typeclaw 0.16.0 → 0.18.0

package/src/channels/adapters/github/auth.ts

@@ -3,15 +3,30 @@ import type { GithubAppAuthBlock, GithubPatAuthBlock } from '@/secrets/schema'
 import { AppAuthStrategy } from './auth-app'
 import { PatAuthStrategy } from './auth-pat'
 
+// Repo identity threaded through every auth call so App auth can pick the
+// correct installation. `repoSlug` is the canonical input ("owner/name"); App
+// auth resolves it to an installation via GET /repos/{owner}/{repo}/installation
+// and caches the result. PAT auth ignores it entirely. Omitted context means
+// "no specific repo" — App auth then falls back to a single discoverable
+// installation (and errors if the App spans multiple installations).
+export type GithubAuthContext = {
+  repoSlug?: string
+  // Org login, for operations that aren't repo-scoped (e.g. team-membership
+  // lookups under GET /orgs/{org}/...). App auth resolves it to an
+  // installation via GET /orgs/{org}/installation. Ignored when repoSlug is set.
+  owner?: string
+}
+
 export type GithubAuthStrategy = {
-  token: () => Promise<string>
-  authHeaders: () => Promise<HeadersInit>
+  token: (context?: GithubAuthContext) => Promise<string>
+  authHeaders: (context?: GithubAuthContext) => Promise<HeadersInit>
   getSelf: () => Promise<GithubSelfUser>
   // App-only: returns the installation's granted-permissions map and declared
   // events so the adapter can preflight against the configured eventAllowlist
   // before any webhook arrives. PATs return access via token scopes, not an
-  // installation grant, so they leave this undefined.
-  getInstallationGrants?: () => Promise<GithubInstallationGrants>
+  // installation grant, so they leave this undefined. Context selects which
+  // installation to inspect when the App spans multiple owners.
+  getInstallationGrants?: (context?: GithubAuthContext) => Promise<GithubInstallationGrants>
   dispose: () => Promise<void>
 }
 
@@ -36,7 +51,6 @@ export function buildAuthStrategy(options: {
       return new AppAuthStrategy({
         appId: options.auth.appId,
         privateKey: options.auth.privateKey,
-        installationId: options.auth.installationId,
         fetchImpl: options.fetchImpl,
       })
   }

package/src/channels/adapters/github/channel-resolver.ts

@@ -1,10 +1,11 @@
 import type { ChannelNameResolver, ResolvedChannelNames } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseChat, parseRepo } from './outbound'
 
 export function createGithubChannelNameResolver(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): ChannelNameResolver {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -18,7 +19,7 @@ export function createGithubChannelNameResolver(options: {
     const path = chat.kind === 'issue' ? `issues/${chat.number}` : `pulls/${chat.number}`
     try {
       const response = await fetchImpl(`${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/${path}`, {
-        headers: githubJsonHeaders(await options.token()),
+        headers: githubJsonHeaders(await options.token({ repoSlug: key.workspace })),
       })
       if (!response.ok) return names
       const raw = (await response.json()) as { title?: string }

package/src/channels/adapters/github/history.ts

@@ -1,10 +1,11 @@
 import type { ChannelHistoryMessage, FetchHistoryArgs, FetchHistoryResult, HistoryCallback } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseChat, parseRepo } from './outbound'
 
 export function createGithubHistoryCallback(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   workspaceForChat: (chat: string) => string | null
   fetchImpl?: typeof fetch
 }): HistoryCallback {
@@ -26,7 +27,7 @@ export function createGithubHistoryCallback(options: {
       const response = await fetchImpl(
         `${endpoint}?per_page=${Math.min(Math.max(args.limit, 1), 100)}&direction=desc${cursor}`,
         {
-          headers: githubJsonHeaders(await options.token()),
+          headers: githubJsonHeaders(await options.token({ repoSlug: workspace })),
         },
       )
       if (!response.ok) return { ok: false, error: `GitHub history ${response.status}` }

package/src/channels/adapters/github/index.ts

@@ -3,7 +3,7 @@ import type { ChannelAdapterConfig, GithubAdapterConfig } from '@/channels/schem
 import { resolveSecret } from '@/secrets/resolve'
 import type { GithubSecretsBlock } from '@/secrets/schema'
 
