typeclaw 0.1.5 → 0.2.0

package/src/bundled-plugins/security/policies/git-exfil.ts

@@ -106,34 +106,49 @@ const DANGEROUS_COMMAND_PATTERNS: ReadonlyArray<{ pattern: RegExp; label: string
   },
 ]
 
+// Records remote-taint for any `git remote add/set-url` in this bash
+// command IF the command would have been allowed to proceed (either
+// gitExfil was acknowledged on the call, or the caller is bypassing
+// gitExfil via permission -- caller signals the latter with
+// `permittedBypass: true`). The taint is what makes the second-step
+// gitRemoteTainted defense work, so recording must NOT depend on the
+// gitExfil guard's return value: a permission-bypassed actor would
+// otherwise skip taint recording entirely and a later push to the
+// re-pointed remote would escape detection.
+//
+// When the command would have been blocked (no ack, no bypass), nothing
+// is recorded -- the agent never actually ran the set-url so the remote
+// state on disk is unchanged.
+export function recordGitRemoteTaintIfAny(options: {
+  tool: string
+  args: Record<string, unknown>
+  sessionId?: string
+  permittedBypass?: boolean
+}): void {
+  const { tool, args, sessionId, permittedBypass } = options
+  if (tool !== 'bash') return
+  if (!sessionId) return
+  const command = args.command
+  if (typeof command !== 'string') return
+  const allowed = permittedBypass === true || isGuardAcknowledged(args, GUARD_GIT_EXFIL)
+  if (!allowed) return
+  for (const change of parseRemoteChanges(command)) {
+    recordRemoteTaint(sessionId, { remoteName: change.remoteName, url: change.url })
+  }
+}
+
 export function checkGitExfilGuard(options: {
   tool: string
   args: Record<string, unknown>
   sessionId?: string
 }): SecurityBlock | undefined {
-  const { tool, args, sessionId } = options
+  const { tool, args } = options
   if (tool !== 'bash') return undefined
 
   const command = args.command
   if (typeof command !== 'string') return undefined
 
-  const taintBlock = checkPushToTaintedRemote({ command, args, sessionId })
-  if (taintBlock) return taintBlock
-
-  if (isGuardAcknowledged(args, GUARD_GIT_EXFIL)) {
-    // The user acknowledged that this command may exfil. If the command is a
-    // `git remote add/set-url`, treat the ack as the commit point and taint
-    // the affected remote so any later push must be acknowledged separately.
-    // Done here (and not at tool.after) so the taint is recorded even if the
-    // subsequent shell exec fails -- a partially-applied remote change still
-    // leaves the repo in an exfil-shaped state.
-    if (sessionId) {
-      for (const change of parseRemoteChanges(command)) {
-        recordRemoteTaint(sessionId, { remoteName: change.remoteName, url: change.url })
-      }
-    }
-    return undefined
-  }
+  if (isGuardAcknowledged(args, GUARD_GIT_EXFIL)) return undefined
 
   const matched = DANGEROUS_COMMAND_PATTERNS.find(({ pattern }) => pattern.test(command))
   if (!matched) return undefined
@@ -148,6 +163,24 @@ export function checkGitExfilGuard(options: {
   }
 }
 
+// Separate top-level guard so `security.bypass.gitRemoteTainted` can be
+// granted independently of `security.bypass.gitExfil`. The two defend
+// different shapes: gitExfil blocks the first step (re-point or push),
+// gitRemoteTainted blocks the second step (push to a remote that was
+// re-pointed earlier in the same session). Bypassing one must not silently
+// disable the other.
+export function checkGitRemoteTaintedGuard(options: {
+  tool: string
+  args: Record<string, unknown>
+  sessionId?: string
+}): SecurityBlock | undefined {
+  const { tool, args, sessionId } = options
+  if (tool !== 'bash') return undefined
+  const command = args.command
+  if (typeof command !== 'string') return undefined
+  return checkPushToTaintedRemote({ command, args, sessionId })
+}
+
 function checkPushToTaintedRemote(options: {
   command: string
   args: Record<string, unknown>

package/src/bundled-plugins/tool-result-cap/README.md

@@ -15,6 +15,8 @@ The result is a session JSONL file that's tens of megabytes on disk but mostly o
 
 `tool-result-cap` registers a `tool.after` hook that inspects every tool's result and, in place, replaces oversized image/text parts with a short placeholder before pi-coding-agent appends the entry to the JSONL. The cap happens at the wire-format level, so the bloat never reaches disk or the LLM in the first place.
 
