refactor: centralize channel ingress access

2026-05-13 23:56:07 +00:00 · 2026-05-10 05:06:03 +01:00
parent 1725eebe62
commit a0fb7fb045
250 changed files with 11410 additions and 8161 deletions
--- a/extensions/irc/src/inbound.behavior.test.ts
+++ b/extensions/irc/src/inbound.behavior.test.ts
@@ -1,3 +1,4 @@
+import { createPluginRuntimeMock } from "openclaw/plugin-sdk/channel-test-helpers";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import type { ResolvedIrcAccount } from "./accounts.js";
 import { handleIrcInbound } from "./inbound.js";
@@ -163,4 +164,30 @@ describe("irc inbound behavior", () => {
      "irc: drop control command (unauthorized) target=alice!ident@example.com",
    );
  });
+
+  it("passes the shared reply pipeline for dispatched replies", async () => {
+    const coreRuntime = createPluginRuntimeMock();
+    setIrcRuntime(coreRuntime as never);
+
+    await handleIrcInbound({
+      message: createMessage(),
+      account: createAccount({
+        config: {
+          dmPolicy: "open",
+          allowFrom: ["*"],
+          groupPolicy: "allowlist",
+          groupAllowFrom: [],
+        },
+      }),
+      config: { channels: { irc: {} } } as CoreConfig,
+      runtime: createRuntimeEnv(),
+      sendReply: vi.fn(async () => {}),
+    });
+
+    expect(coreRuntime.channel.turn.runAssembled).toHaveBeenCalledWith(
+      expect.objectContaining({
+        replyPipeline: {},
+      }),
+    );
+  });
 });
--- a/extensions/irc/src/inbound.policy.test.ts
+++ b/extensions/irc/src/inbound.policy.test.ts
@@ -1,37 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { __testing } from "./inbound.js";
-
-describe("irc inbound policy", () => {
-  it("keeps DM allowlist merged with pairing-store entries", () => {
-    const resolved = __testing.resolveIrcEffectiveAllowlists({
-      configAllowFrom: ["owner"],
-      configGroupAllowFrom: [],
-      storeAllowList: ["paired-user"],
-      dmPolicy: "pairing",
-    });
-
-    expect(resolved.effectiveAllowFrom).toEqual(["owner", "paired-user"]);
-  });
-
-  it("does not grant group access from pairing-store when explicit groupAllowFrom exists", () => {
-    const resolved = __testing.resolveIrcEffectiveAllowlists({
-      configAllowFrom: ["owner"],
-      configGroupAllowFrom: ["group-owner"],
-      storeAllowList: ["paired-user"],
-      dmPolicy: "pairing",
-    });
-
-    expect(resolved.effectiveGroupAllowFrom).toEqual(["group-owner"]);
-  });
-
-  it("does not grant group access from pairing-store when groupAllowFrom is empty", () => {
-    const resolved = __testing.resolveIrcEffectiveAllowlists({
-      configAllowFrom: ["owner"],
-      configGroupAllowFrom: [],
-      storeAllowList: ["paired-user"],
-      dmPolicy: "pairing",
-    });
-
-    expect(resolved.effectiveGroupAllowFrom).toStrictEqual([]);
-  });
-});
--- a/extensions/irc/src/inbound.ts
+++ b/extensions/irc/src/inbound.ts
@@ -1,12 +1,12 @@
-import { createChannelMessageReplyPipeline } from "openclaw/plugin-sdk/channel-message";
-import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
 import {
-  readStoreAllowFromForDmPolicy,
-  resolveEffectiveAllowFromLists,
-} from "openclaw/plugin-sdk/channel-policy";
-import { resolveControlCommandGate } from "openclaw/plugin-sdk/command-auth";
+  channelIngressRoutes,
+  createChannelIngressResolver,
+  defineStableChannelIngressIdentity,
+} from "openclaw/plugin-sdk/channel-ingress-runtime";
+import { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
 import type { OpenClawConfig } from "openclaw/plugin-sdk/config-types";
 import { isDangerousNameMatchingEnabled } from "openclaw/plugin-sdk/dangerous-name-runtime";
+import { resolveInboundRouteEnvelopeBuilderWithRuntime } from "openclaw/plugin-sdk/inbound-envelope";
 import {
  deliverFormattedTextWithAttachments,
  type OutboundReplyPayload,
@@ -21,42 +21,122 @@ import {
 import {
  normalizeLowercaseStringOrEmpty,
  normalizeOptionalString,
+  normalizeStringEntries,
 } from "openclaw/plugin-sdk/text-runtime";
 import type { ResolvedIrcAccount } from "./accounts.js";
-import { normalizeIrcAllowlist, resolveIrcAllowlistMatch } from "./normalize.js";
-import {
-  resolveIrcMentionGate,
-  resolveIrcGroupAccessGate,
-  resolveIrcGroupMatch,
-  resolveIrcGroupSenderAllowed,
-  resolveIrcRequireMention,
-} from "./policy.js";
+import { buildIrcAllowlistCandidates, normalizeIrcAllowEntry } from "./normalize.js";
+import { resolveIrcGroupMatch, resolveIrcRequireMention } from "./policy.js";
 import { getIrcRuntime } from "./runtime.js";
 import { sendMessageIrc } from "./send.js";
 import type { CoreConfig, IrcInboundMessage } from "./types.js";

