fix(slack): reject HTML responses when downloading media

[tumf]

Summary

Slack sometimes returns HTML login pages instead of binary media when authentication fails (e.g., missing files:read scope) or URLs expire. This change detects and rejects HTML responses, improving error visibility.

Changes

• Add looksLikeHtml() function to detect HTML content by checking:
  • <!doctype html or <html prefixes
  • slack-edge.com or redirecturl: patterns (Slack-specific)
• Log warning when HTML is received instead of media
• Skip to next file URL when HTML is detected
• Add tests for HTML detection scenarios

Testing

• Unit tests added and passing
• Tested locally with Slack channel file uploads
• Verified warning log helps identify scope/auth issues

AI Assistance

• AI-assisted (Claude)
• Fully tested
• I understand what the code does

This fix helped diagnose a real issue where files:read scope was missing from the Slack bot token - the warning log made it clear that HTML was being returned instead of the actual file.

Greptile Overview

Greptile Summary

(placeholder)

Confidence Score: 4/5

• This PR is safe to merge with low risk; behavior change is scoped to Slack media downloads and covered by unit tests.
• Change is localized and defensive (skip HTML masquerading as media). Main risk is false positives from heuristic HTML detection, but the code exempts expected HTML files and tests cover key cases.
• src/slack/monitor/media.ts (HTML detection heuristic)

_{(4/5) You can add custom instructions or style guidelines for the agent here!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: da6f3e21a5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

_{2 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

src/slack/monitor/media.test.ts
[P1] The new tests don’t assert the warning log side-effect. Since the PR’s goal is improved diagnosability, it’d be useful to mock ../../logger.js and assert logWarn is called when HTML is detected (and not called for genuine HTML files). This helps prevent regressions where the guard keeps working but the visibility signal disappears.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/slack/monitor/media.test.ts
Line: 1:1

Comment:
[P1] The new tests don’t assert the warning log side-effect. Since the PR’s goal is improved diagnosability, it’d be useful to mock `../../logger.js` and assert `logWarn` is called when HTML is detected (and *not* called for genuine HTML files). This helps prevent regressions where the guard keeps working but the visibility signal disappears.

<sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub>

How can I resolve this? If you propose a fix, please make it concise.

[tumf]

Rebased onto main and addressed review feedback:

• P2 Allow genuine HTML files: Fixed - now skips HTML detection for files with mimetype: text/html or .html/.htm extensions
• P2 looksLikeHtml trim: Fixed - now only trims leading whitespace (replace(/^\s+/, "")) and removed slack-edge.com/redirecturl: checks, keeping only reliable <!doctype html and <html prefix detection
• P1 logWarn test assertions: Added - tests now mock logWarn and assert it is called (or not called for genuine HTML files)