feat(slack): add userToken for read-only access to DMs and private channels (#981)

- Add userToken and userTokenReadOnly (default: true) config fields
- Implement token routing: reads prefer user token, writes use bot token
- Add tests for token routing logic
- Update documentation with required OAuth scopes

User tokens enable reading DMs and private channels without requiring
bot membership. The userTokenReadOnly flag (true by default) ensures
the user token can only be used for reads, preventing accidental
sends as the user.

Required user token scopes:
- channels:history, channels:read
- groups:history, groups:read
- im:history, im:read
- mpim:history, mpim:read
- users:read, reactions:read, pins:read, emoji:read, search:read

src/agents/tools/slack-actions.test.ts

@@ -361,4 +361,48 @@ describe("handleSlackAction", () => {
     expect(payload.pins[0].message?.timestampMs).toBe(expectedMs);
     expect(payload.pins[0].message?.timestampUtc).toBe(new Date(expectedMs).toISOString());
   });
+
+  it("uses user token for reads when available", async () => {
+    const cfg = {
+      channels: { slack: { botToken: "xoxb-1", userToken: "xoxp-1" } },
+    } as ClawdbotConfig;
+    readSlackMessages.mockClear();
+    readSlackMessages.mockResolvedValueOnce({ messages: [], hasMore: false });
+    await handleSlackAction({ action: "readMessages", channelId: "C1" }, cfg);
+    const [, opts] = readSlackMessages.mock.calls[0] ?? [];
+    expect(opts?.token).toBe("xoxp-1");
+  });
+
+  it("falls back to bot token for reads when user token missing", async () => {
+    const cfg = {
+      channels: { slack: { botToken: "xoxb-1" } },
+    } as ClawdbotConfig;
+    readSlackMessages.mockClear();
+    readSlackMessages.mockResolvedValueOnce({ messages: [], hasMore: false });
+    await handleSlackAction({ action: "readMessages", channelId: "C1" }, cfg);
+    const [, opts] = readSlackMessages.mock.calls[0] ?? [];
+    expect(opts?.token).toBeUndefined();
+  });
+
+  it("uses bot token for writes when userTokenReadOnly is true", async () => {
+    const cfg = {
+      channels: { slack: { botToken: "xoxb-1", userToken: "xoxp-1" } },
+    } as ClawdbotConfig;
+    sendSlackMessage.mockClear();
+    await handleSlackAction({ action: "sendMessage", to: "channel:C1", content: "Hello" }, cfg);
+    const [, , opts] = sendSlackMessage.mock.calls[0] ?? [];
+    expect(opts?.token).toBeUndefined();
+  });
+
+  it("allows user token writes when bot token is missing", async () => {
+    const cfg = {
+      channels: {
+        slack: { userToken: "xoxp-1", userTokenReadOnly: false },
+      },
+    } as ClawdbotConfig;
+    sendSlackMessage.mockClear();
+    await handleSlackAction({ action: "sendMessage", to: "channel:C1", content: "Hello" }, cfg);
+    const [, , opts] = sendSlackMessage.mock.calls[0] ?? [];
+    expect(opts?.token).toBe("xoxp-1");
+  });
 });