
#5665: fix: match group JIDs in groupAllowFrom allowlist

by koala73, open, 2026-01-31 20:26

Labels: docs, channel: whatsapp-web, gateway
## Summary

When `groupPolicy` is `"allowlist"`, the WhatsApp inbound access control compared the **sender's phone number** (`senderE164`) against `groupAllowFrom` entries. However, `groupAllowFrom` typically contains **group JIDs** (e.g. `120363406018241337@g.us`), not phone numbers, so the check always failed, silently blocking every group message.

**Root cause:** `access-control.ts:102-104` ran `normalizeE164()` on group JID entries (stripping `@g.us`), then compared them against the sender's phone number. A group JID like `120363406018241337@g.us` can never match a phone number like `+971559273244`.

**Fix:** Split `groupAllowFrom` entries into two categories:

- **Group JIDs** (`@g.us` suffix) → matched against `remoteJid` (the group the message came from)
- **Phone numbers** → matched against `senderE164` (the individual sender)

This lets users allowlist specific groups by JID **and/or** specific senders by phone number, which is the intended behavior per the config schema and docs.

## Test plan

- [x] Existing tests pass (sender phone number matching still works)
- [x] New test: allows group messages when `groupAllowFrom` contains the group JID
- [x] New test: blocks group messages when group JID is not in `groupAllowFrom`
- [x] `pnpm build` passes (type-check clean)
- [x] 11/11 tests pass in `monitor-inbox.blocks-messages-from-unauthorized-senders-not-allowfrom.test.ts`

## Greptile Overview

### Greptile Summary

This PR fixes WhatsApp inbound access control when `groupPolicy: "allowlist"` by correctly interpreting `groupAllowFrom` entries that are group JIDs (e.g. `...@g.us`) vs phone numbers. In `src/web/inbound/access-control.ts`, `groupAllowFrom` is split into two allowlists: group JIDs are matched against `remoteJid` (the group chat ID), and phone numbers are normalized and matched against `senderE164` (the participant).

This prevents the prior behavior where group JIDs were incorrectly passed through `normalizeE164()` and compared to phone numbers, causing all group messages to be silently blocked. The PR also adds coverage in `src/web/monitor-inbox.blocks-messages-from-unauthorized-senders-not-allowfrom.test.ts` to verify that allowlisted group JIDs are accepted and non-allowlisted group JIDs are blocked under the allowlist policy.

### Confidence Score: 5/5

- This PR is safe to merge with minimal risk.
- Change is small, targeted, and aligns with how WhatsApp group messages are structured (group `remoteJid` vs participant `senderE164`). Added tests cover the new expected behavior (allowlisted group JID allowed; non-allowlisted blocked), and existing phone allowlist behavior remains intact because `senderE164` is already normalized upstream via `resolveJidToE164()`.
- No files require special attention
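The two matching rules described in the PR, as an added TypeScript example that is not the project's own code: `normalizeE164` here is a simplified stand-in (assumption), the pre-fix comparison is kept for contrast, and the sender number is a constructed sample.

```typescript
// Added example, not the project's code. normalizeE164 is a simplified
// stand-in (assumption): "+" followed by the digits of the input, nothing else.
export function normalizeE164(value: string): string {
  const digits = value.replace(/\D/g, "");
  return digits ? `+${digits}` : "";
}

// Group JIDs carry the "@g.us" suffix; any other entry is treated as a phone number.
export function isGroupJid(entry: string): boolean {
  return entry.trim().toLowerCase().endsWith("@g.us");
}

export interface GroupMessage {
  remoteJid: string;  // the group chat the message came from
  senderE164: string; // the participant who sent it, already in E.164 form
}

// Before the fix: every allowlist entry, group JIDs included, was normalized as
// a phone number and compared against senderE164. A group JID normalizes to a
// long digit string that never equals a phone number, so a group-only
// allowlist silently blocked every group message.
export function allowedBeforeFix(msg: GroupMessage, groupAllowFrom: string[]): boolean {
  const allowed = new Set(groupAllowFrom.map(normalizeE164));
  return allowed.has(normalizeE164(msg.senderE164));
}

// After the fix: split entries by kind and match each against the right field.
// Group JIDs -> remoteJid; phone numbers -> senderE164. An empty allowlist
// still blocks everything, which is the expected allowlist semantics.
export function allowedAfterFix(msg: GroupMessage, groupAllowFrom: string[]): boolean {
  const groupJids = new Set(
    groupAllowFrom.filter(isGroupJid).map((e) => e.trim().toLowerCase()),
  );
  const phones = new Set(
    groupAllowFrom.filter((e) => !isGroupJid(e)).map(normalizeE164).filter((p) => p !== ""),
  );
  if (groupJids.has(msg.remoteJid.trim().toLowerCase())) return true;
  return phones.has(normalizeE164(msg.senderE164));
}

// Constructed sample: the group JID quoted in the PR text plus a made-up sender.
export const SAMPLE_MSG: GroupMessage = {
  remoteJid: "120363406018241337@g.us",
  senderE164: "+15550100123",
};
export const GROUP_ONLY_ALLOWLIST: string[] = ["120363406018241337@g.us"];
```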
