refactor slack configuration to separate backend-specific settings for Hermes and OpenClaw

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>

Author: peterj

go/api/config/crd/bases/kagent.dev_agentharnesses.yaml

@@ -86,40 +86,6 @@ spec:
                     slack:
                       description: Slack configures Slack when type is Slack.
                       properties:
-                        allowedUserIDs:
-                          description: AllowedUserIDs restricts which Slack member
-                            IDs may interact with the bot (SLACK_ALLOWED_USERS).
-                          items:
-                            type: string
-                          type: array
-                        allowedUserIDsFrom:
-                          description: ValueSource defines a source for configuration
-                            values from a Secret or ConfigMap
-                          properties:
-                            key:
-                              description: The key of the ConfigMap or Secret.
-                              maxLength: 253
-                              type: string
-                            name:
-                              description: The name of the ConfigMap or Secret.
-                              maxLength: 253
-                              type: string
-                            type:
-                              enum:
-                              - ConfigMap
-                              - Secret
-                              type: string
-                          required:
-                          - key
-                          - name
-                          - type
-                          type: object
-                        allowlistChannels:
-                          description: AllowlistChannels is required when channelAccess
-                            is allowlist.
-                          items:
-                            type: string
-                          type: array
                         appToken:
                           description: AgentHarnessChannelCredential supplies a token
                             from an inline value or a Secret/ConfigMap key.
@@ -188,38 +154,82 @@ spec:
                           - message: Exactly one of value or valueFrom must be specified
                             rule: (has(self.value) && !has(self.valueFrom)) || (!has(self.value)
                               && has(self.valueFrom))
-                        channelAccess:
-                          description: AgentHarnessChannelAccess controls whether
-                            the bot listens broadly or only on an allowlist.
-                          enum:
-                          - allowlist
-                          - open
-                          - disabled
-                          type: string
-                        homeChannel:
-                          description: HomeChannel is the default Slack channel ID
-                            for cron/scheduled messages (SLACK_HOME_CHANNEL).
-                          type: string
-                        homeChannelName:
-                          description: HomeChannelName is a human-readable label for
-                            HomeChannel (SLACK_HOME_CHANNEL_NAME).
-                          type: string
-                        interactiveReplies:
-                          default: true
-                          type: boolean
+                        hermes:
+                          description: Hermes configures Hermes-specific Slack settings.
+                          properties:
+                            allowedUserIDs:
+                              description: AllowedUserIDs restricts which Slack member
+                                IDs may interact with the bot (SLACK_ALLOWED_USERS).
+                              items:
+                                type: string
+                              type: array
+                            allowedUserIDsFrom:
+                              description: ValueSource defines a source for configuration
+                                values from a Secret or ConfigMap
+                              properties:
+                                key:
+                                  description: The key of the ConfigMap or Secret.
+                                  maxLength: 253
+                                  type: string
+                                name:
+                                  description: The name of the ConfigMap or Secret.
+                                  maxLength: 253
+                                  type: string
+                                type:
+                                  enum:
+                                  - ConfigMap
+                                  - Secret
+                                  type: string
+                              required:
+                              - key
+                              - name
+                              - type
+                              type: object
+                            homeChannel:
+                              description: HomeChannel is the default Slack channel
+                                ID for cron/scheduled messages (SLACK_HOME_CHANNEL).
+                              type: string
+                            homeChannelName:
+                              description: HomeChannelName is a human-readable label
+                                for HomeChannel (SLACK_HOME_CHANNEL_NAME).
+                              type: string
+                          type: object
+                          x-kubernetes-validations:
+                          - message: allowedUserIDs and allowedUserIDsFrom are mutually
+                              exclusive
+                            rule: '!(size(self.allowedUserIDs) > 0 && has(self.allowedUserIDsFrom))'
+                        openclaw:
+                          description: OpenClaw configures OpenClaw/NemoClaw-specific
+                            Slack routing.
+                          properties:
+                            allowlistChannels:
+                              description: AllowlistChannels is required when channelAccess
+                                is allowlist.
+                              items:
+                                type: string
+                              type: array
+                            channelAccess:
+                              description: AgentHarnessChannelAccess controls whether
+                                the bot listens broadly or only on an allowlist.
+                              enum:
+                              - allowlist
+                              - open
+                              - disabled
+                              type: string
+                            interactiveReplies:
+                              default: true
+                              type: boolean
+                          type: object
+                          x-kubernetes-validations:
+                          - message: allowlistChannels is required when channelAccess
+                              is allowlist
+                            rule: '!has(self.channelAccess) || self.channelAccess
+                              != ''allowlist'' || (has(self.allowlistChannels) &&
+                              size(self.allowlistChannels) > 0)'
                       required:
                       - appToken
                       - botToken
                       type: object
-                      x-kubernetes-validations:
-                      - message: allowedUserIDs and allowedUserIDsFrom are mutually
-                          exclusive
-                        rule: '!(size(self.allowedUserIDs) > 0 && has(self.allowedUserIDsFrom))'
-                      - message: allowlistChannels is required when channelAccess
-                          is allowlist
-                        rule: '!has(self.channelAccess) || self.channelAccess != ''allowlist''
-                          || (has(self.allowlistChannels) && size(self.allowlistChannels)
-                          > 0)'
                     telegram:
                       description: AgentHarnessTelegramChannelSpec configures Telegram
                         when AgentHarnessChannel.type is Telegram.
@@ -500,6 +510,12 @@ spec:
             required:
             - backend
             type: object
+            x-kubernetes-validations:
+            - message: slack backend-specific settings must match spec.backend
+              rule: '!has(self.channels) || self.channels.all(c, c.type != ''slack''
+                || (has(c.slack) && ((self.backend == ''hermes'' && has(c.slack.hermes)
+                && !has(c.slack.openclaw)) || ((self.backend == ''openclaw'' || self.backend
+                == ''nemoclaw'') && has(c.slack.openclaw) && !has(c.slack.hermes)))))'
           status:
             description: AgentHarnessStatus is the observed state of an AgentHarness.
             properties:

