feat: unify group policy allowlists

2026-01-06 06:40:42 +00:00
parent 51e8bbd2a8
commit dbb51006cd
23 changed files with 729 additions and 88 deletions
--- a/src/slack/monitor.test.ts
+++ b/src/slack/monitor.test.ts
@@ -0,0 +1,55 @@
+import { describe, expect, it } from "vitest";
+
+import { isSlackRoomAllowedByPolicy } from "./monitor.js";
+
+describe("slack groupPolicy gating", () => {
+  it("allows when policy is open", () => {
+    expect(
+      isSlackRoomAllowedByPolicy({
+        groupPolicy: "open",
+        channelAllowlistConfigured: false,
+        channelAllowed: false,
+      }),
+    ).toBe(true);
+  });
+
+  it("blocks when policy is disabled", () => {
+    expect(
+      isSlackRoomAllowedByPolicy({
+        groupPolicy: "disabled",
+        channelAllowlistConfigured: true,
+        channelAllowed: true,
+      }),
+    ).toBe(false);
+  });
+
+  it("blocks allowlist when no channel allowlist configured", () => {
+    expect(
+      isSlackRoomAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: false,
+        channelAllowed: true,
+      }),
+    ).toBe(false);
+  });
+
+  it("allows allowlist when channel is allowed", () => {
+    expect(
+      isSlackRoomAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: true,
+        channelAllowed: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("blocks allowlist when channel is not allowed", () => {
+    expect(
+      isSlackRoomAllowedByPolicy({
+        groupPolicy: "allowlist",
+        channelAllowlistConfigured: true,
+        channelAllowed: false,
+      }),
+    ).toBe(false);
+  });
+});
--- a/src/slack/monitor.ts
+++ b/src/slack/monitor.ts
@@ -379,6 +379,7 @@ export async function monitorSlackProvider(opts: MonitorSlackOpts = {}) {
  const groupDmChannels = normalizeAllowList(dmConfig?.groupChannels);
  const channelsConfig = cfg.slack?.channels;
  const dmEnabled = dmConfig?.enabled ?? true;
+  const groupPolicy = cfg.slack?.groupPolicy ?? "open";
  const reactionMode = cfg.slack?.reactionNotifications ?? "own";
  const reactionAllowlist = cfg.slack?.reactionAllowlist ?? [];
  const slashCommand = resolveSlackSlashCommandConfig(
@@ -517,7 +518,19 @@ export async function monitorSlackProvider(opts: MonitorSlackOpts = {}) {
        channelName: params.channelName,
        channels: channelsConfig,
      });
-      if (channelConfig?.allowed === false) return false;
+      const channelAllowed = channelConfig?.allowed !== false;
+      const channelAllowlistConfigured =
+        Boolean(channelsConfig) && Object.keys(channelsConfig ?? {}).length > 0;
+      if (
+        !isSlackRoomAllowedByPolicy({
+          groupPolicy,
+          channelAllowlistConfigured,
+          channelAllowed,
+        })
+      ) {
+        return false;
+      }
+      if (!channelAllowed) return false;
    }

    return true;
@@ -1440,6 +1453,18 @@ type SlackRespondFn = (payload: {
  response_type?: "ephemeral" | "in_channel";
 }) => Promise<unknown>;

+export function isSlackRoomAllowedByPolicy(params: {
+  groupPolicy: "open" | "disabled" | "allowlist";
+  channelAllowlistConfigured: boolean;
+  channelAllowed: boolean;
+}): boolean {
+  const { groupPolicy, channelAllowlistConfigured, channelAllowed } = params;
+  if (groupPolicy === "disabled") return false;
+  if (groupPolicy === "open") return true;
+  if (!channelAllowlistConfigured) return false;
+  return channelAllowed;
+}
+
 async function deliverSlackSlashReplies(params: {
  replies: ReplyPayload[];
  respond: SlackRespondFn;