docs: Slack distributed-app operator runbook (Phase 8 close-out)#95
Merged
docs: Slack distributed-app operator runbook (Phase 8 close-out)#95
Conversation
Adds docs/slack-cloud-mode.md, the operator-facing companion to the gateway operations runbook in phantom-slack-events. Covers the in-tenant Phantom side of the distributed-app flow: - The two transports (socket vs http) and how SLACK_TRANSPORT selects. - The four metadata gateway endpoints the agent consumes (/v1/identity, /v1/secrets/slack_bot_token, /v1/secrets/slack_gateway_signing_secret, generic /v1/secrets/<name>) with the security invariants each fetcher enforces. - The bot-token lifecycle from OAuth install through to operator rotation, including the Phase D scope of the RestartTenant RPC. - ip netns exec curl diagnostic commands for inspecting identity, bot token, and gateway signing secret from the host. - A failure-mode triage table covering token revocation, missing identity subfield, signing-secret mismatch, foreign team_id, and KMS unreachability. No code changes; the doc explains existing behavior already shipped in src/channels/slack-channel-factory.ts, src/channels/slack-http-receiver.ts, and src/config/. Gates: bun test 1929 pass / 10 skip / 0 fail unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Slack Phase 8 close-out for the agent. Adds
docs/slack-cloud-mode.md, the operator-facing companion to the gateway operations runbook inphantom-slack-events. Zero code changes.The doc covers the in-tenant Phantom side of the distributed-app flow:
socketvshttp) and howSLACK_TRANSPORTselects./v1/identity,/v1/secrets/slack_bot_token,/v1/secrets/slack_gateway_signing_secret, generic/v1/secrets/<name>) with the security invariants each fetcher enforces.RestartTenantRPC.ip netns exec curldiagnostic commands for inspecting identity, bot token, and gateway signing secret from the host. Each command shows the safe handling pattern (no plaintext to a pager, shred after read).The doc explains existing behavior shipped in
src/channels/slack-channel-factory.ts,src/channels/slack-http-receiver.ts, andsrc/config/. It does NOT introduce new APIs.Phase 8 review verification (F9)
The Phase 8 close-out review flagged the doc's claim about
MetadataSecretFetcherETag refresh againstX-Phantom-Rotation-Idfor spot-check verification. Cross-checkedsrc/config/metadata-fetcher.ts:METADATA_CACHE_TTL_MS = 60_000matches "caches each value for 60 seconds".headers["If-None-Match"] = '"' + cached.rotationId + '"'matches "usesIf-None-MatchETag refresh".rotationId = res.headers.get("X-Phantom-Rotation-Id") ?? "0"matches "phantomd'sX-Phantom-Rotation-Idheader".cached.fetchedAt = Date.now()matching "a 304 reply extends the cache window".Doc claim is accurate; no changes required for F9.
Test plan
bun test1929 pass / 10 skip / 0 fail (unchanged from main)bun run typecheckcleanbun run lintcleangetting-started.md,security.md,src/channels/slack-channel-factory.ts,src/config/identity-fetcher.ts,src/config/metadata-fetcher.ts)phantom-slack-events/docs/operations-slack-gateway.mdandghostwright-site/docs/phantom-signup-walkthrough.mdare intentional and resolve when sibling checkouts are present