#19757: fix(security): OC-91 enforce JID allowlist validation in WhatsApp send tools — Aether AI Agent
Labels: agents, size: XS, trusted-contributor
## Summary
- **Attack vector**: `sendReactionWhatsApp` in `src/agents/tools/whatsapp-actions.ts` accepted `chatJid` directly from agent tool parameters without validating it against the configured `allowFrom` contact list. An authenticated agent could invoke the `react` action with an arbitrary WhatsApp JID (any phone number or group JID), bypassing the allowFrom restriction entirely and sending reactions to contacts outside the operator-configured allowlist.
- **Fix applied**: Added allowlist validation in the `react` action handler using the existing `resolveWhatsAppOutboundTarget` function (from `src/whatsapp/resolve-outbound-target.ts`) with `mode: "implicit"`. The resolved (normalized) JID is passed to `sendReactionWhatsApp` instead of the raw user-supplied value. Per-account `allowFrom` config is respected, falling back to the channel-level `allowFrom`.
- **Advisory**: GHSA-2prf-9cw7-fq62
## Test plan
- [ ] Reaction to a JID in `allowFrom` succeeds as before
- [ ] Reaction to a JID not in `allowFrom` throws an error and does not call `sendReactionWhatsApp`
- [ ] Wildcard `allowFrom: ["*"]` continues to allow all targets
- [ ] Per-account `allowFrom` overrides channel-level list correctly
- [ ] Group JIDs continue to be handled by `isWhatsAppGroupJid` inside `resolveWhatsAppOutboundTarget`
### Greptile Summary
Security fix that adds allowlist (`allowFrom`) validation to the WhatsApp `react` action handler using the existing `resolveWhatsAppOutboundTarget` function. Previously, `sendReactionWhatsApp` accepted an arbitrary `chatJid` from agent tool parameters without checking the configured contact allowlist, allowing reactions to be sent to any JID.
- Correctly reuses the `resolveWhatsAppOutboundTarget` helper with `mode: "implicit"` and respects per-account vs. channel-level `allowFrom` precedence
- Uses the resolved (normalized) JID for the outbound call, which is consistent with other send paths
- **Existing tests in `whatsapp-actions.e2e.test.ts` will break**: `resolveWhatsAppOutboundTarget` normalizes `"123@s.whatsapp.net"` to `"+123"` (E.164), but all test assertions expect the original JID format — tests need to be updated
- **Missing test coverage**: no tests were added to verify the new allowlist blocking behavior (JID not in `allowFrom` throws, wildcard allows all, per-account override, etc.) despite the PR description's test plan listing these scenarios
### Confidence Score: 3/5
- The security fix logic is sound but existing tests will break due to JID format change, and the new validation path lacks test coverage.
- The core security fix correctly applies allowlist validation using an existing, well-tested utility. However, the normalized JID format passed to sendReactionWhatsApp will cause all four existing e2e test assertions to fail, and the PR adds no new tests for the security validation itself. The runtime behavior is likely correct since downstream functions (toWhatsappJid) handle E.164 → JID conversion, but the test breakage and missing coverage lower confidence.
- src/agents/tools/whatsapp-actions.ts (test assertions will fail), src/agents/tools/whatsapp-actions.e2e.test.ts (needs updates for normalized JID format and new allowlist validation tests)
Last reviewed commit: 20e5a85
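The check described in the summary and review above, as an added sketch that is not code from this PR or the project. `resolveTarget`, `normalize`, `sendReaction`, `reactUnchecked`, `reactChecked` and the config shape are hypothetical stand-ins for `resolveWhatsAppOutboundTarget` and `sendReactionWhatsApp`, whose real signatures are not shown on this page. It covers direct-chat JIDs only and leaves group JID handling out.

```typescript
// Added illustration: hypothetical stand-ins, not the project's code.
interface WhatsAppConfig {
  allowFrom?: string[];                                // channel-level list
  accounts?: Record<string, { allowFrom?: string[] }>; // per-account override
}

// Constructed sample config (phone numbers are made up).
const SAMPLE_CFG: WhatsAppConfig = {
  allowFrom: ["+15550001"],
  accounts: { work: { allowFrom: ["+15550002"] } },
};

const sent: string[] = []; // what the stubbed transport received

// Stub for the outbound call: records the target instead of sending.
function sendReaction(target: string, emoji: string): void {
  sent.push(`${target} ${emoji}`);
}

// "123@s.whatsapp.net" or "123" -> "+123", the normalization the review mentions.
function normalize(value: string): string {
  return "+" + value.replace(/@.*$/, "").replace(/\D/g, "");
}

// Hypothetical resolver: the normalized target if allowlisted, otherwise null.
// Assumption of this sketch: an empty allowFrom matches nothing.
function resolveTarget(to: string, allowFrom: string[]): string | null {
  const target = normalize(to);
  if (target === "+") return null; // no digits at all
  if (allowFrom.indexOf("*") !== -1) return target; // wildcard allows every target
  return allowFrom.map(normalize).indexOf(target) !== -1 ? target : null;
}

// Before the fix: the agent-supplied chatJid reaches the send call unchecked.
function reactUnchecked(chatJid: string, emoji: string): void {
  sendReaction(chatJid, emoji);
}

// After the fix: per-account allowFrom wins, else channel-level; only the resolved value is sent.
function reactChecked(cfg: WhatsAppConfig, accountId: string, chatJid: string, emoji: string): string {
  const allowFrom = cfg.accounts?.[accountId]?.allowFrom ?? cfg.allowFrom ?? [];
  const target = resolveTarget(chatJid, allowFrom);
  if (target === null) throw new Error(`target ${normalize(chatJid)} is not in allowFrom`);
  sendReaction(target, emoji);
  return target;
}
```

Because the send stub receives the normalized value, a test that asserts on the original `@s.whatsapp.net` form would fail against `reactChecked`, which is the breakage the review points out.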