go/api/v1alpha2/agentharness_types.go

@@ -111,31 +111,19 @@ type AgentHarnessHermesSlackOptions struct {
 }
 
 // AgentHarnessSlackChannelSpec configures Slack when AgentHarnessChannel.type is Slack.
-// YAML is flat: botToken, appToken, plus backend-specific fields. Which fields apply is determined
-// by spec.backend on the AgentHarness; OpenClaw and Hermes settings are separate structs in Go.
+// Backend-specific settings live under the matching backend key; AgentHarnessSpec validation
+// requires the key to match spec.backend.
 type AgentHarnessSlackChannelSpec struct {
 	// +required
 	BotToken AgentHarnessChannelCredential `json:"botToken"`
 	// +required
-	AppToken                         AgentHarnessChannelCredential `json:"appToken"`
-	AgentHarnessOpenClawSlackOptions `json:",inline"`
-	AgentHarnessHermesSlackOptions   `json:",inline"`
-}
-
-// OpenClawOptions returns OpenClaw/NemoClaw Slack settings embedded in the spec.
-func (s *AgentHarnessSlackChannelSpec) OpenClawOptions() *AgentHarnessOpenClawSlackOptions {
-	if s == nil {
-		return nil
-	}
-	return &s.AgentHarnessOpenClawSlackOptions
-}
-
-// HermesOptions returns Hermes Slack settings embedded in the spec.
-func (s *AgentHarnessSlackChannelSpec) HermesOptions() *AgentHarnessHermesSlackOptions {
-	if s == nil {
-		return nil
-	}
-	return &s.AgentHarnessHermesSlackOptions
+	AppToken AgentHarnessChannelCredential `json:"appToken"`
+	// OpenClaw configures OpenClaw/NemoClaw-specific Slack routing.
+	// +optional
+	OpenClaw *AgentHarnessOpenClawSlackOptions `json:"openclaw,omitempty"`
+	// Hermes configures Hermes-specific Slack settings.
+	// +optional
+	Hermes *AgentHarnessHermesSlackOptions `json:"hermes,omitempty"`
 }
 
 // AgentHarnessChannel declares one messenger binding inside a harness VM.
@@ -161,6 +149,7 @@ type AgentHarnessChannel struct {
 // An AgentHarness is distinct from a SandboxAgent: it has no agent runtime baked
 // in. The backend is responsible for provisioning an environment that stays
 // ready to accept incoming commands.
+// +kubebuilder:validation:XValidation:rule="!has(self.channels) || self.channels.all(c, c.type != 'slack' || (has(c.slack) && ((self.backend == 'hermes' && has(c.slack.hermes) && !has(c.slack.openclaw)) || ((self.backend == 'openclaw' || self.backend == 'nemoclaw') && has(c.slack.openclaw) && !has(c.slack.hermes)))))",message="slack backend-specific settings must match spec.backend"
 type AgentHarnessSpec struct {
 	// Backend selects the control plane to use. Required.
 	// +required

