@jtalk22/slack-mcp 4.0.0 → 4.1.0

package/README.md

@@ -10,11 +10,13 @@ Give your AI agent full Slack access. No app registration, no admin approval, no
 npx -y @jtalk22/slack-mcp --setup
 ```
 
-![demo](docs/images/demo-readme.gif)
+[![Slack MCP Server Demo](docs/images/demo-poster.png)](https://jtalk22.github.io/slack-mcp-server/public/demo-video.html)
 
-> **Ask Claude to catch you up on #engineering from the last 24 hours.** Search for that deployment thread from last week. Find every message mentioning the API key. Send a reply. All from your editor.
+**[▶ Watch the demo](https://jtalk22.github.io/slack-mcp-server/public/demo-video.html)** — 7 scenarios, from 47 unreads to inbox zero, without opening Slack.
 
-[Interactive demo](https://jtalk22.github.io/slack-mcp-server/public/demo.html) · [Latest release](https://github.com/jtalk22/slack-mcp-server/releases/latest)
+> **Ask your AI to catch you up on #engineering from the last 24 hours.** Search for that deployment thread from last week. Find the printer admin PIN nobody can remember. Send a reply. All from your editor.
+
+[Interactive demo](https://jtalk22.github.io/slack-mcp-server/public/demo-slack-mcp.html) · [Latest release](https://github.com/jtalk22/slack-mcp-server/releases/latest)
 
 ## Why This Exists
 
@@ -22,7 +24,90 @@ Slack's official MCP server requires a registered app, admin approval, and [does
 
 This server uses your browser's session tokens instead. If you can see it in Slack, your AI agent can see it too. No app install, no scopes, no admin.
 
-![OAuth vs Session](docs/images/diagram-oauth-comparison.svg)
+**Stealth Mode:** Session tokens leave zero footprint in your workspace admin panel. No bot user appears, no app install shows up, no audit trail. Your AI agent operates with the same invisibility as your browser tab.
+
+![OAuth vs Chrome DB Decryption](docs/images/diagram-oauth-comparison.svg)
+
+|  | Slack Official MCP | This Server |
+|---|---|---|
+| OAuth app required | Yes | **No** |
+| Admin approval | Yes | **No** |
+| Works with Claude Code | No (DCR incompatible) | **Yes** |
+| Works with Cursor | No | **Yes** |
+| Works with Copilot | No | **Yes** |
+| Works with Windsurf | No | **Yes** |
+| Works with Gemini CLI | No | **Yes** |
+| Works with Codex CLI | No | **Yes** |
+| Setup time | ~30 min | **~2 min** |
+| Tools | Limited | **16** |
+| Visible to admins | Yes | **No — Stealth Mode** |
+
+## Quick Start per Client
+
+<details>
+<summary><strong>Claude Desktop / Claude Code</strong></summary>
+
+Add to `~/.claude.json` or Claude Desktop settings:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Cursor</strong></summary>
+
+Add to `.cursor/mcp.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Windsurf</strong></summary>
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Gemini CLI</strong></summary>
+
+Add to `~/.gemini/settings.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Codex CLI</strong></summary>
+
+Add to `~/.codex/config.toml`:
+```toml
+[mcp_servers.slack]
+command = "npx"
+args = ["-y", "@jtalk22/slack-mcp"]
+```
+
+Or via CLI: `codex mcp add slack -- npx -y @jtalk22/slack-mcp`
+</details>
 
 ## Tools
 
@@ -145,13 +230,7 @@ On macOS, tokens are auto-extracted from Chrome — `env` block is optional.
 <details>
 <summary><strong>Claude Web / Remote MCP</strong></summary>
 
-For browser-based clients that can't run local processes, use the hosted HTTP endpoint:
-
-```
-https://mcp.revasserlabs.com/oauth/mcp
-```
-
-Add this as a remote MCP server in your client's settings. Transport: Streamable HTTP. Auth: OAuth 2.1 + PKCE.
+Hosted version with permanent OAuth tokens coming soon. See [mcp.revasserlabs.com](https://mcp.revasserlabs.com) for updates.
 
 </details>
 
@@ -247,4 +326,4 @@ Not affiliated with Slack Technologies, Inc. Uses browser session credentials
 
 ---
 
-Managed hosting available — [mcp.revasserlabs.com](https://mcp.revasserlabs.com)
+Hosted version with semantic search, AI summaries, and permanent OAuth — coming soon at [mcp.revasserlabs.com](https://mcp.revasserlabs.com)

package/docs/SETUP.md

@@ -1,40 +1,8 @@
 # Setup Guide
 
-## Cloud
+## Hosted (Coming Soon)
 
-Use **Slack MCP Cloud** when you want a managed endpoint rather than local token handling:
-
-1. Go to [Slack MCP Cloud](https://mcp.revasserlabs.com) and purchase a plan ($19/mo Solo, $49/mo Team)
-2. After checkout, you'll receive an API key and ready-to-paste config for Claude Desktop / Claude Code
-3. Use the hosted endpoint and API key — one URL, 15 managed tools. Team adds 3 AI workflows.
