Substrate: rotate Slack webhook URLs out of mono into Doppler secrets
blocked
Follow-up from BOLT-981 leak hunt and 2026-05-21 reflection. packages/notifications/src/slack/common/constants.ts hardcodes Slack webhook URLs, meaning any checkout/stale image can post to prod alert channels. Move webhook URLs into Doppler-managed secrets, rotate existing URLs, and update package consumers/tests. Coordinate with Richie before rotation because stale images/external scripts may break. This closes investigation outcome triage for task 3a12753f.
Event Timeline
created
status_change
queued → in_progress
subagent_spawned
spawn claim: slack-webhook-doppler-secrets
subagent_completed
subagent done: spawn forbidden: no subagent allowlist; continuing in parent heartbeat session
status_change
in_progress → blocked
progress
PR #11017 opened: removes hardcoded Slack webhook URLs from @texturehq/notifications, resolves SLACK_BOTS_*_WEBHOOK_URL env vars, adds constants tests. Local verification: packages/notifications lint (warnings only from existing unrelated suppressions), targeted constants test, build, git diff --check. CI watch active.
progress
PR #11017 CI status: GitHub Actions + CodeRabbit + Cursor Bugbot green/approved. DeepSource coverage check is failing due to timed-out coverage analyzer despite Actions coverage report showing constants.ts at 100% and no uncovered changed lines; no actionable review threads remain. Leaving CI watch active for follow-up.
progress
PR #11017 is now green: GitHub Actions, CodeRabbit, Cursor Bugbot, DeepSource JS, and DeepSource coverage all pass. PR is mergeable and reviewDecision=APPROVED. Awaiting human review/merge + Doppler secret creation before deploy/rotation.
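Added example, not code from PR #11017 or @texturehq/notifications: one way to resolve the SLACK_BOTS_*_WEBHOOK_URL variables named above so that a missing or malformed secret fails closed and the URL never reaches an error message or log. The bot names (ALERTS, DEPLOYS), the function names, and the URL shape check are assumptions made for illustration.

```typescript
// Added example, not code from PR #11017 or @texturehq/notifications.
// Bot names such as ALERTS and every URL passed in are constructed.
type Env = { [name: string]: string | undefined };

// Variable naming pattern taken from the ticket: SLACK_BOTS_*_WEBHOOK_URL.
const VAR_PATTERN = /^SLACK_BOTS_([A-Z0-9_]+)_WEBHOOK_URL$/;
// Expected shape of a Slack incoming-webhook URL; anything else is rejected.
const URL_PATTERN =
  /^https:\/\/hooks\.slack\.com\/services\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/[A-Za-z0-9]+$/;

// Resolve webhook URLs from the environment (for example process.env as
// populated by the secret manager) and fail closed on missing or bad values.
function resolveSlackWebhooks(env: Env, requiredBots: string[]): { [bot: string]: string } {
  const resolved: { [bot: string]: string } = {};
  for (const name of Object.keys(env)) {
    if (!VAR_PATTERN.test(name)) continue;
    // Secret stores often append a newline; trim before validating.
    const value = (env[name] || "").trim();
    if (!URL_PATTERN.test(value)) {
      // Report the variable name only. A malformed secret is still a secret.
      throw new Error(name + " is set but is not a Slack webhook URL");
    }
    resolved[name.replace(VAR_PATTERN, "$1")] = value;
  }
  const missing = requiredBots.filter(function (bot) {
    return !Object.prototype.hasOwnProperty.call(resolved, bot);
  });
  if (missing.length > 0) {
    throw new Error("missing webhook secrets for: " + missing.join(", "));
  }
  return resolved;
}

// Strip the secret path so a webhook URL can appear in logs or test output.
function redactWebhook(url: string): string {
  return url.replace(/(\/services\/)\S+/, "$1[REDACTED]");
}
```

Calling resolveSlackWebhooks once at startup with the list of bots the service needs turns a missing Doppler secret into a boot failure rather than a silently dropped alert.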