fix: default groupPolicy to allowlist

src/telegram/bot.test.ts

@@ -1244,7 +1244,7 @@ describe("createTelegramBot", () => {
     expect(replySpy).toHaveBeenCalledTimes(1);
   });
 
-  it("allows all group messages when groupPolicy is 'open' (default)", async () => {
+  it("allows all group messages when groupPolicy is 'open'", async () => {
     onSpy.mockReset();
     const replySpy = replyModule.__replySpy as unknown as ReturnType<
       typeof vi.fn
@@ -1252,7 +1252,7 @@ describe("createTelegramBot", () => {
     replySpy.mockReset();
     loadConfig.mockReturnValue({
       telegram: {
-        // groupPolicy not set, should default to "open"
+        groupPolicy: "open",
         groups: { "*": { requireMention: false } },
       },
     });

src/telegram/bot.ts

@@ -982,7 +982,7 @@ export function createTelegramBot(opts: TelegramBotOptions) {
         }
 
         if (isGroup && useAccessGroups) {
-          const groupPolicy = telegramCfg.groupPolicy ?? "open";
+          const groupPolicy = telegramCfg.groupPolicy ?? "allowlist";
           if (groupPolicy === "disabled") {
             await bot.api.sendMessage(
               chatId,
@@ -1211,10 +1211,10 @@ export function createTelegramBot(opts: TelegramBotOptions) {
           }
         }
         // Group policy filtering: controls how group messages are handled
-        // - "open" (default): groups bypass allowFrom, only mention-gating applies
+        // - "open": groups bypass allowFrom, only mention-gating applies
         // - "disabled": block all group messages entirely
         // - "allowlist": only allow group messages from senders in groupAllowFrom/allowFrom
-        const groupPolicy = telegramCfg.groupPolicy ?? "open";
+        const groupPolicy = telegramCfg.groupPolicy ?? "allowlist";
         if (groupPolicy === "disabled") {
           logVerbose(`Blocked telegram group message (groupPolicy: disabled)`);
           return;