@jtalk22/slack-mcp 1.1.5 → 1.1.7

package/README.md

@@ -87,7 +87,7 @@ flowchart LR
 - **Send Messages** - DMs or channels, with thread support
 - **User Directory** - List and search 500+ users with pagination
 
-### Stability (v1.0.6+)
+### Stability
 - **Auto Token Refresh** - Extracts fresh tokens from Chrome automatically *(macOS only)*
 - **Atomic Writes** - File operations use temp-file-then-rename to prevent corruption
 - **Zombie Protection** - Background timers use `unref()` for clean process exit
@@ -294,11 +294,11 @@ npm run web
 # Or: npx @jtalk22/slack-mcp web
 ```
 
-**Magic Link (v1.1.0+):** The console prints a one-click URL with the API key embedded:
+**Magic Link:** The console prints a one-click URL with the API key embedded:
 
 ```
 ════════════════════════════════════════════════════════════
-  Slack Web API Server v1.1.0
+  Slack Web API Server v1.1.7
 ════════════════════════════════════════════════════════════
 
   Dashboard: http://localhost:3000/?key=smcp_xxxxxxxxxxxx
@@ -393,20 +393,9 @@ slack-mcp-server/
 
 ## Contributing
 
-1. Fork the repository
-2. Create a feature branch
-3. Make your changes
-4. Run `node --check` on modified files
-5. Submit a pull request
+PRs welcome. Run `node --check` on modified files before submitting.
 
----
-
-## Support
-
-If this saved you from OAuth hell, consider:
-
-- [GitHub Sponsors](https://github.com/sponsors/jtalk22)
-- Star the repo
+If you find this project useful, consider [sponsoring](https://github.com/sponsors/jtalk22) or starring the repo.
 
 ---
 

package/docs/API.md

@@ -21,6 +21,36 @@ Check if Slack tokens are valid.
 
 ---
 
+### slack_token_status
+
+Get detailed token health, age, and cache statistics.
+
+**Parameters:** None
+
+**Returns:**
+```json
+{
+  "token": {
+    "status": "healthy",
+    "age_hours": 2.5,
+    "source": "file",
+    "updated_at": "2026-01-08T12:00:00Z",
+    "message": "Token is healthy"
+  },
+  "auto_refresh": {
+    "enabled": true,
+    "interval": "4 hours",
+    "requires": "Slack tab open in Chrome"
+  },
+  "cache": {
+    "users": { "size": 25, "maxSize": 500, "ttlMs": 3600000 },
+    "dms": { "count": 10, "age_hours": 1.2 }
+  }
+}
+```
+
+---
+
 ### slack_refresh_tokens
 
 Force refresh tokens from Chrome.
@@ -119,7 +149,7 @@ Export full conversation with threads.
 | latest | string | - | Unix timestamp end |
 | max_messages | number | 2000 | Max messages (up to 10000) |
 | include_threads | boolean | true | Fetch thread replies |
-| output_file | string | - | Save to file path |
+| output_file | string | - | Filename (saved to ~/.slack-mcp-exports/) |
 
 **Timestamps:**
 - Dec 1, 2025 = `1733011200`

package/docs/SETUP.md

@@ -12,7 +12,7 @@
 
 ```bash
 cd ~
-git clone https://github.com/yourusername/slack-mcp-server.git
+git clone https://github.com/jtalk22/slack-mcp-server.git
 # or if already exists:
 cd ~/slack-mcp-server
 ```

package/docs/TROUBLESHOOTING.md

@@ -98,9 +98,15 @@ launchctl load ~/Library/LaunchAgents/com.slack-web-api.plist
 
 ### API Key Invalid
 
-**Default API Key:** `slack-mcp-local`
+The web server generates a unique API key on first run, stored in `~/.slack-mcp-api-key`.
 
-If you set a custom key, make sure it matches:
+The key is printed to the console when you start the server:
+```
+Dashboard: http://localhost:3000/?key=smcp_xxxxxxxxxxxx
+API Key:   smcp_xxxxxxxxxxxx
+```
+
+You can also set a custom key:
 ```bash
 SLACK_API_KEY=your-custom-key npm run web
 ```
@@ -109,7 +115,8 @@ SLACK_API_KEY=your-custom-key npm run web
 
 Check if the server is running:
 ```bash
-curl http://localhost:3000/health -H "Authorization: Bearer slack-mcp-local"
+# Get your API key from ~/.slack-mcp-api-key
+curl http://localhost:3000/health -H "Authorization: Bearer $(cat ~/.slack-mcp-api-key)"
 ```
 
