@openclaw/msteams 2026.3.11 → 2026.3.13

package/CHANGELOG.md

@@ -1,8 +1,21 @@
 # Changelog
 
+## 2026.3.13
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.12
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.3.11
 
 ### Changes
+
 - Version alignment with core OpenClaw release numbers.
 
 ## 2026.3.10

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.3.11",
+  "version": "2026.3.13",
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {

package/src/attachments/shared.test.ts

@@ -31,6 +31,23 @@ function mockFetchWithRedirect(redirectMap: Record<string, string>, finalBody =
   });
 }
 
+async function expectSafeFetchStatus(params: {
+  fetchMock: ReturnType<typeof vi.fn>;
+  url: string;
+  allowHosts: string[];
+  expectedStatus: number;
+  resolveFn?: typeof publicResolve;
+}) {
+  const res = await safeFetch({
+    url: params.url,
+    allowHosts: params.allowHosts,
+    fetchFn: params.fetchMock as unknown as typeof fetch,
+    resolveFn: params.resolveFn ?? publicResolve,
+  });
+  expect(res.status).toBe(params.expectedStatus);
+  return res;
+}
+
 describe("msteams attachment allowlists", () => {
   it("normalizes wildcard host lists", () => {
     expect(resolveAllowedHosts(["*", "graph.microsoft.com"])).toEqual(["*"]);
@@ -121,13 +138,12 @@ describe("safeFetch", () => {
     const fetchMock = vi.fn(async (_url: string, _init?: RequestInit) => {
       return new Response("ok", { status: 200 });
     });
-    const res = await safeFetch({
+    await expectSafeFetchStatus({
+      fetchMock,
       url: "https://teams.sharepoint.com/file.pdf",
       allowHosts: ["sharepoint.com"],
-      fetchFn: fetchMock as unknown as typeof fetch,
-      resolveFn: publicResolve,
+      expectedStatus: 200,
     });
-    expect(res.status).toBe(200);
     expect(fetchMock).toHaveBeenCalledOnce();
     // Should have used redirect: "manual"
     expect(fetchMock.mock.calls[0][1]).toHaveProperty("redirect", "manual");
@@ -137,13 +153,12 @@ describe("safeFetch", () => {
     const fetchMock = mockFetchWithRedirect({
       "https://teams.sharepoint.com/file.pdf": "https://cdn.sharepoint.com/storage/file.pdf",
     });
-    const res = await safeFetch({
+    await expectSafeFetchStatus({
+      fetchMock,
       url: "https://teams.sharepoint.com/file.pdf",
       allowHosts: ["sharepoint.com"],
-      fetchFn: fetchMock as unknown as typeof fetch,
-      resolveFn: publicResolve,
+      expectedStatus: 200,
     });
-    expect(res.status).toBe(200);
     expect(fetchMock).toHaveBeenCalledTimes(2);
   });
 

package/src/attachments.test.ts

@@ -88,14 +88,17 @@ function isUrlAllowedBySsrfPolicy(url: string, policy?: SsrFPolicy): boolean {
   );
 }
 
-const fetchRemoteMediaMock = vi.fn(async (params: RemoteMediaFetchParams) => {
+async function fetchRemoteMediaWithRedirects(
+  params: RemoteMediaFetchParams,
+  requestInit?: RequestInit,
+) {
   const fetchFn = params.fetchImpl ?? fetch;
   let currentUrl = params.url;
   for (let i = 0; i <= MAX_REDIRECT_HOPS; i += 1) {
     if (!isUrlAllowedBySsrfPolicy(currentUrl, params.ssrfPolicy)) {
       throw new Error(`Blocked hostname (not in allowlist): ${currentUrl}`);
     }
-    const res = await fetchFn(currentUrl, { redirect: "manual" });
+    const res = await fetchFn(currentUrl, { redirect: "manual", ...requestInit });
     if (REDIRECT_STATUS_CODES.includes(res.status)) {
       const location = res.headers.get("location");
       if (!location) {
@@ -107,6 +110,10 @@ const fetchRemoteMediaMock = vi.fn(async (params: RemoteMediaFetchParams) => {
     return readRemoteMediaResponse(res, params);
   }
   throw new Error("too many redirects");
+}
+
+const fetchRemoteMediaMock = vi.fn(async (params: RemoteMediaFetchParams) => {
+  return await fetchRemoteMediaWithRedirects(params);
 });
 