+For sessions that already contain oversized tool results from before this plugin was active (or before its limits were tightened), the **channel session factory also runs the same cap policy at rehydrate time**: just before `SessionManager.open(path)` reads the JSONL, the file is scanned for oversized `toolResult` entries and those entries are rewritten in place. The pass is idempotent and skipped entirely when `tool-result-cap.enabled` is `false`. **`typeclaw restart` is therefore the single user-facing recovery action for a poisoned channel session** — no scrubber subcommand, no manual surgery on `channels/sessions.json`.
+
 ## Config
 
 ```json
@@ -57,11 +59,14 @@ Plugin hook order is the order plugins are listed in `src/run/bundled-plugins.ts
 
 ## What it contributes
 
-| Kind | Name         | Notes                                                                                                                                  |
-| ---- | ------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
-| Hook | `tool.after` | Walks `event.result.content` and replaces oversized image/text parts in place. Logs one `info` line per capped call, silent otherwise. |
+| Kind                 | Name                          | Notes                                                                                                                                                                                                                                                                                                                       |
+| -------------------- | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Hook                 | `tool.after`                  | Walks `event.result.content` and replaces oversized image/text parts in place. Logs one `info` line per capped call, silent otherwise.                                                                                                                                                                                      |
+| Load-time pass       | `capJsonlFileInPlace`         | Called by `src/run/channel-session-factory.ts` before `SessionManager.open(path)` on every channel-session rehydrate. Walks JSONL entries, applies the same `capToolResult` per `toolResult` message, and rewrites the file atomically (temp + rename) when any entry mutated. Idempotent; passes malformed lines verbatim. |
+| Config-bridge helper | `resolveCapOptionsFromConfig` | Parses the `tool-result-cap` config block through the plugin's `configSchema` and returns the runtime `CapOptions` (or `null` when `enabled: false`). Lets non-plugin call sites share the same disable rule as the `tool.after` hook.                                                                                      |
 
 ## Tests
 
 - `cap-result.test.ts` — pure-function unit tests for the capping logic (image replacement, text truncation, mixed parts, exempt tools, empty results, in-place mutation invariant).
-- `index.test.ts` — composition tests (config schema defaults and validation, hook registration, disabled-mode short-circuit, logging on cap, silence on no-op).
+- `cap-jsonl.test.ts` — load-time pass: rewrite-on-mutation, no-write-when-clean, idempotency, exemptTools respected, non-toolResult entries preserved, malformed-line passthrough, missing-file safety, multi-entry batching, text truncation in JSONL form.
+- `index.test.ts` — composition tests (config schema defaults and validation, hook registration, disabled-mode short-circuit, logging on cap, silence on no-op, `resolveCapOptionsFromConfig` semantics).

package/src/bundled-plugins/tool-result-cap/cap-jsonl.ts

@@ -0,0 +1,115 @@
+import { chmodSync, readFileSync, renameSync, statSync, writeFileSync } from 'node:fs'
+
+import type { ContentPart } from '@/plugin'
+
+import { type CapOptions, type CapStats, capContentParts } from './cap-result'
+
+export type CapJsonlStats = CapStats & {
+  // Number of toolResult entries that had at least one part capped. Distinct
+  // from imagesReplaced + textsTruncated because a single entry can have
+  // multiple oversized parts.
+  entriesMutated: number
+}
+
+export class CapJsonlReadError extends Error {
+  constructor(
+    public readonly path: string,
+    public override readonly cause: unknown,
+  ) {
+    super(`capJsonlFileInPlace: read failed for ${path}: ${cause instanceof Error ? cause.message : String(cause)}`)
