Explicit-mode sends (agent tool calls, gateway send command) bypassed
the allowFrom allowlist on every channel adapter. An agent hallucination
or prompt injection could send messages to arbitrary recipients despite
dmPolicy: "allowlist" being configured.
Fix by:
- Adding allowlist enforcement to the default fallback in targets.ts,
covering all channels without a custom resolveTarget (Discord, Slack,
Matrix, MS Teams, etc.)
- Fixing WhatsApp (core + extension), Twitch, and Google Chat adapters
to reject explicit sends to non-allowlisted targets
- Enforcing allowlist on WhatsApp group JIDs (previously unguarded)
Implicit and heartbeat modes still fall back to allowList[0] as before.
AI-assisted (Claude). Tested locally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
513f3556e7