@kodelyth/zalo 2026.5.42 → 2026.6.1

package/src/channel.ts

@@ -1,309 +0,0 @@
-import { describeWebhookAccountSnapshot } from "klaw/plugin-sdk/account-helpers";
-import { DEFAULT_ACCOUNT_ID } from "klaw/plugin-sdk/account-id";
-import { formatAllowFromLowercase } from "klaw/plugin-sdk/allow-from";
-import {
-  adaptScopedAccountAccessor,
-  createScopedChannelConfigAdapter,
-  createScopedDmSecurityResolver,
-  mapAllowFromEntries,
-} from "klaw/plugin-sdk/channel-config-helpers";
-import type { ChannelAccountSnapshot } from "klaw/plugin-sdk/channel-contract";
-import {
-  buildChannelConfigSchema,
-  createChatChannelPlugin,
-  type ChannelPlugin,
-} from "klaw/plugin-sdk/channel-core";
-import { defineChannelMessageAdapter } from "klaw/plugin-sdk/channel-message";
-import {
-  buildOpenGroupPolicyRestrictSendersWarning,
-  buildOpenGroupPolicyWarning,
-  createOpenProviderGroupPolicyWarningCollector,
-} from "klaw/plugin-sdk/channel-policy";
-import {
-  createEmptyChannelResult,
-  createRawChannelSendResultAdapter,
-} from "klaw/plugin-sdk/channel-send-result";
-import { buildTokenChannelStatusSummary } from "klaw/plugin-sdk/channel-status";
-import type { KlawConfig } from "klaw/plugin-sdk/config-contracts";
-import { createStaticReplyToModeResolver } from "klaw/plugin-sdk/conversation-runtime";
-import { createChannelDirectoryAdapter } from "klaw/plugin-sdk/directory-runtime";
-import { listResolvedDirectoryUserEntriesFromAllowFrom } from "klaw/plugin-sdk/directory-runtime";
-import { createLazyRuntimeModule } from "klaw/plugin-sdk/lazy-runtime";
-import {
-  isNumericTargetId,
-  sendPayloadWithChunkedTextAndMedia,
-} from "klaw/plugin-sdk/reply-payload";
-import {
-  createComputedAccountStatusAdapter,
-  createDefaultChannelRuntimeState,
-} from "klaw/plugin-sdk/status-helpers";
-import { chunkTextForOutbound } from "klaw/plugin-sdk/text-chunking";
-import {
-  listZaloAccountIds,
-  resolveDefaultZaloAccountId,
-  resolveZaloAccount,
-  type ResolvedZaloAccount,
-} from "./accounts.js";
-import { zaloMessageActions } from "./actions.js";
-import { zaloApprovalAuth } from "./approval-auth.js";
-import { ZaloConfigSchema } from "./config-schema.js";
-import type { ZaloProbeResult } from "./probe.js";
-import { collectRuntimeConfigAssignments, secretTargetRegistryEntries } from "./secret-contract.js";
-import { resolveZaloOutboundSessionRoute } from "./session-route.js";
-import { createZaloSetupWizardProxy, zaloSetupAdapter } from "./setup-core.js";
-import { collectZaloStatusIssues } from "./status-issues.js";
-
-const meta = {
-  id: "zalo",
-  label: "Zalo",
-  selectionLabel: "Zalo (Bot API)",
-  docsPath: "/channels/zalo",
-  docsLabel: "zalo",
-  blurb: "Vietnam-focused messaging platform with Bot API.",
-  aliases: ["zl"],
-  order: 80,
-  quickstartAllowFrom: true,
-};
-
-function normalizeZaloMessagingTarget(raw: string): string | undefined {
-  const trimmed = raw?.trim();
-  if (!trimmed) {
-    return undefined;
-  }
-  return trimmed.replace(/^(zalo|zl):/i, "").trim();
-}
-
-const loadZaloChannelRuntime = createLazyRuntimeModule(() => import("./channel.runtime.js"));
-const zaloSetupWizard = createZaloSetupWizardProxy(
-  async () => (await import("./setup-surface.js")).zaloSetupWizard,
-);
-const zaloTextChunkLimit = 2000;
-
-const zaloRawSendResultAdapter = createRawChannelSendResultAdapter({
-  channel: "zalo",
-  sendText: async ({ to, text, accountId, cfg }) =>
-    await (
-      await loadZaloChannelRuntime()
-    ).sendZaloText({
-      to,
-      text,
-      accountId: accountId ?? undefined,
-      cfg,
-    }),
-  sendMedia: async ({ to, text, mediaUrl, accountId, cfg }) =>
-    await (
-      await loadZaloChannelRuntime()
-    ).sendZaloText({
