@jtalk22/slack-mcp 2.0.0 → 3.0.0

package/README.md

@@ -1,46 +1,67 @@
-<p align="center">
-  <a href="https://jtalk22.github.io/slack-mcp-server/public/demo.html"><img src="docs/assets/icon-512.png" alt="Slack MCP Server" width="80"></a>
-</p>
-
-<h1 align="center">Slack MCP Server</h1>
-
-<p align="center">
-  <em>Give Claude the same Slack access you have.<br>
-  DMs, threads, history—using your existing Slack session.</em>
-</p>
-
-<p align="center">
-  <a href="https://jtalk22.github.io/slack-mcp-server/public/demo-video.html">
-    <img src="docs/images/demo-readme.gif" alt="Slack MCP tools in action" width="640">
-  </a>
-</p>
-
-<p align="center">
-  <a href="https://www.npmjs.com/package/@jtalk22/slack-mcp"><img src="https://img.shields.io/badge/npm-Install-blue?style=for-the-badge&logo=npm&logoColor=white" alt="npm"></a>
-  <a href="https://github.com/jtalk22/slack-mcp-server/pkgs/container/slack-mcp-server"><img src="https://img.shields.io/badge/Docker-Pull-2496ED?style=for-the-badge&logo=docker&logoColor=white" alt="Docker"></a>
-</p>
-
-<p align="center">
-  <a href="https://jtalk22.github.io/slack-mcp-server/public/demo.html"><img src="https://img.shields.io/badge/LIVE%20DEMO-Try%20It%20Now-00C853?style=for-the-badge&logo=slack&logoColor=white" alt="Live Demo"></a>
-  <a href="https://jtalk22.github.io/slack-mcp-server/public/demo-claude.html"><img src="https://img.shields.io/badge/CLAUDE%20DEMO-See%20MCP%20Tools-da7756?style=for-the-badge" alt="Claude Demo"></a>
-</p>
-
-<br>
-
-<p align="center">
-  <a href="https://www.npmjs.com/package/@jtalk22/slack-mcp"><img src="https://img.shields.io/npm/dm/@jtalk22/slack-mcp?label=downloads&color=CB3837" alt="npm downloads"></a>
-  <a href="https://github.com/jtalk22/slack-mcp-server/actions/workflows/ci.yml"><img src="https://img.shields.io/github/actions/workflow/status/jtalk22/slack-mcp-server/ci.yml?label=build" alt="Build Status"></a>
-  <a href="https://smithery.ai/server/jtalk22/slack-mcp-server"><img src="https://img.shields.io/badge/Smithery-Registry-4A154B" alt="Smithery"></a>
-  <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT"></a>
-</p>
+# Slack MCP Server
 
----
+Use your existing Slack session with Claude and other MCP clients.  
+Local-first by default (`stdio`/`web`), hosted HTTP when you need a remote endpoint.
+
+[Live demo](https://jtalk22.github.io/slack-mcp-server/public/demo-video.html) · [npm package](https://www.npmjs.com/package/@jtalk22/slack-mcp) · [Compatibility matrix](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/COMPATIBILITY.md)
+
+![Slack MCP tools in action](https://jtalk22.github.io/slack-mcp-server/docs/images/demo-readme.gif)
+
+## 30-Second Verify
+
+```bash
+npx -y @jtalk22/slack-mcp@latest --version
+npx -y @jtalk22/slack-mcp@latest --doctor
+npx -y @jtalk22/slack-mcp@latest --status
+```
+
+Expected:
+- `--version` prints `slack-mcp-server v3.0.0`
+- `--doctor` exits with deterministic `0|1|2|3`
+- `--status` is read-only and non-mutating
+
+## Install
+
+```bash
+npm install -g @jtalk22/slack-mcp
+npx -y @jtalk22/slack-mcp --setup
+```
+
+If this project saves you setup time, star the repo: https://github.com/jtalk22/slack-mcp-server
+
+Maintainer/operator: `jtalk22` (`james@revasser.nyc`)  
+Release notes: [v3.0.0 notes](https://github.com/jtalk22/slack-mcp-server/blob/main/.github/v3.0.0-release-notes.md)
+
+## v3.0.0 at a Glance
+
+- Hosted HTTP `/mcp` now requires bearer auth by default (`SLACK_MCP_HTTP_AUTH_TOKEN`).
+- Hosted HTTP CORS now uses explicit allowlisting (`SLACK_MCP_HTTP_ALLOWED_ORIGINS`).
+- Local-first paths (`stdio`, `web`) stay compatible.
+- MCP tool names stay stable (no renames/removals).
+
+## 60-Second Hosted Migration
 
