@jtalk22/slack-mcp 2.0.0 → 3.0.0

package/scripts/release-preflight.js

@@ -0,0 +1,243 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "child_process";
+import { mkdirSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const ROOT = resolve(__dirname, "..");
+const REPORT_PATH = resolve(ROOT, "docs", "release-health", "prepublish-dry-run.md");
+
+const EXPECTED_NAME = process.env.EXPECTED_GIT_NAME || "jtalk22";
+const EXPECTED_EMAIL = process.env.EXPECTED_GIT_EMAIL || "james@revasser.nyc";
+const OWNER_RANGE = process.env.OWNER_CHECK_RANGE || "origin/main..HEAD";
+
+function run(command, args = [], options = {}) {
+  return spawnSync(command, args, {
+    cwd: ROOT,
+    encoding: "utf8",
+    env: process.env,
+    maxBuffer: 20 * 1024 * 1024,
+    ...options
+  });
+}
+
+function trimOutput(text = "", maxChars = 1200) {
+  const normalized = String(text || "").trim();
+  if (!normalized) return "";
+  if (normalized.length <= maxChars) return normalized;
+  return `${normalized.slice(0, maxChars)}... [truncated]`;
+}
+
+function stepResult(name, command, ok, details = "", commandOutput = "") {
+  return { name, command, ok, details, commandOutput };
+}
+
+function gitIdentityStep() {
+  const nameResult = run("git", ["config", "--get", "user.name"]);
+  const emailResult = run("git", ["config", "--get", "user.email"]);
+
+  const actualName = nameResult.stdout.trim();
+  const actualEmail = emailResult.stdout.trim();
+  const ok =
+    nameResult.status === 0 &&
+    emailResult.status === 0 &&
+    actualName === EXPECTED_NAME &&
+    actualEmail === EXPECTED_EMAIL;
+
+  const details = ok
+    ? `Configured as ${actualName} <${actualEmail}>`
+    : `Expected ${EXPECTED_NAME} <${EXPECTED_EMAIL}>, found ${actualName || "(missing)"} <${actualEmail || "(missing)"}>`;
+
+  return stepResult(
+    "Git identity",
+    "git config --get user.name && git config --get user.email",
+    ok,
+    details,
+    `${nameResult.stdout}${nameResult.stderr}${emailResult.stdout}${emailResult.stderr}`
+  );
+}
+
+function ownerAttributionStep() {
+  const result = run("bash", ["scripts/check-owner-attribution.sh", OWNER_RANGE]);
+  return stepResult(
+    "Owner attribution",
+    `bash scripts/check-owner-attribution.sh ${OWNER_RANGE}`,
+    result.status === 0,
+    result.status === 0 ? "All commits in range are owner-attributed." : "Owner attribution check failed.",
+    `${result.stdout}${result.stderr}`
+  );
+}
+
+function publicLanguageStep() {
+  const result = run("bash", ["scripts/check-public-language.sh"]);
+  return stepResult(
+    "Public language",
+    "bash scripts/check-public-language.sh",
+    result.status === 0,
+    result.status === 0 ? "Public wording guardrail passed." : "Disallowed wording found.",
+    `${result.stdout}${result.stderr}`
+  );
+}
+
+function markerScanStep() {
+  const pattern = "Co-authored-by|co-authored-by|Generated with|generated with";
+  const scanPaths = [
+    "README.md",
+    "docs",
+    "public",
+    ".github/RELEASE_NOTES_TEMPLATE.md",
+    ".github/ISSUE_REPLY_TEMPLATE.md"
+  ];
+  const result = run("rg", [
+    "-n",
+    pattern,
+    "--glob",
+    "!docs/release-health/**",
+    ...scanPaths
+  ]);
+
+  if (result.status === 1) {
+    return stepResult(
+      "Public attribution markers",
+      "marker-scan",
+      true,
+      "No non-owner attribution markers found in public surfaces."
+    );
+  }
+
+  return stepResult(
+    "Public attribution markers",
+    "marker-scan",
+    false,
+    result.status === 0
+      ? "Found disallowed markers on public surfaces."
+      : "Marker scan failed.",
+    `${result.stdout}${result.stderr}`
+  );
+}
+
+function runNodeStep(name, scriptPath, extraArgs = []) {
+  const result = run("node", [scriptPath, ...extraArgs]);
+  return stepResult(
+    name,
