docs(messaging): clarify Slack token validation and slack policy preset (#4979)

[abhi-0906]

Summary

Documents the intended Slack onboarding behavior that #4979 ran into: NemoClaw validates Slack tokens against the live Slack API during onboard, so invalid/placeholder tokens (invalid_auth) cause the Slack channel to be skipped — and because the slack network policy preset is only applied for channels that are actually enabled, the preset is not applied either (not shown as ● in policy-list). Also points to the existing NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 escape hatch for exercising Slack setup and the slack preset with placeholder tokens in restricted/hermetic environments.

Related Issue

Fixes #4979

Context

The current behavior is intentional and secure: live token validation prevents onboarding from enabling a channel with credentials Slack cannot use. The "fake-token test mode" the issue asks for already exists as NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION (documented in the commands reference). The gap was purely documentation — the consequence chain (invalid tokens → channel skipped → slack preset not applied) and the skip-flag's role in policy-preset testing were not stated where Slack onboarding is documented. This is the reporter's "at minimum, document the mismatch" resolution; no behavior change.

Changes

• docs/manage-sandboxes/messaging-channels.mdx — in the Slack section, document that validation calls the live Slack API, that rejected tokens skip the channel and therefore do not apply the slack preset, and that NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 skips the live probes for testing (format checks still apply).

Type of Change

• Doc only (prose changes, no code sample modifications)

Verification

• No secrets or credentials committed
• Uses the existing <name> sandbox placeholder and backtick-wrapped ● conventions; new env/command references match the commands reference
• Note: npm run docs / the docs link-check were not run on my Windows dev box (the link-check harness shells out in a way that fails locally); the change adds no links and is plain prose with inline code spans. Deferred to CI on Linux.

Summary by CodeRabbit

• Documentation
  • Updated Slack channel requirements section to document the credential validation flow that occurs when enabling Slack channels, including behavior when validation fails.
  • Added documentation for the environment variable option that allows bypassing live Slack authentication checks in restricted or hermetic test environments while preserving token format validation.

Signed-off-by: abhi-0906 abhimanyukumar7290@gmail.com

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[prekshivyas]

LGTM. Docs-only clarification that directly addresses #4979's confusion: it documents that Slack credential validation calls the live Slack API (auth.test/apps.connections.open), so placeholder tokens get invalid_auth → the channel is skipped → the slack preset isn't applied (no ● in policy-list). Verified against source: the documented NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 escape hatch is real (SLACK_AUTH_VALIDATION_SKIP_ENV in slack/hooks/credential-validation.ts) and the per-channel preset gating matches (manifest policyPresets: ["slack"]). Accurate, low-risk. CI green.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation update to messaging-channels.mdx that clarifies NemoClaw's live Slack credential validation behavior during channel enablement, including the skip behavior when validation fails and the environment variable to bypass validation in test environments.

Changes

Slack Channel Validation Documentation

Layer / File(s)	Summary
Slack credential validation and policy behavior documentation docs/manage-sandboxes/messaging-channels.mdx	"Channel Requirements" section now documents that NemoClaw calls Slack's auth.test and apps.connections.open APIs, skips Slack channel enablement if validation fails, does not apply the slack policy preset when skipped, and provides the NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION=1 environment variable to bypass live validation in restricted test environments.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4582: Implements the live Slack credential validation behavior (auth.test and apps.connections.open checks) that this PR documents, including the bypass flag.

Suggested labels

enhancement: messaging, integration: slack

Suggested reviewers

• cv
• prekshivyas

Poem

🐰 A Slack doc hops into the fray,
Explaining credentials that pass or decay,
When tokens won't dance with the API test,
We skip the whole channel—a wise, cautious jest!
NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION saves the day! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: documenting Slack token validation behavior and clarifying the slack policy preset application during channel enablement.
Linked Issues check	✅ Passed	The PR directly addresses issue #4979 by documenting NemoClaw's live Slack API validation flow and the NEMOCLAW_SKIP_SLACK_AUTH_VALIDATION environment variable escape hatch, aligning with Option A (update docs to clarify validation requirements).
Out of Scope Changes check	✅ Passed	All changes are in scope—documentation of existing Slack validation behavior and the escape hatch environment variable in the messaging channels guide, with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

docs/manage-sandboxes/messaging-channels.mdx (1)

85-85: ⚡ Quick win

Rewrite in active voice.

The sentence contains passive constructions ("is only applied", "is not applied"). As per coding guidelines, active voice is required.

✏️ Suggested active voice rewrite

-Because the `slack` network policy preset is only applied for channels that are actually enabled, a skipped Slack channel also means the `slack` preset is not applied, so it does not appear as applied (`●`) in `$$nemoclaw <name> policy-list`.
+Because NemoClaw only applies the `slack` network policy preset for actually enabled channels, a skipped Slack channel means NemoClaw does not apply the `slack` preset, so the preset does not appear as applied (`●`) in `$$nemoclaw <name> policy-list`.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/manage-sandboxes/messaging-channels.mdx` at line 85, Rewrite the
sentence in active voice so it clearly states the actor and action: e.g., say
that the system applies the `slack` network policy preset only for channels that
are enabled, and that when the system skips a Slack channel it does not apply
the `slack` preset, so it won’t appear as applied (`●`) in the `$$nemoclaw
<name> policy-list` output; replace passive phrases like "is only applied" and
"is not applied" with active verbs referring to the system or process applying
the preset.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@docs/manage-sandboxes/messaging-channels.mdx`:
- Line 85: Rewrite the sentence in active voice so it clearly states the actor
and action: e.g., say that the system applies the `slack` network policy preset
only for channels that are enabled, and that when the system skips a Slack
channel it does not apply the `slack` preset, so it won’t appear as applied
(`●`) in the `$$nemoclaw <name> policy-list` output; replace passive phrases
like "is only applied" and "is not applied" with active verbs referring to the
system or process applying the preset.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 64160d49-a5c9-4bf7-b01e-b48cfe10cabb

📥 Commits

Reviewing files that changed from the base of the PR and between 8827570 and 873dabf.

📒 Files selected for processing (1)

• docs/manage-sandboxes/messaging-channels.mdx

[abhi-0906]

@cv The failing dco-check is addressed — I've added the sign-off line to the PR description:

Signed-off-by: abhi-0906 <abhimanyukumar7290@gmail.com>

The edit re-triggered dco-check (and commit-lint), but the new runs are waiting on fork workflow approval (action_required). Once approved, dco-check should go green and auto-merge can proceed.