fix(fanout): extend TERMINAL_SLACK_API_ERRORS with permission codes (aws-samples#79 review aws-samples#8)

Original set omitted documented Slack permission/scope failures.
Codes outside the set fall to the retryable branch, so a
misconfiguration like ``ekm_access_denied`` or ``missing_scope``
would burn 3 Lambda retries before DLQ on every event — even
though the failure is fundamentally a configuration bug that no
retry can clear.

Adds:
  - Permission/scope: missing_scope, ekm_access_denied,
    team_access_not_granted, posting_to_general_channel_denied
  - Payload shape: invalid_arguments

Reorganized the set into commented blocks (channel-shape, auth,
permission/scope, payload-shape) so future additions go in the
right bucket and the rationale stays visible.

Test coverage: parametrized over the full TERMINAL_SLACK_API_ERRORS
set (21 codes) — every one must throw SlackApiError so the router
swallows it. The existing retryable test.each remains intact and
covers the negative-class case (codes outside the set throw a
plain Error and escalate to retry).

Author: bgagent

cdk/src/handlers/slack-notify.ts

@@ -125,22 +125,34 @@ export class SlackApiError extends Error {
  * ``service_unavailable`` doesn't get permanently dropped.
  */
 const TERMINAL_SLACK_API_ERRORS: ReadonlySet<string> = new Set([
+  // Channel-shape failures.
   'channel_not_found',
   'not_in_channel',
   'is_archived',
+  'message_not_found',
+  // Auth failures.
   'not_authed',
   'invalid_auth',
   'token_revoked',
   'token_expired',
   'account_inactive',
+  // Permission / scope failures (PR #79 review #8): each of these
+  // means a configuration fix is required before any retry can
+  // succeed, so swallow them as terminal and let operators alert on
+  // the dedicated ``fanout.slack.api_error`` warn rate.
   'no_permission',
+  'missing_scope',
+  'restricted_action',
+  'ekm_access_denied',
+  'team_access_not_granted',
+  'posting_to_general_channel_denied',
+  'as_user_not_supported',
+  // Payload-shape failures.
   'invalid_blocks',
   'invalid_blocks_format',
+  'invalid_arguments',
   'msg_too_long',
   'too_many_attachments',
-  'restricted_action',
-  'as_user_not_supported',
-  'message_not_found',
 ]);
 
 /** Tag a Slack ``!result.ok`` error as terminal vs retryable so the

cdk/test/handlers/slack-notify.test.ts

@@ -123,10 +123,37 @@ describe('dispatchSlackEvent', () => {
     expect(fetchMock).not.toHaveBeenCalled();
   });
 
-  test('throws a tagged SlackApiError on a TERMINAL Slack code (router swallows)', async () => {
-    // Slack errors like channel_not_found are terminal — retrying
-    // won't change the outcome. Throw SlackApiError so the router
-    // catches and logs at warn instead of escalating to batch retry.
+  test.each([
+    // Channel + message shape.
+    'channel_not_found',
+    'not_in_channel',
+    'is_archived',
+    'message_not_found',
+    // Auth.
+    'not_authed',
+    'invalid_auth',
+    'token_revoked',
+    'token_expired',
+    'account_inactive',
+    // Permission / scope (PR #79 review #8).
+    'no_permission',
+    'missing_scope',
+    'restricted_action',
+    'ekm_access_denied',
+    'team_access_not_granted',
+    'posting_to_general_channel_denied',
+    'as_user_not_supported',
+    // Payload shape.
+    'invalid_blocks',
+    'invalid_blocks_format',
+    'invalid_arguments',
+    'msg_too_long',
+    'too_many_attachments',
+  ])('throws a tagged SlackApiError on terminal Slack code %s (router swallows)', async (slackErrorCode) => {
+    // Pre-PR-#79-review the set was narrower; permission/scope
+    // codes (ekm_access_denied, missing_scope, etc.) used to be
+    // classified retryable and would burn 3 retries before DLQ on
+    // a misconfiguration that no retry can fix.
     ddbSend.mockResolvedValueOnce({
       Item: {
         task_id: 't1',
@@ -136,7 +163,7 @@ describe('dispatchSlackEvent', () => {
     });
     fetchMock.mockResolvedValueOnce({
       ok: true,
-      json: () => Promise.resolve({ ok: false, error: 'channel_not_found' }),
+      json: () => Promise.resolve({ ok: false, error: slackErrorCode }),
     });
 
     await expect(