-      to,
-      text,
-      accountId: accountId ?? undefined,
-      mediaUrl,
-      cfg,
-    }),
-});
-
-export const zaloMessageAdapter = defineChannelMessageAdapter({
-  id: "zalo",
-  durableFinal: {
-    capabilities: {
-      text: true,
-      media: true,
-      messageSendingHooks: true,
-    },
-  },
-  send: {
-    text: async ({ to, text, accountId, cfg }) =>
-      await (
-        await loadZaloChannelRuntime()
-      ).sendZaloText({
-        to,
-        text,
-        accountId: accountId ?? undefined,
-        cfg,
-      }),
-    media: async ({ to, text, mediaUrl, accountId, cfg }) =>
-      await (
-        await loadZaloChannelRuntime()
-      ).sendZaloText({
-        to,
-        text,
-        accountId: accountId ?? undefined,
-        mediaUrl,
-        cfg,
-      }),
-  },
-});
-
-const zaloConfigAdapter = createScopedChannelConfigAdapter<ResolvedZaloAccount>({
-  sectionKey: "zalo",
-  listAccountIds: listZaloAccountIds,
-  resolveAccount: adaptScopedAccountAccessor(resolveZaloAccount),
-  defaultAccountId: resolveDefaultZaloAccountId,
-  clearBaseFields: ["botToken", "tokenFile", "name"],
-  resolveAllowFrom: (account: ResolvedZaloAccount) => account.config.allowFrom,
-  formatAllowFrom: (allowFrom) =>
-    formatAllowFromLowercase({ allowFrom, stripPrefixRe: /^(zalo|zl):/i }),
-});
-
-const resolveZaloDmPolicy = createScopedDmSecurityResolver<ResolvedZaloAccount>({
-  channelKey: "zalo",
-  resolvePolicy: (account) => account.config.dmPolicy,
-  resolveAllowFrom: (account) => account.config.allowFrom,
-  policyPathSuffix: "dmPolicy",
-  normalizeEntry: (raw) => raw.trim().replace(/^(zalo|zl):/i, ""),
-});
-
-const collectZaloSecurityWarnings = createOpenProviderGroupPolicyWarningCollector<{
-  cfg: KlawConfig;
-  account: ResolvedZaloAccount;
-}>({
-  providerConfigPresent: (cfg) => cfg.channels?.zalo !== undefined,
-  resolveGroupPolicy: ({ account }) => account.config.groupPolicy,
-  collect: ({ account, groupPolicy }) => {
-    if (groupPolicy !== "open") {
-      return [];
-    }
-    const explicitGroupAllowFrom = mapAllowFromEntries(account.config.groupAllowFrom);
-    const dmAllowFrom = mapAllowFromEntries(account.config.allowFrom);
-    const effectiveAllowFrom =
-      explicitGroupAllowFrom.length > 0 ? explicitGroupAllowFrom : dmAllowFrom;
-    if (effectiveAllowFrom.length > 0) {
-      return [
-        buildOpenGroupPolicyRestrictSendersWarning({
-          surface: "Zalo groups",
-          openScope: "any member",
-          groupPolicyPath: "channels.zalo.groupPolicy",
-          groupAllowFromPath: "channels.zalo.groupAllowFrom",
-        }),
-      ];
-    }
-    return [
-      buildOpenGroupPolicyWarning({
-        surface: "Zalo groups",
-        openBehavior:
-          "with no groupAllowFrom/allowFrom allowlist; any member can trigger (mention-gated)",
-        remediation: 'Set channels.zalo.groupPolicy="allowlist" + channels.zalo.groupAllowFrom',
-      }),
-    ];
-  },
-});
-
-export const zaloPlugin: ChannelPlugin<ResolvedZaloAccount, ZaloProbeResult> =
-  createChatChannelPlugin({
-    base: {
-      id: "zalo",
-      meta,
-      setup: zaloSetupAdapter,
-      setupWizard: zaloSetupWizard,
-      capabilities: {
-        chatTypes: ["direct", "group"],
-        media: true,
-        reactions: false,
-        threads: false,
-        polls: false,
-        nativeCommands: false,
-        blockStreaming: true,
-      },
-      reload: { configPrefixes: ["channels.zalo"] },
-      configSchema: buildChannelConfigSchema(ZaloConfigSchema),
-      config: {
-        ...zaloConfigAdapter,
-        isConfigured: (account) => Boolean(account.token?.trim()),
-        describeAccount: (account): ChannelAccountSnapshot =>
