fix(config): fail closed allowlist-only group policy

Co-authored-by: etereo <etereo@users.noreply.github.com>
2026-05-10 00:53:28 +00:00 · 2026-02-22 20:30:04 +01:00
parent 371a7da9c8
commit 0932adf361
3 changed files with 125 additions and 2 deletions
--- a/src/config/group-policy.test.ts
+++ b/src/config/group-policy.test.ts
@@ -0,0 +1,92 @@
+import { describe, expect, it } from "vitest";
+import type { OpenClawConfig } from "./config.js";
+import { resolveChannelGroupPolicy } from "./group-policy.js";
+
+describe("resolveChannelGroupPolicy", () => {
+  it("fails closed when groupPolicy=allowlist and groups are missing", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "allowlist",
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      groupId: "123@g.us",
+    });
+
+    expect(policy.allowlistEnabled).toBe(true);
+    expect(policy.allowed).toBe(false);
+  });
+
+  it("allows configured groups when groupPolicy=allowlist", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "allowlist",
+          groups: {
+            "123@g.us": { requireMention: true },
+          },
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      groupId: "123@g.us",
+    });
+
+    expect(policy.allowlistEnabled).toBe(true);
+    expect(policy.allowed).toBe(true);
+  });
+
+  it("blocks all groups when groupPolicy=disabled", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "disabled",
+          groups: {
+            "*": { requireMention: false },
+          },
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      groupId: "123@g.us",
+    });
+
+    expect(policy.allowed).toBe(false);
+  });
+
+  it("respects account-scoped groupPolicy overrides", () => {
+    const cfg = {
+      channels: {
+        whatsapp: {
+          groupPolicy: "open",
+          accounts: {
+            work: {
+              groupPolicy: "allowlist",
+            },
+          },
+        },
+      },
+    } as OpenClawConfig;
+
+    const policy = resolveChannelGroupPolicy({
+      cfg,
+      channel: "whatsapp",
+      accountId: "work",
+      groupId: "123@g.us",
+    });
+
+    expect(policy.allowlistEnabled).toBe(true);
+    expect(policy.allowed).toBe(false);
+  });
+});