-> **Release:** `v2.0.0` is live with deterministic diagnostics and no MCP tool renames/removals.  
-> Release notes: [.github/v2.0.0-release-notes.md](.github/v2.0.0-release-notes.md)  
-> Install proof: [docs/INSTALL-PROOF.md](docs/INSTALL-PROOF.md)
+```bash
+export SLACK_TOKEN=xoxc-...
+export SLACK_COOKIE=xoxd-...
+export SLACK_MCP_HTTP_AUTH_TOKEN=change-this
+export SLACK_MCP_HTTP_ALLOWED_ORIGINS=https://claude.ai
+node src/server-http.js
+```
+
+Request with:
+
+```bash
+Authorization: Bearer <SLACK_MCP_HTTP_AUTH_TOKEN>
+```
+
+Emergency local fallback only:
+
+```bash
+SLACK_MCP_HTTP_INSECURE=1 node src/server-http.js
+```
 
-> Free local-first path: install with `npx -y @jtalk22/slack-mcp`, run on your own machine, and keep full control of session tokens.
+For guided hosted rollout requirements, open: [deployment intake](https://github.com/jtalk22/slack-mcp-server/issues/new?template=deployment-intake.md)
 
 ### Why This Exists
 
@@ -50,7 +71,7 @@ Screenshotting messages is not a workflow.
 
 This server bridges the gap. It creates a secure, local bridge between Claude and your Slack web session. It gives your MCP client the same access **you** already have in the browser—search history, summarize threads, and retrieve prior context—without fighting the platform.
 
-![Slack MCP Server Web UI](docs/images/demo-main.png)
+![Slack MCP Server Web UI](https://jtalk22.github.io/slack-mcp-server/docs/images/demo-main.png)
 
 ---
 
@@ -58,11 +79,11 @@ This server bridges the gap. It creates a secure, local bridge between Claude an
 
 Instead of authenticating as a bot, this server leverages your existing Chrome session credentials (macOS) or manual token injection (Linux/Windows). It mirrors your user access exactly—if you can see it in Slack, Claude can see it too.
 
-![Session Mirroring Flow](docs/images/diagram-session-flow.svg)
+![Session Mirroring Flow](https://jtalk22.github.io/slack-mcp-server/docs/images/diagram-session-flow.svg)
 
 ### Why Not OAuth?
 
-![OAuth vs Session Mirroring](docs/images/diagram-oauth-comparison.svg)
+![OAuth vs Session Mirroring](https://jtalk22.github.io/slack-mcp-server/docs/images/diagram-oauth-comparison.svg)
 
 **Trade-off:** Session tokens expire every 1-2 weeks. Auto-refresh (macOS) or manual update keeps things running.
 
@@ -88,7 +109,7 @@ Instead of authenticating as a bot, this server leverages your existing Chrome s
 | Tool | Description |
 |------|-------------|
 | `slack_health_check` | Verify token validity and workspace info |
-| `slack_token_status` | **New:** Detailed token age, health, and cache stats |
+| `slack_token_status` | Detailed token age, health, and cache stats |
 | `slack_refresh_tokens` | Auto-extract fresh tokens from Chrome |
 | `slack_list_conversations` | List DMs/channels (with lazy discovery cache) |
 | `slack_conversations_history` | Get messages from a channel or DM |
@@ -114,7 +135,7 @@ npx -y @jtalk22/slack-mcp --setup
 ```
 
 Expected:
-- `--version` prints `slack-mcp-server v2.0.x`
+- `--version` prints `slack-mcp-server v3.0.x`
 - `--doctor` returns one clear next action with exit code:
   - `0` ready
   - `1` missing credentials
@@ -122,7 +143,7 @@ Expected:
   - `3` connectivity/runtime issue
 - `--setup` launches the interactive wizard
 
-Command reference: [docs/HN-LAUNCH.md](docs/HN-LAUNCH.md)
+Command reference: [HN launch kit](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/HN-LAUNCH.md)
 
 ### Known Working Clients
 
@@ -132,7 +153,7 @@ Command reference: [docs/HN-LAUNCH.md](docs/HN-LAUNCH.md)
 - Hosted Node runtime (`http`)
 - Cloudflare Worker / Smithery transport
 
-Compatibility matrix: [docs/COMPATIBILITY.md](docs/COMPATIBILITY.md)
+Compatibility matrix: [compatibility matrix](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/COMPATIBILITY.md)
 
 ### Option A: npm (Recommended)
 
@@ -326,9 +347,15 @@ finally { refreshInProgress = false; }
 
 ---
 
-## Web UI (for claude.ai — no MCP support)
+## Web UI (optional browser/local fallback)
 
-If you're using claude.ai in a browser (which doesn't support MCP), you can use the REST server instead:
+Claude now supports remote MCP connectors on paid plans. For claude.ai, the preferred path is adding a remote connector in Settings -> Connectors.
+
+Reference:
+- https://support.anthropic.com/en/articles/11995447-connectors-in-claude
+- https://support.anthropic.com/en/articles/11175166-about-custom-integrations-using-remote-mcp
+
+Use this Web UI when you want a local localhost dashboard, REST access, or a fallback workflow without remote connector hosting:
 