-          describeWebhookAccountSnapshot({
-            account,
-            configured: Boolean(account.token?.trim()),
-            mode: account.config.webhookUrl ? "webhook" : "polling",
-            extra: {
-              tokenSource: account.tokenSource,
-            },
-          }),
-      },
-      approvalCapability: zaloApprovalAuth,
-      secrets: {
-        secretTargetRegistryEntries,
-        collectRuntimeConfigAssignments,
-      },
-      groups: {
-        resolveRequireMention: () => true,
-      },
-      actions: zaloMessageActions,
-      messaging: {
-        targetPrefixes: ["zalo", "zl"],
-        normalizeTarget: normalizeZaloMessagingTarget,
-        resolveOutboundSessionRoute: (params) => resolveZaloOutboundSessionRoute(params),
-        targetResolver: {
-          looksLikeId: isNumericTargetId,
-          hint: "<chatId>",
-        },
-      },
-      directory: createChannelDirectoryAdapter({
-        listPeers: async (params) =>
-          listResolvedDirectoryUserEntriesFromAllowFrom<ResolvedZaloAccount>({
-            ...params,
-            resolveAccount: adaptScopedAccountAccessor(resolveZaloAccount),
-            resolveAllowFrom: (account) => account.config.allowFrom,
-            normalizeId: (entry) => entry.trim().replace(/^(zalo|zl):/i, ""),
-          }),
-        listGroups: async () => [],
-      }),
-      status: createComputedAccountStatusAdapter<ResolvedZaloAccount, ZaloProbeResult>({
-        defaultRuntime: createDefaultChannelRuntimeState(DEFAULT_ACCOUNT_ID),
-        collectStatusIssues: collectZaloStatusIssues,
-        buildChannelSummary: ({ snapshot }) => buildTokenChannelStatusSummary(snapshot),
-        probeAccount: async ({ account, timeoutMs }) =>
-          await (await loadZaloChannelRuntime()).probeZaloAccount({ account, timeoutMs }),
-        resolveAccountSnapshot: ({ account }) => {
-          const configured = Boolean(account.token?.trim());
-          return {
-            accountId: account.accountId,
-            name: account.name,
-            enabled: account.enabled,
-            configured,
-            extra: {
-              tokenSource: account.tokenSource,
-              mode: account.config.webhookUrl ? "webhook" : "polling",
-              dmPolicy: account.config.dmPolicy ?? "pairing",
-            },
-          };
-        },
-      }),
-      gateway: {
-        startAccount: async (ctx) =>
-          await (await loadZaloChannelRuntime()).startZaloGatewayAccount(ctx),
-      },
-      message: zaloMessageAdapter,
-    },
-    security: {
-      resolveDmPolicy: resolveZaloDmPolicy,
-      collectWarnings: collectZaloSecurityWarnings,
-    },
-    pairing: {
-      text: {
-        idLabel: "zaloUserId",
-        message: "Your pairing request has been approved.",
-        normalizeAllowEntry: (entry) => entry.trim().replace(/^(zalo|zl):/i, ""),
-        notify: async (params) =>
-          await (await loadZaloChannelRuntime()).notifyZaloPairingApproval(params),
-      },
-    },
-    threading: {
-      resolveReplyToMode: createStaticReplyToModeResolver("off"),
-    },
-    outbound: {
-      deliveryMode: "direct",
-      chunker: chunkTextForOutbound,
-      chunkerMode: "text",
-      textChunkLimit: zaloTextChunkLimit,
-      sendPayload: async (ctx) =>
-        await sendPayloadWithChunkedTextAndMedia({
-          ctx,
-          textChunkLimit: zaloTextChunkLimit,
-          chunker: chunkTextForOutbound,
-          sendText: (nextCtx) => zaloRawSendResultAdapter.sendText!(nextCtx),
-          sendMedia: (nextCtx) => zaloRawSendResultAdapter.sendMedia!(nextCtx),
-          emptyResult: createEmptyChannelResult("zalo"),
-        }),
-      ...zaloRawSendResultAdapter,
-    },
-  });

