fix(mattermost): prevent DM replies from creating threads

[vincentkoc]

Summary

• Repair the existing replacement path in fix(mattermost): prevent DM replies from creating threads #72305 for Mattermost DM replies creating thread roots.
• Direct-message replies should not send a Mattermost root_id, while non-DM thread replies must keep using the correct thread root.
• Keep the patch scoped to monitor routing, focused tests, and the existing changelog entry.

Credit

This carries forward the useful fix path from @jwchmodx in #60115 and preserves related context from #55186, #59758, #59981, #59791, and #57565.

Review/Validation

• Address or prove non-actionable the Greptile P2 about canFinalizeMattermostPreviewInPlace not forwarding kind.
• Run pnpm -s vitest run extensions/mattermost/src/mattermost/monitor.test.ts.
• Run pnpm check:changed.
• Run Codex /review and address every finding before merge.

ProjectClownfish replacement details:

• Cluster: ghcrawl-156602-autonomous-smoke
• Source PRs: fix(mattermost): prevent DM replies from threading via resolveMattermostReplyRootId #60115, fix(mattermost): restore threadRootId priority in thread replies #55186, fix(mattermost): prioritize threadRootId over kind===direct for DM thread replies [fixes #59758] #59791
• Credit: Credit @jwchmodx for the narrow fix(mattermost): prevent DM replies from threading via resolveMattermostReplyRootId #60115 fix path: fix(mattermost): prevent DM replies from threading via resolveMattermostReplyRootId #60115.; Credit @hnykda for fix(mattermost): restore threadRootId priority in thread replies #55186 threadRootId priority context: fix(mattermost): restore threadRootId priority in thread replies #55186.; Mention related prior report/attempt context from Mattermost DM replies go to new Thread instead of main channel #59758, [Bug]:Mattermost: DM replies thread despite replyToMode "off" (docs say DMs stay non-threaded) #59981, fix(mattermost): prioritize threadRootId over kind===direct for DM thread replies [fixes #59758] #59791, and fix(mattermost): route thread replies correctly when replyToMode is off #57565 without treating the broader branches as merged.
• Validation: pnpm -s vitest run extensions/mattermost/src/mattermost/monitor.test.ts; pnpm check:changed

[greptile-apps]

Greptile Summary

This PR fixes a bug where Mattermost DM replies could create thread roots by passing a root_id to the API. The fix adds a kind: ChatType parameter to resolveMattermostReplyRootId, canFinalizeMattermostPreviewInPlace, and deliverMattermostReplyWithDraftPreview, and moves the kind === "direct" early-return in resolveMattermostEffectiveReplyToId to before the threadRootId check so that existing thread context on a DM channel is properly suppressed. All three call sites in monitorMattermostProvider are updated, and the new test cases cover the DM suppression path for both functions and the preview finalization check.

Confidence Score: 5/5

This PR is safe to merge; the fix is narrow, well-tested, and all call sites are updated consistently.

No P0 or P1 issues found. The logic change is correct: moving the kind === 'direct' early-return before the threadRootId check in resolveMattermostEffectiveReplyToId closes the regression, and kind is forwarded at every call site of the two affected public functions. New tests cover the DM suppression path in both resolveMattermostReplyRootId and resolveMattermostEffectiveReplyToId, and the canFinalizeMattermostPreviewInPlace DM case.

No files require special attention.

_{Reviews (2): Last reviewed commit: "fix(mattermost): prevent DM replies from..." | Re-trigger Greptile}

[vincentkoc]

ProjectClownfish could not safely update this branch, so it opened a narrow replacement PR instead.

Replacement PR: #72659
Source PR: #72659
Contributor credit is preserved in the replacement PR body and changelog plan.

[vincentkoc]

ProjectClownfish pushed a narrow repair to this branch so the original contributor path can stay canonical.

Source PR: #72659
Validation: pnpm check:changed
Contributor credit is preserved in the branch history and PR context.

[aisle-research-bot]

🔒 Aisle Security Analysis

We found 1 potential security issue(s) in this PR:

#	Severity	Title
1	🟠 High	DM access control bypass via fallback-to-channel when Mattermost channel lookup fails

1. 🟠 DM access control bypass via fallback-to-channel when Mattermost channel lookup fails

Property	Value
Severity	High
CWE	CWE-284
Location	extensions/mattermost/src/mattermost/monitor.ts:1222-1250

Description

Inbound message kind is now derived solely from resolveChannelInfo(channelId) (Mattermost REST lookup) via resolveMattermostTrustedChatKind({ channelType: channelInfo?.type }).

If resolveChannelInfo fails (network error, permission issue, transient Mattermost outage), it returns null and caches that null for 5 minutes. In that case resolveMattermostTrustedChatKind defaults kind to "channel".

Security impact:

• DM/group/channel policies and allowlists are enforced based on kind (isGroup: kind !== "direct").
• If a direct message is misclassified as "channel", DM-specific controls (e.g. dmPolicy: "pairing" / "disabled") are not applied and the message is evaluated under the group/channel policy instead.
• In configurations where group policy is more permissive than DM policy (e.g. groupPolicy/open or an allowlist that doesn’t apply as intended), an attacker can potentially send unsolicited DMs during REST lookup failures and have them processed.

This is a trust-boundary regression because the prior code used the websocket event’s payload.data.channel_type as a fallback when REST lookup was unavailable.

Vulnerable code:

const channelInfo = await resolveChannelInfo(channelId);
const kind = resolveMattermostTrustedChatKind({
  channelType: channelInfo?.type,
});
...
const accessDecision = resolveDmGroupAccessWithLists({
  isGroup: kind !== "direct",
  dmPolicy,
  groupPolicy,
  ...
});

Recommendation

Ensure that inability to resolve the channel type cannot cause a direct message to be treated as a channel/group.

Recommended options (choose one):

1. Fail closed when channel type is unknown for inbound posts:

const channelInfo = await resolveChannelInfo(channelId);
const channelType = channelInfo?.type?.trim();
if (!channelType) {
  logVerboseMessage(`mattermost: drop post (cannot resolve channel type for ${channelId})`);
  return;
}
const kind = mapMattermostChannelTypeToChatType(channelType);

2. Restore a safe fallback to the websocket payload for classification only (if you still consider it sufficiently trustworthy), but still prefer REST lookup:

const channelType = channelInfo?.type ?? payload.data?.channel_type;
const kind = resolveMattermostTrustedChatKind({
  channelType,
  ​// optionally: fallback: "channel" (explicit)
});

Also consider not caching null lookups for as long (or caching with a shorter TTL) to reduce the window where misclassification can occur during transient errors.

---

Analyzed PR: #72659 at commit 47ee191

_{Last updated on: 2026-04-27T09:36:31Z}

[vincentkoc]

ProjectClownfish pushed a narrow repair to this branch so the original contributor path can stay canonical.

Source PR: #72659
Validation: pnpm check:changed
Contributor credit is preserved in the branch history and PR context.