refactor: centralize open group-policy warning flow collectors

src/channels/plugins/group-policy-warnings.test.ts

@@ -1,5 +1,8 @@
 import { describe, expect, it } from "vitest";
 import {
+  collectOpenGroupPolicyConfiguredRouteWarnings,
+  collectOpenGroupPolicyRestrictSendersWarnings,
+  collectOpenGroupPolicyRouteAllowlistWarnings,
   buildOpenGroupPolicyConfigureRouteAllowlistWarning,
   buildOpenGroupPolicyNoRouteAllowlistWarning,
   buildOpenGroupPolicyRestrictSendersWarning,
@@ -58,4 +61,91 @@ describe("group policy warning builders", () => {
       '- Example channels: groupPolicy="open" allows any channel not explicitly denied to trigger (mention-gated). Set channels.example.groupPolicy="allowlist" and configure channels.example.channels.',
     );
   });
+
+  it("collects restrict-senders warning only for open policy", () => {
+    expect(
+      collectOpenGroupPolicyRestrictSendersWarnings({
+        groupPolicy: "allowlist",
+        surface: "Example groups",
+        openScope: "any member",
+        groupPolicyPath: "channels.example.groupPolicy",
+        groupAllowFromPath: "channels.example.groupAllowFrom",
+      }),
+    ).toEqual([]);
+
+    expect(
+      collectOpenGroupPolicyRestrictSendersWarnings({
+        groupPolicy: "open",
+        surface: "Example groups",
+        openScope: "any member",
+        groupPolicyPath: "channels.example.groupPolicy",
+        groupAllowFromPath: "channels.example.groupAllowFrom",
+      }),
+    ).toHaveLength(1);
+  });
+
+  it("collects route allowlist warning variants", () => {
+    const params = {
+      groupPolicy: "open" as const,
+      restrictSenders: {
+        surface: "Example groups",
+        openScope: "any member in allowed groups",
+        groupPolicyPath: "channels.example.groupPolicy",
+        groupAllowFromPath: "channels.example.groupAllowFrom",
+      },
+      noRouteAllowlist: {
+        surface: "Example groups",
+        routeAllowlistPath: "channels.example.groups",
+        routeScope: "group",
+        groupPolicyPath: "channels.example.groupPolicy",
+        groupAllowFromPath: "channels.example.groupAllowFrom",
+      },
+    };
+
+    expect(
+      collectOpenGroupPolicyRouteAllowlistWarnings({
+        ...params,
+        routeAllowlistConfigured: true,
+      }),
+    ).toEqual([buildOpenGroupPolicyRestrictSendersWarning(params.restrictSenders)]);
+
+    expect(
+      collectOpenGroupPolicyRouteAllowlistWarnings({
+        ...params,
+        routeAllowlistConfigured: false,
+      }),
+    ).toEqual([buildOpenGroupPolicyNoRouteAllowlistWarning(params.noRouteAllowlist)]);
+  });
+
+  it("collects configured-route warning variants", () => {
+    const params = {
+      groupPolicy: "open" as const,
+      configureRouteAllowlist: {
+        surface: "Example channels",
+        openScope: "any channel not explicitly denied",
+        groupPolicyPath: "channels.example.groupPolicy",
+        routeAllowlistPath: "channels.example.channels",
+      },
+      missingRouteAllowlist: {
+        surface: "Example channels",
+        openBehavior: "with no route allowlist; any channel can trigger (mention-gated)",
+        remediation:
+          'Set channels.example.groupPolicy="allowlist" and configure channels.example.channels',
+      },
+    };
+
+    expect(
+      collectOpenGroupPolicyConfiguredRouteWarnings({
+        ...params,
+        routeAllowlistConfigured: true,
+      }),
+    ).toEqual([buildOpenGroupPolicyConfigureRouteAllowlistWarning(params.configureRouteAllowlist)]);
+
+    expect(
+      collectOpenGroupPolicyConfiguredRouteWarnings({
+        ...params,
+        routeAllowlistConfigured: false,
+      }),
+    ).toEqual([buildOpenGroupPolicyWarning(params.missingRouteAllowlist)]);
+  });
 });

src/channels/plugins/group-policy-warnings.ts

@@ -51,3 +51,44 @@ export function buildOpenGroupPolicyConfigureRouteAllowlistWarning(params: {
     remediation: `Set ${params.groupPolicyPath}="allowlist" and configure ${params.routeAllowlistPath}`,
   });
 }
+
+export function collectOpenGroupPolicyRestrictSendersWarnings(
+  params: Parameters<typeof buildOpenGroupPolicyRestrictSendersWarning>[0] & {
+    groupPolicy: "open" | "allowlist" | "disabled";
+  },
+): string[] {
+  if (params.groupPolicy !== "open") {
+    return [];
+  }
+  return [buildOpenGroupPolicyRestrictSendersWarning(params)];
+}
+
+export function collectOpenGroupPolicyRouteAllowlistWarnings(params: {
+  groupPolicy: "open" | "allowlist" | "disabled";
+  routeAllowlistConfigured: boolean;
+  restrictSenders: Parameters<typeof buildOpenGroupPolicyRestrictSendersWarning>[0];
+  noRouteAllowlist: Parameters<typeof buildOpenGroupPolicyNoRouteAllowlistWarning>[0];
+}): string[] {
+  if (params.groupPolicy !== "open") {
+    return [];
+  }
+  if (params.routeAllowlistConfigured) {
+    return [buildOpenGroupPolicyRestrictSendersWarning(params.restrictSenders)];
+  }
+  return [buildOpenGroupPolicyNoRouteAllowlistWarning(params.noRouteAllowlist)];
+}
+
+export function collectOpenGroupPolicyConfiguredRouteWarnings(params: {
+  groupPolicy: "open" | "allowlist" | "disabled";
+  routeAllowlistConfigured: boolean;
+  configureRouteAllowlist: Parameters<typeof buildOpenGroupPolicyConfigureRouteAllowlistWarning>[0];
+  missingRouteAllowlist: Parameters<typeof buildOpenGroupPolicyWarning>[0];
+}): string[] {
+  if (params.groupPolicy !== "open") {
+    return [];
+  }
+  if (params.routeAllowlistConfigured) {
+    return [buildOpenGroupPolicyConfigureRouteAllowlistWarning(params.configureRouteAllowlist)];
+  }
+  return [buildOpenGroupPolicyWarning(params.missingRouteAllowlist)];
+}

src/plugin-sdk/index.ts

@@ -536,6 +536,9 @@ export {
   buildOpenGroupPolicyNoRouteAllowlistWarning,
   buildOpenGroupPolicyRestrictSendersWarning,
   buildOpenGroupPolicyWarning,
+  collectOpenGroupPolicyConfiguredRouteWarnings,
+  collectOpenGroupPolicyRestrictSendersWarnings,
+  collectOpenGroupPolicyRouteAllowlistWarnings,
 } from "../channels/plugins/group-policy-warnings.js";
 export {
   buildAccountScopedDmSecurityPolicy,