fix(synology-chat): land @bmendonca3 fail-closed allowlist follow-up (#25827)

Carry fail-closed empty-allowlist guard clarity and changelog attribution for PR #25827.

Co-authored-by: Brian Mendonca <brianmendonca@Brians-MacBook-Air.local>
Peter Steinberger
2026-02-25 01:19:43 +00:00
parent 0078070680
commit 7dfac70185
3 changed files with 3 additions and 2 deletions


@@ -30,7 +30,7 @@ describe("validateToken", () => {
});
describe("checkUserAllowed", () => {
it("rejects user when allowlist is empty", () => {
it("rejects all users when allowlist is empty", () => {
expect(checkUserAllowed("user1", [])).toBe(false);
});


@@ -29,6 +29,7 @@ export function validateToken(received: string, expected: string): boolean {
* Allowlist mode must be explicit; empty lists should not match any user.
*/
export function checkUserAllowed(userId: string, allowedUserIds: string[]): boolean {
if (allowedUserIds.length === 0) return false;
return allowedUserIds.includes(userId);
}
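Review bot: The added `allowedUserIds.length === 0` guard in checkUserAllowed only fails closed for a truly empty array; a list holding one blank entry (what `"".split(",")` yields) has length 1 and would match an empty `userId`. How the allowlist is parsed is not visible in this hunk, so this may already be filtered upstream, but rejecting a blank id here is cheap: `if (!userId || allowedUserIds.length === 0) return false;`. A case such as `expect(checkUserAllowed("", [""])).toBe(false);` beside the empty-allowlist test would pin it. The doc comment for checkUserAllowed begins above the hunk, so any wording change to it would need the full comment in view.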