fix(elevated): reject group ids as senders

[eleqtrizit]

Summary

Tighten elevated allowlist sender matching so shared conversation identifiers are not treated as sender identities.

Changes

• Extract the existing From sender-fallback guard into src/auto-reply/sender-identity.ts.
• Reuse that guard in elevated allowlist matching before adding ctx.From tokens.
• Add regression coverage for group conversation IDs, missing chat type, and direct-chat from: fallback behavior.

Validation

• node scripts/run-vitest.mjs src/auto-reply/reply/reply-elevated.test.ts src/auto-reply/command-auth.owner-default.test.ts
• node --import tsx --input-type=module source-level elevated allowlist proof for group and missing-chat-type contexts
• corepack pnpm exec oxfmt --check --threads=1 src/auto-reply/sender-identity.ts src/auto-reply/command-auth.ts src/auto-reply/reply/reply-elevated.ts src/auto-reply/reply/reply-elevated.test.ts
• corepack pnpm tsgo:core
• .agents/skills/autoreview/scripts/autoreview --mode local clean after one accepted finding was fixed

Notes

AI-assisted by Codex. CHANGELOG.md was not updated.

Real behavior proof:
Behavior addressed: elevated allowlist matching no longer treats group conversation IDs as sender identities.
Real environment tested: local OpenClaw source checkout on branch 743 after dependency hydration with corepack pnpm install --frozen-lockfile.
Exact steps or command run after this patch: targeted Vitest, source-level resolveElevatedPermissions proof, formatter check, core tsgo, and autoreview commands listed above.
Evidence after fix: group and missing-chat-type source-level checks returned allowed:false with tools.elevated.allowFrom.whatsapp failure.
Observed result after fix: direct-chat from: fallback remains allowed, while group conversation ID allowlist entries are rejected.
What was not tested: live WhatsApp device traffic.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 9, 2026, 3:15 PM ET / 19:15 UTC.

Summary
The PR extracts the command-auth From fallback guard into a shared helper, applies it to elevated allowlist matching, and adds resolver regression tests for group conversation IDs and direct From fallback.

PR surface: Source +10, Tests +26. Total +36 across 4 files.

Reproducibility: yes. Current-main source inspection shows elevated matching unconditionally adds ctx.From, while the WhatsApp inbound contract uses From as the group conversation id and separate sender fields for the actor.

Review metrics: 1 noteworthy metric.

• Elevated allowlist compatibility: 1 entry class now fails closed. WhatsApp group conversation-id entries in tools.elevated.allowFrom.whatsapp stop granting elevated mode, so maintainers should notice the upgrade behavior before merge.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• [P1] Have a maintainer explicitly accept the fail-closed WhatsApp group-id upgrade behavior or request upgrade-facing wording before merge.

Risk before merge

• [P1] Existing tools.elevated.allowFrom.whatsapp entries that use a WhatsApp group conversation id will stop authorizing elevated mode after this PR; that fail-closed change is probably correct, but it is upgrade-visible.
• [P1] The protected maintainer label means this should not be closed or auto-landed without explicit maintainer handling even though the code review found no blocking defect.

Maintainer options:

1. Accept fail-closed elevated authorization (recommended)
   A maintainer can intentionally accept that group conversation-id entries no longer grant elevated access because elevated mode is a security boundary and sender identities remain supported.
2. Add upgrade-facing wording before merge
   If maintainers want more operator guidance, require a PR-body, squash-message, or docs note explaining that WhatsApp elevated allowlists must use sender id or E.164 identities.
3. Pause if group-level elevated access is desired
   If maintainers actually want shared group ids to authorize elevated mode, pause this PR and design that as an explicit product policy rather than preserving the accidental fallback.

Next step before merge

• [P1] The remaining action is maintainer acceptance of the upgrade-visible fail-closed behavior, not a concrete automation repair.

Security
Cleared: The diff does not add dependencies, scripts, secret handling, or supply-chain surface, and it tightens elevated authorization; compatibility is tracked separately.

Review details

Best possible solution:

Land this after a maintainer explicitly accepts the fail-closed elevated allowlist behavior and the PR body or squash message names the operator-facing upgrade note: allowlist individual sender identities, not shared group conversation ids.

Do we have a high-confidence way to reproduce the issue?

Yes. Current-main source inspection shows elevated matching unconditionally adds ctx.From, while the WhatsApp inbound contract uses From as the group conversation id and separate sender fields for the actor.

Is this the best way to solve the issue?

Yes, with a maintainer compatibility decision still required. Sharing the existing generic From fallback guard is narrower than a WhatsApp-specific parser in core and keeps the owner boundary clean.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 8b84e951e5a6.

Label changes

Label changes:

• add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The follow-up comment includes terminal proof against the patched resolver showing group context denied and direct from: fallback allowed after the fix.
• remove rating: 🦐 gold shrimp: Current PR rating is rating: 🐚 platinum hermit, so this older rating label is no longer current.
• remove status: ⏳ waiting on author: Current PR status label is status: 👀 ready for maintainer look.