-import { buildAuthStrategy } from './auth'
+import { buildAuthStrategy, type GithubAuthContext } from './auth'
 import { createGithubChannelNameResolver } from './channel-resolver'
 import { createDeliveryDedup } from './dedup'
 import { findPermissionGaps } from './event-permissions'
@@ -99,29 +99,30 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
     workspaceByChat.set(chat, workspace)
   }
 
-  const tokenFn = async () => {
-    const t = await auth.token()
-    process.env.GH_TOKEN = t
-    return t
-  }
+  // Repo/owner-aware token resolver. A single GitHub App can span multiple
+  // installations (one per owner); each consumer passes its repo/owner so the
+  // right installation token is minted. Unlike the old single-token path, this
+  // does NOT mutate process.env.GH_TOKEN — that global is seeded separately and
+  // only when exactly one installation applies (see seedGhTokenIfSingle).
+  const authToken = (context?: GithubAuthContext) => auth.token(context)
   const outbound = createGithubOutboundCallback({
-    token: tokenFn,
+    token: authToken,
     authType: options.secrets.auth.type,
     logger,
     fetchImpl,
   })
   const history = createGithubHistoryCallback({
-    token: tokenFn,
+    token: authToken,
     fetchImpl,
     workspaceForChat: (chat) => workspaceByChat.get(chat) ?? null,
   })
-  const membership = createGithubMembershipResolver({ token: tokenFn, fetchImpl })
-  const channelNameResolver = createGithubChannelNameResolver({ token: tokenFn, fetchImpl })
+  const membership = createGithubMembershipResolver({ token: authToken, fetchImpl })
+  const channelNameResolver = createGithubChannelNameResolver({ token: authToken, fetchImpl })
   const fetchAttachment = createGithubFetchAttachmentCallback()
   // No-op typing callback: GitHub has no typing indicator API.
   const typing = async (): Promise<void> => {}
   const dedup = createDeliveryDedup()
-  const isBotInTeam = createTeamMembershipChecker({ token: tokenFn, fetchImpl })
+  const isBotInTeam = createTeamMembershipChecker({ token: authToken, fetchImpl })
   const handler = createGithubWebhookHandler({
     webhookSecret,
     dedup,
@@ -174,35 +175,48 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
         selfLogin = null
         throw err
       }
-      // Seed GH_TOKEN so `gh` CLI calls in the container are pre-authenticated.
-      // tokenFn keeps it current on every adapter API call; App tokens refresh
-      // automatically when within 5 minutes of expiry.
-      process.env.GH_TOKEN = await auth.token()
       started = true
-      // Keep GH_TOKEN warm even when the adapter is only receiving inbound
-      // webhooks and not making outbound API calls. This prevents `gh` CLI
-      // calls from the agent from failing with 401 after the token expires.
-      const tokenRefreshIntervalMs = options.tokenRefreshIntervalMs ?? DEFAULT_TOKEN_REFRESH_INTERVAL_MS
-      if (tokenRefreshIntervalMs > 0) {
-        const refresh = () => {
-          tokenFn().catch((err) => {
-            logger.error(`[github] periodic token refresh failed: ${err instanceof Error ? err.message : String(err)}`)
-          })
+      // GH_TOKEN is a single process-wide env var the container's `gh` CLI
+      // reads, but a GitHub App spanning multiple owners has no single correct
+      // token. Seed/refresh it only when exactly one repo is configured (PAT,
+      // or App with one unambiguous installation). With multiple repos we skip
+      // the global seed: ad-hoc `gh` calls must target a specific repo, and the
+      // adapter's own API calls always resolve a repo-scoped token via authToken.
+      const ghTokenRepo = ghTokenSeedRepo(options.configRef().repos ?? [])
+      const seedGhToken = async (): Promise<void> => {
+        process.env.GH_TOKEN = await auth.token(ghTokenRepo === null ? undefined : { repoSlug: ghTokenRepo })
+      }
+      if (ghTokenRepo !== null || options.secrets.auth.type === 'pat') {
+        await seedGhToken()
+        const tokenRefreshIntervalMs = options.tokenRefreshIntervalMs ?? DEFAULT_TOKEN_REFRESH_INTERVAL_MS
+        if (tokenRefreshIntervalMs > 0) {
+          const refresh = () => {
+            seedGhToken().catch((err) => {
+              logger.error(
+                `[github] periodic token refresh failed: ${err instanceof Error ? err.message : String(err)}`,
+              )
+            })
+          }
+          const setIntervalFn =
+            options.setInterval ??
+            ((handler: () => void, ms: number) => {
+              const timer = setInterval(handler, ms)
+              return { clear: () => clearInterval(timer) }
+            })
+          tokenRefreshTimer = setIntervalFn(refresh, tokenRefreshIntervalMs)
         }
-        const setIntervalFn =
