@jtalk22/slack-mcp 4.0.0 → 4.1.2

package/README.md

@@ -10,11 +10,13 @@ Give your AI agent full Slack access. No app registration, no admin approval, no
 npx -y @jtalk22/slack-mcp --setup
 ```
 
-![demo](docs/images/demo-readme.gif)
+[![Slack MCP Server Demo](docs/images/demo-poster.png)](https://jtalk22.github.io/slack-mcp-server/public/demo-video.html)
 
-> **Ask Claude to catch you up on #engineering from the last 24 hours.** Search for that deployment thread from last week. Find every message mentioning the API key. Send a reply. All from your editor.
+**[▶ Watch the demo](https://jtalk22.github.io/slack-mcp-server/public/demo-video.html)** — 7 scenarios, from 47 unreads to inbox zero, without opening Slack.
 
-[Interactive demo](https://jtalk22.github.io/slack-mcp-server/public/demo.html) · [Latest release](https://github.com/jtalk22/slack-mcp-server/releases/latest)
+> **Ask your AI to catch you up on #engineering from the last 24 hours.** Search for that deployment thread from last week. Find the printer admin PIN nobody can remember. Send a reply. All from your editor.
+
+[Interactive demo](https://jtalk22.github.io/slack-mcp-server/public/demo-slack-mcp.html) · [Latest release](https://github.com/jtalk22/slack-mcp-server/releases/latest)
 
 ## Why This Exists
 
@@ -22,7 +24,90 @@ Slack's official MCP server requires a registered app, admin approval, and [does
 
 This server uses your browser's session tokens instead. If you can see it in Slack, your AI agent can see it too. No app install, no scopes, no admin.
 
-![OAuth vs Session](docs/images/diagram-oauth-comparison.svg)
+**Session-token transport:** No bot user appears in the workspace admin panel, no app install shows up, no audit trail entry is created. Your AI agent operates with the same workspace footprint as your browser tab — nothing more, nothing less.
+
+![OAuth vs Chrome DB Decryption](docs/images/diagram-oauth-comparison.svg)
+
+|  | Slack Official MCP | This Server |
+|---|---|---|
+| OAuth app required | Yes | **No** |
+| Admin approval | Yes | **No** |
+| Works with Claude Code | No (DCR incompatible) | **Yes** |
+| Works with Cursor | No | **Yes** |
+| Works with Copilot | No | **Yes** |
+| Works with Windsurf | No | **Yes** |
+| Works with Gemini CLI | No | **Yes** |
+| Works with Codex CLI | No | **Yes** |
+| Setup time | ~30 min | **~2 min** |
+| Tools | Limited | **16** |
+| Visible to admins | Yes | **No — session-token transport** |
+
+## Quick Start per Client
+
+<details>
+<summary><strong>Claude Desktop / Claude Code</strong></summary>
+
+Add to `~/.claude.json` or Claude Desktop settings:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Cursor</strong></summary>
+
+Add to `.cursor/mcp.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Windsurf</strong></summary>
+
+Add to `~/.codeium/windsurf/mcp_config.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Gemini CLI</strong></summary>
+
+Add to `~/.gemini/settings.json`:
+```json
+{
+  "mcpServers": {
+    "slack": { "command": "npx", "args": ["-y", "@jtalk22/slack-mcp"] }
+  }
+}
+```
+</details>
+
+<details>
+<summary><strong>Codex CLI</strong></summary>
+
+Add to `~/.codex/config.toml`:
+```toml
+[mcp_servers.slack]
+command = "npx"
+args = ["-y", "@jtalk22/slack-mcp"]
+```
+
+Or via CLI: `codex mcp add slack -- npx -y @jtalk22/slack-mcp`
+</details>
 
 ## Tools
 
@@ -145,13 +230,15 @@ On macOS, tokens are auto-extracted from Chrome — `env` block is optional.
 <details>
 <summary><strong>Claude Web / Remote MCP</strong></summary>
 
-For browser-based clients that can't run local processes, use the hosted HTTP endpoint:
-
-```
-https://mcp.revasserlabs.com/oauth/mcp
-```
+Hosted tiers at [mcp.revasserlabs.com](https://mcp.revasserlabs.com):
 
-Add this as a remote MCP server in your client's settings. Transport: Streamable HTTP. Auth: OAuth 2.1 + PKCE.