+    `node ${scriptPath}${extraArgs.length ? ` ${extraArgs.join(" ")}` : ""}`,
+    result.status === 0,
+    result.status === 0 ? "Passed." : "Failed.",
+    `${result.stdout}${result.stderr}`
+  );
+}
+
+function npmPackSnapshot() {
+  const result = run("npm", ["pack", "--dry-run", "--json"]);
+  if (result.status !== 0) {
+    return {
+      ok: false,
+      details: "Unable to generate npm pack snapshot.",
+      output: `${result.stdout}${result.stderr}`
+    };
+  }
+
+  try {
+    const parsed = JSON.parse(result.stdout);
+    const entry = Array.isArray(parsed) ? parsed[0] : parsed;
+    const fileCount = Array.isArray(entry.files) ? entry.files.length : 0;
+    const details = `package size ${entry.size} bytes, unpacked ${entry.unpackedSize} bytes, files ${fileCount}`;
+    return { ok: true, details, output: result.stdout };
+  } catch (error) {
+    return {
+      ok: false,
+      details: "npm pack output was not valid JSON.",
+      output: `${result.stdout}\n${String(error)}`
+    };
+  }
+}
+
+function buildReport(results, packSnapshot) {
+  const generated = new Date().toISOString();
+  const failed = results.filter((step) => !step.ok);
+  const lines = [];
+  lines.push("# Prepublish Dry Run");
+  lines.push("");
+  lines.push(`- Generated: ${generated}`);
+  lines.push(`- Expected owner: \`${EXPECTED_NAME} <${EXPECTED_EMAIL}>\``);
+  lines.push(`- Owner range: \`${OWNER_RANGE}\``);
+  lines.push("");
+  lines.push("## Step Matrix");
+  lines.push("");
+  lines.push("| Step | Status | Command | Details |");
+  lines.push("|---|---|---|---|");
+  for (const step of results) {
+    lines.push(`| ${step.name} | ${step.ok ? "pass" : "fail"} | \`${step.command}\` | ${step.details} |`);
+  }
+  lines.push("");
+  lines.push("## npm Pack Snapshot");
+  lines.push("");
+  lines.push(`- Status: ${packSnapshot.ok ? "pass" : "fail"}`);
+  lines.push(`- Details: ${packSnapshot.details}`);
+  lines.push("");
+
+  if (failed.length === 0 && packSnapshot.ok) {
+    lines.push("## Result");
+    lines.push("");
+    lines.push("Prepublish dry run passed.");
+  } else {
+    lines.push("## Result");
+    lines.push("");
+    lines.push("Prepublish dry run failed.");
+    lines.push("");
+    lines.push("### Failing checks");
+    for (const step of failed) {
+      lines.push(`- ${step.name}`);
+    }
+    if (!packSnapshot.ok) lines.push("- npm pack snapshot");
+  }
+
+  lines.push("");
+  lines.push("## Command Output (Truncated)");
+  lines.push("");
+  for (const step of results) {
+    lines.push(`### ${step.name}`);
+    lines.push("");
+    lines.push("```text");
+    lines.push(trimOutput(step.commandOutput) || "(no output)");
+    lines.push("```");
+    lines.push("");
+  }
+  lines.push("### npm Pack Snapshot");
+  lines.push("");
+  lines.push("```text");
+  lines.push(trimOutput(packSnapshot.output, 4000) || "(no output)");
+  lines.push("```");
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+function main() {
+  const steps = [
+    gitIdentityStep(),
+    ownerAttributionStep(),
+    publicLanguageStep(),
+    markerScanStep(),
+    runNodeStep("Core verification", "scripts/verify-core.js"),
+    runNodeStep("Web verification", "scripts/verify-web.js"),
+    runNodeStep("Install-flow verification", "scripts/verify-install-flow.js"),
+    runNodeStep("Version parity", "scripts/check-version-parity.js", ["--allow-propagation"])
+  ];
+
+  const packSnapshot = npmPackSnapshot();
+  const report = buildReport(steps, packSnapshot);
+
+  mkdirSync(resolve(ROOT, "docs", "release-health"), { recursive: true });
+  writeFileSync(REPORT_PATH, `${report}\n`);
+
+  console.log(`Wrote ${REPORT_PATH}`);
+  const failed = steps.some((step) => !step.ok) || !packSnapshot.ok;
+  if (failed) {
+    process.exitCode = 1;
+  }
+}
+
+main();