-          options.setInterval ??
-          ((handler: () => void, ms: number) => {
-            const timer = setInterval(handler, ms)
-            return { clear: () => clearInterval(timer) }
-          })
-        tokenRefreshTimer = setIntervalFn(refresh, tokenRefreshIntervalMs)
+      } else {
+        logger.info(
+          '[github] multiple repos configured across possibly-different owners; GH_TOKEN not seeded globally. ' +
+            'Ad-hoc `gh` commands should set a repo-scoped token explicitly.',
+        )
       }
       logger.info(`[github] webhook listening on port ${options.configRef().webhookPort} as @${self.login}`)
       // Best-effort: App-only preflight that compares the installation's granted
       // permissions against the configured eventAllowlist and warns about gaps.
       // Catches the most common misconfiguration (App installed with the default
       // metadata-only permission set) before any event fires a 403.
-      await runAppPermissionPreflight(logger, auth, options.configRef().eventAllowlist)
+      await runAppPermissionPreflight(logger, auth, options.configRef().eventAllowlist, options.configRef().repos ?? [])
       // Repository webhook registration is best-effort: failures are logged
       // per-repo, the adapter stays up. A misconfigured PAT or App that
       // can't manage hooks must not prevent the adapter from accepting
@@ -225,6 +239,9 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
         })
       } else if (repos.length > 0) {
         const legacyProviderHostSuffix = detectLegacyProviderHostSuffix(effectiveUrl)
+        logger.info(
+          `[github] registering webhook for ${repos.length} repo(s) [${repos.join(', ')}] -> ${effectiveUrl} (events: ${cfg.eventAllowlist.join(', ')})`,
+        )
         if (webhookRegistrationDelayMs > 0) {
           logger.info(
             `[github] waiting ${webhookRegistrationDelayMs}ms before registering webhook so the Cloudflare edge can warm up`,
@@ -232,7 +249,7 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
           await sleep(webhookRegistrationDelayMs)
         }
         const registration = await registerGithubWebhooks({
-          token: tokenFn,
+          token: (repoSlug: string) => auth.token({ repoSlug }),
           webhookUrl: effectiveUrl,
           webhookSecret,
           repos,
@@ -263,7 +280,7 @@ export function createGithubAdapter(options: GithubAdapterOptions): GithubAdapte
       // last to clear the cached App-installation token.
       if (managedHooks.length > 0) {
         const deregistration = await deregisterGithubWebhooks({
-          token: tokenFn,
+          token: (repoSlug: string) => auth.token({ repoSlug }),
           hooks: managedHooks,
           fetchImpl,
         })
@@ -367,18 +384,36 @@ async function runAppPermissionPreflight(
   logger: GithubAdapterLogger,
   auth: ReturnType<typeof buildAuthStrategy>,
   eventAllowlist: readonly string[],
+  repos: readonly string[],
 ): Promise<void> {
   if (auth.getInstallationGrants === undefined) return
-  let grants
-  try {
-    grants = await auth.getInstallationGrants()
-  } catch (err) {
-    logger.warn(`[github] permission preflight skipped: ${err instanceof Error ? err.message : String(err)}`)
-    return
+  const getGrants = (context: GithubAuthContext | undefined) => auth.getInstallationGrants?.(context)
+  // One grants check per distinct owner: installations are owner-scoped, so
+  // repos sharing an owner share an installation. The first repo per owner is
+  // the resolution key. With no repos, fall back to a single context-free check.
+  const reposByOwner = new Map<string, string>()
+  for (const repo of repos) {
+    const owner = repo.split('/')[0]
+    if (owner !== undefined && owner !== '' && !reposByOwner.has(owner)) reposByOwner.set(owner, repo)
+  }
+  const contexts: Array<{ label: string; context: { repoSlug: string } | undefined }> =
+    reposByOwner.size === 0
+      ? [{ label: 'app', context: undefined }]
+      : [...reposByOwner.values()].map((repo) => ({ label: repo, context: { repoSlug: repo } }))
+  for (const { label, context } of contexts) {
+    let grants
+    try {
+      grants = await getGrants(context)
+    } catch (err) {
+      logger.warn(
+        `[github] permission preflight skipped for ${label}: ${err instanceof Error ? err.message : String(err)}`,
+      )
+      continue
+    }
+    if (grants === undefined) continue
+    const gaps = findPermissionGaps(eventAllowlist, grants.permissions)
+    if (gaps.length > 0) logger.warn(buildAppPermissionPreflightGuidance(gaps))
   }
-  const gaps = findPermissionGaps(eventAllowlist, grants.permissions)
-  if (gaps.length === 0) return
-  logger.warn(buildAppPermissionPreflightGuidance(gaps))
 }
 