 Check LaunchAgent status:

package/docs/WEB-API.md

@@ -12,7 +12,7 @@ npm run web
 The server will:
 1. Start on port 3000
 2. Serve the web UI at http://localhost:3000
-3. Use default API key `slack-mcp-local` (or set `SLACK_API_KEY` env var)
+3. Generate a secure API key (saved to `~/.slack-mcp-api-key`)
 
 ## Auto-Start on Login (Recommended)
 
@@ -69,7 +69,11 @@ All API requests require the API key in the Authorization header:
 Authorization: Bearer <your-api-key>
 ```
 
-**Default API Key:** `slack-mcp-local`
+The server generates a cryptographically secure API key on first run, saved to `~/.slack-mcp-api-key`. The key is printed to the console:
+
+```
+Dashboard: http://localhost:3000/?key=smcp_xxxxxxxxxxxx
+```
 
 To use a custom key:
 ```bash

package/lib/handlers.js

@@ -4,7 +4,8 @@
  * Implementation of all MCP tool handlers.
  */
 
-import { writeFileSync, readFileSync, existsSync, renameSync, unlinkSync } from "fs";
+import { writeFileSync, readFileSync, existsSync, renameSync, unlinkSync, mkdirSync } from "fs";
+import { execSync } from "child_process";
 import { homedir, platform } from "os";
 import { join } from "path";
 import { loadTokens, saveTokens, extractFromChrome, isAutoRefreshAvailable } from "./token-store.js";
@@ -33,7 +34,7 @@ function atomicWriteSync(filePath, content) {
   try {
     writeFileSync(tempPath, content);
     if (platform() === 'darwin' || platform() === 'linux') {
-      try { require('child_process').execSync(`chmod 600 "${tempPath}"`); } catch {}
+      try { execSync(`chmod 600 "${tempPath}"`); } catch {}
     }
     renameSync(tempPath, filePath);
   } catch (e) {
@@ -115,7 +116,7 @@ export async function handleHealthCheck() {
     return {
       content: [{
         type: "text",
-        text: "NO CREDENTIALS\n\nOptions:\n1. Open Slack in Chrome, then use slack_refresh_tokens\n2. Run: ~/slack-mcp-server/scripts/refresh-tokens.sh"
+        text: "NO CREDENTIALS\n\nOptions:\n1. Open Slack in Chrome, then use slack_refresh_tokens\n2. Run: npm run tokens:auto (or npx @jtalk22/slack-mcp tokens:auto)"
       }],
       isError: true
     };
@@ -404,11 +405,20 @@ export async function handleGetFullConversation(args) {
     messages: allMessages
   };
 
-  // Save to file if requested
+  // Save to file if requested (restricted to ~/.slack-mcp-exports/ for security)
   if (args.output_file) {
-    const outputPath = args.output_file.startsWith('/')
-      ? args.output_file
-      : join(homedir(), args.output_file);
+    const exportDir = join(homedir(), '.slack-mcp-exports');
+    // Ensure export directory exists
+    try { mkdirSync(exportDir, { recursive: true }); } catch {}
+
+    // Sanitize filename - remove any path traversal attempts
+    const sanitizedName = args.output_file
+      .replace(/^.*[\\\/]/, '')  // Remove any path components
+      .replace(/\.\./g, '')       // Remove .. sequences
+      .replace(/[<>:"|?*]/g, '') // Remove invalid chars
+      || 'export.json';
+
+    const outputPath = join(exportDir, sanitizedName);
     writeFileSync(outputPath, JSON.stringify(output, null, 2));
     output.saved_to = outputPath;
   }

package/lib/tools.js

@@ -109,7 +109,7 @@ export const TOOLS = [
         },
         output_file: {
           type: "string",
-          description: "Save to file path (optional, relative to home directory)"
+          description: "Filename to save export (saved to ~/.slack-mcp-exports/)"
         }
       },
       required: ["channel_id"]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jtalk22/slack-mcp",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "Full Slack access for Claude - DMs, channels, search. No OAuth. No admin approval. Just works.",
   "type": "module",
   "main": "src/server.js",

package/scripts/token-cli.js

@@ -3,7 +3,7 @@
  * Token CLI - Manage Slack tokens
  */
 
-import { loadTokens, saveTokens, extractFromChrome, getFromFile, TOKEN_FILE } from "../lib/token-store.js";
+import { loadTokens, saveTokens, extractFromChrome, getFromFile, TOKEN_FILE, KEYCHAIN_SERVICE } from "../lib/token-store.js";
 import { slackAPI } from "../lib/slack-client.js";
 import * as readline from "readline";
 
