fix(slack): honor open groupPolicy when channelsConfig has entries #1563
Conversation
## Summary
Fix Slack `groupPolicy: "open"` to allow unlisted channels even when `channels.slack.channels` contains custom entries.
## Problem
When `groupPolicy` is set to `"open"`, the bot should respond in **any channel** it's invited to. However, if `channels.slack.channels` contains *any* entries—even just one channel with a custom system prompt—the open policy is ignored. Only explicitly listed channels receive responses; all others get an ephemeral "This channel is not allowed" error.
### Example config
```json
{
"channels": {
"slack": {
"groupPolicy": "open",
"channels": {
"C0123456789": { "systemPrompt": "Custom prompt for this channel" }
}
}
}
}
```
With this config, the bot only responds in `C0123456789`. Messages in any other channel are blocked—even though the policy is `"open"`.
## Root Cause
In `src/slack/monitor/context.ts`, `isChannelAllowed()` has two sequential checks:
1. `isSlackChannelAllowedByPolicy()` — correctly returns `true` for open policy
2. A secondary `!channelAllowed` check — was blocking channels when `resolveSlackChannelConfig()` returned `{ allowed: false }` for unlisted channels
The second check conflated "channel not in config" with "channel explicitly denied."
## Fix
Use `matchSource` to distinguish explicit denial from absence of config:
```ts
const hasExplicitConfig = Boolean(channelConfig?.matchSource);
if (!channelAllowed && (params.groupPolicy !== "open" || hasExplicitConfig)) {
return false;
}
```
When `matchSource` is undefined, the channel has no explicit config entry and should be allowed under open policy.
## Behavior After Fix
| Scenario | Result |
|----------|--------|
| `groupPolicy: "open"`, channel unlisted | ✅ Allowed |
| `groupPolicy: "open"`, channel explicitly denied (`allow: false`) | ❌ Blocked |
| `groupPolicy: "open"`, channel with custom config | ✅ Allowed |
| `groupPolicy: "allowlist"`, channel unlisted | ❌ Blocked |
## Test Plan
- [x] Open policy + unlisted channel → allowed
- [x] Open policy + explicitly denied channel → blocked
- [x] Allowlist policy + unlisted channel → blocked
- [x] Allowlist policy + listed channel → allowed
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 257aa9fcef
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Address reviewer feedback: slash commands now use the same hasExplicitConfig check as regular messages, so unlisted channels are allowed under groupPolicy: "open" for both message handling and slash commands.
|
Good catch! You're right that slash commands had a separate policy check that wasn't updated. I've pushed a fix in 72d0827 that applies the same
Now both regular messages and slash commands behave consistently under |
|
Codex Review: Didn't find any major issues. Chef's kiss. ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
Landed via temp rebase onto main. Thanks @itsjaydesu! |
Summary
Fix Slack
groupPolicy: "open"to allow unlisted channels even whenchannels.slack.channelscontains custom entries.Problem
When
groupPolicyis set to"open", the bot should respond in any channel it's invited to. However, ifchannels.slack.channelscontains any entries—even just one channel with a custom system prompt—the open policy is ignored. Only explicitly listed channels receive responses; all others get an ephemeral "This channel is not allowed" error.Example config
{ "channels": { "slack": { "groupPolicy": "open", "channels": { "C0123456789": { "systemPrompt": "Custom prompt for this channel" } } } } }With this config, the bot only responds in
C0123456789. Messages in any other channel are blocked—even though the policy is"open".Root Cause
In
src/slack/monitor/context.ts,isChannelAllowed()has two sequential checks:isSlackChannelAllowedByPolicy()— correctly returnstruefor open policy!channelAllowedcheck — was blocking channels whenresolveSlackChannelConfig()returned{ allowed: false }for unlisted channelsThe second check conflated "channel not in config" with "channel explicitly denied."
Fix
Use
matchSourceto distinguish explicit denial from absence of config:When
matchSourceis undefined, the channel has no explicit config entry and should be allowed under open policy.Behavior After Fix
groupPolicy: "open", channel unlistedgroupPolicy: "open", channel explicitly denied (allow: false)groupPolicy: "open", channel with custom configgroupPolicy: "allowlist", channel unlistedTest Plan
Added unit tests in
src/slack/monitor/context.test.tscovering: