fix(telegram): fail closed on empty group allowFrom override

src/telegram/group-access.base-access.test.ts

@@ -0,0 +1,56 @@
+import { describe, expect, it } from "vitest";
+import type { NormalizedAllowFrom } from "./bot-access.js";
+import { evaluateTelegramGroupBaseAccess } from "./group-access.js";
+
+function allow(entries: string[], hasWildcard = false): NormalizedAllowFrom {
+  return {
+    entries,
+    hasWildcard,
+    hasEntries: entries.length > 0 || hasWildcard,
+    invalidEntries: [],
+  };
+}
+
+describe("evaluateTelegramGroupBaseAccess", () => {
+  it("fails closed when explicit group allowFrom override is empty", () => {
+    const result = evaluateTelegramGroupBaseAccess({
+      isGroup: true,
+      hasGroupAllowOverride: true,
+      effectiveGroupAllow: allow([]),
+      senderId: "12345",
+      senderUsername: "tester",
+      enforceAllowOverride: true,
+      requireSenderForAllowOverride: true,
+    });
+
+    expect(result).toEqual({ allowed: false, reason: "group-override-unauthorized" });
+  });
+
+  it("allows group message when override is not configured", () => {
+    const result = evaluateTelegramGroupBaseAccess({
+      isGroup: true,
+      hasGroupAllowOverride: false,
+      effectiveGroupAllow: allow([]),
+      senderId: "12345",
+      senderUsername: "tester",
+      enforceAllowOverride: true,
+      requireSenderForAllowOverride: true,
+    });
+
+    expect(result).toEqual({ allowed: true });
+  });
+
+  it("allows sender explicitly listed in override", () => {
+    const result = evaluateTelegramGroupBaseAccess({
+      isGroup: true,
+      hasGroupAllowOverride: true,
+      effectiveGroupAllow: allow(["12345"]),
+      senderId: "12345",
+      senderUsername: "tester",
+      enforceAllowOverride: true,
+      requireSenderForAllowOverride: true,
+    });
+
+    expect(result).toEqual({ allowed: true });
+  });
+});