base:${g}`} style={rowStyle}>
+              <code style={{ fontSize: '0.8rem', flex: 1 }}>{g}</code>
+              <span style={{ fontSize: '0.7rem', color: 'var(--text-dim)', whiteSpace: 'nowrap' }}>terraform-managed</span>
+              <button className="btn-secondary btn-sm" disabled={busy} onClick={() => onRegister(g)}>
+                Register commands
+              </button>
+            </li>
+          ))}
           {cfg.allowedGuilds.map((g) => (
             <li key={g} style={rowStyle}>
               <code style={{ fontSize: '0.8rem', flex: 1 }}>{g}</code>
@@ -268,6 +281,9 @@ function GuildsTab({
 /**
  * Editor for the server-wide admin list — users or roles that bypass the
  * per-game permission check and can run every Discord command.
+ *
+ * Admins set via the Terraform `base_admin_user_ids` / `base_admin_role_ids`
+ * variables are shown as read-only below the editable section.
  */
 function AdminsTab({
   cfg,
@@ -280,6 +296,8 @@ function AdminsTab({
 }) {
   const [userIds, setUserIds] = useState(cfg.admins.userIds.join(', '));
   const [roleIds, setRoleIds] = useState(cfg.admins.roleIds.join(', '));
+  const hasBaseAdmins =
+    cfg.baseAdmins.userIds.length > 0 || cfg.baseAdmins.roleIds.length > 0;
   return (
     <div style={{ display: 'grid', gap: '0.6rem' }}>
       <p style={helpStyle}>
@@ -297,6 +315,29 @@ function AdminsTab({
           Save
         </button>
       </div>
+      {hasBaseAdmins && (
+        <div style={{ borderTop: '1px solid var(--border)', paddingTop: '0.6rem', display: 'grid', gap: '0.4rem' }}>
+          <div style={{ fontSize: '0.72rem', color: 'var(--text-dim)' }}>
+            Terraform-managed (read-only)
+          </div>
+          {cfg.baseAdmins.userIds.length > 0 && (
+            <div>
+              <div style={{ fontSize: '0.72rem', color: 'var(--text-dim)', marginBottom: '0.2rem' }}>Admin User IDs</div>
+              <code style={{ fontSize: '0.78rem', wordBreak: 'break-all' }}>
+                {cfg.baseAdmins.userIds.join(', ')}
+              </code>
+            </div>
+          )}
+          {cfg.baseAdmins.roleIds.length > 0 && (
+            <div>
+              <div style={{ fontSize: '0.72rem', color: 'var(--text-dim)', marginBottom: '0.2rem' }}>Admin Role IDs</div>
+              <code style={{ fontSize: '0.78rem', wordBreak: 'break-all' }}>
+                {cfg.baseAdmins.roleIds.join(', ')}
+              </code>
+            </div>
+          )}
+        </div>
+      )}
     </div>
   );
 }

