
fix(slack-work-app): Remove user scopes #3052

Closed
miles-kt-inkeep wants to merge 2 commits into main from fix/remove-slack-user-scopes

Conversation

@miles-kt-inkeep (Contributor)

No description provided.

@changeset-bot changeset-bot Bot commented Apr 7, 2026

🦋 Changeset detected

Latest commit: 7230aed

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages
Name Type
@inkeep/agents-work-apps Patch
@inkeep/agents-api Patch
@inkeep/agents-manage-ui Patch
@inkeep/agents-cli Patch
@inkeep/agents-core Patch
@inkeep/agents-email Patch
@inkeep/agents-mcp Patch
@inkeep/agents-sdk Patch
@inkeep/ai-sdk-provider Patch
@inkeep/create-agents Patch


@vercel vercel Bot commented Apr 7, 2026

The latest updates on your projects.

Project | Deployment | Updated (UTC)
agents-api | Ready | Apr 7, 2026 8:18pm
agents-docs | Ready | Apr 7, 2026 8:18pm
agents-manage-ui | Ready | Apr 7, 2026 8:18pm

@pullfrog pullfrog Bot (Contributor) left a comment

Clean change. The removed user scopes (users:read, users:read.email) were unused — the app operates entirely through bot scopes, which still include both. slack-scopes.ts only exports bot scopes, so no downstream code is affected.

Pullfrog | Using Claude Opus

@pullfrog pullfrog Bot (Contributor) commented Apr 7, 2026

TL;DR — Removes the users:read and users:read.email user scopes from the Slack app manifest, leaving the user scopes array empty. These scopes were unused and unnecessarily broadened the OAuth permission surface.

Key changes

  • Clear unused user scopes from Slack app manifest — Empties the user scopes array in slack-app-manifest.json, removing users:read and users:read.email which were not consumed by any work-app code path.

Summary | 2 files | 1 commit | base: main ← fix/remove-slack-user-scopes

Before: The Slack app manifest requested users:read and users:read.email user scopes during OAuth.
After: The user scopes array is empty — only bot scopes are requested.

Requesting fewer OAuth scopes reduces the trust burden on installing workspace admins and aligns the manifest with actual usage (only bot scopes are exercised at runtime).

slack-app-manifest.json

Pullfrog | Triggered by Pullfrog | Using Claude Opus

@pullfrog pullfrog Bot (Contributor) commented Apr 7, 2026

TL;DR — Removes the users:read and users:read.email user scopes from the Slack app manifest, leaving the user scope array empty. These scopes were unused and unnecessary for the Slack Work App's bot-driven functionality.

Key changes

  • Clear unused user scopes from slack-app-manifest.json — Empties the user scopes array, removing users:read and users:read.email that were never exercised by the app.

Summary | 2 files | 2 commits | base: main ← fix/remove-slack-user-scopes

Before: The Slack manifest requested users:read and users:read.email user scopes during OAuth.
After: The user scopes array is empty — no user-token scopes are requested.

User scopes grant permissions on behalf of the installing user rather than the bot. Since the Slack Work App operates entirely through bot-token scopes, these user scopes added unnecessary permission surface without being used.

slack-app-manifest.json · .changeset/firm-tan-rat.md

Pullfrog | Triggered by Pullfrog | Using Claude Opus

@claude claude Bot (Contributor) left a comment

PR Review Summary

(0) Total Issues | Risk: Low

Summary

This PR correctly removes unused OAuth user scopes from the Slack app manifest. The change is safe and appropriate:

What was verified:

  • ✅ The users:read and users:read.email scopes remain in the bot scopes section (lines 66-67), which is what the app actually uses
  • ✅ The codebase only exports BOT_SCOPES via slack-scopes.ts — user scopes were never referenced
  • ✅ All Slack API calls use the bot token (tokenData.access_token), not user tokens
  • ✅ The authed_user.id from OAuth responses is just metadata, not requiring user scopes
  • ✅ Changeset is properly formatted for @inkeep/agents-work-apps patch release

Security benefit: Removing unused OAuth scopes follows the principle of least privilege — the app should only request permissions it actually needs.


✅ APPROVE

Summary: Clean, minimal change that removes unused OAuth scopes. The bot scopes (which are actually used) remain intact. Good housekeeping! 🧹

Reviewers (1)

Reviewer | Returned | Main Findings | Consider | While You're Here | Inline Comments | Pending Recs | Discarded
orchestrator-direct | 0 | 0 | 0 | 0 | 0 | 0 | 0
Total | 0 | 0 | 0 | 0 | 0 | 0 | 0

Note: Direct review by orchestrator — change too minimal to warrant sub-reviewer dispatch.
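Both bot reviews above rest on the same two claims: Slack bot-token scopes and user-token scopes are requested separately in the manifest, and nothing in the work app's code path needs a user token. The following is an added example, not code from the inkeep repository or from this PR, showing how to check those claims mechanically rather than by reading: it audits a constructed manifest against a constructed list of the Slack Web API methods the app calls with each token type, reports scopes that are requested but never needed (and the reverse, needed but not requested), and prunes the unused ones. The manifest shape follows Slack's `oauth_config.scopes.bot` / `oauth_config.scopes.user` layout; the method-to-scope map, the method lists and every function name are assumptions made for the illustration.

```typescript
// Added example, not code from the inkeep repository: audit a Slack app manifest
// for OAuth scopes that no code path exercises, then prune them. The manifest,
// the method lists and the method-to-scope map are constructed for this example;
// the project's real values live in slack-app-manifest.json and slack-scopes.ts.

type ScopeBlock = { bot?: string[]; user?: string[] };
type SlackManifest = { oauth_config?: { scopes?: ScopeBlock } };

// Hypothetical subset of Slack Web API methods and the scope each needs on the
// token that calls it. In a real audit, derive this from the methods the app
// actually invokes rather than hand-maintaining it.
const METHOD_SCOPES: Record<string, string[]> = {
  "users.info": ["users:read"],
  "users.lookupByEmail": ["users:read.email"],
  "chat.postMessage": ["chat:write"],
};

interface ScopeAudit {
  unusedBot: string[];   // requested on the bot token but never needed
  unusedUser: string[];  // requested on the user token but never needed
  missingBot: string[];  // needed by a bot-token call but not requested
  missingUser: string[]; // needed by a user-token call but not requested
}

// Collapse the methods called with one token type into the scopes they need.
function scopesNeeded(methods: string[]): Set<string> {
  const needed = new Set<string>();
  for (const m of methods) {
    for (const scope of METHOD_SCOPES[m] ?? []) needed.add(scope);
  }
  return needed;
}

function auditScopes(
  manifest: SlackManifest,
  botMethods: string[],  // Web API methods called with the bot token
  userMethods: string[], // Web API methods called with a user token
): ScopeAudit {
  const requestedBot = manifest.oauth_config?.scopes?.bot ?? [];
  const requestedUser = manifest.oauth_config?.scopes?.user ?? [];
  const neededBot = scopesNeeded(botMethods);
  const neededUser = scopesNeeded(userMethods);
  return {
    unusedBot: requestedBot.filter((s) => !neededBot.has(s)),
    unusedUser: requestedUser.filter((s) => !neededUser.has(s)),
    missingBot: [...neededBot].filter((s) => !requestedBot.includes(s)),
    missingUser: [...neededUser].filter((s) => !requestedUser.includes(s)),
  };
}

// Copy of the manifest with the unused scopes dropped from each token type.
// Bot scopes that are still exercised survive, so a change like this PR's
// (empty the user array, keep users:read and users:read.email as bot scopes)
// falls out of the audit instead of being hand-edited.
function pruneUnusedScopes(manifest: SlackManifest, audit: ScopeAudit): SlackManifest {
  const bot = (manifest.oauth_config?.scopes?.bot ?? []).filter((s) => !audit.unusedBot.includes(s));
  const user = (manifest.oauth_config?.scopes?.user ?? []).filter((s) => !audit.unusedUser.includes(s));
  return { ...manifest, oauth_config: { ...manifest.oauth_config, scopes: { bot, user } } };
}

// Constructed "before" state: the same two scopes requested on both token types,
// shaped like the oauth_config block of a Slack app manifest.
const BEFORE_MANIFEST: SlackManifest = {
  oauth_config: {
    scopes: {
      bot: ["chat:write", "users:read", "users:read.email"],
      user: ["users:read", "users:read.email"],
    },
  },
};

// Constructed usage: every call the app makes goes through the bot token.
const BOT_METHODS = ["chat.postMessage", "users.info", "users.lookupByEmail"];
const USER_METHODS: string[] = [];

const AUDIT = auditScopes(BEFORE_MANIFEST, BOT_METHODS, USER_METHODS);
const AFTER_MANIFEST = pruneUnusedScopes(BEFORE_MANIFEST, AUDIT);
// AUDIT.unusedUser is ["users:read", "users:read.email"]; every other list is
// empty, and AFTER_MANIFEST keeps all three bot scopes with an empty user array.
```

The audit is two-sided on purpose: the manual reviews above could confirm that the user scopes were unused, but only the `missingBot` check would catch the opposite regression, a bot-token call whose scope a later manifest edit removed. Wiring a check like this into CI, with the method list derived from the Web API calls made through the bot token, keeps the manifest aligned with runtime usage after this PR's one-off cleanup.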

@github-actions github-actions Bot (Contributor) commented Apr 7, 2026

Preview URLs

Use these stable preview aliases for testing this PR:

These point to the same Vercel preview deployment as the bot comment, but they stay stable and easier to find.

Raw Vercel deployment URLs

@miles-kt-inkeep miles-kt-inkeep added this pull request to the merge queue Apr 7, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Apr 7, 2026
@github-actions github-actions Bot (Contributor)

This pull request has been automatically marked as stale because it has not had recent activity.
It will be closed in 7 days if no further activity occurs.

If this PR is still relevant:

  • Rebase it on the latest main branch
  • Add a comment explaining its current status
  • Request a review if it's ready

Thank you for your contributions!

@github-actions github-actions Bot added the stale label Apr 15, 2026
@github-actions github-actions Bot (Contributor)

This pull request has been automatically closed due to inactivity.

If you'd like to continue working on this, please:

  1. Create a new branch from the latest main
  2. Cherry-pick your commits or rebase your changes
  3. Open a new pull request

Thank you for your understanding!

@github-actions github-actions Bot closed this Apr 25, 2026
@github-actions github-actions Bot deleted the fix/remove-slack-user-scopes branch April 25, 2026 00:44
1 participant