Security fixes: upgrade Hubot + Slack adapter

[rhamenator]

Summary

1. Upgrade Hubot core to 13.1.4 and migrate from the deprecated hubot-slack RTM adapter to @hubot-friends/hubot-slack (Socket Mode), including Procfile/bin/README updates and new environment variables.
2. Refresh vulnerable dependencies (Firebase 12.4.0, Standard 17, npm-run-all removal, etc.), regenerate the lockfile, and add .env.example plus a detailed security-upgrade-plan.md with verification steps and sandbox token guidance.
3. Replace the old hubot-heroku-keepalive script with an internal initializer, modernize Slack-related helpers/templates/tests (welcome email, mentioned rooms, tweeter, watch-for-disconnected), and introduce a reusable Hubot test harness so specs use the public API.

Testing

1. npm run lint
2. npm test
3. npm audit and npm audit --omit=dev
4. Manual smoke test note: Hubot boots locally with the new adapter; full Socket Mode verification requires valid Slack SLACK_APP_TOKEN / SLACK_BOT_TOKEN (sandbox instructions included in the plan).

[Copilot]

Pull Request Overview

This PR upgrades the Slackbot to use modern Hubot and Slack adapter dependencies, addressing security vulnerabilities and deprecations. The changes migrate from the deprecated hubot-slack to @hubot-friends/hubot-slack, upgrade Hubot core from v3 to v13, and refactor code to work with the new Socket Mode/Web API architecture.

• Replaces deprecated Slack RTM client with Web API client
• Implements internal heroku-keepalive to replace deprecated external script
• Modernizes test infrastructure with async/await support and proxyquire for dependency injection

Reviewed Changes

Copilot reviewed 22 out of 25 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
package.json	Updates Hubot to v13, adds @hubot-friends/hubot-slack adapter, upgrades firebase and standard, removes deprecated external scripts
lib/initializers/mentioned-rooms-referencer.js	Refactors to use Slack Web API instead of RTM dataStore
lib/initializers/watch-for-disconnected.js	Adds adapter event listeners alongside legacy logger interception
lib/initializers/heroku-keepalive.js	New internal implementation replacing external hubot-heroku-keepalive script
lib/helpers/shorten-url.js	Adds error handling and HTTPS enforcement for TinyURL shortening
lib/templates/welcome-email.js	Adds helper functions to handle both string and object group structures
spec/lib/templates/welcome-email-spec.js	Replaces live API tests with mocked shorten-url dependency
spec/lib/initializers/*.js	Updates tests to use modern Hubot imports and async patterns
spec/helpers/include-hubot.js	Implements MockAdapter extending Hubot's Adapter class with async methods
bin/hubot	Adds -a @hubot-friends/hubot-slack adapter flag
README.md	Documents Socket Mode setup requirements and required scopes

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.