fix: fail closed missing provider group policy across message channels (#23367) (thanks @bmendonca3)

2026-04-18 16:57:27 +00:00 · 2026-02-22 12:17:44 +01:00
parent 78c3c2a542
commit 777817392d
45 changed files with 420 additions and 75 deletions
--- a/docs/channels/discord.md
+++ b/docs/channels/discord.md
@@ -425,7 +425,7 @@ Example:
 }
 ```

-    If you only set `DISCORD_BOT_TOKEN` and do not create a `channels.discord` block, runtime fallback is `groupPolicy="allowlist"` (with a warning in logs).
+    If you only set `DISCORD_BOT_TOKEN` and do not create a `channels.discord` block, runtime fallback is `groupPolicy="allowlist"` (with a warning in logs), even if `channels.defaults.groupPolicy` is `open`.

  </Tab>

--- a/docs/channels/groups.md
+++ b/docs/channels/groups.md
@@ -190,6 +190,7 @@ Notes:
 - Group DMs are controlled separately (`channels.discord.dm.*`, `channels.slack.dm.*`).
 - Telegram allowlist can match user IDs (`"123456789"`, `"telegram:123456789"`, `"tg:123456789"`) or usernames (`"@alice"` or `"alice"`); prefixes are case-insensitive.
 - Default is `groupPolicy: "allowlist"`; if your group allowlist is empty, group messages are blocked.
+- Runtime safety: when a provider block is completely missing (`channels.<provider>` absent), group policy falls back to a fail-closed mode (typically `allowlist`) instead of inheriting `channels.defaults.groupPolicy`.

 Quick mental model (evaluation order for group messages):

--- a/docs/channels/imessage.md
+++ b/docs/channels/imessage.md
@@ -158,6 +158,7 @@ imsg send <handle> "test"
    Group sender allowlist: `channels.imessage.groupAllowFrom`.

    Runtime fallback: if `groupAllowFrom` is unset, iMessage group sender checks fall back to `allowFrom` when available.
+    Runtime note: if `channels.imessage` is completely missing, runtime falls back to `groupPolicy="allowlist"` and logs a warning (even if `channels.defaults.groupPolicy` is set).

    Mention gating for groups:

--- a/docs/channels/line.md
+++ b/docs/channels/line.md
@@ -118,6 +118,7 @@ Allowlists and policies:
 - `channels.line.groupPolicy`: `allowlist | open | disabled`
 - `channels.line.groupAllowFrom`: allowlisted LINE user IDs for groups
 - Per-group overrides: `channels.line.groups.<groupId>.allowFrom`
+- Runtime note: if `channels.line` is completely missing, runtime falls back to `groupPolicy="allowlist"` for group checks (even if `channels.defaults.groupPolicy` is set).

 LINE IDs are case-sensitive. Valid IDs look like:

--- a/docs/channels/matrix.md
+++ b/docs/channels/matrix.md
@@ -195,6 +195,7 @@ Notes:
 ## Rooms (groups)

 - Default: `channels.matrix.groupPolicy = "allowlist"` (mention-gated). Use `channels.defaults.groupPolicy` to override the default when unset.
+- Runtime note: if `channels.matrix` is completely missing, runtime falls back to `groupPolicy="allowlist"` for room checks (even if `channels.defaults.groupPolicy` is set).
 - Allowlist rooms with `channels.matrix.groups` (room IDs or aliases; names are resolved to IDs when directory search finds a single exact match):

 ```json5
--- a/docs/channels/mattermost.md
+++ b/docs/channels/mattermost.md
@@ -103,6 +103,7 @@ Notes:
 - Default: `channels.mattermost.groupPolicy = "allowlist"` (mention-gated).
 - Allowlist senders with `channels.mattermost.groupAllowFrom` (user IDs or `@username`).
 - Open channels: `channels.mattermost.groupPolicy="open"` (mention-gated).
+- Runtime note: if `channels.mattermost` is completely missing, runtime falls back to `groupPolicy="allowlist"` for group checks (even if `channels.defaults.groupPolicy` is set).

 ## Targets for outbound delivery

--- a/docs/channels/signal.md
+++ b/docs/channels/signal.md
@@ -195,6 +195,7 @@ Groups:

 - `channels.signal.groupPolicy = open | allowlist | disabled`.
 - `channels.signal.groupAllowFrom` controls who can trigger in groups when `allowlist` is set.
+- Runtime note: if `channels.signal` is completely missing, runtime falls back to `groupPolicy="allowlist"` for group checks (even if `channels.defaults.groupPolicy` is set).

 ## How it works (behavior)

--- a/docs/channels/slack.md
+++ b/docs/channels/slack.md
@@ -165,7 +165,7 @@ For actions/directory reads, user token can be preferred when configured. For wr

    Channel allowlist lives under `channels.slack.channels`.

-    Runtime note: if `channels.slack` is completely missing (env-only setup) and `channels.defaults.groupPolicy` is unset, runtime falls back to `groupPolicy="allowlist"` and logs a warning.
+    Runtime note: if `channels.slack` is completely missing (env-only setup), runtime falls back to `groupPolicy="allowlist"` and logs a warning (even if `channels.defaults.groupPolicy` is set).

    Name/ID resolution:

--- a/docs/channels/telegram.md
+++ b/docs/channels/telegram.md
@@ -148,6 +148,7 @@ curl "https://api.telegram.org/bot<bot_token>/getUpdates"

    `groupAllowFrom` is used for group sender filtering. If not set, Telegram falls back to `allowFrom`.
    `groupAllowFrom` entries must be numeric Telegram user IDs.
+    Runtime note: if `channels.telegram` is completely missing, runtime falls back to `groupPolicy="allowlist"` for group policy evaluation (even if `channels.defaults.groupPolicy` is set).

    Example: allow any member in one specific group:

--- a/docs/channels/whatsapp.md
+++ b/docs/channels/whatsapp.md
@@ -171,7 +171,7 @@ OpenClaw recommends running WhatsApp on a separate number when possible. (The ch
    - if `groupAllowFrom` is unset, runtime falls back to `allowFrom` when available
    - sender allowlists are evaluated before mention/reply activation

-    Note: if no `channels.whatsapp` block exists at all, runtime group-policy fallback is effectively `open`.
+    Note: if no `channels.whatsapp` block exists at all, runtime group-policy fallback is `allowlist` (with a warning log), even if `channels.defaults.groupPolicy` is set.

  </Tab>