From 21f63ffc1027df36b81454123c434cb5cc20e524 Mon Sep 17 00:00:00 2001
From: Remon Oldenbeuving <remon@kilocode.ai>
Date: Mon, 2 Mar 2026 15:32:23 +0100
Subject: [PATCH 1/4] Add Discord account-link auth flow for team members

Route unlinked Discord users through a secure link button flow that enforces Kilo sign-in and owner/org access before redirecting to Discord OAuth. This lets org members authorize themselves without falling back to an internal bot user.
---
 .../(app)/integrations/discord/link/route.ts  |  75 ++++++++++
 src/app/(app)/integrations/discord/page.tsx   |   5 +-
 .../[id]/integrations/discord/page.tsx        |   2 +-
 .../integrations/discord/callback/route.ts    |  38 ++++-
 src/app/discord/webhook/route.ts              |   6 +
 .../DiscordIntegrationDetails.tsx             |  10 ++
 src/lib/discord-bot.ts                        |  30 +++-
 src/lib/discord/auth.test.ts                  | 136 +++++++++++++++++
 src/lib/discord/auth.ts                       |  78 +++++++---
 src/lib/discord/authorized-users.test.ts      |  44 ++++++
 src/lib/discord/authorized-users.ts           |  50 +++++++
 src/lib/integrations/discord-service.ts       | 137 ++++++++++++++++--
 src/routers/discord-router.ts                 |  11 ++
 13 files changed, 579 insertions(+), 43 deletions(-)
 create mode 100644 src/app/(app)/integrations/discord/link/route.ts
 create mode 100644 src/lib/discord/auth.test.ts
 create mode 100644 src/lib/discord/authorized-users.test.ts
 create mode 100644 src/lib/discord/authorized-users.ts

diff --git a/src/app/(app)/integrations/discord/link/route.ts b/src/app/(app)/integrations/discord/link/route.ts
new file mode 100644
index 000000000..bcbe6e56d
--- /dev/null
+++ b/src/app/(app)/integrations/discord/link/route.ts
@@ -0,0 +1,75 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import * as z from 'zod';
+import { APP_URL } from '@/lib/constants';
+import { getUserFromAuth } from '@/lib/user.server';
+import { createOAuthState } from '@/lib/integrations/oauth-state';
+import { getDiscordUserLinkOAuthUrl, getInstallation } from '@/lib/integrations/discord-service';
+import { isOrganizationMember } from '@/lib/organizations/organizations';
+import type { Owner } from '@/lib/integrations/core/types';
+
+const LinkRequestSchema = z.discriminatedUnion('ownerType', [
+  z.object({ ownerType: z.literal('org'), ownerId: z.uuid() }),
+  z.object({ ownerType: z.literal('user'), ownerId: z.string().min(1) }),
+]);
+
+function buildIntegrationPath(owner: Owner, queryParam?: string): string {
+  const basePath =
+    owner.type === 'org'
+      ? `/organizations/${owner.id}/integrations/discord`
+      : '/integrations/discord';
+
+  return queryParam ? `${basePath}?${queryParam}` : basePath;
+}
+
+function buildSignInPath(callbackPath: string): string {
+  return `/users/sign_in?callbackPath=${encodeURIComponent(callbackPath)}`;
+}
+
+export async function GET(request: NextRequest) {
+  const parsed = LinkRequestSchema.safeParse({
+    ownerType: request.nextUrl.searchParams.get('ownerType'),
+    ownerId: request.nextUrl.searchParams.get('ownerId'),
+  });
+
+  if (!parsed.success) {
+    return NextResponse.redirect(new URL('/integrations/discord?error=invalid_link', APP_URL));
+  }
+
+  const owner: Owner =
+    parsed.data.ownerType === 'org'
+      ? { type: 'org', id: parsed.data.ownerId }
+      : { type: 'user', id: parsed.data.ownerId };
+
+  const callbackPath = `${request.nextUrl.pathname}${request.nextUrl.search}`;
+  const authResult = await getUserFromAuth({ adminOnly: false });
+  if (!authResult.user) {
+    return NextResponse.redirect(new URL(buildSignInPath(callbackPath), APP_URL));
+  }
+
+  if (owner.type === 'org' && !authResult.user.is_admin) {
+    const isMember = await isOrganizationMember(owner.id, authResult.user.id);
+    if (!isMember) {
+      return NextResponse.redirect(
+        new URL(buildIntegrationPath(owner, 'error=unauthorized'), APP_URL)
+      );
+    }
+  }
+
+  if (owner.type === 'user' && authResult.user.id !== owner.id) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=unauthorized'), APP_URL)
+    );
+  }
+
+  const installation = await getInstallation(owner);
+  if (!installation) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=installation_missing'), APP_URL)
+    );
+  }
+
+  const statePrefix = owner.type === 'org' ? `org_${owner.id}` : `user_${owner.id}`;
+  const state = createOAuthState(statePrefix, authResult.user.id);
+  return NextResponse.redirect(getDiscordUserLinkOAuthUrl(state));
+}
diff --git a/src/app/(app)/integrations/discord/page.tsx b/src/app/(app)/integrations/discord/page.tsx
index 8a2e204ef..31f133970 100644
--- a/src/app/(app)/integrations/discord/page.tsx
+++ b/src/app/(app)/integrations/discord/page.tsx
@@ -43,7 +43,10 @@ export default async function UserDiscordIntegrationPage({
           </Card>
         }
       >
-        <DiscordIntegrationDetails success={search.success === 'installed'} error={search.error} />
+        <DiscordIntegrationDetails
+          success={search.success === 'installed' || search.success === 'linked_user'}
+          error={search.error}
+        />
       </Suspense>
     </PageLayout>
   );
diff --git a/src/app/(app)/organizations/[id]/integrations/discord/page.tsx b/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
index 09ab72889..be834c9cc 100644
--- a/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
+++ b/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
@@ -52,7 +52,7 @@ export default async function OrgDiscordIntegrationPage({
           >
             <DiscordIntegrationDetails
               organizationId={organization.id}
-              success={search.success === 'installed'}
+              success={search.success === 'installed' || search.success === 'linked_user'}
               error={search.error}
             />
           </Suspense>
diff --git a/src/app/api/integrations/discord/callback/route.ts b/src/app/api/integrations/discord/callback/route.ts
index 01b118bdc..2265de799 100644
--- a/src/app/api/integrations/discord/callback/route.ts
+++ b/src/app/api/integrations/discord/callback/route.ts
@@ -4,7 +4,12 @@ import { getUserFromAuth } from '@/lib/user.server';
 import { ensureOrganizationAccess } from '@/routers/organizations/utils';
 import type { Owner } from '@/lib/integrations/core/types';
 import { captureException, captureMessage } from '@sentry/nextjs';
-import { exchangeDiscordCode, upsertDiscordInstallation } from '@/lib/integrations/discord-service';
+import {
+  exchangeDiscordCode,
+  getDiscordOAuthUserId,
+  linkDiscordRequesterToOwner,
+  upsertDiscordInstallation,
+} from '@/lib/integrations/discord-service';
 import { verifyOAuthState } from '@/lib/integrations/oauth-state';
 import { APP_URL } from '@/lib/constants';
 
