sendPolicy deny blocks inbound message processing, not just outbound delivery

[omarshahine]

Bug

session.sendPolicy deny rules block inbound message processing, not just outbound delivery. When a deny rule matches (e.g., {action: "deny", match: {channel: "whatsapp", chatType: "group"}}), the inbound message is silently dropped — the agent never sees it.

The docs say sendPolicy "controls cross-session send permissions" — it should only gate whether the agent's response is delivered, not whether the inbound message is processed.

Affected Code

Primary: src/auto-reply/reply/dispatch-from-config.ts (lines ~461-481)

const sendPolicy = resolveSendPolicy({...});
if (sendPolicy === "deny" && !bypassAcpForCommand) {
  // Returns early BEFORE the agent processes the message
  return { queuedFinal: false, counts };
}

This check happens BEFORE getReplyFromConfig() (line ~549) which runs the agent. The message is dropped without the agent ever seeing it.

Secondary: src/auto-reply/reply/commands-core.ts (lines ~314-324)

if (sendPolicy === "deny") {
  return { shouldContinue: false };
}

This blocks slash command processing for denied sessions. This is arguably correct behavior and should be left as-is.

Expected Behavior

• sendPolicy: "deny" should suppress delivery of the agent's response only
• The agent should still process the inbound message (for context, memory, tool calls, etc.)
• Slash commands from denied sessions can reasonably remain blocked

Proposed Fix

In dispatch-from-config.ts:

1. Replace the early return block (lines 473-481) with a flag: const suppressDelivery = sendPolicy === "deny" && !bypassAcpForCommand;
2. Before the delivery loop (line ~641), check suppressDelivery and skip delivery while still returning normally
3. The agent still processes inbound messages via getReplyFromConfig(), maintaining context and memory

This separates the "should the agent see this message" decision from the "should the response be delivered" decision, matching the documented intent of sendPolicy.

[Hollychou924]

Excellent root cause documentation — the fix direction is exactly right

The reporter has correctly identified the issue and the affected code. Here's a deeper look at the fix and a key edge case to handle.

Why this matters

A common use case: configure sendPolicy: deny for a group chat to prevent the agent from responding publicly, while still having the agent process group messages for context, memory capture, or tool execution (e.g., reading mentions, updating notes). The current behavior makes this impossible — the agent can't silently observe a group it's been told not to reply to.

The proposed fix is correct — with one important addition

The reporter's fix in dispatch-from-config.ts is right:

// Instead of early return:
const suppressDelivery = sendPolicy === 'deny' && !bypassAcpForCommand;

// ... proceed to getReplyFromConfig() ...

// Before delivery loop:
if (!suppressDelivery) {
  // deliver response
}

Important edge case: suppress streaming too

If delivery is suppressed but the agent still runs, make sure streaming events (partial tokens, tool call events) are also suppressed from being sent to the originating channel. Otherwise you may deliver partial output while suppressing the final message:

const agentRunOptions = {
  suppressDelivery,
  suppressStreaming: suppressDelivery, // ← prevent partial events from leaking
  // ...
};

Secondary: Log that suppression occurred (for debuggability)

Add a debug-level log when delivery is suppressed so users can verify their sendPolicy is working as expected:

if (suppressDelivery) {
  logger.debug('[dispatch] inbound processed, outbound delivery suppressed by sendPolicy:deny', {
    channel: message.channel,
    chatType: message.chatType,
  });
}

The commands-core.ts behavior

The reporter is also correct that blocking slash commands from denied sessions (commands-core.ts) is arguably intentional — slash commands modify gateway state, so preventing them from denied sessions is a security gate, not a bug.