fix: separate bot and user identity in auth storage

Bot and user tokens return different identities from auth.test — the bot
returns the bot's user ID (e.g. U0AC6DLSHRV/slackbuzz) while the user
token returns the human's (e.g. U018Y0Y9HSN/isaac). Previously both
called StoreUserInfo which shared a single user_id/user_name, so whichever
token was stored last would overwrite the other.

Now bot identity is stored in separate bot_user_id/bot_user_name keys
(keyring + auth.yml), and self-DM detection uses client.AuthUserID()
which calls auth.test directly on the active token instead of reading
potentially stale stored data.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: isaacrowntree

internal/api/client.go

@@ -37,3 +37,13 @@ func NewClient(token string) *Client {
 func (c *Client) Token() string {
 	return c.token
 }
+
+// AuthUserID calls auth.test to get the user ID for this client's token.
+// Returns empty string on failure.
+func (c *Client) AuthUserID() string {
+	resp, err := c.Slack.AuthTest()
+	if err != nil {
+		return ""
+	}
+	return resp.UserID
+}

internal/auth/keyring.go

@@ -8,13 +8,15 @@ import (
 )
 
 const (
-	serviceName  = "slack-cli"
-	botTokenKey  = "bot_token"
-	userTokenKey = "user_token"
-	teamIDKey    = "team_id"
-	teamNameKey  = "team_name"
-	userIDKey    = "user_id"
-	userNameKey  = "user_name"
+	serviceName    = "slack-cli"
+	botTokenKey    = "bot_token"
+	userTokenKey   = "user_token"
+	teamIDKey      = "team_id"
+	teamNameKey    = "team_name"
+	userIDKey      = "user_id"
+	userNameKey    = "user_name"
+	botUserIDKey   = "bot_user_id"
+	botUserNameKey = "bot_user_name"
 )
 
 // StoreBotToken saves a bot token (xoxb-) to the OS keyring, falling back to plaintext.
@@ -43,22 +45,19 @@ func StoreTeamInfo(teamID, teamName string) error {
 	return ac.Save()
 }
 
-// ResolveUserID returns the user's Slack ID, fetching it via auth.test if not
-// already stored (e.g. tokens saved before UserID tracking was added).
-// The result is cached to the keyring/file for future calls.
+// ResolveUserID returns the human user's Slack ID, fetching it via auth.test
+// on the user token if not already stored. Only uses the user token (not bot)
+// to ensure the returned ID is the human's, not the bot's.
 func ResolveUserID() (userID, userName string, err error) {
 	userID, userName = GetUserInfo()
 	if userID != "" {
 		return userID, userName, nil
 	}
 
-	// Try user token first, then bot token
+	// Only use user token — bot token would return the bot's identity
 	token, tokenErr := GetUserToken()
 	if tokenErr != nil || token == "" {
-		token, tokenErr = GetBotToken()
-		if tokenErr != nil || token == "" {
-			return "", "", fmt.Errorf("no tokens available to resolve user ID")
-		}
+		return "", "", fmt.Errorf("no user token available to resolve user ID (bot token returns bot identity, not yours)")
 	}
 
 	info, err := ValidateToken(token)
@@ -85,7 +84,7 @@ func GetUserToken() (string, error) {
 	})
 }
 
-// StoreUserInfo saves the authenticated user's Slack ID and username.
+// StoreUserInfo saves the human user's Slack ID and username (from user token auth.test).
 func StoreUserInfo(userID, userName string) error {
 	_ = keyring.Set(serviceName, userIDKey, userID)
 	_ = keyring.Set(serviceName, userNameKey, userName)
@@ -97,7 +96,19 @@ func StoreUserInfo(userID, userName string) error {
 	return ac.Save()
 }
 
-// GetUserInfo retrieves the stored user ID and username.
+// StoreBotUserInfo saves the bot's Slack user ID and username (from bot token auth.test).
+func StoreBotUserInfo(userID, userName string) error {
+	_ = keyring.Set(serviceName, botUserIDKey, userID)
+	_ = keyring.Set(serviceName, botUserNameKey, userName)
+
+	// Also persist to file as fallback
+	ac, _ := config.LoadAuth()
+	ac.BotUserID = userID
+	ac.BotUserName = userName
+	return ac.Save()
+}
+
+// GetUserInfo retrieves the stored human user ID and username.
 func GetUserInfo() (userID, userName string) {
 	userID, _ = keyring.Get(serviceName, userIDKey)
 	userName, _ = keyring.Get(serviceName, userNameKey)
@@ -112,6 +123,21 @@ func GetUserInfo() (userID, userName string) {
 	return ac.UserID, ac.UserName
 }
 