 const CHANNEL_ID = "irc" as const;
+const IRC_NICK_KIND = "plugin:irc-nick" as const;
+type IrcGroupPolicy = "open" | "allowlist" | "disabled";
+
+const ircIngressIdentity = defineStableChannelIngressIdentity({
+  key: "irc-id",
+  normalizeEntry: normalizeIrcStableEntry,
+  normalizeSubject: normalizeLowercaseStringOrEmpty,
+  sensitivity: "pii",
+  aliases: [
+    ...["irc-id-nick-user", "irc-id-nick-host"].map((key) => ({
+      key,
+      kind: "stable-id" as const,
+      normalizeEntry: () => null,
+      normalizeSubject: normalizeLowercaseStringOrEmpty,
+      sensitivity: "pii" as const,
+    })),
+    {
+      key: "irc-nick",
+      kind: IRC_NICK_KIND,
+      normalizeEntry: normalizeIrcNickEntry,
+      normalizeSubject: normalizeLowercaseStringOrEmpty,
+      dangerous: true,
+      sensitivity: "pii",
+    },
+  ],
+  isWildcardEntry: (entry) => normalizeIrcAllowEntry(entry) === "*",
+  resolveEntryId: ({ entryIndex, fieldKey }) =>
+    `irc-entry-${entryIndex + 1}:${fieldKey === "irc-nick" ? "nick" : "id"}`,
+});

 const escapeIrcRegexLiteral = (value: string) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

-function resolveIrcEffectiveAllowlists(params: {
-  configAllowFrom: string[];
-  configGroupAllowFrom: string[];
-  storeAllowList: string[];
-  dmPolicy: string;
-}): {
-  effectiveAllowFrom: string[];
-  effectiveGroupAllowFrom: string[];
-} {
-  const { effectiveAllowFrom, effectiveGroupAllowFrom } = resolveEffectiveAllowFromLists({
-    allowFrom: params.configAllowFrom,
-    groupAllowFrom: params.configGroupAllowFrom,
-    storeAllowFrom: params.storeAllowList,
-    dmPolicy: params.dmPolicy,
-    // IRC intentionally requires explicit groupAllowFrom; do not fallback to allowFrom.
-    groupAllowFromFallbackToAllowFrom: false,
-  });
-  return { effectiveAllowFrom, effectiveGroupAllowFrom };
+function isBareNick(value: string): boolean {
+  return !value.includes("!") && !value.includes("@");
+}
+
+function normalizeIrcStableEntry(value: string): string | null {
+  const normalized = normalizeIrcAllowEntry(value);
+  if (!normalized || normalized === "*" || isBareNick(normalized)) {
+    return null;
+  }
+  return normalized;
+}
+
+function normalizeIrcNickEntry(value: string): string | null {
+  const normalized = normalizeIrcAllowEntry(value);
+  if (!normalized || normalized === "*" || !isBareNick(normalized)) {
+    return null;
+  }
+  return normalized;
+}
+
+function hasEntries(entries: Array<string | number> | undefined): boolean {
+  return normalizeStringEntries(entries).some((entry) => normalizeIrcAllowEntry(entry));
+}
+
+function createIrcIngressSubject(message: IrcInboundMessage) {
+  const candidates = buildIrcAllowlistCandidates(message, { allowNameMatching: true });
+  const stableCandidates = candidates.filter((candidate) => !isBareNick(candidate));
+  const nick = normalizeLowercaseStringOrEmpty(message.senderNick);
+  return {
+    stableId: stableCandidates[stableCandidates.length - 1] ?? nick,
+    aliases: {
+      "irc-id-nick-user": stableCandidates.find(
+        (candidate) => candidate.includes("!") && !candidate.includes("@"),
+      ),
+      "irc-id-nick-host": stableCandidates.find(
+        (candidate) => !candidate.includes("!") && candidate.includes("@"),
+      ),
+      "irc-nick": nick,
+    },
+  };
+}
+
+function routeDescriptorsForIrcGroup(params: {
+  isGroup: boolean;
+  groupPolicy: IrcGroupPolicy;
+  groupAllowed: boolean;
+  hasConfiguredGroups: boolean;
+  groupEnabled: boolean;
+  routeGroupAllowFrom: string[];
+}) {
+  if (!params.isGroup) {
+    return [];
+  }
+  return channelIngressRoutes(
+    params.groupPolicy === "allowlist" && {
+      id: "irc:channel",
+      allowed: params.hasConfiguredGroups && params.groupAllowed,
+      precedence: 0,
+      matchId: "irc-channel",
+      blockReason: "channel_not_allowlisted",
+    },
+    !params.groupEnabled && {
+      id: "irc:channel-enabled",
+      enabled: false,
+      precedence: 10,
+      blockReason: "channel_disabled",
+    },
+    hasEntries(params.routeGroupAllowFrom) && {
+      id: "irc:channel-sender",
+      precedence: 20,
+      senderPolicy: "replace",
+      senderAllowFrom: params.routeGroupAllowFrom,
+    },
+  );
 }