package/scripts/setup-wizard.js

@@ -23,7 +23,7 @@ import {
 } from "../lib/token-store.js";
 
 const IS_MACOS = platform() === 'darwin';
-const VERSION = "2.0.0";
+const VERSION = "3.0.0";
 const MIN_NODE_MAJOR = 20;
 const AUTH_TEST_URL = process.env.SLACK_MCP_AUTH_TEST_URL || "https://slack.com/api/auth.test";
 

package/scripts/verify-install-flow.js

@@ -9,10 +9,11 @@ import { fileURLToPath } from "node:url";
 const PKG = "@jtalk22/slack-mcp";
 const repoRoot = join(dirname(fileURLToPath(import.meta.url)), "..");
 const strictPublished = process.argv.includes("--strict-published");
+const PUBLISHED_SPEC = `${PKG}@latest`;
 const localVersion = JSON.parse(readFileSync(join(repoRoot, "package.json"), "utf8")).version;
 
 function runNpx(args, options = {}) {
-  const cmdArgs = ["-y", PKG, ...args];
+  const cmdArgs = ["-y", PUBLISHED_SPEC, ...args];
   const result = spawnSync("npx", cmdArgs, {
     cwd: options.cwd,
     env: options.env,

package/scripts/verify-web.js

@@ -6,7 +6,8 @@
  * 1. Server starts and prints Magic Link
  * 2. /demo.html contains "STATIC PREVIEW" banner
  * 3. /?key=... serves the dashboard (index.html)
- * 4. Server shuts down cleanly
+ * 4. /demo-video.html media assets are reachable
+ * 5. Server shuts down cleanly
  */
 
 import { spawn } from "child_process";
@@ -142,6 +143,45 @@ async function testApiWithKey(apiKey) {
   return true;
 }
 
+async function testDemoVideoAssets() {
+  const demoVideoUrl = `http://localhost:${PORT}/demo-video.html`;
+  const demoVideoRes = await fetch(demoVideoUrl);
+
+  if (!demoVideoRes.ok) {
+    throw new Error(`Failed to fetch demo-video.html: ${demoVideoRes.status}`);
+  }
+
+  const demoVideoHtml = await demoVideoRes.text();
+  const requiredAssetCandidates = [
+    [
+      "/docs/images/demo-poster.png",
+      "https://jtalk22.github.io/slack-mcp-server/docs/images/demo-poster.png",
+    ],
+    [
+      "/docs/videos/demo-claude.webm",
+      "https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-claude.webm",
+    ],
+  ];
+
+  for (const candidates of requiredAssetCandidates) {
+    const matched = candidates.find((candidate) => demoVideoHtml.includes(candidate));
+    if (!matched) {
+      throw new Error(`demo-video.html missing expected media reference: ${candidates.join(" OR ")}`);
+    }
+
+    const assetUrl = matched.startsWith("http")
+      ? matched
+      : `http://localhost:${PORT}${matched}`;
+
+    const assetRes = await fetch(assetUrl);
+    if (!assetRes.ok) {
+      throw new Error(`Demo media not reachable: ${assetUrl} (status ${assetRes.status})`);
+    }
+  }
+
+  return true;
+}
+
 async function main() {
   console.log("╔════════════════════════════════════════╗");
   console.log("║  Web UI Verification Tests             ║");
@@ -192,6 +232,14 @@ async function main() {
     log("PASS: API correctly rejects bad keys");
     results.push(true);
 