+// GetBotUserInfo retrieves the stored bot user ID and username.
+func GetBotUserInfo() (userID, userName string) {
+	userID, _ = keyring.Get(serviceName, botUserIDKey)
+	userName, _ = keyring.Get(serviceName, botUserNameKey)
+	if userID != "" {
+		return
+	}
+
+	ac, err := config.LoadAuth()
+	if err != nil {
+		return "", ""
+	}
+	return ac.BotUserID, ac.BotUserName
+}
+
 // GetTeamInfo retrieves the stored team ID and name.
 func GetTeamInfo() (teamID, teamName string) {
 	teamID, _ = keyring.Get(serviceName, teamIDKey)
@@ -135,6 +161,8 @@ func ClearTokens() error {
 	_ = keyring.Delete(serviceName, teamNameKey)
 	_ = keyring.Delete(serviceName, userIDKey)
 	_ = keyring.Delete(serviceName, userNameKey)
+	_ = keyring.Delete(serviceName, botUserIDKey)
+	_ = keyring.Delete(serviceName, botUserNameKey)
 
 	ac := &config.AuthConfig{}
 	_ = ac.Clear()

internal/auth/keyring_test.go

@@ -190,6 +190,49 @@ func TestStoreAndGetUserInfo(t *testing.T) {
 	}
 }
 
+func TestStoreAndGetBotUserInfo(t *testing.T) {
+	keyring.MockInit()
+	setConfigDir(t)
+
+	if err := StoreBotUserInfo("U_BOT_123", "mybot"); err != nil {
+		t.Fatalf("StoreBotUserInfo() error: %v", err)
+	}
+
+	botUserID, botUserName := GetBotUserInfo()
+	if botUserID != "U_BOT_123" {
+		t.Errorf("GetBotUserInfo() userID = %q, want %q", botUserID, "U_BOT_123")
+	}
+	if botUserName != "mybot" {
+		t.Errorf("GetBotUserInfo() userName = %q, want %q", botUserName, "mybot")
+	}
+}
+
+func TestBotAndUserInfoSeparate(t *testing.T) {
+	keyring.MockInit()
+	setConfigDir(t)
+
+	// Store bot info
+	if err := StoreBotUserInfo("U_BOT", "bot-name"); err != nil {
+		t.Fatalf("StoreBotUserInfo() error: %v", err)
+	}
+
+	// Store user info — should NOT overwrite bot info
+	if err := StoreUserInfo("U_HUMAN", "human-name"); err != nil {
+		t.Fatalf("StoreUserInfo() error: %v", err)
+	}
+
+	// Verify both are stored independently
+	botID, botName := GetBotUserInfo()
+	userID, userName := GetUserInfo()
+
+	if botID != "U_BOT" || botName != "bot-name" {
+		t.Errorf("GetBotUserInfo() = (%q, %q), want (%q, %q)", botID, botName, "U_BOT", "bot-name")
+	}
+	if userID != "U_HUMAN" || userName != "human-name" {
+		t.Errorf("GetUserInfo() = (%q, %q), want (%q, %q)", userID, userName, "U_HUMAN", "human-name")
+	}
+}
+
 func TestClearTokensFileFallback(t *testing.T) {
 	keyring.MockInitWithError(fmt.Errorf("keyring unavailable"))
 	setConfigDir(t)

internal/config/auth_config.go

@@ -14,8 +14,10 @@ type AuthConfig struct {
 	ConfigToken string `yaml:"config_token,omitempty"` // App configuration token for manifest API
 	TeamID      string `yaml:"team_id,omitempty"`
 	TeamName    string `yaml:"team_name,omitempty"`
-	UserID      string `yaml:"user_id,omitempty"`
-	UserName    string `yaml:"user_name,omitempty"`
+	UserID      string `yaml:"user_id,omitempty"`      // Human user ID (from user token)
+	UserName    string `yaml:"user_name,omitempty"`    // Human username (from user token)
+	BotUserID   string `yaml:"bot_user_id,omitempty"`  // Bot user ID (from bot token)
+	BotUserName string `yaml:"bot_user_name,omitempty"` // Bot username (from bot token)
 }
 
