Add file download command for Slack

[devxoul]

Summary

Add file download <file-id> [output-path] command that downloads Slack files using extracted credentials. Previously, downloading files shared in Slack required manually extracting the token and cookie from credentials and curling url_private with the correct auth headers — this automates the entire flow.

Changes

SlackClient (client.ts)

• Add getFileInfo() — wraps files.info API for efficient single-file metadata retrieval instead of listing all files and filtering.
• Add downloadFile() — fetches url_private with Bearer token + cookie auth headers, returns the file buffer and metadata.
• Store token and cookie as private fields alongside the WebClient instance to support authenticated downloads via native fetch.

File command (commands/file.ts)

• Add file download <file-id> [output-path] subcommand with optional output path. Defaults to original filename in the current directory. Detects when the output path is a directory and appends the original filename automatically.
• Improve file info to call getFileInfo() directly instead of listing all files then filtering by ID — faster and avoids the file count limit.

Tests

• Unit tests for getFileInfo(), downloadFile() (happy path, missing URL, download failure, auth header verification), and command mock.
• E2e test for upload-then-download round-trip: uploads a file, downloads it by ID, and verifies content matches.

Testing

• Unit tests cover client methods and command action.
• E2e test verifies full upload → download → content comparison flow.

---

Summary by cubic

Adds file download <file-id> [output-path] to fetch Slack files using extracted credentials. Speeds up file info by calling files.info directly, and sanitizes filenames before writing to disk.

• New Features

  • CLI: file download <file-id> [output-path]. Defaults to original filename; detects directories; outputs JSON with id, name, mimetype, size, path.
  • SlackClient.downloadFile() downloads url_private with Bearer token and cookie, returning a buffer and metadata.
  • E2E: upload → download round-trip verifies content; cleans up uploaded files.

• Bug Fixes

  • Sanitize downloaded filenames using basename() with backslash normalization to prevent path traversal.
  • Replace tautological unit test with a dedicated filename sanitization test.

^{Written for commit bff5a39. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
agent-messenger	Ignored		Mar 9, 2026 11:30am

[cubic-dev-ai]

3 issues found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/platforms/slack/commands/file.ts">

<violation number="1" location="src/platforms/slack/commands/file.ts:133">
P1: Sanitize `file.name` before using it in filesystem paths to prevent path traversal/arbitrary overwrite via crafted filenames.</violation>
</file>

<file name="e2e/slack.e2e.test.ts">

<violation number="1" location="e2e/slack.e2e.test.ts:374">
P2: This test uploads a Slack file but never deletes it, so each run leaves orphaned remote test files in the workspace.</violation>
</file>

<file name="src/platforms/slack/commands/file.test.ts">

<violation number="1" location="src/platforms/slack/commands/file.test.ts:193">
P2: This test is tautological for `path` and does not exercise real download-command path handling, so it can pass even when command behavior is broken.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}