 const runtimeStub: PluginRuntime = createPluginRuntimeMock({
@@ -720,24 +727,9 @@ describe("msteams attachments", () => {
       });
 
       fetchRemoteMediaMock.mockImplementationOnce(async (params) => {
-        const fetchFn = params.fetchImpl ?? fetch;
-        let currentUrl = params.url;
-        for (let i = 0; i < MAX_REDIRECT_HOPS; i += 1) {
-          const res = await fetchFn(currentUrl, {
-            redirect: "manual",
-            dispatcher: {},
-          } as RequestInit);
-          if (REDIRECT_STATUS_CODES.includes(res.status)) {
-            const location = res.headers.get("location");
-            if (!location) {
-              throw new Error("redirect missing location");
-            }
-            currentUrl = new URL(location, currentUrl).toString();
-            continue;
-          }
-          return readRemoteMediaResponse(res, params);
-        }
-        throw new Error("too many redirects");
+        return await fetchRemoteMediaWithRedirects(params, {
+          dispatcher: {},
+        } as RequestInit);
       });
 
       const media = await downloadAttachmentsWithFetch(

package/src/channel.directory.test.ts

@@ -1,15 +1,10 @@
 import type { OpenClawConfig, RuntimeEnv } from "openclaw/plugin-sdk/msteams";
 import { describe, expect, it } from "vitest";
+import { createDirectoryTestRuntime, expectDirectorySurface } from "../../test-utils/directory.js";
 import { msteamsPlugin } from "./channel.js";
 
 describe("msteams directory", () => {
-  const runtimeEnv: RuntimeEnv = {
-    log: () => {},
-    error: () => {},
-    exit: (code: number): never => {
-      throw new Error(`exit ${code}`);
-    },
-  };
+  const runtimeEnv = createDirectoryTestRuntime() as RuntimeEnv;
 
   it("lists peers and groups from config", async () => {
     const cfg = {
@@ -29,12 +24,10 @@ describe("msteams directory", () => {
       },
     } as unknown as OpenClawConfig;
 
-    expect(msteamsPlugin.directory).toBeTruthy();
-    expect(msteamsPlugin.directory?.listPeers).toBeTruthy();
-    expect(msteamsPlugin.directory?.listGroups).toBeTruthy();
+    const directory = expectDirectorySurface(msteamsPlugin.directory);
 
     await expect(
-      msteamsPlugin.directory!.listPeers!({
+      directory.listPeers({
         cfg,
         query: undefined,
         limit: undefined,
@@ -50,7 +43,7 @@ describe("msteams directory", () => {
     );
 
     await expect(
-      msteamsPlugin.directory!.listGroups!({
+      directory.listGroups({
         cfg,
         query: undefined,
         limit: undefined,