+    this.name = 'CapJsonlReadError'
+  }
+}
+
+function parseLine(line: string): unknown {
+  try {
+    return JSON.parse(line) as unknown
+  } catch {
+    return null
+  }
+}
+
+function isToolResultMessageEntry(value: unknown): value is {
+  type: 'message'
+  message: { role: 'toolResult'; toolName?: string; content: ContentPart[] }
+} {
+  if (typeof value !== 'object' || value === null) return false
+  const entry = value as { type?: unknown; message?: unknown }
+  if (entry.type !== 'message') return false
+  if (typeof entry.message !== 'object' || entry.message === null) return false
+  const message = entry.message as { role?: unknown; content?: unknown }
+  if (message.role !== 'toolResult') return false
+  if (!Array.isArray(message.content)) return false
+  return true
+}
+
+// Apply `capContentParts` to every toolResult entry parsed from a JSONL file
+// and rewrite the file in place when anything mutated. Idempotent.
+//
+// Why we own the file IO (rather than going through SessionManager): the
+// `_rewriteFile` method on SessionManager is not on the public type, and
+// running BEFORE `SessionManager.open(path)` is called means pi-coding-agent
+// reads the already-capped file. No private API touched, no race against
+// pi's internal state.
+//
+// Throws CapJsonlReadError when the file can't be read (missing, unreadable,
+// directory, etc.). Callers that want best-effort no-op semantics should
+// wrap in try/catch — see tryReopenOrCreate.
+//
+// Malformed lines are passed through verbatim — matches pi's parser, which
+// silently skips them. We never delete or reorder entries; we only shrink
+// `content` parts of toolResult messages.
+//
+// File mode is preserved across the temp+rename so a 0600 session JSONL
+// stays 0600 after capping.
+export function capJsonlFileInPlace(path: string, options: CapOptions): CapJsonlStats {
+  let raw: string
+  let originalMode: number
+  try {
+    raw = readFileSync(path, 'utf8')
+    originalMode = statSync(path).mode & 0o777
+  } catch (err) {
+    throw new CapJsonlReadError(path, err)
+  }
+
+  const lines = raw.split('\n')
+  const stats: CapJsonlStats = { imagesReplaced: 0, textsTruncated: 0, bytesElided: 0, entriesMutated: 0 }
+  const out: string[] = Array.from({ length: lines.length })
+  let anyMutated = false
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i] ?? ''
+    if (line.length === 0) {
+      out[i] = line
+      continue
+    }
+    const parsed = parseLine(line)
+    if (parsed === null || !isToolResultMessageEntry(parsed)) {
+      out[i] = line
+      continue
+    }
+    const toolName = parsed.message.toolName ?? ''
+    const partStats = capContentParts(toolName, parsed.message.content, options)
+    if (partStats.imagesReplaced > 0 || partStats.textsTruncated > 0) {
+      stats.imagesReplaced += partStats.imagesReplaced
+      stats.textsTruncated += partStats.textsTruncated
+      stats.bytesElided += partStats.bytesElided
+      stats.entriesMutated += 1
+      anyMutated = true
+      out[i] = JSON.stringify(parsed)
+    } else {
+      out[i] = line
+    }
+  }
+
+  if (anyMutated) {
+    // Write-then-rename so a crash mid-write can't leave a truncated JSONL
+    // (which would corrupt the next rehydrate).
+    const tmp = `${path}.cap.tmp`
+    writeFileSync(tmp, out.join('\n'), { mode: originalMode })
+    chmodSync(tmp, originalMode)
+    renameSync(tmp, path)
+  }
+
+  return stats
+}

package/src/bundled-plugins/tool-result-cap/cap-result.ts

@@ -3,7 +3,7 @@ import type { ContentPart, ToolResult } from '@/plugin'
 export type CapOptions = {
   imageMaxBytes: number
   textMaxBytes: number
-  exemptTools: ReadonlySet<string>
+  exemptTools?: ReadonlySet<string>
 }
 
 export type CapStats = {
@@ -12,23 +12,32 @@ export type CapStats = {
   bytesElided: number
 }
 
-// Sentinel marker used in both image and text replacement payloads so a future
-// pass (or the LLM itself) can recognize that a value was capped rather than
-// truthfully short. Plain English on purpose — these strings get fed to the
-// model on every turn, and unfamiliar tokens cost reasoning bandwidth.
 const ELIDED_MARKER = '[tool-result-cap: '
 
-export function capToolResult(tool: string, result: ToolResult, options: CapOptions): CapStats {
+// A capped text part is exactly the placeholder we generated: starts with