 function logDeregistrationOutcome(
@@ -392,6 +427,13 @@ function logDeregistrationOutcome(
   }
 }
 
+// Two repos under the same owner share an installation and could in principle
+// share a global GH_TOKEN, but the marginal value doesn't justify the special
+// case — only a single configured repo yields an unambiguous seed.
+function ghTokenSeedRepo(repos: readonly string[]): string | null {
+  return repos.length === 1 ? (repos[0] ?? null) : null
+}
+
 function defaultSleep(ms: number): Promise<void> {
   return new Promise((resolve) => setTimeout(resolve, ms))
 }

package/src/channels/adapters/github/membership.ts

@@ -1,10 +1,11 @@
 import type { MembershipResolver, MembershipResolverResult } from '@/channels/membership'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import { parseRepo } from './outbound'
 
 export function createGithubMembershipResolver(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): MembershipResolver {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -16,7 +17,7 @@ export function createGithubMembershipResolver(options: {
       const response = await fetchImpl(
         `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/collaborators?per_page=100`,
         {
-          headers: githubJsonHeaders(await options.token()),
+          headers: githubJsonHeaders(await options.token({ repoSlug: key.workspace })),
         },
       )
       if (!response.ok) return response.status >= 500 ? { kind: 'transient' } : { kind: 'permanent' }

package/src/channels/adapters/github/outbound.ts

@@ -1,5 +1,6 @@
 import type { OutboundCallback, OutboundMessage, SendResult } from '@/channels/types'
 
+import type { GithubAuthContext } from './auth'
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 import {
   buildOutboundPermissionGuidance,
@@ -11,7 +12,7 @@ import {
 export type GithubOutboundLogger = { info: (m: string) => void; warn: (m: string) => void; error: (m: string) => void }
 
 export function createGithubOutboundCallback(deps: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   authType: GithubAuthType
   logger: GithubOutboundLogger
   fetchImpl?: typeof fetch
@@ -28,9 +29,12 @@ export function createGithubOutboundCallback(deps: {
     const target = parseChat(msg.chat)
     if (target === null) return { ok: false, error: `invalid GitHub chat: ${msg.chat}` }
 
+    const token = () => deps.token({ repoSlug: msg.workspace })
+
     if (target.kind === 'discussion') {
       return await postDiscussionComment({
         ...deps,
+        token,
         fetchImpl,
         repo,
         discussionNumber: target.number,
@@ -44,7 +48,7 @@ export function createGithubOutboundCallback(deps: {
       : `${GITHUB_API_BASE}/repos/${repo.owner}/${repo.name}/issues/${target.number}/comments`
     return await postJson(
       fetchImpl,
-      await deps.token(),
+      await token(),
       endpoint,
       { body },
       {

package/src/channels/adapters/github/team-membership.ts

@@ -7,12 +7,14 @@
 // request rebuilds it). Errors fall closed (return false): we'd rather drop
 // a real review request than wake the agent on a team the bot isn't in.
 