+| Tier | Price | What it owns |
+|------|-------|-------------|
+| Self-host | Free | Local stdio, all 16 tools, MIT licensed |
+| Solo | $19/mo | Managed endpoint + OAuth 2.1 bridge (required for Claude.ai web) + encrypted storage |
+| Team | $49/mo | Solo features + multi-seat routing |
+| Turnkey Team Launch | from $2,500+ | Dedicated instance + 30-day setup support |
+| Managed Reliability | from $800/mo+ | SLA-backed instance + incident response |
 
 </details>
 
@@ -191,6 +278,14 @@ Session tokens (`xoxc-` + `xoxd-`) from your browser. If you can see it in Slack
 
 Tokens expire. The server notices before you do — proactive health monitoring, automatic refresh on macOS, warnings when tokens age out. File writes are atomic (temp file → chmod → rename) to prevent corruption. Concurrent refresh attempts are mutex-locked.
 
+## What's New in 4.1.2
+
+- **LevelDB extraction** — reads tokens directly from Chrome's LevelDB store. No live Slack tab required, no AppleScript flag dependency.
+- **Multi-profile enumeration** — automatically picks the freshest Chrome profile. Override with `SLACK_MCP_CHROME_USER_DATA_DIR`, `SLACK_MCP_CHROME_PROFILE`, or `SLACK_MCP_EXTRACTION_MODE`.
+- **Explicit shutdown handlers** — SIGTERM/SIGINT/SIGHUP/stdin EOF/stdin error all exit cleanly. Zero zombie processes.
+
+Full release notes in [docs/INDEX.md](docs/INDEX.md) and on [GitHub releases/latest](https://github.com/jtalk22/slack-mcp-server/releases/latest).
+
 ## Hosted HTTP Mode
 
 For remote MCP endpoints (Cloudflare Worker, VPS, etc.):
@@ -247,4 +342,4 @@ Not affiliated with Slack Technologies, Inc. Uses browser session credentials
 
 ---
 
-Managed hosting available — [mcp.revasserlabs.com](https://mcp.revasserlabs.com)
+Hosted tiers live at [mcp.revasserlabs.com](https://mcp.revasserlabs.com): Solo $19/mo, Team $49/mo, Turnkey Team Launch from $2,500+, Managed Reliability from $800/mo+. Hosted owns the managed MCP endpoint, the OAuth 2.1 bridge into Claude.ai, encrypted credential storage, and the structural absence of the zombie-process class. It does not replace Chrome — the user still pastes `xoxc-`/`xoxd-` at setup.

package/docs/SETUP.md

@@ -1,40 +1,8 @@
 # Setup Guide
 
-## Cloud
+## Hosted (Coming Soon)
 
-Use **Slack MCP Cloud** when you want a managed endpoint rather than local token handling:
-
-1. Go to [Slack MCP Cloud](https://mcp.revasserlabs.com) and purchase a plan ($19/mo Solo, $49/mo Team)
-2. After checkout, you'll receive an API key and ready-to-paste config for Claude Desktop / Claude Code
-3. Use the hosted endpoint and API key — one URL, 15 managed tools. Team adds 3 AI workflows.
-
-**Claude Desktop config (Cloud):**
-```json
-{
-  "mcpServers": {
-    "slack": {
-      "url": "https://mcp.revasserlabs.com/oauth/mcp"
-    }
-  }
-}
-```
-
-**Claude Code config (Cloud):**
-```json
-{
-  "mcpServers": {
-    "slack": {
-      "type": "sse",
-      "url": "https://mcp.revasserlabs.com/mcp",
-      "headers": {
-        "Authorization": "Bearer YOUR_API_KEY"
-      }
-    }
-  }
-}
-```
-
-If you prefer self-hosting, continue below.
+A hosted version with permanent OAuth tokens, semantic search, and AI summaries is in development at [mcp.revasserlabs.com](https://mcp.revasserlabs.com). The current release is self-hosted only — continue below.
 
 ---
 

package/docs/TROUBLESHOOTING.md

@@ -29,31 +29,9 @@ If `--version` fails here, the issue is install/runtime path, not Slack credenti
 
 ---
 
-## Cloud Issues
+## Hosted Version
 
-### API Key Not Working
-
-**Symptom:** `401 Unauthorized` or `403 Forbidden` when using Cloud endpoint.
-
-**Solutions:**
-1. Verify your API key starts with `stmh_` (team) or `smsh_` (solo)
-2. Check the key hasn't been revoked — contact support@revasserlabs.com for key issues
-3. Ensure you're using the correct endpoint: `https://mcp.revasserlabs.com/mcp`
-
-### Cloud Tools Not Available
-
-**Symptom:** Only seeing fewer tools than expected.
