feat: Add slack_app Django app with Slack Bolt and /inc help command

[spalmurray]

Adds the foundations for migrating the incident bot (/inc slash commands) from opsbot to firetower. This sets up a new firetower.slack_app Django app with Slack Bolt wired up, a DRF authentication class that verifies Slack signing secrets, a /inc help smoke test command, and Datadog metrics instrumentation for command tracking.

• Adds slack-bolt dependency and signing_secret to Slack config
• Custom SlackSigningSecretAuthentication DRF auth class with HMAC-SHA256 verification and replay protection
• Registers both /inc and /testinc commands (test Slack app sends /testinc, prod sends /inc)
• Emits slack_app.commands.{submitted,completed,failed} Datadog metrics
• 11 tests covering handlers, auth, and endpoint integration

Linear: https://linear.app/getsentry/issue/RELENG-463/infrastructure-and-slack-bolt-setup

[linear]

RELENG-463 Infrastructure and Slack Bolt setup

[spalmurray]

this is for the firetower internal service account. The 'user' the slack app authenticates as for the purpose of accessing Incident data.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Slack bot Cloud Run runs web server

High Severity

deploy-test-slack-bot deploys firetower-slack-app-test with only image: set, so the new service likely runs the container’s default CMD (/app/entrypoint.sh server) instead of the Slack bot process. This can make the Slack bot service come up “healthy” while never starting run_slack_bot.

 

[cursor]

Existing configs may fail to deserialize

High Severity

SlackConfig now requires signing_secret and app_token, which can break startup if any deployed TOML configs (or secrets-driven config generation) haven’t been updated to include these keys, since deserialization via serde is typically strict about required fields.