package/src/config-schema.test.ts

@@ -1,30 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { ZaloConfigSchema } from "./config-schema.js";
-
-describe("ZaloConfigSchema SecretInput", () => {
-  it("accepts SecretRef botToken and webhookSecret at top-level", () => {
-    const result = ZaloConfigSchema.safeParse({
-      botToken: { source: "env", provider: "default", id: "ZALO_BOT_TOKEN" },
-      webhookUrl: "https://example.com/zalo",
-      webhookSecret: { source: "env", provider: "default", id: "ZALO_WEBHOOK_SECRET" },
-    });
-    expect(result.success).toBe(true);
-  });
-
-  it("accepts SecretRef botToken and webhookSecret on account", () => {
-    const result = ZaloConfigSchema.safeParse({
-      accounts: {
-        work: {
-          botToken: { source: "env", provider: "default", id: "ZALO_WORK_BOT_TOKEN" },
-          webhookUrl: "https://example.com/zalo/work",
-          webhookSecret: {
-            source: "env",
-            provider: "default",
-            id: "ZALO_WORK_WEBHOOK_SECRET",
-          },
-        },
-      },
-    });
-    expect(result.success).toBe(true);
-  });
-});

package/src/config-schema.ts

@@ -1,29 +0,0 @@
-import {
-  AllowFromListSchema,
-  buildCatchallMultiAccountChannelSchema,
-  DmPolicySchema,
-  GroupPolicySchema,
-  MarkdownConfigSchema,
-} from "klaw/plugin-sdk/channel-config-schema";
-import { z } from "zod";
-import { buildSecretInputSchema } from "./secret-input.js";
-
-const zaloAccountSchema = z.object({
-  name: z.string().optional(),
-  enabled: z.boolean().optional(),
-  markdown: MarkdownConfigSchema,
-  botToken: buildSecretInputSchema().optional(),
-  tokenFile: z.string().optional(),
-  webhookUrl: z.string().optional(),
-  webhookSecret: buildSecretInputSchema().optional(),
-  webhookPath: z.string().optional(),
-  dmPolicy: DmPolicySchema.optional(),
-  allowFrom: AllowFromListSchema,
-  groupPolicy: GroupPolicySchema.optional(),
-  groupAllowFrom: AllowFromListSchema,
-  mediaMaxMb: z.number().optional(),
-  proxy: z.string().optional(),
-  responsePrefix: z.string().optional(),
-});
-
-export const ZaloConfigSchema = buildCatchallMultiAccountChannelSchema(zaloAccountSchema);

