Add Slack text snippet input for larger content (#3)

Enable users to send text snippets and file uploads to Silverback
as input, bypassing the 4000-char Slack message limit. Files are
downloaded via Slack API, filtered to text-compatible mimetypes,
and combined with message text using XML-style prompt delimiters.

- Add file-downloader utility with SSRF defense, 100KB limit
- Add prompt-builder to combine text + file content
- Allow file_share subtype through message handler
- Wire file download into both mention and message handlers
- Add files:read and files:write OAuth scopes to manifest
- Add graceful degradation when files:read scope is missing
- Add 12 tests for file-downloader

Co-authored-by: Claude Bot <claude-bot@users.noreply.github.com>

Author: rossnelson

manifest.yaml

@@ -81,6 +81,8 @@ oauth_config:
       - channels:read
       - chat:write
       - commands
+      - files:read
+      - files:write
       - groups:read
       - incoming-webhook
       - users:read

src/bot/events/mention.ts

@@ -1,21 +1,35 @@
 import { App } from '@slack/bolt';
 import { RequestQueue } from '../../queue/request-queue';
 import { Logger } from '../../logging/logger';
+import { downloadTextFiles, SlackFileInfo } from '../utils/file-downloader';
+import { buildPrompt } from '../utils/prompt-builder';
 
 const logger = new Logger('mention-handler');
 
-export function registerMentionHandler(app: App, queue: RequestQueue): void {
+export function registerMentionHandler(app: App, queue: RequestQueue, botToken: string): void {
   app.event('app_mention', async ({ event, client, say }) => {
-    const prompt = event.text.replace(/<@[A-Z0-9]+>/g, '').trim();
+    const textPrompt = event.text.replace(/<@[A-Z0-9]+>/g, '').trim();
 
-    if (!prompt) {
+    // Extract files if present
+    const files: SlackFileInfo[] = 'files' in event && Array.isArray((event as any).files)
+      ? (event as any).files
+      : [];
+
+    if (!textPrompt && files.length === 0) {
       await say({ text: 'Please provide a task description after mentioning me.', thread_ts: event.ts });
       return;
     }
 
     const threadTs = event.thread_ts || event.ts;
 
-    logger.info('Received mention', { user: event.user, channel: event.channel, threadTs });
+    // Download text files if present
+    let prompt = textPrompt;
+    if (files.length > 0 && botToken) {
+      const downloaded = await downloadTextFiles(files, botToken);
+      prompt = buildPrompt(textPrompt, downloaded);
+    }
+
+    logger.info('Received mention', { user: event.user, channel: event.channel, threadTs, fileCount: files.length });
 
     const entry = await queue.enqueue({
       threadId: threadTs as string,

src/bot/events/message.ts

@@ -2,37 +2,51 @@ import { App } from '@slack/bolt';
 import { RequestQueue } from '../../queue/request-queue';
 import { SessionManager } from '../../orchestrator/session';
 import { Logger } from '../../logging/logger';
+import { downloadTextFiles, SlackFileInfo } from '../utils/file-downloader';
+import { buildPrompt } from '../utils/prompt-builder';
 
 const logger = new Logger('message-handler');
 
-export function registerMessageHandler(app: App, queue: RequestQueue, sessionManager: SessionManager): void {
+export function registerMessageHandler(app: App, queue: RequestQueue, sessionManager: SessionManager, botToken: string): void {
   app.event('message', async ({ event, client }) => {
     // Only handle thread replies
     if (!('thread_ts' in event) || !event.thread_ts) return;
     // Ignore bot messages
     if ('bot_id' in event && event.bot_id) return;
-    // Ignore subtypes (edits, deletes, etc.)
-    if ('subtype' in event && event.subtype) return;
+    // Ignore subtypes (edits, deletes, etc.) but allow file_share
+    if ('subtype' in event && event.subtype && event.subtype !== 'file_share') return;
 
     const threadTs = event.thread_ts;
     const text = 'text' in event ? (event.text || '').trim() : '';
     const userId = 'user' in event ? event.user || '' : '';
     const channelId = event.channel;
 