-
-**Cause:** AI compound tools (`slack_channel_summary`, `slack_extract_action_items`, `slack_find_decisions`) are Team plan only ($49/mo).
-
-**Solution:** Upgrade to Team plan for AI compound tools, or use the 15 standard managed tools available on all Cloud plans.
-
-### Cloud Endpoint Health Check
-
-```bash
-curl -s https://mcp.revasserlabs.com/health | jq .
-# Expected: {"status":"healthy","server":"slack-mcp-hosted","version":"0.5.0"}
-```
+A hosted version with permanent OAuth tokens, semantic search, and AI summaries is coming soon at [mcp.revasserlabs.com](https://mcp.revasserlabs.com). The current release is self-hosted only.
 
 ---
 

package/lib/handlers.js

@@ -216,7 +216,7 @@ export async function handleRefreshTokens() {
       code: extractionError.code,
       message: extractionError.message,
       detail: extractionError.detail,
-      next_action: "In Chrome: View > Developer > Allow JavaScript from Apple Events, then retry."
+      next_action: "In Chrome: View > Developer > Allow JavaScript from Apple Events, then retry. (Only needed for token — cookie is extracted from Chrome's database automatically.)"
     }, true);
   }
 

package/lib/public-pages.js

@@ -15,7 +15,7 @@ const ICON_URL = `${GITHUB_PAGES_ROOT}/docs/assets/icon-512.png`;
 const NPM_URL = "https://www.npmjs.com/package/@jtalk22/slack-mcp";
 const RELEASES_URL = `${PUBLIC_METADATA.canonicalRepoUrl}/releases/latest`;
 const SETUP_URL = `${PUBLIC_METADATA.canonicalRepoUrl}/blob/main/docs/SETUP.md`;
-const DEMO_VIDEO_URL = `${GITHUB_PAGES_ROOT}/docs/videos/demo-claude-mobile-20s.mp4`;
+const DEMO_VIDEO_URL = `${GITHUB_PAGES_ROOT}/docs/videos/demo-slack-mcp-mobile-20s.mp4`;
 
 function template(name) {
   return readFileSync(resolve(TEMPLATE_DIR, name), "utf8");
@@ -58,28 +58,28 @@ function shareLinks() {
       <a href="${GITHUB_PAGES_ROOT}/" rel="noopener">Autoplay Demo Landing</a>
       <a href="${DEMO_VIDEO_URL}" rel="noopener">20s Mobile Clip</a>
       <a href="${NPM_URL}" rel="noopener">npm Package</a>
-      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
     `.trim();
 }
 
 function shareNote() {
-  return `<strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Managed hosting available at <a href="${PUBLIC_METADATA.canonicalSiteUrl}">mcp.revasserlabs.com</a>.`;
+  return `<strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Hosted version coming soon at <a href="${PUBLIC_METADATA.canonicalSiteUrl}">mcp.revasserlabs.com</a>.`;
 }
 
 function demoLinks() {
   return `
-      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
       <a href="${NPM_URL}" target="_blank" rel="noopener noreferrer">npm Install</a>
       <a href="${SETUP_URL}" target="_blank" rel="noopener noreferrer">Setup Guide</a>
     `.trim();
 }
 
 function demoNote() {
-  return `Self-host free for ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf, and any other MCP client. No OAuth app, no admin approval. Managed hosting available at <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer">mcp.revasserlabs.com</a>.`;
+  return `Self-host free for ${PUBLIC_METADATA.selfHostedToolCount} tools with session-based auth. Works with Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf, and any other MCP client. No OAuth app, no admin approval. Hosted version coming soon at <a href="${PUBLIC_METADATA.canonicalSiteUrl}" target="_blank" rel="noopener noreferrer">mcp.revasserlabs.com</a>.`;
 }
 
 function demoFooterLinks() {
-  return `<a href="${PUBLIC_METADATA.canonicalRepoUrl}">GitHub</a> · <a href="${NPM_URL}" style="color:#94a3b8;text-decoration:none;font-size:0.875rem">npm</a> · <a href="${PUBLIC_METADATA.canonicalSiteUrl}" style="color:#f0c246;text-decoration:none;font-size:0.875rem">Cloud</a>`;