+// `[tool-result-cap: `, ends with `]`, and contains no inner `]`. The shape
+// check exists for idempotency so a previously-capped entry survives a second
+// pass untouched — but tight enough that real tool output that merely STARTS
+// with the marker (e.g. quotes a prior placeholder then continues with more
+// content) still gets capped on its trailing bulk. A prefix-only check would
+// be an oversized-text bypass.
+const ELIDED_PLACEHOLDER_PATTERN = /^\[tool-result-cap: [^\]]*\]$/
+
+function isElidedPlaceholderText(text: string): boolean {
+  return ELIDED_PLACEHOLDER_PATTERN.test(text)
+}
+
+export function capContentParts(tool: string, content: ContentPart[], options: CapOptions): CapStats {
   const stats: CapStats = { imagesReplaced: 0, textsTruncated: 0, bytesElided: 0 }
-  if (options.exemptTools.has(tool)) return stats
+  if (options.exemptTools?.has(tool)) return stats
 
-  for (let i = 0; i < result.content.length; i++) {
-    const part = result.content[i]
+  for (let i = 0; i < content.length; i++) {
+    const part = content[i]
     if (!part) continue
     if (part.type === 'image') {
       const size = part.data.length
       if (size <= options.imageMaxBytes) continue
-      result.content[i] = {
+      content[i] = {
         type: 'text',
         text: `${ELIDED_MARKER}image ${part.mimeType} elided, ${size} bytes of base64 exceeded imageMaxBytes=${options.imageMaxBytes}]`,
       }
@@ -39,18 +48,21 @@ export function capToolResult(tool: string, result: ToolResult, options: CapOpti
     if (part.type === 'text') {
       const size = part.text.length
       if (size <= options.textMaxBytes) continue
-      // Keep a head slice of the original text so the LLM still has a hint of
-      // shape (e.g. "fetched HTML starts with <!DOCTYPE..."). Tail is dropped.
+      if (isElidedPlaceholderText(part.text)) continue
       const head = part.text.slice(0, options.textMaxBytes)
       const elided = size - options.textMaxBytes
       const replacement: ContentPart = {
         type: 'text',
         text: `${head}\n\n${ELIDED_MARKER}${elided} bytes truncated from text part; original was ${size} bytes, textMaxBytes=${options.textMaxBytes}]`,
       }
-      result.content[i] = replacement
+      content[i] = replacement
       stats.textsTruncated += 1
       stats.bytesElided += elided
     }
   }
   return stats
 }
+
+export function capToolResult(tool: string, result: ToolResult, options: CapOptions): CapStats {
+  return capContentParts(tool, result.content, options)
+}

package/src/bundled-plugins/tool-result-cap/index.ts

@@ -2,14 +2,14 @@ import { z } from 'zod'
 
 import { definePlugin } from '@/plugin'
 
-import { capToolResult } from './cap-result'
+import { type CapOptions, capToolResult } from './cap-result'
 
 const DEFAULT_IMAGE_MAX_BYTES = 262_144
 const DEFAULT_TEXT_MAX_BYTES = 65_536
 const MIN_IMAGE_MAX_BYTES = 1_024
 const MIN_TEXT_MAX_BYTES = 1_024
 
-const toolResultCapConfigSchema = z
+export const toolResultCapConfigSchema = z
   .object({
     enabled: z.boolean().default(true),
     imageMaxBytes: z.number().int().min(MIN_IMAGE_MAX_BYTES).default(DEFAULT_IMAGE_MAX_BYTES),
@@ -23,6 +23,20 @@ const toolResultCapConfigSchema = z
     exemptTools: [],
   })
 
+// Helper for non-plugin call sites (e.g. channel-session-factory's load-time
+// pass) to parse the same `tool-result-cap` config block and resolve it to
+// the runtime options shape, or `null` when the plugin is disabled. Keeps
+// the schema and the disable rule in one place.
+export function resolveCapOptionsFromConfig(raw: unknown): CapOptions | null {
+  const parsed = toolResultCapConfigSchema.parse(raw)
+  if (!parsed.enabled) return null
+  return {
+    imageMaxBytes: parsed.imageMaxBytes,
+    textMaxBytes: parsed.textMaxBytes,
+    exemptTools: new Set(parsed.exemptTools),
+  }
+}
+
 export default definePlugin({
   configSchema: toolResultCapConfigSchema,
   plugin: async (ctx) => {

package/src/channels/adapters/discord-bot-classify.ts

@@ -5,13 +5,12 @@ import type {
   DiscordGatewayStickerItem,
 } from 'agent-messenger/discordbot'
 
-import { isAllowed, type ChannelAdapterConfig } from '@/channels/schema'
+import type { ChannelAdapterConfig } from '@/channels/schema'
 import type { InboundMessage } from '@/channels/types'
 
 export type InboundDropReason =
