Generate or commission. Plain logo on solid background works fine.
[todo] Short description filled in Basic Info: copy from §2 below.
[todo] Long description filled in Basic Info: copy from §2 below.
[todo] Background color set (Basic Info): #0a0d12 matches the rest of the brand.
[done] Privacy Policy URL — slack.minicto.ai/privacy: already live.
[todo] Support URL — mailto:cz2440@columbia.edu: just paste the mailto string into the field, or stand up a real /support page later.
[todo] 4 screenshots taken (§3): 1280×800 PNG, dark theme, names per §3.
[todo] Demo video recorded (§4): ~75s, mp4 ≤ 50MB.
[todo] Security questionnaire answered (§5): copy-paste from §5 into Slack's form.
[todo] Test instructions written (§6): what the reviewer should type to verify the app works.
[final] Submit via Manage Distribution → Submit to App Directory: wait 2–6 weeks for first response.
02 App identity — copy-paste ready
Short description (120 chars)
An AI engineer who joins your Slack as a teammate — reads your code, drafts PRs, remembers context per channel.
Long description (~280 words)
miniCTO is an AI software engineer who joins your Slack as a teammate. Add them to a channel, share a repo, and they get to work — reviewing code, debugging incidents, drafting PRs, explaining the parts of your stack you'd rather not re-explain to whoever just rotated in.
They behave like any good coworker would. Memory is scoped per channel: the context built up in #payments stays in #payments. Tomorrow's conversation continues yesterday's — you don't onboard miniCTO again every morning.
For private repos, add miniCTO's GitHub handle as a collaborator. Invitations are auto-accepted, the repo lands in that channel's private workspace, and miniCTO can read it, refactor it, or push a branch when asked.
Privacy is built in, not bolted on. miniCTO can't see other channels, other workspaces, or anything outside the conversation in front of them. GitHub credentials never reach the model. Each channel maintains its own allowlist of repos it's allowed to clone. The agent stays in scope by design, not by promise.
Install once per workspace via standard Slack OAuth. Anyone in the workspace can DM miniCTO, @mention them in any channel, or run /minicto from anywhere — no per-user signup, no separate SaaS account.
Best thought of as a senior engineer on your team who happens to live in Slack: fast on routine work, available 24/7, in the same chat tools you already use for standups, incidents, and planning. Not a chatbot. A coworker.
Marketing listing description (App Directory page)
This is the sales-y, scannable version that lives on the App Directory listing page. Different from the long description above — shorter, more bulleted, includes search keywords for marketplace discovery.
miniCTO is an AI software engineer who lives in your Slack workspace. Add them to a channel, share a GitHub repo, and they get to work — reviewing code, debugging incidents, drafting PRs.
✨ Pair-programs from chat. No IDE switch.
🧠 Memory scoped per channel. Each conversation has its own context.
🔐 Sandboxed by design. miniCTO only sees what you share with them.
🤝 One install per workspace. Everyone uses it. No per-user signup.
Best for engineering teams who want senior-level coding help in the same chat they already use for standups, incidents, and planning.
Tags: AI assistant, code review, GitHub, developer tools, pair programming, engineering, coding agent
App categories (pick at submission)
Primary: Developer Tools
Secondary: Productivity
Background color (Basic Info)
#0a0d12
03 Screenshots — exact compositions
Format: 1280×800 PNG. Slack in dark mode. Use a fresh test workspace (no real DMs / channels visible in the sidebar).
Before you start:
Create a clean test Slack workspace called miniCTO Demo
Install miniCTO into it via slack.minicto.ai
Create one channel #engineering and invite miniCTO into it
Have a tiny test GitHub repo ready (public works fine for screenshots): create github.com/minicto/demo-payments with 2–3 mock files (webhook.ts, retry.ts, README.md)
1 · welcome.png
Stage: DM with miniCTO agent, right after install
Visible:
Left sidebar — Apps section, "miniCTO agent" highlighted
Main pane — bot avatar + the full welcome message ("I'm miniCTO. Installed into…")
Input box at bottom, empty, cursor blinking
Caption to enter in Slack's screenshot form:
miniCTO DMs you the moment it installs, ready to take a task.
2 · share-repo.png
Stage: Same DM, continue. Type and send these messages:
You: Can you review the auth flow in https://github.com/minicto/demo-payments?
Bot reply you want visible (paraphrase if Claude wanders):
miniCTO: Pulled it in, 12 files. The flow is in src/auth/session.ts. Two things worth flagging:
• Session tokens are signed but not encrypted — fine for now, but if you add SSO later you'll want to rotate the secret.
• refreshToken() doesn't check expiration before issuing a new token. That's how the May incident leaked into rotated sessions.
Want me to draft a PR for the second one?
———————
miniCTO · 38s
Caption:
Paste a repo URL. miniCTO clones it into the channel's private sandbox and reports back.
Audio: Voiceover in English, calm, mid-tempo. Background music optional but keep quiet.
0:00–0:05
Visual: Black screen → fade in "miniCTO" logo + tagline "An AI engineer in your Slack"
Voiceover: (silence or 1-second sting)

0:05–0:15
Visual: Browser opens slack.minicto.ai → cursor moves to "Add to Slack" → click → Slack OAuth consent (flash through) → "miniCTO is installed ✓"
Voiceover: "Install miniCTO in one click. Standard Slack OAuth, no setup."

0:15–0:25
Visual: Slack opens to the miniCTO DM → welcome message visible → user types: "Hey, can you take a look at our payments service?"
Voiceover: "The moment it lands, miniCTO DMs you to introduce themselves."

0:25–0:45
Visual: User pastes https://github.com/yourorg/payments-svc → bot shows "⏳ Thinking… (15s)" → cut to bot's response: Block Kit with explanation, listed bullets, code references, "miniCTO · 24s" footer
Voiceover: "Drop a GitHub URL. miniCTO clones the repo into the channel's private sandbox, reads the code, and explains what they found — like any senior engineer would."

0:45–1:00
Visual: Cut to #engineering channel → team member types "@miniCTO can you draft the PR for option 1?" → bot starts working → cut to GitHub UI showing a new PR opened by miniCTO
Voiceover: "Hand off real tasks. They draft PRs, debug stack traces, refactor — in the same chat your team already uses."

1:00–1:10
Visual: Back to the Slack DM the next day → user: "where were we yesterday?" → bot: "We were looking at retry logic in webhook.ts — you wanted me to draft a circuit breaker. Want me to push it?"
Voiceover: "Memory persists per channel. Tomorrow's conversation continues yesterday's."

1:10–1:15
Visual: End card: miniCTO logo · URL slack.minicto.ai · "Free during beta"
Voiceover: (static logo, 5 seconds, no narration)
Recording tips
The "Thinking… (15s)" → response can be jump-cut. Don't actually wait 30 seconds on camera.
Don't record anything you wouldn't want a Slack reviewer to see in your sidebar. Use a fresh test workspace.
Between segments, a 0.3s black fade with a one-line caption strengthens the pacing.
Export at 1080p, H.264 video + AAC audio. Loom's default settings are fine.
05 Security & compliance questionnaire
Slack's form groups questions into Data Handling, Access Controls, Third Parties, Authentication, Compliance, and Incident Response. Below are copy-paste answers based on the actual implementation.
Data handling
Where is customer data stored?
All customer data is stored on a single-tenant server we operate. PostgreSQL holds OAuth tokens and message logs; cloned repositories and per-channel agent memory live on the server's filesystem under slack/<team_id>/<channel_id>/.
Is data encrypted at rest?
Filesystem-level: the server uses full-disk encryption. OAuth bot tokens and GitHub credentials live in 600-permission files readable only by the service user. Application-level encryption for message bodies is on the 2026 roadmap.
Is data encrypted in transit?
Yes. All HTTPS traffic uses Let's Encrypt certificates with TLS 1.2+. Outbound calls to Anthropic, GitHub, and Slack go over HTTPS.
How long is data retained?
Customer data is retained for the lifetime of the installation. When a workspace uninstalls miniCTO (either via Slack's UI or our admin panel), OAuth tokens are revoked immediately, and message logs + cloned repos + memory files are deleted from our database and filesystem in the same transaction. No soft-delete, no grace period. See https://slack.minicto.ai/privacy section 6.
Can customers request deletion of their data?
Yes — uninstalling triggers immediate deletion. Customers can also email cz2440@columbia.edu with their team ID to confirm wipe within 48 hours.
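The two Data Handling answers above describe a concrete layout (slack/<team_id>/<channel_id>/ on disk, tokens and logs in the database) and a concrete guarantee (uninstall revokes the token and wipes rows and files with no grace period). The following is an added example, not miniCTO's own code, of how a service can enforce both: it validates the Slack IDs before they ever become a filesystem path, and it performs the wipe as revoke, delete rows, commit, then remove files. sqlite3 stands in for PostgreSQL, and the table names, column names, IDs and file contents are constructed for the example.

```python
"""Added example (not miniCTO's own code): per-channel sandbox paths and
workspace wipe on uninstall. sqlite3 stands in for PostgreSQL; the schema,
IDs and file contents below are constructed for illustration."""
import re
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Slack team/channel IDs are short upper-case alphanumerics (T..., C..., D..., G...).
# Anything else (e.g. "../") must never be spliced into a filesystem path.
SLACK_ID = re.compile(r"[A-Z][A-Z0-9]{2,}")


def sandbox_dir(root: Path, team_id: str, channel_id: str) -> Path:
    """Return slack/<team_id>/<channel_id>/ under root, refusing IDs that could escape it."""
    for ident in (team_id, channel_id):
        if not SLACK_ID.fullmatch(ident):
            raise ValueError(f"invalid Slack id: {ident!r}")
    path = (root / "slack" / team_id / channel_id).resolve()
    if root.resolve() not in path.parents:  # belt-and-braces check after the regex
        raise ValueError("sandbox path escaped root")
    return path


def init_db(conn: sqlite3.Connection) -> None:
    """Constructed schema: one installation row per workspace, message logs per channel."""
    conn.executescript("""
        CREATE TABLE installations(team_id TEXT PRIMARY KEY, bot_token TEXT NOT NULL);
        CREATE TABLE message_logs(id INTEGER PRIMARY KEY, team_id TEXT NOT NULL,
                                  channel_id TEXT, body TEXT);
    """)


def uninstall_workspace(conn, root: Path, team_id: str, revoke_token):
    """Revoke the bot token, delete the workspace's rows in one transaction,
    then remove its files. Returns (rows_deleted, dir_existed)."""
    if not SLACK_ID.fullmatch(team_id):
        raise ValueError(f"invalid Slack id: {team_id!r}")
    with conn:  # commit on success, rollback if revoke or a DELETE raises
        row = conn.execute("SELECT bot_token FROM installations WHERE team_id = ?",
                           (team_id,)).fetchone()
        if row is None:
            return 0, False
        revoke_token(row[0])  # e.g. Slack's auth.revoke; failure rolls the transaction back
        n = conn.execute("DELETE FROM message_logs WHERE team_id = ?", (team_id,)).rowcount
        n += conn.execute("DELETE FROM installations WHERE team_id = ?", (team_id,)).rowcount
    # Filesystem cleanup runs after the commit; a failure here leaves no live token
    # and no rows, and a periodic sweeper can remove orphaned directories.
    team_dir = root / "slack" / team_id
    existed = team_dir.is_dir()
    shutil.rmtree(team_dir, ignore_errors=True)
    return n, existed


def demo() -> dict:
    """Exercise the flow on a temp dir and in-memory DB; returns what happened."""
    root = Path(tempfile.mkdtemp())
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    conn.execute("INSERT INTO installations VALUES (?, ?)", ("T0123ABC", "xoxb-constructed"))
    conn.executemany("INSERT INTO message_logs(team_id, channel_id, body) VALUES (?, ?, ?)", [
        ("T0123ABC", "C0AAA", "hello"), ("T0123ABC", "C0AAA", "review please"),
        ("T0999ZZZ", "C0BBB", "another workspace, must survive the wipe")])
    conn.commit()
    sb = sandbox_dir(root, "T0123ABC", "C0AAA")
    sb.mkdir(parents=True)
    (sb / "clone.txt").write_text("constructed clone contents")
    try:
        sandbox_dir(root, "T0123ABC", "../../etc")
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    revoked = []
    rows, existed = uninstall_workspace(conn, root, "T0123ABC", revoked.append)
    dir_gone = not (root / "slack" / "T0123ABC").exists()
    other_rows = conn.execute("SELECT COUNT(*) FROM message_logs").fetchone()[0]
    shutil.rmtree(root, ignore_errors=True)
    return {"traversal_rejected": traversal_rejected, "revoked": revoked,
            "rows_deleted": rows, "dir_existed": existed, "dir_gone": dir_gone,
            "other_team_rows": other_rows}


if __name__ == "__main__":
    print(demo())
```

The order matters: the token is revoked inside the transaction so a failed revoke leaves the rows (and a retry) rather than a live token with no record of it, and the directory removal comes after the commit because a relational database cannot roll the filesystem back. Whatever the real implementation does, a reviewer answering "same transaction" should be able to point at the code path that gives that guarantee.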
Access controls
Who has access to customer data?
One person (the operator). Server SSH access is restricted by key authentication. Database access requires both SSH access and database credentials stored outside the repository.
Is multi-factor authentication required for internal access?
Do you have role-based access control for customer data?
Not applicable at current scale (single operator). Will be added before SOC 2 audit.
Third parties
Do you share customer data with third parties?
Yes, two, both for operational reasons:
1. Anthropic — receives the agent's prompt (user's latest message + recent channel context + contents of files the agent has chosen to read) to generate the reply. Anthropic's data policy applies: https://www.anthropic.com/legal/privacy.
2. GitHub — when a user shares a repository URL, miniCTO calls the GitHub API to clone the repo and accept any pending collaborator invitation. No customer data is pushed to GitHub unless the user explicitly asks miniCTO to commit or push.
We do not share data with any other third party (no analytics vendors, no advertising networks, no data brokers).
Are subprocessors disclosed in your privacy policy?
Yes — section 4 of https://slack.minicto.ai/privacy.
Authentication & authorization
How are Slack OAuth tokens stored?
Encrypted-at-rest at the disk level, stored as JSONB rows in PostgreSQL. Indexed by (enterprise_id, team_id). Application-level encryption is on the 2026 roadmap.
What OAuth scopes does the app request, and why?
Seven bot scopes:
• app_mentions:read — receive @miniCTO mentions
• chat:write — post replies
• channels:history, groups:history, im:history, mpim:history — read user messages so the agent can respond (only in conversations miniCTO is a member of)
• im:write — open the welcome DM after installation
• files:write — upload generated files back to the conversation (e.g. when miniCTO writes a script or doc on the user's request)
No users:read, no team:read, no admin scopes. We don't enumerate workspace membership or organization structure.
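A scope list like the one above is a promise to reviewers, and it is easy to drift from it when a manifest is edited later. The following is an added example, not miniCTO's own code, of a check that compares an app manifest's requested scopes against the eight bot scopes enumerated above and flags anything privileged (admin, users:read, team:read, or any user-token scope). The manifest layout assumed is Slack's app-manifest schema (oauth_config.scopes.bot / .user); the manifest contents below are constructed.

```python
"""Added example (not miniCTO's own code): guard against OAuth scope drift by
checking a Slack app manifest against the scopes declared to reviewers.
Assumes the app-manifest layout oauth_config.scopes.{bot,user}; manifests here
are constructed for illustration."""
import json

# The eight bot scopes listed in the questionnaire answer.
DECLARED_BOT_SCOPES = frozenset({
    "app_mentions:read", "chat:write",
    "channels:history", "groups:history", "im:history", "mpim:history",
    "im:write", "files:write",
})

# Scope families the answer explicitly promises are absent.
PRIVILEGED_PREFIXES = ("admin", "users:read", "team:read", "users.profile:read")


def classify_scopes(manifest: dict) -> dict:
    """Report unexpected, missing and privileged scopes relative to the declaration."""
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    bot = set(scopes.get("bot", []))
    user = set(scopes.get("user", []))
    return {
        "unexpected": sorted(bot - DECLARED_BOT_SCOPES),
        "missing": sorted(DECLARED_BOT_SCOPES - bot),
        "privileged": sorted(s for s in bot | user
                             if any(s.startswith(p) for p in PRIVILEGED_PREFIXES)),
        "user_scopes": sorted(user),  # the app declares bot scopes only
    }


def manifest_ok(manifest: dict) -> bool:
    """True only when the manifest requests exactly the declared bot scopes and nothing more."""
    r = classify_scopes(manifest)
    return not (r["unexpected"] or r["missing"] or r["privileged"] or r["user_scopes"])


# Constructed manifests: one matching the declaration, one that drifted.
GOOD_MANIFEST = json.loads("""
{"display_information": {"name": "miniCTO"},
 "oauth_config": {"scopes": {"bot": [
   "app_mentions:read", "chat:write", "channels:history", "groups:history",
   "im:history", "mpim:history", "im:write", "files:write"]}}}
""")

DRIFTED_MANIFEST = json.loads("""
{"display_information": {"name": "miniCTO"},
 "oauth_config": {"scopes": {"bot": [
   "app_mentions:read", "chat:write", "channels:history", "groups:history",
   "im:history", "mpim:history", "im:write", "files:write",
   "users:read", "admin.users:read"]}}}
""")


if __name__ == "__main__":
    print("good:", manifest_ok(GOOD_MANIFEST))
    print("drifted:", classify_scopes(DRIFTED_MANIFEST))
```

Run it in CI against the checked-in manifest so a pull request that adds a scope fails before it reaches the Slack review queue; the same check is a convenient way to confirm that the questionnaire answer and the manifest still agree.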
Do you store Slack OAuth refresh tokens?
No — we use the standard non-rotating bot token. Re-installation is the rotation mechanism.
Compliance
Are you SOC 2 certified?
Not yet. Targeting SOC 2 Type I in H2 2026.
Are you ISO 27001 certified?
No.
Are you GDPR compliant?
Best-effort. Privacy policy discloses data categories, third-party sharing, deletion rights, and contact for data subject requests. We are not currently registered with an EU DPO.
Are you CCPA compliant?
Best-effort. We do not sell customer data. Deletion-on-request is supported via uninstall or email.
Where are your servers located?
Mainland China.
Incident response
Do you have an incident response plan?
Yes — informal: detection via standard logs and uptime monitoring; containment by revoking compromised tokens and rotating credentials; notification to affected workspaces within 72 hours via Slack DM through the bot.
Have you experienced a breach in the last 12 months?
No.
Do you have a vulnerability disclosure policy?
Yes — section 8 of https://slack.minicto.ai/privacy. Disclose to cz2440@columbia.edu, response within 5 business days.
Vendor management
Do you use any sub-processors beyond Anthropic and GitHub?
No other sub-processors for customer data. We use Cloudflare (DNS only, no proxy) and Let's Encrypt (TLS certificates), neither of which sees customer message content.
06 Test instructions for the Slack reviewer
Slack's submission form asks for instructions the reviewer will follow to verify the app works. Be specific so they don't have to think.
How to test miniCTO
1. Install miniCTO into a test Slack workspace via https://slack.minicto.ai/. Click "Add to Slack" and approve the OAuth consent.
2. The bot will immediately DM you with a welcome message. Confirm you receive it in your DMs.
3. In that DM, send:
Can you take a look at https://github.com/anthropics/anthropic-cookbook ?
4. The bot will reply with "⏳ Thinking…" and then, within ~30 seconds, replace that message with a real response that describes the structure of the cookbook repo (it actually clones the repo into a per-channel sandbox to do this).
5. To test the slash command: in any channel or DM, send:
/minicto how do I print a list in python in reverse?
The bot replies with an ephemeral message (only you see it) containing the answer.
6. To uninstall: in the Slack workspace's "Manage apps", remove miniCTO. The bot's OAuth tokens are revoked immediately and all stored data for that workspace is deleted within the same transaction (verifiable on request — email cz2440@columbia.edu).
If anything is unclear or doesn't work as described, please reach out to cz2440@columbia.edu and we'll respond within 24 hours.
07 Asset locations & final hand-off
When you've gathered everything, put it here so it's findable next time you need to update the submission:
App icon (512×512 PNG): docs/assets/app-icon.png
Screenshots (4 × PNG): docs/assets/screenshots/welcome.png, etc.
Demo video (mp4): docs/assets/demo.mp4 (or a Loom URL — Slack accepts both)
This submission pack: docs/submission.html · this page
Long / short description, security answers: inline above — copy directly into Slack's form
Submit at: https://api.slack.com/apps/[YOUR_APP_ID]/distribute → scroll to bottom → Submit your app to the App Directory.
After submission
Expect first review response in 2–6 weeks.
If they ask for changes, fix them and resubmit — usually 1–2 weeks for re-review.
Total time to approval: typically 6–8 weeks from first submission.
During the wait: continue rolling out to seed customers via the direct install URL (the install flow shows Slack's not-yet-approved warning and may require workspace-admin pre-approval), and continue gathering usage data.
If you get rejected
Common reasons and what to do:
Insufficient OAuth scope justification — update Long description to explicitly mention which scope does what.
Privacy policy too vague — already covered, but Slack may want explicit GDPR/CCPA wording added to /privacy.
Demo video over 90s or under 30s — re-cut to ~60s.
"Slack" in app name — we don't have this. Good.
App icon too generic — commission a real designer or generate something distinctive.