fix: surface match metadata in audits and slack logs

Co-authored-by: thewilloftheshadow <thewilloftheshadow@users.noreply.github.com>
2026-01-18 00:50:33 +00:00
parent 79a44d0da4
commit 22c7f659f6
5 changed files with 59 additions and 11 deletions
--- a/src/slack/monitor/slash.ts
+++ b/src/slack/monitor/slash.ts
@@ -25,9 +25,9 @@ import { resolveCommandAuthorizedFromAuthorizers } from "../../channels/command-
 import type { ResolvedSlackAccount } from "../accounts.js";

 import {
-  allowListMatches,
  normalizeAllowList,
  normalizeAllowListLower,
+  resolveSlackAllowListMatch,
  resolveSlackUserAllowed,
 } from "./allow-list.js";
 import { resolveSlackChannelConfig, type SlackChannelConfigResolved } from "./channel-config.js";
@@ -201,12 +201,15 @@ export function registerSlackMonitorSlashCommands(params: {
        if (ctx.dmPolicy !== "open") {
          const sender = await ctx.resolveUserName(command.user_id);
          const senderName = sender?.name ?? undefined;
-          const permitted = allowListMatches({
+          const allowMatch = resolveSlackAllowListMatch({
            allowList: effectiveAllowFromLower,
            id: command.user_id,
            name: senderName,
          });
-          if (!permitted) {
+          const allowMatchMeta = `matchKey=${allowMatch.matchKey ?? "none"} matchSource=${
+            allowMatch.matchSource ?? "none"
+          }`;
+          if (!allowMatch.allowed) {
            if (ctx.dmPolicy === "pairing") {
              const { code, created } = await upsertChannelPairingRequest({
                channel: "slack",
@@ -214,6 +217,11 @@ export function registerSlackMonitorSlashCommands(params: {
                meta: { name: senderName },
              });
              if (created) {
+                logVerbose(
+                  `slack pairing request sender=${command.user_id} name=${
+                    senderName ?? "unknown"
+                  } (${allowMatchMeta})`,
+                );
                await respond({
                  text: buildPairingReply({
                    channel: "slack",
@@ -224,6 +232,9 @@ export function registerSlackMonitorSlashCommands(params: {
                });
              }
            } else {
+              logVerbose(
+                `slack: blocked slash sender ${command.user_id} (dmPolicy=${ctx.dmPolicy}, ${allowMatchMeta})`,
+              );
              await respond({
                text: "You are not authorized to use this command.",
                response_type: "ephemeral",
@@ -289,11 +300,11 @@ export function registerSlackMonitorSlashCommands(params: {
        return;
      }

-      const ownerAllowed = allowListMatches({
+      const ownerAllowed = resolveSlackAllowListMatch({
        allowList: effectiveAllowFromLower,
        id: command.user_id,
        name: senderName,
-      });
+      }).allowed;
      if (isRoomish) {
        commandAuthorized = resolveCommandAuthorizedFromAuthorizers({
          useAccessGroups: ctx.useAccessGroups,