refactor(security): centralize channel allowlist auth policy

src/channels/allow-from.test.ts

@@ -55,6 +55,16 @@ describe("resolveGroupAllowFromSources", () => {
       }),
     ).toEqual(["owner", "owner2"]);
   });
+
+  it("can disable fallback to DM allowlist", () => {
+    expect(
+      resolveGroupAllowFromSources({
+        allowFrom: ["owner", "owner2"],
+        groupAllowFrom: [],
+        fallbackToAllowFrom: false,
+      }),
+    ).toEqual([]);
+  });
 });
 
 describe("firstDefined", () => {

src/channels/allow-from.ts

@@ -12,10 +12,16 @@ export function mergeDmAllowFromSources(params: {
 export function resolveGroupAllowFromSources(params: {
   allowFrom?: Array<string | number>;
   groupAllowFrom?: Array<string | number>;
+  fallbackToAllowFrom?: boolean;
 }): string[] {
-  const scoped =
-    params.groupAllowFrom && params.groupAllowFrom.length > 0
+  const explicitGroupAllowFrom =
+    Array.isArray(params.groupAllowFrom) && params.groupAllowFrom.length > 0
       ? params.groupAllowFrom
+      : undefined;
+  const scoped = explicitGroupAllowFrom
+    ? explicitGroupAllowFrom
+    : params.fallbackToAllowFrom === false
+      ? []
       : (params.allowFrom ?? []);
   return scoped.map((value) => String(value).trim()).filter(Boolean);
 }