package/src/graph-upload.test.ts

@@ -0,0 +1,101 @@
+import { describe, expect, it, vi } from "vitest";
+import { uploadToOneDrive, uploadToSharePoint } from "./graph-upload.js";
+
+describe("graph upload helpers", () => {
+  const tokenProvider = {
+    getAccessToken: vi.fn(async () => "graph-token"),
+  };
+
+  it("uploads to OneDrive with the personal drive path", async () => {
+    const fetchFn = vi.fn(
+      async () =>
+        new Response(
+          JSON.stringify({ id: "item-1", webUrl: "https://example.com/1", name: "a.txt" }),
+          {
+            status: 200,
+            headers: { "content-type": "application/json" },
+          },
+        ),
+    );
+
+    const result = await uploadToOneDrive({
+      buffer: Buffer.from("hello"),
+      filename: "a.txt",
+      tokenProvider,
+      fetchFn: fetchFn as typeof fetch,
+    });
+
+    expect(fetchFn).toHaveBeenCalledWith(
+      "https://graph.microsoft.com/v1.0/me/drive/root:/OpenClawShared/a.txt:/content",
+      expect.objectContaining({
+        method: "PUT",
+        headers: expect.objectContaining({
+          Authorization: "Bearer graph-token",
+          "Content-Type": "application/octet-stream",
+        }),
+      }),
+    );
+    expect(result).toEqual({
+      id: "item-1",
+      webUrl: "https://example.com/1",
+      name: "a.txt",
+    });
+  });
+
+  it("uploads to SharePoint with the site drive path", async () => {
+    const fetchFn = vi.fn(
+      async () =>
+        new Response(
+          JSON.stringify({ id: "item-2", webUrl: "https://example.com/2", name: "b.txt" }),
+          {
+            status: 200,
+            headers: { "content-type": "application/json" },
+          },
+        ),
+    );
+
+    const result = await uploadToSharePoint({
+      buffer: Buffer.from("world"),
+      filename: "b.txt",
+      siteId: "site-123",
+      tokenProvider,
+      fetchFn: fetchFn as typeof fetch,
+    });
+
+    expect(fetchFn).toHaveBeenCalledWith(
+      "https://graph.microsoft.com/v1.0/sites/site-123/drive/root:/OpenClawShared/b.txt:/content",
+      expect.objectContaining({
+        method: "PUT",
+        headers: expect.objectContaining({
+          Authorization: "Bearer graph-token",
+          "Content-Type": "application/octet-stream",
+        }),
+      }),
+    );
+    expect(result).toEqual({
+      id: "item-2",
+      webUrl: "https://example.com/2",
+      name: "b.txt",
+    });
+  });
+
+  it("rejects upload responses missing required fields", async () => {
+    const fetchFn = vi.fn(
+      async () =>
+        new Response(JSON.stringify({ id: "item-3" }), {
+          status: 200,
+          headers: { "content-type": "application/json" },
+        }),
+    );
+
+    await expect(
+      uploadToSharePoint({
+        buffer: Buffer.from("world"),
+        filename: "bad.txt",
+        siteId: "site-123",
+        tokenProvider,
+        fetchFn: fetchFn as typeof fetch,
+      }),
+    ).rejects.toThrow("SharePoint upload response missing required fields");
+  });
+});

package/src/graph-upload.ts

@@ -21,24 +21,34 @@ export interface OneDriveUploadResult {
   name: string;
 }
 
-/**
- * Upload a file to the user's OneDrive root folder.
- * For larger files, this uses the simple upload endpoint (up to 4MB).
- */
-export async function uploadToOneDrive(params: {
+function parseUploadedDriveItem(
+  data: { id?: string; webUrl?: string; name?: string },
+  label: "OneDrive" | "SharePoint",
+): OneDriveUploadResult {
+  if (!data.id || !data.webUrl || !data.name) {
+    throw new Error(`${label} upload response missing required fields`);
+  }
+
+  return {
+    id: data.id,
+    webUrl: data.webUrl,
+    name: data.name,
+  };
+}
+
+async function uploadDriveItem(params: {
   buffer: Buffer;
   filename: string;
   contentType?: string;
   tokenProvider: MSTeamsAccessTokenProvider;
   fetchFn?: typeof fetch;
+  url: string;
+  label: "OneDrive" | "SharePoint";
 }): Promise<OneDriveUploadResult> {
   const fetchFn = params.fetchFn ?? fetch;
   const token = await params.tokenProvider.getAccessToken(GRAPH_SCOPE);
 