-
-**Claude Desktop config (Cloud):**
-```json
-{
-  "mcpServers": {
-    "slack": {
-      "url": "https://mcp.revasserlabs.com/oauth/mcp"
-    }
-  }
-}
-```
-
-**Claude Code config (Cloud):**
-```json
-{
-  "mcpServers": {
-    "slack": {
-      "type": "sse",
-      "url": "https://mcp.revasserlabs.com/mcp",
-      "headers": {
-        "Authorization": "Bearer YOUR_API_KEY"
-      }
-    }
-  }
-}
-```
-
-If you prefer self-hosting, continue below.
+A hosted version with permanent OAuth tokens, semantic search, and AI summaries is in development at [mcp.revasserlabs.com](https://mcp.revasserlabs.com). The current release is self-hosted only — continue below.
 
 ---
 

package/docs/TROUBLESHOOTING.md

@@ -29,31 +29,9 @@ If `--version` fails here, the issue is install/runtime path, not Slack credenti
 
 ---
 
-## Cloud Issues
+## Hosted Version
 
-### API Key Not Working
-
-**Symptom:** `401 Unauthorized` or `403 Forbidden` when using Cloud endpoint.
-
-**Solutions:**
-1. Verify your API key starts with `stmh_` (team) or `smsh_` (solo)
-2. Check the key hasn't been revoked — contact support@revasserlabs.com for key issues
-3. Ensure you're using the correct endpoint: `https://mcp.revasserlabs.com/mcp`
-
-### Cloud Tools Not Available
-
-**Symptom:** Only seeing fewer tools than expected.
-
-**Cause:** AI compound tools (`slack_channel_summary`, `slack_extract_action_items`, `slack_find_decisions`) are Team plan only ($49/mo).
-
-**Solution:** Upgrade to Team plan for AI compound tools, or use the 15 standard managed tools available on all Cloud plans.
-
-### Cloud Endpoint Health Check
-
-```bash
-curl -s https://mcp.revasserlabs.com/health | jq .
-# Expected: {"status":"healthy","server":"slack-mcp-hosted","version":"0.5.0"}
-```
+A hosted version with permanent OAuth tokens, semantic search, and AI summaries is coming soon at [mcp.revasserlabs.com](https://mcp.revasserlabs.com). The current release is self-hosted only.
 
 ---
 

package/lib/handlers.js

@@ -216,7 +216,7 @@ export async function handleRefreshTokens() {
       code: extractionError.code,
       message: extractionError.message,
       detail: extractionError.detail,
-      next_action: "In Chrome: View > Developer > Allow JavaScript from Apple Events, then retry."
+      next_action: "In Chrome: View > Developer > Allow JavaScript from Apple Events, then retry. (Only needed for token — cookie is extracted from Chrome's database automatically.)"
