fix: fail closed missing provider group policy across message channels (#23367) (thanks @bmendonca3)

2026-05-09 23:04:32 +00:00 · 2026-02-22 12:17:44 +01:00
parent 78c3c2a542
commit 777817392d
45 changed files with 420 additions and 75 deletions
--- a/src/line/bot-handlers.ts
+++ b/src/line/bot-handlers.ts
@@ -8,6 +8,7 @@ import type {
  PostbackEvent,
 } from "@line/bot-sdk";
 import type { OpenClawConfig } from "../config/config.js";
+import { resolveRuntimeGroupPolicy } from "../config/runtime-group-policy.js";
 import { danger, logVerbose } from "../globals.js";
 import { resolvePairingIdLabel } from "../pairing/pairing-labels.js";
 import { buildPairingReply } from "../pairing/pairing-messages.js";
@@ -40,6 +41,8 @@ export interface LineHandlerContext {
  processMessage: (ctx: LineInboundContext) => Promise<void>;
 }

+let lineGroupPolicyFallbackWarned = false;
+
 function resolveLineGroupConfig(params: {
  config: ResolvedLineAccount["config"];
  groupId?: string;
@@ -133,7 +136,19 @@ async function shouldProcessLineEvent(
    dmPolicy,
  });
  const defaultGroupPolicy = cfg.channels?.defaults?.groupPolicy;
-  const groupPolicy = account.config.groupPolicy ?? defaultGroupPolicy ?? "allowlist";
+  const { groupPolicy, providerMissingFallbackApplied } = resolveRuntimeGroupPolicy({
+    providerConfigPresent: cfg.channels?.line !== undefined,
+    groupPolicy: account.config.groupPolicy,
+    defaultGroupPolicy,
+    configuredFallbackPolicy: "allowlist",
+    missingProviderFallbackPolicy: "allowlist",
+  });
+  if (providerMissingFallbackApplied && !lineGroupPolicyFallbackWarned) {
+    lineGroupPolicyFallbackWarned = true;
+    logVerbose(
+      'line: channels.line is missing; defaulting groupPolicy to "allowlist" (group messages blocked until explicitly configured).',
+    );
+  }

  if (isGroup) {
    if (groupConfig?.enabled === false) {