fix(matrix): honor empty live allowlists

2026-05-06 18:30:44 +00:00 · 2026-04-19 15:43:23 -04:00
parent 58c9d4a2b2
commit 0e17a057b6
2 changed files with 36 additions and 11 deletions
--- a/extensions/matrix/src/matrix/monitor/handler.test.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.test.ts
@@ -1841,6 +1841,41 @@ describe("matrix monitor handler live allowlist reload", () => {
    expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
  });

+  it("blocks a DM sender after live wildcard removal", async () => {
+    const dispatchReplyFromConfig = createDispatchReplyFromConfig();
+    const cfg = {
+      channels: {
+        matrix: {
+          dm: { allowFrom: ["*"] },
+        },
+      },
+    };
+    const { handler } = createMatrixHandlerTestHarness({
+      cfg,
+      dmPolicy: "allowlist",
+      isDirectMessage: true,
+      allowFrom: ["*"],
+      allowFromResolvedEntries: [],
+      dispatchReplyFromConfig,
+    });
+
+    await sendLiveAllowlistMessage(handler, {
+      eventId: "$dm-wildcard-before",
+      sender: "@alice:example.org",
+      body: "hello",
+    });
+    expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
+
+    cfg.channels.matrix.dm.allowFrom = [];
+    await sendLiveAllowlistMessage(handler, {
+      eventId: "$dm-wildcard-after",
+      sender: "@alice:example.org",
+      body: "hello again",
+    });
+
+    expect(dispatchReplyFromConfig).toHaveBeenCalledTimes(1);
+  });
+
  it("uses account-scoped live dm.allowFrom overrides", async () => {
    const dispatchReplyFromConfig = createDispatchReplyFromConfig();
    const cfg = {
--- a/extensions/matrix/src/matrix/monitor/handler.ts
+++ b/extensions/matrix/src/matrix/monitor/handler.ts
@@ -216,14 +216,8 @@ function isMatrixHotReloadAllowlistEntry(entry: string): boolean {
 function resolveEffectiveMatrixLiveAllowlist(params: {
  liveEntries?: ReadonlyArray<string | number>;
  startupResolvedEntries?: readonly MatrixResolvedAllowlistEntry[];
-  fallbackEntries?: readonly string[];
 }): string[] {
  const liveEntries = normalizeConfiguredMatrixAllowlistEntries(params.liveEntries);
-  const startupResolvedEntries = params.startupResolvedEntries ?? [];
-  if (liveEntries.length === 0 && startupResolvedEntries.length === 0) {
-    return [...(params.fallbackEntries ?? [])];
-  }
-
  const liveInputs = new Set(liveEntries);
  const effective: string[] = [];
  const seen = new Set<string>();
@@ -245,7 +239,7 @@ function resolveEffectiveMatrixLiveAllowlist(params: {
      add(entry);
    }
  }
-  for (const entry of startupResolvedEntries) {
+  for (const entry of params.startupResolvedEntries ?? []) {
    if (liveInputs.has(entry.input)) {
      add(entry.id);
    }
@@ -420,9 +414,7 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
    runtime,
    logger,
    logVerboseMessage,
-    allowFrom,
    allowFromResolvedEntries = [],
-    groupAllowFrom = [],
    groupAllowFromResolvedEntries = [],
    roomsConfig,
    accountAllowBots,
@@ -713,12 +705,10 @@ export function createMatrixRoomMessageHandler(params: MatrixMonitorHandlerParam
        const liveDmAllowFrom = resolveEffectiveMatrixLiveAllowlist({
          liveEntries: liveAccountAllowlists.dmAllowFrom,
          startupResolvedEntries: allowFromResolvedEntries,
-          fallbackEntries: allowFrom,
        });
        const liveGroupAllowFrom = resolveEffectiveMatrixLiveAllowlist({
          liveEntries: liveAccountAllowlists.groupAllowFrom,
          startupResolvedEntries: groupAllowFromResolvedEntries,
-          fallbackEntries: groupAllowFrom,
        });
        const accessState = resolveMatrixMonitorAccessState({
          allowFrom: liveDmAllowFrom,