fix(web): let group pings bypass allowFrom

src/web/inbound.ts

@@ -116,9 +116,10 @@ export async function monitorWebInbox(options: {
       const allowFrom = cfg.inbound?.allowFrom;
       const isSamePhone = from === selfE164;
 
-      if (!isSamePhone && Array.isArray(allowFrom) && allowFrom.length > 0) {
-        const candidate =
-          group && senderE164 ? normalizeE164(senderE164) : from;
+      const allowlistEnabled =
+        !group && Array.isArray(allowFrom) && allowFrom.length > 0;
+      if (!isSamePhone && allowlistEnabled) {
+        const candidate = from;
         const allowedList = allowFrom.map(normalizeE164);
         if (!allowFrom.includes("*") && !allowedList.includes(candidate)) {
           logVerbose(

src/web/monitor-inbox.test.ts

@@ -321,7 +321,7 @@ describe("web monitor inbox", () => {
     await listener.close();
   });
 
-  it("applies allowFrom to group participants", async () => {
+  it("lets group messages through even when sender not in allowFrom", async () => {
     mockLoadConfig.mockReturnValue({
       inbound: {
         allowFrom: ["+1234"],
@@ -353,16 +353,10 @@ describe("web monitor inbox", () => {
     sock.ev.emit("messages.upsert", upsert);
     await new Promise((resolve) => setImmediate(resolve));
 
-    expect(onMessage).not.toHaveBeenCalled();
-
-    mockLoadConfig.mockReturnValue({
-      inbound: {
-        allowFrom: ["*"],
-        messagePrefix: undefined,
-        responsePrefix: undefined,
-        timestampPrefix: false,
-      },
-    });
+    expect(onMessage).toHaveBeenCalledTimes(1);
+    const payload = onMessage.mock.calls[0][0];
+    expect(payload.chatType).toBe("group");
+    expect(payload.senderE164).toBe("+999");
 
     await listener.close();
   });