 // AuthFile returns the path to the auth config file.
@@ -64,5 +66,7 @@ func (a *AuthConfig) Clear() error {
 	a.TeamName = ""
 	a.UserID = ""
 	a.UserName = ""
+	a.BotUserID = ""
+	a.BotUserName = ""
 	return os.Remove(AuthFile())
 }

pkg/cmd/app/create.go

@@ -270,7 +270,7 @@ func storeDetectedToken(ios *iostreams.IOStreams, cs *iostreams.ColorScheme, tok
 			fmt.Fprintf(ios.ErrOut, "Warning: failed to store bot token: %v\n", storeErr)
 		} else {
 			_ = auth.StoreTeamInfo(info.TeamID, info.Team)
-			_ = auth.StoreUserInfo(info.UserID, info.User)
+			_ = auth.StoreBotUserInfo(info.UserID, info.User)
 			fmt.Fprintf(ios.Out, "%s Bot token saved (%s on %s)\n\n", cs.Green("✓"), cs.Bold(info.User), cs.Bold(info.Team))
 			storedBot = true
 		}

pkg/cmd/auth/login.go

@@ -124,9 +124,13 @@ func loginRun(opts *loginOptions) error {
 		}
 	}
 
-	// Store team and user info
+	// Store team info and token-specific user info
 	_ = auth.StoreTeamInfo(info.TeamID, info.Team)
-	_ = auth.StoreUserInfo(info.UserID, info.User)
+	if tokenType == "bot" {
+		_ = auth.StoreBotUserInfo(info.UserID, info.User)
+	} else {
+		_ = auth.StoreUserInfo(info.UserID, info.User)
+	}
 
 	fmt.Fprintf(ios.Out, "%s Logged in as %s (%s token) — team: %s\n",
 		cs.Green("✓"),

pkg/cmd/message/send.go

@@ -9,7 +9,6 @@ import (
 	"github.com/slack-go/slack"
 	"github.com/spf13/cobra"
 	"github.com/triptechtravel/slackbuzz-cli/internal/api"
-	"github.com/triptechtravel/slackbuzz-cli/internal/auth"
 	"github.com/triptechtravel/slackbuzz-cli/pkg/cmdutil"
 )
 
@@ -121,18 +120,17 @@ func sendRun(opts *sendOptions) error {
 	}
 
 	// Self-DM: if sending a DM to yourself, switch to bot so you get a notification.
-	// The bot must re-open its own DM channel since the user's channel ID won't work.
-	if api.LooksLikeUser(opts.channel) && !opts.asBot {
-		if selfID, _, _ := auth.ResolveUserID(); selfID != "" {
-			targetID := resolveTargetUserID(resolver, opts.channel)
-			if targetID == selfID {
-				if botClient, botErr := opts.factory.BotClient(); botErr == nil {
-					botResolver := api.NewResolver(botClient.Slack)
-					if botChannelID, botErr := botResolver.ResolveDM(opts.channel); botErr == nil {
-						client = botClient
-						channelID = botChannelID
-						fmt.Fprintf(ios.ErrOut, "%s Sending to yourself — using bot so you get a notification\n", cs.Blue("→"))
-					}
+	// The bot opens its own DM channel with you so the message appears from the bot.
+	if api.LooksLikeUser(opts.channel) && !opts.asBot && !agentMode {
+		targetID := resolveTargetUserID(resolver, opts.channel)
+		selfID := client.AuthUserID()
+		if targetID != "" && selfID != "" && targetID == selfID {
+			if botClient, botErr := opts.factory.BotClient(); botErr == nil {
+				botResolver := api.NewResolver(botClient.Slack)
+				if botChannelID, botErr := botResolver.ResolveDM(opts.channel); botErr == nil {
+					client = botClient
+					channelID = botChannelID
+					fmt.Fprintf(ios.ErrOut, "%s Sending to yourself — using bot so you get a notification\n", cs.Blue("→"))
 				}
 			}
 		}