Summary
When groupPolicy: "allowlist" is configured alongside groupAllowFrom (or allowFrom) but without any explicit per-group groups: entries, all inbound group messages are silently dropped. Direct messages and outbound group messages are unaffected.
Config that triggers the bug
channels:
telegram:
groupPolicy: allowlist
groupAllowFrom:
- "@alice"
- "@bob"
# No `groups:` block — user intends any group, gated by senderSteps to reproduce
- Configure Telegram with
groupPolicy: allowlist and groupAllowFrom containing one or more usernames/IDs.
- Do not add any explicit group IDs under
groups:.
- Send a message from an allowlisted sender in any Telegram group.
- Observe: message is silently dropped, no log entry produced.
Expected behavior
The gateway should accept the message and defer access control to the sender-level filter (groupAllowFrom). A user who sets groupAllowFrom without listing specific groups intends to allow any group but restrict by sender — the chat-level check should not block all traffic in this case.
Actual behavior
resolveChannelGroupPolicy returns allowed: false for every group because no per-group config exists. The senderFilterBypass path inside resolveChannelGroupPolicy is never activated because the bot.ts closure calling it never passes hasGroupAllowFrom.
Root cause
In src/telegram/bot.ts, the resolveGroupPolicy closure calls resolveChannelGroupPolicy without forwarding hasGroupAllowFrom:
// Before fix — hasGroupAllowFrom missing, so senderFilterBypass is always false
const resolveGroupPolicy = (chatId: string | number) =>
resolveChannelGroupPolicy({
cfg,
channel: "telegram",
accountId: account.accountId,
groupId: String(chatId),
});resolveChannelGroupPolicy already has the correct senderFilterBypass logic (line 347–348 of src/config/group-policy.ts) — it just never receives the flag.
Fix
Pass hasGroupAllowFrom in the closure:
const resolveGroupPolicy = (chatId: string | number) =>
resolveChannelGroupPolicy({
cfg,
channel: "telegram",
accountId: account.accountId,
groupId: String(chatId),
hasGroupAllowFrom: Array.isArray(groupAllowFrom) && groupAllowFrom.length > 0,
});Version
Introduced in v2026.2.26. Worked on v2026.2.25.
Additional context
A fix with regression tests is ready on branch fix/telegram-group-allowlist-regression-28107. PR to follow.
Summary
When
groupPolicy: "allowlist"is configured alongsidegroupAllowFrom(orallowFrom) but without any explicit per-groupgroups:entries, all inbound group messages are silently dropped. Direct messages and outbound group messages are unaffected.Config that triggers the bug
Steps to reproduce
groupPolicy: allowlistandgroupAllowFromcontaining one or more usernames/IDs.groups:.Expected behavior
The gateway should accept the message and defer access control to the sender-level filter (
groupAllowFrom). A user who setsgroupAllowFromwithout listing specific groups intends to allow any group but restrict by sender — the chat-level check should not block all traffic in this case.Actual behavior
resolveChannelGroupPolicyreturnsallowed: falsefor every group because no per-group config exists. ThesenderFilterBypasspath insideresolveChannelGroupPolicyis never activated because thebot.tsclosure calling it never passeshasGroupAllowFrom.Root cause
In
src/telegram/bot.ts, theresolveGroupPolicyclosure callsresolveChannelGroupPolicywithout forwardinghasGroupAllowFrom:resolveChannelGroupPolicyalready has the correctsenderFilterBypasslogic (line 347–348 ofsrc/config/group-policy.ts) — it just never receives the flag.Fix
Pass
hasGroupAllowFromin the closure:Version
Introduced in v2026.2.26. Worked on v2026.2.25.
Additional context
A fix with regression tests is ready on branch
fix/telegram-group-allowlist-regression-28107. PR to follow.