fix(slack): persist thread participation cache to survive gateway restarts [claude, human developer oversight]

[zeroaltitude]

Summary

Slack thread participation is tracked in-memory so the bot can keep replying in a thread after its first response (without requiring repeated @mentions). That cache was lost on every gateway restart, so the bot would silently stop responding to non-mention thread messages until someone re-@mentioned it. This PR persists the Slack thread participation cache to disk so participation survives restarts.

Review focus: src/slack/sent-thread-cache.ts only; file format is JSON {key→timestamp}.

Before / After

Before: restart gateway → thread cache cleared → bot ignores non-mention messages in previously-participated threads
After: restart gateway → cache restored → bot continues participating normally (within TTL)

What changed

src/slack/sent-thread-cache.ts

• Persist to $STATE_DIR/slack-thread-participation.json
• Lazy-load on first access (no Slack startup cost)
• Debounced best-effort writes (≤1 write / 5s; timer unref() so it won't hold the process open)
• TTL filter on load (expired entries dropped)
• Missing/corrupt file handled gracefully (starts empty)
• clearSlackThreadParticipationCache() now persists empty state so "clear" survives restarts (also wipes stale persist files)

src/slack/sent-thread-cache.test.ts

• Adds persistence + clear/restart tests (round-trip, TTL expiry, missing/corrupt file, clear-before-load wipe)
• Tests isolated via temp persist path so local runs don't touch real $STATE_DIR

Risk

Low. This cache is non-critical: worst case is the current behavior (one extra @mention to re-establish participation). Persistence is best-effort; failures are swallowed and the bot falls back to in-memory behavior.

Testing

vitest unit coverage for persistence + clear semantics, plus manual restart verification.

AI-Assisted Development 🤖

This PR was developed with AI assistance (Claude/OpenClaw agent "Tank").

• Degree of testing: Well-tested — 14 unit tests. pnpm check clean. Deployed locally and in daily use for ~4 weeks.
• Human oversight: All changes reviewed and directed by Eddie Abrams
• Understanding confirmed: The contributor understands the persistence mechanism and data model of the Slack thread cache

[greptile-apps]

Greptile Summary

This PR persists the Slack thread participation cache to $STATE_DIR/slack-thread-participation.json so that the bot's auto-reply behaviour in threads survives gateway restarts. The implementation is thorough: lazy hydration with TTL/size filtering, debounced atomic writes (UUID-named temp file + wx flag + rename), 0o600/0o700 file/dir modes, a 4 MB parse guard against large files, and test-only helpers gated behind an environment check. The remaining file changes are Prettier reformats with no functional impact.

Confidence Score: 5/5

This PR is safe to merge — the persistence path is non-critical (fall-through to in-memory behavior on any failure) and the security hardening is comprehensive.

No P0 or P1 findings. The logic is carefully guarded at every layer: bounded file size before parsing, schema validation, future-timestamp rejection, atomic write semantics (CWE-59 mitigation), and correct insertion-order maintenance for the eviction loop. All previous review concerns have been addressed and regression-tested. Formatting changes in other files are purely cosmetic.

No files require special attention.

_{Reviews (6): Last reviewed commit: "Merge remote-tracking branch 'origin/mai..." | Re-trigger Greptile}

[greptile-apps]

Additional Comments (1)

src/slack/sent-thread-cache.test.ts
afterEach leaves loaded as true, risking real state-dir reads in tests

The existing test suite's afterEach calls clearSlackThreadParticipationCache(), which clears the in-memory map but does not reset the loaded flag. As a result, the very first test to run in this suite will invoke loadFromDisk() and attempt to read from the real $STATE_DIR/slack-thread-participation.json (the default path, because persistPathOverride is undefined). Subsequent tests in the suite are unaffected because loaded stays true.

If someone runs these tests on a machine that has live Slack thread data in its state directory, the first test picks up that data, making the suite environment-dependent. The persistence suite correctly uses _resetForTests(undefined) which resets loaded and persistPathOverride. Using the same helper here would keep things consistent and safe:

  afterEach(() => {
    _resetForTests(undefined);
    vi.restoreAllMocks();
  });

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/slack/sent-thread-cache.test.ts
Line: 14-17

Comment:
**`afterEach` leaves `loaded` as `true`, risking real state-dir reads in tests**

The existing test suite's `afterEach` calls `clearSlackThreadParticipationCache()`, which clears the in-memory map but does **not** reset the `loaded` flag. As a result, the very first test to run in this suite will invoke `loadFromDisk()` and attempt to read from the real `$STATE_DIR/slack-thread-participation.json` (the default path, because `persistPathOverride` is `undefined`). Subsequent tests in the suite are unaffected because `loaded` stays `true`.

