
[Security] Slack Empty Allowlist Defaults to Open Access #13161

@secredoai

Description


Severity: LOW

Summary

isSlackSenderAllowListed returns true when the allowlist is empty, meaning a freshly configured Slack integration accepts messages from everyone without explicit configuration.

Affected Code

File: src/slack/monitor/auth.ts:19

When allowFrom has no entries, the function returns true for all senders. Combined with groupPolicy defaulting to "open", all users in all channels can interact with the bot.

Impact

Low — this is documented behavior and the provider logs a warning. But it could be surprising for operators who expect a deny-by-default posture.

Recommended Fix

Consider logging a more prominent warning at startup when the Slack allowlist is empty, or add a config flag for deny-by-default mode.
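To make the behaviour in "Affected Code" and the two options in "Recommended Fix" concrete, here is an added illustration written for this issue. It is not the project's `src/slack/monitor/auth.ts`; the config shape (`allowFrom` as a list of Slack user IDs), the `denyByDefault` flag, the function names and the sample user IDs are all assumptions. The permissive function reproduces the reported behaviour (empty allowlist admits every sender), the strict function shows the deny-by-default flag, and the startup check returns the prominent warning an operator should see when neither an allowlist nor an explicit posture is configured.

```typescript
// Added example for this issue, not the project's own auth.ts.
// Config shape, flag name and sample IDs are assumptions.

type SlackAllowlistConfig = {
  // Assumed: Slack user IDs permitted to talk to the bot; empty = not configured.
  allowFrom: string[];
  // Hypothetical flag from the recommended fix: when true, an empty allowlist
  // denies every sender instead of admitting every sender.
  denyByDefault?: boolean;
};

// Reproduces the behaviour reported above: an empty allowlist admits everyone.
function isSlackSenderAllowListedPermissive(
  cfg: SlackAllowlistConfig,
  senderId: string,
): boolean {
  if (cfg.allowFrom.length === 0) {
    return true; // open by default: the surprising case from the report
  }
  return cfg.allowFrom.indexOf(senderId) !== -1;
}

// Hardened variant: empty allowlist plus denyByDefault => nobody is admitted.
// Without the flag it behaves exactly like the permissive version, so existing
// deployments keep working until an operator opts in.
function isSlackSenderAllowListedStrict(
  cfg: SlackAllowlistConfig,
  senderId: string,
): boolean {
  if (cfg.allowFrom.length === 0) {
    return cfg.denyByDefault !== true;
  }
  return cfg.allowFrom.indexOf(senderId) !== -1;
}

// Startup check for the first recommendation: returns the warning text that
// should be logged prominently, or null when the posture is already explicit
// (a non-empty allowlist, or deny-by-default switched on).
function allowlistStartupWarning(cfg: SlackAllowlistConfig): string | null {
  if (cfg.allowFrom.length > 0) {
    return null;
  }
  if (cfg.denyByDefault === true) {
    return null;
  }
  return (
    "SLACK ALLOWLIST EMPTY: allowFrom is not set, so every Slack user in every " +
    "channel can interact with the bot. Set allowFrom or denyByDefault: true."
  );
}

// Constructed sample configurations (not taken from any real deployment).
const openConfig: SlackAllowlistConfig = { allowFrom: [] };
const closedConfig: SlackAllowlistConfig = { allowFrom: [], denyByDefault: true };
const scopedConfig: SlackAllowlistConfig = { allowFrom: ["U0001", "U0002"] };

// Walk through the three configurations with an unknown sender.
const unknownSender = "U9999";
for (const [name, cfg] of [
  ["open", openConfig],
  ["closed", closedConfig],
  ["scoped", scopedConfig],
] as Array<[string, SlackAllowlistConfig]>) {
  console.log(
    `${name}: permissive=${isSlackSenderAllowListedPermissive(cfg, unknownSender)}` +
      ` strict=${isSlackSenderAllowListedStrict(cfg, unknownSender)}` +
      ` warning=${allowlistStartupWarning(cfg) !== null}`,
  );
}
```

Running it shows the gap the issue describes: the `open` configuration admits the unknown sender under both functions unless `denyByDefault` is set, and it is the only one of the three that produces a startup warning. The startup warning is what turns a documented-but-easily-missed default into something an operator notices during rollout, which is the low-cost half of the recommended fix.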

Metadata


Labels: bug (Something isn't working), security (Security documentation)
