feat: unify group policy allowlists

2026-01-06 06:40:42 +00:00
parent 51e8bbd2a8
commit dbb51006cd
23 changed files with 729 additions and 88 deletions
--- a/src/discord/monitor.test.ts
+++ b/src/discord/monitor.test.ts
@@ -2,6 +2,7 @@ import { describe, expect, it } from "vitest";
 import {
  allowListMatches,
  type DiscordGuildEntryResolved,
+  isDiscordGroupAllowedByPolicy,
  normalizeDiscordAllowList,
  normalizeDiscordSlug,
  resolveDiscordChannelConfig,
@@ -132,6 +133,58 @@ describe("discord guild/channel resolution", () => {
  });
 });

+describe("discord groupPolicy gating", () => {
+  it("allows when policy is open", () => {
+    expect(
+      isDiscordGroupAllowedByPolicy({
+        groupPolicy: "open",
+        channelAllowlistConfigured: false,
+        channelAllowed: false,
+      }),
+    ).toBe(true);
+  });
+
+  it("blocks when policy is disabled", () => {
+    expect(
+      isDiscordGroupAllowedByPolicy({
+        groupPolicy: "disabled",
+        channelAllowlistConfigured: true,
+        channelAllowed: true,
+      }),
+    ).toBe(false);
+  });
+
+  it("blocks allowlist when no channel allowlist configured", () => {
+    expect(
+      isDiscordGroupAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: false,
+        channelAllowed: true,
+      }),
+    ).toBe(false);
+  });
+
+  it("allows allowlist when channel is allowed", () => {
+    expect(
+      isDiscordGroupAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: true,
+        channelAllowed: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("blocks allowlist when channel is not allowed", () => {
+    expect(
+      isDiscordGroupAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: true,
+        channelAllowed: false,
+      }),
+    ).toBe(false);
+  });
+});
+
 describe("discord group DM gating", () => {
  it("allows all when no allowlist", () => {
    expect(
--- a/src/discord/monitor.ts
+++ b/src/discord/monitor.ts
@@ -141,6 +141,7 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {

  const dmConfig = cfg.discord?.dm;
  const guildEntries = cfg.discord?.guilds;
+  const groupPolicy = cfg.discord?.groupPolicy ?? "open";
  const allowFrom = dmConfig?.allowFrom;
  const mediaMaxBytes =
    (opts.mediaMaxMb ?? cfg.discord?.mediaMaxMb ?? 8) * 1024 * 1024;
@@ -159,7 +160,7 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {

  if (shouldLogVerbose()) {
    logVerbose(
-      `discord: config dm=${dmEnabled ? "on" : "off"} allowFrom=${summarizeAllowList(allowFrom)} groupDm=${groupDmEnabled ? "on" : "off"} groupDmChannels=${summarizeAllowList(groupDmChannels)} guilds=${summarizeGuilds(guildEntries)} historyLimit=${historyLimit} mediaMaxMb=${Math.round(mediaMaxBytes / (1024 * 1024))}`,
+      `discord: config dm=${dmEnabled ? "on" : "off"} allowFrom=${summarizeAllowList(allowFrom)} groupDm=${groupDmEnabled ? "on" : "off"} groupDmChannels=${summarizeAllowList(groupDmChannels)} groupPolicy=${groupPolicy} guilds=${summarizeGuilds(guildEntries)} historyLimit=${historyLimit} mediaMaxMb=${Math.round(mediaMaxBytes / (1024 * 1024))}`,
    );
  }

@@ -279,6 +280,32 @@ export async function monitorDiscordProvider(opts: MonitorDiscordOpts = {}) {
        });
      if (isGroupDm && !groupDmAllowed) return;

+      const channelAllowlistConfigured =
+        Boolean(guildInfo?.channels) &&
+        Object.keys(guildInfo?.channels ?? {}).length > 0;
+      const channelAllowed = channelConfig?.allowed !== false;
+      if (
+        isGuildMessage &&
+        !isDiscordGroupAllowedByPolicy({
+          groupPolicy,
+          channelAllowlistConfigured,
+          channelAllowed,
+        })
+      ) {
+        if (groupPolicy === "disabled") {
+          logVerbose("discord: drop guild message (groupPolicy: disabled)");
+        } else if (!channelAllowlistConfigured) {
+          logVerbose(
+            "discord: drop guild message (groupPolicy: allowlist, no channel allowlist)",
+          );
+        } else {
+          logVerbose(
+            `Blocked discord channel ${message.channelId} not in guild channel allowlist (groupPolicy: allowlist)`,
+          );
+        }
+        return;
+      }
+
      if (isGuildMessage && channelConfig?.allowed === false) {
        logVerbose(
          `Blocked discord channel ${message.channelId} not in guild channel allowlist`,
@@ -1169,6 +1196,18 @@ export function resolveDiscordChannelConfig(params: {
  return { allowed: true };
 }

+export function isDiscordGroupAllowedByPolicy(params: {
+  groupPolicy: "open" | "disabled" | "allowlist";
+  channelAllowlistConfigured: boolean;
+  channelAllowed: boolean;
+}): boolean {
+  const { groupPolicy, channelAllowlistConfigured, channelAllowed } = params;
+  if (groupPolicy === "disabled") return false;
+  if (groupPolicy === "open") return true;
+  if (!channelAllowlistConfigured) return false;
+  return channelAllowed;
+}
+
 export function resolveGroupDmAllow(params: {
  channels: Array<string | number> | undefined;
  channelId: string;