-    // Ignore empty messages
-    if (!text) return;
+    // Extract files if present
+    const files: SlackFileInfo[] = 'files' in event && Array.isArray((event as any).files)
+      ? (event as any).files
+      : [];
+
+    // Ignore messages with no text and no files
+    if (!text && files.length === 0) return;
 
     // Check if this thread has an active session
     const session = await sessionManager.getSession(threadTs);
     if (!session) return;
 
-    logger.info('Thread reply in active session', { threadTs, userId });
+    // Download text files if present
+    let prompt = text;
+    if (files.length > 0 && botToken) {
+      const downloaded = await downloadTextFiles(files, botToken);
+      prompt = buildPrompt(text, downloaded);
+    }
+
+    logger.info('Thread reply in active session', { threadTs, userId, fileCount: files.length });
 
     const entry = await queue.enqueue({
       threadId: threadTs,
       channelId,
       userId,
-      prompt: text,
+      prompt,
     });
 
     if (entry.position > 0) {

src/bot/utils/__tests__/file-downloader.test.ts

@@ -0,0 +1,209 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { downloadTextFiles, SlackFileInfo } from '../file-downloader';
+
+function createMockFile(overrides: Partial<SlackFileInfo> = {}): SlackFileInfo {
+  return {
+    id: 'F123',
+    name: 'test.txt',
+    filetype: 'txt',
+    mimetype: 'text/plain',
+    url_private_download: 'https://files.slack.com/files-pri/T123/F123/test.txt',
+    size: 100,
+    ...overrides,
+  };
+}
+
+describe('downloadTextFiles', () => {
+  const mockFetch = vi.fn();
+  const botToken = 'xoxb-test-token';
+
+  beforeEach(() => {
+    global.fetch = mockFetch;
+    mockFetch.mockReset();
+  });
+
+  it('downloads a text file successfully', async () => {
+    const file = createMockFile();
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      arrayBuffer: () => Promise.resolve(new TextEncoder().encode('file content').buffer),
+    });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results).toHaveLength(1);
+    expect(results[0]).toEqual({
+      filename: 'test.txt',
+      content: 'file content',
+      truncated: false,
+    });
+    expect(mockFetch).toHaveBeenCalledWith(
+      'https://files.slack.com/files-pri/T123/F123/test.txt',
+      {
+        headers: {
+          Authorization: 'Bearer xoxb-test-token',
+        },
+        redirect: 'error',
+      }
+    );
+  });
+
+  it('filters out non-text files', async () => {
+    const files = [
+      createMockFile({ id: 'F1', mimetype: 'image/png', name: 'image.png' }),
+      createMockFile({ id: 'F2', mimetype: 'video/mp4', name: 'video.mp4' }),
+      createMockFile({ id: 'F3', mimetype: 'application/pdf', name: 'doc.pdf' }),
+    ];
+
+    const results = await downloadTextFiles(files, botToken);
+
+    expect(results).toHaveLength(0);
+    expect(mockFetch).not.toHaveBeenCalled();
+  });
+
+  it('truncates file larger than maxFileBytes and marks it', async () => {
+    const largeContent = 'x'.repeat(200 * 1024); // 200KB
+    const file = createMockFile({ size: 200 * 1024 });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      arrayBuffer: () => Promise.resolve(new TextEncoder().encode(largeContent).buffer),
+    });
+
+    const results = await downloadTextFiles([file], botToken, { maxFileBytes: 100 * 1024 });
+
+    expect(results).toHaveLength(1);
+    expect(results[0].truncated).toBe(true);
+    expect(results[0].content.length).toBeLessThanOrEqual(100 * 1024);
+  });
+
+  it('skips file gracefully when fetch returns non-ok status', async () => {
+    const file = createMockFile();
+    mockFetch.mockResolvedValueOnce({
+      ok: false,
+      status: 404,
+    });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results).toHaveLength(0);
+  });
+
+  it('returns empty array when files array is empty', async () => {