-  // Use "OpenClawShared" folder to organize bot-uploaded files
-  const uploadPath = `/OpenClawShared/${encodeURIComponent(params.filename)}`;
-
-  const res = await fetchFn(`${GRAPH_ROOT}/me/drive/root:${uploadPath}:/content`, {
+  const res = await fetchFn(params.url, {
     method: "PUT",
     headers: {
       Authorization: `Bearer ${token}`,
@@ -49,24 +59,33 @@ export async function uploadToOneDrive(params: {
 
   if (!res.ok) {
     const body = await res.text().catch(() => "");
-    throw new Error(`OneDrive upload failed: ${res.status} ${res.statusText} - ${body}`);
+    throw new Error(`${params.label} upload failed: ${res.status} ${res.statusText} - ${body}`);
   }
 
-  const data = (await res.json()) as {
-    id?: string;
-    webUrl?: string;
-    name?: string;
-  };
-
-  if (!data.id || !data.webUrl || !data.name) {
-    throw new Error("OneDrive upload response missing required fields");
-  }
+  return parseUploadedDriveItem(
+    (await res.json()) as { id?: string; webUrl?: string; name?: string },
+    params.label,
+  );
+}
 
-  return {
-    id: data.id,
-    webUrl: data.webUrl,
-    name: data.name,
-  };
+/**
+ * Upload a file to the user's OneDrive root folder.
+ * For larger files, this uses the simple upload endpoint (up to 4MB).
+ */
+export async function uploadToOneDrive(params: {
+  buffer: Buffer;
+  filename: string;
+  contentType?: string;
+  tokenProvider: MSTeamsAccessTokenProvider;
+  fetchFn?: typeof fetch;
+}): Promise<OneDriveUploadResult> {
+  // Use "OpenClawShared" folder to organize bot-uploaded files
+  const uploadPath = `/OpenClawShared/${encodeURIComponent(params.filename)}`;
+  return await uploadDriveItem({
+    ...params,
+    url: `${GRAPH_ROOT}/me/drive/root:${uploadPath}:/content`,
+    label: "OneDrive",
+  });
 }
 
 export interface OneDriveSharingLink {
@@ -175,44 +194,13 @@ export async function uploadToSharePoint(params: {
   siteId: string;
   fetchFn?: typeof fetch;
 }): Promise<OneDriveUploadResult> {
-  const fetchFn = params.fetchFn ?? fetch;
-  const token = await params.tokenProvider.getAccessToken(GRAPH_SCOPE);
-
   // Use "OpenClawShared" folder to organize bot-uploaded files
   const uploadPath = `/OpenClawShared/${encodeURIComponent(params.filename)}`;
-
-  const res = await fetchFn(
-    `${GRAPH_ROOT}/sites/${params.siteId}/drive/root:${uploadPath}:/content`,
-    {
-      method: "PUT",
-      headers: {
-        Authorization: `Bearer ${token}`,
-        "Content-Type": params.contentType ?? "application/octet-stream",
-      },
-      body: new Uint8Array(params.buffer),
-    },
-  );
-
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`SharePoint upload failed: ${res.status} ${res.statusText} - ${body}`);
-  }
-
-  const data = (await res.json()) as {
-    id?: string;
-    webUrl?: string;
-    name?: string;
-  };
-
-  if (!data.id || !data.webUrl || !data.name) {
-    throw new Error("SharePoint upload response missing required fields");
-  }
-
-  return {
-    id: data.id,
-    webUrl: data.webUrl,
-    name: data.name,
-  };
+  return await uploadDriveItem({
+    ...params,
+    url: `${GRAPH_ROOT}/sites/${params.siteId}/drive/root:${uploadPath}:/content`,
+    label: "SharePoint",
+  });
 }
 
 export interface ChatMember {

package/src/messenger.test.ts

@@ -139,6 +139,22 @@ describe("msteams messenger", () => {
   });
 
