@rokrokss/claude-slack-channel 0.3.1 → 0.3.2
- package/bun.lock +10 -10
- package/lib/security.ts +2 -0
- package/package.json +1 -1
- package/server.test.ts +12 -0
- package/server.ts +13 -2
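--- a/package/bun.lock
+++ b/package/bun.lock
@@ -17,9 +17,9 @@
 },
 },
 "packages": {
-"@hono/node-server": ["@hono/node-server@1.19.
+"@hono/node-server": ["@hono/node-server@1.19.13", "", { "peerDependencies": { "hono": "^4" } }, "sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ=="],
 
-"@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.
+"@modelcontextprotocol/sdk": ["@modelcontextprotocol/sdk@1.29.0", "", { "dependencies": { "@hono/node-server": "^1.19.9", "ajv": "^8.17.1", "ajv-formats": "^3.0.1", "content-type": "^1.0.5", "cors": "^2.8.5", "cross-spawn": "^7.0.5", "eventsource": "^3.0.2", "eventsource-parser": "^3.0.0", "express": "^5.2.1", "express-rate-limit": "^8.2.1", "hono": "^4.11.4", "jose": "^6.1.3", "json-schema-typed": "^8.0.2", "pkce-challenge": "^5.0.0", "raw-body": "^3.0.0", "zod": "^3.25 || ^4.0", "zod-to-json-schema": "^3.25.1" }, "peerDependencies": { "@cfworker/json-schema": "^4.1.1" }, "optionalPeers": ["@cfworker/json-schema"] }, "sha512-zo37mZA9hJWpULgkRpowewez1y6ML5GsXJPY8FI0tBBCd77HEvza4jDqRKOXgHNn867PVGCyTdzqpz0izu5ZjQ=="],
 
 "@slack/logger": ["@slack/logger@4.0.1", "", { "dependencies": { "@types/node": ">=18" } }, "sha512-6cmdPrV/RYfd2U0mDGiMK8S7OJqpCTm7enMLRR3edccsPX8j7zXTLnaEF4fhxxJJTAIOil6+qZrnUPTuaLvwrQ=="],
 
@@ -31,7 +31,7 @@
 
 "@types/bun": ["@types/bun@1.3.11", "", { "dependencies": { "bun-types": "1.3.11" } }, "sha512-5vPne5QvtpjGpsGYXiFyycfpDF2ECyPcTSsFBMa0fraoxiQyMJ3SmuQIGhzPg2WJuWxVBoxWJ2kClYTcw/4fAg=="],
 
-"@types/node": ["@types/node@25.5.
+"@types/node": ["@types/node@25.5.2", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-tO4ZIRKNC+MDWV4qKVZe3Ql/woTnmHDr5JD8UI5hn2pwBrHEwOEMZK7WlNb5RKB6EoJ02gwmQS9OrjuFnZYdpg=="],
 
 "@types/retry": ["@types/retry@0.12.0", "", {}, "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA=="],
 
@@ -45,7 +45,7 @@
 
 "asynckit": ["asynckit@0.4.0", "", {}, "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q=="],
 
-"axios": ["axios@1.
+"axios": ["axios@1.15.0", "", { "dependencies": { "follow-redirects": "^1.15.11", "form-data": "^4.0.5", "proxy-from-env": "^2.1.0" } }, "sha512-wWyJDlAatxk30ZJer+GeCWS209sA42X+N5jU2jy6oHTp7ufw8uzUTVFBX9+wTfAlhiJXGS0Bq7X6efruWjuK9Q=="],
 
 "body-parser": ["body-parser@2.2.2", "", { "dependencies": { "bytes": "^3.1.2", "content-type": "^1.0.5", "debug": "^4.4.3", "http-errors": "^2.0.0", "iconv-lite": "^0.7.0", "on-finished": "^2.4.1", "qs": "^6.14.1", "raw-body": "^3.0.1", "type-is": "^2.0.1" } }, "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA=="],
 
@@ -59,7 +59,7 @@
 
 "combined-stream": ["combined-stream@1.0.8", "", { "dependencies": { "delayed-stream": "~1.0.0" } }, "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg=="],
 
-"content-disposition": ["content-disposition@1.0
+"content-disposition": ["content-disposition@1.1.0", "", {}, "sha512-5jRCH9Z/+DRP7rkvY83B+yGIGX96OYdJmzngqnw2SBSxqCFPd0w2km3s5iawpGX8krnwSGmF0FW5Nhr0Hfai3g=="],
 
 "content-type": ["content-type@1.0.5", "", {}, "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA=="],
 
@@ -103,7 +103,7 @@
 
 "express": ["express@5.2.1", "", { "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", "content-disposition": "^1.0.0", "content-type": "^1.0.5", "cookie": "^0.7.1", "cookie-signature": "^1.2.1", "debug": "^4.4.0", "depd": "^2.0.0", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "finalhandler": "^2.1.0", "fresh": "^2.0.0", "http-errors": "^2.0.0", "merge-descriptors": "^2.0.0", "mime-types": "^3.0.0", "on-finished": "^2.4.1", "once": "^1.4.0", "parseurl": "^1.3.3", "proxy-addr": "^2.0.7", "qs": "^6.14.0", "range-parser": "^1.2.1", "router": "^2.2.0", "send": "^1.1.0", "serve-static": "^2.2.0", "statuses": "^2.0.1", "type-is": "^2.0.1", "vary": "^1.1.2" } }, "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw=="],
 
-"express-rate-limit": ["express-rate-limit@8.3.
+"express-rate-limit": ["express-rate-limit@8.3.2", "", { "dependencies": { "ip-address": "10.1.0" }, "peerDependencies": { "express": ">= 4.11" } }, "sha512-77VmFeJkO0/rvimEDuUC5H30oqUC4EyOhyGccfqoLebB0oiEYfM7nwPrsDsBL1gsTpwfzX8SFy2MT3TDyRq+bg=="],
 
 "fast-deep-equal": ["fast-deep-equal@3.1.3", "", {}, "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q=="],
 
@@ -133,7 +133,7 @@
 
 "hasown": ["hasown@2.0.2", "", { "dependencies": { "function-bind": "^1.1.2" } }, "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ=="],
 
-"hono": ["hono@4.12.
+"hono": ["hono@4.12.12", "", {}, "sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q=="],
 
 "http-errors": ["http-errors@2.0.1", "", { "dependencies": { "depd": "~2.0.0", "inherits": "~2.0.4", "setprototypeof": "~1.2.0", "statuses": "~2.0.2", "toidentifier": "~1.0.1" } }, "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ=="],
 
@@ -193,7 +193,7 @@
 
 "path-key": ["path-key@3.1.1", "", {}, "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q=="],
 
-"path-to-regexp": ["path-to-regexp@8.4.
+"path-to-regexp": ["path-to-regexp@8.4.2", "", {}, "sha512-qRcuIdP69NPm4qbACK+aDogI5CBDMi1jKe0ry5rSQJz8JVLsC7jV8XpiJjGRLLol3N+R5ihGYcrPLTno6pAdBA=="],
 
 "pkce-challenge": ["pkce-challenge@5.0.1", "", {}, "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ=="],
 
@@ -201,7 +201,7 @@
 
 "proxy-from-env": ["proxy-from-env@2.1.0", "", {}, "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA=="],
 
-"qs": ["qs@6.15.
+"qs": ["qs@6.15.1", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-6YHEFRL9mfgcAvql/XhwTvf5jKcOiiupt2FiJxHkiX1z4j7WL8J/jRHYLluORvc1XxB5rV20KoeK00gVJamspg=="],
 
 "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="],
 
@@ -227,7 +227,7 @@
 
 "side-channel": ["side-channel@1.1.0", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.3", "side-channel-list": "^1.0.0", "side-channel-map": "^1.0.1", "side-channel-weakmap": "^1.0.2" } }, "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw=="],
 
-"side-channel-list": ["side-channel-list@1.0.
+"side-channel-list": ["side-channel-list@1.0.1", "", { "dependencies": { "es-errors": "^1.3.0", "object-inspect": "^1.13.4" } }, "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w=="],
 
 "side-channel-map": ["side-channel-map@1.0.1", "", { "dependencies": { "call-bound": "^1.0.2", "es-errors": "^1.3.0", "get-intrinsic": "^1.2.5", "object-inspect": "^1.13.3" } }, "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA=="],
 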
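--- a/package/lib/security.ts
+++ b/package/lib/security.ts
@@ -1,8 +1,10 @@
 export function assertOutboundAllowed(
 chatId: string,
 deliveredChannels: ReadonlySet<string>,
+allowedOutbound?: ReadonlySet<string>,
 ): void {
 if (deliveredChannels.has(chatId)) return
+if (allowedOutbound?.has(chatId)) return
 throw new Error(
 `Outbound gate: channel ${chatId} has not received any inbound messages.`,
 )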
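Review bot: The thrown message still says the channel "has not received any inbound messages", but after this change a rejection also means the ID is absent from `allowedOutbound`, so an operator reading the error sees only half of the reason. Consider ``Outbound gate: channel ${chatId} has not received any inbound messages and is not in the outbound allowlist.``; the tests shown match only the `'Outbound gate'` prefix, so they would keep passing. The function also has no doc comment: it should state that `allowedOutbound` is a standing exception to the inbound-first rule, so every ID in it is a destination the server will post to even when nothing has arrived from it in the current session. The function's closing brace lies outside the hunk.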
package/package.json
CHANGED
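--- a/package/server.test.ts
+++ b/package/server.test.ts
@@ -183,6 +183,18 @@ describe('assertOutboundAllowed', () => {
 const delivered = new Set(['D_DIFFERENT'])
 expect(() => assertOutboundAllowed('C_ATTACKER', delivered)).toThrow('Outbound gate')
 })
+
+test('allows pre-authorized outbound channels', () => {
+const delivered = new Set<string>()
+const allowed = new Set(['D_PREAUTH'])
+expect(() => assertOutboundAllowed('D_PREAUTH', delivered, allowed)).not.toThrow()
+})
+
+test('blocks channels not in allowedOutbound', () => {
+const delivered = new Set<string>()
+const allowed = new Set(['D_OTHER'])
+expect(() => assertOutboundAllowed('C_RANDO', delivered, allowed)).toThrow('Outbound gate')
+})
 })
 
 // ---------------------------------------------------------------------------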
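Review bot: Neither added test pins the empty-allowlist case, which is what server.ts passes whenever `SLACK_ALLOW_OUTBOUND` is unset or blank, so a regression that treated an empty set as "allow everything" would still pass this suite. Add `expect(() => assertOutboundAllowed('C_RANDO', new Set<string>(), new Set<string>())).toThrow('Outbound gate')` next to the 'blocks channels not in allowedOutbound' test. The enclosing `describe('assertOutboundAllowed', …)` block starts outside the hunk.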
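--- a/package/server.ts
+++ b/package/server.ts
@@ -106,6 +106,17 @@ const access: Access = { allowFrom: allowFromList, ackReaction, botOwner }
 // Security — outbound gate
 // ---------------------------------------------------------------------------
 
+// Pre-authorized outbound targets (channel/user IDs from SLACK_ALLOW_OUTBOUND)
+const allowedOutbound = new Set<string>(
+(process.env['SLACK_ALLOW_OUTBOUND'] || '')
+.split(',')
+.map(s => s.trim())
+.filter(Boolean),
+)
+if (allowedOutbound.size > 0) {
+console.error(`[slack] allowedOutbound: ${[...allowedOutbound].join(', ')}`)
+}
+
 // Track channels that passed inbound gate (session-lifetime cache)
 const deliveredChannels = new Set<string>()
 
@@ -118,7 +129,7 @@ const dedup = new EventDeduplicator()
 const lastInboundMessageId = new Map<string, string>()
 
 function assertOutboundAllowed(chatId: string): void {
-libAssertOutboundAllowed(chatId, deliveredChannels)
+libAssertOutboundAllowed(chatId, deliveredChannels, allowedOutbound)
 }
 
 // ---------------------------------------------------------------------------
@@ -160,7 +171,7 @@ async function resolveUserName(userId: string): Promise<string> {
 // ---------------------------------------------------------------------------
 
 const mcp = new McpServer(
-{ name: 'slack-channel', version: '0.3.
+{ name: 'slack-channel', version: '0.3.2' },
 {
 capabilities: {
 experimental: {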
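Review bot: Entries from `SLACK_ALLOW_OUTBOUND` enter `allowedOutbound` after only `trim()` and an emptiness filter, so a mistyped or malformed ID is accepted silently, and every accepted ID bypasses the inbound gate for the whole life of the process. Because the outbound gate is what bounds where a session can post, it would be safer to check each entry against the expected Slack ID shape and log the ones that are dropped, for example `.filter(id => /^[CDGUW][A-Z0-9]+$/.test(id))` (pattern assumed from Slack's usual ID format; confirm it against the IDs this server actually handles). The comment above the `allowedOutbound` declaration should also say that listed IDs are reachable without any prior inbound message, so the list is best kept as short as the deployment allows.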