From 5a9ad5f3dbded217a47ff6bd1d0698dac18a7836 Mon Sep 17 00:00:00 2001
From: Brian O'Kelley <bokelley@scope3.com>
Date: Wed, 7 Jan 2026 05:32:19 -0800
Subject: [PATCH] fix: restrict billing channel picker to private channels only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For security, billing notifications should not go to public channels.
This change:
- Only shows private channels in the billing channel dropdown
- Adds server-side validation to reject public channel IDs
- Shows a helpful message when no private channels are found

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 .changeset/slimy-singers-care.md    |  2 ++
 server/public/admin-settings.html   | 23 ++++++++++++++---------
 server/src/routes/admin/settings.ts | 21 ++++++++++++++++++---
 3 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 .changeset/slimy-singers-care.md

diff --git a/.changeset/slimy-singers-care.md b/.changeset/slimy-singers-care.md
new file mode 100644
index 000000000..a845151cc
--- /dev/null
+++ b/.changeset/slimy-singers-care.md
@@ -0,0 +1,2 @@
+---
+---
diff --git a/server/public/admin-settings.html b/server/public/admin-settings.html
index e56d19ef7..d7b9e6ce6 100644
--- a/server/public/admin-settings.html
+++ b/server/public/admin-settings.html
@@ -184,7 +184,7 @@ <h3>Billing Notifications Channel</h3>
               <select id="billingChannel" disabled>
                 <option value="">Loading channels...</option>
               </select>
-              <small>Only public channels the bot has access to are shown</small>
+              <small>Only private channels are shown. Invite Addie to your billing channel first.</small>
             </div>
             <button class="btn btn-primary" id="saveBtn" onclick="saveBillingChannel()" disabled>
               Save
@@ -243,14 +243,19 @@ <h3>Billing Notifications Channel</h3>
 
         // Build options
         let html = '<option value="">-- No channel (disabled) --</option>';
-        slackChannels.forEach(ch => {
-          const selected = currentSettings?.billing_channel?.channel_id === ch.id ? 'selected' : '';
-          html += `<option value="${ch.id}" ${selected}>#${escapeHtml(ch.name)}</option>`;
-        });
-
-        select.innerHTML = html;
-        select.disabled = false;
-        document.getElementById('saveBtn').disabled = false;
+        if (slackChannels.length === 0) {
+          html = '<option value="">No private channels found - invite Addie first</option>';
+          select.innerHTML = html;
+          showStatusMessage('Addie is not in any private channels. Invite @Addie to your billing channel and refresh.', 'error');
+        } else {
+          slackChannels.forEach(ch => {
+            const selected = currentSettings?.billing_channel?.channel_id === ch.id ? 'selected' : '';
+            html += `<option value="${ch.id}" ${selected}>#${escapeHtml(ch.name)}</option>`;
+          });
+          select.innerHTML = html;
+          select.disabled = false;
+          document.getElementById('saveBtn').disabled = false;
+        }
       } catch (error) {
         console.error('Error loading Slack channels:', error);
         select.innerHTML = '<option value="">Error loading channels</option>';
diff --git a/server/src/routes/admin/settings.ts b/server/src/routes/admin/settings.ts
index f90f58d5a..08a8ec539 100644
--- a/server/src/routes/admin/settings.ts
+++ b/server/src/routes/admin/settings.ts
@@ -14,7 +14,7 @@ import {
   getBillingChannel,
   setBillingChannel,
 } from '../../db/system-settings-db.js';
-import { getSlackChannels, isSlackConfigured } from '../../slack/client.js';
+import { getSlackChannels, getChannelInfo, isSlackConfigured } from '../../slack/client.js';
 
 const logger = createLogger('admin-settings');
 
@@ -51,8 +51,11 @@ export function createAdminSettingsRouter(): Router {
         return;
       }
 
-      // Get public channels the bot can see
-      const channels = await getSlackChannels({ types: 'public_channel', exclude_archived: true });
+      // Only private channels - billing info should not go to public channels
+      const channels = await getSlackChannels({
+        types: 'private_channel',
+        exclude_archived: true,
+      });
 
       // Sort by name and return minimal info
       const sorted = channels
@@ -89,6 +92,18 @@ export function createAdminSettingsRouter(): Router {
           });
           return;
         }
+
+        // Verify the channel is private (billing info should not go to public channels)
+        if (isSlackConfigured()) {
+          const channelInfo = await getChannelInfo(channel_id);
+          if (channelInfo && !channelInfo.is_private) {
+            res.status(400).json({
+              error: 'Invalid channel',
+              message: 'Only private channels are allowed for billing notifications',
+            });
+            return;
+          }
+        }
       }
 
       // Validate channel name if provided