     }, true);
   }
 

package/lib/public-pages.js

@@ -15,7 +15,7 @@ const ICON_URL = `${GITHUB_PAGES_ROOT}/docs/assets/icon-512.png`;
 const NPM_URL = "https://www.npmjs.com/package/@jtalk22/slack-mcp";
 const RELEASES_URL = `${PUBLIC_METADATA.canonicalRepoUrl}/releases/latest`;
 const SETUP_URL = `${PUBLIC_METADATA.canonicalRepoUrl}/blob/main/docs/SETUP.md`;
-const DEMO_VIDEO_URL = `${GITHUB_PAGES_ROOT}/docs/videos/demo-claude-mobile-20s.mp4`;
+const DEMO_VIDEO_URL = `${GITHUB_PAGES_ROOT}/docs/videos/demo-slack-mcp-mobile-20s.mp4`;
 
 function template(name) {
   return readFileSync(resolve(TEMPLATE_DIR, name), "utf8");
@@ -58,28 +58,28 @@ function shareLinks() {
       <a href="${GITHUB_PAGES_ROOT}/" rel="noopener">Autoplay Demo Landing</a>
       <a href="${DEMO_VIDEO_URL}" rel="noopener">20s Mobile Clip</a>
       <a href="${NPM_URL}" rel="noopener">npm Package</a>
-      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
     `.trim();
 }
 
 function shareNote() {
-  return `<strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Managed hosting available at <a href="${PUBLIC_METADATA.canonicalSiteUrl}">mcp.revasserlabs.com</a>.`;
+  return `<strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Hosted version coming soon at <a href="${PUBLIC_METADATA.canonicalSiteUrl}">mcp.revasserlabs.com</a>.`;
 }
 
 function demoLinks() {
   return `
-      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
       <a href="${NPM_URL}" target="_blank" rel="noopener noreferrer">npm Install</a>
       <a href="${SETUP_URL}" target="_blank" rel="noopener noreferrer">Setup Guide</a>
     `.trim();
 }
 
 function demoNote() {
-  return `Self-host free for ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf, and any other MCP client. No OAuth app, no admin approval. Managed hosting available at <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer">mcp.revasserlabs.com</a>.`;
+  return `Self-host free for ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf, and any other MCP client. No OAuth app, no admin approval. Hosted version coming soon at <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer">mcp.revasserlabs.com</a>.`;
 }
 
 function demoFooterLinks() {
-  return `<a href="${PUBLIC_METADATA.canonicalRepoUrl}">GitHub</a> · <a href="${NPM_URL}" style="color:#94a3b8;text-decoration:none;font-size:0.875rem">npm</a> · <a href="${PUBLIC_METADATA.canonicalSiteUrl}" style="color:#f0c246;text-decoration:none;font-size:0.875rem">Cloud</a>`;
+  return `<a href="${PUBLIC_METADATA.canonicalRepoUrl}">GitHub</a> · <a href="${NPM_URL}" style="color:#94a3b8;text-decoration:none;font-size:0.875rem">npm</a> · <a href="${PUBLIC_METADATA.canonicalSiteUrl}" style="color:#f0c246;text-decoration:none;font-size:0.875rem">Hosted</a>`;
 }
 
 function commonTokens() {
@@ -113,10 +113,10 @@ function commonTokens() {
     SELF_HOSTED_TOOL_COUNT: String(PUBLIC_METADATA.selfHostedToolCount),
     CLOUD_MANAGED_TOOL_COUNT: "15",
     TEAM_AI_WORKFLOW_COUNT: "3",
-    CLOUD_SOLO_PRICE: "$19/mo",
-    CLOUD_TEAM_PRICE: "$49/mo",
-    CLOUD_TURNKEY_LAUNCH_PRICE: "$2.5k+",
-    CLOUD_MANAGED_RELIABILITY_PRICE: "$800/mo+",
+    CLOUD_SOLO_PRICE: "coming soon",
+    CLOUD_TEAM_PRICE: "coming soon",
+    CLOUD_TURNKEY_LAUNCH_PRICE: "contact us",
+    CLOUD_MANAGED_RELIABILITY_PRICE: "contact us",
     SUPPORT_EMAIL: PUBLIC_METADATA.supportEmail,
     ROOT_DECISION_PANEL: rootDecisionPanel(),
     SHARE_LINKS: shareLinks(),
@@ -134,6 +134,6 @@ export function buildPublicPages() {
     "public/share.html": replaceTokens(template("share.html.tpl"), tokens),
     "public/demo.html": replaceTokens(template("demo.html.tpl"), tokens),
     "public/demo-video.html": replaceTokens(template("demo-video.html.tpl"), tokens),
-    "public/demo-claude.html": replaceTokens(template("demo-claude.html.tpl"), tokens),
+    "public/demo-slack-mcp.html": replaceTokens(template("demo-slack-mcp.html.tpl"), tokens),
   };
 }

package/lib/token-store.js

@@ -8,10 +8,11 @@
  * 4. Chrome auto-extraction (fallback)
  */
 
-import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync } from "fs";
-import { homedir, platform } from "os";
+import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync } from "fs";
+import { homedir, platform, tmpdir } from "os";
 import { join } from "path";
-import { execSync, execFileSync } from "child_process";
+import { execFileSync } from "child_process";
+import { pbkdf2Sync, createDecipheriv } from "crypto";
 
 const TOKEN_FILE = join(homedir(), ".slack-mcp-tokens.json");
 const KEYCHAIN_SERVICE = "slack-mcp-server";
@@ -102,32 +103,31 @@ export function saveToFile(token, cookie) {
 
 // Multiple localStorage paths Slack might use (for robustness)
 const SLACK_TOKEN_PATHS = [
-  // Current known path
   `JSON.parse(localStorage.localConfig_v2).teams[Object.keys(JSON.parse(localStorage.localConfig_v2).teams)[0]].token`,
-  // Potential future paths
   `JSON.parse(localStorage.localConfig_v3).teams[Object.keys(JSON.parse(localStorage.localConfig_v3).teams)[0]].token`,
-  // Redux store path (older Slack)
   `JSON.parse(localStorage.getItem('reduxPersist:localConfig'))?.teams?.[Object.keys(JSON.parse(localStorage.getItem('reduxPersist:localConfig'))?.teams || {})[0]]?.token`,
-  // Direct boot data
   `window.boot_data?.api_token`,
 ];
 
+// Chrome profile directories to search (in priority order)
+const CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3'];
+
 function normalizeExtractionError(error) {
   const raw = String(error?.message || error || "");
 
   if (raw.includes("Executing JavaScript through AppleScript is turned off")) {
     return {
       code: "apple_events_javascript_disabled",
-      message: "Chrome blocked JavaScript execution from Apple Events.",
-      detail: "Enable it in Chrome: View > Developer > Allow JavaScript from Apple Events."