docs/docs/components/terraform.md

@@ -19,7 +19,7 @@ step 3 of the [setup guide](/setup) for details.
 | `watchdog.tf` | `watchdog` Lambda with its IAM, EventBridge schedule at `rate(${watchdog_interval_minutes} minute(s))`. |
 | `interactions.tf` | `interactions` Lambda with IAM + Function URL (`auth_type = NONE`, CORS for `https://discord.com`). Exposes `interactions_invoke_url`. |
 | `followup.tf` | `followup` Lambda with IAM (`ecs:RunTask`, `StopTask`, `DescribeTasks`, `iam:PassRole`, `dynamodb:GetItem`/`PutItem`, `ec2:DescribeNetworkInterfaces`). Async-invoked by interactions. |
-| `discord_store.tf` | DynamoDB table (pk+sk, TTL on `expiresAt`), two Secrets Manager secrets (`${project_name}/discord/bot-token`, `/discord/public-key`) with `recovery_window_in_days = 0` and `lifecycle.ignore_changes` on seeded secret values. Optional `CONFIG#discord` DynamoDB item seeded from tfvars. Optional `BASE#discord` item holding the Terraform-managed base allowlist/admins (see `base_allowed_guilds` / `base_admin_*` variables). |
+| `discord_store.tf` | DynamoDB table (pk+sk, TTL on `expiresAt`), two Secrets Manager secrets (`${project_name}/discord/bot-token`, `/discord/public-key`) with `recovery_window_in_days = 0` and `lifecycle.ignore_changes` on seeded secret values. Optional `CONFIG#discord` DynamoDB item seeded from tfvars. Optional `BASE#discord` item holding the Terraform-managed base allowlist/admins (see `base_allowed_guilds` / `base_admin_*` variables). When `discord_bot_token`, `discord_application_id`, and at least one `base_allowed_guilds` entry are set, a `null_resource` runs `curl` to register slash commands in each base guild during apply; re-runs on token rotation or command-descriptor changes. |
 | `variables.tf` | Every configurable input. See the table below. |
 | `outputs.tf` | Every value the management app (and humans) consume. |
 | `terraform.tfvars.example` | Starting point for your `terraform.tfvars`. |

docs/docs/setup.md

@@ -333,6 +333,11 @@ connect it to a Discord application.
    base_admin_role_ids = []
    ```
 
+   When `discord_bot_token`, `discord_application_id`, **and** at least one
+   entry in `base_allowed_guilds` are all set, `terraform apply` also
+   registers the slash commands in each base guild automatically — no manual
+   "Register commands" click needed for those guilds.
+
 3. **Copy the interactions endpoint URL** (the `interactions_invoke_url`
    Terraform output, also shown in the dashboard Credentials tab) into the
    Discord Developer Portal under **General Information → Interactions
@@ -353,10 +358,12 @@ connect it to a Discord application.
    **Copy ID**.
 
 6. **In the dashboard's Discord Bot panel:**
-   - **Guilds tab**: add the guild ID and click **Register commands** so
-     Discord learns about `/server-start`, `/server-stop`, `/server-status`,
-     `/server-list`. This is a per-guild REST call; there are no global
-     commands.
+   - **Guilds tab**: guilds in `base_allowed_guilds` have their slash commands
+     registered automatically by `terraform apply` (provided the bot token and
+     application ID were set in tfvars). For any guild added via the UI, click
+     **Register commands** to install `/server-start`, `/server-stop`,
+     `/server-status`, `/server-list`. This is always a per-guild REST call;
+     there are no global commands.
    - **Admins tab**: user IDs and/or role IDs that can run everything on
      everything.
    - **Per-Game Permissions tab**: for each game, which users/roles can
@@ -407,7 +414,7 @@ hitting "already scheduled for deletion".
 | Dashboard says **terraform not applied** in the Discord panel | `interactions_invoke_url` output missing | Re-run `cd app && npm run build:lambdas && cd ../terraform && terraform apply`. |
 | Dashboard says **awaiting credentials** | Secrets still contain the Terraform `"placeholder"` seed | Paste the real bot token + public key in the Credentials tab and Save. |
 | Discord rejects the interactions URL with "invalid interactions endpoint URL" | Public key in Secrets Manager doesn't match Discord's | Re-copy the Application Public Key from the Developer Portal and Save. |
-| `/server-*` slash commands don't appear in Discord | Per-guild registration not done | Guilds tab → **Register commands** next to the guild ID. |
+| `/server-*` slash commands don't appear in Discord | Per-guild registration not done | For base guilds: ensure `discord_bot_token`, `discord_application_id`, and `base_allowed_guilds` are all set in tfvars, then re-run `terraform apply`. For UI-added guilds: Guilds tab → **Register commands** next to the guild ID. |
 | `/server-start` says "You don't have permission" | Your user/role isn't in admins or per-game permissions, or the `start` action isn't ticked | Admins tab or Per-Game Permissions tab, then retry. |
 | Task reaches RUNNING but DNS never updates | update-dns Lambda errored; EventBridge rule might be disabled | Check the Lambda's CloudWatch logs; verify the EventBridge rule is enabled. |
 | Watchdog stops tasks too aggressively | Low `watchdog_min_packets`, short `watchdog_interval_minutes`, or low `watchdog_idle_checks` | Tune the three knobs via the dashboard **Server Config** panel and re-apply. |

terraform/discord_store.tf

@@ -109,6 +109,93 @@ resource "aws_secretsmanager_secret_version" "discord_public_key" {
 # The resource is skipped entirely when all three lists are empty so a
 # UI-only deployment doesn't end up with a stray empty row.
 