@@ -141,8 +141,8 @@ async function clearTokens() {
   }
 
   try {
-    execSync('security delete-generic-password -s "slack-mcp-server" -a "token" 2>/dev/null');
-    execSync('security delete-generic-password -s "slack-mcp-server" -a "cookie" 2>/dev/null');
+    execSync(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "token" 2>/dev/null`);
+    execSync(`security delete-generic-password -s "${KEYCHAIN_SERVICE}" -a "cookie" 2>/dev/null`);
     console.log("Deleted keychain entries");
   } catch (e) {
     console.log("No keychain entries to delete");

package/scripts/{verify-v106.js → verify-core.js}

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
- * v1.0.6 Verification Script
+ * Core Stability Verification Script
  *
  * Tests:
  * 1. Atomic write - no .tmp artifacts remain after write
@@ -131,7 +131,7 @@ async function testServerExit() {
 
 async function main() {
   console.log("╔════════════════════════════════════════╗");
-  console.log("║  v1.0.6 Verification Tests             ║");
+  console.log("║  Core Stability Verification Tests     ║");
   console.log("╚════════════════════════════════════════╝");
 
   const results = [];
@@ -145,7 +145,7 @@ async function main() {
 
   if (passed === total) {
     console.log(`\n✓ ALL TESTS PASSED (${passed}/${total})`);
-    console.log("\nReady to deploy v1.0.6");
+    console.log("\nCore stability features verified");
     process.exit(0);
   } else {
     console.log(`\n✗ TESTS FAILED (${passed}/${total})`);

package/scripts/verify-web.js

@@ -206,7 +206,7 @@ async function main() {
 
   if (passed === total) {
     console.log(`\n✓ ALL TESTS PASSED (${passed}/${total})`);
-    console.log("\nReady to bump version to 1.1.0");
+    console.log("\nWeb UI features verified");
     process.exit(0);
   } else {
     console.log(`\n✗ TESTS FAILED (${passed}/${total})`);

package/src/server.js

@@ -11,7 +11,7 @@
  * - Network error retry with exponential backoff
  * - Background token health monitoring
  *
- * @version 1.1.0
+ * @version 1.1.7
  */
 
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
@@ -43,7 +43,7 @@ const BACKGROUND_REFRESH_INTERVAL = 4 * 60 * 60 * 1000;
 
 // Package info
 const SERVER_NAME = "slack-mcp-server";
-const SERVER_VERSION = "1.1.0";
+const SERVER_VERSION = "1.1.7";
 
 // Initialize server
 const server = new Server(

package/src/web-server.js

@@ -5,7 +5,7 @@
  * Exposes Slack MCP tools as REST endpoints for browser access.
  * Run alongside or instead of the MCP server for web-based access.
  *
- * @version 1.1.0
+ * @version 1.1.7
  */
 
 import express from "express";
@@ -67,9 +67,20 @@ const API_KEY = getOrCreateAPIKey();
 app.use(express.json());
 app.use(express.static(join(__dirname, "../public")));
 
-// CORS for local development
+// CORS - restricted to localhost for security
+// Using * would allow any website to make requests to your local server
+const ALLOWED_ORIGINS = [
+  `http://localhost:${PORT}`,
+  `http://127.0.0.1:${PORT}`,
+  'http://localhost:3000',
+  'http://127.0.0.1:3000'
+];
+
 app.use((req, res, next) => {
-  res.header("Access-Control-Allow-Origin", "*");
+  const origin = req.headers.origin;
+  if (ALLOWED_ORIGINS.includes(origin)) {
+    res.header("Access-Control-Allow-Origin", origin);
+  }
   res.header("Access-Control-Allow-Headers", "Content-Type, Authorization");
   res.header("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
   if (req.method === "OPTIONS") {
@@ -280,14 +291,16 @@ async function main() {
     console.log(`Credentials loaded from: ${credentials.source}`);
   }
 
-  app.listen(PORT, () => {
+  // Bind to localhost only - prevents access from other devices on the network
+  app.listen(PORT, '127.0.0.1', () => {
     // Print to stderr to keep logs clean (stdout reserved for JSON in some setups)
     console.error(`\n${"═".repeat(60)}`);
-    console.error(`  Slack Web API Server v1.1.0`);
+    console.error(`  Slack Web API Server v1.1.7`);
     console.error(`${"═".repeat(60)}`);
     console.error(`\n  Dashboard: http://localhost:${PORT}/?key=${API_KEY}`);
     console.error(`\n  API Key:   ${API_KEY}`);
     console.error(`\n  curl -H "Authorization: Bearer ${API_KEY}" http://localhost:${PORT}/health`);
+    console.error(`\n  Security: Bound to localhost only (127.0.0.1)`);
     console.error(`\n${"═".repeat(60)}\n`);
   });
 }