Slack Integration Hub

Slack is OpenClaw’s secondary team communication layer — used primarily by the Aurora agent for deal-related notifications, approval workflows, and BetterFiles/BetterAcq team coordination across the TeamSteph and Henry workspaces. Unlike Discord (ops alerting), Slack carries human-facing deal status and approval flows. Read this hub before modifying Aurora’s Slack behavior or adding new Slack-connected scripts.

Quick reference

| Field | Value |
| --- | --- |
| Vendor | Salesforce / Slack Technologies |
| URL | https://slack.com / https://api.slack.com/docs |
| KB doc | API · WEBHOOKS |
| Auth method | HMAC-SHA256 (X-Slack-Signature header) for inbound webhooks; Bearer bot token for outbound API |
| Auth credential | op://Aurora/slack/bot-token · op://Aurora/slack/app-token · op://Aurora/slack/signing-secret |
| Cred-proxy port | n/a (until B1-B6 ratified) |
| Webhook port | n/a (HTTP mode — no Socket Mode; inbound events delivered to registered URL) |
| Webhook handler | n/a (no dedicated inbound handler currently running in FUNNEL-REGISTRY) |
| Webhook dedup table | n/a |
| Tunnel path | n/a |
| Outbound API base | https://slack.com/api/ |
| Rate limits | Tier 1: 1 req/min; Tier 2: 20 req/min; Tier 3: 50 req/min; Tier 4: 100+ req/min (per method) |
| Rate-limit action | 429 + Retry-After header → exponential backoff; ok: false with error: ratelimited in body |
| Cost | Included in Slack workspace subscription (TeamSteph + Henry) |
| Backup/recovery | Vendor-owned; message history per workspace retention policy |
| Discord alert channel | ops (if Slack integration fails) |
| Drift cadence | On bot token rotation; on workspace permission changes |
| Status | production |

Workspace map

| Workspace | Owner | Primary use |
| --- | --- | --- |
| TeamSteph | teamsteph@betterfiles.com | BetterFiles TC ops, deal approval flows, dispo notifications |
| Henry | henry@reri.co | Personal RERI ops, acquisitions review |

Both workspaces are accessible to the Aurora agent via the op://Aurora/slack/bot-token credential (bot must be installed in each workspace separately).

Token types in use

| Token | Prefix | 1Password reference | Purpose |
| --- | --- | --- | --- |
| Bot token | xoxb- | op://Aurora/slack/bot-token | Primary — chat.postMessage, channel ops, file upload |
| App token | xapp- | op://Aurora/slack/app-token | Socket Mode (disabled — see note below) |
| Signing secret | | op://Aurora/slack/signing-secret | HMAC-SHA256 verification of inbound webhook payloads |

Note on HTTP vs Socket Mode: The Slack KB doc (last verified 2026-03-04) confirms HTTP mode is in use due to zombie process issues with Socket Mode. Socket Mode (xapp- token) is provisioned but not active. If Socket Mode is re-enabled, the app-token must be referenced and a port must be registered per G-SERVICE-PRE-START-DOC before starting the daemon.

Components

  • /home/opsadmin/.openclaw/workspace-betterfiles/scripts/slack-approval.js — BetterFiles deal approval flow via Slack interactive messages
  • /home/opsadmin/.openclaw/workspace-dispo/scripts/slack-button-handler.js — dispo deal button interactions (approve/pass/hold)
  • /home/opsadmin/.openclaw/scripts/slack-health-check.sh — Slack connectivity health check script
  • /home/opsadmin/.openclaw/workspace-dealcmd/scripts/create-slack-channels.js — programmatic channel creation for deal cohorts
  • /home/opsadmin/.openclaw/workspace-betteracq/send_to_slack.py — Python Slack poster used by acquisitions workspace
  • /home/opsadmin/.openclaw/workspace/slack-channel-audit.md — channel inventory audit (last run date unknown)
  • @slack/web-api npm package — used by JS scripts for Slack API calls

How it’s used

  • Trigger: Aurora agent determines a deal event requires human approval or notification → posts to the relevant deal channel; or a cron script posts a summary embed to a reporting channel
  • Workflow: Aurora calls chat.postMessage with blocks (interactive components) → operator clicks approve/pass → Slack sends interaction payload to registered endpoint → slack-button-handler.js processes the action → updates HubSpot deal stage via hubspot
  • Agents involved: _summary is the primary Slack actor; BetterFiles agent posts dispo approvals; BetterAcq workspace posts acquisitions status
  • Failure mode: if bot token is expired/revoked, chat.postMessage returns ok: false with error: invalid_auth; interactive message buttons silently fail if the interaction endpoint is unreachable or unregistered; HMAC verification failure returns 403 and Slack retries 3x
  • Success criteria: chat.postMessage returns { ok: true, ts: "..." }; button interaction processed within 3s (Slack requires 200 within 3s or shows error to user)

Signature verification (inbound)

All inbound Slack event/interaction payloads MUST be verified with HMAC-SHA256 before processing:

X-Slack-Signature: v0=<HMAC-SHA256 of "v0:<timestamp>:<raw_body>">
X-Slack-Request-Timestamp: <unix_epoch>

Signing secret: op://Aurora/slack/signing-secret

Reject payloads where abs(now - timestamp) > 300 seconds (replay attack protection). Never trust X-Slack-Signature header values without verifying against the signing secret.
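
The check described above, as an added Node.js example (not code from slack-button-handler.js or any other OpenClaw script). The name verifySlackRequest, its return shape, and the sample secret, body and timestamp are constructed for illustration; a real handler would load the secret from op://Aurora/slack/signing-secret.

```javascript
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // replay window stated in this hub

// Verify an inbound Slack request. rawBody must be the exact bytes received,
// before any JSON or urlencoded parsing. Returns { ok, reason } so the caller
// can log why it answered 403. (Function name and return shape are assumptions.)
function verifySlackRequest({ signingSecret, signature, timestamp, rawBody, now = Date.now() / 1000 }) {
  if (!signingSecret) return { ok: false, reason: 'missing_secret' };
  if (typeof signature !== 'string' || typeof timestamp !== 'string') {
    return { ok: false, reason: 'missing_headers' };
  }
  // Accept only a plain integer timestamp before doing arithmetic on it.
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: 'bad_timestamp' };
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale_timestamp' };
  }
  const body = Buffer.isBuffer(rawBody) ? rawBody : Buffer.from(String(rawBody), 'utf8');
  const expected = 'v0=' + crypto.createHmac('sha256', signingSecret)
    .update(`v0:${timestamp}:`).update(body).digest('hex');
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(signature, 'utf8');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'bad_signature' };
  }
  return { ok: true };
}

// Constructed sample values: not real credentials or captured Slack traffic.
const SAMPLE_SECRET = 'constructed-signing-secret';
const SAMPLE_BODY = 'payload=%7B%22type%22%3A%22block_actions%22%7D';
const SAMPLE_TS = '1700000000';
const SAMPLE_SIG = 'v0=' + crypto.createHmac('sha256', SAMPLE_SECRET)
  .update(`v0:${SAMPLE_TS}:${SAMPLE_BODY}`).digest('hex');

function demo() {
  const base = { signingSecret: SAMPLE_SECRET, signature: SAMPLE_SIG, timestamp: SAMPLE_TS, rawBody: SAMPLE_BODY };
  return {
    valid: verifySlackRequest({ ...base, now: 1700000010 }),
    replayed: verifySlackRequest({ ...base, now: 1700000301 }), // 301 s old
    tampered: verifySlackRequest({ ...base, rawBody: SAMPLE_BODY + 'x', now: 1700000010 }),
  };
}
console.log(demo());
```

Pass the raw request bytes: a body that has been parsed and re-serialized will not produce the same HMAC, so capture it before any body-parsing middleware runs.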

Aurora Slack behavior rules

Per feedback_aurora_slack_behavior:

  • Aurora does not post to Slack channels unless explicitly triggered by a deal event or Henry instruction
  • Never post Henry’s full name in Slack messages (per feedback_never_use_henry_name)
  • Slack is for human-readable deal status; structured data goes to Supabase, not Slack threads
  • All interactive message payloads must be acknowledged within 3 seconds (use deferred processing pattern)

| Hub | Relationship |
| --- | --- |
| cloudflare | Any Slack interaction endpoint must be registered in FUNNEL-REGISTRY with HMAC sig verification before exposure |
| discord | Discord = ops alerting (automated); Slack = human-facing deal comms. Separate concerns, complementary channels |
| hubspot | Slack button interactions trigger HubSpot deal stage updates; Aurora bridges the two |

| Credential | Reference | Notes |
| --- | --- | --- |
| Bot token (xoxb-) | op://Aurora/slack/bot-token | Primary; rotate after any session exposure |
| App token (xapp-) | op://Aurora/slack/app-token | Provisioned, inactive (Socket Mode off) |
| Signing secret | op://Aurora/slack/signing-secret | Required for HMAC-SHA256 verification of all inbound payloads |

See 1password for rotation procedures and Aurora vault structure.

Agents that touch this

  • _summary — primary Slack bot; posts deal notifications, handles interactive approvals
  • BetterFiles agent — dispo approval flows via slack-approval.js
  • BetterAcq workspace — acquisitions status posts via send_to_slack.py

Skills that invoke this

  • hubspot-deal-ingest — deal creation notifications may trigger Slack posts via Aurora
  • dispo-blast — buyer blast results can route notifications to Slack deal channels

Plans that govern this

Feedback rules

KB / source docs

  • API — Slack Web API reference (last verified 2026-03-04); token types, method list, rate limit tiers
  • WEBHOOKS — Incoming webhooks, HMAC-SHA256 sig verification, Socket Mode vs HTTP mode tradeoffs

System maps

Open issues / TODOs

  • P1: No Slack interaction endpoint registered in FUNNEL-REGISTRY — slack-button-handler.js is running on dispo workspace but its public URL is undocumented; verify endpoint security and add to registry
  • P1: slack-channel-audit.md — last run date unknown; re-run to verify active channels match deal pipeline stages
  • P2: Socket Mode (xapp- app token) provisioned but disabled due to zombie process issues — if re-enabled, register a new port in CLAUDE.md port map and ARCHITECTURE.md before starting daemon (G-SERVICE-PRE-START-DOC)
  • P2: send_to_slack.py in BetterAcq workspace uses Python; verify it reads SLACK_BOT_TOKEN from env (not hardcoded) before next credential rotation
  • P2: Slack workspace channel inventory for TeamSteph workspace is not in ARCHITECTURE.md — document active channels used by deal workflows

Recent activity

  • 2026-05-03: Hub created by W1-S6 (Wave 1 hub authoring pass)
  • 2026-03-04: KB docs (API.md + WEBHOOKS.md) last verified; HTTP mode confirmed over Socket Mode
  • Ongoing: Aurora agent posts deal status to TeamSteph Slack workspace on deal pipeline transitions