From 36e3a874d5ddc6795646ee4be00e416a0dd0e165 Mon Sep 17 00:00:00 2001
From: Michael Brooks <mbrooks@slack-corp.com>
Date: Fri, 28 Nov 2025 10:41:22 -0800
Subject: [PATCH] docs: remove chat:write.public scope for best practice

---
 .../using-environment-variables-with-the-slack-cli.md     | 8 ++++----
 internal/goutils/strings_test.go                          | 4 ++--
 test/testdata/manifest-sdk-app-name.ts                    | 2 +-
 test/testdata/manifest-sdk.ts                             | 2 +-
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/docs/guides/using-environment-variables-with-the-slack-cli.md b/docs/guides/using-environment-variables-with-the-slack-cli.md
index 7e9f2664..f67742da 100644
--- a/docs/guides/using-environment-variables-with-the-slack-cli.md
+++ b/docs/guides/using-environment-variables-with-the-slack-cli.md
@@ -22,7 +22,7 @@ MY_ENV_VAR=asdf1234
 
 Note that changes to your `.env` file will be reflected when you restart your local development server.
 
-While the `.env` file should **never** be committed to source control for security reasons, you can see a sample `.env` file we've included in the [Timesheet approval sample app](https://github.com/slack-samples/deno-timesheet-approval) and the [Incident management sample app](https://github.com/slack-samples/deno-incident-management). 
+While the `.env` file should **never** be committed to source control for security reasons, you can see a sample `.env` file we've included in the [Timesheet approval sample app](https://github.com/slack-samples/deno-timesheet-approval) and the [Incident management sample app](https://github.com/slack-samples/deno-incident-management).
 
 ### Storing deployed environment variables {#deployed-env-vars}
 
@@ -40,7 +40,7 @@ If your token contains non-alphanumeric characters, wrap it in quotes like this:
 slack env add SLACK_API_URL "https://dev<yournumber>.slack.com/api/"
 ```
 
-Your environment variables are always encrypted before being stored on our servers and will be automatically decrypted when you use them&mdash;including when listing environment variables with `slack env list`. 
+Your environment variables are always encrypted before being stored on our servers and will be automatically decrypted when you use them&mdash;including when listing environment variables with `slack env list`.
 
 ### Access variables from within function {#access-function}
 
@@ -108,7 +108,7 @@ export default Manifest({
   outgoingDomains: [
     Deno.env.get("CHATBOT_API_URL")!,
   ],
-  botScopes: ["commands", "chat:write", "chat:write.public"],
+  botScopes: ["commands", "chat:write"],
 });
 ```
 
@@ -134,7 +134,7 @@ With this addition, running `slack deploy` without defining a value for `CHATBOT
 
 ## Enabling debug mode {#debug}
 
-The included environment variable `SLACK_DEBUG` can enable a basic debug mode. Set `SLACK_DEBUG` to `true` to have all function-related payloads logged. 
+The included environment variable `SLACK_DEBUG` can enable a basic debug mode. Set `SLACK_DEBUG` to `true` to have all function-related payloads logged.
 
 For local apps, add the following to your `.env` file:
 
diff --git a/internal/goutils/strings_test.go b/internal/goutils/strings_test.go
index 938f5f8a..336e2ca6 100644
--- a/internal/goutils/strings_test.go
+++ b/internal/goutils/strings_test.go
@@ -326,8 +326,8 @@ func Test_RedactPII(t *testing.T) {
 		},
 		{
 			name:     "Escape sensitive data from mock HTTP response",
-			text:     `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write,chat:write.public"}`,
-			expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write,chat:write.public"}`,
+			text:     `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write"}`,
+			expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write"}`,
 		},
 		{
 			name:     "Escape from `Command` for external-auth add-secret",
diff --git a/test/testdata/manifest-sdk-app-name.ts b/test/testdata/manifest-sdk-app-name.ts
index 07d6b959..1818b2ab 100644
--- a/test/testdata/manifest-sdk-app-name.ts
+++ b/test/testdata/manifest-sdk-app-name.ts
@@ -18,5 +18,5 @@ export default Manifest({
   "icon": "assets/icon.png",
   "functions": [ReverseFunction],
   "outgoingDomains": [],
-  "botScopes": ["commands", "chat:write", "chat:write.public"],
+  "botScopes": ["commands", "chat:write"],
 });
diff --git a/test/testdata/manifest-sdk.ts b/test/testdata/manifest-sdk.ts
index c2f433f3..679ab4a3 100644
--- a/test/testdata/manifest-sdk.ts
+++ b/test/testdata/manifest-sdk.ts
@@ -18,5 +18,5 @@ export default Manifest({
   "icon": "assets/icon.png",
   "functions": [ReverseFunction],
   "outgoingDomains": [],
-  "botScopes": ["commands", "chat:write", "chat:write.public"],
+  "botScopes": ["commands", "chat:write"],
 });