ScalarCmdV3 path does not reject commands targeting disabled output types

[qdot]

Description

Commit 839cbe3 added an is_disabled() guard to TryFromDeviceAttributes<OutputCmdV4> in checked_output_cmd.rs, correctly rejecting commands that target user-disabled output types. However, the ScalarCmdV3 path in checked_output_vec_cmd.rs was not covered by this fix.

The v3 scalar path calls feature.feature().output() / get_output() which returns output properties for disabled outputs (they are still present in ServerDeviceFeature). No is_disabled() check is performed, so a client using the v3 protocol can send commands to output types that the user has explicitly disabled in their device config.

Files

• crates/buttplug_server/src/message/v4/checked_output_cmd.rs — has the guard (line ~124)
• crates/buttplug_server/src/message/v4/checked_output_vec_cmd.rs — missing the guard

Expected behavior

ScalarCmdV3 commands targeting a disabled output type should be rejected with a MessageNotSupported error, matching the OutputCmdV4 behavior.

Context

Related fix: 839cbe3 ("Reject server-side commands targeting disabled output types")