+    // Test 5: Demo video/media paths
+    console.log("\n[TEST 5] Demo Video Media Reachability");
+    console.log("─".repeat(40));
+
+    await testDemoVideoAssets();
+    log("PASS: demo-video media assets are reachable");
+    results.push(true);
+
   } catch (err) {
     console.log(`  FAIL: ${err.message}`);
     results.push(false);

package/server.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
+  "name": "io.github.jtalk22/slack-mcp-server",
+  "title": "Slack MCP Server",
+  "description": "Session-based Slack access for Claude: DMs, channels, search, and threads via your Slack session.",
+  "websiteUrl": "https://jtalk22.github.io/slack-mcp-server/public/demo.html",
+  "icons": [
+    {
+      "src": "https://raw.githubusercontent.com/jtalk22/slack-mcp-server/main/docs/assets/icon-512.png",
+      "mimeType": "image/png",
+      "sizes": [
+        "512x512"
+      ]
+    }
+  ],
+  "repository": {
+    "url": "https://github.com/jtalk22/slack-mcp-server",
+    "source": "github"
+  },
+  "version": "3.0.0",
+  "packages": [
+    {
+      "registryType": "npm",
+      "identifier": "@jtalk22/slack-mcp",
+      "version": "3.0.0",
+      "transport": {
+        "type": "stdio"
+      },
+      "environmentVariables": [
+        {
+          "description": "Slack xoxc- token from browser session",
+          "isRequired": false,
+          "format": "string",
+          "isSecret": true,
+          "name": "SLACK_TOKEN"
+        },
+        {
+          "description": "Slack xoxd- cookie from browser session",
+          "isRequired": false,
+          "format": "string",
+          "isSecret": true,
+          "name": "SLACK_COOKIE"
+        }
+      ]
+    }
+  ]
+}

package/smithery.yaml

@@ -0,0 +1,34 @@
+# Smithery configuration for slack-mcp-server
+# https://smithery.ai/docs/build/project-config/smithery-yaml
+
+startCommand:
+  type: stdio
+  configSchema:
+    type: object
+    properties:
+      slackToken:
+        type: string
+        title: "Slack Token"
+        description: "Your xoxc- token from browser session. Optional on macOS (auto-extracted from Chrome)."
+        pattern: "^xoxc-.*$"
+      slackCookie:
+        type: string
+        title: "Slack Cookie"
+        description: "Your xoxd- cookie from browser session. Optional on macOS (auto-extracted from Chrome)."
+        pattern: "^xoxd-.*$"
+      autoRefresh:
+        type: boolean
+        title: "Auto Refresh"
+        description: "Enable automatic token refresh from Chrome (macOS only)"
+        default: true
+    additionalProperties: false
+  commandFunction: |-
+    (config) => ({
+      command: 'node',
+      args: ['src/server.js'],
+      env: {
+        ...(config.slackToken && { SLACK_TOKEN: config.slackToken }),
+        ...(config.slackCookie && { SLACK_COOKIE: config.slackCookie }),
+        ...(config.autoRefresh === false && { SLACK_NO_AUTO_REFRESH: 'true' })
+      }
+    })

package/src/server-http.js

@@ -30,8 +30,51 @@ import {
 } from "../lib/handlers.js";
 
