refactor: share sender-scoped group policy derivation

src/plugin-sdk/googlechat.ts

@@ -73,6 +73,7 @@ export type { WizardPrompter } from "../wizard/prompts.js";
 export { resolveInboundRouteEnvelopeBuilderWithRuntime } from "./inbound-envelope.js";
 export { createScopedPairingAccess } from "./pairing-access.js";
 export { issuePairingChallenge } from "../pairing/pairing-challenge.js";
+export { resolveSenderScopedGroupPolicy } from "./group-access.js";
 export { extractToolSend } from "./tool-send.js";
 export { resolveWebhookPath } from "./webhook-path.js";
 export type { WebhookInFlightLimiter } from "./webhook-request-guards.js";

src/plugin-sdk/group-access.test.ts

@@ -1,5 +1,35 @@
 import { describe, expect, it } from "vitest";
-import { evaluateSenderGroupAccess, evaluateSenderGroupAccessForPolicy } from "./group-access.js";
+import {
+  evaluateSenderGroupAccess,
+  evaluateSenderGroupAccessForPolicy,
+  resolveSenderScopedGroupPolicy,
+} from "./group-access.js";
+
+describe("resolveSenderScopedGroupPolicy", () => {
+  it("preserves disabled policy", () => {
+    expect(
+      resolveSenderScopedGroupPolicy({
+        groupPolicy: "disabled",
+        groupAllowFrom: ["a"],
+      }),
+    ).toBe("disabled");
+  });
+
+  it("maps open/allowlist based on effective sender allowlist", () => {
+    expect(
+      resolveSenderScopedGroupPolicy({
+        groupPolicy: "allowlist",
+        groupAllowFrom: ["a"],
+      }),
+    ).toBe("allowlist");
+    expect(
+      resolveSenderScopedGroupPolicy({
+        groupPolicy: "allowlist",
+        groupAllowFrom: [],
+      }),
+    ).toBe("open");
+  });
+});
 
 describe("evaluateSenderGroupAccessForPolicy", () => {
   it("blocks disabled policy", () => {

src/plugin-sdk/group-access.ts

@@ -14,6 +14,16 @@ export type SenderGroupAccessDecision = {
   reason: SenderGroupAccessReason;
 };
 
+export function resolveSenderScopedGroupPolicy(params: {
+  groupPolicy: GroupPolicy;
+  groupAllowFrom: string[];
+}): GroupPolicy {
+  if (params.groupPolicy === "disabled") {
+    return "disabled";
+  }
+  return params.groupAllowFrom.length > 0 ? "allowlist" : "open";
+}
+
 export function evaluateSenderGroupAccessForPolicy(params: {
   groupPolicy: GroupPolicy;
   providerMissingFallbackApplied?: boolean;

src/plugin-sdk/index.ts

@@ -280,6 +280,7 @@ export {
 export {
   evaluateSenderGroupAccess,
   evaluateSenderGroupAccessForPolicy,
+  resolveSenderScopedGroupPolicy,
   type SenderGroupAccessDecision,
   type SenderGroupAccessReason,
 } from "./group-access.js";

src/plugin-sdk/matrix.ts

@@ -93,6 +93,7 @@ export {
 } from "../security/dm-policy-shared.js";
 export { formatDocsLink } from "../terminal/links.js";
 export type { WizardPrompter } from "../wizard/prompts.js";
+export { resolveSenderScopedGroupPolicy } from "./group-access.js";
 export { createScopedPairingAccess } from "./pairing-access.js";
 export { formatResolvedUnresolvedNote } from "./resolution-notes.js";
 export { runPluginCommandWithTimeout } from "./run-command.js";

src/plugin-sdk/msteams.ts

@@ -91,7 +91,10 @@ export {
   resolveDmGroupAccessWithLists,
   resolveEffectiveAllowFromLists,
 } from "../security/dm-policy-shared.js";
-export { evaluateSenderGroupAccessForPolicy } from "./group-access.js";
+export {
+  evaluateSenderGroupAccessForPolicy,
+  resolveSenderScopedGroupPolicy,
+} from "./group-access.js";
 export { formatDocsLink } from "../terminal/links.js";
 export { sleep } from "../utils.js";
 export { loadWebMedia } from "../web/media.js";