@@ -121,14 +126,37 @@ export async function GET(request: NextRequest) {
     // 7. Exchange code for access token
     const oauthData = await exchangeDiscordCode(code);
 
-    // 8. Store installation in database
-    await upsertDiscordInstallation(owner, oauthData);
+    // 8. Resolve the Discord requester identity and persist authorization mapping
+    const discordUserId = await getDiscordOAuthUserId(oauthData.access_token);
+    const authorizedRequester = {
+      kiloUserId: user.id,
+      discordUserId,
+    };
+
+    const isInstallFlow = Boolean(oauthData.guild?.id);
+    if (isInstallFlow) {
+      await upsertDiscordInstallation(owner, oauthData, authorizedRequester);
+    } else {
+      const linked = await linkDiscordRequesterToOwner(owner, authorizedRequester);
+      if (!linked) {
+        captureMessage('Discord user link callback without an existing installation', {
+          level: 'warning',
+          tags: { endpoint: 'discord/callback', source: 'discord_oauth' },
+          extra: { owner, userId: user.id },
+        });
+
+        return NextResponse.redirect(
+          new URL(buildDiscordRedirectPath(state, 'error=installation_missing'), APP_URL)
+        );
+      }
+    }
 
     // 9. Redirect to success page
+    const successQuery = isInstallFlow ? 'success=installed' : 'success=linked_user';
     const successPath =
       owner.type === 'org'
-        ? `/organizations/${owner.id}/integrations/discord?success=installed`
-        : `/integrations/discord?success=installed`;
+        ? `/organizations/${owner.id}/integrations/discord?${successQuery}`
+        : `/integrations/discord?${successQuery}`;
 
     return NextResponse.redirect(new URL(successPath, APP_URL));
   } catch (error) {
diff --git a/src/app/discord/webhook/route.ts b/src/app/discord/webhook/route.ts
index 7b80b678f..6521d09ee 100644
--- a/src/app/discord/webhook/route.ts
+++ b/src/app/discord/webhook/route.ts
@@ -171,6 +171,12 @@ async function processGatewayMessage(event: ForwardedGatewayEvent) {
   const responseText = truncateForDiscord(responseWithDevInfo);
   const postResult = await postDiscordMessage(channelId, responseText, {
     messageReference: { message_id: messageId },
+    linkButton: result.linkDiscordAccountUrl
+      ? {
+          label: 'Link My Discord Account',
+          url: result.linkDiscordAccountUrl,
+        }
+      : undefined,
   });
 
   console.log(
diff --git a/src/components/integrations/DiscordIntegrationDetails.tsx b/src/components/integrations/DiscordIntegrationDetails.tsx
index 0eb6d7230..adb1b72bd 100644
--- a/src/components/integrations/DiscordIntegrationDetails.tsx
+++ b/src/components/integrations/DiscordIntegrationDetails.tsx
@@ -274,7 +274,17 @@ export function DiscordIntegrationDetails({
               </div>
 
               {/* Actions */}
+              <Alert>
+                <AlertDescription>
+                  Each team member who wants to use Kilo in Discord must link their own Discord
+                  account.
+                </AlertDescription>
+              </Alert>
+
               <div className="flex flex-wrap gap-3">
+                <Button variant="outline" onClick={handleInstall} disabled={!oauthUrlData?.url}>
+                  Link My Discord Account
+                </Button>
                 <Button
                   variant="outline"
                   onClick={handleTestConnection}
diff --git a/src/lib/discord-bot.ts b/src/lib/discord-bot.ts
index b16efaf7b..6668da361 100644
--- a/src/lib/discord-bot.ts
+++ b/src/lib/discord-bot.ts
@@ -25,9 +25,10 @@ import {
   getDiscordConversationContext,
   type DiscordEventContext,
 } from '@/lib/discord-bot/discord-channel-context';
-import { getDiscordBotAuthTokenForOwner } from '@/lib/discord/auth';
+import { getDiscordAuthTokenForRequester } from '@/lib/discord/auth';
 import { buildDiscordMessageLink } from '@/lib/discord-bot/discord-utils';
 import type { PlatformIntegration } from '@kilocode/db';
+import { APP_URL } from '@/lib/constants';
 
 // Version string for API requests
 const DISCORD_BOT_VERSION = '5.0.0';
@@ -42,9 +43,19 @@ export type DiscordBotMessageResult = {
   toolCallsMade: string[];
   cloudAgentSessionId?: string;
   error?: string;
+  linkDiscordAccountUrl?: string;
   installation: PlatformIntegration | null;
 };
 
+function buildDiscordAccountLinkUrl(owner: Owner): string {
+  const params = new URLSearchParams({
+    ownerType: owner.type,
+    ownerId: owner.id,
+  });
+
+  return `${APP_URL}/integrations/discord/link?${params.toString()}`;
+}
+
 const KILO_BOT_SYSTEM_PROMPT = `You are Kilo Bot, a helpful AI assistant integrated into Discord.
 
 ## Core behavior
@@ -258,8 +269,23 @@ export async function processDiscordBotMessage(
   }
   console.log('[DiscordBot] Using model:', selectedModel);
 