   describe("sendMSTeamsMessages", () => {
+    function createRevokedThreadContext(params?: { failAfterAttempt?: number; sent?: string[] }) {
+      let attempt = 0;
+      return {
+        sendActivity: async (activity: unknown) => {
+          const { text } = activity as { text?: string };
+          const content = text ?? "";
+          attempt += 1;
+          if (params?.failAfterAttempt && attempt < params.failAfterAttempt) {
+            params.sent?.push(content);
+            return { id: `id:${content}` };
+          }
+          throw new TypeError(REVOCATION_ERROR);
+        },
+      };
+    }
+
     const baseRef: StoredConversationReference = {
       activityId: "activity123",
       user: { id: "user123", name: "User" },
@@ -305,13 +321,7 @@ describe("msteams messenger", () => {
 
     it("falls back to proactive messaging when thread context is revoked", async () => {
       const proactiveSent: string[] = [];
-
-      const ctx = {
-        sendActivity: async () => {
-          throw new TypeError(REVOCATION_ERROR);
-        },
-      };
-
+      const ctx = createRevokedThreadContext();
       const adapter = createFallbackAdapter(proactiveSent);
 
       const ids = await sendMSTeamsMessages({
@@ -331,21 +341,7 @@ describe("msteams messenger", () => {
     it("falls back only for remaining thread messages after context revocation", async () => {
       const threadSent: string[] = [];
       const proactiveSent: string[] = [];
-      let attempt = 0;
-
-      const ctx = {
-        sendActivity: async (activity: unknown) => {
-          const { text } = activity as { text?: string };
-          const content = text ?? "";
-          attempt += 1;
-          if (attempt === 1) {
-            threadSent.push(content);
-            return { id: `id:${content}` };
-          }
-          throw new TypeError(REVOCATION_ERROR);
-        },
-      };
-
+      const ctx = createRevokedThreadContext({ failAfterAttempt: 2, sent: threadSent });
       const adapter = createFallbackAdapter(proactiveSent);
 
       const ids = await sendMSTeamsMessages({

package/src/monitor-handler/message-handler.ts

@@ -9,7 +9,7 @@ import {
   evaluateSenderGroupAccessForPolicy,
   resolveSenderScopedGroupPolicy,
   recordPendingHistoryEntryIfEnabled,
-  resolveControlCommandGate,
+  resolveDualTextControlCommandGate,
   resolveDefaultGroupPolicy,
   isDangerousNameMatchingEnabled,
   readStoreAllowFromForDmPolicy,
@@ -175,6 +175,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       teamName,
       conversationId,
       channelName,
+      allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg),
     });
     const senderGroupPolicy = resolveSenderScopedGroupPolicy({
       groupPolicy,
@@ -296,18 +297,15 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       senderName,
       allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg),
     });
-    const hasControlCommandInMessage = core.channel.text.hasControlCommand(text, cfg);
-    const commandGate = resolveControlCommandGate({
+    const { commandAuthorized, shouldBlock } = resolveDualTextControlCommandGate({
       useAccessGroups,
-      authorizers: [
-        { configured: commandDmAllowFrom.length > 0, allowed: ownerAllowedForCommands },
-        { configured: effectiveGroupAllowFrom.length > 0, allowed: groupAllowedForCommands },
-      ],
-      allowTextCommands: true,
-      hasControlCommand: hasControlCommandInMessage,
+      primaryConfigured: commandDmAllowFrom.length > 0,
+      primaryAllowed: ownerAllowedForCommands,
+      secondaryConfigured: effectiveGroupAllowFrom.length > 0,
+      secondaryAllowed: groupAllowedForCommands,
+      hasControlCommand: core.channel.text.hasControlCommand(text, cfg),
     });
-    const commandAuthorized = commandGate.commandAuthorized;
-    if (commandGate.shouldBlock) {
+    if (shouldBlock) {
       logInboundDrop({
         log: logVerboseMessage,
         channel: "msteams",

