From 734a7a476d6d0a2d380f4e690563f1d3418a27b5 Mon Sep 17 00:00:00 2001
From: Nick Sullivan
Date: Thu, 29 Jan 2026 12:42:08 -0600
Subject: [PATCH] fix(whatsapp): gate reactions by DM/group access controls

Address Codex review - reactions now respect the same access controls as messages (dmPolicy, allowlists, etc). Self-reactions bypass the check since they're our own actions, not inbound events.

Co-Authored-By: Claude Opus 4.5
---
 src/web/inbound/monitor.ts | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/web/inbound/monitor.ts b/src/web/inbound/monitor.ts
index aabc6d5fc..e68763468 100644
--- a/src/web/inbound/monitor.ts
+++ b/src/web/inbound/monitor.ts
@@ -352,6 +352,31 @@ export async function monitorWebInbox(options: {
 }
 const senderE164 = senderJid ? await resolveInboundJid(senderJid) : null;
 
+ // Gate reactions by the same access controls as messages (skip for our own reactions)
+ const isOwnReaction = Boolean(reactionKey?.fromMe);
+ if (!isOwnReaction) {
+ const from = group ? chatJid : await resolveInboundJid(chatJid);
+ if (!from) continue;
+ const access = await checkInboundAccessControl({
+ accountId: options.accountId,
+ from,
+ selfE164,
+ senderE164,
+ group,
+ isFromMe: false,
+ connectedAtMs,
+ sock: { sendMessage: (jid, content) => sock.sendMessage(jid, content) },
+ remoteJid: chatJid,
+ });
+ if (!access.allowed) {
+ inboundLogger.debug(
+ { chatJid, senderJid, group },
+ "reaction blocked by access control",
+ );
+ continue;
+ }
+ }
+
 const chatType = group ? "group" : "direct";
 inboundLogger.info(
 {
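Review bot: The self-reaction bypass keys on `reactionKey?.fromMe`, and whether that is safe depends on what `reactionKey` is, which is declared outside this hunk: if it is the key of the message being reacted to (the reaction payload's own `key` field, which in WhatsApp points at the target message) rather than the key of the inbound reaction event, then `fromMe` marks a reaction to one of our messages, not a reaction sent by us, and any sender reacting to our messages would skip the access check entirely. Confirm which key it is and, if needed, take `fromMe` from the inbound envelope's own message key; a one-line comment naming the source would also help, e.g. `// reactionKey is the inbound reaction event's key, so fromMe means we sent the reaction`. Separately, `if (!from) continue;` drops the event with no log line while the access-denied branch logs at debug, so a matching `inboundLogger.debug({ chatJid, senderJid }, "reaction dropped: unresolved chat jid");` would keep the two exit paths consistent. The hunk also hands `checkInboundAccessControl` a live `sendMessage` wrapper, so whatever reply behaviour the access control has for blocked DMs will now fire on reactions too, which may or may not be intended. The enclosing `monitorWebInbox` loop starts and ends outside the hunk.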