openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/mattermost/src/channel.ts‎
Lines changed: 3 additions & 57 deletions b/‎extensions/mattermost/src/channel.ts‎
Lines changed: 3 additions & 57 deletions
diff --git a/‎extensions/mattermost/src/config-schema.ts‎
Lines changed: 1 addition & 0 deletions b/‎extensions/mattermost/src/config-schema.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/mattermost/src/mattermost/interactions.test.ts‎
Lines changed: 184 additions & 2 deletions b/‎extensions/mattermost/src/mattermost/interactions.test.ts‎
Lines changed: 184 additions & 2 deletions
@@ -30,6 +30,7 @@ Docs: https://docs.openclaw.ai
 - Docs/Web search: remove outdated Brave free-tier wording and replace prescriptive AI ToS guidance with neutral compliance language in Brave setup docs. (#26860) Thanks @HenryLoenwind.
 - Config/Compaction safeguard tuning: expose `agents.defaults.compaction.recentTurnsPreserve` and quality-guard retry knobs through the validated config surface and embedded-runner wiring, with regression coverage for real config loading and schema metadata. (#25557) thanks @rodrigouroz.
 - iOS/App Store Connect release prep: align iOS bundle identifiers under `ai.openclaw.client`, refresh Watch app icons, add Fastlane metadata/screenshot automation, and support Keychain-backed ASC auth for uploads. (#38936) Thanks @ngutman.
+- Mattermost/model picker: add Telegram-style interactive provider/model browsing for `/oc_model` and `/oc_models`, fix picker callback updates, and emit a normal confirmation reply when a model is selected. (#38767) thanks @mukhtharcm.
 
 ### Breaking
 
 
@@ -26,21 +26,14 @@ import {
   listMattermostDirectoryGroups,
   listMattermostDirectoryPeers,
 } from "./mattermost/directory.js";
-import {
-  buildButtonAttachments,
-  resolveInteractionCallbackUrl,
-  setInteractionSecret,
-} from "./mattermost/interactions.js";
 import { monitorMattermostProvider } from "./mattermost/monitor.js";
 import { probeMattermost } from "./mattermost/probe.js";
 import { addMattermostReaction, removeMattermostReaction } from "./mattermost/reactions.js";
-import { resolveMattermostSendChannelId, sendMessageMattermost } from "./mattermost/send.js";
+import { sendMessageMattermost } from "./mattermost/send.js";
 import { looksLikeMattermostTargetId, normalizeMattermostMessagingTarget } from "./normalize.js";
 import { mattermostOnboardingAdapter } from "./onboarding.js";
 import { getMattermostRuntime } from "./runtime.js";
 
-const SIGNED_CHANNEL_ID_CONTEXT_KEY = "__openclaw_channel_id";
-
 const mattermostMessageActions: ChannelMessageActionAdapter = {
   listActions: ({ cfg }) => {
     const enabledAccounts = listMattermostAccountIds(cfg)
@@ -162,61 +155,14 @@ const mattermostMessageActions: ChannelMessageActionAdapter = {
     const replyToId = typeof params.replyToId === "string" ? params.replyToId : undefined;
     const resolvedAccountId = accountId || undefined;
 
-    // Build props with button attachments if buttons are provided
-    let props: Record<string, unknown> | undefined;
-    if (params.buttons && Array.isArray(params.buttons)) {
-      const account = resolveMattermostAccount({ cfg, accountId: resolvedAccountId });
-      if (account.botToken) setInteractionSecret(account.accountId, account.botToken);
-      const channelId = await resolveMattermostSendChannelId(to, {
-        cfg,
-        accountId: account.accountId,
-      });
-      const callbackUrl = resolveInteractionCallbackUrl(account.accountId, {
-        gateway: cfg.gateway,
-        interactions: account.config.interactions,
-      });
-
-      // Flatten 2D array (rows of buttons) to 1D — core schema sends Array<Array<Button>>
-      // but Mattermost doesn't have row layout, so we flatten all rows into a single list.
-      // Also supports 1D arrays for backward compatibility.
-      const rawButtons = (params.buttons as Array<unknown>).flatMap((item) =>
-        Array.isArray(item) ? item : [item],
-      ) as Array<Record<string, unknown>>;
-
-      const buttons = rawButtons
-        .map((btn) => ({
-          id: String(btn.id ?? btn.callback_data ?? ""),
-          name: String(btn.text ?? btn.name ?? btn.label ?? ""),
-          style: (btn.style as "default" | "primary" | "danger") ?? "default",
-          context:
-            typeof btn.context === "object" && btn.context !== null
-              ? {
-                  ...(btn.context as Record<string, unknown>),
-                  [SIGNED_CHANNEL_ID_CONTEXT_KEY]: channelId,
-                }
-              : { [SIGNED_CHANNEL_ID_CONTEXT_KEY]: channelId },
-        }))
-        .filter((btn) => btn.id && btn.name);
-
-      const attachmentText =
-        typeof params.attachmentText === "string" ? params.attachmentText : undefined;
-      props = {
-        attachments: buildButtonAttachments({
-          callbackUrl,
-          accountId: account.accountId,
-          buttons,
-          text: attachmentText,
-        }),
-      };
-    }
-
     const mediaUrl =
       typeof params.media === "string" ? params.media.trim() || undefined : undefined;
 
