Skip to content

feat(installer): seed slack allowlists + allow-all-users via values.yaml#112

Merged
AndySakov merged 1 commit into
mainfrom
feat/values-driven-slack-allowlists
May 15, 2026
Merged

feat(installer): seed slack allowlists + allow-all-users via values.yaml#112
AndySakov merged 1 commit into
mainfrom
feat/values-driven-slack-allowlists

Conversation

@AndySakov
Copy link
Copy Markdown
Contributor

@AndySakov AndySakov commented May 15, 2026

What

Extends installer/values_helper.py:cmd_render_gateway_runtime_env to emit three more values-driven env vars into <auth>/gateway-runtime.env:

  • SLACK_ALLOWED_CHANNELS from slack.runtime.allowed_channels
  • GATEWAY_ALLOW_ALL_USERS from gateway.allow_all_users (bool)
  • SLACK_ALLOWED_USERS (already existed) gets a documented empty-list contract for clearing stale env values

Plus deploy.values.yaml schema docs + seeds for the new fields, and 8 new tests across TestRenderGatewayRuntimeEnv.

Why

The z-runtime-env.conf systemd drop-in loads gateway-runtime.env LAST in lexical drop-in order (the z- prefix is intentional, per its docstring), so anything emitted here OVERRIDES the same env var staged earlier by auth/slack.env or /etc/default/hermes-gateway. This is the right place for values-derived runtime config because:

  • values.yaml is the source of truth and is rewritten on every install.
  • Legacy values staged by older stage-secrets.sh runs into auth/slack.env get cleanly overridden without operators needing to chase them down.
  • Re-running setup-hermes.sh is sufficient to propagate channel/user allowlist edits across the fleet.

Production fallout that motivated this: PR #109's bypass for in-thread @mentions deployed cleanly, but the gateway still dropped @bot replies in #brix-feedback-sandbox because:

  1. SLACK_ALLOWED_CHANNELS=C0B23MZ0USV in auth/slack.env (left by an older stage-secrets.sh run) masked the 3-channel list in config.yaml → the allowlist gate at _handle_slack_message blocked the feedback-sandbox channel.
  2. SLACK_ALLOWED_USERS= was empty → the gateway's per-user authz gate denied every user.

Operator fix today: manually drop the stale env line + add GATEWAY_ALLOW_ALL_USERS=true to .hermes/.env. Operator fix tomorrow: update deploy.values.yaml and re-run setup-hermes.sh.

Schema (new)

slack:
  runtime:
    allowed_channels:
      - C0B23MZ0USV
      - C0B4LLZ5Z2L
    # ... empty list emits `SLACK_ALLOWED_CHANNELS=` to wipe stale values.

gateway:
  allow_all_users: true   # GATEWAY_ALLOW_ALL_USERS=true; trust channel-level authz

Both fields are optional. Omitted fields don't emit the corresponding env var.

Behavior matrix

field state emitted line
allowed_channels: [C_A, C_B] SLACK_ALLOWED_CHANNELS=C_A,C_B
allowed_channels: [] SLACK_ALLOWED_CHANNELS= (wipes stale)
allowed_channels absent not emitted
allow_all_users: true GATEWAY_ALLOW_ALL_USERS=true
allow_all_users: false GATEWAY_ALLOW_ALL_USERS=false (wipes stale)
allow_all_users absent not emitted

How to verify

  • python3 -m pytest tests/installer/test_values_helper.py -q (181 pass; 8 new in TestRenderGatewayRuntimeEnv).
  • After deploy: cat /home/hermes/.hermes/auth/gateway-runtime.env should show all three vars; gateway logs should not warn No user allowlists configured; in-thread @bot file 1 in #brix-feedback-sandbox should reach the agent (bypass + allowlist + user-gate all pass).

@AndySakov @claude
feat(installer): seed slack allowlists + allow-all-users via values.yaml
a01e98d 
cmd_render_gateway_runtime_env grows three new values-driven env vars:

- SLACK_ALLOWED_CHANNELS from slack.runtime.allowed_channels
- GATEWAY_ALLOW_ALL_USERS from gateway.allow_all_users (bool)
- (SLACK_ALLOWED_USERS empty-list semantics already in place)

All three land in <auth>/gateway-runtime.env which is loaded by the
z-runtime-env.conf systemd drop-in (lexical sort: loads LAST, wins).
That means values.yaml is now the single source of truth for slack
allowlists; stale assignments in legacy auth/slack.env or
/etc/default/hermes-gateway are overridden on every install.

Motivation: the krustentier rails deploy went stale because PR #109
never rendered into the running tree, but even after re-rendering the
gateway dropped in-thread @mentions because (a) SLACK_ALLOWED_CHANNELS
in auth/slack.env was an older single-channel value masking the 3-
channel list in config.yaml, and (b) SLACK_ALLOWED_USERS was empty so
the gateway denied every user in normal flow. Routing both through
the existing values-driven render-gateway-runtime-env step makes
re-running setup-hermes.sh sufficient to propagate channel/user
allowlist edits across all hosts.

deploy.values.yaml additions:
- gateway.allow_all_users: true (the deployment trusts channel-level
  authz via slack.runtime.allowed_channels; per-user gate is redundant)
- schema-doc entries for slack.runtime.allowed_channels and
  gateway.allow_all_users.

8 new tests across TestRenderGatewayRuntimeEnv covering write/empty/
non-list/non-bool/absent cases for both new fields. 181 total in
test_values_helper.py pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@AndySakov AndySakov requested a review from lafawnduh1966 May 15, 2026 18:26
@AndySakov AndySakov self-assigned this May 15, 2026
@AndySakov AndySakov merged commit 160bcb2 into main May 15, 2026
1 check passed
@AndySakov AndySakov deleted the feat/values-driven-slack-allowlists branch May 15, 2026 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lafawnduh1966 lafawnduh1966 lafawnduh1966 approved these changes

Assignees

@AndySakov AndySakov

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AndySakov @lafawnduh1966