package/src/monitor-handler.file-consent.test.ts

@@ -123,6 +123,26 @@ function createInvokeContext(params: {
   };
 }
 
+function createConsentInvokeHarness(params: {
+  pendingConversationId?: string;
+  invokeConversationId: string;
+  action: "accept" | "decline";
+}) {
+  const uploadId = storePendingUpload({
+    buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
+    filename: "secret.txt",
+    contentType: "text/plain",
+    conversationId: params.pendingConversationId ?? "19:victim@thread.v2",
+  });
+  const handler = registerMSTeamsHandlers(createActivityHandler(), createDeps());
+  const { context, sendActivity } = createInvokeContext({
+    conversationId: params.invokeConversationId,
+    uploadId,
+    action: params.action,
+  });
+  return { uploadId, handler, context, sendActivity };
+}
+
 describe("msteams file consent invoke authz", () => {
   beforeEach(() => {
     setMSTeamsRuntime(runtimeStub);
@@ -132,17 +152,8 @@ describe("msteams file consent invoke authz", () => {
   });
 
   it("uploads when invoke conversation matches pending upload conversation", async () => {
-    const uploadId = storePendingUpload({
-      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
-      filename: "secret.txt",
-      contentType: "text/plain",
-      conversationId: "19:victim@thread.v2",
-    });
-    const deps = createDeps();
-    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
-    const { context, sendActivity } = createInvokeContext({
-      conversationId: "19:victim@thread.v2;messageid=abc123",
-      uploadId,
+    const { uploadId, handler, context, sendActivity } = createConsentInvokeHarness({
+      invokeConversationId: "19:victim@thread.v2;messageid=abc123",
       action: "accept",
     });
 
@@ -166,17 +177,8 @@ describe("msteams file consent invoke authz", () => {
   });
 
   it("rejects cross-conversation accept invoke and keeps pending upload", async () => {
-    const uploadId = storePendingUpload({
-      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
-      filename: "secret.txt",
-      contentType: "text/plain",
-      conversationId: "19:victim@thread.v2",
-    });
-    const deps = createDeps();
-    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
-    const { context, sendActivity } = createInvokeContext({
-      conversationId: "19:attacker@thread.v2",
-      uploadId,
+    const { uploadId, handler, context, sendActivity } = createConsentInvokeHarness({
+      invokeConversationId: "19:attacker@thread.v2",
       action: "accept",
     });
 
@@ -198,17 +200,8 @@ describe("msteams file consent invoke authz", () => {
   });
 
   it("ignores cross-conversation decline invoke and keeps pending upload", async () => {
-    const uploadId = storePendingUpload({
-      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
-      filename: "secret.txt",
-      contentType: "text/plain",
-      conversationId: "19:victim@thread.v2",
-    });
-    const deps = createDeps();
-    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
-    const { context, sendActivity } = createInvokeContext({
-      conversationId: "19:attacker@thread.v2",
-      uploadId,
+    const { uploadId, handler, context, sendActivity } = createConsentInvokeHarness({
+      invokeConversationId: "19:attacker@thread.v2",
       action: "decline",
     });
 

package/src/policy.test.ts

@@ -6,6 +6,27 @@ import {
   resolveMSTeamsRouteConfig,
 } from "./policy.js";
 
+function resolveNamedTeamRouteConfig(allowNameMatching = false) {
+  const cfg: MSTeamsConfig = {
+    teams: {
+      "My Team": {
+        requireMention: true,
+        channels: {
+          "General Chat": { requireMention: false },
+        },
+      },
+    },
+  };
+
+  return resolveMSTeamsRouteConfig({
+    cfg,
+    teamName: "My Team",
+    channelName: "General Chat",
+    conversationId: "ignored",
+    allowNameMatching,
+  });
+}
+
 describe("msteams policy", () => {
   describe("resolveMSTeamsRouteConfig", () => {
     it("returns team and channel config when present", () => {
@@ -50,24 +71,16 @@ describe("msteams policy", () => {
       expect(res.allowed).toBe(false);
     });
 
