fix(slack): surface attachment access diagnostics

Translate Slack attachment failures into actionable user-facing notices instead of generic download errors. When a scope/auth/permission issue breaks attachment processing, the user sees: [Slack attachment notice] - Slack attachment access failed for photo.jpg. Missing scope: files:read. Update the Slack app scopes/settings and reinstall the app to the workspace. Two helpers do the translation: _describe_slack_api_error — handles SlackApiError responses (missing_scope, invalid_auth, file_not_found, access_denied, etc.) _describe_slack_download_failure — handles httpx.HTTPStatusError (401/403/404) and Slack-returns-HTML-sign-in fallbacks Wired into three existing call sites: - the Slack Connect files.info path (PR #11111) so scope errors surface instead of being logged as generic "files.info failed" - the image, audio, and document download paths so 401/403 and HTML-body responses translate into actionable notices Adjustment from original PR: dropped _probe_slack_file_access_issue, the proactive pre-download files.info probe. It added one extra Slack API call per attachment even on healthy ones, and overlapped with the existing files.info call from PR #11111. The post-failure translation path covers the same user-facing diagnostic value without the per-message tax. Also documents files:read scope more prominently in the Slack setup guide and troubleshooting table. Contributed back from https://github.com/xinbenlv/zn-hermes-agent. Closes #7015. Co-authored-by: xinbenlv <zzn+pa@zzn.im>
2026-04-27 01:11:40 +00:00 · 2026-04-26 12:47:10 -07:00 · 2026-04-26 12:47:10 -07:00 · 778fd1898e
commit 778fd1898e
parent 45bfcb9e71
4 changed files with 164 additions and 12 deletions
--- a/website/docs/user-guide/messaging/slack.md
+++ b/website/docs/user-guide/messaging/slack.md
@ -82,7 +82,8 @@ Navigate to **Features → OAuth & Permissions** in the sidebar. Scroll to **Sco

 :::caution Missing scopes = missing features
 Without `channels:history` and `groups:history`, the bot **will not receive messages in channels** —
-it will only work in DMs. These are the most commonly missed scopes.
+it will only work in DMs. Without `files:read`, Hermes can chat but **cannot reliably read user-uploaded attachments**.
+These are the most commonly missed scopes.
 :::

 **Optional scopes:**
@ -520,7 +521,8 @@ Keys are Slack channel IDs (find them via channel details → "About" → scroll
 | "Sending messages to this app has been turned off" in DMs | Enable the **Messages Tab** in App Home settings (see Step 5) |
 | "not_authed" or "invalid_auth" errors | Regenerate your Bot Token and App Token, update `.env` |
 | Bot responds but can't post in a channel | Invite the bot to the channel with `/invite @Hermes Agent` |
-| "missing_scope" error | Add the required scope in OAuth & Permissions, then **reinstall** the app |
+| Bot can chat but can't read uploaded images/files | Add `files:read`, then **reinstall** the app. Hermes now surfaces attachment access diagnostics in-chat when Slack returns scope/auth/permission failures. |
+| `missing_scope` error | Add the required scope in OAuth & Permissions, then **reinstall** the app |
 | Socket disconnects frequently | Check your network; Bolt auto-reconnects but unstable connections cause lag |
 | Changed scopes/events but nothing changed | You **must reinstall** the app to your workspace after any scope or event subscription change |