feat(slack): add trogon-source-slack webhook receiver

Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>

Author: yordis

.mise/tasks/tunnels

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+#MISE description="Show ngrok tunnel URLs with webhook paths"
+set -euo pipefail
+
+NGROK_API="http://ngrok.trogonai.orb.local:4040/api/tunnels"
+
+if ! tunnels=$(curl -sf "$NGROK_API" 2>/dev/null); then
+  echo "ngrok is not running. Start it with: mise run dev:up"
+  exit 1
+fi
+
+echo ""
+echo "  ngrok tunnels"
+echo "  ─────────────────────────────────────────────────────────"
+echo ""
+
+echo "$tunnels" | jq -r '.tunnels[] | "\(.name)\t\(.public_url)"' | while IFS=$'\t' read -r name url; do
+  printf "  %-10s %s/webhook\n" "$name" "$url"
+done
+
+echo ""
+echo "  dashboard  http://ngrok.trogonai.orb.local:4040"
+echo ""

devops/docker/compose/.env.example

@@ -0,0 +1,27 @@
+# --- NATS ---
+# NATS_URL=nats://localhost:4222
+
+# --- GitHub Source ---
+# GITHUB_WEBHOOK_SECRET=
+# GITHUB_WEBHOOK_PORT=8080
+# GITHUB_SUBJECT_PREFIX=github
+# GITHUB_STREAM_NAME=GITHUB
+# GITHUB_STREAM_MAX_AGE_SECS=604800
+# GITHUB_NATS_ACK_TIMEOUT_SECS=10
+# GITHUB_MAX_BODY_SIZE=26214400
+
+# --- Slack Source ---
+# SLACK_SIGNING_SECRET=
+# SLACK_WEBHOOK_PORT=3000
+# SLACK_SUBJECT_PREFIX=slack
+# SLACK_STREAM_NAME=SLACK
+# SLACK_STREAM_MAX_AGE_SECS=604800
+# SLACK_NATS_ACK_TIMEOUT_SECS=10
+# SLACK_MAX_BODY_SIZE=1048576
+# SLACK_TIMESTAMP_MAX_DRIFT_SECS=300
+
+# --- Logging ---
+# RUST_LOG=info
+
+# --- Dev (ngrok tunnels) ---
+# NGROK_AUTHTOKEN=

devops/docker/compose/compose.yml

@@ -7,9 +7,6 @@ services:
       - "--jetstream"
       - "--store_dir=/data"
       - "--http_port=8222"
-    ports:
-      - "4222:4222"
-      - "8222:8222"
     volumes:
       - nats_data:/data
     restart: unless-stopped
@@ -23,12 +20,10 @@ services:
   trogon-source-github:
     build:
       context: ../../../rsworkspace
-      dockerfile: crates/trogon-source-github/Dockerfile
-    ports:
-      - "${GITHUB_WEBHOOK_PORT:-8080}:${GITHUB_WEBHOOK_PORT:-8080}"
+      dockerfile: ../devops/docker/compose/services/trogon-source-github/Dockerfile
     environment:
       NATS_URL: "nats:4222"
-      GITHUB_WEBHOOK_SECRET: "${GITHUB_WEBHOOK_SECRET:?GITHUB_WEBHOOK_SECRET is required}"
+      GITHUB_WEBHOOK_SECRET: "${GITHUB_WEBHOOK_SECRET:-}"
       GITHUB_WEBHOOK_PORT: "${GITHUB_WEBHOOK_PORT:-8080}"
       GITHUB_SUBJECT_PREFIX: "${GITHUB_SUBJECT_PREFIX:-github}"
       GITHUB_STREAM_NAME: "${GITHUB_STREAM_NAME:-GITHUB}"
@@ -47,18 +42,58 @@ services:
       start_period: 10s
       retries: 3
 
