Conversation
Cross-repo audit Finding 1 (2026-04-25) found that the existing test mock returned a hardcoded value regardless of which secret name the production code requested. That permissive mock hid a real bug: SLACK_TRANSPORT=http would 404 in production because phantomd's allowlist did not include slack_gateway_signing_secret. Fix: replace the loose secFetcher in every transport=http test with makeSecretFetcher(), a helper that throws fail-loud on any name not in SECRET_RESPONSES. The error message points at phantomd's AllowedSecretNames map so a future divergence between the two repos surfaces in CI instead of in production logs. Adds an explicit regression test (makeSecretFetcher fails-loud when production asks for an unknown name) so the guard itself is pinned. Adds a cross-repo doc comment in slack-channel-factory.ts pointing at phantomd's allowlist; phantomd's matching commit adds the reverse pointer. Refs: phantomd audit-fix/canonicalize-gateway-signing-secret
mcheemaa
force-pushed
the
audit-fix/canonicalize-gateway-signing-secret
branch
from
2858c9e to
fc7178e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cross-repo audit Finding 1 (2026-04-25) caught a regression that the existing test suite hid: the mock secret fetcher in
slack-channel-factory.test.tsreturned a hardcoded value for any name the production code requested. That permissive mock masked a real production bug wherephantomd's/v1/secretsallowlist did not includeslack_gateway_signing_secret, which madeSLACK_TRANSPORT=httpboot 404 in production.This PR tightens the test mock so future drift between phantom and phantomd fails CI immediately:
secFetcherin everytransport=httptest withmakeSecretFetcher(), a helper that throws fail-loud on any name not inSECRET_RESPONSES. The error message points at phantomd'sAllowedSecretNamesso an engineer landing a rename knows where to update the other repo.makeSecretFetcher fails-loud when production asks for an unknown name) that pins the guard itself.slack-channel-factory.tsnear thesecFetcher.get(...)calls naming both required secret names and pointing at phantomd's allowlist file.The companion change on the phantomd side (
ghostwright/phantomdPR #9) addsslack_gateway_signing_secretto its allowlist and adds a matching reverse-pointer doc comment. With both PRs merged, drift on either side fails CI on at least one of the two repos.The production code in
slack-channel-factory.tswas already requesting the correct name (slack_gateway_signing_secret); this PR does not change the production fetch.Changes
src/channels/__tests__/slack-channel-factory.test.ts: introducemakeSecretFetcher(tape?)helper; convert all five http-mode tests to use it; add the new fail-loud regression test; addrequested.toHaveLength(2)assertion in the parallel-fetch test.src/channels/slack-channel-factory.ts: add a cross-repo invariant doc comment immediately above thePromise.allthat fetches the two secrets.Test plan
bun testgreen: 1930 pass, 0 fail (file count up by 1: 13 to 14 in this file)bun run typecheckcleanbun run lintcleanslack-channel-factory.test.tsconfirms 14 tests pass and the new regression test fails-loud on the legacy nameAudit reference
Finding 1 of
local/2026-04-25-cross-repo-audit-report.md(severity: critical, marked as production-breaking forSLACK_TRANSPORT=http).Base branch note
Targets
slack-5b/http-receiverbecause the file under test does not yet exist onmain. Afterslack-5b/http-receivermerges, this branch can fast-forward into the same merge train.