+import type { GithubAuthContext } from './auth'
+
 const ACTIVE_MEMBERSHIP_STATE = 'active'
 
 export type TeamMembershipChecker = (input: { org: string; slug: string; login: string }) => Promise<boolean>
 
 export function createTeamMembershipChecker(options: {
-  token: () => Promise<string>
+  token: (context?: GithubAuthContext) => Promise<string>
   fetchImpl?: typeof fetch
 }): TeamMembershipChecker {
   const fetchImpl = options.fetchImpl ?? fetch
@@ -23,7 +25,7 @@ export function createTeamMembershipChecker(options: {
     const cached = cache.get(key)
     if (cached !== undefined) return cached
 
-    const result = await lookup(fetchImpl, await options.token(), org, slug, login)
+    const result = await lookup(fetchImpl, await options.token({ owner: org }), org, slug, login)
     cache.set(key, result)
     return result
   }

package/src/channels/adapters/github/webhook-register.ts

@@ -1,7 +1,10 @@
 import { GITHUB_API_BASE, githubJsonHeaders } from './auth-pat'
 
 export type RegisterGithubWebhooksOptions = {
-  token: () => Promise<string>
+  // Resolves an installation token scoped to the given "owner/name" repo. A
+  // single GitHub App may span multiple owners (separate installations), so
+  // each repo's hook must be created/listed with that repo's own token.
+  token: (repoSlug: string) => Promise<string>
   webhookUrl: string
   webhookSecret: string
   repos: readonly string[]
@@ -51,22 +54,22 @@ export async function registerGithubWebhooks(
   options: RegisterGithubWebhooksOptions,
 ): Promise<WebhookRegistrationResult> {
   const fetchImpl = options.fetchImpl ?? fetch
-  let token: string
-  try {
-    token = await options.token()
-  } catch (err) {
-    const error = describe(err)
-    return { repos: options.repos.map((repo) => ({ repo, action: 'failed' as const, error })) }
-  }
   const repos: WebhookRepoResult[] = []
   for (const repo of options.repos) {
+    let token: string
+    try {
+      token = await options.token(repo)
+    } catch (err) {
+      repos.push({ repo, action: 'failed', error: describe(err) })
+      continue
+    }
     repos.push(await registerOne(fetchImpl, token, repo, options))
   }
   return { repos }
 }
 
 export type DeregisterGithubWebhooksOptions = {
-  token: () => Promise<string>
+  token: (repoSlug: string) => Promise<string>
   hooks: ReadonlyArray<{ repo: string; hookId: number }>
   fetchImpl?: typeof fetch
 }
@@ -79,15 +82,15 @@ export async function deregisterGithubWebhooks(
   options: DeregisterGithubWebhooksOptions,
 ): Promise<WebhookDeregistrationResult> {
   const fetchImpl = options.fetchImpl ?? fetch
-  let token: string
-  try {
-    token = await options.token()
-  } catch (err) {
-    const error = describe(err)
-    return { hooks: options.hooks.map((h) => ({ ...h, action: 'failed', error })) }
-  }
   const hooks: WebhookDeregistrationResult['hooks'] = []
   for (const hook of options.hooks) {
+    let token: string
+    try {
+      token = await options.token(hook.repo)
+    } catch (err) {
+      hooks.push({ ...hook, action: 'failed', error: describe(err) })
+      continue
+    }
     hooks.push(await deleteOne(fetchImpl, token, hook))
   }
   return { hooks }

package/src/channels/adapters/slack-bot-slash-commands.ts

@@ -1,5 +1,6 @@
 import type { SlackSocketModeSlashCommandArgs } from 'agent-messenger/slackbot'
 
+import type { ExecuteCommandResult } from '@/channels/router'
 import type { ChannelKey } from '@/channels/types'
 
 // Slack channel ids: 'C' = public, 'G' = private/legacy multi-party DM,
@@ -64,13 +65,87 @@ export function parseSlashCommand(
   }
 }
 