 async function deliverIrcReply(params: {
@@ -67,7 +147,7 @@ async function deliverIrcReply(params: {
  sendReply?: (target: string, text: string, replyToId?: string) => Promise<void>;
  statusSink?: (patch: { lastOutboundAt?: number }) => void;
 }) {
-  const delivered = await deliverFormattedTextWithAttachments({
+  await deliverFormattedTextWithAttachments({
    payload: params.payload,
    send: async ({ text, replyToId }) => {
      if (params.sendReply) {
@@ -82,9 +162,6 @@ async function deliverIrcReply(params: {
      params.statusSink?.({ lastOutboundAt: Date.now() });
    },
  });
-  if (!delivered) {
-    return;
-  }
 }

 export async function handleIrcInbound(params: {
@@ -132,124 +209,16 @@ export async function handleIrcInbound(params: {
    log: (message) => runtime.log?.(message),
  });

-  const configAllowFrom = normalizeIrcAllowlist(account.config.allowFrom);
-  const configGroupAllowFrom = normalizeIrcAllowlist(account.config.groupAllowFrom);
-  const storeAllowFrom = await readStoreAllowFromForDmPolicy({
-    provider: CHANNEL_ID,
-    accountId: account.accountId,
-    dmPolicy,
-    readStore: pairing.readStoreForDmPolicy,
-  });
-  const storeAllowList = normalizeIrcAllowlist(storeAllowFrom);
-
  const groupMatch = resolveIrcGroupMatch({
    groups: account.config.groups,
    target: message.target,
  });

