fix: require team membership for delegated session creation

chyuen-devsentient · chyuen-devsentient · commit fde4234de050 · 2026-02-10T21:51:57.000Z
Non-team-members who mention both @kaji and @owner could create delegated sessions. Now only teammates (added via !team add) can initiate delegation. Non-team-members are silently ignored. Bump version to 0.3.95
diff --git a/.opencode/plugin/mattermost-control/tools/connect.ts b/.opencode/plugin/mattermost-control/tools/connect.ts
@@ -530,8 +530,14 @@ function setupWebSocketListeners(
           }
           
           // Non-owner mentioned bot - only allow delegated session creation
-          // They MUST also mention the session owner (e.g., "@kaji @christine fix this")
+          // They MUST be a team member AND mention the session owner
+          // e.g., "@kaji @christine fix this"
           // Just mentioning @kaji alone does nothing for non-owners
+          if (!isTeamMember) {
+            log.debug(`[Channel] Non-team-member @mentioned bot in unmapped thread - ignoring (channel: ${channel.id})`);
+            return;
+          }
+          
           if (ownerUserId && botUser) {
             const mentionedUsers = sessionOwnershipHandler.detectMentionedUsers(
               postData.message,
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "opencode-mattermost-control",
-  "version": "0.3.94",
+  "version": "0.3.95",
   "description": "OpenCode plugin for remote control via Mattermost DMs",
   "type": "module",
   "main": ".opencode/plugin/mattermost-control/index.ts",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "opencode-mattermost-control",`
`3`		`- "version": "0.3.94",`
	`3`	`+ "version": "0.3.95",`
`4`	`4`	`"description": "OpenCode plugin for remote control via Mattermost DMs",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": ".opencode/plugin/mattermost-control/index.ts",`