     const result = await sendMessageMattermost(to, message, {
       accountId: resolvedAccountId,
       replyToId,
-      props,
+      buttons: Array.isArray(params.buttons) ? params.buttons : undefined,
+      attachmentText: typeof params.attachmentText === "string" ? params.attachmentText : undefined,
       mediaUrl,
     });
 
 
@@ -53,6 +53,7 @@ const MattermostAccountSchemaBase = z
     interactions: z
       .object({
         callbackBaseUrl: z.string().optional(),
+        allowedSourceIps: z.array(z.string()).optional(),
       })
       .optional(),
   })
 
@@ -1,5 +1,5 @@
 import { type IncomingMessage, type ServerResponse } from "node:http";
-import { describe, expect, it, beforeEach, afterEach } from "vitest";
+import { describe, expect, it, beforeEach, afterEach, vi } from "vitest";
 import { setMattermostRuntime } from "../runtime.js";
 import { resolveMattermostAccount } from "./accounts.js";
 import type { MattermostClient } from "./client.js";
@@ -109,6 +109,53 @@ describe("generateInteractionToken / verifyInteractionToken", () => {
     expect(verifyInteractionToken(reorderedContext, token)).toBe(true);
   });
 
+  it("verifies nested context regardless of nested key order", () => {
+    const originalContext = {
+      action_id: "nested",
+      payload: {
+        model: "gpt-5",
+        meta: {
+          provider: "openai",
+          page: 2,
+        },
+      },
+    };
+    const token = generateInteractionToken(originalContext);
+
+    const reorderedContext = {
+      payload: {
+        meta: {
+          page: 2,
+          provider: "openai",
+        },
+        model: "gpt-5",
+      },
+      action_id: "nested",
+    };
+
+    expect(verifyInteractionToken(reorderedContext, token)).toBe(true);
+  });
+
+  it("rejects nested context tampering", () => {
+    const originalContext = {
+      action_id: "nested",
+      payload: {
+        provider: "openai",
+        model: "gpt-5",
+      },
+    };
+    const token = generateInteractionToken(originalContext);
+    const tamperedContext = {
+      action_id: "nested",
+      payload: {
+        provider: "anthropic",
+        model: "gpt-5",
+      },
+    };
+
+    expect(verifyInteractionToken(tamperedContext, token)).toBe(false);
+  });
+
   it("scopes tokens per account when account secrets differ", () => {
     setInteractionSecret("acct-a", "bot-token-a");
     setInteractionSecret("acct-b", "bot-token-b");
@@ -400,12 +447,14 @@ describe("createMattermostInteractionHandler", () => {
     method?: string;
     body?: unknown;
     remoteAddress?: string;
+    headers?: Record<string, string>;
   }): IncomingMessage {
     const body = params.body === undefined ? "" : JSON.stringify(params.body);
     const listeners = new Map<string, Array<(...args: unknown[]) => void>>();
 
     const req = {
       method: params.method ?? "POST",
+      headers: params.headers ?? {},
       socket: { remoteAddress: params.remoteAddress ?? "203.0.113.10" },
       on(event: string, handler: (...args: unknown[]) => void) {
         const existing = listeners.get(event) ?? [];
@@ -447,7 +496,7 @@ describe("createMattermostInteractionHandler", () => {
     return res as unknown as ServerResponse & { headers: Record<string, string>; body: string };
   }
 
-  it("accepts non-localhost requests when the interaction token is valid", async () => {
+  it("accepts callback requests from an allowlisted source IP", async () => {
     const context = { action_id: "approve", __openclaw_channel_id: "chan-1" };
     const token = generateInteractionToken(context, "acct");
     const requestLog: Array<{ path: string; method?: string }> = [];
@@ -469,6 +518,7 @@ describe("createMattermostInteractionHandler", () => {
       } as unknown as MattermostClient,
       botUserId: "bot",
       accountId: "acct",
+      allowedSourceIps: ["198.51.100.8"],
     });
 
     const req = createReq({
@@ -493,6 +543,80 @@ describe("createMattermostInteractionHandler", () => {
     ]);
   });
 
