#18657: feat(mattermost): add native slash command support (refresh)

## Summary Refresh of stale PR #17302 onto current `main`. Reintroduces native Mattermost slash command support, including follow-up hardening commits from the original branch. ## Included - native slash command registration/state + callback handling - per-account command config merge - callback URL/path normalization and runtime host/port handling - fail-closed behavior and auth-bypass tightening for configured callback paths - lifecycle cleanup/race fixes and related robustness updates ## Validation - `pnpm exec vitest run src/auto-reply/command-control.test.ts src/gateway/server-http.hooks-request-timeout.test.ts extensions/mattermost/src/channel.test.ts extensions/mattermost/src/mattermost/client.test.ts` Refs #16515 <!-- greptile_comment --> <h3>Greptile Summary</h3> Reintroduces native Mattermost slash command support with comprehensive security hardening: - **Slash command infrastructure**: Registers custom slash commands via Mattermost REST API (`/api/v4/commands`) and handles callbacks through dedicated HTTP endpoints - **Command registration lifecycle**: Auto-registers commands on bot startup (with per-team registration), tracks state per-account, and cleans up on shutdown to prevent stranded registrations - **Security hardening**: Fail-closed token validation (rejects when no tokens registered), HTTP route whitelisting for Mattermost callbacks to prevent auth bypass, wildcard bind host detection, and improved `commands.allowFrom` override semantics - **Multi-account support**: Per-account state management with token-based routing for concurrent account deployments - **Configuration**: Opt-in via `channels.mattermost.commands.native=true`, supports callback URL overrides for reverse proxies, and skill-based command registration via `nativeSkills` - **Authorization flow**: Enforces same DM/group policies and allowlist checks as websocket messages, with proper command-specific authorization <h3>Confidence Score: 4/5</h3> - Safe to merge with minor verification recommended for deployment-specific callback URL configuration - Score reflects well-architected implementation with robust security measures (fail-closed token validation, HTTP route whitelisting, proper authorization), comprehensive lifecycle management (startup registration, shutdown cleanup, race condition handling), and appropriate test coverage. One point deducted for the localhost callback URL warning being advisory-only rather than failing explicitly when callback URLs would be unreachable - No files require special attention - the security hardening (src/gateway/server-http.ts:505-551) properly exempts Mattermost callbacks from gateway auth while maintaining token-based authentication, and the fail-closed behaviors throughout are appropriate _{Last reviewed commit: 31eff97} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->