 const SERVER_NAME = "slack-mcp-server";
-const SERVER_VERSION = "2.0.0";
+const SERVER_VERSION = "3.0.0";
 const PORT = process.env.PORT || 3000;
+const HTTP_INSECURE = process.env.SLACK_MCP_HTTP_INSECURE === "1";
+const HTTP_AUTH_TOKEN = process.env.SLACK_MCP_HTTP_AUTH_TOKEN || process.env.SLACK_API_KEY || null;
+const HTTP_ALLOWED_ORIGINS = new Set(
+  String(process.env.SLACK_MCP_HTTP_ALLOWED_ORIGINS || "")
+    .split(",")
+    .map(origin => origin.trim())
+    .filter(Boolean)
+);
+
+function structuredError(code, message, nextAction = null, details = null) {
+  const payload = {
+    status: "error",
+    code,
+    message,
+    next_action: nextAction
+  };
+  if (details) payload.details = details;
+  return payload;
+}
+
+function parseBearerToken(req) {
+  const auth = req.headers?.authorization;
+  if (!auth) return null;
+  const [scheme, token] = String(auth).split(" ");
+  if (scheme?.toLowerCase() !== "bearer" || !token) return null;
+  return token.trim();
+}
+
+function applyCors(req, res) {
+  const origin = String(req.headers?.origin || "");
+  const allowOrigin =
+    HTTP_INSECURE
+      ? "*"
+      : (origin && HTTP_ALLOWED_ORIGINS.has(origin) ? origin : null);
+
+  if (allowOrigin) {
+    res.setHeader("Access-Control-Allow-Origin", allowOrigin);
+    if (allowOrigin !== "*") res.setHeader("Vary", "Origin");
+  }
+  res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+  res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, mcp-session-id");
+  return allowOrigin;
+}
 
 // Create MCP server
 const server = new Server(
@@ -112,12 +155,20 @@ await server.connect(transport);
 
 // Create HTTP server
 const httpServer = http.createServer(async (req, res) => {
-  // CORS headers
-  res.setHeader('Access-Control-Allow-Origin', '*');
-  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, mcp-session-id');
+  const allowOrigin = applyCors(req, res);
 
   if (req.method === 'OPTIONS') {
+    if (!HTTP_INSECURE && req.headers?.origin && !allowOrigin) {
+      res.writeHead(403, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(
+        structuredError(
+          "cors_origin_denied",
+          "CORS origin is not allowed.",
+          "Set SLACK_MCP_HTTP_ALLOWED_ORIGINS to a comma-separated allowlist."
+        )
+      ));
+      return;
+    }
     res.writeHead(204);
     res.end();
     return;
@@ -138,6 +189,33 @@ const httpServer = http.createServer(async (req, res) => {
 
   // MCP endpoint
   if (req.url === '/mcp' || req.url === '/') {
+    if (!HTTP_INSECURE) {
+      if (!HTTP_AUTH_TOKEN) {
+        res.writeHead(503, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(
+          structuredError(
+            "http_auth_token_missing",
+            "HTTP auth token is not configured for /mcp.",
+            "Set SLACK_MCP_HTTP_AUTH_TOKEN (or SLACK_API_KEY), or set SLACK_MCP_HTTP_INSECURE=1 for local testing only."
+          )
+        ));
+        return;
+      }
+
+      const bearer = parseBearerToken(req);
+      if (bearer !== HTTP_AUTH_TOKEN) {
+        res.writeHead(401, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(
+          structuredError(
+            "unauthorized",
+            "Bearer token is invalid for /mcp.",
+            "Provide Authorization: Bearer <SLACK_MCP_HTTP_AUTH_TOKEN>."
+          )
+        ));
+        return;
+      }
+    }
+
     await transport.handleRequest(req, res);
     return;
   }
@@ -149,4 +227,19 @@ const httpServer = http.createServer(async (req, res) => {
 httpServer.listen(PORT, () => {
   console.log(`${SERVER_NAME} v${SERVER_VERSION} HTTP server running on port ${PORT}`);
   console.log(`MCP endpoint: http://localhost:${PORT}/mcp`);
+  if (HTTP_INSECURE) {
+    console.warn("WARNING: SLACK_MCP_HTTP_INSECURE=1 enabled. /mcp is unauthenticated and CORS is wildcard.");
+  } else {
+    if (!HTTP_AUTH_TOKEN) {
+      console.warn("WARNING: SLACK_MCP_HTTP_AUTH_TOKEN is not set. /mcp will reject requests with 503.");
+    } else {
+      console.log("HTTP auth: bearer token required for /mcp");
+    }
+
+    if (HTTP_ALLOWED_ORIGINS.size > 0) {
+      console.log(`CORS allowlist: ${Array.from(HTTP_ALLOWED_ORIGINS).join(", ")}`);
+    } else {
+      console.log("CORS allowlist: none (browser cross-origin requests denied by default)");
+    }
+  }
 });

