fix(doctor): detect groupPolicy=allowlist with empty groupAllowFrom (…

[stolyarchuk]

…openclaw#28477)

• fix(doctor): detect groupPolicy=allowlist with empty groupAllowFrom

The existing detectEmptyAllowlistPolicy check only covers dmPolicy="allowlist" with empty allowFrom. After the .26 security hardening (resolveDmGroupAccessDecision fails closed on empty allowlists), groupPolicy="allowlist" without groupAllowFrom or allowFrom silently drops all group/channel messages with only a verbose-level log.

Add a parallel check: when groupPolicy is "allowlist" and neither groupAllowFrom nor allowFrom has entries, surface a doctor warning with remediation steps.

Closes openclaw#27552

• fix: align empty-array semantics with runtime resolveGroupAllowFromSources

The runtime treats groupAllowFrom: [] as unset and falls back to allowFrom, but the doctor check used ?? which treats [] as authoritative. This caused a false warning when groupAllowFrom was explicitly empty but allowFrom had entries.

Match runtime behavior: treat empty groupAllowFrom arrays as unset before falling back to allowFrom.

• fix: scope group allowlist check to sender-based channels only

• fix: align doctor group allowlist semantics (fix(doctor): detect groupPolicy=allowlist with empty groupAllowFrom openclaw/openclaw#28477) (thanks @tonydehnke)

---

Summary

Describe the problem and fix in 2–5 bullets:

• Problem:
• Why it matters:
• What changed:
• What did NOT change (scope boundary):

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #
• Related #

User-visible / Behavior Changes

List user-visible changes (including defaults/config).
If none, write None.

Security Impact (required)

• New permissions/capabilities? (Yes/No)
• Secrets/tokens handling changed? (Yes/No)
• New/changed network calls? (Yes/No)
• Command/tool execution surface changed? (Yes/No)
• Data access scope changed? (Yes/No)
• If any Yes, explain risk + mitigation:

Repro + Verification

Environment

• OS:
• Runtime/container:
• Model/provider:
• Integration/channel (if any):
• Relevant config (redacted):

Steps

Expected

Actual

Evidence

Attach at least one:

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
• Edge cases checked:
• What you did not verify:

Compatibility / Migration

• Backward compatible? (Yes/No)
• Config/env changes? (Yes/No)
• Migration needed? (Yes/No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly:
• Files/config to restore:
• Known bad symptoms reviewers should watch for:

Risks and Mitigations

List only real risks for this PR. Add/remove entries as needed. If none, write None.

• Risk:
  • Mitigation: