fix(routing): require ids for slack and msteams allowlists

src/slack/monitor/auth.ts

@@ -256,6 +256,7 @@ export async function authorizeSlackSystemEventSender(params: {
       channels: params.ctx.channelsConfig,
       channelKeys: params.ctx.channelsConfigKeys,
       defaultRequireMention: params.ctx.defaultRequireMention,
+      allowNameMatching: params.ctx.allowNameMatching,
     });
     const channelUsersAllowlistConfigured =
       Array.isArray(channelConfig?.users) && channelConfig.users.length > 0;

src/slack/monitor/channel-config.ts

@@ -91,8 +91,16 @@ export function resolveSlackChannelConfig(params: {
   channels?: SlackChannelConfigEntries;
   channelKeys?: string[];
   defaultRequireMention?: boolean;
+  allowNameMatching?: boolean;
 }): SlackChannelConfigResolved | null {
-  const { channelId, channelName, channels, channelKeys, defaultRequireMention } = params;
+  const {
+    channelId,
+    channelName,
+    channels,
+    channelKeys,
+    defaultRequireMention,
+    allowNameMatching,
+  } = params;
   const entries = channels ?? {};
   const keys = channelKeys ?? Object.keys(entries);
   const normalizedName = channelName ? normalizeSlackSlug(channelName) : "";
@@ -107,9 +115,9 @@ export function resolveSlackChannelConfig(params: {
     channelId,
     channelIdLower !== channelId ? channelIdLower : undefined,
     channelIdUpper !== channelId ? channelIdUpper : undefined,
-    channelName ? `#${directName}` : undefined,
-    directName,
-    normalizedName,
+    allowNameMatching ? (channelName ? `#${directName}` : undefined) : undefined,
+    allowNameMatching ? directName : undefined,
+    allowNameMatching ? normalizedName : undefined,
   );
   const match = resolveChannelEntryMatchWithFallback({
     entries,

src/slack/monitor/context.ts

@@ -324,6 +324,7 @@ export function createSlackMonitorContext(params: {
         channels: params.channelsConfig,
         channelKeys: channelsConfigKeys,
         defaultRequireMention,
+        allowNameMatching: params.allowNameMatching,
       });
       const channelMatchMeta = formatAllowlistMatchMeta(channelConfig);
       const channelAllowed = channelConfig?.allowed !== false;

src/slack/monitor/message-handler/prepare.ts

@@ -144,6 +144,7 @@ async function resolveSlackConversationContext(params: {
         channels: ctx.channelsConfig,
         channelKeys: ctx.channelsConfigKeys,
         defaultRequireMention: ctx.defaultRequireMention,
+        allowNameMatching: ctx.allowNameMatching,
       })
     : null;
   const allowBots =

src/slack/monitor/monitor.test.ts

@@ -81,6 +81,32 @@ describe("resolveSlackChannelConfig", () => {
     });
     expect(res).toMatchObject({ allowed: true, requireMention: false });
   });
+
+  it("blocks channel-name route matches by default", () => {
+    const res = resolveSlackChannelConfig({
+      channelId: "C1",
+      channelName: "ops-room",
+      channels: { "ops-room": { allow: true, requireMention: false } },
+      defaultRequireMention: true,
+    });
+    expect(res).toMatchObject({ allowed: false, requireMention: true });
+  });
+
+  it("allows channel-name route matches when dangerous name matching is enabled", () => {
+    const res = resolveSlackChannelConfig({
+      channelId: "C1",
+      channelName: "ops-room",
+      channels: { "ops-room": { allow: true, requireMention: false } },
+      defaultRequireMention: true,
+      allowNameMatching: true,
+    });
+    expect(res).toMatchObject({
+      allowed: true,
+      requireMention: false,
+      matchKey: "ops-room",
+      matchSource: "direct",
+    });
+  });
 });
 
 const baseParams = () => ({

src/slack/monitor/slash.ts

@@ -404,6 +404,7 @@ export async function registerSlackMonitorSlashCommands(params: {
           channels: ctx.channelsConfig,
           channelKeys: ctx.channelsConfigKeys,
           defaultRequireMention: ctx.defaultRequireMention,
+          allowNameMatching: ctx.allowNameMatching,
         });
         if (ctx.useAccessGroups) {
           const channelAllowlistConfigured = (ctx.channelsConfigKeys?.length ?? 0) > 0;