-  const authResult = await getDiscordBotAuthTokenForOwner(owner);
+  const authResult = await getDiscordAuthTokenForRequester(owner, {
+    metadata: installation.metadata,
+    discordUserId: discordEventContext?.userId,
+  });
   if ('error' in authResult) {
+    if (authResult.errorCode === 'unlinked_requester') {
+      return {
+        response:
+          'Link your Discord account to Kilo before using this integration. Click the button below to connect now.',
+        modelUsed: '',
+        toolCallsMade: [],
+        error: authResult.error,
+        linkDiscordAccountUrl: buildDiscordAccountLinkUrl(owner),
+        installation,
+      };
+    }
+
     return {
       response: `Error: ${authResult.error}`,
       modelUsed: '',
diff --git a/src/lib/discord/auth.test.ts b/src/lib/discord/auth.test.ts
new file mode 100644
index 000000000..259ccb3cc
--- /dev/null
+++ b/src/lib/discord/auth.test.ts
@@ -0,0 +1,136 @@
+import { beforeEach, describe, expect, test } from '@jest/globals';
+import { getDiscordAuthTokenForRequester } from '@/lib/discord/auth';
+import { addUserToOrganization, createOrganization } from '@/lib/organizations/organizations';
+import { db } from '@/lib/drizzle';
+import { insertTestUser } from '@/tests/helpers/user.helper';
+import { kilocode_users, organization_memberships, organizations } from '@kilocode/db/schema';
+
+describe('getDiscordAuthTokenForRequester', () => {
+  beforeEach(async () => {
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(organization_memberships);
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(organizations);
+    // eslint-disable-next-line drizzle/enforce-delete-with-where
+    await db.delete(kilocode_users);
+  });
+
+  test('returns member auth token for org-owned integration when Discord user is linked', async () => {
+    const owner = await insertTestUser();
+    const member = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+    await addUserToOrganization(organization.id, member.id, 'member');
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-member': member.id,
+          },
+        },
+        discordUserId: 'discord-member',
+      }
+    );
+
+    expect('error' in result).toBe(false);
+    if ('error' in result) {
+      return;
+    }
+
+    expect(result.userId).toBe(member.id);
+    expect(result.authToken.length).toBeGreaterThan(20);
+  });
+
+  test('rejects org request when linked Discord user is not an organization member', async () => {
+    const owner = await insertTestUser();
+    const outsider = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-outsider': outsider.id,
+          },
+        },
+        discordUserId: 'discord-outsider',
+      }
+    );
+
+    expect(result).toEqual({
+      error: 'This Discord user is not a member of the organization that owns this integration.',
+      errorCode: 'not_org_member',
+    });
+  });
+
+  test('rejects org request when Discord user has no link', async () => {
+    const owner = await insertTestUser();
+    const organization = await createOrganization('Discord Auth Test Org', owner.id);
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'org', id: organization.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-owner': owner.id,
+          },
+        },
+        discordUserId: 'discord-unknown',
+      }
+    );
+
+    expect(result).toEqual({
+      error:
+        'This Discord user is not linked to a Kilo member for this integration. Open Kilo integration settings and click "Link My Discord Account" using this Discord user.',
+      errorCode: 'unlinked_requester',
+    });
+  });
+
+  test('allows user-owned integration when requester maps to the owner', async () => {
+    const user = await insertTestUser();
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'user', id: user.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-owner': user.id,
+          },
+        },
+        discordUserId: 'discord-owner',
+      }
+    );
+
+    expect('error' in result).toBe(false);
+    if ('error' in result) {
+      return;
+    }
+
+    expect(result.userId).toBe(user.id);
+    expect(result.authToken.length).toBeGreaterThan(20);
+  });
+
+  test('rejects user-owned integration when requester maps to another user', async () => {
+    const owner = await insertTestUser();
+    const otherUser = await insertTestUser();
+
+    const result = await getDiscordAuthTokenForRequester(
+      { type: 'user', id: owner.id },
+      {
+        metadata: {
+          authorized_discord_users: {
+            'discord-other': otherUser.id,
+          },
+        },
+        discordUserId: 'discord-other',
+      }
+    );
+
+    expect(result).toEqual({
+      error: 'Only the owner of this user-level integration can use it.',
+      errorCode: 'not_user_owner',
+    });
+  });
+});
diff --git a/src/lib/discord/auth.ts b/src/lib/discord/auth.ts
index 2fca68fa2..c1f406798 100644
--- a/src/lib/discord/auth.ts
+++ b/src/lib/discord/auth.ts
@@ -1,36 +1,72 @@
 import 'server-only';
-import { ensureBotUserForOrg } from '@/lib/bot-users/bot-user-service';
 import { generateApiToken } from '@/lib/tokens';
 import { findUserById } from '@/lib/user';
 import type { Owner } from '@/lib/integrations/core/types';
+import { isOrganizationMember } from '@/lib/organizations/organizations';
+import { getAuthorizedKiloUserIdForDiscordUser } from '@/lib/discord/authorized-users';
+
+export type DiscordAuthErrorCode =
+  | 'missing_requester'
+  | 'unlinked_requester'
+  | 'not_org_member'
+  | 'not_user_owner'
+  | 'linked_user_missing';
+
+type DiscordAuthResult =
+  | { authToken: string; userId: string }
+  | { error: string; errorCode: DiscordAuthErrorCode };
 
 /**
- * Generate an auth token for the given owner (user or organization).
- * For Discord, we don't have a direct email mapping from Discord users to Kilo users,
- * so org-owned integrations always use a bot user for auth.
+ * Generate an auth token for a Discord requester tied to a Kilo user.
+ * We only authorize requesters that are explicitly linked through Discord OAuth.
  */
-export async function getDiscordBotAuthTokenForOwner(
-  owner: Owner
-): Promise<{ authToken: string; userId: string } | { error: string }> {
-  let authToken: string | undefined;
-  let userId: string | undefined;
+export async function getDiscordAuthTokenForRequester(
+  owner: Owner,
+  params: { metadata: unknown; discordUserId?: string | null }
+): Promise<DiscordAuthResult> {
+  if (!params.discordUserId) {
+    return {
+      error: 'Could not verify the Discord requester for this message.',
+      errorCode: 'missing_requester',
+    };
+  }
+
+  const linkedKiloUserId = getAuthorizedKiloUserIdForDiscordUser(
+    params.metadata,
+    params.discordUserId
+  );
+  if (!linkedKiloUserId) {
+    return {
+      error:
+        'This Discord user is not linked to a Kilo member for this integration. Open Kilo integration settings and click "Link My Discord Account" using this Discord user.',
+      errorCode: 'unlinked_requester',
+    };
+  }
 
   if (owner.type === 'org') {
-    // For organizations, use a dedicated bot user
-    const user = await ensureBotUserForOrg(owner.id, 'discord-bot');
-    authToken = generateApiToken(user, { botId: 'discord-bot', internalApiUse: true });
-    userId = user.id;
-  } else {
-    const user = await findUserById(owner.id);
-    if (user) {
-      authToken = generateApiToken(user, { internalApiUse: true });
-      userId = user.id;
+    const isMember = await isOrganizationMember(owner.id, linkedKiloUserId);
+    if (!isMember) {
+      return {
+        error: 'This Discord user is not a member of the organization that owns this integration.',
+        errorCode: 'not_org_member',
+      };
     }
+  } else if (linkedKiloUserId !== owner.id) {
+    return {
+      error: 'Only the owner of this user-level integration can use it.',
+      errorCode: 'not_user_owner',
+    };
   }
 
-  if (!authToken || !userId) {
-    return { error: `Discord bot user not found for ID: ${owner.id} and type: ${owner.type}` };
+  const user = await findUserById(linkedKiloUserId);
+  if (!user) {
+    return {
+      error: `Linked Kilo user not found for Discord user ${params.discordUserId}. Re-authorize the integration from Kilo.`,
+      errorCode: 'linked_user_missing',
+    };
   }
 