+      message: "Chrome needs one setting enabled for token extraction.",
+      detail: "In Chrome: View > Developer > Allow JavaScript from Apple Events. Cookie extraction works without this — only the token needs it."
     };
   }
 
   if (raw.includes("Application isn't running") || raw.includes("Google Chrome got an error")) {
     return {
       code: "chrome_not_ready",
-      message: "Chrome is not ready for token extraction.",
-      detail: "Open Google Chrome with an active Slack tab at app.slack.com."
+      message: "Chrome is not running or has no windows open.",
+      detail: "Open Google Chrome with a Slack tab at app.slack.com."
     };
   }
 
@@ -139,6 +139,14 @@ function normalizeExtractionError(error) {
     };
   }
 
+  if (raw.includes("Chrome Safe Storage")) {
+    return {
+      code: "keychain_access_denied",
+      message: "Could not access Chrome's encryption key in Keychain.",
+      detail: "You may need to allow terminal access in System Settings > Privacy > Full Disk Access."
+    };
+  }
+
   return {
     code: "chrome_extraction_failed",
     message: "Chrome token extraction failed.",
@@ -147,13 +155,133 @@ function normalizeExtractionError(error) {
 }
 
 /**
- * Extract tokens from Chrome (macOS only, uses AppleScript)
- * Returns null on non-macOS platforms
+ * Extract the Slack session cookie from Chrome's encrypted cookie database.
+ * The `d` cookie is HttpOnly — JavaScript cannot access it via document.cookie.
+ * This reads Chrome's SQLite cookie store and decrypts using the Keychain-stored key.
+ */
+function extractCookieFromChromeDB() {
+  const chromeBase = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+
+  // Find the first profile with a Slack d cookie
+  for (const profile of CHROME_PROFILES) {
+    const cookiesPath = join(chromeBase, profile, 'Cookies');
+    if (!existsSync(cookiesPath)) continue;
+
+    // Copy DB to temp location (Chrome holds a WAL lock on the original)
+    const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
+    const tmpDb = join(tmpDir, 'Cookies');
+    try {
+      copyFileSync(cookiesPath, tmpDb);
+
+      // Query for the encrypted d cookie
+      const queryResult = execFileSync('sqlite3', [
+        tmpDb,
+        "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
+      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+
+      // Clean up temp files
+      try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+
+      if (!queryResult) continue;
+
+      // Convert hex back to buffer
+      const encrypted = Buffer.from(queryResult, 'hex');
+      if (encrypted.length < 4) continue;
+
+      // Get Chrome Safe Storage password from Keychain
+      const safeStoragePassword = execFileSync('security', [
+        'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
+      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+
+      // Chrome macOS cookies: v10 prefix + AES-128-CBC
+      const prefix = encrypted.subarray(0, 3).toString('utf-8');
+      if (prefix !== 'v10') continue;
+
+      const ciphertext = encrypted.subarray(3);
+
+      // Derive key: PBKDF2-SHA1, 1003 iterations, salt 'saltysalt', 16-byte key
+      const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
+      const iv = Buffer.alloc(16, ' '); // 16 space characters
+
+      const decipher = createDecipheriv('aes-128-cbc', key, iv);
+      let decrypted;
+      try {
+        decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+      } catch {
+        continue; // Decryption failed for this profile, try next
+      }
+
+      // Find xoxd- in decrypted data (Chrome prepends internal metadata bytes)
+      const text = decrypted.toString('utf-8');
+      const xoxdIndex = text.indexOf('xoxd-');
+      if (xoxdIndex < 0) continue;
+
+      return text.substring(xoxdIndex);
+    } catch (e) {
+      // Clean up on error and try next profile
+      try { unlinkSync(tmpDb); } catch {}
+      try { unlinkSync(tmpDir); } catch {}
+      continue;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Extract Slack token from Chrome via AppleScript (reads localStorage).