+  return `<a href="${PUBLIC_METADATA.canonicalRepoUrl}">GitHub</a> · <a href="${NPM_URL}" style="color:#94a3b8;text-decoration:none;font-size:0.875rem">npm</a> · <a href="${PUBLIC_METADATA.canonicalSiteUrl}" style="color:#f0c246;text-decoration:none;font-size:0.875rem">Hosted</a>`;
 }
 
 function commonTokens() {
@@ -113,10 +113,10 @@ function commonTokens() {
     SELF_HOSTED_TOOL_COUNT: String(PUBLIC_METADATA.selfHostedToolCount),
     CLOUD_MANAGED_TOOL_COUNT: "15",
     TEAM_AI_WORKFLOW_COUNT: "3",
-    CLOUD_SOLO_PRICE: "$19/mo",
-    CLOUD_TEAM_PRICE: "$49/mo",
-    CLOUD_TURNKEY_LAUNCH_PRICE: "$2.5k+",
-    CLOUD_MANAGED_RELIABILITY_PRICE: "$800/mo+",
+    CLOUD_SOLO_PRICE: "coming soon",
+    CLOUD_TEAM_PRICE: "coming soon",
+    CLOUD_TURNKEY_LAUNCH_PRICE: "contact us",
+    CLOUD_MANAGED_RELIABILITY_PRICE: "contact us",
     SUPPORT_EMAIL: PUBLIC_METADATA.supportEmail,
     ROOT_DECISION_PANEL: rootDecisionPanel(),
     SHARE_LINKS: shareLinks(),
@@ -134,6 +134,6 @@ export function buildPublicPages() {
     "public/share.html": replaceTokens(template("share.html.tpl"), tokens),
     "public/demo.html": replaceTokens(template("demo.html.tpl"), tokens),
     "public/demo-video.html": replaceTokens(template("demo-video.html.tpl"), tokens),
-    "public/demo-claude.html": replaceTokens(template("demo-claude.html.tpl"), tokens),
+    "public/demo-slack-mcp.html": replaceTokens(template("demo-slack-mcp.html.tpl"), tokens),
   };
 }

package/lib/slack-client.js

@@ -9,12 +9,19 @@
  * - Proactive token health checking
  */
 
-import { loadTokens, saveTokens, extractFromChrome } from "./token-store.js";
+import {
+  loadTokens,
+  saveTokens,
+  extractFromChrome,
+  getLastExtractionError,
+  saveAutoHealTelemetry,
+} from "./token-store.js";
 
 // ============ Configuration ============
 
 const TOKEN_WARNING_AGE = 10 * 24 * 60 * 60 * 1000;   // 10 days
 const TOKEN_CRITICAL_AGE = 13 * 24 * 60 * 60 * 1000;  // 13 days
+const STUCK_THRESHOLD_MS = 24 * 60 * 60 * 1000;       // Escalate to 'stuck' after 24h of repeated auto-heal failures
 const REFRESH_COOLDOWN = 60 * 60 * 1000;        // 1 hour between refresh attempts
 const USER_CACHE_MAX_SIZE = 500;
 const USER_CACHE_TTL = 60 * 60 * 1000;          // 1 hour
@@ -113,14 +120,21 @@ export async function checkTokenHealth(logger = console) {
     ? Math.round(tokenAge / (60 * 60 * 1000) * 10) / 10
     : null;
 
+  // Read auto-heal telemetry (only populated when source is "file")
+  let lastAutoHealAttempt = creds.lastAutoHealAttempt || null;
+  let lastAutoHealError = creds.lastAutoHealError || null;
+  let stuckSince = creds.stuckSince || null;
+
   // Attempt proactive refresh if token is getting old
   if (hasKnownAge && tokenAge > TOKEN_WARNING_AGE && Date.now() - lastRefreshAttempt > REFRESH_COOLDOWN) {
     lastRefreshAttempt = Date.now();
+    const attemptAt = new Date().toISOString();
     logger.error?.(`Token is ${ageHours}h old, attempting proactive refresh...`);
 
     const newTokens = extractFromChrome();
     if (newTokens) {
       saveTokens(newTokens.token, newTokens.cookie);
+      saveAutoHealTelemetry({ attemptAt, error: null });
       logger.error?.('Proactively refreshed tokens from Chrome');
       return {
         healthy: true,
@@ -129,35 +143,59 @@ export async function checkTokenHealth(logger = console) {
         age_known: true,
         age_state: 'fresh',
         source: 'chrome-auto',
+        last_auto_heal_attempt: attemptAt,
+        last_auto_heal_error: null,
+        stuck_since: null,
         message: 'Tokens refreshed successfully'
       };
     } else {
-      logger.error?.('Could not refresh from Chrome (is Slack tab open?)');
+      const extractionError = getLastExtractionError();
+      const errorCode = extractionError?.code || 'chrome_extraction_failed';
+      saveAutoHealTelemetry({ attemptAt, error: errorCode });
+      lastAutoHealAttempt = attemptAt;
+      if (lastAutoHealError !== errorCode) {