-  smee:
-    image: node:alpine
-    command:
-      - npx
-      - smee-client
-      - --url
-      - "${SMEE_URL:?SMEE_URL is required — create a channel at https://smee.io}"
-      - --target
-      - "http://trogon-source-github:${GITHUB_WEBHOOK_PORT:-8080}/webhook"
+  trogon-source-slack:
+    build:
+      context: ../../../rsworkspace
+      dockerfile: ../devops/docker/compose/services/trogon-source-slack/Dockerfile
+    environment:
+      NATS_URL: "nats:4222"
+      SLACK_SIGNING_SECRET: "${SLACK_SIGNING_SECRET:-}"
+      SLACK_WEBHOOK_PORT: "${SLACK_WEBHOOK_PORT:-3000}"
+      SLACK_SUBJECT_PREFIX: "${SLACK_SUBJECT_PREFIX:-slack}"
+      SLACK_STREAM_NAME: "${SLACK_STREAM_NAME:-SLACK}"
+      SLACK_STREAM_MAX_AGE_SECS: "${SLACK_STREAM_MAX_AGE_SECS:-604800}"
+      SLACK_NATS_ACK_TIMEOUT_SECS: "${SLACK_NATS_ACK_TIMEOUT_SECS:-10}"
+      SLACK_MAX_BODY_SIZE: "${SLACK_MAX_BODY_SIZE:-1048576}"
+      SLACK_TIMESTAMP_MAX_DRIFT_SECS: "${SLACK_TIMESTAMP_MAX_DRIFT_SECS:-300}"
+      RUST_LOG: "${RUST_LOG:-info}"
+    depends_on:
+      nats:
+        condition: service_healthy
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-sf", "http://localhost:${SLACK_WEBHOOK_PORT:-3000}/health"]
+      interval: 10s
+      timeout: 3s
+      start_period: 10s
+      retries: 3
+
+  ngrok:
+    image: ngrok/ngrok:alpine
+    environment:
+      NGROK_AUTHTOKEN: "${NGROK_AUTHTOKEN:-}"
+      GITHUB_ADDR: "trogon-source-github:${GITHUB_WEBHOOK_PORT:-8080}"
+      SLACK_ADDR: "trogon-source-slack:${SLACK_WEBHOOK_PORT:-3000}"
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        cat > /tmp/ngrok.yml <<EOF
+        version: 3
+        tunnels:
+          github:
+            addr: $${GITHUB_ADDR}
+            proto: http
+          slack:
+            addr: $${SLACK_ADDR}
+            proto: http
+        EOF
+        exec ngrok start --all --config /tmp/ngrok.yml
     depends_on:
       trogon-source-github:
         condition: service_healthy
+      trogon-source-slack:
+        condition: service_healthy
     restart: unless-stopped
     profiles:
       - dev

…e/crates/trogon-source-github/Dockerfile …services/trogon-source-github/Dockerfilersworkspace/crates/trogon-source-github/Dockerfile renamed to devops/docker/compose/services/trogon-source-github/Dockerfile rsworkspace/crates/trogon-source-github/Dockerfile renamed to devops/docker/compose/services/trogon-source-github/Dockerfile

@@ -29,7 +29,7 @@ RUN cargo build --release -p trogon-source-github && \
 FROM debian:bookworm-20250317-slim AS runtime
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates \
+    ca-certificates curl \
     && rm -rf /var/lib/apt/lists/*
 
 RUN useradd --no-create-home --shell /usr/sbin/nologin trogon

devops/docker/compose/GITHUB_WEBHOOKS.md …/services/trogon-source-github/README.mddevops/docker/compose/GITHUB_WEBHOOKS.md renamed to devops/docker/compose/services/trogon-source-github/README.md devops/docker/compose/GITHUB_WEBHOOKS.md renamed to devops/docker/compose/services/trogon-source-github/README.md

@@ -5,6 +5,7 @@
 - Docker Compose
 - A GitHub App (org or personal) — the app's webhook delivers events from every
   repo where it's installed, so you configure the URL once
+- An [ngrok](https://ngrok.com) account (free tier works)
 
 ## 1. Generate a webhook secret
 
@@ -14,51 +15,54 @@ openssl rand -hex 32
 
 Save the output — you'll use it in both GitHub and the local stack.
 
-## 2. Create a smee.io channel
+## 2. Start the stack
 
-Go to [smee.io](https://smee.io) and click **Start a new channel**. Copy the
-channel URL (e.g. `https://smee.io/abc123`).
+```bash
+docker compose --profile dev up
+```
+
+This starts NATS, the webhook receiver, and ngrok. Find the public tunnel URL
+in the ngrok container logs:
+
+```bash
+docker compose logs ngrok
+```
+
+Look for the `github` tunnel URL (e.g. `https://abc123.ngrok-free.app`).
 
 ## 3. Configure your GitHub App
 
 1. Go to **Settings → Developer settings → GitHub Apps**
 2. Select your app (or create a new one)
 3. Under **Webhook**:
-   - **Webhook URL**: your smee.io channel URL
+   - **Webhook URL**: `https://<ngrok-url>/webhook`
    - **Webhook secret**: the secret you generated in step 1
 4. Under **Permissions & events**, subscribe to the events you need
 5. Install the app on the repositories or organization you want to receive
    events from
 
-## 4. Start the stack
-
-```bash
-SMEE_URL=https://smee.io/abc123 \
-GITHUB_WEBHOOK_SECRET=<secret-from-step-1> \
-docker compose --profile dev up
-```
+## 4. Verify
 
-This starts NATS, the webhook receiver, and the smee client. The smee client
-connects to your channel and forwards events to the webhook receiver.
+Trigger an event in a repository where the app is installed (e.g. push a
+commit). You should see:
 
-Without `--profile dev`, the smee client is excluded and only the core services
-start.
+- The webhook receiver log the incoming event
+- The event published to NATS on `github.{event}`
 
-## 5. Verify
+You can inspect NATS with:
 
-Trigger an event in a repository where the app is installed (e.g. push a
-commit). You should see:
+```bash
+nats sub -s nats://nats.trogonai.orb.local:4222 "github.>"
+```
 
-- The event appear on your smee.io channel page
-- The smee client forward it to the webhook receiver
-- The webhook receiver publish it to NATS on `github.{event}`
+Without `--profile dev`, ngrok is excluded and only the core services start.
 
 ## Environment variables
 
 | Variable | Required | Default | Description |
 |---|---|---|---|
 | `GITHUB_WEBHOOK_SECRET` | yes | — | HMAC-SHA256 secret (must match GitHub App) |
-| `SMEE_URL` | yes (dev profile) | — | smee.io channel URL |
+| `NGROK_AUTHTOKEN` | yes (dev profile) | — | ngrok auth token |
 | `GITHUB_WEBHOOK_PORT` | no | `8080` | HTTP port for the webhook receiver |
 | `GITHUB_SUBJECT_PREFIX` | no | `github` | NATS subject prefix |
 | `GITHUB_STREAM_NAME` | no | `GITHUB` | JetStream stream name |

devops/docker/compose/services/trogon-source-slack/Dockerfile

@@ -0,0 +1,45 @@
+# ── Stage 1: chef — generate dependency recipe ──────────────────────────────
+FROM rust:1.93-slim AS chef
+
+RUN cargo install cargo-chef --locked
+
+WORKDIR /build
+
+# ── Stage 2: planner — capture dependency graph ─────────────────────────────
+FROM chef AS planner
+
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ crates/
+
+RUN cargo chef prepare --recipe-path recipe.json
+
+# ── Stage 3: builder — cached dependency build + final compile ──────────────
+FROM chef AS builder
+
+COPY --from=planner /build/recipe.json recipe.json
+RUN cargo chef cook --release --recipe-path recipe.json -p trogon-source-slack
+
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ crates/
+
+RUN cargo build --release -p trogon-source-slack && \
+    strip target/release/trogon-source-slack
+
+# ── Stage 4: runtime ────────────────────────────────────────────────────────
+FROM debian:bookworm-20250317-slim AS runtime
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates curl \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --no-create-home --shell /usr/sbin/nologin trogon
+
+COPY --from=builder /build/target/release/trogon-source-slack /usr/local/bin/trogon-source-slack
+
+USER trogon
+
+EXPOSE 3000
+
+STOPSIGNAL SIGTERM
+
+ENTRYPOINT ["/usr/local/bin/trogon-source-slack"]