package/src/server.js

@@ -11,11 +11,12 @@
  * - Network error retry with exponential backoff
  * - Background token health monitoring
  *
- * @version 2.0.0
+ * @version 3.0.0
  */
 
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { pathToFileURL } from "node:url";
 import {
   CallToolRequestSchema,
   ListToolsRequestSchema,
@@ -47,7 +48,7 @@ const BACKGROUND_REFRESH_INTERVAL = 4 * 60 * 60 * 1000;
 
 // Package info
 const SERVER_NAME = "slack-mcp-server";
-const SERVER_VERSION = "2.0.0";
+const SERVER_VERSION = "3.0.0";
 
 // MCP Prompts - predefined prompt templates for common Slack operations
 const PROMPTS = [
@@ -320,10 +321,21 @@ async function main() {
   console.error(`${SERVER_NAME} v${SERVER_VERSION} running`);
 }
 
-main().catch(error => {
-  console.error("Fatal error:", error);
-  process.exit(1);
-});
+function isDirectExecution() {
+  if (!process.argv[1]) return false;
+  try {
+    return import.meta.url === pathToFileURL(process.argv[1]).href;
+  } catch {
+    return false;
+  }
+}
+
+if (isDirectExecution()) {
+  main().catch(error => {
+    console.error("Fatal error:", error);
+    process.exit(1);
+  });
+}
 
 /**
  * Smithery sandbox server for capability scanning

package/src/web-server.js

@@ -5,7 +5,7 @@
  * Exposes Slack MCP tools as REST endpoints for browser access.
  * Run alongside or instead of the MCP server for web-based access.
  *
- * @version 2.0.0
+ * @version 3.0.0
  */
 
 import express from "express";
@@ -66,6 +66,8 @@ const API_KEY = getOrCreateAPIKey();
 // Middleware
 app.use(express.json());
 app.use(express.static(join(__dirname, "../public")));
+// Keep /docs URL compatibility for demo media and documentation links.
+app.use("/docs", express.static(join(__dirname, "../docs")));
 
 // CORS - restricted to localhost for security
 // Using * would allow any website to make requests to your local server
@@ -132,7 +134,7 @@ function extractContent(result) {
 app.get("/", (req, res) => {
   res.json({
     name: "Slack Web API Server",
-    version: "2.0.0",
+    version: "3.0.0",
     status: "ok",
     code: "ok",
     message: "Web API server is running.",
@@ -333,7 +335,7 @@ async function main() {
   app.listen(PORT, '127.0.0.1', () => {
     // Print to stderr to keep logs clean (stdout reserved for JSON in some setups)
     console.error(`\n${"═".repeat(60)}`);
-    console.error(`  Slack Web API Server v2.0.0`);
+    console.error(`  Slack Web API Server v3.0.0`);
     console.error(`${"═".repeat(60)}`);
     console.error(`\n  Dashboard: http://localhost:${PORT}/?key=${API_KEY}`);
     console.error(`\n  API Key:   ${API_KEY}`);