If someone runs these tests on a machine that has live Slack thread data in its state directory, the first test picks up that data, making the suite environment-dependent. The persistence suite correctly uses `_resetForTests(undefined)` which resets `loaded` and `persistPathOverride`. Using the same helper here would keep things consistent and safe:

```suggestion
  afterEach(() => {
    _resetForTests(undefined);
    vi.restoreAllMocks();
  });
```

How can I resolve this? If you propose a fix, please make it concise.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0a210d0aa0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Confidence Score: 5/5 ✅

The only gap from the previous review has been fully addressed. You've added two excellent tests for the clearSlackThreadParticipationCache() persistence fix:

1. "clear persists empty state so entries do not return after restart" - tests the primary restart scenario
2. "clear before first load still wipes existing persist file" - tests the edge case where clear happens before any cache access

The test suite is now comprehensive (6 persistence tests total), the implementation is solid, and there's complete regression protection for the clear functionality. No changes needed — this is ready to merge.

[zeroaltitude]

Confidence Score: 5/5 ✅

The only gap from the previous review has been fully addressed. You've added two excellent tests for the clearSlackThreadParticipationCache() persistence fix:

1. "clear persists empty state so entries do not return after restart" - tests the primary restart scenario
2. "clear before first load still wipes existing persist file" - tests the edge case where clear happens before any cache access

The test suite is now comprehensive (6 persistence tests total), the implementation is solid, and there's complete regression protection for the clear functionality. No changes needed — this is ready to merge.

@greptile-apps: if you could update your main score comment with this change, it would be somewhat easier for reviewers. Thank you in advance!

[greptile-apps]

Additional Comments (1)

src/slack/sent-thread-cache.test.ts, line 55
Unit test silently writes to real $STATE_DIR on clear

clearSlackThreadParticipationCache() now synchronously calls persistToDisk(), and the first describe block never sets a persistPathOverride. This means when this test calls clearSlackThreadParticipationCache() at line 52, it resolves the real $STATE_DIR path and overwrites (or creates) slack-thread-participation.json with {}.

On a developer's machine running pnpm test / vitest, this silently wipes any real Slack thread participation cache that may have existed in their ~/.openclaw/ state dir. In CI it's harmless since there's no state dir.

The other tests in this block are safe — schedulePersist() timers are always cancelled by _resetForTests() in afterEach before they can fire — but persistToDisk() in clearSlackThreadParticipationCache() is immediate and synchronous.

The straightforward fix is to add path isolation to this describe block's afterEach, mirroring the persistence suite:

describe("slack sent-thread-cache", () => {
  let tempDir: string;

  beforeEach(() => {
    tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "slack-thread-cache-test-"));
    _resetForTests(path.join(tempDir, "slack-thread-participation.json"));
  });

  afterEach(() => {
    _resetForTests(undefined);
    vi.restoreAllMocks();
    try { fs.rmSync(tempDir, { recursive: true, force: true }); } catch { /* ignore */ }
  });
  ...

Alternatively, if keeping the two suites cleanly separated is preferred, the "clears all entries" test could be moved into the persistence suite (where setup() is already called), since it now inherently tests a persisted-state concern.

[zeroaltitude]

Just a note to reviewers that greptile added it's 5/5 score as a secondary comment in this PR.

[zeroaltitude]

CI/secrets failing due to pnpm-audit-prod on transitive deps (@buape/carbon -> @hono/node-server -> hono); PR does not modify package.json/lockfile. Happy to send a separate dependency bump/override PR if that’s the preferred fix

[zeroaltitude]

@greptile-apps: I'd apprecate you renewing your greptile summary as the 4/5 score there seems to be superceded by your 5/5 score in comments.

[zeroaltitude]

@joshavant — small channel/gateway fix, would appreciate your eyes on when you have a moment! thanks in advance!

[zeroaltitude]

@greptile-apps: can I get a review?