+ * Uses strict URL matching to avoid hitting non-Slack tabs.
+ */
+function extractTokenFromChrome() {
+  // Prefer /client URLs (active workspace), fall back to any app.slack.com
+  const urlChecks = [
+    'URL of t starts with "https://app.slack.com/client"',
+    'URL of t starts with "https://app.slack.com"',
+  ];
+
+  const tokenPathsJS = SLACK_TOKEN_PATHS.map((path, i) =>
+    `try { var t${i} = ${path}; if (t${i} && t${i}.startsWith('xoxc-')) return t${i}; } catch(e) {}`
+  ).join(' ');
+
+  for (const urlCheck of urlChecks) {
+    try {
+      const script = `tell application "Google Chrome"
+  repeat with w in windows
+    repeat with t in tabs of w
+      if ${urlCheck} then
+        return execute t javascript "(function() { ${tokenPathsJS} return ''; })()"
+      end if
+    end repeat
+  end repeat
+  return ""
+end tell`;
+
+      const token = execFileSync('osascript', ['-e', script], {
+        encoding: 'utf-8', timeout: 8000
+      }).trim();
+
+      if (token && token.startsWith('xoxc-')) return token;
+    } catch {
+      continue;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Extract tokens from Chrome (macOS only).
+ *
+ * Token: AppleScript executes JS in Chrome to read localStorage (requires
+ *   "Allow JavaScript from Apple Events" in Chrome > View > Developer).
+ * Cookie: Reads Chrome's encrypted SQLite cookie database directly. The `d`
+ *   session cookie is HttpOnly and cannot be accessed via document.cookie.
+ *   Decryption uses the Chrome Safe Storage key from macOS Keychain.
  */
 function extractFromChromeInternal() {
   lastExtractionError = null;
+
   if (!IS_MACOS) {
-    // AppleScript/osascript is macOS-only
     lastExtractionError = {
       code: "unsupported_platform",
       message: "Chrome auto-extraction is only available on macOS.",
@@ -162,68 +290,51 @@ function extractFromChromeInternal() {
     return null;
   }
 
+  // Extract cookie from Chrome's encrypted cookie database
+  let cookie;
   try {
-    // Extract cookie
-    const cookieScript = `
-      tell application "Google Chrome"
-        repeat with w in windows
-          repeat with t in tabs of w
-            if URL of t contains "slack.com" then
-              return execute t javascript "document.cookie.split('; ').find(c => c.startsWith('d='))?.split('=')[1] || ''"
-            end if
-          end repeat
-        end repeat
-        return ""
-      end tell
-    `;
-    const cookie = execSync(`osascript -e '${cookieScript.replace(/'/g, "'\"'\"'")}'`, {
-      encoding: 'utf-8', timeout: 5000
-    }).trim();
-
-    if (!cookie || !cookie.startsWith('xoxd-')) {
-      lastExtractionError = {
-        code: "cookie_not_found",
-        message: "Could not extract Slack cookie from Chrome.",
-        detail: "Ensure a logged-in Slack tab is open at app.slack.com."
-      };
-      return null;
-    }
+    cookie = extractCookieFromChromeDB();
+  } catch (e) {
+    lastExtractionError = normalizeExtractionError(e);
+    return null;
+  }
+
+  if (!cookie) {
+    lastExtractionError = {
+      code: "cookie_not_found",
+      message: "Could not extract Slack session cookie from Chrome.",
+      detail: "Ensure you are logged into Slack at app.slack.com in Chrome."
+    };
+    return null;
+  }
 
-    // Try multiple token extraction paths
-    const tokenPathsJS = SLACK_TOKEN_PATHS.map((path, i) =>
-      `try { var t${i} = ${path}; if (t${i}?.startsWith('xoxc-')) return t${i}; } catch(e) {}`
-    ).join(' ');
-
-    const tokenScript = `
-      tell application "Google Chrome"
-        repeat with w in windows
-          repeat with t in tabs of w
-            if URL of t contains "slack.com" then
-              return execute t javascript "(function() { ${tokenPathsJS} return ''; })()"
-            end if
-          end repeat
-        end repeat
-        return ""
-      end tell
-    `;
-    const token = execSync(`osascript -e '${tokenScript.replace(/'/g, "'\"'\"'")}'`, {
-      encoding: 'utf-8', timeout: 5000
-    }).trim();
-
-    if (!token || !token.startsWith('xoxc-')) {
+  // Extract token via AppleScript (localStorage)
+  let token;
+  try {
+    token = extractTokenFromChrome();
+  } catch (e) {
+    lastExtractionError = normalizeExtractionError(e);
+    // If we got the cookie but not the token, give a specific error
+    if (cookie && !token) {
       lastExtractionError = {
-        code: "token_not_found",
-        message: "Could not extract Slack token from Chrome.",
-        detail: "Refresh Slack in Chrome and retry extraction."