-  return { authToken, userId };
+  const authToken = generateApiToken(user, { internalApiUse: true });
+
+  return { authToken, userId: user.id };
 }
diff --git a/src/lib/discord/authorized-users.test.ts b/src/lib/discord/authorized-users.test.ts
new file mode 100644
index 000000000..0944fc7db
--- /dev/null
+++ b/src/lib/discord/authorized-users.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, test } from '@jest/globals';
+import {
+  getAuthorizedDiscordUsers,
+  getAuthorizedKiloUserIdForDiscordUser,
+  linkAuthorizedDiscordUser,
+} from '@/lib/discord/authorized-users';
+
+describe('authorized Discord users metadata', () => {
+  test('returns empty map for invalid metadata', () => {
+    expect(getAuthorizedDiscordUsers(null)).toEqual({});
+    expect(getAuthorizedDiscordUsers('invalid')).toEqual({});
+    expect(getAuthorizedDiscordUsers({ authorized_discord_users: 'invalid' })).toEqual({});
+  });
+
+  test('links a Discord user while preserving existing links', () => {
+    const metadata = {
+      authorized_discord_users: {
+        'discord-user-1': 'kilo-user-1',
+      },
+      model_slug: 'model-1',
+    };
+
+    const updatedMetadata = linkAuthorizedDiscordUser(metadata, {
+      discordUserId: 'discord-user-2',
+      kiloUserId: 'kilo-user-2',
+    });
+
+    expect(getAuthorizedDiscordUsers(updatedMetadata)).toEqual({
+      'discord-user-1': 'kilo-user-1',
+      'discord-user-2': 'kilo-user-2',
+    });
+  });
+
+  test('returns linked Kilo user id for a Discord user', () => {
+    const metadata = {
+      authorized_discord_users: {
+        'discord-user-1': 'kilo-user-1',
+      },
+    };
+
+    expect(getAuthorizedKiloUserIdForDiscordUser(metadata, 'discord-user-1')).toBe('kilo-user-1');
+    expect(getAuthorizedKiloUserIdForDiscordUser(metadata, 'discord-user-2')).toBeNull();
+  });
+});
diff --git a/src/lib/discord/authorized-users.ts b/src/lib/discord/authorized-users.ts
new file mode 100644
index 000000000..c80ae124d
--- /dev/null
+++ b/src/lib/discord/authorized-users.ts
@@ -0,0 +1,50 @@
+const AUTHORIZED_DISCORD_USERS_KEY = 'authorized_discord_users';
+
+type MetadataRecord = Record<string, unknown>;
+
+function isMetadataRecord(value: unknown): value is MetadataRecord {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
+export function getAuthorizedDiscordUsers(metadata: unknown): Record<string, string> {
+  if (!isMetadataRecord(metadata)) {
+    return {};
+  }
+
+  const value = metadata[AUTHORIZED_DISCORD_USERS_KEY];
+  if (!isMetadataRecord(value)) {
+    return {};
+  }
+
+  const authorizedUsers: Record<string, string> = {};
+  for (const [discordUserId, kiloUserId] of Object.entries(value)) {
+    if (typeof kiloUserId === 'string' && kiloUserId.length > 0) {
+      authorizedUsers[discordUserId] = kiloUserId;
+    }
+  }
+
+  return authorizedUsers;
+}
+
+export function linkAuthorizedDiscordUser(
+  metadata: unknown,
+  params: { discordUserId: string; kiloUserId: string }
+): Record<string, unknown> {
+  const nextMetadata = isMetadataRecord(metadata) ? { ...metadata } : {};
+  const existingAuthorizedUsers = getAuthorizedDiscordUsers(metadata);
+
+  nextMetadata[AUTHORIZED_DISCORD_USERS_KEY] = {
+    ...existingAuthorizedUsers,
+    [params.discordUserId]: params.kiloUserId,
+  };
+
+  return nextMetadata;
+}
+
+export function getAuthorizedKiloUserIdForDiscordUser(
+  metadata: unknown,
+  discordUserId: string
+): string | null {
+  const authorizedUsers = getAuthorizedDiscordUsers(metadata);
+  return authorizedUsers[discordUserId] || null;
+}
diff --git a/src/lib/integrations/discord-service.ts b/src/lib/integrations/discord-service.ts
index d0909d2a5..b1c2a0a90 100644
--- a/src/lib/integrations/discord-service.ts
+++ b/src/lib/integrations/discord-service.ts
@@ -13,16 +13,18 @@ import { getDefaultAllowedModel } from '@/lib/slack-bot/model-allow-list';
 import { createProviderAwareModelAllowPredicate } from '@/lib/model-allow.server';
 import { minimax_m25_free_model } from '@/lib/providers/minimax';
 import { CLAUDE_OPUS_CURRENT_MODEL_ID } from '@/lib/providers/anthropic';
+import { linkAuthorizedDiscordUser } from '@/lib/discord/authorized-users';
 
 // Default model for Discord integrations - mirrors the Slack default
 const DISCORD_DEFAULT_MODEL = minimax_m25_free_model.is_enabled
   ? minimax_m25_free_model.public_id
   : CLAUDE_OPUS_CURRENT_MODEL_ID;
 
-// Discord OAuth2 scopes for the bot integration
-// 'bot' scope is needed for the bot to join servers
-// 'guilds' scope allows reading basic guild info
-const DISCORD_SCOPES = ['bot', 'guilds', 'applications.commands'];
+// Discord OAuth2 scopes for installing/updating the bot integration
+const DISCORD_INSTALL_SCOPES = ['bot', 'guilds', 'identify', 'applications.commands'];
+
+// Discord OAuth2 scopes for linking an individual Discord user to an existing integration
+const DISCORD_USER_LINK_SCOPES = ['identify'];
 
 // Discord bot permissions (bitfield)
 // Includes: Send Messages, Read Message History, Add Reactions, Use Slash Commands, Embed Links, Attach Files
@@ -46,6 +48,21 @@ export type DiscordOAuth2Response = {
   };
 };
 
+type DiscordOAuthUser = {
+  id: string;
+};
+
+function isDiscordOAuthUser(value: unknown): value is DiscordOAuthUser {
+  return (
+    typeof value === 'object' &&
+    value !== null &&
+    !Array.isArray(value) &&
+    'id' in value &&
+    typeof value.id === 'string' &&
+    value.id.length > 0
+  );
+}
+
 function getOwnershipConditions(owner: Owner) {
   return owner.type === 'user'
     ? [
@@ -69,7 +86,27 @@ export function getDiscordOAuthUrl(state: string): string {
   const params = new URLSearchParams({
     client_id: DISCORD_CLIENT_ID,
     permissions: DISCORD_BOT_PERMISSIONS,
-    scope: DISCORD_SCOPES.join(' '),
+    scope: DISCORD_INSTALL_SCOPES.join(' '),
+    redirect_uri: DISCORD_REDIRECT_URI,
+    response_type: 'code',
+    state,
+  });
+
+  return `https://discord.com/oauth2/authorize?${params.toString()}`;
+}
+
+/**
+ * Get Discord OAuth URL for linking an individual Discord user.
+ * This flow does not require server admin permissions.
+ */
+export function getDiscordUserLinkOAuthUrl(state: string): string {
+  if (!DISCORD_CLIENT_ID) {
+    throw new Error('DISCORD_CLIENT_ID is not configured');
+  }
+
+  const params = new URLSearchParams({
+    client_id: DISCORD_CLIENT_ID,
+    scope: DISCORD_USER_LINK_SCOPES.join(' '),
     redirect_uri: DISCORD_REDIRECT_URI,
     response_type: 'code',
     state,
@@ -114,6 +151,29 @@ export async function exchangeDiscordCode(code: string): Promise<DiscordOAuth2Re
   return data;
 }
 
+/**
+ * Fetch the Discord user ID associated with an OAuth access token.
+ */
+export async function getDiscordOAuthUserId(accessToken: string): Promise<string> {
+  const response = await fetch('https://discord.com/api/v10/users/@me', {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`Discord OAuth user lookup error: ${errorText}`);
+  }
+
+  const userData: unknown = await response.json();
+  if (!isDiscordOAuthUser(userData)) {
+    throw new Error('Discord OAuth user lookup error: No user ID in response');
+  }
+
+  return userData.id;
+}
+
 /**
  * Get Discord installation for an owner
  */
@@ -168,7 +228,8 @@ export function getOwnerFromInstallation(integration: PlatformIntegration): Owne
  */
 export async function upsertDiscordInstallation(
   owner: Owner,
-  oauthResponse: DiscordOAuth2Response
+  oauthResponse: DiscordOAuth2Response,
+  authorizedRequester: { kiloUserId: string; discordUserId: string }
 ): Promise<PlatformIntegration> {
   if (!oauthResponse.guild?.id) {
     throw new Error(
@@ -188,16 +249,15 @@ export async function upsertDiscordInstallation(
 
   if (existing) {
     // Preserve existing model_slug when re-authorizing
-    const existingMetadata = existing.metadata || {};
-    const updatedMetadata = {
-      ...existingMetadata,
-      guild_icon: oauthResponse.guild.icon,
-    };
+    const updatedMetadata = linkAuthorizedDiscordUser(existing.metadata, authorizedRequester);
+    updatedMetadata.guild_icon = oauthResponse.guild.icon;
 
     const [updated] = await db
       .update(platform_integrations)
       .set({
         platform_account_id: guildId,
+        platform_requester_account_id: authorizedRequester.discordUserId,
+        kilo_requester_user_id: authorizedRequester.kiloUserId,
         platform_account_login: guildName,
         scopes,
         integration_status: INTEGRATION_STATUS.ACTIVE,
@@ -222,19 +282,24 @@ export async function upsertDiscordInstallation(
     model_slug: defaultModel,
   };
 
