refactor: generalize command sender identity checks

src/auto-reply/command-auth.ts

@@ -458,9 +458,6 @@ function isConversationLikeIdentity(value: string): boolean {
   if (!normalized) {
     return false;
   }
-  if (normalized.includes("@g.us")) {
-    return true;
-  }
   if (normalized.startsWith("chat_id:")) {
     return true;
   }

src/auto-reply/command-control.test.ts

@@ -48,18 +48,19 @@ describe("resolveCommandAuthorization", () => {
     setActivePluginRegistry(createTestRegistry(plugins));
   }
 
-  function resolveWhatsAppAuthorization(params: {
+  function resolveTestChannelAuthorization(params: {
     from: string;
     senderId?: string;
     senderE164?: string;
     allowFrom: string[];
   }) {
+    registerAllowFromPlugins(createAllowFromPlugin("mobilechat", () => params.allowFrom));
     const cfg = {
-      channels: { whatsapp: { allowFrom: params.allowFrom } },
+      channels: { mobilechat: { allowFrom: params.allowFrom } },
     } as OpenClawConfig;
     const ctx = {
-      Provider: "whatsapp",
-      Surface: "whatsapp",
+      Provider: "mobilechat",
+      Surface: "mobilechat",
       From: params.from,
       SenderId: params.senderId,
       SenderE164: params.senderE164,
@@ -74,7 +75,7 @@ describe("resolveCommandAuthorization", () => {
   it.each([
     {
       name: "falls back from empty SenderId to SenderE164",
-      from: "whatsapp:+999",
+      from: "mobilechat:+999",
       senderId: "",
       senderE164: "+123",
       allowFrom: ["+123"],
@@ -82,7 +83,7 @@ describe("resolveCommandAuthorization", () => {
     },
     {
       name: "falls back from whitespace SenderId to SenderE164",
-      from: "whatsapp:+999",
+      from: "mobilechat:+999",
       senderId: "   ",
       senderE164: "+123",
       allowFrom: ["+123"],
@@ -90,7 +91,7 @@ describe("resolveCommandAuthorization", () => {
     },
     {
       name: "falls back to From when SenderId and SenderE164 are whitespace",
-      from: "whatsapp:+999",
+      from: "+999",
       senderId: "   ",
       senderE164: "   ",
       allowFrom: ["+999"],
@@ -98,7 +99,7 @@ describe("resolveCommandAuthorization", () => {
     },
     {
       name: "falls back from un-normalizable SenderId to SenderE164",
-      from: "whatsapp:+999",
+      from: "mobilechat:+999",
       senderId: "wat",
       senderE164: "+123",
       allowFrom: ["+123"],
@@ -106,14 +107,14 @@ describe("resolveCommandAuthorization", () => {
     },
     {
       name: "prefers SenderE164 when SenderId does not match allowFrom",
-      from: "whatsapp:120363401234567890@g.us",
-      senderId: "123@lid",
+      from: "mobilechat:group:room-1",
+      senderId: "opaque-user",
       senderE164: "+41796666864",
       allowFrom: ["+41796666864"],
       expectedSenderId: "+41796666864",
     },
   ])("$name", ({ from, senderId, senderE164, allowFrom, expectedSenderId }) => {
-    const auth = resolveWhatsAppAuthorization({
+    const auth = resolveTestChannelAuthorization({
       from,
       senderId,
       senderE164,
@@ -559,7 +560,7 @@ describe("resolveCommandAuthorization", () => {
       const cfg = {
         commands: {
           allowFrom: {
-            "*": ["120363411111111111@g.us"],
+            "*": ["demo:group:room-1"],
           },
         },
       } as OpenClawConfig;
@@ -568,7 +569,7 @@ describe("resolveCommandAuthorization", () => {
         ctx: {
           Provider: "whatsapp",
           Surface: "whatsapp",
-          From: "120363411111111111@g.us",
+          From: "demo:group:room-1",
           SenderId: " ",
           SenderE164: " ",
         } as MsgContext,

src/secrets/channel-contract-surface-guardrails.test.ts

@@ -66,6 +66,10 @@ const CORE_SECRET_SURFACE_GUARDS = [
     path: "src/channels/conversation-label.ts",
     forbiddenPatterns: [/@g\.us/],
   },
+  {
+    path: "src/auto-reply/command-auth.ts",
+    forbiddenPatterns: [/@g\.us/],
+  },
   {
     path: "src/channels/plugins/setup-promotion-helpers.ts",
     forbiddenPatterns: [/\btelegram\b/],