annotate permissions/v2 default builder #75

Merged
laurenleach merged 1 commit into main from lauren/annotate-permissions
Feb 27, 2026

@laurenleach laurenleach commented Feb 27, 2026

Summary by CodeRabbit

Release Notes

  • New Features

    • Slack connector now includes enhanced capability permissions providing improved access control and fine-grained scope management for users, workspaces, groups, and roles.
  • Refactor

    • Updated resource annotation architecture to support capability-based permission composition and scoping.

@laurenleach laurenleach requested a review from a team February 27, 2026 01:21

coderabbitai bot commented Feb 27, 2026

Walkthrough

This pull request integrates capability-based permissions into the Slack connector. The main connector initialization is updated to use a default capabilities builder, and resource type definitions are enhanced with fine-grained capability permissions annotations covering users, workspaces, groups, and roles.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Connector Initialization (cmd/baton-slack/main.go) | Adds WithDefaultCapabilitiesConnectorBuilderV2 option to the RunConnector call for the Slack connector. |
| Resource Type Permissions (pkg/connector/resource_types.go) | Introduces capabilityPermissions helper function and extends resourceType definitions (User, Workspace, UserGroup, Group, WorkspaceRole) with capability-scoped permission annotations including bot and user scopes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through Slack's new doors,
With capabilities the connector explores,
Permissions fine-grained, scopes so clear,
User and bot, near and dear,
Building trust, level by level!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding capability permission annotations and utilizing the v2 default builder pattern in the Slack connector. |



github-actions bot commented Feb 27, 2026

Claude finished @laurenleach's task in 1m 21s


PR Review: Annotate permissions/v2 default builder

  • Gather context and read changed files
  • Analyze changes and review code
  • Post review feedback

Summary

This PR does two things:

  1. Registers a default capabilities connector builder via WithDefaultCapabilitiesConnectorBuilderV2 so the capabilities sub-command can introspect the connector's resource types without requiring full client initialization.
  2. Annotates each resource type with the Slack API scopes (permissions) it requires, using a new capabilityPermissions helper.

Review

Looks good overall. The changes are clean, well-organized, and the permission annotations per resource type are logically sound. A few observations:

&connector.Slack{} zero-value safety (cmd/baton-slack/main.go:20)

The capabilities builder uses a zero-value Slack{} (nil client, nil businessPlusClient). This is fine as long as the capabilities sub-command only calls ResourceSyncers() → ResourceType() on each builder to discover types and their annotations, and never invokes List()/Entitlements()/Grants(). The builder constructors (userBuilder, workspaceBuilder, etc.) just store the nil references, so construction is safe. Worth confirming the SDK's capabilities sub-command contract guarantees this.

Helper function (pkg/connector/resource_types.go:8-14)

capabilityPermissions is clean and appropriate. Minor nit: you could pre-allocate the slice with make([]*v2.CapabilityPermission, 0, len(perms)) to avoid incremental growth, but with 2-6 permissions per call, the performance difference is negligible. Not a blocking comment.

Permission scope accuracy — Spot-checked the scopes against the resource type usage:

  • User: users:read, users:read.email, users.profile:read (bot) + admin, admin.users:read (SCIM) — consistent with user listing via both bot and Business+ APIs.
  • Workspace: team:read, users:read, users:read.email, channels:join, channels:read, groups:read (bot) + admin.teams:read (user) — covers team info, channel enumeration, and member listing.
  • UserGroup: usergroups:read, users:read (bot) + admin.usergroups:read (user) — matches user group sync.
  • Group (IDP): admin, admin.users:write (SCIM) — matches SCIM group operations.
  • WorkspaceRole: admin, admin.roles:read (user) — matches role listing.

The bot vs. user token scope categorization via comments is a nice touch for maintainability.

No issues found. LGTM.
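
The zero-value concern raised in the review above, as an added Go example (not code from this PR or the SDK): a connector built without clients can still report its resource types and scopes, and a nil-client guard makes a stray List() call fail with an error instead of a nil-pointer panic. All type names, function names and resource type IDs are hypothetical stand-ins; only the scope strings come from the review.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins, not baton-slack code; scope strings are from the review.
type resourceType struct{ ID string; Scopes []string }

type apiClient struct{ token string }
func (c *apiClient) list(kind string) []string { return []string{kind + " via " + c.token} }

var errNoClient = errors.New("capabilities-only connector: no API client")

type builder struct{ rt resourceType; client *apiClient }

// ResourceType reads no client state, so it is safe on a zero-value connector.
func (b *builder) ResourceType() resourceType { return b.rt }

// List guards the nil client so a stray call fails cleanly instead of panicking.
func (b *builder) List() ([]string, error) {
	if b.client == nil {
		return nil, errNoClient
	}
	return b.client.list(b.rt.ID), nil
}

type slack struct{ client *apiClient }
func (s *slack) syncers() []*builder {
	return []*builder{
		{resourceType{"user", []string{"users:read", "users:read.email", "users.profile:read", "admin", "admin.users:read"}}, s.client},
		{resourceType{"workspace_role", []string{"admin", "admin.roles:read"}}, s.client},
	}
}

// describeCapabilities only constructs builders and reads their annotations.
func describeCapabilities(s *slack) (out []resourceType) {
	for _, b := range s.syncers() {
		out = append(out, b.ResourceType())
	}
	return out
}

func main() {
	zero := &slack{} // nil client, like &connector.Slack{} in the PR
	_, err := zero.syncers()[0].List()
	fmt.Println(describeCapabilities(zero), err)
}
```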



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/connector/resource_types.go (1)

8-12: Preallocate permission slice capacity in helper

At Line 9, preallocating cp.Permissions to len(perms) avoids incremental reallocations in the append loop.

Suggested diff
 func capabilityPermissions(perms ...string) *v2.CapabilityPermissions {
-	cp := &v2.CapabilityPermissions{}
+	cp := &v2.CapabilityPermissions{
+		Permissions: make([]*v2.CapabilityPermission, 0, len(perms)),
+	}
 	for _, p := range perms {
 		cp.Permissions = append(cp.Permissions, &v2.CapabilityPermission{Permission: p})
 	}
 	return cp
 }
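Review bot: on the added "Permissions: make([]*v2.CapabilityPermission, 0, len(perms))," line, a call with no arguments now returns an empty non-nil slice, where the removed "cp := &v2.CapabilityPermissions{}" left Permissions nil, so any caller or test that distinguishes nil from empty will see a change. If that matters, allocate only when len(perms) > 0. Separately, the unchanged loop appends every p as given, so an empty string would be published as a required permission; skipping empty values in the loop is cheap.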
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/connector/resource_types.go` around lines 8 - 12, The helper
capabilityPermissions preallocates cp.Permissions to avoid incremental
reallocations: inside capabilityPermissions, initialize cp.Permissions with
make([]*v2.CapabilityPermission, 0, len(perms)) (or make with length len(perms)
and assign by index) before the loop, then populate it with the
CapabilityPermission values for each p; this ensures capacity is reserved for
len(perms) and improves performance when appending in the loop.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3af32b5 and ff0f1c3.

📒 Files selected for processing (2)
  • cmd/baton-slack/main.go
  • pkg/connector/resource_types.go

Comment on lines 17 to 21
func main() {
	ctx := context.Background()
	config.RunConnector(ctx, connectorName, version, cfg.Configuration, connector.New,
		connectorrunner.WithDefaultCapabilitiesConnectorBuilderV2(&connector.Slack{}),
		connectorrunner.WithSessionStoreEnabled())

⚠️ Potential issue | 🟠 Major

Add required --base-url and --insecure CLI support

Line 19 currently runs with static connector configuration and does not expose --base-url / --insecure handling required for mock-server and self-signed cert workflows.

As per coding guidelines, "Use command-line flags for API URLs and configuration rather than hardcoding them to allow mock server testing and environment flexibility. Support --base-url and --insecure command-line flags for mock server testing and self-signed certificate handling."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cmd/baton-slack/main.go` around lines 17 - 21, Add CLI flags --base-url
(string) and --insecure (bool) in main(), parse them before calling
config.RunConnector, and propagate their values into the connector configuration
used by RunConnector. Concretely: declare flag variables (e.g., baseURL,
insecure), call flag.Parse(), then set the appropriate fields on
cfg.Configuration (or call a setter on cfg.Configuration) so the value of
baseURL is used as the connector API base URL and insecure toggles TLS
verification (e.g., disable cert verification in the connector's HTTP/TLS
setup). Keep the rest of the invocation of config.RunConnector(ctx,
connectorName, version, cfg.Configuration, connector.New,
connectorrunner.WithDefaultCapabilitiesConnectorBuilderV2(&connector.Slack{}),
connectorrunner.WithSessionStoreEnabled()) unchanged except that
cfg.Configuration now contains the parsed baseURL and insecure values.
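
One way to wire the --base-url and --insecure flags described in the comment above so that disabling certificate verification stays confined to a local mock server, as an added Go example that is not baton-slack or SDK code. The names newHTTPClient, isLoopback and errInsecureRemote, the loopback-only policy and the sample default URL are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"flag"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
)

// Hypothetical names throughout; this is not baton-slack or SDK code.
var errInsecureRemote = errors.New("--insecure refused: base URL is not a loopback host")

func isLoopback(host string) bool {
	ip := net.ParseIP(host)
	return host == "localhost" || (ip != nil && ip.IsLoopback())
}

// newHTTPClient builds the HTTP client from the two flag values. Certificate
// verification can be switched off, and plain http used, only for loopback.
func newHTTPClient(baseURL string, insecure bool) (*http.Client, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return nil, err
	}
	local := isLoopback(u.Hostname())
	if u.Scheme != "https" && !(local && u.Scheme == "http") {
		return nil, fmt.Errorf("unsupported base URL scheme %q", u.Scheme)
	}
	if insecure && !local {
		return nil, errInsecureRemote
	}
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}

func main() {
	baseURL := flag.String("base-url", "https://slack.com/api/", "API base URL (sample default)")
	insecure := flag.Bool("insecure", false, "skip TLS verification (loopback mock server only)")
	flag.Parse()
	if _, err := newHTTPClient(*baseURL, *insecure); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Println("client configured for", *baseURL)
}
```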

@laurenleach laurenleach merged commit ce0faf5 into main Feb 27, 2026
7 checks passed