   | 'self_author' // event.author.id === botUserId; we never route our own messages back to ourselves
   | 'empty_content' // SDK delivered content: '' — usually missing MessageContent intent
-  | 'not_in_allow_list' // workspace/channel not admitted by typeclaw.json `channels.discord-bot.allow`
   | 'pre_connect' // bot identity is not known yet, so mention/self/reply classification cannot be trusted
 
 export type InboundClassification =
@@ -26,7 +25,7 @@ export type InboundClassification =
 // forces logging to stay exhaustive.
 export function classifyInbound(
   event: DiscordGatewayMessageCreateEvent,
-  config: ChannelAdapterConfig,
+  _config: ChannelAdapterConfig,
   botUserId: string | null,
 ): InboundClassification {
   // Self-drop is the hard floor: we must never route our own messages back to
@@ -41,9 +40,6 @@ export function classifyInbound(
 
   const isDm = event.guild_id === undefined
   const workspace = isDm ? '@dm' : event.guild_id!
-  if (!isAllowed(config.allow, workspace, event.channel_id)) {
-    return { kind: 'drop', reason: 'not_in_allow_list' }
-  }
 
   if (botUserId === null) {
     return { kind: 'drop', reason: 'pre_connect' }

package/src/channels/adapters/discord-bot.ts

@@ -9,7 +9,7 @@ import {
 } from '@/channels/membership'
 import { deriveMembershipFromHistory } from '@/channels/membership-from-history'
 import type { ChannelRouter } from '@/channels/router'
-import { isAllowed, type ChannelAdapterConfig } from '@/channels/schema'
+import type { ChannelAdapterConfig } from '@/channels/schema'
 import type {
   ChannelHistoryMessage,
   FetchAttachmentCallback,
@@ -82,11 +82,10 @@ export type DiscordBotAdapter = {
 // router caps cadence per-channel at 8s.
 export function createTypingCallback(deps: {
   token: string
-  configRef: () => ChannelAdapterConfig
   logger: DiscordBotAdapterLogger
   formatChannelTag?: (workspace: string, chat: string) => Promise<string>
 }): TypingCallback {
-  const { token, configRef, logger, formatChannelTag } = deps
+  const { token, logger, formatChannelTag } = deps
   return async (target: TypingTarget): Promise<void> => {
     if (target.adapter !== 'discord-bot') return
     // Discord's typing indicator auto-expires after ~10s on Discord's side,
@@ -94,8 +93,6 @@ export function createTypingCallback(deps: {
     // for platforms (Slack) that need an explicit clear; for Discord it
     // would be extra POSTs that confuse the indicator into reappearing.
     if (target.phase === 'stop') return
-    const config = configRef()
-    if (!isAllowed(config.allow, target.workspace, target.chat)) return
     // Threads are channels in Discord, so the typing endpoint takes the
     // thread id directly when present.
     const channelId = target.thread ?? target.chat
@@ -240,19 +237,13 @@ type DiscordRawHistoryMessage = {
 // design where `chat` is the parent and `thread` is the thread channel id).
 export function createDiscordHistoryCallback(deps: {
   token: string
-  configRef: () => ChannelAdapterConfig
   logger: DiscordBotAdapterLogger
   botUserIdRef: () => string | null
   fetchImpl?: typeof fetch
 }): HistoryCallback {
-  const { token, configRef, logger, botUserIdRef } = deps
+  const { token, logger, botUserIdRef } = deps
   const fetchFn = deps.fetchImpl ?? fetch
   return async (args: FetchHistoryArgs): Promise<FetchHistoryResult> => {
-    const config = configRef()
-    if (!isAllowedAnyGuild(config.allow, args.chat)) {
-      return { ok: false, error: 'denied by allow rules' }
-    }
-
     const channelId = args.thread ?? args.chat
     const limit = clampLimit(args.limit, DISCORD_HISTORY_LIMIT_MAX)
     const params = new URLSearchParams({ limit: String(limit) })
@@ -315,27 +306,6 @@ function clampLimit(requested: number, max: number): number {
   return Math.min(Math.floor(requested), max)
 }
 
-// Discord channel ids are globally unique snowflakes, so a `channel:<id>`
-// or `guild:<g>/<id>` rule for any guild admits this chat. We match this
-// way because at fetch time the tool has resolved the chat from session
-// origin but does not always re-supply the guild id (esp. across cursor
-// pagination), so the workspace-aware `isAllowed` is too narrow here.
-function isAllowedAnyGuild(rules: readonly string[], chat: string): boolean {
-  for (const rule of rules) {
-    if (rule === '*') return true
-    if (rule === 'guild:*' || rule === 'team:*') return true