+        stuckSince = attemptAt;
+      }
+      lastAutoHealError = errorCode;
+      logger.error?.(`Could not refresh from Chrome: ${extractionError?.message || 'unknown error'}`);
     }
   }
 
+  const stuckSinceMs = stuckSince ? new Date(stuckSince).getTime() : Number.NaN;
+  const isStuck = Number.isFinite(stuckSinceMs)
+    && (Date.now() - stuckSinceMs) > STUCK_THRESHOLD_MS
+    && !!lastAutoHealError;
+
   return {
     healthy: !hasKnownAge || tokenAge < TOKEN_CRITICAL_AGE,
     age_hours: ageHours,
     age_known: hasKnownAge,
-    age_state: !hasKnownAge
-      ? 'unknown'
-      : tokenAge > TOKEN_CRITICAL_AGE
-        ? 'critical'
-        : tokenAge > TOKEN_WARNING_AGE
-          ? 'warning'
-          : 'healthy',
+    age_state: isStuck
+      ? 'stuck'
+      : !hasKnownAge
+        ? 'unknown'
+        : tokenAge > TOKEN_CRITICAL_AGE
+          ? 'critical'
+          : tokenAge > TOKEN_WARNING_AGE
+            ? 'warning'
+            : 'healthy',
     warning: hasKnownAge && tokenAge > TOKEN_WARNING_AGE,
     critical: hasKnownAge && tokenAge > TOKEN_CRITICAL_AGE,
+    stuck: isStuck,
     source: creds.source,
     updated_at: creds.updatedAt,
-    message: !hasKnownAge
-      ? 'Token age unknown (missing timestamp) - auth can still be valid'
-      : tokenAge > TOKEN_CRITICAL_AGE
-        ? 'Token may expire soon - open Slack in Chrome'
-        : tokenAge > TOKEN_WARNING_AGE
-          ? 'Token is getting old - will auto-refresh if Slack tab is open'
-          : 'Token is healthy'
+    last_auto_heal_attempt: lastAutoHealAttempt,
+    last_auto_heal_error: lastAutoHealError,
+    stuck_since: stuckSince,
+    message: isStuck
+      ? `Auto-heal has been failing since ${stuckSince} (last error: ${lastAutoHealError}). Open Chrome > View > Developer > Allow JavaScript from Apple Events, then run npm run tokens:auto.`
+      : !hasKnownAge
+        ? 'Token age unknown (missing timestamp) - auth can still be valid'
+        : tokenAge > TOKEN_CRITICAL_AGE
+          ? 'Token may expire soon - open Slack in Chrome'
+          : tokenAge > TOKEN_WARNING_AGE
+            ? 'Token is getting old - will auto-refresh if Slack tab is open'
+            : 'Token is healthy'
   };
 }
 
@@ -250,13 +288,28 @@ export async function slackAPI(method, params = {}, options = {}) {
     // Handle auth errors with auto-retry
     if ((data.error === "invalid_auth" || data.error === "token_expired") && retryOnAuthFail) {
       logger.error?.("Token expired, attempting Chrome auto-extraction...");
+      const attemptAt = new Date().toISOString();
       const chromeTokens = extractFromChrome();
       if (chromeTokens) {
         saveTokens(chromeTokens.token, chromeTokens.cookie);
+        saveAutoHealTelemetry({ attemptAt, error: null });
         // Retry the request
         return slackAPI(method, params, { ...options, retryOnAuthFail: false });
       }
-      throw new Error(`${data.error} - Tokens expired. Open Slack in Chrome and use slack_refresh_tokens.`);
+      const extractionError = getLastExtractionError() || {
+        code: 'chrome_extraction_failed',
+        message: 'Auto-heal attempted but no structured error surfaced.',
+        detail: null
+      };
+      saveAutoHealTelemetry({ attemptAt, error: extractionError.code });
+      const err = new Error(
+        `Slack auth failed (${data.error}) and auto-heal could not refresh tokens: ${extractionError.message}`
+      );
+      err.code = 'token_auth_failed';
+      err.slack_error = data.error;
+      err.extraction_error = extractionError;
+      err.next_action = 'Open http://localhost:3000 and click Refresh, OR run `npm run tokens:auto` with Slack open in Chrome, OR check Chrome > View > Developer > Allow JavaScript from Apple Events.';
+      throw err;
     }
     throw new Error(data.error || "Slack API error");
