fix(doctor): materialize group allowFrom fallback

[steipete]

Summary

• Add a doctor repair that materializes fallback-enabled channel allowFrom entries into explicit groupAllowFrom allowlists.
• Run the migration after allowlist/open-policy repairs so recovered and dmPolicy="open" sources are preserved.
• Align MS Teams doctor metadata with runtime fallback behavior and cover sequencing/capability edge cases.

Verification

• git diff --check origin/main...HEAD
• OPENCLAW_BUNDLED_PLUGINS_DIR=/Users/steipete/Projects/clawdbot6/extensions OPENCLAW_TEST_TRUST_BUNDLED_PLUGINS_DIR=1 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/commands/doctor/shared/allowfrom-fallback-migration.test.ts src/commands/doctor/repair-sequencing.test.ts src/commands/doctor/channel-capabilities.test.ts src/commands/doctor-config-flow.test.ts -- --reporter=verbose
• /Users/steipete/Projects/agent-scripts/skills/codex-review/scripts/codex-review --mode local --full-access --parallel-tests "OPENCLAW_BUNDLED_PLUGINS_DIR=/Users/steipete/Projects/clawdbot6/extensions OPENCLAW_TEST_TRUST_BUNDLED_PLUGINS_DIR=1 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/commands/doctor/shared/allowfrom-fallback-migration.test.ts src/commands/doctor/repair-sequencing.test.ts src/commands/doctor/channel-capabilities.test.ts src/commands/doctor-config-flow.test.ts -- --reporter=verbose"

Behavior addressed: openclaw doctor --fix preserves existing group sender access for channels whose runtime currently falls back from groupAllowFrom to allowFrom, without adding runtime fallback-transition flags.
Real environment tested: Local OpenClaw source checkout with source plugin metadata forced through OPENCLAW_BUNDLED_PLUGINS_DIR=/Users/steipete/Projects/clawdbot6/extensions.
Exact steps or command run after this patch: OPENCLAW_BUNDLED_PLUGINS_DIR=/Users/steipete/Projects/clawdbot6/extensions OPENCLAW_TEST_TRUST_BUNDLED_PLUGINS_DIR=1 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/commands/doctor/shared/allowfrom-fallback-migration.test.ts src/commands/doctor/repair-sequencing.test.ts src/commands/doctor/channel-capabilities.test.ts src/commands/doctor-config-flow.test.ts -- --reporter=verbose
Evidence after fix: 47 focused Vitest tests passed; git diff --check origin/main...HEAD passed; Codex review reported no accepted/actionable findings.
Observed result after fix: Doctor copies normalized/deduped allowFrom entries to groupAllowFrom, respects nested DM mode, account scope, disabled entries, non-fallback channels, inherited channel group allowlists, and MS Teams fallback metadata.
What was not tested: Full pnpm check, live gateway, and real channel inbound flows.

Replaces and closes #81259.

[github-actions]

Dependency Changes Detected

This PR changes dependency-related files. Maintainers should confirm these changes are intentional.

Changed files:

• extensions/msteams/package.json

Maintainer follow-up:

• Review whether the dependency changes are intentional.
• Inspect resolved package deltas when lockfile or workspace dependency policy changes are present.
• Run pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json locally for detailed release-style evidence.

[clawsweeper]

ClawSweeper status: review started.

I am starting a fresh review of this pull request: fix(doctor): materialize group allowFrom fallback This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

[steipete]

Landed via squash merge onto main.

• Source head: a76b666
• Merge commit: cce1269
• Gate: pnpm build:plugin-sdk:strict-smoke
• Gate: OPENCLAW_BUNDLED_PLUGINS_DIR=/Users/steipete/Projects/clawdbot6/extensions OPENCLAW_TEST_TRUST_BUNDLED_PLUGINS_DIR=1 OPENCLAW_VITEST_MAX_WORKERS=1 pnpm test src/commands/doctor/shared/allowfrom-fallback-migration.test.ts src/commands/doctor/repair-sequencing.test.ts src/commands/doctor/channel-capabilities.test.ts src/commands/doctor-config-flow.test.ts -- --reporter=verbose
• Review: codex-review clean, no accepted/actionable findings
• GitHub: Real behavior proof passed with maintainer override; no failures on the rebased head before merge

Thanks @steipete.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a76b666029

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Require explicit fallback metadata before migrating

maybeRepairGroupAllowFromFallback runs on every non-pseudo channel and gates only on getDoctorChannelCapabilities(channelName).groupAllowFromFallbackToAllowFrom, but unknown/external channels inherit the default capabilities where this flag is true. As a result, openclaw doctor --fix will copy allowFrom into groupAllowFrom for plugins that never declared fallback support, which can silently broaden group sender access when those plugins treat DM and group allowlists separately.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Preserve explicit empty account allowFrom overrides

After channel-level migration sets channel.groupAllowFrom, accounts with an explicit empty allowFrom ([]) hit this early return and do not get an account-scoped groupAllowFrom. In merged account configs, they then inherit the new channel groupAllowFrom, which flips that account from “no allowed group senders” to allowing the parent list. This is an access-control behavior change introduced by the repair, rather than preserving pre-fix behavior.

Useful? React with 👍 / 👎.