#23288: feat(whatsapp): group command gating via commands.allowFrom + sender fields in inbound logs
channel: whatsapp-web
size: S
## Summary
Two related improvements for WhatsApp group handling:
### 1. Group command gating (`commands.allowFrom`)
Currently, when `groupAllowFrom: ["*"]` is set (to allow logging all group messages), **any group member** can invoke bot commands (e.g. `/cb`). This PR adds proper command authorization:
- **`group-gating.ts`**: Early `/cb` invocation check — blocks non-owner command triggers in groups while still recording the message to group history
- **`process-message.ts`**: `resolveWhatsAppCommandAuthorized()` now checks `commands.allowFrom.whatsapp` (or `commands.allowFrom["*"]`) before falling back to `groupAllowFrom`
This enables a common pattern: **log everything from groups** (`groupAllowFrom: ["*"]`) while **restricting slash commands to the owner only** (`commands.allowFrom.whatsapp: ["whatsapp:+55..."]`).
#### Config example
```json
{
  "channels": {
    "whatsapp": {
      "groupAllowFrom": ["*"],
      "allowFrom": ["+5531984890807"]
    }
  },
  "commands": {
    "allowFrom": {
      "whatsapp": ["whatsapp:+5531984890807"]
    }
  }
}
```
### 2. Sender fields in `web-inbound` logs
The `web-inbound` log lines now include `participant` (E.164) and `senderName` (push name) when available. This enables downstream log collectors/scripts to identify **who** sent each message in a group — previously only `from` (group JID) and `body` were logged, making sender attribution impossible.
## Files Changed
- `src/web/auto-reply/monitor/group-gating.ts` — `/cb` block for non-owners
- `src/web/auto-reply/monitor/process-message.ts` — `commands.allowFrom` authorization
- `src/web/inbound/monitor.ts` — added `participant`/`senderName` to inbound log
## Testing
- Existing tests pass (21 tests in `command-control.test.ts`, 8 in `monitor-inbox.streams-inbound-messages.test.ts`)
- Manually verified: non-owner `/cb` blocked in group, owner `/cb` works, all group messages still logged with sender info
### Greptile Summary
Adds WhatsApp group command authorization that separates logging permissions (`groupAllowFrom`) from command execution permissions (`commands.allowFrom`). Also includes sender attribution in inbound logs for group message collectors.
The changes enable a common pattern: log all group messages while restricting slash commands to the owner. Implementation adds early `/cb` blocking in `group-gating.ts` and command authorization checks in `process-message.ts`.
### Confidence Score: 4/5
- Safe to merge - implements authorization correctly with proper owner checks
- The PR correctly implements command gating and adds useful logging fields. The logic is sound with proper owner validation via `isOwnerSender()` and authorization checks. Minor code duplication exists but doesn't affect correctness. Tests pass (21 in command-control, 8 in monitor-inbox).
- No files require special attention
Last reviewed commit: 534791c
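
The resolution order this PR describes (`commands.allowFrom.whatsapp`, then `commands.allowFrom["*"]`, then the `groupAllowFrom` fallback), sketched as an added example that is not the project's own code. All function and type names, the prefix normalisation, the fail-closed handling of an empty list, and the phone numbers are assumptions made for illustration.

```typescript
// Added example: hypothetical names, not the project's implementation.
interface GateConfig {
  channels: { whatsapp: { groupAllowFrom?: string[]; allowFrom?: string[] } };
  commands?: { allowFrom?: Record<string, string[]> };
}
interface Decision { record: boolean; runCommand: boolean }

// Assumption: "whatsapp:+1555..." and "+1555..." name the same sender.
function normalizeSender(entry: string): string {
  return entry.trim().replace(/^whatsapp:/i, "");
}

function listAllows(list: string[], sender: string): boolean {
  const id = normalizeSender(sender);
  return list.some((e) => e === "*" || normalizeSender(e) === id);
}

// Order from the PR text: commands.allowFrom.whatsapp, then
// commands.allowFrom["*"], and only then the groupAllowFrom fallback.
function isGroupCommandAuthorized(cfg: GateConfig, sender: string): boolean {
  const cmd = cfg.commands?.allowFrom;
  const explicit = cmd?.["whatsapp"] ?? cmd?.["*"];
  if (explicit !== undefined) {
    // Assumption: a configured command list is authoritative even when
    // empty, so an empty list denies everyone (fail closed).
    return listAllows(explicit, sender);
  }
  return listAllows(cfg.channels.whatsapp.groupAllowFrom ?? [], sender);
}

// Recording and command execution are decided independently.
function gateGroupMessage(cfg: GateConfig, sender: string, body: string): Decision {
  const record = listAllows(cfg.channels.whatsapp.groupAllowFrom ?? [], sender);
  const isCommand = body.trimStart().startsWith("/");
  return { record, runCommand: isCommand && isGroupCommandAuthorized(cfg, sender) };
}

// Constructed sample data (numbers are placeholders, not from the page).
const OWNER = "+15550100001";
const MEMBER = "+15550100002";
const gated: GateConfig = {
  channels: { whatsapp: { groupAllowFrom: ["*"], allowFrom: [OWNER] } },
  commands: { allowFrom: { whatsapp: ["whatsapp:" + OWNER] } },
};
const ungated: GateConfig = { channels: { whatsapp: { groupAllowFrom: ["*"] } } };

console.log(gateGroupMessage(gated, MEMBER, "/cb"));   // recorded, command blocked
console.log(gateGroupMessage(ungated, MEMBER, "/cb")); // fallback lets any member run it
```

The `ungated` case reproduces the behaviour the PR sets out to close: with only `groupAllowFrom: ["*"]` configured, the fallback authorizes every group member's commands.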
## Most Similar PRs
- #11611: feat: separate group-level allowlist from sender-level command auth... (by thisnick · 2026-02-08, 87.2%)
- #4390: fix(whatsapp): allow media from allowlisted groups without groupAllow… (by Sarang19114 · 2026-01-30, 83.7%)
- #4402: fix: store group messages from non-allowlisted senders as pending c... (by adam91holt · 2026-01-30, 83.1%)
- #5665: fix: match group JIDs in groupAllowFrom allowlist (by koala73 · 2026-01-31, 82.9%)
- #23579: feat(whatsapp): add sender attribution to inbound message logs (by svan058 · 2026-02-22, 81.6%)
- #6567: fix: include paired users in WhatsApp group sender allowlist (by giannisanni · 2026-02-01, 79.8%)
- #7287: feat(whatsapp): expose group admin functions (by balthazar-bot · 2026-02-02, 79.4%)
- #21889: fix(whatsapp): include outbound DMs in agent context for allowed co... (by mactsk · 2026-02-20, 78.6%)
- #23046: fix(whatsapp): detect LID JID in implicit reply-to-bot mention check (by hydro13 · 2026-02-21, 78.2%)
- #12069: fix(whatsapp): handle native group @mentions with requireMention (by abhishek0450 · 2026-02-08, 78.1%)