-    it("matches team and channel by name", () => {
-      const cfg: MSTeamsConfig = {
-        teams: {
-          "My Team": {
-            requireMention: true,
-            channels: {
-              "General Chat": { requireMention: false },
-            },
-          },
-        },
-      };
+    it("blocks team and channel name matches by default", () => {
+      const res = resolveNamedTeamRouteConfig();
 
-      const res = resolveMSTeamsRouteConfig({
-        cfg,
-        teamName: "My Team",
-        channelName: "General Chat",
-        conversationId: "ignored",
-      });
+      expect(res.teamConfig).toBeUndefined();
+      expect(res.channelConfig).toBeUndefined();
+      expect(res.allowed).toBe(false);
+    });
+
+    it("matches team and channel by name when dangerous name matching is enabled", () => {
+      const res = resolveNamedTeamRouteConfig(true);
 
       expect(res.teamConfig?.requireMention).toBe(true);
       expect(res.channelConfig?.requireMention).toBe(false);

package/src/policy.ts

@@ -16,6 +16,7 @@ import {
   resolveToolsBySender,
   resolveChannelEntryMatchWithFallback,
   resolveNestedAllowlistDecision,
+  isDangerousNameMatchingEnabled,
 } from "openclaw/plugin-sdk/msteams";
 
 export type MSTeamsResolvedRouteConfig = {
@@ -35,6 +36,7 @@ export function resolveMSTeamsRouteConfig(params: {
   teamName?: string | null | undefined;
   conversationId?: string | null | undefined;
   channelName?: string | null | undefined;
+  allowNameMatching?: boolean;
 }): MSTeamsResolvedRouteConfig {
   const teamId = params.teamId?.trim();
   const teamName = params.teamName?.trim();
@@ -44,8 +46,8 @@ export function resolveMSTeamsRouteConfig(params: {
   const allowlistConfigured = Object.keys(teams).length > 0;
   const teamCandidates = buildChannelKeyCandidates(
     teamId,
-    teamName,
-    teamName ? normalizeChannelSlug(teamName) : undefined,
+    params.allowNameMatching ? teamName : undefined,
+    params.allowNameMatching && teamName ? normalizeChannelSlug(teamName) : undefined,
   );
   const teamMatch = resolveChannelEntryMatchWithFallback({
     entries: teams,
@@ -58,8 +60,8 @@ export function resolveMSTeamsRouteConfig(params: {
   const channelAllowlistConfigured = Object.keys(channels).length > 0;
   const channelCandidates = buildChannelKeyCandidates(
     conversationId,
-    channelName,
-    channelName ? normalizeChannelSlug(channelName) : undefined,
+    params.allowNameMatching ? channelName : undefined,
+    params.allowNameMatching && channelName ? normalizeChannelSlug(channelName) : undefined,
   );
   const channelMatch = resolveChannelEntryMatchWithFallback({
     entries: channels,
@@ -101,6 +103,7 @@ export function resolveMSTeamsGroupToolPolicy(
   const groupId = params.groupId?.trim();
   const groupChannel = params.groupChannel?.trim();
   const groupSpace = params.groupSpace?.trim();
+  const allowNameMatching = isDangerousNameMatchingEnabled(cfg);
 
   const resolved = resolveMSTeamsRouteConfig({
     cfg,
@@ -108,6 +111,7 @@ export function resolveMSTeamsGroupToolPolicy(
     teamName: groupSpace,
     conversationId: groupId,
     channelName: groupChannel,
+    allowNameMatching,
   });
 
   if (resolved.channelConfig) {
@@ -158,8 +162,8 @@ export function resolveMSTeamsGroupToolPolicy(
 
   const channelCandidates = buildChannelKeyCandidates(
     groupId,
-    groupChannel,
-    groupChannel ? normalizeChannelSlug(groupChannel) : undefined,
+    allowNameMatching ? groupChannel : undefined,
+    allowNameMatching && groupChannel ? normalizeChannelSlug(groupChannel) : undefined,
   );
   for (const teamConfig of Object.values(cfg.teams ?? {})) {
     const match = resolveChannelEntryMatchWithFallback({