 ```bash
 npm run web
@@ -339,7 +366,7 @@ npm run web
 
 ```
 ════════════════════════════════════════════════════════════
-  Slack Web API Server v2.0.0
+  Slack Web API Server v3.0.0
 ════════════════════════════════════════════════════════════
 
   Dashboard: http://localhost:3000/?key=smcp_xxxxxxxxxxxx
@@ -352,21 +379,40 @@ Just click the link - no copy-paste needed. The key is saved to your browser and
 
 | DMs View | Channels View |
 |----------|---------------|
-| ![DMs](docs/images/demo-main.png) | ![Channels](docs/images/demo-channels.png) |
+| ![DMs](https://jtalk22.github.io/slack-mcp-server/docs/images/demo-main.png) | ![Channels](https://jtalk22.github.io/slack-mcp-server/docs/images/demo-channels.png) |
 
 </details>
 
 ---
 
+## Hosted HTTP Mode (Secure Defaults)
+
+Use this mode only when you need a remote MCP endpoint:
+
+```bash
+SLACK_TOKEN=xoxc-...
+SLACK_COOKIE=xoxd-...
+SLACK_MCP_HTTP_AUTH_TOKEN=change-this
+SLACK_MCP_HTTP_ALLOWED_ORIGINS=https://claude.ai
+node src/server-http.js
+```
+
+Behavior:
+- `/mcp` requires `Authorization: Bearer <SLACK_MCP_HTTP_AUTH_TOKEN>` by default.
+- Cross-origin browser calls are denied unless origin is listed in `SLACK_MCP_HTTP_ALLOWED_ORIGINS`.
+- For local testing only, you can opt out with `SLACK_MCP_HTTP_INSECURE=1`.
+
+---
+
 ## Operations Guides
 
-- [Docs Index](docs/INDEX.md) - One-click index for setup, API, troubleshooting, deployment, and support docs
-- [Deployment Modes](docs/DEPLOYMENT-MODES.md) - Choose the right operating model (`stdio`, `web`, hosted HTTP, Smithery/Worker)
-- [Use Case Recipes](docs/USE_CASE_RECIPES.md) - 12 copy/paste prompts mapped to current tool contracts
-- [Support Boundaries](docs/SUPPORT-BOUNDARIES.md) - Scope, response targets, and solo-maintainer capacity limits
-- [Release Health](docs/RELEASE-HEALTH.md) - Track setup reliability and support-load targets through this release cycle
+- [Docs Index](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/INDEX.md) - One-click index for setup, API, troubleshooting, deployment, and support docs
+- [Deployment Modes](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/DEPLOYMENT-MODES.md) - Choose the right operating model (`stdio`, `web`, hosted HTTP, Smithery/Worker)
+- [Use Case Recipes](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/USE_CASE_RECIPES.md) - 12 copy/paste prompts mapped to current tool contracts
+- [Support Boundaries](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/SUPPORT-BOUNDARIES.md) - Scope, response targets, and solo-maintainer capacity limits
+- [Release Health](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/RELEASE-HEALTH.md) - Track setup reliability and support-load targets through this release cycle
 
-If you're evaluating team rollout, start with [Deployment Modes](docs/DEPLOYMENT-MODES.md) before exposing remote endpoints.
+If you're evaluating team rollout, start with [Deployment Modes](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/DEPLOYMENT-MODES.md) before exposing remote endpoints.
 
 ---
 
@@ -382,11 +428,13 @@ If you're evaluating team rollout, start with [Deployment Modes](docs/DEPLOYMENT
    npx -y @jtalk22/slack-mcp --setup
    ```
 3. Open an issue with full environment details:
-   - [Bug Report Template](.github/ISSUE_TEMPLATE/bug_report.md)
-   - [Deployment Intake Template](.github/ISSUE_TEMPLATE/deployment-intake.md)
-4. Check scope and response targets:
-   - [Support Boundaries](docs/SUPPORT-BOUNDARIES.md)
-   - [Troubleshooting Guide](docs/TROUBLESHOOTING.md)
+   - [Bug Report Template](https://github.com/jtalk22/slack-mcp-server/issues/new?template=bug_report.md)
+   - [Deployment Intake Template](https://github.com/jtalk22/slack-mcp-server/issues/new?template=deployment-intake.md)
+4. For guided hosted rollout support:
+   - [GitHub Discussions](https://github.com/jtalk22/slack-mcp-server/discussions)
+5. Check scope and response targets:
+   - [Support Boundaries](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/SUPPORT-BOUNDARIES.md)
+   - [Troubleshooting Guide](https://github.com/jtalk22/slack-mcp-server/blob/main/docs/TROUBLESHOOTING.md)
 
 ---
 
@@ -472,13 +520,13 @@ slack-mcp-server/
 
 PRs welcome. Run `node --check` on modified files before submitting.
 
-If you find this project useful, consider starring the repo.
+If this project saves you setup time, consider starring the repository.
 
 ---
 