-  if (message.isGroup) {
-    const groupAccess = resolveIrcGroupAccessGate({ groupPolicy, groupMatch });
-    if (!groupAccess.allowed) {
-      runtime.log?.(`irc: drop channel ${message.target} (${groupAccess.reason})`);
-      return;
-    }
-  }
-
-  const directGroupAllowFrom = normalizeIrcAllowlist(groupMatch.groupConfig?.allowFrom);
-  const wildcardGroupAllowFrom = normalizeIrcAllowlist(groupMatch.wildcardConfig?.allowFrom);
-  const groupAllowFrom =
-    directGroupAllowFrom.length > 0 ? directGroupAllowFrom : wildcardGroupAllowFrom;
-
-  const { effectiveAllowFrom, effectiveGroupAllowFrom } = resolveIrcEffectiveAllowlists({
-    configAllowFrom,
-    configGroupAllowFrom,
-    storeAllowList,
-    dmPolicy,
-  });
-
  const allowTextCommands = core.channel.commands.shouldHandleTextCommands({
    cfg: config as OpenClawConfig,
    surface: CHANNEL_ID,
  });
-  const useAccessGroups = config.commands?.useAccessGroups !== false;
-  const senderAllowedForCommands = resolveIrcAllowlistMatch({
-    allowFrom: message.isGroup ? effectiveGroupAllowFrom : effectiveAllowFrom,
-    message,
-    allowNameMatching,
-  }).allowed;
  const hasControlCommand = core.channel.text.hasControlCommand(rawBody, config as OpenClawConfig);
-  const commandGate = resolveControlCommandGate({
-    useAccessGroups,
-    authorizers: [
-      {
-        configured: (message.isGroup ? effectiveGroupAllowFrom : effectiveAllowFrom).length > 0,
-        allowed: senderAllowedForCommands,
-      },
-    ],
-    allowTextCommands,
-    hasControlCommand,
-  });
-  const commandAuthorized = commandGate.commandAuthorized;
-
-  if (message.isGroup) {
-    const senderAllowed = resolveIrcGroupSenderAllowed({
-      groupPolicy,
-      message,
-      outerAllowFrom: effectiveGroupAllowFrom,
-      innerAllowFrom: groupAllowFrom,
-      allowNameMatching,
-    });
-    if (!senderAllowed) {
-      runtime.log?.(`irc: drop group sender ${senderDisplay} (policy=${groupPolicy})`);
-      return;
-    }
-  } else {
-    if (dmPolicy === "disabled") {
-      runtime.log?.(`irc: drop DM sender=${senderDisplay} (dmPolicy=disabled)`);
-      return;
-    }
-    const dmAllowed = resolveIrcAllowlistMatch({
-      allowFrom: effectiveAllowFrom,
-      message,
-      allowNameMatching,
-    }).allowed;
-    if (!dmAllowed) {
-      if (dmPolicy === "pairing") {
-        await pairing.issueChallenge({
-          senderId: normalizeLowercaseStringOrEmpty(senderDisplay),
-          senderIdLine: `Your IRC id: ${senderDisplay}`,
-          meta: { name: message.senderNick || undefined },
-          sendPairingReply: async (text) => {
-            await deliverIrcReply({
-              payload: { text },
-              cfg: config,
-              target: message.senderNick,
-              accountId: account.accountId,
-              sendReply: params.sendReply,
-              statusSink,
-            });
-          },
-          onReplyError: (err) => {
-            runtime.error?.(`irc: pairing reply failed for ${senderDisplay}: ${String(err)}`);
-          },
-        });
-      }
-      runtime.log?.(`irc: drop DM sender ${senderDisplay} (dmPolicy=${dmPolicy})`);
-      return;
-    }
-  }
-
-  if (message.isGroup && commandGate.shouldBlock) {
-    const { logInboundDrop } = await import("openclaw/plugin-sdk/channel-inbound");
-    logInboundDrop({
-      log: (line) => runtime.log?.(line),
-      channel: CHANNEL_ID,
-      reason: "control command (unauthorized)",
-      target: senderDisplay,
-    });
-    return;
-  }
-
  const mentionRegexes = core.channel.mentions.buildMentionRegexes(config as OpenClawConfig);
  const mentionNick = connectedNick?.trim() || account.nick;
  const explicitMentionRegex = mentionNick
@@ -258,29 +227,126 @@ export async function handleIrcInbound(params: {
  const wasMentioned =
    core.channel.mentions.matchesMentionPatterns(rawBody, mentionRegexes) ||
    (explicitMentionRegex ? explicitMentionRegex.test(rawBody) : false);
-
  const requireMention = message.isGroup
    ? resolveIrcRequireMention({
        groupConfig: groupMatch.groupConfig,
        wildcardConfig: groupMatch.wildcardConfig,
      })
    : false;
-
-  const mentionGate = resolveIrcMentionGate({
-    isGroup: message.isGroup,
-    requireMention,
-    wasMentioned,
-    hasControlCommand,
-    allowTextCommands,
-    commandAuthorized,
+  const routeGroupAllowFrom = normalizeStringEntries(
+    groupMatch.groupConfig?.allowFrom?.length
+      ? groupMatch.groupConfig.allowFrom
+      : groupMatch.wildcardConfig?.allowFrom,
+  );
+  const accessGroupPolicy: IrcGroupPolicy =
+    groupPolicy === "open" &&
+    (hasEntries(account.config.groupAllowFrom) || hasEntries(routeGroupAllowFrom))
+      ? "allowlist"
+      : groupPolicy;
+  const access = await createChannelIngressResolver({
+    channelId: CHANNEL_ID,
+    accountId: account.accountId,
+    identity: ircIngressIdentity,
+    cfg: config as OpenClawConfig,
+    readStoreAllowFrom: async () => await pairing.readAllowFromStore(),
+  }).message({
+    subject: createIrcIngressSubject(message),
+    conversation: {
+      kind: message.isGroup ? "group" : "direct",
+      id: message.target,
+    },
+    route: routeDescriptorsForIrcGroup({
+      isGroup: message.isGroup,
+      groupPolicy,
+      groupAllowed: groupMatch.allowed,
+      hasConfiguredGroups: groupMatch.hasConfiguredGroups,
+      groupEnabled:
+        groupMatch.groupConfig?.enabled !== false && groupMatch.wildcardConfig?.enabled !== false,
+      routeGroupAllowFrom,
+    }),
+    mentionFacts: message.isGroup
+      ? {
+          canDetectMention: true,
+          wasMentioned,
+          hasAnyMention: wasMentioned,
+        }
+      : undefined,
+    dmPolicy,
+    groupPolicy: accessGroupPolicy,
+    policy: {
+      groupAllowFromFallbackToAllowFrom: false,
+      mutableIdentifierMatching: allowNameMatching ? "enabled" : "disabled",
+      activation: {
+        requireMention: message.isGroup && requireMention,
+        allowTextCommands,
+      },
+    },
+    allowFrom: account.config.allowFrom,
+    groupAllowFrom: account.config.groupAllowFrom,
+    command: {
+      allowTextCommands,
+      hasControlCommand,
+    },
  });
-  if (mentionGate.shouldSkip) {
-    runtime.log?.(`irc: drop channel ${message.target} (${mentionGate.reason})`);
+  const commandAuthorized = access.commandAccess.authorized;
+
+  if (access.ingress.admission === "pairing-required") {
+    await pairing.issueChallenge({
+      senderId: normalizeLowercaseStringOrEmpty(senderDisplay),
+      senderIdLine: `Your IRC id: ${senderDisplay}`,
+      meta: { name: message.senderNick || undefined },
+      sendPairingReply: async (text) => {
+        await deliverIrcReply({
+          payload: { text },
+          cfg: config,
+          target: message.senderNick,
+          accountId: account.accountId,
+          sendReply: params.sendReply,
+          statusSink,
+        });
+      },
+      onReplyError: (err) => {
+        runtime.error?.(`irc: pairing reply failed for ${senderDisplay}: ${String(err)}`);
+      },
+    });
+    runtime.log?.(`irc: drop DM sender ${senderDisplay} (dmPolicy=${dmPolicy})`);
+    return;
+  }
+  if (access.ingress.admission === "skip") {
+    runtime.log?.(`irc: drop channel ${message.target} (missing-mention)`);
+    return;
+  }
+  if (access.ingress.admission !== "dispatch") {
+    if (
+      message.isGroup &&
+      access.ingress.decisiveGateId === "command" &&
+      access.commandAccess.shouldBlockControlCommand
+    ) {
+      const { logInboundDrop } = await import("openclaw/plugin-sdk/channel-inbound");
+      logInboundDrop({
+        log: (line) => runtime.log?.(line),
+        channel: CHANNEL_ID,
+        reason: "control command (unauthorized)",
+        target: senderDisplay,
+      });
+      return;
+    }
+    if (message.isGroup) {
+      if (access.routeAccess.reason === "channel_not_allowlisted") {
+        runtime.log?.(`irc: drop channel ${message.target} (not allowlisted)`);
+      } else if (access.routeAccess.reason === "channel_disabled") {
+        runtime.log?.(`irc: drop channel ${message.target} (disabled)`);
+      } else {
+        runtime.log?.(`irc: drop group sender ${senderDisplay} (policy=${groupPolicy})`);
+      }
+    } else {
+      runtime.log?.(`irc: drop DM sender ${senderDisplay} (dmPolicy=${dmPolicy})`);
+    }
    return;
  }

