#4390: fix(whatsapp): allow media from allowlisted groups without groupAllow…

by Sarang19114 open 2026-01-30 05:17
channel: whatsapp-web commands
## Summary

Fixes #3375 - WhatsApp media from group members not downloaded when using groupPolicy: allowlist

## Problem

When a group is in the `groups` allowlist with `requireMention: false`, media from group members was silently ignored unless they were also in `groupAllowFrom`.

## Solution

Modified `checkInboundAccessControl` to first check if a group is explicitly in the `groups` allowlist. When it is, messages from all participants are now allowed (bypassing the `groupAllowFrom` check for that group).

## Changes

- `src/web/inbound/access-control.ts` - Added groups allowlist check before groupAllowFrom filtering
- `src/web/inbound/monitor.ts` - Pass groupId to access control function
- `src/web/inbound/access-control.groups-allowlist.test.ts` - 6 new test cases

## Testing

- [x] All 6 new tests pass

<h2>Greptile Overview</h2>

<h3>Greptile Summary</h3>

This PR adjusts WhatsApp inbound access control for `groupPolicy: "allowlist"` so that if a group JID is explicitly present in the per-account `groups` config, messages from any participant in that group are allowed (bypassing `groupAllowFrom`). To support that, the inbound monitor now passes the group’s JID into `checkInboundAccessControl`, and a new Vitest suite covers allowlisted vs non-allowlisted group behavior, disabled policy behavior, and wildcard sender allowlisting.

The change lives in the inbound pipeline (`src/web/inbound/monitor.ts` → `checkInboundAccessControl`), and is intended to align sender/media handling with the existing group allowlist semantics used elsewhere in the WhatsApp web channel.

<h3>Confidence Score: 4/5</h3>

- This PR is likely safe to merge, with one notable edge-case around allowlist membership checking.
- Behavioral change is localized to group allowlist handling and is covered by new tests. The main risk is the `in`-operator allowlist membership check, which can produce false positives for inherited keys and is easy to harden.
- src/web/inbound/access-control.ts
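The edge case raised in the review summary above (an `in`-operator membership check matching inherited keys), shown as an added example that is not code from this PR or the project. The function names, the config shape and the group JIDs are constructed assumptions.

```typescript
// Added illustration; names and shapes are assumptions, not the project's code.
type GroupConfig = { requireMention?: boolean };
type GroupsConfig = { [groupJid: string]: GroupConfig };

// Constructed sample config: one allowlisted group JID.
const groups: GroupsConfig = {
  "120363000000000000@g.us": { requireMention: false },
};

// Membership test with `in`: also true for keys inherited from Object.prototype.
function isAllowlistedWithIn(cfg: GroupsConfig, groupJid: string): boolean {
  return groupJid in cfg;
}

// Hardened membership test: own properties only, and the entry must be an object.
function isAllowlistedOwn(cfg: GroupsConfig, groupJid: string): boolean {
  if (!Object.prototype.hasOwnProperty.call(cfg, groupJid)) return false;
  const entry = cfg[groupJid];
  return typeof entry === "object" && entry !== null;
}

// Run both checks over a list of identifiers so the difference is visible.
function compare(ids: string[]): { id: string; viaIn: boolean; viaOwn: boolean }[] {
  return ids.map((id) => ({
    id,
    viaIn: isAllowlistedWithIn(groups, id),
    viaOwn: isAllowlistedOwn(groups, id),
  }));
}

const results = compare([
  "120363000000000000@g.us", // configured in the allowlist
  "120363999999999999@g.us", // not configured
  "toString",                // inherited from Object.prototype
  "constructor",             // inherited from Object.prototype
]);
for (const r of results) console.log(r.id, "in:", r.viaIn, "own:", r.viaOwn);
```

Building the allowlist as a `Map`, or as an object created with `Object.create(null)`, removes the inherited keys altogether.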