 ## License
 
-MIT - See [LICENSE](LICENSE)
+MIT - See LICENSE
 
 ---
 

package/docs/CLOUDFLARE-BROWSER-TOOLKIT.md

@@ -0,0 +1,67 @@
+# Cloudflare Browser Toolkit
+
+Use Cloudflare Browser Rendering from this repo to run resilient page checks and captures when local browser automation is blocked.
+
+## Prerequisites
+
+- `CLOUDFLARE_ACCOUNT_ID` set
+- `CLOUDFLARE_API_TOKEN` **or** `CF_TERRAFORM_TOKEN` set
+- Token needs Browser Rendering access
+- Account API tokens are supported (recommended for this workflow)
+
+## Verify Access
+
+```bash
+npm run cf:browser -- verify
+```
+
+The verifier checks account-token auth (`/accounts/{account_id}/tokens/verify`) first and falls back to user-token verification automatically.
+
+## Quick Commands
+
+Rendered HTML:
+
+```bash
+npm run cf:browser -- content "https://example.com"
+```
+
+Markdown extract:
+
+```bash
+npm run cf:browser -- markdown "https://example.com"
+```
+
+Link extraction:
+
+```bash
+npm run cf:browser -- links "https://example.com"
+```
+
+Selector scrape:
+
+```bash
+npm run cf:browser -- scrape "https://example.com" --selectors "h1,.card a"
+```
+
+Screenshot:
+
+```bash
+npm run cf:browser -- screenshot "https://example.com" --out ./tmp/example.png --type png
+```
+
+PDF:
+
+```bash
+npm run cf:browser -- pdf "https://example.com" --out ./tmp/example.pdf
+```
+
+Structured JSON:
+
+```bash
+npm run cf:browser -- json "https://example.com" --schema '{"title":"string","links":["string"]}'
+```
+
+## Notes
+
+- This toolkit is for page rendering, extraction, and evidence capture.
+- It does not manage third-party account logins for posting workflows.

package/docs/DEPLOYMENT-MODES.md

@@ -15,7 +15,7 @@ Use this guide to choose the right operating mode before rollout.
 |------|---------------|----------|---------------|----------|-------|
 | Local MCP (`stdio`) | `npx -y @jtalk22/slack-mcp` | Individual daily usage in Claude | `SLACK_TOKEN` + `SLACK_COOKIE` via token file/env | Local process | Lowest ops burden |
 | Local Web UI (`web`) | `npx -y @jtalk22/slack-mcp web` | Browser-first usage, manual search/send | Same as above + generated API key | `localhost` by default | Useful when MCP is not available |
-| Hosted MCP (`http`) | `node src/server-http.js` | Controlled hosted integration | Env-injected Slack token/cookie | Remote endpoint | Requires runtime hardening and monitoring |
+| Hosted MCP (`http`) | `node src/server-http.js` | Controlled hosted integration | Env-injected Slack token/cookie + HTTP bearer token | Remote endpoint | `/mcp` is bearer-protected by default; configure CORS allowlist |
 | Smithery/Worker | `wrangler deploy` + Smithery publish flow | Registry distribution for hosted consumers | Query/env token handoff | Remote endpoint | Keep worker version parity with npm release |
 
 ## Team Deployment Guidance
@@ -44,5 +44,12 @@ If you are deploying for more than one operator:
 ### Hosted (`http` or Worker)
 
 1. Verify `version` parity across `package.json`, server metadata, and health responses.
-2. Confirm `slack_get_thread`, `slack_search_messages`, and `slack_users_info` behavior.
-3. Confirm token handling mode (ephemeral vs env persistence) is documented.
+2. Verify HTTP auth behavior:
+   - missing `SLACK_MCP_HTTP_AUTH_TOKEN` returns `503`
+   - bad bearer token returns `401`
+   - valid bearer token succeeds
+3. Verify CORS behavior:
+   - denied by default
+   - allowed origins work when listed in `SLACK_MCP_HTTP_ALLOWED_ORIGINS`
+4. Confirm `slack_get_thread`, `slack_search_messages`, and `slack_users_info` behavior.
+5. Confirm token handling mode (ephemeral vs env persistence) is documented.

package/docs/HN-LAUNCH.md

@@ -1,61 +1,72 @@
-# HN Launch Kit (v2.0.0)
+# HN Launch Kit (v3.0.0)
 
-Use this file for Show HN posting and first-comment follow-up.
+Use this for Show HN and follow-up comments.
 
 ## Title Options
 
-- `Show HN: Slack MCP Server v2.0.0 (deterministic Slack MCP diagnostics)`
-- `Show HN: Slack MCP Server v2.0.0 (session-based Slack access, stable contracts)`
-- `Show HN: Slack MCP Server v2.0.0 (local-first Slack context for Claude)`
+- `Show HN: Slack MCP Server v3.0.0 (secure-default hosted mode, local-first unchanged)`
+- `Show HN: Slack MCP Server v3.0.0 (session-based Slack access for MCP clients)`
+- `Show HN: Slack MCP Server v3.0.0 (hosted HTTP now auth-by-default)`
 
-## Launch Post Template
+## Main Post Draft
 