  const peerId = message.isGroup ? message.target : message.senderNick;
-  const route = core.channel.routing.resolveAgentRoute({
+  const { route, buildEnvelope } = resolveInboundRouteEnvelopeBuilderWithRuntime({
    cfg: config as OpenClawConfig,
    channel: CHANNEL_ID,
    accountId: account.accountId,
@@ -288,23 +354,15 @@ export async function handleIrcInbound(params: {
      kind: message.isGroup ? "group" : "direct",
      id: peerId,
    },
+    runtime: core.channel,
+    sessionStore: config.session?.store,
  });

  const fromLabel = message.isGroup ? message.target : senderDisplay;
-  const storePath = core.channel.session.resolveStorePath(config.session?.store, {
-    agentId: route.agentId,
-  });
-  const envelopeOptions = core.channel.reply.resolveEnvelopeFormatOptions(config as OpenClawConfig);
-  const previousTimestamp = core.channel.session.readSessionUpdatedAt({
-    storePath,
-    sessionKey: route.sessionKey,
-  });
-  const body = core.channel.reply.formatAgentEnvelope({
+  const { storePath, body } = buildEnvelope({
    channel: "IRC",
    from: fromLabel,
    timestamp: message.timestamp,
-    previousTimestamp,
-    envelope: envelopeOptions,
    body: rawBody,
  });

