agent: @U0AJM7X8FBR API - we want to expand our current slack integration to in #289

Open
sweetmantech wants to merge 1 commit into test from agent/-u0ajm7x8fbr-api---we-want-to--1773325967788
Conversation

@sweetmantech sweetmantech commented Mar 12, 2026

Automated PR from coding agent.

Summary by CodeRabbit

  • New Features
    • Added WhatsApp platform support for the coding agent bot
    • Extended webhook support to include Slack, WhatsApp, and GitHub integrations
    • Implemented platform verification flow for secure webhook handling

vercel bot commented Mar 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| recoup-api | Error | Error | Mar 12, 2026 2:34pm |

coderabbitai bot commented Mar 12, 2026

Walkthrough

These changes extend the coding-agent platform integration to support WhatsApp alongside existing Slack and GitHub adapters. A new GET endpoint initializes the bot, the POST flow incorporates Slack verification, the adapter infrastructure is expanded with WhatsApp, and required environment variables are added for WhatsApp configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| API Route Enhancement: `app/api/coding-agent/[platform]/route.ts` | Added GET endpoint that initializes bot and dispatches to platform-specific webhook handlers. Enhanced POST with Slack url_verification handshake flow before bot initialization. |
| WhatsApp Platform Adapter: `lib/coding-agent/bot.ts` | Integrated WhatsApp adapter alongside existing Slack and GitHub adapters. Updated createCodingAgentBot return type to include whatsapp property in adapters map with proper type annotations. |
| Environment Configuration: `lib/coding-agent/validateEnv.ts` | Added four new required environment variables: WHATSAPP_ACCESS_TOKEN, WHATSAPP_APP_SECRET, WHATSAPP_PHONE_NUMBER_ID, and WHATSAPP_VERIFY_TOKEN. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🤖📱 WhatsApp joins the chat, a new friend arrives,
Platform adapters dance in tandem, three platforms thrive,
Verification flows aligned, initialization flows true,
The coding agent grows wings—there's so much more to do! ✨

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Solid & Clean Code | ⚠️ Warning | Pull request violates SOLID principles: GET handler initializes bot before validating platform, POST handler hardcodes platform verification logic, and both use unsafe casting instead of Zod validation. | Extract platform validation to Zod schema, validate platform before initialization, move platform-specific logic into adapters, and defer bot initialization to first-request time. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
app/api/coding-agent/[platform]/route.ts (1)

49-55: ⚠️ Potential issue | 🔴 Critical

Verify the Slack signature before responding to url_verification challenges.

The early return at lines 51–56 accepts any JSON request with type === "url_verification" without validating the X-Slack-Signature and X-Slack-Request-Timestamp headers. Per Slack's protocol, signature verification is required for all inbound requests, including the initial challenge handshake. Compute the HMAC-SHA256 of the base string v0:{timestamp}:{raw_body} using your signing secret and validate it matches the request signature header before echoing the challenge.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/api/coding-agent/`[platform]/route.ts around lines 49 - 55, The current
early-return for Slack url_verification must verify the Slack signature first:
before returning the challenge in the platform === "slack" branch, read the raw
request body (use request.clone().text() not parsed JSON), extract
X-Slack-Signature and X-Slack-Request-Timestamp headers, build the base string
`v0:{timestamp}:{raw_body}`, compute the HMAC-SHA256 using the Slack signing
secret, prefix with `v0=` and compare using a timing-safe equality to the
incoming signature, and only echo `body.challenge` when the signature and
timestamp are present and valid; otherwise reject/return an error response and
do not short-circuit the normal adapter initialization (refer to the platform
check and the request.clone() usage to locate where to add this).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 76e76f4c-b543-4e3d-bc29-7e46a0a13ab4

📥 Commits

Reviewing files that changed from the base of the PR and between 5b1f6bc and 41882f0.

⛔ Files ignored due to path filters (2)
  • README.md is excluded by none and included by none
  • app/api/coding-agent/__tests__/route.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by app/**
📒 Files selected for processing (3)
  • app/api/coding-agent/[platform]/route.ts
  • lib/coding-agent/bot.ts
  • lib/coding-agent/validateEnv.ts
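
The signature check requested in the outside-diff comment above, as an added example that is not code from this PR, the project, or the reviewer. The helper names, the `{ status, body }` return shape and the five-minute replay window are assumptions made for illustration; the base string, `v0=` prefix and timing-safe comparison follow the comment.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumption: five-minute replay window (not stated in the PR).
const MAX_SKEW_SECONDS = 300;

// "v0=" + hex(HMAC-SHA256(signingSecret, "v0:{timestamp}:{raw_body}"))
function computeSlackSignature(secret: string, timestamp: string, rawBody: string): string {
  const mac = createHmac("sha256", secret).update(`v0:${timestamp}:${rawBody}`, "utf8");
  return "v0=" + mac.digest("hex");
}

function verifySlackRequest(
  secret: string,
  timestamp: string | null,
  signature: string | null,
  rawBody: string,
  nowSeconds: number,
): boolean {
  if (!secret || !timestamp || !signature) return false; // missing secret or headers: reject
  if (!/^\d+$/.test(timestamp)) return false;
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) return false; // stale or replayed
  const expected = Buffer.from(computeSlackSignature(secret, timestamp, rawBody), "utf8");
  const received = Buffer.from(signature, "utf8");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Hypothetical helper: echoes the challenge only for a correctly signed request.
// Returns null when the request is signed but is not a url_verification event,
// so the caller can pass it on to the normal adapter handler.
function answerUrlVerification(
  secret: string,
  headers: { timestamp: string | null; signature: string | null },
  rawBody: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): { status: number; body: string } | null {
  if (!verifySlackRequest(secret, headers.timestamp, headers.signature, rawBody, nowSeconds)) {
    return { status: 401, body: "invalid signature" };
  }
  let parsed: any;
  try {
    parsed = JSON.parse(rawBody); // parse only after the raw bytes have been authenticated
  } catch {
    return { status: 400, body: "invalid JSON" };
  }
  if (parsed?.type !== "url_verification" || typeof parsed?.challenge !== "string") return null;
  return { status: 200, body: parsed.challenge };
}
```

In a route handler the raw body would come from `request.clone().text()` and the two header values from `X-Slack-Request-Timestamp` and `X-Slack-Signature`, as the comment describes.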

Comment on lines +6 to +31
/**
* GET /api/coding-agent/[platform]
*
* Handles webhook verification handshakes for platforms that use GET-based challenges.
* Currently handles WhatsApp's hub.challenge verification.
*
* @param request - The incoming webhook verification request
* @param params.params
* @param params - Route params containing the platform name
*/
export async function GET(
request: NextRequest,
{ params }: { params: Promise<{ platform: string }> },
) {
const { platform } = await params;

await codingAgentBot.initialize();

const handler = codingAgentBot.webhooks[platform as keyof typeof codingAgentBot.webhooks];

if (!handler) {
return new Response("Unknown platform", { status: 404 });
}

return handler(request, { waitUntil: p => after(() => p) });
}
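
Review bot: The JSDoc above GET carries a stray `@param params.params` tag with no description next to the real `@param params` entry; drop it. The same comment says the route currently handles WhatsApp's hub.challenge verification, but the body dispatches a GET to whatever handler exists in codingAgentBot.webhooks for the given platform, so either restrict GET to the platforms that use GET-based challenges or reword the comment to say every adapter can receive GET requests.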
🛠️ Refactor suggestion | 🟠 Major

Please add route coverage for the new verification branches.

The new GET handler and Slack challenge shortcut add several contracts that can regress quietly: verification success, unknown platform handling, invalid challenge payloads, and normal webhook delegation. I don't see matching tests in this PR.

Based on learnings "Write tests for new API endpoints covering all success and error paths".

Also applies to: 33-67

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/api/coding-agent/`[platform]/route.ts around lines 6 - 31, Add
unit/integration tests for the new GET route handler to cover all branches: call
the exported GET function (or exercising the route) and assert (1) successful
verification flow when a valid platform-specific challenge is provided (mock
codingAgentBot.initialize and the platform handler in codingAgentBot.webhooks to
return a valid Response), (2) unknown platform returns 404 when
codingAgentBot.webhooks lacks the key, (3) invalid/malformed challenge payloads
produce the expected error response (mock the platform handler to simulate
invalid payload handling), and (4) normal webhook delegation forwards the
request to the platform handler and respects waitUntil behavior (mock handler to
capture the passed request and promise). Mock codingAgentBot.initialize and
codingAgentBot.webhooks entries and assert responses and side effects for each
case.

Comment on lines +16 to +30
export async function GET(
request: NextRequest,
{ params }: { params: Promise<{ platform: string }> },
) {
const { platform } = await params;

await codingAgentBot.initialize();

const handler = codingAgentBot.webhooks[platform as keyof typeof codingAgentBot.webhooks];

if (!handler) {
return new Response("Unknown platform", { status: 404 });
}

return handler(request, { waitUntil: p => after(() => p) });
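
Review bot: The lookup `codingAgentBot.webhooks[platform as keyof typeof codingAgentBot.webhooks]` indexes with an unvalidated route string, and the cast only silences the type checker. If webhooks is a plain object, a platform value such as "constructor" resolves to an inherited property, passes the `!handler` check, and is then invoked as a handler instead of producing the 404. Test membership with Object.hasOwn(codingAgentBot.webhooks, platform), or against an explicit allow-list of platform names, before reading the handler.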
⚠️ Potential issue | 🟠 Major

The verification fast-path is ineffective while the bot stays module-scoped.

codingAgentBot is instantiated during module import in lib/coding-agent/bot.ts:66, so these handlers still validate env and touch Redis before GET or POST runs. That makes unknown-platform requests and Slack/WhatsApp verification depend on unrelated startup state, which can turn a simple 404/challenge response into a 500 or timeout. Validate platform first, then lazily create and initialize the bot only after a real handler has been selected.

As per coding guidelines "All API endpoints should use a validate function for input parsing using Zod for schema validation".

Also applies to: 43-58

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@app/api/coding-agent/`[platform]/route.ts around lines 16 - 30, Validate and
parse the incoming platform param first (use a Zod validate function) and
early-return 404 for unknown platforms before touching the module-scoped bot;
then lazily create/initialize the bot and resolve the handler. Concretely: in
GET (and similarly in POST), run Zod validation on params to extract platform,
check codingAgentBot.webhooks[platform] for a handler and return 404 if missing,
and only after selecting a valid handler call a lazy factory or function to
obtain/initialize the bot (instead of relying on the module-scoped
codingAgentBot created at import) and finally invoke handler(request, {
waitUntil: p => after(() => p) }). Ensure you update both occurrences (lines
matching GET and the POST handler region) to follow this pattern.