+# ─ Slash-command descriptors ──────────────────────────────────────────────────
+# Must be kept in sync with COMMAND_DESCRIPTORS in
+# app/packages/shared/src/commands.ts. The sha256 of this value is used as a
+# trigger so `null_resource.discord_register_commands` re-runs whenever the
+# command set changes.
+locals {
+  discord_command_descriptors = jsonencode([
+    {
+      name        = "server-start"
+      description = "Start a game server"
+      options = [{
+        type         = 3
+        name         = "game"
+        description  = "Game to start"
+        required     = true
+        autocomplete = true
+      }]
+    },
+    {
+      name        = "server-stop"
+      description = "Stop a running game server"
+      options = [{
+        type         = 3
+        name         = "game"
+        description  = "Game to stop"
+        required     = true
+        autocomplete = true
+      }]
+    },
+    {
+      name        = "server-status"
+      description = "Show status of a game server (or all if omitted)"
+      options = [{
+        type         = 3
+        name         = "game"
+        description  = "Game to check"
+        required     = false
+        autocomplete = true
+      }]
+    },
+    {
+      name        = "server-list"
+      description = "List all configured game servers and their state"
+    }
+  ])
+}
+
+# ─ Auto-register slash commands ───────────────────────────────────────────────
+# When discord_bot_token, discord_application_id, and base_allowed_guilds are
+# all set, this registers the slash commands in each base guild during
+# `terraform apply`. Re-runs whenever the application ID, token, or command
+# descriptors change (tracked via triggers_replace). Guilds added later via the
+# management UI still require the "Register commands" button in the Guilds tab.
+#
+# Uses terraform_data (built into Terraform ≥1.4; no extra provider needed).
+# The bot token is passed via environment variable (not a shell argument) so it
+# never appears in the process list. nonsensitive() is required because
+# sensitive values are not permitted in for_each or trigger keys.
+resource "terraform_data" "discord_register_commands" {
+  for_each = (nonsensitive(var.discord_bot_token) != "" && var.discord_application_id != "") ? toset(var.base_allowed_guilds) : toset([])
+
+  triggers_replace = {
+    application_id    = var.discord_application_id
+    guild_id          = each.value
+    token_hash        = sha256(nonsensitive(var.discord_bot_token))
+    commands_checksum = sha256(local.discord_command_descriptors)
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      curl -sSf -X PUT \
+        "https://discord.com/api/v10/applications/${var.discord_application_id}/guilds/${each.value}/commands" \
+        -H "Authorization: Bot $DISCORD_BOT_TOKEN" \
+        -H "Content-Type: application/json" \
+        -d '${local.discord_command_descriptors}'
+    EOT
+    environment = {
+      DISCORD_BOT_TOKEN = var.discord_bot_token
+    }
+  }
+
+  depends_on = [
+    aws_dynamodb_table_item.discord_base_config,
+    aws_secretsmanager_secret_version.discord_bot_token,
+  ]
+}
+
 resource "aws_dynamodb_table_item" "discord_base_config" {
   count = (length(var.base_allowed_guilds) + length(var.base_admin_user_ids) + length(var.base_admin_role_ids)) > 0 ? 1 : 0
 

terraform/main.tf

@@ -10,6 +10,7 @@ terraform {
       source  = "hashicorp/archive"
       version = "~> 2.4"
     }
+
   }
 
   # Backend config is supplied at `terraform init` time by setup.sh so the