 ```md
-Released `@jtalk22/slack-mcp@2.0.0` today.
+Released `@jtalk22/slack-mcp@3.0.0`.
 
-This release focuses on install reliability and deterministic diagnostics:
-- read-only `--status` behavior enforced in install-path verification
-- deterministic `--doctor` exits (`0/1/2/3`)
-- structured MCP/web error payloads for triage consistency
-- token health handles missing timestamp as unknown age, not false critical
-- no MCP tool renames or removals
+This release keeps local session-mirroring intact (`stdio`, `web`) and hardens hosted HTTP defaults:
+- `/mcp` requires bearer auth by default
+- CORS requires explicit origin allowlisting
+- no MCP tool renames/removals
+- `--doctor` stays deterministic (`0/1/2/3`)
+- `--status` stays read-only
 
-Verify:
-- `npx -y @jtalk22/slack-mcp --version`
-- `npx -y @jtalk22/slack-mcp --doctor`
-- `npx -y @jtalk22/slack-mcp --status`
+Verify in 30 seconds:
+- `npx -y @jtalk22/slack-mcp@latest --version`
+- `npx -y @jtalk22/slack-mcp@latest --doctor`
+- `npx -y @jtalk22/slack-mcp@latest --status`
 
 Repo: https://github.com/jtalk22/slack-mcp-server
 npm: https://www.npmjs.com/package/@jtalk22/slack-mcp
+Release notes: https://github.com/jtalk22/slack-mcp-server/blob/main/.github/v3.0.0-release-notes.md
+Maintainer/operator: `jtalk22` (`james@revasser.nyc`)
 ```
 
 ## First Comment Draft
 