package/src/group-access.ts

@@ -1,23 +0,0 @@
-import type { GroupPolicy } from "klaw/plugin-sdk/config-contracts";
-import { resolveOpenProviderRuntimeGroupPolicy } from "klaw/plugin-sdk/runtime-group-policy";
-
-const ZALO_ALLOW_FROM_PREFIX_RE = /^(zalo|zl):/i;
-
-export function normalizeZaloAllowEntry(value: string): string {
-  return value.trim().replace(ZALO_ALLOW_FROM_PREFIX_RE, "").trim().toLowerCase();
-}
-
-export function resolveZaloRuntimeGroupPolicy(params: {
-  providerConfigPresent: boolean;
-  groupPolicy?: GroupPolicy;
-  defaultGroupPolicy?: GroupPolicy;
-}): {
-  groupPolicy: GroupPolicy;
-  providerMissingFallbackApplied: boolean;
-} {
-  return resolveOpenProviderRuntimeGroupPolicy({
-    providerConfigPresent: params.providerConfigPresent,
-    groupPolicy: params.groupPolicy,
-    defaultGroupPolicy: params.defaultGroupPolicy,
-  });
-}

package/src/monitor-durable.test.ts

@@ -1,49 +0,0 @@
-import { describe, expect, it, vi } from "vitest";
-import {
-  prepareZaloDurableReplyPayload,
-  resolveZaloDurableReplyOptions,
-} from "./monitor-durable.js";
-
-describe("Zalo durable reply helpers", () => {
-  it("normalizes markdown tables before durable or legacy delivery", () => {
-    const convertMarkdownTables = vi.fn(() => "converted table");
-
-    expect(
-      prepareZaloDurableReplyPayload({
-        payload: { text: "| a |\n| - |" },
-        tableMode: "code",
-        convertMarkdownTables,
-      }),
-    ).toEqual({ text: "converted table" });
-    expect(convertMarkdownTables).toHaveBeenCalledWith("| a |\n| - |", "code");
-  });
-
-  it("uses durable final delivery for text-only final replies", () => {
-    expect(
-      resolveZaloDurableReplyOptions({
-        payload: { text: "hello" },
-        infoKind: "final",
-        chatId: "123456789",
-      }),
-    ).toEqual({
-      to: "123456789",
-    });
-  });
-
-  it("keeps media and non-final replies on the legacy path", () => {
-    expect(
-      resolveZaloDurableReplyOptions({
-        payload: { text: "photo", mediaUrl: "https://example.com/photo.jpg" },
-        infoKind: "final",
-        chatId: "123456789",
-      }),
-    ).toBe(false);
-    expect(
-      resolveZaloDurableReplyOptions({
-        payload: { text: "hello" },
-        infoKind: "block",
-        chatId: "123456789",
-      }),
-    ).toBe(false);
-  });
-});

package/src/monitor-durable.ts

@@ -1,38 +0,0 @@
-import type { MarkdownTableMode } from "klaw/plugin-sdk/config-contracts";
-import { resolveSendableOutboundReplyParts } from "klaw/plugin-sdk/reply-payload";
-import type { OutboundReplyPayload } from "klaw/plugin-sdk/reply-payload";
-
-export type ZaloDurableReplyOptions = {
-  to: string;
-};
-
-export function prepareZaloDurableReplyPayload(params: {
-  payload: OutboundReplyPayload;
-  tableMode: MarkdownTableMode;
-  convertMarkdownTables: (text: string, tableMode: MarkdownTableMode) => string;
-}): OutboundReplyPayload {
-  if (!params.payload.text) {
-    return params.payload;
-  }
-  return {
-    ...params.payload,
-    text: params.convertMarkdownTables(params.payload.text, params.tableMode),
-  };
-}
-
-export function resolveZaloDurableReplyOptions(params: {
-  payload: OutboundReplyPayload;
-  infoKind: string;
-  chatId: string;
-}): ZaloDurableReplyOptions | false {
-  if (params.infoKind !== "final") {
-    return false;
-  }
-  const reply = resolveSendableOutboundReplyParts(params.payload);
-  if (reply.hasMedia || !reply.hasText) {
-    return false;
-  }
-  return {
-    to: params.chatId,
-  };
-}