go/api/v1alpha2/zz_generated.deepcopy.go

@@ -104,49 +104,22 @@ func (r *Resolved) addSlackChannel(ctx context.Context, kube client.Client, name
 	}
 	switch backend {
 	case v1alpha2.AgentHarnessBackendHermes:
-		if err := rejectOpenClawSlackFields(ch.Name, spec); err != nil {
-			return err
+		opts := spec.Hermes
+		if opts == nil {
+			opts = &v1alpha2.AgentHarnessHermesSlackOptions{}
 		}
-		return r.addHermesSlack(ctx, kube, namespace, ch.Name, spec.BotToken, spec.AppToken, spec.HermesOptions())
+		return r.addHermesSlack(ctx, kube, namespace, ch.Name, spec.BotToken, spec.AppToken, opts)
 	case v1alpha2.AgentHarnessBackendOpenClaw, v1alpha2.AgentHarnessBackendNemoClaw:
-		if err := rejectHermesSlackFields(ch.Name, spec); err != nil {
-			return err
+		opts := spec.OpenClaw
+		if opts == nil {
+			opts = &v1alpha2.AgentHarnessOpenClawSlackOptions{}
 		}
-		return r.addOpenClawSlack(ctx, kube, namespace, ch.Name, spec.BotToken, spec.AppToken, spec.OpenClawOptions())
+		return r.addOpenClawSlack(ctx, kube, namespace, ch.Name, spec.BotToken, spec.AppToken, opts)
 	default:
 		return fmt.Errorf("channel %q: slack channels are not supported for backend %q", ch.Name, backend)
 	}
 }
 
-func rejectOpenClawSlackFields(channelName string, spec *v1alpha2.AgentHarnessSlackChannelSpec) error {
-	opts := spec.OpenClawOptions()
-	if opts == nil {
-		return nil
-	}
-	if opts.ChannelAccess != "" {
-		return fmt.Errorf("channel %q: channelAccess is not supported when backend is hermes", channelName)
-	}
-	if len(opts.AllowlistChannels) > 0 {
-		return fmt.Errorf("channel %q: allowlistChannels is not supported when backend is hermes", channelName)
-	}
-	if opts.InteractiveReplies != nil {
-		return fmt.Errorf("channel %q: interactiveReplies is not supported when backend is hermes", channelName)
-	}
-	return nil
-}
-
-func rejectHermesSlackFields(channelName string, spec *v1alpha2.AgentHarnessSlackChannelSpec) error {
-	opts := spec.HermesOptions()
-	if opts == nil {
-		return nil
-	}
-	if len(opts.AllowedUserIDs) > 0 || opts.AllowedUserIDsFrom != nil ||
-		strings.TrimSpace(opts.HomeChannel) != "" || strings.TrimSpace(opts.HomeChannelName) != "" {
-		return fmt.Errorf("channel %q: Hermes slack fields are not supported when backend is openclaw or nemoclaw", channelName)
-	}
-	return nil
-}
-
 func (r *Resolved) putSlackCredentials(ctx context.Context, kube client.Client, namespace, channelName string, botToken, appToken v1alpha2.AgentHarnessChannelCredential) error {
 	if err := PutChannelCredential(ctx, kube, namespace, botToken, SlackBotTokenEnvKey(channelName), r.Secrets); err != nil {
 		return fmt.Errorf("channel %q slack bot token: %w", channelName, err)

go/core/pkg/sandboxbackend/openshell/channels/resolve.go

@@ -73,7 +73,7 @@ func TestBuildBootstrapArtifacts_TelegramSlack(t *testing.T) {
 					Slack: &v1alpha2.AgentHarnessSlackChannelSpec{
 						BotToken: v1alpha2.AgentHarnessChannelCredential{Value: "xoxb-bot"},
 						AppToken: v1alpha2.AgentHarnessChannelCredential{Value: "xapp-app"},
-						AgentHarnessHermesSlackOptions: v1alpha2.AgentHarnessHermesSlackOptions{
+						Hermes: &v1alpha2.AgentHarnessHermesSlackOptions{
 							AllowedUserIDs:  []string{"U01234567", "U89ABCDEF"},
 							HomeChannel:     "C01234567890",
 							HomeChannelName: "general",

go/core/pkg/sandboxbackend/openshell/hermes/bootstrap_test.go

@@ -167,7 +167,7 @@ func TestBuildOpenshellCreateRequest_OpenClaw_Slack_HasSlackPolicy(t *testing.T)
 					Slack: &v1alpha2.AgentHarnessSlackChannelSpec{
 						BotToken: v1alpha2.AgentHarnessChannelCredential{Value: "b"},
 						AppToken: v1alpha2.AgentHarnessChannelCredential{Value: "a"},
-						AgentHarnessOpenClawSlackOptions: v1alpha2.AgentHarnessOpenClawSlackOptions{
+						OpenClaw: &v1alpha2.AgentHarnessOpenClawSlackOptions{
 							ChannelAccess: v1alpha2.AgentHarnessChannelAccessOpen,
 						},
 					},