+        code: "apple_events_javascript_disabled",
+        message: "Cookie extracted, but token extraction requires a Chrome setting.",
+        detail: "In Chrome: View > Developer > Allow JavaScript from Apple Events. Then retry."
       };
-      return null;
     }
+    return null;
+  }
 
-    return { token, cookie };
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
+  if (!token) {
+    lastExtractionError = {
+      code: "token_not_found",
+      message: "Could not extract Slack token from Chrome.",
+      detail: "Ensure a Slack workspace is open in Chrome (not just the landing page). If Chrome blocks AppleScript, enable View > Developer > Allow JavaScript from Apple Events."
+    };
     return null;
   }
+
+  return { token, cookie };
 }
 
 /**

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@jtalk22/slack-mcp",
   "mcpName": "io.github.jtalk22/slack-mcp-server",
-  "version": "4.0.0",
-  "description": "Slack MCP server. Session-based auth, 16 tools, stdio transport. Works with any MCP client.",
+  "version": "4.1.0",
+  "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "type": "module",
   "main": "src/server.js",
   "bin": {
@@ -30,6 +30,7 @@
     "build:demo-mobile:gif": "node scripts/build-mobile-demo.js --gif",
     "record-demo": "node scripts/record-demo.js",
     "social-preview:update": "node scripts/update-github-social-preview.js --headed",
+    "bookmarklet": "node scripts/generate-bookmarklet.js",
     "cf:browser": "node scripts/cloudflare-browser-tool.js",
     "verify:attribution-guardrail": "node scripts/verify-attribution-guardrail.js",
     "verify:public-pages": "node scripts/verify-generated-public-pages.js",
@@ -61,7 +62,14 @@
     "slack-integration",
     "ai-agents",
     "automation",
-    "productivity"
+    "productivity",
+    "oauth-free",
+    "no-admin-approval",
+    "cursor",
+    "copilot",
+    "windsurf",
+    "codex-cli",
+    "stealth-mode"
   ],
   "author": {
     "name": "Revasser",

package/public/index.html

@@ -255,7 +255,7 @@
   <div class="container">
     <h1>Slack Web API <span id="status" class="status"></span></h1>
     <div style="background:rgba(240,194,70,0.08);border:1px solid rgba(240,194,70,0.2);border-radius:8px;padding:8px 14px;margin-bottom:16px;display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:8px;font-size:13px;color:#d4c48a">
-      <span>Skip local setup? <strong style="color:#f0c246">Slack MCP Cloud</strong> gives you 15 managed tools with one URL. Team adds 3 AI workflows.</span>
+      <span>Hosted version coming soon — <strong style="color:#f0c246">permanent OAuth, semantic search, AI summaries</strong></span>
       <a href="https://mcp.revasserlabs.com" style="color:#f0c246;font-weight:600;text-decoration:none;white-space:nowrap" target="_blank">Learn more &rarr;</a>
     </div>
     <div class="grid">

package/public/share.html

@@ -4,17 +4,17 @@
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>Slack MCP Server</title>
-  <meta name="description" content="Session-based Slack MCP for Claude. Self-host locally or use the managed Cloud path with Gemini CLI support, pricing, security/procurement review, deployment review, and hosted credentials.">
+  <meta name="description" content="No OAuth. No admin. 16 Slack tools for Claude, Cursor, Copilot, Gemini, and any MCP client. One command: npx -y @jtalk22/slack-mcp --setup">
   <meta property="og:type" content="website">
-  <meta property="og:title" content="Slack MCP Server">
-  <meta property="og:description" content="Session-based Slack MCP for Claude. Self-host 16 tools for free or use Cloud for 15 managed tools, Gemini CLI support, security/procurement review, deployment review, and support.">
+  <meta property="og:title" content="Slack MCP Server — No OAuth, no admin, just your browser session">
+  <meta property="og:description" content="Slack's official MCP needs OAuth + admin. This one uses your browser session. 16 tools, works with Claude, Cursor, Copilot, Gemini.">
   <meta property="og:url" content="https://jtalk22.github.io/slack-mcp-server/public/share.html">
   <meta property="og:image" content="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png">
   <meta property="og:image:width" content="1280">
   <meta property="og:image:height" content="640">
   <meta name="twitter:card" content="summary_large_image">
-  <meta name="twitter:title" content="Slack MCP Server">