package/src/monitor.group-policy.test.ts

@@ -1,213 +0,0 @@
-import { resolveStableChannelMessageIngress } from "klaw/plugin-sdk/channel-ingress-runtime";
-import type { GroupPolicy, KlawConfig } from "klaw/plugin-sdk/config-contracts";
-import { describe, expect, it, vi } from "vitest";
-import { normalizeZaloAllowEntry, resolveZaloRuntimeGroupPolicy } from "./group-access.js";
-import type { ZaloAccountConfig } from "./types.js";
-
-function stringEntries(entries: Array<string | number> | undefined): string[] {
-  return (entries ?? []).map((entry) => String(entry));
-}
-
-const groupPolicyCases: Array<[string, ZaloAccountConfig, string, boolean, string]> = [
-  [
-    "disabled policy",
-    { groupPolicy: "disabled", groupAllowFrom: ["zalo:123"] },
-    "123",
-    false,
-    "group_policy_disabled",
-  ],
-  [
-    "empty allowlist",
-    { groupPolicy: "allowlist", groupAllowFrom: [] },
-    "attacker",
-    false,
-    "group_policy_empty_allowlist",
-  ],
-  [
-    "allowlist mismatch",
-    { groupPolicy: "allowlist", groupAllowFrom: ["zalo:victim-user-001"] },
-    "attacker-user-999",
-    false,
-    "group_policy_not_allowlisted",
-  ],
-  [
-    "Zalo prefix match",
-    { groupPolicy: "allowlist", groupAllowFrom: ["zl:12345"] },
-    "12345",
-    true,
-    "group_policy_allowed",
-  ],
-  [
-    "allowFrom fallback",
-    { groupPolicy: "allowlist", allowFrom: ["zl:12345"], groupAllowFrom: [] },
-    "12345",
-    true,
-    "group_policy_allowed",
-  ],
-  [
-    "open policy",
-    { groupPolicy: "open", groupAllowFrom: [] },
-    "attacker-user-999",
-    true,
-    "group_policy_open",
-  ],
-];
-
-async function resolveAccess(
-  params: {
-    cfg?: KlawConfig;
-    accountConfig?: ZaloAccountConfig;
-    providerConfigPresent?: boolean;
-    defaultGroupPolicy?: GroupPolicy;
-    isGroup?: boolean;
-    senderId?: string;
-    rawBody?: string;
-    storeAllowFrom?: string[];
-    shouldComputeCommandAuthorized?: boolean;
-  } = {},
-) {
-  const readAllowFromStore = vi.fn(async () => params.storeAllowFrom ?? []);
-  const accountConfig = {
-    dmPolicy: "pairing",
-    groupPolicy: "allowlist",
-    allowFrom: [],
-    groupAllowFrom: [],
-    ...params.accountConfig,
-  } satisfies ZaloAccountConfig;
-  const { groupPolicy, providerMissingFallbackApplied } = resolveZaloRuntimeGroupPolicy({
-    providerConfigPresent: params.providerConfigPresent ?? true,
-    groupPolicy: accountConfig.groupPolicy,
-    defaultGroupPolicy: params.defaultGroupPolicy ?? "open",
-  });
-  const shouldComputeAuth = params.shouldComputeCommandAuthorized ?? false;
-  const isGroup = params.isGroup ?? true;
-  const result = await resolveStableChannelMessageIngress({
-    channelId: "zalo",
-    accountId: "default",
-    identity: {
-      key: "zalo-user-id",
-      normalize: normalizeZaloAllowEntry,
-      sensitivity: "pii",
-      entryIdPrefix: "zalo-entry",
-    },
-    accessGroups: params.cfg?.accessGroups,
-    readStoreAllowFrom: async () => await readAllowFromStore(),
-    useAccessGroups: params.cfg?.commands?.useAccessGroups !== false,
-    subject: { stableId: params.senderId ?? "123" },
-    conversation: {
-      kind: isGroup ? "group" : "direct",
-      id: "chat-1",
-    },
-    providerMissingFallbackApplied,
-    dmPolicy: accountConfig.dmPolicy ?? "pairing",