Label justifications:

• P1: The PR affects elevated-mode authorization, which is a user-facing security boundary for sandbox escape behavior.
• merge-risk: 🚨 compatibility: Merging changes how existing elevated allowlist entries containing WhatsApp group conversation ids behave during upgrade.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🦞 diamond lobster.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The follow-up comment includes terminal proof against the patched resolver showing group context denied and direct from: fallback allowed after the fix.
• proof: sufficient: Contributor real behavior proof is sufficient. The follow-up comment includes terminal proof against the patched resolver showing group context denied and direct from: fallback allowed after the fix.

Evidence reviewed

PR surface:

Source +10, Tests +26. Total +36 across 4 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	3	38	28	+10
Tests	1	26	0	+26
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	4	64	28	+36

What I checked:

• Current-main bug path: Current main unconditionally adds ctx.From to elevated sender identity tokens, so a group conversation id can satisfy tools.elevated.allowFrom before this PR. (src/auto-reply/reply/reply-elevated.ts:97, 8b84e951e5a6)
• PR guarded elevated From fallback: At the PR head, elevated matching only adds ctx.From when shouldUseFromAsSenderFallback accepts it, aligning elevated matching with command authorization. (src/auto-reply/reply/reply-elevated.ts:98, fe8020d99dab)
• Shared generic helper: The new helper rejects non-direct chat From fallback and generic conversation-shaped identifiers without embedding WhatsApp-specific group-JID parsing in core. (src/auto-reply/sender-identity.ts:19, fe8020d99dab)
• Regression coverage: The PR adds tests that reject a WhatsApp group conversation id as an elevated sender and preserve direct-chat from: fallback behavior. (src/auto-reply/reply/reply-elevated.test.ts:73, fe8020d99dab)
• WhatsApp inbound contract: WhatsApp marks from as the conversation id and carries the actor through sender identity fields, so core elevated authorization should use sender fields for group senders. (extensions/whatsapp/src/inbound/types.ts:59, 8b84e951e5a6)
• Generic inbound context contract: The channel inbound builder projects From, ChatType, and SenderId as separate fields, supporting the PR's separation between conversation id and sender identity. (src/channels/inbound-event/context.ts:483, 8b84e951e5a6)

Likely related people:

• vincentkoc: git blame and git show --stat tie the current elevated resolver, command-auth guard, docs, and WhatsApp inbound contract in this checkout to commit b08e110 authored by Vincent Koc. (role: introduced behavior and recent area contributor; confidence: high; commits: b08e1109c67e; files: src/auto-reply/reply/reply-elevated.ts, src/auto-reply/command-auth.ts, extensions/whatsapp/src/inbound/types.ts)
• thomas.krohnfuss: The same root commit that introduced the relevant current-main surfaces includes Thomas Krohnfuss as a co-author, but the local history does not show a more specific per-file split. (role: adjacent co-author signal; confidence: low; commits: b08e1109c67e; files: src/auto-reply/reply/reply-elevated.ts, src/auto-reply/command-auth.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[eleqtrizit]

ClawSweeper follow-up for the owner-boundary finding is addressed in fe8020d99d.

What changed after the review:

• Removed the WhatsApp-specific @g.us detector from core src/auto-reply/sender-identity.ts.
• Removed the missing-ChatType regression that depended on that service-specific parser.
• Kept the generic elevated fix: core only uses ctx.From as a sender fallback when the normalized chat type is direct, or when the value has generic conversation-like prefixes such as group: / channel: / thread:.

Why this satisfies the boundary concern:

• WhatsApp-owned code still provides the canonical contract: extensions/whatsapp/src/inbound/types.ts defines from as the conversation id, and extensions/whatsapp/src/auto-reply/monitor/on-message.ts sends group messages with ChatType: "group", From as the group conversation id, and the actual actor in SenderId / SenderE164.
• Core no longer embeds WhatsApp group-JID syntax. The elevated authorization decision now relies on the channel-provided ChatType / sender identity contract, which is the generic seam ClawSweeper asked for.

Real behavior proof after the patch:

node --import tsx --input-type=module <<'NODEPROOF'
import { resolveElevatedPermissions } from './src/auto-reply/reply/reply-elevated.ts';

const cfg = {
  tools: {
    elevated: {
      enabled: true,
      allowFrom: { whatsapp: ['120363411111111111@g.us'] },
    },
  },
};
const groupCtx = {
  Provider: 'whatsapp',
  Surface: 'whatsapp',
  ChatType: 'group',
  SenderId: '+15550002222',
  From: '120363411111111111@g.us',
  SenderE164: '+15550002222',
  To: '+15559990000',
};
const directCfg = {
  tools: {
    elevated: {
      enabled: true,
      allowFrom: { whatsapp: ['from:whatsapp:+15550001111'] },
    },
  },
};
const directCtx = {
  Provider: 'whatsapp',
  Surface: 'whatsapp',
  ChatType: 'direct',
  SenderId: undefined,
  From: 'whatsapp:+15550001111',
  SenderE164: undefined,
  To: '+15559990000',
};
console.log('GROUP=' + JSON.stringify(resolveElevatedPermissions({ cfg, agentId: 'main', provider: 'whatsapp', ctx: groupCtx })));
console.log('DIRECT=' + JSON.stringify(resolveElevatedPermissions({ cfg: directCfg, agentId: 'main', provider: 'whatsapp', ctx: directCtx })));
NODEPROOF