+    const results = await downloadTextFiles([], botToken);
+
+    expect(results).toHaveLength(0);
+    expect(mockFetch).not.toHaveBeenCalled();
+  });
+
+  it('downloads multiple text files and respects maxFiles limit', async () => {
+    const files = [
+      createMockFile({ id: 'F1', name: 'file1.txt' }),
+      createMockFile({ id: 'F2', name: 'file2.json', mimetype: 'application/json' }),
+      createMockFile({ id: 'F3', name: 'file3.xml', mimetype: 'application/xml' }),
+      createMockFile({ id: 'F4', name: 'file4.txt' }),
+      createMockFile({ id: 'F5', name: 'file5.txt' }),
+      createMockFile({ id: 'F6', name: 'file6.txt' }),
+    ];
+
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
+        ok: true,
+        arrayBuffer: () => Promise.resolve(new TextEncoder().encode('content').buffer),
+      })
+    );
+
+    const results = await downloadTextFiles(files, botToken, { maxFiles: 3 });
+
+    expect(results).toHaveLength(3);
+    expect(results[0].filename).toBe('file1.txt');
+    expect(results[1].filename).toBe('file2.json');
+    expect(results[2].filename).toBe('file3.xml');
+    expect(mockFetch).toHaveBeenCalledTimes(3);
+  });
+
+  it('skips file with non-slack.com hostname (SSRF defense)', async () => {
+    const file = createMockFile({
+      url_private_download: 'https://evil.com/malicious.txt',
+    });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results).toHaveLength(0);
+    expect(mockFetch).not.toHaveBeenCalled();
+  });
+
+  it('skips file without url_private_download', async () => {
+    const file = createMockFile({ url_private_download: undefined });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results).toHaveLength(0);
+    expect(mockFetch).not.toHaveBeenCalled();
+  });
+
+  it('continues processing after download failure', async () => {
+    const files = [
+      createMockFile({ id: 'F1', name: 'file1.txt' }),
+      createMockFile({ id: 'F2', name: 'file2.txt' }),
+    ];
+
+    mockFetch
+      .mockRejectedValueOnce(new Error('Network error'))
+      .mockResolvedValueOnce({
+        ok: true,
+        arrayBuffer: () => Promise.resolve(new TextEncoder().encode('success').buffer),
+      });
+
+    const results = await downloadTextFiles(files, botToken);
+
+    expect(results).toHaveLength(1);
+    expect(results[0].filename).toBe('file2.txt');
+    expect(results[0].content).toBe('success');
+  });
+
+  it('accepts yaml files as text-compatible', async () => {
+    const files = [
+      createMockFile({ name: 'config.yaml', mimetype: 'application/yaml' }),
+      createMockFile({ name: 'data.yml', mimetype: 'application/x-yaml' }),
+    ];
+
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
+        ok: true,
+        arrayBuffer: () => Promise.resolve(new TextEncoder().encode('key: value').buffer),
+      })
+    );
+
+    const results = await downloadTextFiles(files, botToken);
+
+    expect(results).toHaveLength(2);
+  });
+
+  it('uses default maxFileBytes from env when not provided', async () => {
+    const originalEnv = process.env.MAX_SNIPPET_BYTES;
+    process.env.MAX_SNIPPET_BYTES = '50000';
+
+    const largeContent = 'x'.repeat(60000);
+    const file = createMockFile({ size: 60000 });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      arrayBuffer: () => Promise.resolve(new TextEncoder().encode(largeContent).buffer),
+    });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results[0].truncated).toBe(true);
+    expect(results[0].content.length).toBeLessThanOrEqual(50000);
+
+    process.env.MAX_SNIPPET_BYTES = originalEnv;
+  });
+
+  it('skips file with invalid URL format', async () => {
+    const file = createMockFile({ url_private_download: 'not-a-valid-url' });
+
+    const results = await downloadTextFiles([file], botToken);
+
+    expect(results).toHaveLength(0);
+    expect(mockFetch).not.toHaveBeenCalled();
+  });
+});