   }

package/lib/token-store.js

@@ -8,10 +8,11 @@
  * 4. Chrome auto-extraction (fallback)
  */
 
-import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync } from "fs";
-import { homedir, platform } from "os";
+import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync, statSync, readdirSync } from "fs";
+import { homedir, platform, tmpdir } from "os";
 import { join } from "path";
-import { execSync, execFileSync } from "child_process";
+import { execFileSync } from "child_process";
+import { pbkdf2Sync, createDecipheriv } from "crypto";
 
 const TOKEN_FILE = join(homedir(), ".slack-mcp-tokens.json");
 const KEYCHAIN_SERVICE = "slack-mcp-server";
@@ -19,6 +20,12 @@ const KEYCHAIN_SERVICE = "slack-mcp-server";
 // Platform detection
 const IS_MACOS = platform() === 'darwin';
 
+// Default Chrome user-data dir on macOS
+const DEFAULT_CHROME_BASE = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+
+// Slack xoxc- token regex: 3 numeric segments then a hex signature
+const XOXC_TOKEN_RE = /xoxc-[0-9]+-[0-9]+-[0-9]+-[a-f0-9]{20,}/g;
+
 // Refresh lock to prevent concurrent extraction attempts
 let refreshInProgress = null;
 let lastExtractionError = null;
@@ -64,13 +71,45 @@ export function getFromFile() {
     return {
       token: data.SLACK_TOKEN,
       cookie: data.SLACK_COOKIE,
-      updatedAt: data.updated_at || data.UPDATED_AT || null
+      updatedAt: data.updated_at || data.UPDATED_AT || null,
+      lastAutoHealAttempt: data.last_auto_heal_attempt || null,
+      lastAutoHealError: data.last_auto_heal_error || null,
+      stuckSince: data.stuck_since || null
     };
   } catch (e) {
     return null;
   }
 }
 
+/**
+ * Persist auto-heal telemetry into the token file.
+ * Best-effort: silent on failure (tokens are more important than metadata).
+ * error === null indicates a successful auto-heal; any non-null string is an
+ * error code (e.g. "apple_events_javascript_disabled"). When the error code
+ * changes, stuck_since is reset; when it stays the same across attempts,
+ * stuck_since is preserved so downstream consumers can detect a long-running
+ * stuck state.
+ */
+export function saveAutoHealTelemetry({ attemptAt, error }) {
+  if (!existsSync(TOKEN_FILE)) return;
+  try {
+    const data = JSON.parse(readFileSync(TOKEN_FILE, "utf-8"));
+    data.last_auto_heal_attempt = attemptAt;
+    if (error) {
+      if (data.last_auto_heal_error !== error) {
+        data.stuck_since = attemptAt;
+      }
+      data.last_auto_heal_error = error;
+    } else {
+      data.last_auto_heal_error = null;
+      data.stuck_since = null;
+    }
+    atomicWriteSync(TOKEN_FILE, JSON.stringify(data, null, 2));
+  } catch (e) {
+    // Silent: telemetry must never break the auto-heal hot path.
+  }
+}
+
 /**
  * Atomic write to prevent file corruption from concurrent writes
  */
@@ -102,32 +141,89 @@ export function saveToFile(token, cookie) {
 
 // Multiple localStorage paths Slack might use (for robustness)
 const SLACK_TOKEN_PATHS = [
-  // Current known path
   `JSON.parse(localStorage.localConfig_v2).teams[Object.keys(JSON.parse(localStorage.localConfig_v2).teams)[0]].token`,
-  // Potential future paths
   `JSON.parse(localStorage.localConfig_v3).teams[Object.keys(JSON.parse(localStorage.localConfig_v3).teams)[0]].token`,
-  // Redux store path (older Slack)
   `JSON.parse(localStorage.getItem('reduxPersist:localConfig'))?.teams?.[Object.keys(JSON.parse(localStorage.getItem('reduxPersist:localConfig'))?.teams || {})[0]]?.token`,
-  // Direct boot data
   `window.boot_data?.api_token`,
 ];
 
+// Fallback profile list used when Local State JSON can't be read
+const FALLBACK_CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3', 'Profile 4', 'Profile 5'];
+
+// ============ Chrome profile discovery ============
+
+/**
+ * Resolve the Chrome user-data directory.