@@ -334,49 +392,40 @@ export async function handleIrcInbound(params: {
    CommandAuthorized: commandAuthorized,
  });

-  const { onModelSelected, ...replyPipeline } = createChannelMessageReplyPipeline({
+  await core.channel.turn.runAssembled({
    cfg: config as OpenClawConfig,
+    channel: CHANNEL_ID,
+    accountId: account.accountId,
    agentId: route.agentId,
-    channel: CHANNEL_ID,
-    accountId: account.accountId,
-  });
-
-  await core.channel.turn.runPrepared({
-    channel: CHANNEL_ID,
-    accountId: account.accountId,
    routeSessionKey: route.sessionKey,
    storePath,
    ctxPayload,
    recordInboundSession: core.channel.session.recordInboundSession,
-    runDispatch: async () =>
-      await core.channel.reply.dispatchReplyWithBufferedBlockDispatcher({
-        ctx: ctxPayload,
-        cfg: config as OpenClawConfig,
-        dispatcherOptions: {
-          ...replyPipeline,
-          deliver: async (payload) => {
-            await deliverIrcReply({
-              payload,
-              cfg: config,
-              target: peerId,
-              accountId: account.accountId,
-              sendReply: params.sendReply,
-              statusSink,
-            });
-          },
-          onError: (err, info) => {
-            runtime.error?.(`irc ${info.kind} reply failed: ${String(err)}`);
-          },
-        },
-        replyOptions: {
-          onModelSelected,
-          skillFilter: groupMatch.groupConfig?.skills,
-          disableBlockStreaming:
-            typeof account.config.blockStreaming === "boolean"
-              ? !account.config.blockStreaming
-              : undefined,
-        },
-      }),
+    dispatchReplyWithBufferedBlockDispatcher:
+      core.channel.reply.dispatchReplyWithBufferedBlockDispatcher,
+    delivery: {
+      deliver: async (payload) => {
+        await deliverIrcReply({
+          payload,
+          cfg: config,
+          target: peerId,
+          accountId: account.accountId,
+          sendReply: params.sendReply,
+          statusSink,
+        });
+      },
+      onError: (err, info) => {
+        runtime.error?.(`irc ${info.kind} reply failed: ${String(err)}`);
+      },
+    },
+    replyPipeline: {},
+    replyOptions: {
+      skillFilter: groupMatch.groupConfig?.skills,
+      disableBlockStreaming:
+        typeof account.config.blockStreaming === "boolean"
+          ? !account.config.blockStreaming
+          : undefined,
+    },
    record: {
      onRecordError: (err) => {
        runtime.error?.(`irc: failed updating session meta: ${String(err)}`);
@@ -384,7 +433,3 @@ export async function handleIrcInbound(params: {
    },
  });
 }
-
-export const __testing = {
-  resolveIrcEffectiveAllowlists,
-};
--- a/extensions/irc/src/policy.test.ts
+++ b/extensions/irc/src/policy.test.ts
@@ -1,12 +1,6 @@
 import { resolveChannelGroupPolicy } from "openclaw/plugin-sdk/channel-policy";
 import { describe, expect, it } from "vitest";
-import {
-  resolveIrcGroupAccessGate,
-  resolveIrcGroupMatch,
-  resolveIrcGroupSenderAllowed,
-  resolveIrcMentionGate,
-  resolveIrcRequireMention,
-} from "./policy.js";
+import { resolveIrcGroupMatch, resolveIrcRequireMention } from "./policy.js";

 describe("irc policy", () => {
  it("matches direct and wildcard group entries", () => {
@@ -29,94 +23,6 @@ describe("irc policy", () => {
    expect(resolveIrcRequireMention({ wildcardConfig: wildcard.wildcardConfig })).toBe(true);
  });

