sendPolicy not enforced on WhatsApp auto-reply delivery path

[rsuk-mb]

Summary

session.sendPolicy deny rules have no effect on WhatsApp auto-reply responses. The auto-reply delivery pipeline (on-message.ts → process-message.ts → deliverWebReply) never calls resolveSendPolicy, so deny rules intended to suppress replies to specific DM sessions are silently ignored.

Related issues

• sendPolicy deny rules bypassed by system notifications (abort, etc.) #6301 — same root cause (sendPolicy bypass) but for system notifications (abort, error)
• Security: No outbound message restrictions — AI agents can send to arbitrary numbers #10157 — outbound restriction gap for CLI message send

All three issues stem from sendPolicy only being enforced in commands-core.ts and gateway/server-methods/agent.ts, while other outbound paths bypass it.

Reproduction

1. Configure sendPolicy to deny WhatsApp DM replies except self-chat:

"session": {
  "sendPolicy": {
    "rules": [
      { "action": "allow", "match": { "keyPrefix": "agent:main:whatsapp:direct:+44XXXXXXXXXX" } },
      { "action": "allow", "match": { "channel": "whatsapp", "chatType": "group" } },
      { "action": "deny",  "match": { "keyPrefix": "agent:main:whatsapp:direct:" } }
    ],
    "default": "allow"
  }
}

2. Set dmPolicy: "open" with allowFrom: ["*"] so messages are ingested
3. Receive a DM from another WhatsApp contact
4. Expected: message is ingested but no reply is sent (deny rule matches)
5. Actual: assistant replies to the other contact, ignoring the deny rule

Root cause

resolveSendPolicy() is only called from:

• src/auto-reply/reply/commands-core.ts (text command processing)
• src/gateway/server-methods/agent.ts (gateway-mediated sends)

The WhatsApp auto-reply flow does not check it:

• src/web/auto-reply/monitor/on-message.ts — DM branch (~line 145) has no reply gating (unlike the group branch which has applyGroupGating)
• src/web/auto-reply/monitor/process-message.ts → deliverWebReply — no resolveSendPolicy call

Impact

Users cannot configure a "see but don't reply" mode for non-self DMs. The assistant responds to incoming DMs from other contacts even when sendPolicy explicitly denies them. The only workaround is dmPolicy: "allowlist" with empty allowFrom, which blocks messages at the inbound access-control layer entirely (no ingestion, no context).

Suggested fix

Add a resolveSendPolicy check in the DM branch of on-message.ts (or in process-message.ts before dispatching the reply). If the policy resolves to "deny", skip the reply but still allow the message to be ingested for context — mirroring how group mention-gating stores un-mentioned messages in history without replying.

[Glucksberg]

Worth a look:

Several PRs appear to address this issue:

• PR fix(whatsapp): enforce sendPolicy on auto-reply delivery path #21827 by @rsuk-mb — PR#21827 adds resolveSendPolicy enforcement to the WhatsApp on-message.ts handler, directly fixing the issue that sendPolicy rules are bypassed for WhatsApp auto-replies as reported in sendPolicy not enforced on WhatsApp auto-reply delivery path #21824.
• PR fix(web): enforce sendPolicy on WhatsApp auto-reply delivery path #21893 by @hydro13

PR#21827 adds resolveSendPolicy enforcement to the WhatsApp on-message.ts handler, directly fixing the issue that sendPolicy rules are bypassed for WhatsApp auto-replies as reported in #21824.

If any of these links don't look right, let me know and I'll correct them.

[openclaw-barnacle]

This issue has been automatically marked as stale due to inactivity.
Please add updates or it will be closed.

[openclaw-barnacle]

Closing due to inactivity.
If this is still an issue, please retry on the latest OpenClaw release and share updated details.
If you are absolutely sure it still happens on the latest release, open a new issue with fresh repro steps.