+ * Override with SLACK_MCP_CHROME_USER_DATA_DIR for non-standard installations
+ * (e.g. a portable Chrome, a test profile, or a Chrome Canary layout).
+ */
+function getChromeBase() {
+  return process.env.SLACK_MCP_CHROME_USER_DATA_DIR || DEFAULT_CHROME_BASE;
+}
+
+/**
+ * Extraction mode config:
+ *   "auto"       - LevelDB first, AppleScript fallback (default)
+ *   "leveldb"    - On-disk only, never touch AppleScript (CI-safe, headless-safe)
+ *   "applescript"- Legacy AppleScript-only path
+ */
+function getExtractionMode() {
+  const mode = (process.env.SLACK_MCP_EXTRACTION_MODE || 'auto').toLowerCase();
+  return ['auto', 'leveldb', 'applescript'].includes(mode) ? mode : 'auto';
+}
+
+/**
+ * Enumerate all Chrome profiles present on this machine, newest cookie DB first.
+ * SLACK_MCP_CHROME_PROFILE can pin a single profile (exact directory name).
+ * Falls back to the legacy hardcoded list if Local State is unreadable.
+ */
+function enumerateChromeProfiles() {
+  const envProfile = process.env.SLACK_MCP_CHROME_PROFILE;
+  if (envProfile) return [envProfile];
+
+  const base = getChromeBase();
+  const localStatePath = join(base, 'Local State');
+
+  let profiles = [];
+  try {
+    const localState = JSON.parse(readFileSync(localStatePath, 'utf-8'));
+    profiles = Object.keys(localState.profile?.info_cache || {});
+  } catch {
+    profiles = [...FALLBACK_CHROME_PROFILES];
+  }
+
+  if (profiles.length === 0) profiles = [...FALLBACK_CHROME_PROFILES];
+
+  // Rank profiles by cookie-db mtime descending so the freshest Slack session wins.
+  const ranked = profiles.map(p => {
+    const cookiePath = join(base, p, 'Cookies');
+    let mtime = 0;
+    try { mtime = statSync(cookiePath).mtimeMs; } catch {}
+    return { name: p, mtime };
+  });
+  ranked.sort((a, b) => b.mtime - a.mtime);
+  return ranked.map(x => x.name);
+}
+
+// Chrome profile directories to search (legacy helper retained for back-compat)
+const CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3'];
+
 function normalizeExtractionError(error) {
   const raw = String(error?.message || error || "");
 
   if (raw.includes("Executing JavaScript through AppleScript is turned off")) {
     return {
       code: "apple_events_javascript_disabled",
-      message: "Chrome blocked JavaScript execution from Apple Events.",
-      detail: "Enable it in Chrome: View > Developer > Allow JavaScript from Apple Events."
+      message: "Chrome needs one setting enabled for token extraction.",
+      detail: "In Chrome: View > Developer > Allow JavaScript from Apple Events. Cookie extraction works without this — only the token needs it."
     };
   }
 
   if (raw.includes("Application isn't running") || raw.includes("Google Chrome got an error")) {
     return {
       code: "chrome_not_ready",
-      message: "Chrome is not ready for token extraction.",
-      detail: "Open Google Chrome with an active Slack tab at app.slack.com."
+      message: "Chrome is not running or has no windows open.",
+      detail: "Open Google Chrome with a Slack tab at app.slack.com."
     };
   }
 
@@ -139,6 +235,14 @@ function normalizeExtractionError(error) {
     };
   }
 
+  if (raw.includes("Chrome Safe Storage")) {
+    return {
+      code: "keychain_access_denied",
+      message: "Could not access Chrome's encryption key in Keychain.",
+      detail: "You may need to allow terminal access in System Settings > Privacy > Full Disk Access."
+    };
+  }
+
   return {
     code: "chrome_extraction_failed",
     message: "Chrome token extraction failed.",
@@ -147,83 +251,273 @@ function normalizeExtractionError(error) {
 }
 
 /**
- * Extract tokens from Chrome (macOS only, uses AppleScript)
- * Returns null on non-macOS platforms
+ * Extract the Slack `d` cookie from a specific Chrome profile's cookie DB.
