feat: fallback on bot token when oauth creds are missing

Author: mwbrooks

pydantic-ai/app_oauth.py

@@ -3,12 +3,11 @@
 
 from dotenv import load_dotenv
 from slack_bolt import App
-from slack_bolt.oauth.oauth_settings import OAuthSettings
 from slack_sdk import WebClient
 
 from agent import get_model
 from listeners import register_listeners
-from oauth import BOT_SCOPES, USER_SCOPES, installation_store, state_store
+from oauth import oauth_settings
 
 load_dotenv(dotenv_path=".env", override=False)
 get_model()  # Fail fast if no AI provider key is configured
@@ -25,14 +24,7 @@
     # Allow bot-posted messages (e.g. issue modal submissions with metadata)
     # to reach the message handler instead of being silently dropped
     ignoring_self_events_enabled=False,
-    oauth_settings=OAuthSettings(
-        client_id=os.environ.get("SLACK_CLIENT_ID"),
-        client_secret=os.environ.get("SLACK_CLIENT_SECRET"),
-        scopes=BOT_SCOPES,
-        user_scopes=USER_SCOPES,
-        installation_store=installation_store,
-        state_store=state_store,
-    ),
+    oauth_settings=oauth_settings,
 )
 
 register_listeners(app)

pydantic-ai/listeners/views/app_home_builder.py

@@ -94,23 +94,42 @@ def build_app_home_view(
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": (
-                        "🟢 *Slack MCP Server is connected.*\n"
-                        "Casey has access to search messages, read channels, and more."
-                    ),
+                    "text": "🟢 *Slack MCP Server is connected.*",
                 },
             }
         )
+        blocks.append(
+            {
+                "type": "context",
+                "elements": [
+                    {
+                        "type": "mrkdwn",
+                        "text": "Casey has access to search messages, read channels, and more.",
+                    }
+                ],
+            }
+        )
     elif authorize_url:
         blocks.append(
             {
                 "type": "section",
                 "text": {
                     "type": "mrkdwn",
-                    "text": f"🔴 *Slack MCP Server is disconnected.* <{authorize_url}|Connect now.>",
+                    "text": f"🔴 *Slack MCP Server is disconnected.* <{authorize_url}|Connect the Slack MCP Server.>",
                 },
             }
         )
+        blocks.append(
+            {
+                "type": "context",
+                "elements": [
+                    {
+                        "type": "mrkdwn",
+                        "text": "The Slack MCP Server enables Casey to search messages, read channels, and more.",
+                    }
+                ],
+            }
+        )
 
     return {
         "type": "home",

pydantic-ai/oauth.py

@@ -1,11 +1,17 @@
 import json
+import logging
 import os
 from pathlib import Path
 
+from slack_bolt.authorization.authorize_result import AuthorizeResult
+from slack_bolt.oauth.oauth_settings import OAuthSettings
+from slack_sdk import WebClient
 from slack_sdk.oauth import AuthorizeUrlGenerator
 from slack_sdk.oauth.installation_store import FileInstallationStore
 from slack_sdk.oauth.state_store import FileOAuthStateStore
 
+logger = logging.getLogger(__name__)
+
 _manifest = json.loads(Path("manifest.json").read_text())
 BOT_SCOPES = _manifest["oauth_config"]["scopes"]["bot"]
 
@@ -36,3 +42,67 @@
     scopes=BOT_SCOPES,
     user_scopes=USER_SCOPES,
 )
+
+oauth_settings = OAuthSettings(
+    client_id=os.environ.get("SLACK_CLIENT_ID"),
+    client_secret=os.environ.get("SLACK_CLIENT_SECRET"),
+    scopes=BOT_SCOPES,
+    user_scopes=USER_SCOPES,
+    installation_store=installation_store,
+    state_store=state_store,
+)
+
+# ---------------------------------------------------------------------------
+# Bot-token fallback for pre-OAuth first-run experience
+# ---------------------------------------------------------------------------
+# When installed via Slack CLI, SLACK_BOT_TOKEN is available but Bolt clears
+# it when oauth_settings is present. This wrapper lets the bot token serve as
+# a fallback so App Home (with the OAuth install URL) and basic bot operations
+# work before anyone has completed the OAuth flow.
+
+_fallback_bot_token = os.environ.get("SLACK_BOT_TOKEN")
+
+if _fallback_bot_token:
+    _original_authorize = oauth_settings.authorize
+
+    def _authorize_with_fallback_bot_token(
+        *,
+        context,
+        enterprise_id,
+        team_id,
+        user_id,
+        actor_enterprise_id=None,
+        actor_team_id=None,
+        actor_user_id=None,
+    ):
+        result = _original_authorize(
+            context=context,
+            enterprise_id=enterprise_id,
+            team_id=team_id,
+            user_id=user_id,
+            actor_enterprise_id=actor_enterprise_id,
+            actor_team_id=actor_team_id,
+            actor_user_id=actor_user_id,
+        )
+        if result is not None:
+            return result
+
+        logger.info(
+            "No OAuth installation found (team=%s); falling back to SLACK_BOT_TOKEN",
+            team_id,
+        )
+        try:
+            fallback_client = WebClient(
+                base_url=os.environ.get("SLACK_API_URL", "https://slack.com/api"),
+                token=_fallback_bot_token,
+            )
+            auth_test = fallback_client.auth_test()
+            return AuthorizeResult.from_auth_test_response(
+                auth_test_response=auth_test,
+                bot_token=_fallback_bot_token,
+            )
+        except Exception:
+            logger.exception("Fallback bot token auth.test failed")
+            return None
+
+    oauth_settings.authorize = _authorize_with_fallback_bot_token