+  it("accepts forwarded Mattermost source IPs from a trusted proxy", async () => {
+    const context = { action_id: "approve", __openclaw_channel_id: "chan-1" };
+    const token = generateInteractionToken(context, "acct");
+    const handler = createMattermostInteractionHandler({
+      client: {
+        request: async (_path: string, init?: { method?: string }) => {
+          if (init?.method === "PUT") {
+            return { id: "post-1" };
+          }
+          return {
+            channel_id: "chan-1",
+            message: "Choose",
+            props: {
+              attachments: [{ actions: [{ id: "approve", name: "Approve" }] }],
+            },
+          };
+        },
+      } as unknown as MattermostClient,
+      botUserId: "bot",
+      accountId: "acct",
+      allowedSourceIps: ["198.51.100.8"],
+      trustedProxies: ["127.0.0.1"],
+    });
+
+    const req = createReq({
+      remoteAddress: "127.0.0.1",
+      headers: { "x-forwarded-for": "198.51.100.8" },
+      body: {
+        user_id: "user-1",
+        user_name: "alice",
+        channel_id: "chan-1",
+        post_id: "post-1",
+        context: { ...context, _token: token },
+      },
+    });
+    const res = createRes();
+
+    await handler(req, res);
+
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toBe("{}");
+  });
+
+  it("rejects callback requests from non-allowlisted source IPs", async () => {
+    const context = { action_id: "approve", __openclaw_channel_id: "chan-1" };
+    const token = generateInteractionToken(context, "acct");
+    const handler = createMattermostInteractionHandler({
+      client: {
+        request: async () => {
+          throw new Error("should not fetch post for rejected origins");
+        },
+      } as unknown as MattermostClient,
+      botUserId: "bot",
+      accountId: "acct",
+      allowedSourceIps: ["127.0.0.1"],
+    });
+
+    const req = createReq({
+      remoteAddress: "198.51.100.8",
+      body: {
+        user_id: "user-1",
+        channel_id: "chan-1",
+        post_id: "post-1",
+        context: { ...context, _token: token },
+      },
+    });
+    const res = createRes();
+
+    await handler(req, res);
+
+    expect(res.statusCode).toBe(403);
+    expect(res.body).toContain("Forbidden origin");
+  });
+
   it("rejects requests with an invalid interaction token", async () => {
     const handler = createMattermostInteractionHandler({
       client: {
@@ -610,4 +734,62 @@ describe("createMattermostInteractionHandler", () => {
     expect(res.statusCode).toBe(403);
     expect(res.body).toContain("Unknown action");
   });
+
+  it("lets a custom interaction handler short-circuit generic completion updates", async () => {
+    const context = { action_id: "mdlprov", __openclaw_channel_id: "chan-1" };
+    const token = generateInteractionToken(context, "acct");
+    const requestLog: Array<{ path: string; method?: string }> = [];
+    const handleInteraction = vi.fn().mockResolvedValue({
+      ephemeral_text: "Only the original requester can use this picker.",
+    });
+    const dispatchButtonClick = vi.fn();
+    const handler = createMattermostInteractionHandler({
+      client: {
+        request: async (path: string, init?: { method?: string }) => {
+          requestLog.push({ path, method: init?.method });
+          return {
+            channel_id: "chan-1",
+            message: "Choose",
+            props: {
+              attachments: [{ actions: [{ id: "mdlprov", name: "Browse providers" }] }],
+            },
+          };
+        },
+      } as unknown as MattermostClient,
+      botUserId: "bot",
+      accountId: "acct",
+      handleInteraction,
+      dispatchButtonClick,
+    });
+
+    const req = createReq({
+      body: {
+        user_id: "user-2",
+        user_name: "alice",
+        channel_id: "chan-1",
+        post_id: "post-1",
+        context: { ...context, _token: token },
+      },
+    });
+    const res = createRes();
+
+    await handler(req, res);
+
+    expect(res.statusCode).toBe(200);
+    expect(res.body).toBe(
+      JSON.stringify({
+        ephemeral_text: "Only the original requester can use this picker.",
+      }),
+    );
+    expect(requestLog).toEqual([{ path: "/posts/post-1", method: undefined }]);
+    expect(handleInteraction).toHaveBeenCalledWith(
+      expect.objectContaining({
+        actionId: "mdlprov",
+        actionName: "Browse providers",
+        originalMessage: "Choose",
+        userName: "alice",
+      }),
+    );
+    expect(dispatchButtonClick).not.toHaveBeenCalled();
+  });
 });