t1385.6: Add Slack bot integration subagent doc

[marcusquinn]

Summary

• Create .agents/services/communications/slack.md — comprehensive subagent doc for Slack bot integration using @slack/bolt SDK
• Update subagent-index.toon and AGENTS.md domain index to include the new Slack entry

What's Covered

• Connection modes: Socket Mode (WebSocket, no public URL) vs HTTP Events API (production/Marketplace)
• App manifest: Full YAML manifest with bot user, slash commands, event subscriptions, OAuth scopes
• OAuth scopes: Complete reference for bot token (xoxb-) and app-level token (xapp-) scopes
• Messaging: say(), chat.postMessage, threads, ephemeral messages, Block Kit, reactions, file uploads, message updates
• Slash commands: Registration, handling, immediate vs deferred response, response_url patterns
• Interactive components: Buttons, select menus, modals (views.open/view_submission), action handlers
• Agents & AI Apps: Assistant pattern with threadStarted/userMessage handlers, native streaming via chatStream(), feedback buttons
• Access control: Middleware for workspace/channel/user allowlists
• Privacy/security assessment: No E2E encryption, admin DM access, AI/ML training data warning (opt-out required), metadata exposure, platform comparison table
• Runner dispatch: Channel-to-runner mapping pattern consistent with Matrix bot integration
• Matterbridge: Native Slack bridge config and security notes for cross-platform bridging
• Rate limits: Tier 1-4 reference, 3-second ack requirement, response_url validity
• Troubleshooting: Common issues and solutions table

Style

Follows existing communications subagent conventions (YAML frontmatter, AI-CONTEXT markers, architecture diagram, config reference, code examples, Related section). Consistent with matrix-bot.md, matterbridge.md, and simplex.md patterns.

Closes #2753

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 50 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between ac2beaf and 25d295db0140b83dc2cbda7bffe6d35c3ecae867.

📒 Files selected for processing (3)

• .agents/AGENTS.md
• .agents/services/communications/slack.md
• .agents/subagent-index.toon

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/t1385.6-slack-bot-agent

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces comprehensive documentation for integrating Slack bots into the aidevops ecosystem. It provides a detailed guide for developers on setting up, configuring, and utilizing Slack's various features, including messaging, interactive components, and AI app integration. A significant portion is dedicated to a privacy and security assessment, ensuring users are aware of the platform's implications. The changes aim to streamline the development of Slack-based AI assistants and ensure secure and effective deployment.

Highlights

• Comprehensive Slack Bot Documentation: A new slack.md subagent document was added, detailing Slack bot integration using the @slack/bolt SDK, covering setup, messaging, interactive components, and AI app patterns.
• Detailed Setup and Configuration: The documentation provides extensive guidance on Slack app manifest creation, token generation, OAuth scopes, and various configuration options for aidevops Slack bots.
• Advanced Messaging and Interactive Features: Instructions are included for sending rich messages, managing threads, using ephemeral messages, reactions, file uploads, message updates, slash commands, buttons, select menus, and modals.
• Privacy and Security Assessment: A critical privacy and security assessment of the Slack platform is provided, highlighting concerns such as lack of E2E encryption, admin access to DMs, and the importance of opting out of AI/ML data training.
• Integration with aidevops Runners: The document outlines patterns for mapping Slack channels to aidevops runners, dispatching tasks, and includes troubleshooting tips and Matterbridge bridging details.

Changelog

• .agents/AGENTS.md
  • Added slack.md to the list of communication services.
• .agents/services/communications/slack.md
  • Created a new document detailing Slack bot integration, covering setup, messaging, interactive components, AI app patterns, and security considerations.
• .agents/subagent-index.toon
  • Updated the communications subagent index to include slack.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 113 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Tue Mar 3 04:46:56 UTC 2026: Code review monitoring started
Tue Mar 3 04:46:57 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 113

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 113
• VULNERABILITIES: 0

Generated on: Tue Mar 3 04:46:59 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive subagent document for Slack bot integration using the @slack/bolt SDK, covering various aspects such as connection modes, app manifest, OAuth scopes, messaging, slash commands, interactive components, and security considerations. The changes also include updates to subagent-index.toon and AGENTS.md to incorporate the new Slack entry. I have added a review comment to address a potential command injection vulnerability and suggest using child_process.spawn with a bash array for safer command execution.

_{Note: Security Review is unavailable for this PR.}

[gemini-code-assist]

high: The execSync command constructs a shell command with user-provided input (prompt) without proper sanitization, which could lead to command injection vulnerabilities. To prevent command injection, avoid using execSync with unsanitized input. Instead, use child_process.spawn with a bash array to build the command and its arguments safely.

const { spawn } = require('child_process');

async function dispatchToRunner(runner, prompt, channel, threadTs) {
  // Add reaction to show processing
  await client.reactions.add({
    channel,
    timestamp: threadTs,
    name: 'hourglass_flowing_sand',
  });

  try {
    // Dispatch via runner-helper.sh using spawn
    const child = spawn('runner-helper.sh', ['dispatch', runner, prompt], {
      timeout: 600000,
      encoding: 'utf-8',
    });

    let result = '';
    for await (const chunk of child.stdout) {
        result += chunk;
    }

    // Post response in thread
    await client.chat.postMessage({
      channel,
      thread_ts: threadTs,
      text: result.trim(),
    });

    // Success reaction
    await client.reactions.remove({ channel, timestamp: threadTs, name: 'hourglass_flowing_sand' });
    await client.reactions.add({ channel, timestamp: threadTs, name: 'white_check_mark' });
  } catch (error) {
    // Failure reaction
    await client.reactions.remove({ channel, timestamp: threadTs, name: 'hourglass_flowing_sand' });
    await client.reactions.add({ channel, timestamp: threadTs, name: 'x' });

    await client.chat.postEphemeral({
      channel,
      user: event.user,
      text: `Runner dispatch failed: ${error.message}`,
    });
  }
}

References

1. To avoid command injection vulnerabilities when constructing shell commands dynamically, do not use eval. Instead, use a bash array to build the command and its arguments safely.

[alex-solovyev]

This PR was superseded by the batch merge in PR #2771 (feat: t1385 — add 11 chat platform integration agents), which merged all the content from this branch. Closing as the content is already in main.