+  const linkedMetadata = linkAuthorizedDiscordUser(metadata, authorizedRequester);
+
   const [created] = await db
     .insert(platform_integrations)
     .values({
       owned_by_user_id: owner.type === 'user' ? owner.id : null,
       owned_by_organization_id: owner.type === 'org' ? owner.id : null,
+      created_by_user_id: authorizedRequester.kiloUserId,
       platform: PLATFORM.DISCORD,
       integration_type: 'oauth',
       platform_installation_id: guildId,
+      platform_requester_account_id: authorizedRequester.discordUserId,
+      kilo_requester_user_id: authorizedRequester.kiloUserId,
       platform_account_id: guildId,
       platform_account_login: guildName,
       scopes,
       integration_status: INTEGRATION_STATUS.ACTIVE,
-      metadata,
+      metadata: linkedMetadata,
       installed_at: new Date().toISOString(),
     })
     .returning();
@@ -242,6 +307,34 @@ export async function upsertDiscordInstallation(
   return created;
 }
 
+/**
+ * Link a Discord requester to an existing installation owner.
+ */
+export async function linkDiscordRequesterToOwner(
+  owner: Owner,
+  authorizedRequester: { kiloUserId: string; discordUserId: string }
+): Promise<PlatformIntegration | null> {
+  const existing = await getInstallation(owner);
+  if (!existing) {
+    return null;
+  }
+
+  const updatedMetadata = linkAuthorizedDiscordUser(existing.metadata, authorizedRequester);
+
+  const [updated] = await db
+    .update(platform_integrations)
+    .set({
+      platform_requester_account_id: authorizedRequester.discordUserId,
+      kilo_requester_user_id: authorizedRequester.kiloUserId,
+      metadata: updatedMetadata,
+      updated_at: new Date().toISOString(),
+    })
+    .where(eq(platform_integrations.id, existing.id))
+    .returning();
+
+  return updated || null;
+}
+
 /**
  * Uninstall Discord integration for an owner
  */
@@ -399,7 +492,10 @@ export async function updateModel(
 export async function postDiscordMessage(
   channelId: string,
   content: string,
-  options?: { messageReference?: { message_id: string } }
+  options?: {
+    messageReference?: { message_id: string };
+    linkButton?: { label: string; url: string };
+  }
 ): Promise<{ ok: boolean; messageId?: string; error?: string }> {
   if (!DISCORD_BOT_TOKEN) {
     return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
@@ -410,6 +506,21 @@ export async function postDiscordMessage(
     if (options?.messageReference) {
       body.message_reference = options.messageReference;
     }
+    if (options?.linkButton) {
+      body.components = [
+        {
+          type: 1,
+          components: [
+            {
+              type: 2,
+              style: 5,
+              label: options.linkButton.label,
+              url: options.linkButton.url,
+            },
+          ],
+        },
+      ];
+    }
 
     const response = await fetch(`https://discord.com/api/v10/channels/${channelId}/messages`, {
       method: 'POST',
diff --git a/src/routers/discord-router.ts b/src/routers/discord-router.ts
index 2259a3e0d..bcabe78df 100644
--- a/src/routers/discord-router.ts
+++ b/src/routers/discord-router.ts
@@ -48,10 +48,21 @@ export const discordRouter = createTRPCRouter({
     if (input?.organizationId) {
       await ensureOrganizationAccess(ctx, input.organizationId);
     }
+
+    const owner = resolveOwner(ctx, input?.organizationId);
+    const installation = await discordService.getInstallation(owner);
+
     const statePrefix = input?.organizationId
       ? `org_${input.organizationId}`
       : `user_${ctx.user.id}`;
     const state = createOAuthState(statePrefix, ctx.user.id);
+
+    if (installation?.integration_status === 'active') {
+      return {
+        url: discordService.getDiscordUserLinkOAuthUrl(state),
+      };
+    }
+
     return {
       url: discordService.getDiscordOAuthUrl(state),
     };

From bfc88c424e0e993f8f162d451911fceb85a1cd2f Mon Sep 17 00:00:00 2001
From: Remon Oldenbeuving <remon@kilocode.ai>
Date: Mon, 2 Mar 2026 15:44:26 +0100
Subject: [PATCH 2/4] Add dedicated Discord link success page

Redirect Discord link OAuth completions to a standalone confirmation screen with a prominent success state, so users can close the tab after linking without returning to settings.
---
 .../integrations/discord/callback/route.ts    | 10 ++++-----
 .../discord/link/success/page.tsx             | 22 +++++++++++++++++++
 2 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100644 src/app/integrations/discord/link/success/page.tsx

diff --git a/src/app/api/integrations/discord/callback/route.ts b/src/app/api/integrations/discord/callback/route.ts
index 2265de799..b765987dd 100644
--- a/src/app/api/integrations/discord/callback/route.ts
+++ b/src/app/api/integrations/discord/callback/route.ts
@@ -152,11 +152,11 @@ export async function GET(request: NextRequest) {
     }
 
     // 9. Redirect to success page
-    const successQuery = isInstallFlow ? 'success=installed' : 'success=linked_user';
-    const successPath =
-      owner.type === 'org'
-        ? `/organizations/${owner.id}/integrations/discord?${successQuery}`
-        : `/integrations/discord?${successQuery}`;
+    const successPath = isInstallFlow
+      ? owner.type === 'org'
+        ? `/organizations/${owner.id}/integrations/discord?success=installed`
+        : '/integrations/discord?success=installed'
+      : '/integrations/discord/link/success';
 
     return NextResponse.redirect(new URL(successPath, APP_URL));
   } catch (error) {
diff --git a/src/app/integrations/discord/link/success/page.tsx b/src/app/integrations/discord/link/success/page.tsx
new file mode 100644
index 000000000..270c42799
--- /dev/null
+++ b/src/app/integrations/discord/link/success/page.tsx
@@ -0,0 +1,22 @@
+import { KiloCardLayout } from '@/components/KiloCardLayout';
+import { CheckCircle2 } from 'lucide-react';
+import { getUserFromAuthOrRedirect } from '@/lib/user.server';
+
+export default async function DiscordLinkSuccessPage() {
+  await getUserFromAuthOrRedirect('/users/sign_in?callbackPath=/integrations/discord/link/success');
+
+  return (
+    <KiloCardLayout
+      className="max-w-xl"
+      contentClassName="flex flex-col items-center gap-6 py-12 text-center"
+    >
+      <CheckCircle2 className="h-20 w-20 text-green-600" />
+      <div className="space-y-2">
+        <h1 className="text-3xl font-semibold tracking-tight">Discord account linked</h1>
+        <p className="text-muted-foreground text-lg">
+          Your account is now linked to Kilo. You can close this tab and return to Discord.
+        </p>
+      </div>
+    </KiloCardLayout>
+  );
+}

From f714a303a190c14503ef30344e2b0432cc5b7483 Mon Sep 17 00:00:00 2001
From: Remon Oldenbeuving <remon@kilocode.ai>
Date: Mon, 2 Mar 2026 16:19:59 +0100
Subject: [PATCH 3/4] Replay Discord message after account linking

Carry signed Discord message context through the link OAuth state and replay the original mention after the user links their account. This keeps the user flow seamless while preserving ownership and author validation checks.
---
 .../(app)/integrations/discord/link/route.ts  |  57 ++++++-
 .../integrations/discord/callback/route.ts    | 157 +++++++++++++++++-
 src/lib/discord-bot.ts                        |  10 +-
 src/lib/integrations/discord-service.ts       | 111 +++++++++++++
 src/lib/integrations/oauth-state.ts           |  53 +++++-
 5 files changed, 372 insertions(+), 16 deletions(-)

diff --git a/src/app/(app)/integrations/discord/link/route.ts b/src/app/(app)/integrations/discord/link/route.ts
index bcbe6e56d..a6a4e0a63 100644
--- a/src/app/(app)/integrations/discord/link/route.ts
+++ b/src/app/(app)/integrations/discord/link/route.ts
@@ -3,15 +3,39 @@ import { NextResponse } from 'next/server';
 import * as z from 'zod';
 import { APP_URL } from '@/lib/constants';
 import { getUserFromAuth } from '@/lib/user.server';
-import { createOAuthState } from '@/lib/integrations/oauth-state';
+import { createOAuthState, type OAuthStateContext } from '@/lib/integrations/oauth-state';
 import { getDiscordUserLinkOAuthUrl, getInstallation } from '@/lib/integrations/discord-service';
 import { isOrganizationMember } from '@/lib/organizations/organizations';
 import type { Owner } from '@/lib/integrations/core/types';
 
-const LinkRequestSchema = z.discriminatedUnion('ownerType', [
-  z.object({ ownerType: z.literal('org'), ownerId: z.uuid() }),
-  z.object({ ownerType: z.literal('user'), ownerId: z.string().min(1) }),
-]);
+const DISCORD_SNOWFLAKE_REGEX = /^\d+$/;
+
+const LinkRequestSchema = z
+  .discriminatedUnion('ownerType', [
+    z.object({
+      ownerType: z.literal('org'),
+      ownerId: z.uuid(),
+      guildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      channelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      messageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+    }),
+    z.object({
+      ownerType: z.literal('user'),
+      ownerId: z.string().min(1),
+      guildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      channelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+      messageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX).optional(),
+    }),
+  ])
+  .superRefine((value, ctx) => {
+    const presentCount = [value.guildId, value.channelId, value.messageId].filter(Boolean).length;
+    if (presentCount > 0 && presentCount < 3) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'guildId, channelId, and messageId must be provided together',
+      });
+    }
+  });
 
 function buildIntegrationPath(owner: Owner, queryParam?: string): string {
   const basePath =
@@ -30,6 +54,9 @@ export async function GET(request: NextRequest) {
   const parsed = LinkRequestSchema.safeParse({
     ownerType: request.nextUrl.searchParams.get('ownerType'),
     ownerId: request.nextUrl.searchParams.get('ownerId'),
+    guildId: request.nextUrl.searchParams.get('guildId') ?? undefined,
+    channelId: request.nextUrl.searchParams.get('channelId') ?? undefined,
+    messageId: request.nextUrl.searchParams.get('messageId') ?? undefined,
   });
 
   if (!parsed.success) {
@@ -69,7 +96,25 @@ export async function GET(request: NextRequest) {
     );
   }
 
+  const replayContext: OAuthStateContext | undefined =
+    parsed.data.guildId && parsed.data.channelId && parsed.data.messageId
+      ? {
+          discordReplayGuildId: parsed.data.guildId,
+          discordReplayChannelId: parsed.data.channelId,
+          discordReplayMessageId: parsed.data.messageId,
+        }
+      : undefined;
+
+  if (
+    replayContext?.discordReplayGuildId &&
+    installation.platform_installation_id !== replayContext.discordReplayGuildId
+  ) {
+    return NextResponse.redirect(
+      new URL(buildIntegrationPath(owner, 'error=invalid_link'), APP_URL)
+    );
+  }
+
   const statePrefix = owner.type === 'org' ? `org_${owner.id}` : `user_${owner.id}`;
-  const state = createOAuthState(statePrefix, authResult.user.id);
+  const state = createOAuthState(statePrefix, authResult.user.id, replayContext);
   return NextResponse.redirect(getDiscordUserLinkOAuthUrl(state));
 }
diff --git a/src/app/api/integrations/discord/callback/route.ts b/src/app/api/integrations/discord/callback/route.ts
index b765987dd..7a5ee4ac6 100644
--- a/src/app/api/integrations/discord/callback/route.ts
+++ b/src/app/api/integrations/discord/callback/route.ts
@@ -1,17 +1,154 @@
 import type { NextRequest } from 'next/server';
-import { NextResponse } from 'next/server';
+import { after, NextResponse } from 'next/server';
 import { getUserFromAuth } from '@/lib/user.server';
 import { ensureOrganizationAccess } from '@/routers/organizations/utils';
 import type { Owner } from '@/lib/integrations/core/types';
 import { captureException, captureMessage } from '@sentry/nextjs';
 import {
   exchangeDiscordCode,
+  getDiscordBotUserId,
+  getDiscordChannelMessage,
   getDiscordOAuthUserId,
   linkDiscordRequesterToOwner,
+  postDiscordMessage,
   upsertDiscordInstallation,
 } from '@/lib/integrations/discord-service';
 import { verifyOAuthState } from '@/lib/integrations/oauth-state';
 import { APP_URL } from '@/lib/constants';
+import { processDiscordBotMessage } from '@/lib/discord-bot';
+import { getDevUserSuffix } from '@/lib/slack-bot/dev-user-info';
+import {
+  isDiscordBotMessage,
+  replaceDiscordUserMentionsWithNames,
+  stripDiscordBotMention,
+  truncateForDiscord,
+} from '@/lib/discord-bot/discord-utils';
+import { z } from 'zod';
+
+const DISCORD_SNOWFLAKE_REGEX = /^\d+$/;
+
+const DiscordReplayContextSchema = z.object({
+  discordReplayGuildId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+  discordReplayChannelId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+  discordReplayMessageId: z.string().regex(DISCORD_SNOWFLAKE_REGEX),
+});
+
+type DiscordReplayContext = {
+  guildId: string;
+  channelId: string;
+  messageId: string;
+};
+
+function getDiscordReplayContext(
+  value: Record<string, string> | undefined
+): DiscordReplayContext | null {
+  if (!value) {
+    return null;
+  }
+
+  const parsed = DiscordReplayContextSchema.safeParse(value);
+  if (!parsed.success) {
+    return null;
+  }
+
+  return {
+    guildId: parsed.data.discordReplayGuildId,
+    channelId: parsed.data.discordReplayChannelId,
+    messageId: parsed.data.discordReplayMessageId,
+  };
+}
+
+async function replayLinkedDiscordMessage(
+  replayContext: DiscordReplayContext,
+  linkedDiscordUserId: string
+): Promise<void> {
+  const messageResult = await getDiscordChannelMessage(
+    replayContext.channelId,
+    replayContext.messageId
+  );
+  if (!messageResult.ok) {
+    captureMessage('Discord replay failed to fetch original message', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: messageResult.error },
+    });
+    return;
+  }
+
+  const message = messageResult.message;
+  if (message.author.id !== linkedDiscordUserId) {
+    captureMessage('Discord replay skipped due to author mismatch', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: {
+        replayContext,
+        expectedDiscordUserId: linkedDiscordUserId,
+        messageAuthorId: message.author.id,
+      },
+    });
+    return;
+  }
+
+  if (isDiscordBotMessage({ author: { bot: message.author.bot } })) {
+    return;
+  }
+
+  const botUserResult = await getDiscordBotUserId();
+  if (!botUserResult.ok) {
+    captureMessage('Discord replay failed to resolve bot user', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: botUserResult.error },
+    });
+    return;
+  }
+
+  const botUserId = botUserResult.userId;
+  const mentionsBot = message.mentions.some(mention => mention.id === botUserId);
+  if (!mentionsBot) {
+    captureMessage('Discord replay skipped because message no longer mentions bot', {
+      level: 'info',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, botUserId },
+    });
+    return;
+  }
+
+  const cleanedText = stripDiscordBotMention(message.content, botUserId);
+  if (!cleanedText) {
+    return;
+  }
+
+  const resolvedText = await replaceDiscordUserMentionsWithNames(
+    cleanedText,
+    replayContext.guildId
+  );
+  const result = await processDiscordBotMessage(resolvedText, replayContext.guildId, {
+    channelId: replayContext.channelId,
+    guildId: replayContext.guildId,
+    userId: linkedDiscordUserId,
+    messageId: replayContext.messageId,
+  });
+
+  const responseText = truncateForDiscord(result.response + getDevUserSuffix());
+  const postResult = await postDiscordMessage(replayContext.channelId, responseText, {
+    messageReference: { message_id: replayContext.messageId },
+    linkButton: result.linkDiscordAccountUrl
+      ? {
+          label: 'Link My Discord Account',
+          url: result.linkDiscordAccountUrl,
+        }
+      : undefined,
+  });
+
+  if (!postResult.ok) {
+    captureMessage('Discord replay failed to post response', {
+      level: 'warning',
+      tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+      extra: { replayContext, error: postResult.error },
+    });
+  }
+}
 