-  <meta name="twitter:description" content="Session-based Slack MCP for Claude. Self-host 16 tools for free or use Cloud for 15 managed tools, Gemini CLI support, security/procurement review, deployment review, and support.">
+  <meta name="twitter:title" content="Slack MCP Server — No OAuth, no admin, just your browser session">
+  <meta name="twitter:description" content="16 tools for Claude, Cursor, Copilot, Gemini. npx -y @jtalk22/slack-mcp --setup">
   <meta name="twitter:image" content="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png">
   <link rel="icon" href="https://jtalk22.github.io/slack-mcp-server/docs/assets/icon-512.png" type="image/png">
   <style>
@@ -107,7 +107,7 @@
 <body>
   <main class="wrap">
     <h1>Slack MCP Server</h1>
-    <p class="sub">Give Claude full access to your Slack. Self-host 16 tools for free, or use Cloud for 15 managed tools, Gemini CLI support, hosted credentials, rollout support, and buyer-facing security review.</p>
+    <p class="sub">Give Claude full access to your Slack. Self-host 16 tools for free. Hosted version with semantic search, AI summaries, and permanent OAuth coming soon.</p>
 
     <a class="preview" href="https://github.com/jtalk22/slack-mcp-server" rel="noopener">
       <img src="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png" alt="Slack MCP Server social preview card">
@@ -118,12 +118,12 @@
       <a href="https://github.com/jtalk22/slack-mcp-server/blob/main/docs/SETUP.md" rel="noopener">Verify (`--version/--doctor/--status`)</a>
       <a href="https://github.com/jtalk22/slack-mcp-server/releases/latest" rel="noopener">Latest Release</a>
       <a href="https://jtalk22.github.io/slack-mcp-server/" rel="noopener">Autoplay Demo Landing</a>
-      <a href="https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-claude-mobile-20s.mp4" rel="noopener">20s Mobile Clip</a>
+      <a href="https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-slack-mcp-mobile-20s.mp4" rel="noopener">20s Mobile Clip</a>
       <a href="https://www.npmjs.com/package/@jtalk22/slack-mcp" rel="noopener">npm Package</a>
-      <a href="https://mcp.revasserlabs.com" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="https://mcp.revasserlabs.com" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
     </div>
 
-    <p class="note"><strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives 16 tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Managed hosting available at <a href="https://mcp.revasserlabs.com">mcp.revasserlabs.com</a>.</p>
+    <p class="note"><strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives 16 tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Hosted version coming soon at <a href="https://mcp.revasserlabs.com">mcp.revasserlabs.com</a>.</p>
   </main>
 </body>
 </html>

package/scripts/setup-wizard.js

@@ -131,10 +131,18 @@ async function runMacOSSetup(rl) {
     }
     print();
     if (extractionError?.code === "apple_events_javascript_disabled") {
-      print("Fix and retry:");
-      print("  1. In Chrome menu: View > Developer > Allow JavaScript from Apple Events");
-      print("  2. Keep Slack open in a Chrome tab (app.slack.com)");
-      print("  3. Re-run: npx -y @jtalk22/slack-mcp --setup");
+      print();
+      printBox([
+        "Chrome needs one setting enabled (one-time only):",
+        "",
+        "1. Open Chrome",
+        "2. Menu bar: View → Developer → Allow JavaScript",
+        "   from Apple Events  ✓",
+        "3. Run this command again",
+      ], 55);
+      print();
+      print("Once enabled, --setup extracts tokens automatically.");
+      print("No DevTools, no copy-paste, just one command.");
     } else {
       print("Make sure:");
       print("  1. Chrome is running");
@@ -180,42 +188,83 @@ async function runManualSetup(rl) {
   print();
   if (IS_MACOS) {
     info("Switching to manual token entry...");
+    info("Note: On macOS, the session cookie can be extracted automatically.");
   } else {
     info(`Detected platform: ${platform()}`);
     warn("Auto-extraction not available on this platform.");
   }
+
+  const consoleHotkey = IS_MACOS ? "Cmd+Option+J" : "Ctrl+Shift+J";
+  // Token-only one-liner (cookie is HttpOnly and cannot be read via document.cookie)
+  const oneLiner = `copy(JSON.parse(localStorage.localConfig_v2).teams[Object.keys(JSON.parse(localStorage.localConfig_v2).teams)[0]].token)`;
+
