
Harden console Slack webhook config#76

Open

firstedition0123 wants to merge 3 commits into BAWES-Universe:master from firstedition0123:console-slack-env

Conversation

firstedition0123 commented May 15, 2026

/claim #55

Scope

This is a small, separate console Slack webhook hardening slice.

It does not touch the existing common app Slack config or the already-open third-party credential hardening PR. The change is limited to the console app configuration and keeps the shared SLACK_WEBHOOK_URL as a fallback for deployments that use one Slack webhook across app surfaces.

Changes:

  • Moves the console Slack webhook URL out of console/config/main.php.
  • Reads CONSOLE_SLACK_WEBHOOK_URL first, then falls back to SLACK_WEBHOOK_URL.
  • Adds docs/console-slack-env.md for the runtime variables.
  • Adds scripts/check-console-slack-hardening.py to prevent reintroducing a checked-in console Slack webhook.

Safety Boundary

No live Slack workspace, AWS/IAM, candidate data, production services, or private account data were accessed. This PR only changes checked-in config wiring, documentation, and a static regression check. It does not include secret values.

Demo

Privacy-safe demo video: https://github.com/firstedition0123/studenthub/releases/download/console-slack-demo-20260515/studenthub-console-slack-demo.mp4

Verification

python scripts/check-console-slack-hardening.py
# Console Slack webhook hardening check passed.

python -m py_compile scripts/check-console-slack-hardening.py

git diff --check

Targeted search of console/config/main.php confirmed that the checked-in Slack webhook URL pattern is no longer present.

PHP lint was not run locally because the php executable is not installed in this environment. The PHP change is limited to assigning an env-backed value before the existing config array and wiring that value into the Slack client URL.

The console app still committed a Slack incoming webhook while related common-app credential hardening is already covered by separate open PRs. This keeps the fix limited to console config, documents the runtime variables, and adds a static guard for regression checks.

Constraint: Bounty scope needs to avoid overlapping existing S3, service-token, Cloudinary, and third-party credential PRs

Rejected: Touch common/config/main.php | already covered by open third-party credential PRs

Confidence: medium

Scope-risk: narrow

Directive: Keep this PR scoped to console Slack config unless the existing broader third-party credential PR is closed without merge

Tested: python scripts/check-console-slack-hardening.py; python -m py_compile scripts/check-console-slack-hardening.py; git diff --check

Not-tested: php -l console/config/main.php because php is not installed locally
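
The precedence the description above gives (CONSOLE_SLACK_WEBHOOK_URL first, then SLACK_WEBHOOK_URL), modelled in Python as an added example. This is not the PR's PHP change to console/config/main.php and not project code; the URL-shape validation, the blank-means-unset rule and the log fingerprint go beyond what the PR states, and the function names and the sample environment are constructed for the example.

```python
"""Resolve the console Slack webhook URL from the environment, console-specific first.

Added example, not the project's PHP config: a Python model of the precedence the PR
describes (CONSOLE_SLACK_WEBHOOK_URL, then SLACK_WEBHOOK_URL), plus three things the PR
does not spell out but a deployment wants: blank values count as unset, the value must
look like a Slack incoming webhook, and logs only ever get a fingerprint of the URL.
"""
import hashlib
from typing import Mapping, Tuple
from urllib.parse import urlsplit

CONSOLE_VAR = "CONSOLE_SLACK_WEBHOOK_URL"
SHARED_VAR = "SLACK_WEBHOOK_URL"
# Slack incoming webhooks have the form https://hooks.slack.com/services/T.../B.../...
WEBHOOK_HOST = "hooks.slack.com"
WEBHOOK_PATH_PREFIX = "/services/"


class WebhookConfigError(RuntimeError):
    """No usable webhook configured: fail closed instead of posting to a bad URL."""


def validate_webhook_url(url: str, var: str) -> None:
    """Reject values that cannot be a Slack incoming webhook (http://, lookalike hosts, API URLs)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise WebhookConfigError(f"{var}: webhook URL must use https, got {parts.scheme!r}")
    if parts.hostname != WEBHOOK_HOST:  # exact host match, so hooks.slack.com.evil.example fails
        raise WebhookConfigError(f"{var}: unexpected host {parts.hostname!r}")
    if not parts.path.startswith(WEBHOOK_PATH_PREFIX):
        raise WebhookConfigError(f"{var}: path does not look like an incoming webhook")


def resolve_console_webhook(env: Mapping[str, str]) -> Tuple[str, str]:
    """Return (url, source_var): the console-specific value wins, the shared one is the fallback.

    A variable set to an empty or whitespace-only string is treated as unset, which is what an
    empty .env line or `-e CONSOLE_SLACK_WEBHOOK_URL=` in Docker produces.
    """
    for var in (CONSOLE_VAR, SHARED_VAR):
        value = env.get(var, "").strip()
        if value:
            validate_webhook_url(value, var)
            return value, var
    raise WebhookConfigError(f"neither {CONSOLE_VAR} nor {SHARED_VAR} is set")


def webhook_fingerprint(url: str) -> str:
    """Short, log-safe identifier of which webhook is in use; it does not reveal the URL."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()[:12]


if __name__ == "__main__":
    # Constructed sample environment; the webhook value is a placeholder, not a real one.
    sample_env = {
        "SLACK_WEBHOOK_URL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
        "CONSOLE_SLACK_WEBHOOK_URL": "   ",  # blank: falls through to the shared webhook
    }
    url, source = resolve_console_webhook(sample_env)
    print(f"console Slack webhook taken from {source}, fingerprint {webhook_fingerprint(url)}")
```

The exact-host comparison is the part worth copying into whatever language the real config uses: a `startswith("https://hooks.slack.com")` check accepts `hooks.slack.com.evil.example`, and a webhook URL is a bearer credential, so a lookalike host receives every message the console sends.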

coderabbitai Bot commented May 15, 2026

Warning

Rate limit exceeded

@firstedition0123 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 46 minutes and 23 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4223bc76-daf8-40fa-b027-9d1ee2aa6ff4

📥 Commits

Reviewing files that changed from the base of the PR and between 3aba596 and 8a88298.

📒 Files selected for processing (1)
  • scripts/check-console-slack-hardening.py
📝 Walkthrough

This PR secures Slack webhook configuration by moving from hardcoded values in code to environment variables. The console configuration reads from CONSOLE_SLACK_WEBHOOK_URL with a SLACK_WEBHOOK_URL fallback, a validation script ensures the hardening is maintained, and documentation guides deployment and security practices.

Changes

Slack Webhook Security Hardening

| Layer | File(s) | Summary |
| --- | --- | --- |
| Environment-based webhook configuration | console/config/main.php | $consoleSlackWebhookUrl is initialized from the CONSOLE_SLACK_WEBHOOK_URL environment variable (with fallback to SLACK_WEBHOOK_URL), replacing hardcoded webhook URLs in the Slack component configuration. |
| Hardening validation script | scripts/check-console-slack-hardening.py | New Python script validates the console config for hardening compliance: no hardcoded Slack webhook hosts, proper environment variable reading, fallback variable inclusion, and correct Slack component URL wiring. |
| Configuration documentation and guidance | docs/console-slack-env.md | Documentation describes the two configuration variables, deployment secrecy best practices (secret managers, local env files), and references the hardening check script as a pre-change regression prevention tool. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A webhook once hardcoded in sight,
Now hides in the env so tight.
The validation script stands guard, so keen,
Ensuring secrets aren't seen.
🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'Harden console Slack webhook config' clearly and concisely summarizes the main change: removing hardcoded credentials and migrating to environment variables for the console's Slack webhook configuration. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped: CodeRabbit's high-level summary is enabled. |


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


coderabbitai Bot left a comment

🧹 Nitpick comments (1)
scripts/check-console-slack-hardening.py (1)

22-23: ⚡ Quick win

Use a whitespace-tolerant pattern for Slack URL wiring check.

Line 22 currently depends on an exact PHP formatting string, so benign style changes can fail the guard. Prefer a regex that matches 'url' => $consoleSlackWebhookUrl with flexible spacing/quotes.

Proposed diff
 from pathlib import Path
+import re
@@
-    if "'url' => $consoleSlackWebhookUrl" not in text:
+    if not re.search(r"['\"]url['\"]\s*=>\s*\$consoleSlackWebhookUrl\b", text):
         failures.append("console/config/main.php does not wire the Slack client URL through the env-backed value")
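Review bot: the regex on the `+` line still passes on a commented-out wiring line, because `re.search` runs over the whole of `text`. A config that keeps `// 'url' => $consoleSlackWebhookUrl,` as a comment next to a live `'url' => 'https://hooks.slack.com/...'` satisfies this check and is only caught by the separate hard-coded-host check. Anchor the pattern to the start of a line, `r"(?m)^\s*['\"]url['\"]\s*=>\s*\$consoleSlackWebhookUrl\b"`, or strip `//`, `#` and `/* */` comments from `text` before searching, so only live code can satisfy the guard. The trailing `\b` is worth keeping: it rejects a renamed `$consoleSlackWebhookUrlOld`.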
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/check-console-slack-hardening.py` around lines 22 - 23, The current
check in check-console-slack-hardening.py looks for the exact literal "'url' =>
$consoleSlackWebhookUrl" which is brittle; replace that equality check with a
regex search that tolerates flexible spacing and either single or double quotes
around the key and arrow (e.g. pattern like
r"""['"]url['"]\s*=>\s*\$consoleSlackWebhookUrl"""), compile with re.IGNORECASE
if desired, and use re.search(text) instead of the string containment test so
the failures.append branch only triggers when the pattern is truly absent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d391e70-20ea-4e22-ad17-e80c103193fd

📥 Commits

Reviewing files that changed from the base of the PR and between 7b023ff and 3aba596.

📒 Files selected for processing (3)
  • console/config/main.php
  • docs/console-slack-env.md
  • scripts/check-console-slack-hardening.py
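
A standalone version of the regression guard, as an added example that serves both the checker listed in the PR's change list and the four checks the walkthrough above attributes to it, together with the whitespace-tolerant wiring regex from the nit. It is not the PR's scripts/check-console-slack-hardening.py; the regexes, the comment-stripping step and the two PHP samples are constructed for the example and are not the repository's real file.

```python
"""Static regression guard for a console config that must not contain a Slack webhook.

Added example, not the PR's scripts/check-console-slack-hardening.py. It performs the four
checks the review walkthrough lists, with two differences a reviewer would want: the
env-read and URL-wiring patterns tolerate spacing and quoting (the CodeRabbit nit), and
those checks ignore PHP comments so a commented-out wiring line cannot satisfy them,
while the hard-coded-URL check scans the raw text so a webhook left in a comment fails.
"""
import re
import sys
from typing import List

ENV_VAR = "CONSOLE_SLACK_WEBHOOK_URL"
FALLBACK_VAR = "SLACK_WEBHOOK_URL"
CONFIG_VAR = "consoleSlackWebhookUrl"

_Q = "['\"]"  # either PHP quote style
# getenv('X') / $_ENV['X'] / $_SERVER['X'], with any spacing around the parens/brackets.
_ENV_PREFIX = r"(?:getenv\s*\(\s*|\$_(?:ENV|SERVER)\s*\[\s*)"

HARDCODED_WEBHOOK = re.compile(r"https?://hooks\.slack\.com/\S+")
ENV_READ = re.compile(_ENV_PREFIX + _Q + re.escape(ENV_VAR) + _Q)
FALLBACK_READ = re.compile(_ENV_PREFIX + _Q + re.escape(FALLBACK_VAR) + _Q)
# 'url' => $consoleSlackWebhookUrl with flexible quotes/whitespace; \b rejects e.g. ...UrlOld.
URL_WIRING = re.compile(_Q + "url" + _Q + r"\s*=>\s*\$" + CONFIG_VAR + r"\b")


def strip_php_comments(text: str) -> str:
    """Remove /* */ blocks and // or # line comments.

    Heuristic, not a PHP parser: '//' directly after ':' is kept so 'https://...' inside a
    string survives, and '#' counts as a comment only at a line start or after whitespace.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"(?m)(?:(?<!:)//|(?<![^\s])#).*$", "", text)


def check_console_config(text: str) -> List[str]:
    """Return the list of failed checks for the config text; empty means hardened."""
    failures: List[str] = []
    if HARDCODED_WEBHOOK.search(text):  # raw text: a URL in a comment is still a leak
        failures.append("hard-coded Slack webhook URL present")
    code = strip_php_comments(text)  # the remaining checks must be satisfied by live code
    if not ENV_READ.search(code):
        failures.append(f"does not read {ENV_VAR} from the environment")
    if not FALLBACK_READ.search(code):
        failures.append(f"does not fall back to {FALLBACK_VAR}")
    if not URL_WIRING.search(code):
        failures.append(f"Slack client 'url' is not wired to ${CONFIG_VAR}")
    return failures


# Constructed samples, not the repository's real file. The leaked one has the webhook
# reintroduced and the env-backed wiring left behind only as comments.
HARDENED_SAMPLE = """<?php
$consoleSlackWebhookUrl = getenv('CONSOLE_SLACK_WEBHOOK_URL') ?: getenv('SLACK_WEBHOOK_URL');

return [
    'components' => [
        'slack' => [
            "url"   =>   $consoleSlackWebhookUrl,   // deliberately odd spacing and quotes
        ],
    ],
];
"""

LEAKED_SAMPLE = """<?php
// $consoleSlackWebhookUrl = getenv('CONSOLE_SLACK_WEBHOOK_URL');
return [
    'components' => [
        'slack' => [
            // 'url' => $consoleSlackWebhookUrl,
            'url' => 'https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX',
        ],
    ],
];
"""

if __name__ == "__main__":
    # Usage: python check.py [path/to/console/config/main.php]; defaults to the hardened sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else HARDENED_SAMPLE
    problems = check_console_config(text)
    for problem in problems:
        print("FAIL:", problem)
    print("Console Slack webhook hardening check", "failed." if problems else "passed.")
    sys.exit(1 if problems else 0)
```

Running the checks on comment-stripped text is what makes the guard a behavioural check rather than a grep: the leaked sample keeps every string the original literal test looked for, just behind `//`, and still fails all four checks.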

CodeRabbit flagged docstring coverage on the small regression checker. Adding module and function docstrings keeps the PR quality signal clean without changing behavior.

Constraint: Keep the update limited to the checker script

Confidence: high

Scope-risk: narrow

Tested: python scripts/check-console-slack-hardening.py; python -m py_compile scripts/check-console-slack-hardening.py; git diff --check

CodeRabbit noted that the checker depended on exact PHP spacing. Switching the URL wiring check to a small regex keeps the guard focused on behavior instead of formatting.

Constraint: Preserve the existing checker scope and avoid changing runtime PHP behavior

Confidence: high

Scope-risk: narrow

Tested: python scripts/check-console-slack-hardening.py; python -m py_compile scripts/check-console-slack-hardening.py; git diff --check
firstedition0123 (Author) commented

Follow-up on the CodeRabbit nit: the Slack URL wiring guard is already regex-based in 8a882989, accepting flexible quotes/spacing while still requiring $consoleSlackWebhookUrl.

Fresh verification:

  • python scripts\check-console-slack-hardening.py
  • python -m py_compile scripts\check-console-slack-hardening.py
  • git diff --check
