Skip to content

fix: remove chat:write.public scope for better security #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: remove chat:write.public scope for better security #267

wants to merge 2 commits into from
+5 −5

Conversation

@GPTI314
Copy link

@GPTI314 GPTI314 commented Nov 17, 2025
edited
Loading

Changed botScopes from ["commands", "chat:write", "chat:write.public"] to ["commands", "chat:write"] to remove the overly broad public permission.

The chat:write.public scope allows bots to write to channels they're not members of, which is unnecessarily permissive. Using just chat:write provides better security and privacy while maintaining necessary functionality.

Updated:

  • Test data manifests (manifest-sdk.ts, manifest-sdk-app-name.ts)
  • Documentation example
  • Test expectations in strings_test.go

Summary

(Please describe the goal of this pull request and mention any related issue numbers)

Requirements

@claude
fix: remove chat:write.public scope for better security
e361933 
Changed botScopes from ["commands", "chat:write", "chat:write.public"] to
["commands", "chat:write"] to remove the overly broad public permission.

The chat:write.public scope allows bots to write to channels they're not
members of, which is unnecessarily permissive. Using just chat:write
provides better security and privacy while maintaining necessary functionality.

Updated:
- Test data manifests (manifest-sdk.ts, manifest-sdk-app-name.ts)
- Documentation example
- Test expectations in strings_test.go
Copilot AI review requested due to automatic review settings November 17, 2025 07:49
@GPTI314 GPTI314 requested review from a team as code owners November 17, 2025 07:49
@salesforce-cla salesforce-cla bot added the cla:missing The CLA was not signed label Nov 17, 2025
@salesforce-cla
Copy link

salesforce-cla bot commented Nov 17, 2025

Thanks for the contribution! Before we can merge this, we need @claude to sign the Salesforce Inc. Contributor License Agreement.

Copilot finished reviewing on behalf of GPTI314 November 17, 2025 07:50
Copilot AI reviewed Nov 17, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR improves security by removing the overly permissive chat:write.public scope from bot configurations. The chat:write.public scope allows bots to write to channels they're not members of, which is unnecessarily broad. The change maintains necessary functionality while following the principle of least privilege.

Key changes:

  • Removed chat:write.public from botScopes arrays, keeping only commands and chat:write
  • Updated test data, test expectations, and documentation to reflect the security improvement

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
test/testdata/manifest-sdk.ts Updated test data manifest to remove chat:write.public from botScopes
test/testdata/manifest-sdk-app-name.ts Updated test data manifest to remove chat:write.public from botScopes
internal/goutils/strings_test.go Updated test expectations to match the new scope configuration in mock HTTP responses
docs/guides/using-environment-variables-with-the-slack-cli.md Updated documentation example to reflect the security-improved scope configuration

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@salesforce-cla
Copy link

salesforce-cla bot commented Nov 17, 2025

Thanks for the contribution! Before we can merge this, we need @claude @GPTI314 to sign the Salesforce Inc. Contributor License Agreement.

GPTI314
GPTI314 commented Nov 17, 2025
View reviewed changes
Copy link
Author

@GPTI314 GPTI314 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

roger

mwbrooks
mwbrooks reviewed Nov 17, 2025
View reviewed changes
Copy link
Member

@mwbrooks mwbrooks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @GPTI314 👋🏻

Thanks for the PR and using conventional commits in the title. 👌🏻

This PR only changes our tests and a documentation example, although I agree that is does set a better example for security.

Before we can review your PR, you'll need to sign our open source CLA. It looks like the CLA is looking for @claude to sign it. Did you put together this PR with Claude Code?

@mwbrooks mwbrooks mentioned this pull request Nov 28, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mwbrooks mwbrooks mwbrooks left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

cla:missing The CLA was not signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GPTI314 @mwbrooks @claude