 ```md
-Quick notes:
-- Default path is local-first (`stdio`) and remains fully supported.
-- `--status` is read-only by design in this release.
-- `--doctor` has deterministic exit codes for automation and triage.
-- If registry pages lag, metadata is propagating; npm and GitHub release are authoritative first.
-
-If anything fails, include OS, Node version, runtime mode (`stdio|web|http|worker`), and exact output.
+Additional operator notes:
+- Local users (`stdio`, `web`) do not need migration.
+- Hosted users need `SLACK_MCP_HTTP_AUTH_TOKEN` and `SLACK_MCP_HTTP_ALLOWED_ORIGINS` configured.
+- Emergency local fallback is available via `SLACK_MCP_HTTP_INSECURE=1`.
+
+If something fails, include:
+- OS + Node version
+- runtime mode (`stdio|web|http|worker`)
+- exact command + output
 ```
 
-## FAQ Macro
+## Reply Macros
+
+### Why not Slack OAuth?
+
+Session mirroring uses the access already present in the signed-in Slack web session, which is useful for operator workflows where a bot scope model is too limiting.
+
+### Is hosted required?
+
+No. Local-first use is still the default and fully supported.
+
+### Did the tool API change?
+
+No MCP tool names were removed or renamed in `v3.0.0`.
 
-### Why session-based instead of OAuth app scopes?
-Session mirroring provides the same access visible in the signed-in Slack web session.
+### Why a major version?
 
-### Is hosted deployment required?
-No. Local operator path is primary. Hosted paths are optional.
+Hosted HTTP defaults changed to auth-by-default behavior, which can change existing hosted deployments.
 
-### Are tool contracts changed in v2.0.0?
-No. This release keeps existing MCP tool names.
+### What should users run first?
 
-### What should I run first?
-Use:
 ```bash
-npx -y @jtalk22/slack-mcp --version
-npx -y @jtalk22/slack-mcp --doctor
-npx -y @jtalk22/slack-mcp --status
+npx -y @jtalk22/slack-mcp@latest --version
+npx -y @jtalk22/slack-mcp@latest --doctor
+npx -y @jtalk22/slack-mcp@latest --status
 ```

package/docs/INDEX.md

@@ -13,20 +13,23 @@ Start here for setup, compatibility checks, operations, and support.
 ## Operations
 
 - [Deployment Modes](DEPLOYMENT-MODES.md)
+- [Cloudflare Browser Toolkit](CLOUDFLARE-BROWSER-TOOLKIT.md)
 - [Use Case Recipes](USE_CASE_RECIPES.md)
 - [Support Boundaries](SUPPORT-BOUNDARIES.md)
 
 ## Launch and Communication
 
 - [HN Launch Kit](HN-LAUNCH.md)
-- [Launch Copy (v2.0.0)](LAUNCH-COPY-v2.0.0.md)
+- [Launch Copy (v3.0.0)](LAUNCH-COPY-v3.0.0.md)
 - [Launch Ops Runbook](LAUNCH-OPS.md)
 - [Capability Matrix](LAUNCH-MATRIX.md)
 - [Install Proof Block](INSTALL-PROOF.md)
+- [Release Notes (v3.0.0)](../.github/v3.0.0-release-notes.md)
 - [Communication Style](COMMUNICATION-STYLE.md)
 - [Release Health Guide](RELEASE-HEALTH.md)
 - [Latest Release Health Snapshot](release-health/latest.md)
 - [Version Parity Report](release-health/version-parity.md)
+- [Prepublish Dry Run Report](release-health/prepublish-dry-run.md)
 - [Launch Log Template](release-health/launch-log-template.md)
 - [Changelog](../CHANGELOG.md)
 

package/docs/INSTALL-PROOF.md

@@ -1,15 +1,15 @@
-# Install Proof Block (v2.0.0)
+# Install Proof Block (v3.0.0)
 
 Use this command block in release notes, HN/X/Reddit follow-ups, and issue replies.
 