-    if (rule === 'dm:*') return true
-    if (rule.startsWith('channel:') && rule.slice(8) === chat) return true
-    if (rule.startsWith('dm:') && rule.slice(3) === chat) return true
-    if (rule.startsWith('guild:')) {
-      const body = rule.slice(6)
-      const slash = body.indexOf('/')
-      if (slash !== -1 && body.slice(slash + 1) === chat) return true
-    }
-  }
-  return false
-}
-
 // Discord-side asymmetry: agent-messenger's upstream `uploadFile` posts the
 // file to `POST /channels/{id}/messages` as a multipart-only request. It does
 // not accept a `content` body or a `thread_id`. So when the agent wants to
@@ -353,21 +323,15 @@ function isAllowedAnyGuild(rules: readonly string[], chat: string): boolean {
 // after every upload succeeds.
 export function createOutboundCallback(deps: {
   client: Pick<DiscordBotClient, 'sendMessage' | 'uploadFile'>
-  configRef: () => ChannelAdapterConfig
   logger: DiscordBotAdapterLogger
   formatChannelTag: (workspace: string, chat: string) => Promise<string>
   resolvePath?: (path: string) => string
 }): OutboundCallback {
-  const { client, configRef, logger, formatChannelTag, resolvePath } = deps
+  const { client, logger, formatChannelTag, resolvePath } = deps
   return async (msg: OutboundMessage): Promise<SendResult> => {
     if (msg.adapter !== 'discord-bot') {
       return { ok: false, error: `unknown adapter: ${msg.adapter}` }
     }
-    const config = configRef()
-    if (!isAllowed(config.allow, msg.workspace, msg.chat)) {
-      logger.warn(`[discord-bot] outbound denied by allow rules: ${msg.workspace}/${msg.chat}`)
-      return { ok: false, error: 'denied by allow rules' }
-    }
     const text = msg.text ?? ''
     const attachments = msg.attachments ?? []
     if (text === '' && attachments.length === 0) {
@@ -491,14 +455,12 @@ export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): Disc
 
   const typingCallback = createTypingCallback({
     token: options.token,
-    configRef: options.configRef,
     logger,
     formatChannelTag,
   })
 
   const historyCallback = createDiscordHistoryCallback({
     token: options.token,
-    configRef: options.configRef,
     logger,
     botUserIdRef: () => botUserId,
   })
@@ -511,7 +473,6 @@ export function createDiscordBotAdapter(options: DiscordBotAdapterOptions): Disc
 
   const outboundCallback = createOutboundCallback({
     client,
-    configRef: options.configRef,
     logger,
     formatChannelTag,
   })
@@ -631,8 +592,6 @@ function dropHint(reason: InboundDropReason): string {
   switch (reason) {
     case 'empty_content':
       return ' (enable MESSAGE CONTENT INTENT in Discord Developer Portal and restart)'
-    case 'not_in_allow_list':
-      return ' (extend channels.discord-bot.allow in typeclaw.json to admit this workspace/channel)'
     case 'pre_connect':
     case 'self_author':
       return ''

package/src/channels/adapters/kakaotalk-classify.ts

@@ -1,10 +1,10 @@
 import type { KakaoTalkPushMessageEvent } from 'agent-messenger/kakaotalk'
 
 import { matchesAnyAlias } from '@/channels/engagement'
-import { isAllowed, type ChannelAdapterConfig } from '@/channels/schema'
+import type { ChannelAdapterConfig } from '@/channels/schema'
 import type { InboundMessage } from '@/channels/types'
 
-export type InboundDropReason = 'self_author' | 'empty_text' | 'unknown_chat' | 'not_in_allow_list' | 'pre_connect'
+export type InboundDropReason = 'self_author' | 'empty_text' | 'unknown_chat' | 'pre_connect'
 
 export type InboundClassification =
   | { kind: 'drop'; reason: InboundDropReason }
@@ -23,7 +23,7 @@ export type KakaoInboundContext = {
 
 export function classifyInbound(
   event: KakaoTalkPushMessageEvent,
-  config: ChannelAdapterConfig,
+  _config: ChannelAdapterConfig,
   context: KakaoInboundContext,
 ): InboundClassification {
   if (context.selfUserId === null) {
@@ -41,10 +41,6 @@ export function classifyInbound(
     return { kind: 'drop', reason: 'unknown_chat' }
   }
 
-  if (!isAllowed(config.allow, chatInfo.workspace, event.chat_id)) {
-    return { kind: 'drop', reason: 'not_in_allow_list' }
-  }
-
   // KakaoTalk has no native @-mention syntax in the LOCO protocol that the
   // SDK exposes (mention rendering happens client-side via display_name
   // matching). Mention-equivalent engagement comes solely from alias