 const buildDiscordRedirectPath = (state: string | null, queryParam: string): string => {
   // Try to extract the owner from a signed state for best-effort redirects on error paths.
@@ -94,6 +231,8 @@ export async function GET(request: NextRequest) {
       return NextResponse.redirect(new URL('/integrations?error=unauthorized', APP_URL));
     }
 
+    const replayContext = getDiscordReplayContext(verified.context);
+
     // 5. Parse owner from verified state payload
     let owner: Owner;
     const ownerStr = verified.owner;
@@ -149,6 +288,22 @@ export async function GET(request: NextRequest) {
           new URL(buildDiscordRedirectPath(state, 'error=installation_missing'), APP_URL)
         );
       }
+
+      if (replayContext && replayContext.guildId === linked.platform_installation_id) {
+        after(async () => {
+          await replayLinkedDiscordMessage(replayContext, discordUserId);
+        });
+      } else if (replayContext) {
+        captureMessage('Discord replay context guild mismatch; replay skipped', {
+          level: 'warning',
+          tags: { endpoint: 'discord/callback', source: 'discord_replay' },
+          extra: {
+            replayContext,
+            linkedInstallationGuildId: linked.platform_installation_id,
+            owner,
+          },
+        });
+      }
     }
 
     // 9. Redirect to success page
diff --git a/src/lib/discord-bot.ts b/src/lib/discord-bot.ts
index 6668da361..8d06f5a07 100644
--- a/src/lib/discord-bot.ts
+++ b/src/lib/discord-bot.ts
@@ -47,12 +47,18 @@ export type DiscordBotMessageResult = {
   installation: PlatformIntegration | null;
 };
 
-function buildDiscordAccountLinkUrl(owner: Owner): string {
+function buildDiscordAccountLinkUrl(owner: Owner, eventContext?: DiscordEventContext): string {
   const params = new URLSearchParams({
     ownerType: owner.type,
     ownerId: owner.id,
   });
 
+  if (eventContext) {
+    params.set('guildId', eventContext.guildId);
+    params.set('channelId', eventContext.channelId);
+    params.set('messageId', eventContext.messageId);
+  }
+
   return `${APP_URL}/integrations/discord/link?${params.toString()}`;
 }
 
@@ -281,7 +287,7 @@ export async function processDiscordBotMessage(
         modelUsed: '',
         toolCallsMade: [],
         error: authResult.error,
-        linkDiscordAccountUrl: buildDiscordAccountLinkUrl(owner),
+        linkDiscordAccountUrl: buildDiscordAccountLinkUrl(owner, discordEventContext),
         installation,
       };
     }
diff --git a/src/lib/integrations/discord-service.ts b/src/lib/integrations/discord-service.ts
index b1c2a0a90..a58320b6d 100644
--- a/src/lib/integrations/discord-service.ts
+++ b/src/lib/integrations/discord-service.ts
@@ -486,6 +486,117 @@ export async function updateModel(
   return { success: true };
 }
 
