Skip to content

fix(cron/whatsapp): route implicit delivery to allowlisted recipients#21533

Merged
Takhoffman merged 1 commit intomainfrom
issue-19701-guided
Feb 20, 2026
Merged

fix(cron/whatsapp): route implicit delivery to allowlisted recipients#21533
Takhoffman merged 1 commit intomainfrom
issue-19701-guided

Conversation

@Takhoffman
Copy link
Copy Markdown
Contributor

@Takhoffman Takhoffman commented Feb 20, 2026
edited by greptile-apps bot
Loading

Fixes #19701

Summary

  • add synchronous pairing-store allowFrom reader for runtime target resolution paths
  • enforce allowlisted recipient selection for implicit WhatsApp cron delivery when last-route points to a non-allowlisted chat
  • constrain WhatsApp heartbeat recipient resolution to allowlisted recipients when allowFrom exists (configured + pairing-store)
  • add focused regression tests for heartbeat recipient filtering and implicit cron reroute behavior

Validation

  • pnpm install --frozen-lockfile
  • pnpm build
  • pnpm check
  • pnpm test:macmini

Greptile Summary

This PR enforces allowlisted recipient routing for implicit WhatsApp delivery in cron jobs and heartbeats by merging configured and pairing-store allowFrom entries, preventing scheduled messages from being sent to unauthorized recipients when session history points to non-allowlisted chats.

Key changes:

  • Added readChannelAllowFromStoreSync function in pairing-store.ts:354-370 to synchronously read allowFrom entries from both scoped and legacy storage paths
  • Modified resolveWhatsAppHeartbeatRecipients in whatsapp-heartbeat.ts:46-94 to merge configured and pairing-store allowFrom lists, then filter session recipients against this merged allowlist before selecting a target
  • Updated resolveDeliveryTarget in delivery-target.ts:118-137 to reroute implicit WhatsApp deliveries to the first allowlisted recipient when the session's last target is not in the merged allowFrom list
  • Added comprehensive test coverage for both heartbeat recipient filtering and cron delivery rerouting scenarios

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The implementation is well-tested with focused regression tests covering both heartbeat and cron delivery scenarios, follows existing patterns for allowFrom handling, properly handles edge cases (no allowFrom, empty lists, unauthorized recipients), and the synchronous file reading approach is appropriate for the runtime context where these functions are called
  • No files require special attention

Last reviewed commit: c0ddbab

@openclaw-barnacle openclaw-barnacle bot added size: S maintainer Maintainer-authored PR labels Feb 20, 2026
@Takhoffman Takhoffman merged commit d9e4602 into main Feb 20, 2026
27 checks passed
@Takhoffman Takhoffman deleted the issue-19701-guided branch February 20, 2026 02:33
@Takhoffman
Copy link
Copy Markdown
Contributor Author

Takhoffman commented Feb 20, 2026

PR #21533 - fix(cron/whatsapp): route implicit delivery to allowlisted recipients (#21533)

Merged via squash.

  • Merge commit: d9e4602
  • Verified: pnpm build, pnpm check, pnpm test:macmini
  • Changelog: CHANGELOG.md updated=true required=true opt_out=false

Thanks @Takhoffman!

vignesh07 pushed a commit to pahdo/openclaw that referenced this pull request Feb 20, 2026
@Takhoffman @vignesh07
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
3d50a46 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
anisoptera pushed a commit to anisoptera/openclaw that referenced this pull request Feb 20, 2026
@Takhoffman @anisoptera
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
237530c 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
rodrigogs pushed a commit to rodrigogs/openclaw that referenced this pull request Feb 20, 2026
@Takhoffman
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
d77f81a 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
Hansen1018 added a commit to Hansen1018/openclaw that referenced this pull request Feb 21, 2026
@Hansen1018 @Takhoffman
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
e6ed8c6 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
vincentkoc pushed a commit that referenced this pull request Feb 21, 2026
@Takhoffman @vincentkoc
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
8e9aaa2 
…#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
vincentkoc pushed a commit that referenced this pull request Feb 21, 2026
@Takhoffman @vincentkoc
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
fb47233 
…#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
mmyyfirstb pushed a commit to mmyyfirstb/openclaw that referenced this pull request Feb 21, 2026
@Takhoffman @mmyyfirstb
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
39c330e 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
obviyus pushed a commit to guirguispierre/openclaw that referenced this pull request Feb 22, 2026
@Takhoffman @obviyus
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
d33e6bd 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
@github-actions github-actions bot mentioned this pull request Feb 22, 2026
Closed
@jiulingyun jiulingyun mentioned this pull request Feb 22, 2026
Closed
6 tasks
Copilot AI mentioned this pull request Feb 22, 2026
Closed
zooqueen pushed a commit to hanzoai/bot that referenced this pull request Mar 6, 2026
@Takhoffman
fix(cron/whatsapp): route implicit delivery to allowlisted recipients (
ca62831 
…openclaw#21533) thanks @Takhoffman

Verified:
- pnpm build
- pnpm check
- pnpm test:macmini

Co-authored-by: Tak Hoffman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

maintainer Maintainer-authored PR size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Cron jobs and system notifications sent to wrong WhatsApp conversations

1 participant

@Takhoffman