 ```bash
-npx -y @jtalk22/slack-mcp --version
-npx -y @jtalk22/slack-mcp --doctor
-npx -y @jtalk22/slack-mcp --status
+npx -y @jtalk22/slack-mcp@latest --version
+npx -y @jtalk22/slack-mcp@latest --doctor
+npx -y @jtalk22/slack-mcp@latest --status
 ```
 
 Expected:
-- `--version` prints `slack-mcp-server v2.0.0`
+- `--version` prints `slack-mcp-server v3.0.0`
 - `--doctor` exits with:
   - `0` ready
   - `1` missing credentials

package/docs/LAUNCH-COPY-v3.0.0.md

@@ -0,0 +1,73 @@
+# Launch Copy (v3.0.0)
+
+Canonical text blocks for GitHub release surfaces, listings, and operator updates.
+
+## Short Summary (Public)
+
+`@jtalk22/slack-mcp v3.0.0` is live. This release keeps local-first operation unchanged (`stdio`, `web`) and hardens hosted HTTP mode with secure defaults. Hosted `/mcp` now requires bearer authentication using `SLACK_MCP_HTTP_AUTH_TOKEN`, and browser-origin access now uses explicit allowlisting via `SLACK_MCP_HTTP_ALLOWED_ORIGINS`. The major version reflects this hosted behavior change; local workflows and MCP tool names remain stable. Diagnostics remain deterministic (`--doctor` returns `0|1|2|3`), and `--status` remains read-only for safe checks. Public demo/media checks are now included in web verification so broken assets are caught before publish. Maintainer/operator: `jtalk22` (`james@revasser.nyc`).
+
+## GitHub Release Block
+
+```md
+`v3.0.0` secures hosted HTTP defaults while keeping local-first workflows stable.
+
+What changed:
+- `/mcp` requires bearer auth by default
+- CORS is origin-allowlist driven (`SLACK_MCP_HTTP_ALLOWED_ORIGINS`)
+- no MCP tool renames/removals
+- deterministic diagnostics are preserved
+
+Verify:
+`npx -y @jtalk22/slack-mcp@latest --version`
+`npx -y @jtalk22/slack-mcp@latest --doctor`
+`npx -y @jtalk22/slack-mcp@latest --status`
+```
+
+## Hosted Migration Block
+
+```md
+Hosted migration in under a minute:
+`SLACK_TOKEN=xoxc-...`
+`SLACK_COOKIE=xoxd-...`
+`SLACK_MCP_HTTP_AUTH_TOKEN=change-this`
+`SLACK_MCP_HTTP_ALLOWED_ORIGINS=https://claude.ai`
+`node src/server-http.js`
+
+Requests must include:
+`Authorization: Bearer <SLACK_MCP_HTTP_AUTH_TOKEN>`
+
+Emergency local fallback only:
+`SLACK_MCP_HTTP_INSECURE=1 node src/server-http.js`
+```
+
+## GitHub Discussion Announcement
+
+```md
+`v3.0.0` is published.
+
+- Hosted HTTP now enforces auth-by-default and explicit CORS policy.
+- Local-first paths (`stdio`, `web`) remain unchanged.
+- MCP tool names remain unchanged.
+
+If you hit a deployment blocker, open deployment intake and include runtime mode + exact output.
+```
+
+## Listing Snippet (awesome-mcp-servers / registries)
+
+```md
+Session-based Slack MCP server for local-first operators. `v3.0.0` hardens hosted HTTP defaults (bearer auth + origin allowlist) while keeping local tool contracts stable.
+```
+
+## Support Intake Snippet
+
+```md
+Need guided hosted deployment help?
+- Open deployment intake: `https://github.com/jtalk22/slack-mcp-server/issues/new?template=deployment-intake.md`
+- Continue in Discussions: `https://github.com/jtalk22/slack-mcp-server/discussions`
+```
+
+## Propagation Note
+
+Use when listing or registry caches lag:
+
+`Release is published. Metadata propagation is in progress as of <UTC timestamp>.`

package/docs/LAUNCH-MATRIX.md

@@ -1,12 +1,14 @@
-# Capability Matrix (v2.0.0)
+# Capability Matrix (v3.0.0)
 
 Comparison matrix for release notes and channel posts. Keep competitor references unnamed.
 
-| Capability | This Release (`v2.0.0`) | Typical Session-Based Alternatives |
+| Capability | This Release (`v3.0.0`) | Typical Session-Based Alternatives |
 |---|---|---|
 | Read-only status checks | Enforced and verified in install flow | Often undocumented or mixed with refresh side effects |
 | Deterministic doctor exits | Enforced (`0/1/2/3`) with install-path coverage | Often ad-hoc or text-only |
 | Structured diagnostics | Shared fields in MCP/web error payloads | Mixed payload shapes |
+| Hosted HTTP auth default | Bearer required on `/mcp` by default | Often permissive by default |
+| Hosted HTTP CORS | Explicit allowlist (`SLACK_MCP_HTTP_ALLOWED_ORIGINS`) | Often wildcard/implicit |
 | Unknown token age handling | Explicit `unknown_age` semantics | Missing timestamp may appear as stale/failing |
 | Tool contract stability | No MCP tool rename/removal | Varies by release |
 | Local-first operator path | First-class (`stdio`, `web`) | Varies by runtime emphasis |