+// Slack blocks native slash commands inside threads ("/stop is not supported
+// in threads. Sorry!"), so the only way to abort a thread-scoped turn from
+// inside that thread is a normal message. We recognise a leading `!` as an
+// alternate command prefix and route it through the same router.executeCommand
+// path as native slashes. The guard is strict: only a first token that resolves
+// to a known command name is rewritten, so casual messages like "!nice work"
+// pass through untouched as regular agent input.
+//
+// Unlike native slash payloads (which never carry a thread and rely on the
+// router's workspace+chat fallback), a thread message carries `thread_ts`,
+// letting us target the exact thread session and skip the ambiguous-match case
+// entirely.
+export const THREAD_COMMAND_PREFIX = '!'
+
+export type ThreadCommandInput = {
+  text: string
+  channel: string
+  threadTs: string | null
+  isDm: boolean
+  teamId: string
+  invokerId: string
+}
+
+export type ParseThreadCommandResult =
+  | { kind: 'parsed'; command: ParsedSlackSlashCommand }
+  | { kind: 'ignore'; reason: 'no-prefix' | 'unknown-command' }
+
+// Both ignore reasons (`no-prefix`, `unknown-command`) are non-fatal: the
+// caller lets the message flow through as ordinary agent input.
+export function parseThreadCommand(
+  input: ThreadCommandInput,
+  knownCommands: ReadonlySet<string>,
+): ParseThreadCommandResult {
+  const trimmed = input.text.trimStart()
+  if (!trimmed.startsWith(THREAD_COMMAND_PREFIX)) {
+    return { kind: 'ignore', reason: 'no-prefix' }
+  }
+  const firstToken = trimmed.slice(THREAD_COMMAND_PREFIX.length).split(/\s/, 1)[0] ?? ''
+  const name = firstToken.toLowerCase()
+  if (name === '' || !knownCommands.has(name)) {
+    return { kind: 'ignore', reason: 'unknown-command' }
+  }
+
+  const workspace = input.isDm ? '@dm' : input.teamId
+  return {
+    kind: 'parsed',
+    command: {
+      name,
+      key: { adapter: 'slack-bot', workspace, chat: input.channel, thread: input.threadTs },
+      invokerId: input.invokerId,
+    },
+  }
+}
+
 export const SLACK_SLASH_REPLY_ABORTED = 'Stopped the current turn.'
 export const SLACK_SLASH_REPLY_NO_LIVE_SESSION = 'Nothing to stop — no active turn in this channel.'
 export const SLACK_SLASH_REPLY_FAILED = 'Could not stop the current turn (internal error).'
 export const SLACK_SLASH_REPLY_PERMISSION_DENIED =
   'You do not have permission to stop the current turn in this channel.'
+// Native slash commands cannot be invoked from a thread, so the only way to
+// disambiguate is the `!stop` thread-message fallback — advise that, not the
+// impossible `/stop`-in-thread.
 export const SLACK_SLASH_REPLY_AMBIGUOUS =
-  'Multiple active turns in this channel. Reply `/stop` from inside the specific thread you want to stop.'
+  'Multiple active turns in this channel. Reply `!stop` inside the specific thread you want to stop.'
+
+// Single outcome→reply mapping shared by the native-slash (ack payload) and
+// `!cmd` thread (postMessage) delivery paths so the two never drift.
+export function commandResultReply(result: ExecuteCommandResult): string {
+  switch (result.kind) {
+    case 'handled':
+      return SLACK_SLASH_REPLY_ABORTED
+    case 'no-live-session':
+      return SLACK_SLASH_REPLY_NO_LIVE_SESSION
+    case 'permission-denied':
+      return SLACK_SLASH_REPLY_PERMISSION_DENIED
+    case 'ambiguous':
+      return SLACK_SLASH_REPLY_AMBIGUOUS
+    case 'unknown-command':
+      return SLACK_SLASH_REPLY_FAILED
+  }
+}
 
 // Slack's ack callback accepts an optional response payload that becomes
 // the user-visible reply. `response_type: 'ephemeral'` keeps the reply