+export type DiscordChannelMessage = {
+  id: string;
+  content: string;
+  channelId: string;
+  author: {
+    id: string;
+    username: string;
+    bot?: boolean;
+  };
+  mentions: Array<{ id: string }>;
+};
+
+/**
+ * Fetch a Discord channel message using the bot token.
+ */
+export async function getDiscordChannelMessage(
+  channelId: string,
+  messageId: string
+): Promise<{ ok: true; message: DiscordChannelMessage } | { ok: false; error: string }> {
+  if (!DISCORD_BOT_TOKEN) {
+    return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
+  }
+
+  try {
+    const response = await fetch(
+      `https://discord.com/api/v10/channels/${channelId}/messages/${messageId}`,
+      {
+        headers: { Authorization: `Bot ${DISCORD_BOT_TOKEN}` },
+      }
+    );
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      return { ok: false, error: `Discord API ${response.status}: ${errorText}` };
+    }
+
+    const rawMessage = (await response.json()) as {
+      id?: string;
+      content?: string;
+      channel_id?: string;
+      author?: { id?: string; username?: string; bot?: boolean };
+      mentions?: Array<{ id?: string }>;
+    };
+
+    if (
+      typeof rawMessage.id !== 'string' ||
+      typeof rawMessage.content !== 'string' ||
+      typeof rawMessage.channel_id !== 'string' ||
+      typeof rawMessage.author?.id !== 'string' ||
+      typeof rawMessage.author?.username !== 'string'
+    ) {
+      return { ok: false, error: 'Discord API returned malformed message payload' };
+    }
+
+    const mentions = (rawMessage.mentions || [])
+      .map(mention => mention.id)
+      .filter((id): id is string => typeof id === 'string')
+      .map(id => ({ id }));
+
+    return {
+      ok: true,
+      message: {
+        id: rawMessage.id,
+        content: rawMessage.content,
+        channelId: rawMessage.channel_id,
+        author: {
+          id: rawMessage.author.id,
+          username: rawMessage.author.username,
+          bot: rawMessage.author.bot,
+        },
+        mentions,
+      },
+    };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+    return { ok: false, error: errorMessage };
+  }
+}
+
+/**
+ * Fetch the bot user ID for mention checks.
+ */
+export async function getDiscordBotUserId(): Promise<
+  { ok: true; userId: string } | { ok: false; error: string }
+> {
+  if (!DISCORD_BOT_TOKEN) {
+    return { ok: false, error: 'DISCORD_BOT_TOKEN is not configured' };
+  }
+
+  try {
+    const response = await fetch('https://discord.com/api/v10/users/@me', {
+      headers: { Authorization: `Bot ${DISCORD_BOT_TOKEN}` },
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      return { ok: false, error: `Discord API ${response.status}: ${errorText}` };
+    }
+
+    const user = (await response.json()) as { id?: string };
+    if (typeof user.id !== 'string' || user.id.length === 0) {
+      return { ok: false, error: 'Discord API returned malformed bot user payload' };
+    }
+
+    return { ok: true, userId: user.id };
+  } catch (error) {
+    const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+    return { ok: false, error: errorMessage };
+  }
+}
+
 /**
  * Post a message to a Discord channel using the Bot Token.
  */
diff --git a/src/lib/integrations/oauth-state.ts b/src/lib/integrations/oauth-state.ts
index 1d30f2c39..f980b168e 100644
--- a/src/lib/integrations/oauth-state.ts
+++ b/src/lib/integrations/oauth-state.ts
@@ -12,11 +12,12 @@ import { NEXTAUTH_SECRET } from '@/lib/config.server';
  *
  * This module produces a state value of the form:
  *
- *   base64url({ owner, uid, iat, nonce }) . HMAC-SHA256(payload, secret)
+ *   base64url({ owner, uid, iat, nonce, context? }) . HMAC-SHA256(payload, secret)
  *
  * where `owner` is the original owner string, `uid` is the ID of the
  * authenticated user who started the flow, `iat` is the issued-at timestamp
- * (seconds since epoch), and `nonce` is random bytes to ensure uniqueness.
+ * (seconds since epoch), `nonce` is random bytes to ensure uniqueness, and
+ * optional `context` carries signed flow metadata.
  *
  * On the callback we:
  *
@@ -40,18 +41,50 @@ function sign(data: string): string {
   return crypto.createHmac(HMAC_ALGORITHM, NEXTAUTH_SECRET).update(data).digest('base64url');
 }
 
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
+function getValidOAuthStateContext(value: unknown): OAuthStateContext | null | undefined {
+  if (value === undefined) {
+    return undefined;
+  }
+  if (!isRecord(value)) {
+    return null;
+  }
+
+  const context: OAuthStateContext = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (typeof entry !== 'string') {
+      return null;
+    }
+    context[key] = entry;
+  }
+
+  return context;
+}
+
+export type OAuthStateContext = Record<string, string>;
+
 /**
  * Build a signed OAuth state parameter.
  *
  * @param owner  – owner string, e.g. `user_abc123` or `org_xyz789`
  * @param userId – the ID of the currently-authenticated user initiating the flow
+ * @param context – optional signed metadata carried through the callback
  */
-export function createOAuthState(owner: string, userId: string): string {
+export function createOAuthState(
+  owner: string,
+  userId: string,
+  context?: OAuthStateContext
+): string {
   const iat = Math.floor(Date.now() / 1000);
   const nonce = crypto.randomBytes(NONCE_BYTES).toString('base64url');
-  const payload = Buffer.from(JSON.stringify({ owner, uid: userId, iat, nonce })).toString(
-    'base64url'
-  );
+
+  const data = context
+    ? { owner, uid: userId, iat, nonce, context }
+    : { owner, uid: userId, iat, nonce };
+  const payload = Buffer.from(JSON.stringify(data)).toString('base64url');
   const signature = sign(payload);
   return `${payload}.${signature}`;
 }
@@ -61,6 +94,8 @@ export type VerifiedOAuthState = {
   owner: string;
   /** The user ID that initiated the OAuth flow */
   userId: string;
+  /** Optional signed metadata from flow initiation */
+  context?: OAuthStateContext;
 };
 
 /**
@@ -93,6 +128,7 @@ export function verifyOAuthState(state: string | null): VerifiedOAuthState | nul
       uid?: string;
       iat?: number;
       nonce?: string;
+      context?: unknown;
     };
     if (typeof data.owner !== 'string' || typeof data.uid !== 'string') return null;
 
@@ -104,7 +140,10 @@ export function verifyOAuthState(state: string | null): VerifiedOAuthState | nul
     // Require nonce to be present (guards against old-format tokens)
     if (typeof data.nonce !== 'string' || data.nonce.length === 0) return null;
 
-    return { owner: data.owner, userId: data.uid };
+    const context = getValidOAuthStateContext(data.context);
+    if (context === null) return null;
+
+    return { owner: data.owner, userId: data.uid, context };
   } catch {
     return null;
   }

From 36b954a5135eb48c2681a70df819dd2fd6da7e32 Mon Sep 17 00:00:00 2001
From: Remon Oldenbeuving <remon@kilocode.ai>
Date: Tue, 3 Mar 2026 15:26:28 +0100
Subject: [PATCH 4/4] Remove obsolete Discord link success flag checks

The link flow now ends on a dedicated success page, so integration pages only need to treat install callbacks as success states.
---
 src/app/(app)/integrations/discord/page.tsx                  | 5 +----
 .../(app)/organizations/[id]/integrations/discord/page.tsx   | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/app/(app)/integrations/discord/page.tsx b/src/app/(app)/integrations/discord/page.tsx
index 31f133970..8a2e204ef 100644
--- a/src/app/(app)/integrations/discord/page.tsx
+++ b/src/app/(app)/integrations/discord/page.tsx
@@ -43,10 +43,7 @@ export default async function UserDiscordIntegrationPage({
           </Card>
         }
       >
-        <DiscordIntegrationDetails
-          success={search.success === 'installed' || search.success === 'linked_user'}
-          error={search.error}
-        />
+        <DiscordIntegrationDetails success={search.success === 'installed'} error={search.error} />
       </Suspense>
     </PageLayout>
   );
diff --git a/src/app/(app)/organizations/[id]/integrations/discord/page.tsx b/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
index be834c9cc..09ab72889 100644
--- a/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
+++ b/src/app/(app)/organizations/[id]/integrations/discord/page.tsx
@@ -52,7 +52,7 @@ export default async function OrgDiscordIntegrationPage({
           >
             <DiscordIntegrationDetails
               organizationId={organization.id}
-              success={search.success === 'installed' || search.success === 'linked_user'}
+              success={search.success === 'installed'}
               error={search.error}
             />
           </Suspense>