TCHAP: fix external detection for prod HS #1598

Open
thistehneisen wants to merge 1 commit into tchapgouv:develop_tchap from thistehneisen:fix-external-detection-prod-domain
@thistehneisen
Fix: external-user detection in invite flow misses the production external homeserver

Summary

InviteDialog.doesTargetsContainsExternal() decides whether selected invite
targets include an external user. That decision drives the entire
external-invite safeguard introduced in the new invite flow (PR #1565):

  • showing the "this room will become accessible to external users
    irreversible" confirmation modal, and
  • sending the m.room.accessRulesUnrestricted state event so the room is
    correctly classified as containing external participants.

The external check used a hardcoded domain list:

["externe.tchap.gouv.fr", "e.tchap.gouv.fr", "ext01.tchap.incubateur.net"].includes(hs)

This list does not contain the production external homeserver domain.
Per config.prod.json (and config.prod.lab.json) the external homeserver is:

"base_url": "https://matrix.agent.externe.tchap.gouv.fr",
"server_name": "Externes"

so production external accounts are @user:agent.externe.tchap.gouv.fr. The
match is an exact Array.includes, and "agent.externe.tchap.gouv.fr" is not
in the list (the list has externe.tchap.gouv.fr with no agent. prefix, plus
the preprod and dev domains).

Impact

In production, inviting an existing external user by Matrix ID / directory
pick (a resolved user — not a ThreepidMember, display name is not an email)
into a Restricted internal-only room is not detected as external.
Consequently:

  • the "accessible to external / irreversible" confirmation is never shown, and
  • the room's access-rule classification is never updated.

Internal members lose the signal that an external party is present in the room —
the exact internal/external segregation guarantee Tchap is built around.

Fix

Derive the external homeserver domain(s) from the runtime config instead of
a hardcoded list. A new helper TchapUtils.getExternalHomeServerDomains()
returns the MXID domain(s) of the homeserver_list entries whose server_name
contains "Externes", by stripping the scheme and the leading matrix. label
from base_url.

This stays correct across every environment without code changes:

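| env     | base_url                                   | derived domain              |
|---------|--------------------------------------------|-----------------------------|
| prod    | https://matrix.agent.externe.tchap.gouv.fr | agent.externe.tchap.gouv.fr |
| preprod | https://matrix.e.tchap.gouv.fr             | e.tchap.gouv.fr             |
| dev     | https://matrix.ext01.tchap.incubateur.net  | ext01.tchap.incubateur.net  |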

InviteDialog.doesTargetsContainsExternal() now uses that helper. The stray
console.log("in doesTargetsContainsExternal member", m) (which leaked member
objects to the browser console) was also removed.

Changes

  • src/tchap/util/TchapUtils.ts — add getExternalHomeServerDomains().
  • src/components/views/dialogs/InviteDialog.tsx — use config-derived domains;
    remove debug console.log.

Nils Putnins / OffSeq Cybersecurity
npu@offseq.com / https://offseq.com / https://radar.offseq.com

doesTargetsContainsExternal used a hardcoded domain list that omitted the
production external homeserver (agent.externe.tchap.gouv.fr), so inviting a
production external user by Matrix ID into a Restricted room did not trigger
the external-access warning or the accessRules update.

Derive the external homeserver domain(s) from the runtime config
(homeserver_list entries whose server_name contains "Externes") via the new
TchapUtils.getExternalHomeServerDomains() helper, so detection stays correct
across prod/preprod/dev. Also remove a debug console.log that leaked member
objects to the console.
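
Added example (TypeScript, not the code from this pull request): the hardcoded list quoted in the description next to a config-derived check of the kind the PR describes, so the production miss can be reproduced and regression-tested. The function names, the constructed config objects and the internal placeholder entry are assumptions; only the hardcoded list and the external base_url values come from the page.

```typescript
interface HomeServerEntry { base_url: string; server_name: string }

// List quoted in the PR description (the "before" behaviour).
const HARDCODED = ["externe.tchap.gouv.fr", "e.tchap.gouv.fr", "ext01.tchap.incubateur.net"];

// Constructed configs: external base_url values are the ones in the PR's table;
// the internal entry is a placeholder, not a real Tchap homeserver.
const INTERNAL: HomeServerEntry = { base_url: "https://matrix.internal.example", server_name: "Interne (placeholder)" };
const PROD = [INTERNAL, { base_url: "https://matrix.agent.externe.tchap.gouv.fr", server_name: "Externes" }];
const PREPROD = [INTERNAL, { base_url: "https://matrix.e.tchap.gouv.fr", server_name: "Externes" }];
const DEV = [INTERNAL, { base_url: "https://matrix.ext01.tchap.incubateur.net", server_name: "Externes" }];

// Strip the scheme and the leading "matrix." label, as the PR describes.
function domainFromBaseUrl(baseUrl: string): string | null {
    const m = /^https?:\/\/([^\/:?#]+)/i.exec(baseUrl.trim());
    if (m === null) return null; // malformed entry: contributes no domain
    const domain = m[1].toLowerCase().replace(/^matrix\./, "");
    return domain.length > 0 ? domain : null;
}

// MXID domains of every entry whose server_name contains "Externes".
function externalDomains(list: HomeServerEntry[]): string[] {
    const out: string[] = [];
    list.forEach((hs) => {
        if (hs.server_name.indexOf("Externes") === -1) return;
        const d = domainFromBaseUrl(hs.base_url);
        if (d !== null && out.indexOf(d) === -1) out.push(d);
    });
    return out;
}

// "@localpart:domain": the localpart cannot contain ":", so split at the first one.
function mxidDomain(userId: string): string | null {
    const i = userId.indexOf(":");
    return userId.charAt(0) === "@" && i > 0 ? userId.slice(i + 1).toLowerCase() : null;
}

function isExternalHardcoded(userId: string): boolean {
    const d = mxidDomain(userId);
    return d !== null && HARDCODED.indexOf(d) !== -1;
}

function isExternalFromConfig(userId: string, list: HomeServerEntry[]): boolean {
    const d = mxidDomain(userId);
    return d !== null && externalDomains(list).indexOf(d) !== -1;
}
```

A unit test that feeds each environment's config through the check catches this class of drift whenever a homeserver domain is added or renamed.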