   print();
-  print("Follow these steps to extract tokens from Chrome:");
-  print();
-  print(`${colors.bold}Step 1:${colors.reset} Open Chrome and navigate to your Slack workspace`);
-  print("         https://app.slack.com");
+  print(`${colors.bold}Quick extract (recommended):${colors.reset}`);
   print();
-  print(`${colors.bold}Step 2:${colors.reset} Press F12 to open DevTools`);
+  print(`  1. Open Chrome → ${colors.cyan}app.slack.com${colors.reset} (must be logged in)`);
+  print(`  2. Press ${colors.cyan}${consoleHotkey}${colors.reset} to open the Console`);
+  print(`  3. Paste this one-liner and press Enter:`);
   print();
-  print(`${colors.bold}Step 3:${colors.reset} Go to the ${colors.cyan}Console${colors.reset} tab and paste this:`);
+  printBox([oneLiner], oneLiner.length + 4);
   print();
-  printBox([
-    "JSON.parse(localStorage.localConfig_v2).teams[",
-    "  Object.keys(JSON.parse(localStorage.localConfig_v2)",
-    "  .teams)[0]].token",
-  ], 55);
+  print(`  4. Your token is now on the clipboard. Paste below.`);
+  if (IS_MACOS) {
+    print(`  ${colors.dim}(Cookie will be extracted automatically from Chrome)${colors.reset}`);
+  }
   print();
-  print(`         Copy the token (starts with ${colors.cyan}xoxc-${colors.reset})`);
+  print(`${colors.dim}(Or paste a JSON object with token+cookie, or a raw xoxc- token)${colors.reset}`);
   print();
 
-  const token = await question(rl, `${colors.bold}Paste your token:${colors.reset} `);
+  const input = await question(rl, `${colors.bold}Paste token:${colors.reset} `);
+  const trimmed = input.trim();
 
-  if (!token.startsWith('xoxc-')) {
-    error("Invalid token. Token should start with 'xoxc-'");
-    return false;
+  let token, cookie;
+
+  // Try JSON parse first (legacy one-liner output or manual JSON)
+  if (trimmed.startsWith('{')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (parsed.token) token = parsed.token;
+      if (parsed.cookie) cookie = parsed.cookie;
+    } catch (_) {
+      // Not valid JSON — fall through to raw token
+    }
   }
 
-  print();
-  print(`${colors.bold}Step 4:${colors.reset} Go to ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → slack.com`);
-  print(`         Find the '${colors.cyan}d${colors.reset}' cookie and copy its value`);
-  print();
+  // Treat as raw token
+  if (!token) {
+    token = trimmed;
+    if (!token.startsWith('xoxc-')) {
+      error("Invalid input. Expected a token starting with 'xoxc-'");
+      return false;
+    }
+  }
+
+  // On macOS, try to extract cookie from Chrome's cookie database automatically
+  if (!cookie && IS_MACOS) {
+    print();
+    print("Extracting session cookie from Chrome...");
+    const chromeTokens = extractFromChrome();
+    if (chromeTokens?.cookie) {
+      cookie = chromeTokens.cookie;
+      success("Cookie extracted from Chrome automatically");
+    } else {
+      warn("Could not extract cookie automatically.");
+      print(`  Paste the cookie manually. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+      print();
+      const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+      cookie = cookieInput.trim();
+    }
+  }
 
-  const cookie = await question(rl, `${colors.bold}Paste your cookie:${colors.reset} `);
+  // Non-macOS: always ask for cookie
+  if (!cookie) {
+    print();
+    print(`Paste the cookie. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+    print();
+    const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+    cookie = cookieInput.trim();
+  }
 
   if (!cookie.startsWith('xoxd-')) {
     error("Invalid cookie. Cookie should start with 'xoxd-'");

package/server.json

@@ -2,7 +2,7 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.jtalk22/slack-mcp-server",
   "title": "Slack MCP Server",
-  "description": "Slack MCP server. Session-based auth, 16 tools, stdio transport. Works with any MCP client.",
+  "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "websiteUrl": "https://mcp.revasserlabs.com",
   "icons": [
     {
@@ -17,7 +17,7 @@
     "url": "https://github.com/jtalk22/slack-mcp-server",
     "source": "github"
   },
-  "version": "4.0.0",
+  "version": "4.1.0",
   "remotes": [
     {
       "type": "streamable-http",
@@ -28,7 +28,7 @@
     {
       "registryType": "npm",
       "identifier": "@jtalk22/slack-mcp",
-      "version": "4.0.0",
+      "version": "4.1.0",
       "transport": {
         "type": "stdio"
       },