fix(feishu): admit groups explicitly listed under channels.feishu.groups (#67687)

[MoerAI]

Summary

A Feishu group whose only configured override is channels.feishu.groups.<chat_id>.requireMention=false (with no groupAllowFrom) was silently dropped on the inbound path because the schema-default groupPolicy="allowlist" rejects an empty allowlist before the per-group requireMention is ever evaluated. Treat the explicit presence of a group entry under channels.feishu.groups as the operator's allowlist signal so the per-group settings actually take effect.

Root Cause

In extensions/feishu/src/bot.ts, handleFeishuMessage resolves groupConfig from channels.feishu.groups.<chat_id> and then runs isFeishuGroupAllowed({ groupPolicy, allowFrom: groupAllowFrom, ... }) against the top-level groupAllowFrom only. With the validated config defaults (groupPolicy="allowlist", groupAllowFrom=[]), evaluateSenderGroupAccessForPolicy returns allowed:false, reason:"empty_allowlist" and handleFeishuMessage returns before resolveFeishuReplyPolicy (which honors per-group requireMention) ever runs. Result: every group message is dropped, exactly as reported by @Artyomkun in #67687.

Changes

• extensions/feishu/src/bot.ts: in the group admission block, check whether the group is explicitly listed under channels.feishu.groups.<chat_id> (via the already-resolved groupConfig). If yes, treat it as admitted regardless of groupAllowFrom. Existing behaviors are preserved: groupConfig.enabled === false still drops the message, the per-sender effectiveGroupSenderAllowFrom allowlist still applies, and resolveFeishuReplyPolicy still owns mention gating.
• extensions/feishu/src/bot.test.ts: add a regression test that exercises the reporter's exact config shape (only groups."oc-explicit-group".requireMention=false, no top-level groupAllowFrom, default groupPolicy="allowlist") and asserts the inbound text reaches finalizeInboundContext/dispatchReplyFromConfig.

Reproduction (before fix)

With the reporter's config and the prior code, handleFeishuMessage logs feishu[<account>]: group <chat_id> not in groupAllowFrom (groupPolicy=allowlist) and returns. The new test in bot.test.ts failed before this fix (it expected mockFinalizeInboundContext/mockDispatchReplyFromConfig to be called and they were not, because the function returned at the admission gate).

Verification (after fix)

$ pnpm test extensions/feishu/src/bot.test.ts
 Test Files  1 passed (1)
      Tests  55 passed (55)

pnpm tsgo:prod (core + extensions) and pnpm lint:extensions both exit 0. Full extension suite shows 663/666 pass; the 3 failures are in extensions/feishu/src/docx.test.ts (feishu_doc image fetch hardening), reproduce on upstream/main without this change, and are unrelated to the group admission code path.

Test

• Regression test: extensions/feishu/src/bot.test.ts > admits group when chat_id is explicitly configured under groups, even with empty groupAllowFrom (#67687) — verifies the reporter's config shape is admitted.
• Full Feishu bot suite: pnpm test extensions/feishu/src/bot.test.ts — 55/55 pass.
• No change to src/plugin-sdk/group-access.ts (shared by Teams/Mattermost/Zalo/Feishu); fix is intentionally plugin-local to avoid cross-plugin regressions.

Notes

• This follows the conservative direction in clawsweeper's review on [Bug]: Group messages not reaching session - requireMention: false not working (Feishu) #67687 ("treat explicit channels.feishu.groups.<chat_id> entries as admitted groups under groupPolicy: 'allowlist'").
• Backwards compatible: configurations that already worked (top-level groupAllowFrom populated, or groupPolicy="open", or no groups.<chat_id> entry) keep their existing behavior.

Closes #67687

[greptile-apps]

Greptile Summary

This PR fixes a bug where Feishu group messages were silently dropped when a group was explicitly configured under channels.feishu.groups.<chat_id> but groupAllowFrom was left empty. The schema-default groupPolicy="allowlist" with an empty allowlist caused isFeishuGroupAllowed to reject the group before any per-group settings (e.g. requireMention=false) could take effect. The fix correctly short-circuits the allowlist check when groupConfig !== undefined, treating explicit group configuration as the operator's allowlist signal. The downstream guards (enabled === false, sender allowlist, resolveFeishuReplyPolicy) are all preserved.

Confidence Score: 5/5

This PR is safe to merge — the fix is minimal, well-targeted, and backed by a regression test.

The change is a single short-circuit in the group admission gate, all other security guards remain intact, and a regression test covering the exact reported config shape passes. No cross-plugin risk since the fix is plugin-local.

No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(feishu): admit groups explicitly lis..." | Re-trigger Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5b5c963bed

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve groupPolicy checks when applying group overrides

groupAllowed now short-circuits to true whenever groupConfig is defined, which skips isFeishuGroupAllowed entirely. Because resolveFeishuGroupConfig can return wildcard config (groups["*"]) for any chat ID (extensions/feishu/src/policy.ts:128-149), a wildcard per-group override like requireMention will admit every group regardless of groupAllowFrom, and even bypass groupPolicy: "disabled". This is an access-control regression for allowlist/disabled deployments and was introduced by this change.

Useful? React with 👍 / 👎.