devops/docker/compose/services/trogon-source-slack/README.md

@@ -0,0 +1,107 @@
+# Receiving Slack Events Locally
+
+## Prerequisites
+
+- Docker Compose
+- A Slack App with Event Subscriptions enabled
+- An [ngrok](https://ngrok.com) account (free tier works)
+
+## 1. Create a Slack App
+
+1. Go to [api.slack.com/apps](https://api.slack.com/apps) and click **Create New App**
+2. Choose **From scratch**, pick a name and workspace
+3. Under **Basic Information → App Credentials**, copy the **Signing Secret**
+
+## 2. Start the stack
+
+```bash
+docker compose --profile dev up
+```
+
+This starts NATS, the Slack webhook receiver, and ngrok. Find the public tunnel
+URL in the ngrok container logs:
+
+```bash
+docker compose logs ngrok
+```
+
+Look for the `slack` tunnel URL (e.g. `https://def456.ngrok-free.app`).
+
+## 3. Enable Event Subscriptions
+
+1. In your Slack App settings, go to **Event Subscriptions**
+2. Toggle **Enable Events** to On
+3. Set the **Request URL** to `https://<ngrok-url>/webhook`
+4. Slack will send a `url_verification` challenge — the server responds
+   automatically
+5. Under **Subscribe to bot events**, add the events you need:
+   - `message.channels` — public channels
+   - `message.groups` — private channels
+   - `message.im` — direct messages
+   - `app_mention` — @mentions anywhere
+6. Click **Save Changes**
+
+## 4. Enable Interactivity (optional)
+
+1. Go to **Interactivity & Shortcuts**
+2. Toggle **Interactivity** to On
+3. Set the **Request URL** to the same `https://<ngrok-url>/webhook`
+4. Click **Save Changes**
+
+Block actions, modal submissions, and shortcuts will be published to NATS on
+`slack.interaction.{type}` subjects (e.g. `slack.interaction.block_actions`).
+
+## 5. Register Slash Commands (optional)
+
+1. Go to **Slash Commands** and click **Create New Command**
+2. Set the **Request URL** to the same `https://<ngrok-url>/webhook`
+3. Fill in the command name, description, and usage hint
+4. Click **Save**
+
+Slash commands will be published to NATS on `slack.command.{command_name}`
+subjects (e.g. `slack.command.trogon`).
+
+## 6. Install the app to your workspace
+
+1. Go to **OAuth & Permissions**
+2. Under **Scopes → Bot Token Scopes**, ensure you have the scopes required
+   by the events you subscribed to
+3. Click **Install to Workspace** and authorize
+
+## 7. Verify
+
+Send a message in a channel where the app is installed. You should see:
+
+- The webhook receiver log the incoming event
+- The event published to NATS on `slack.event.message`
+
+You can inspect NATS with:
+
+```bash
+nats sub -s nats://nats.trogonai.orb.local:4222 "slack.>"
+```
+
+Without `--profile dev`, ngrok is excluded and only the core services start.
+
+## NATS subject mapping
+
+| Slack payload | NATS subject | `X-Slack-Payload-Kind` header |
+|---|---|---|
+| Events API (`event_callback`) | `slack.event.{event.type}` | `event` |
+| Interactions (block actions, modals) | `slack.interaction.{type}` | `interaction` |
+| Slash commands | `slack.command.{command_name}` | `command` |
+
+## Environment variables
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `SLACK_SIGNING_SECRET` | yes | — | Slack app signing secret |
+| `NGROK_AUTHTOKEN` | yes (dev profile) | — | ngrok auth token |
+| `SLACK_WEBHOOK_PORT` | no | `3000` | HTTP port for the webhook receiver |
+| `SLACK_SUBJECT_PREFIX` | no | `slack` | NATS subject prefix |
+| `SLACK_STREAM_NAME` | no | `SLACK` | JetStream stream name |
+| `SLACK_STREAM_MAX_AGE_SECS` | no | `604800` | Max message age in seconds (default 7 days) |
+| `SLACK_NATS_ACK_TIMEOUT_SECS` | no | `10` | NATS acknowledgement timeout in seconds |
+| `SLACK_MAX_BODY_SIZE` | no | `1048576` | Max HTTP request body size in bytes (default 1 MB) |
+| `SLACK_TIMESTAMP_MAX_DRIFT_SECS` | no | `300` | Max allowed clock drift in seconds (default 5 min) |
+| `RUST_LOG` | no | `info` | Log level |