-  it("enforces allowlist by default in groups", () => {
-    const message = {
-      messageId: "m1",
-      target: "#ops",
-      senderNick: "alice",
-      senderUser: "ident",
-      senderHost: "example.org",
-      text: "hi",
-      timestamp: Date.now(),
-      isGroup: true,
-    };
-
-    expect(
-      resolveIrcGroupSenderAllowed({
-        groupPolicy: "allowlist",
-        message,
-        outerAllowFrom: [],
-        innerAllowFrom: [],
-      }),
-    ).toBe(false);
-
-    expect(
-      resolveIrcGroupSenderAllowed({
-        groupPolicy: "allowlist",
-        message,
-        outerAllowFrom: ["alice!ident@example.org"],
-        innerAllowFrom: [],
-      }),
-    ).toBe(true);
-    expect(
-      resolveIrcGroupSenderAllowed({
-        groupPolicy: "allowlist",
-        message,
-        outerAllowFrom: ["alice"],
-        innerAllowFrom: [],
-      }),
-    ).toBe(false);
-    expect(
-      resolveIrcGroupSenderAllowed({
-        groupPolicy: "allowlist",
-        message,
-        outerAllowFrom: ["alice"],
-        innerAllowFrom: [],
-        allowNameMatching: true,
-      }),
-    ).toBe(true);
-  });
-
-  it('allows unconfigured channels when groupPolicy is "open"', () => {
-    const groupMatch = resolveIrcGroupMatch({
-      groups: undefined,
-      target: "#random",
-    });
-    const gate = resolveIrcGroupAccessGate({
-      groupPolicy: "open",
-      groupMatch,
-    });
-    expect(gate.allowed).toBe(true);
-    expect(gate.reason).toBe("open");
-  });
-
-  it("honors explicit group disable even in open mode", () => {
-    const groupMatch = resolveIrcGroupMatch({
-      groups: {
-        "#ops": { enabled: false },
-      },
-      target: "#ops",
-    });
-    const gate = resolveIrcGroupAccessGate({
-      groupPolicy: "open",
-      groupMatch,
-    });
-    expect(gate.allowed).toBe(false);
-    expect(gate.reason).toBe("disabled");
-  });
-
-  it("allows authorized control commands without mention", () => {
-    const gate = resolveIrcMentionGate({
-      isGroup: true,
-      requireMention: true,
-      wasMentioned: false,
-      hasControlCommand: true,
-      allowTextCommands: true,
-      commandAuthorized: true,
-    });
-    expect(gate.shouldSkip).toBe(false);
-  });
-
  it("keeps case-insensitive group matching aligned with shared channel policy resolution", () => {
    const groups = {
      "#Ops": { requireMention: false },
--- a/extensions/irc/src/policy.ts
+++ b/extensions/irc/src/policy.ts
@@ -1,20 +1,13 @@
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/text-runtime";
-import { normalizeIrcAllowlist, resolveIrcAllowlistMatch } from "./normalize.js";
-import type { IrcAccountConfig, IrcChannelConfig } from "./types.js";
-import type { IrcInboundMessage } from "./types.js";
+import type { IrcChannelConfig } from "./types.js";

-type IrcGroupMatch = {
+export type IrcGroupMatch = {
  allowed: boolean;
  groupConfig?: IrcChannelConfig;
  wildcardConfig?: IrcChannelConfig;
  hasConfiguredGroups: boolean;
 };

-type IrcGroupAccessGate = {
-  allowed: boolean;
-  reason: string;
-};
-
 export function resolveIrcGroupMatch(params: {
  groups?: Record<string, IrcChannelConfig>;
  target: string;
@@ -29,7 +22,7 @@ export function resolveIrcGroupMatch(params: {
  if (direct) {
    return {
      // "allowed" means the target matched an allowlisted key.
-      // Explicit disables are handled later by resolveIrcGroupAccessGate.
+      // Explicit disables are represented later as ingress route facts.
      allowed: true,
      groupConfig: direct,
      wildcardConfig: groups["*"],
@@ -46,7 +39,7 @@ export function resolveIrcGroupMatch(params: {
    if (matched) {
      return {
        // "allowed" means the target matched an allowlisted key.
-        // Explicit disables are handled later by resolveIrcGroupAccessGate.
+        // Explicit disables are represented later as ingress route facts.
        allowed: true,
        groupConfig: matched,
        wildcardConfig: groups["*"],
@@ -59,7 +52,7 @@ export function resolveIrcGroupMatch(params: {
  if (wildcard) {
    return {
      // "allowed" means the target matched an allowlisted key.
-      // Explicit disables are handled later by resolveIrcGroupAccessGate.
+      // Explicit disables are represented later as ingress route facts.
      allowed: true,
      wildcardConfig: wildcard,
      hasConfiguredGroups,
@@ -71,39 +64,6 @@ export function resolveIrcGroupMatch(params: {
  };
 }