-    groupPolicy,
-    policy: { groupAllowFromFallbackToAllowFrom: true },
-    allowFrom: stringEntries(accountConfig.allowFrom),
-    groupAllowFrom: stringEntries(accountConfig.groupAllowFrom),
-    command: shouldComputeAuth ? {} : undefined,
-  });
-  return { result, readAllowFromStore };
-}
-
-function stableSenderAccess(access: { allowed: boolean; decision: string; reasonCode: string }) {
-  return {
-    allowed: access.allowed,
-    decision: access.decision,
-    reasonCode: access.reasonCode,
-  };
-}
-
-describe("zalo shared ingress access policy", () => {
-  it.each(groupPolicyCases)(
-    "maps %s through shared ingress",
-    async (_name, accountConfig, senderId, allowed, reasonCode) => {
-      const { result } = await resolveAccess({ accountConfig, senderId });
-      expect(stableSenderAccess(result.senderAccess)).toEqual({
-        allowed,
-        decision: allowed ? "allow" : "block",
-        reasonCode,
-      });
-    },
-  );
-
-  it("keeps group control-command authorization separate from group sender access", async () => {
-    const { result } = await resolveAccess({
-      accountConfig: {
-        groupPolicy: "open",
-        allowFrom: [],
-        groupAllowFrom: [],
-      },
-      rawBody: "/reset",
-      shouldComputeCommandAuthorized: true,
-    });
-
-    expect(result.senderAccess.decision).toBe("allow");
-    expect(result.commandAccess.authorized).toBe(false);
-  });
-
-  it("authorizes direct commands from the pairing store", async () => {
-    const { result, readAllowFromStore } = await resolveAccess({
-      isGroup: false,
-      accountConfig: {
-        dmPolicy: "pairing",
-        allowFrom: [],
-      },
-      senderId: "12345",
-      storeAllowFrom: ["zl:12345"],
-      rawBody: "/status",
-      shouldComputeCommandAuthorized: true,
-    });
-
-    expect(readAllowFromStore).toHaveBeenCalledTimes(1);
-    expect(stableSenderAccess(result.senderAccess)).toEqual({
-      allowed: true,
-      decision: "allow",
-      reasonCode: "dm_policy_allowlisted",
-    });
-    expect(result.commandAccess.authorized).toBe(true);
-  });
-
-  it("requires an explicit wildcard or allowlist match for open DMs", async () => {
-    const { result, readAllowFromStore } = await resolveAccess({
-      isGroup: false,
-      accountConfig: {
-        dmPolicy: "open",
-        allowFrom: [],
-      },
-      senderId: "12345",
-    });
-
-    expect(readAllowFromStore).not.toHaveBeenCalled();
-    expect(stableSenderAccess(result.senderAccess)).toEqual({
-      allowed: false,
-      decision: "block",
-      reasonCode: "dm_policy_not_allowlisted",
-    });
-  });
-
-  it("matches static access-group entries through the shared ingress resolver", async () => {
-    const { result } = await resolveAccess({
-      cfg: {
-        accessGroups: {
-          operators: {
-            type: "message.senders",
-            members: {
-              zalo: ["zl:12345"],
-            },
-          },
-        },
-      },
-      accountConfig: {
-        groupPolicy: "allowlist",
-        groupAllowFrom: ["accessGroup:operators"],
-      },
-      senderId: "12345",
-    });
-
-    expect(stableSenderAccess(result.senderAccess)).toEqual({
-      allowed: true,
-      decision: "allow",
-      reasonCode: "group_policy_allowed",
-    });
-  });
-});