Observed output:

GROUP={"enabled":true,"allowed":false,"failures":[{"gate":"allowFrom","key":"tools.elevated.allowFrom.whatsapp"}]}
DIRECT={"enabled":true,"allowed":true,"failures":[]}

Validation run:

node scripts/run-vitest.mjs src/auto-reply/reply/reply-elevated.test.ts src/auto-reply/command-auth.owner-default.test.ts
-> 2 files passed, 14 tests passed

corepack pnpm exec oxfmt --check --threads=1 src/auto-reply/sender-identity.ts src/auto-reply/command-auth.ts src/auto-reply/reply/reply-elevated.ts src/auto-reply/reply/reply-elevated.test.ts
-> All matched files use the correct format.

corepack pnpm tsgo:core
-> passed

Upgrade behavior is intentional: existing tools.elevated.allowFrom.whatsapp entries that contain a WhatsApp group conversation id now fail closed for elevated mode. Operators should allowlist individual sender identities such as sender id / E.164 values for elevated access. The config schema is unchanged and direct-chat from: fallback behavior remains allowed.

What was not tested: live WhatsApp device traffic.

[eleqtrizit]

Relevance

The PR addresses GHSA-fh38-965w-f6c3, a high-severity authorization bypass in the elevated-mode sender allowlist. Three independent relevance checks confirmed the issue is in scope: the elevated allowlist unconditionally treated ctx.From as a sender identity, but on WhatsApp group ingress From is the shared group conversation JID while the actual sender is carried in SenderId/SenderE164. The sibling command-auth path already had the correct invariant via shouldUseFromAsSenderFallback(), but the elevated path did not reuse it. The vulnerability was verified unfixed on both the latest main commit and the latest shipped stable tag.

Compatibility

A dedicated compatibility check confirmed the fix is safe to merge. No exported symbols were removed or renamed, no config key shapes changed, no CLI flags or gateway protocol messages were altered, and no compatibility shims were added. The tools.elevated.allowFrom schema remains identical. Docs describe elevated allowlists as sender allowlists, not conversation allowlists, so the fix aligns runtime behavior with the documented contract. Direct-chat From fallback, individual SenderId/SenderE164 entries, wildcards, and mutable-field matchers all continue to work identically. The only user-visible change is that a group conversation JID configured in allowFrom will no longer grant elevated access to every group participant — which is the vulnerability being fixed, not a supported contract.

ClawSweeper

ClawSweeper started a review but did not complete it — the placeholder comment was posted but never edited with findingsched findings. After the initial review, the WhatsApp-specific @g.us detector was removed from core per the owner-boundary concern, keeping only the generic ChatType-based invariant and generic conversation-like prefix matching. The ClawSweeper review gap was noted but does not represent blocking findings against the code.

Code Reviews Completed

Multiple independent code reviews were conducted, each covering the full changed surface. All reviews confirmed the fix is correct, targeted, and follows OpenClaw best practices. The fix extracts the existing shouldUseFromAsSenderFallback() invariant from command-auth.ts into a shared module and reuses it in the elevated path before populating senderFromTokens. Defense-in-depth is provided by guarding on both ChatType metadata and generic conversation-like identity patterns. Regression tests cover the primary vulnerability path, the missing-metadata edge case, and the backward-compatibility guarantee. No bypass paths were identified. All reviews returned an approve-for-merge recommendation.

---

Checks Completed

Check	Status
Relevance verification (3 independent checks)	✅ Confirmed in scope, not yet fixed
Compatibility analysis	✅ Safe to merge, no config/schema/API changes
Source-level behavioral proof	✅ Group JID denied, direct-chat fallback allowed
Unit tests (reply-elevated.test.ts, command-auth.owner-default.test.ts)	✅ 2 files, 14 tests passed
Formatting (oxfmt --check)	✅ Passed
Type checking (tsgo:core)	✅ Passed
Import cycle check	✅ No new cycles
CI checks (lint, prod types, test types, auto-reply checks, security checks, boundary checks)	✅ All passing on head SHA
Code review — architecture and correctness	✅ Clean extraction, no dead code, no bypass paths
Code review — security and defense-in-depth	✅ Dual guard (ChatType + pattern), no new attack surface
Code review — testing and regression coverage	✅ 3 new focused test cases covering vulnerability, edge case, and compatibility
Code review — compatibility and migration	✅ No migration needed, no operator action required
USER.md not committed to PR	✅ Verified excluded