-export function resolveIrcGroupAccessGate(params: {
-  groupPolicy: IrcAccountConfig["groupPolicy"];
-  groupMatch: IrcGroupMatch;
-}): IrcGroupAccessGate {
-  const policy = params.groupPolicy ?? "allowlist";
-  if (policy === "disabled") {
-    return { allowed: false, reason: "groupPolicy=disabled" };
-  }
-
-  // In open mode, unconfigured channels are allowed (mention-gated) but explicit
-  // per-channel/wildcard disables still apply.
-  if (policy === "allowlist") {
-    if (!params.groupMatch.hasConfiguredGroups) {
-      return {
-        allowed: false,
-        reason: "groupPolicy=allowlist and no groups configured",
-      };
-    }
-    if (!params.groupMatch.allowed) {
-      return { allowed: false, reason: "not allowlisted" };
-    }
-  }
-
-  if (
-    params.groupMatch.groupConfig?.enabled === false ||
-    params.groupMatch.wildcardConfig?.enabled === false
-  ) {
-    return { allowed: false, reason: "disabled" };
-  }
-
-  return { allowed: true, reason: policy === "open" ? "open" : "allowlisted" };
-}
-
 export function resolveIrcRequireMention(params: {
  groupConfig?: IrcChannelConfig;
  wildcardConfig?: IrcChannelConfig;
@@ -116,54 +76,3 @@ export function resolveIrcRequireMention(params: {
  }
  return true;
 }
-
-export function resolveIrcMentionGate(params: {
-  isGroup: boolean;
-  requireMention: boolean;
-  wasMentioned: boolean;
-  hasControlCommand: boolean;
-  allowTextCommands: boolean;
-  commandAuthorized: boolean;
-}): { shouldSkip: boolean; reason: string } {
-  if (!params.isGroup) {
-    return { shouldSkip: false, reason: "direct" };
-  }
-  if (!params.requireMention) {
-    return { shouldSkip: false, reason: "mention-not-required" };
-  }
-  if (params.wasMentioned) {
-    return { shouldSkip: false, reason: "mentioned" };
-  }
-  if (params.hasControlCommand && params.allowTextCommands && params.commandAuthorized) {
-    return { shouldSkip: false, reason: "authorized-command" };
-  }
-  return { shouldSkip: true, reason: "missing-mention" };
-}
-
-export function resolveIrcGroupSenderAllowed(params: {
-  groupPolicy: IrcAccountConfig["groupPolicy"];
-  message: IrcInboundMessage;
-  outerAllowFrom: string[];
-  innerAllowFrom: string[];
-  allowNameMatching?: boolean;
-}): boolean {
-  const policy = params.groupPolicy ?? "allowlist";
-  const inner = normalizeIrcAllowlist(params.innerAllowFrom);
-  const outer = normalizeIrcAllowlist(params.outerAllowFrom);
-
-  if (inner.length > 0) {
-    return resolveIrcAllowlistMatch({
-      allowFrom: inner,
-      message: params.message,
-      allowNameMatching: params.allowNameMatching,
-    }).allowed;
-  }
-  if (outer.length > 0) {
-    return resolveIrcAllowlistMatch({
-      allowFrom: outer,
-      message: params.message,
-      allowNameMatching: params.allowNameMatching,
-    }).allowed;
-  }
-  return policy === "open";
-}
--- a/extensions/irc/src/runtime-api.ts
+++ b/extensions/irc/src/runtime-api.ts
@@ -24,11 +24,7 @@ export {
 } from "openclaw/plugin-sdk/channel-status";
 export { createChannelPairingController } from "openclaw/plugin-sdk/channel-pairing";
 export { createAccountStatusSink } from "openclaw/plugin-sdk/channel-lifecycle";
-export {
-  readStoreAllowFromForDmPolicy,
-  resolveEffectiveAllowFromLists,
-} from "openclaw/plugin-sdk/channel-policy";
-export { resolveControlCommandGate } from "openclaw/plugin-sdk/command-auth";
+export { resolveControlCommandGate } from "openclaw/plugin-sdk/command-auth-native";
 export { createChannelMessageReplyPipeline } from "openclaw/plugin-sdk/channel-message";
 export { chunkTextForOutbound } from "openclaw/plugin-sdk/text-chunking";
 export {