fix: harden msteams group access

src/config/config.test.ts

@@ -1481,6 +1481,16 @@ describe("legacy config detection", () => {
     }
   });
 
+  it("defaults msteams.groupPolicy to allowlist when msteams section exists", async () => {
+    vi.resetModules();
+    const { validateConfigObject } = await import("./config.js");
+    const res = validateConfigObject({ msteams: {} });
+    expect(res.ok).toBe(true);
+    if (res.ok) {
+      expect(res.config.msteams?.groupPolicy).toBe("allowlist");
+    }
+  });
+
   it("rejects unsafe executable config values", async () => {
     vi.resetModules();
     const { validateConfigObject } = await import("./config.js");

src/config/types.ts

@@ -763,6 +763,15 @@ export type MSTeamsConfig = {
   dmPolicy?: DmPolicy;
   /** Allowlist for DM senders (AAD object IDs or UPNs). */
   allowFrom?: Array<string>;
+  /** Optional allowlist for group/channel senders (AAD object IDs or UPNs). */
+  groupAllowFrom?: Array<string>;
+  /**
+   * Controls how group/channel messages are handled:
+   * - "open": groups bypass allowFrom; mention-gating applies
+   * - "disabled": block all group messages
+   * - "allowlist": only allow group messages from senders in groupAllowFrom/allowFrom
+   */
+  groupPolicy?: GroupPolicy;
   /** Outbound text chunk size (chars). Default: 4000. */
   textChunkLimit?: number;
   /** Merge streamed block replies before sending. */

src/config/zod-schema.ts

@@ -619,6 +619,8 @@ const MSTeamsConfigSchema = z
       .optional(),
     dmPolicy: DmPolicySchema.optional().default("pairing"),
     allowFrom: z.array(z.string()).optional(),
+    groupAllowFrom: z.array(z.string()).optional(),
+    groupPolicy: GroupPolicySchema.optional().default("allowlist"),
     textChunkLimit: z.number().int().positive().optional(),
     blockStreamingCoalesce: BlockStreamingCoalesceSchema.optional(),
     mediaAllowHosts: z.array(z.string()).optional(),