+ * Returns the decrypted xoxd- cookie string or null if this profile has no
+ * Slack session or decryption fails.
+ *
+ * Chrome holds a WAL lock on the live DB; we copy-then-query for safety.
+ */
+function extractCookieForProfile(profileDir) {
+  const cookiesPath = join(profileDir, 'Cookies');
+  if (!existsSync(cookiesPath)) return null;
+
+  const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
+  const tmpDb = join(tmpDir, 'Cookies');
+  try {
+    copyFileSync(cookiesPath, tmpDb);
+
+    const queryResult = execFileSync('sqlite3', [
+      tmpDb,
+      "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
+
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+
+    if (!queryResult) return null;
+
+    const encrypted = Buffer.from(queryResult, 'hex');
+    if (encrypted.length < 4) return null;
+
+    // Chrome Safe Storage password (per-machine, stored in macOS Keychain)
+    const safeStoragePassword = execFileSync('security', [
+      'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
+
+    // macOS Chrome cookies: v10 prefix + AES-128-CBC
+    const prefix = encrypted.subarray(0, 3).toString('utf-8');
+    if (prefix !== 'v10') return null;
+
+    const ciphertext = encrypted.subarray(3);
+    const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
+    const iv = Buffer.alloc(16, ' ');
+
+    const decipher = createDecipheriv('aes-128-cbc', key, iv);
+    let decrypted;
+    try {
+      decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    } catch {
+      return null;
+    }
+
+    const text = decrypted.toString('utf-8');
+    const xoxdIndex = text.indexOf('xoxd-');
+    if (xoxdIndex < 0) return null;
+    return text.substring(xoxdIndex);
+  } catch {
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+    return null;
+  }
+}
+
+/**
+ * Legacy helper: walk CHROME_PROFILES and return the first cookie found.
+ * Retained so existing callers that only want a cookie string keep working.
+ */
+function extractCookieFromChromeDB() {
+  const base = getChromeBase();
+  for (const profile of enumerateChromeProfiles()) {
+    const cookie = extractCookieForProfile(join(base, profile));
+    if (cookie) return cookie;
+  }
+  return null;
+}
+
+/**
+ * Extract a Slack xoxc- token by reading the on-disk LevelDB for a profile.
+ * This is the preferred path:
+ *   - No AppleScript required
+ *   - No "Allow JavaScript from Apple Events" Chrome dev flag required
+ *   - No live Slack tab required — the token just has to have been cached
+ *     at some point during normal use
+ *   - Works headlessly, works in CI, works when Chrome is closed
+ *
+ * We scan .ldb and .log files newest-first so the freshest cached token wins.
+ */
+function extractTokenFromLevelDB(profileDir) {
+  const ldbDir = join(profileDir, 'Local Storage', 'leveldb');
+  if (!existsSync(ldbDir)) return null;
+
+  let files;
+  try {
+    files = readdirSync(ldbDir)
+      .filter(f => /\.(ldb|log)$/.test(f))
+      .map(f => {
+        const p = join(ldbDir, f);
+        let mtime = 0;
+        try { mtime = statSync(p).mtimeMs; } catch {}
+        return { path: p, mtime };
+      })
+      .sort((a, b) => b.mtime - a.mtime);
+  } catch {
+    return null;
+  }
+
+  for (const f of files) {
+    try {
+      // Binary encoding avoids UTF-8 re-interpretation of snappy-compressed blocks
+      const txt = readFileSync(f.path).toString('binary');
+      XOXC_TOKEN_RE.lastIndex = 0;
+      const matches = txt.match(XOXC_TOKEN_RE);
+      if (matches && matches.length) return matches[0];
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+/**
+ * Extract Slack token from Chrome via AppleScript (reads localStorage).
+ * Uses strict URL matching to avoid hitting non-Slack tabs.
+ */
+function extractTokenFromChrome() {
+  // Prefer /client URLs (active workspace), fall back to any app.slack.com
+  const urlChecks = [
+    'URL of t starts with "https://app.slack.com/client"',
+    'URL of t starts with "https://app.slack.com"',
+  ];
+
+  const tokenPathsJS = SLACK_TOKEN_PATHS.map((path, i) =>
+    `try { var t${i} = ${path}; if (t${i} && t${i}.startsWith('xoxc-')) return t${i}; } catch(e) {}`
+  ).join(' ');
+
+  for (const urlCheck of urlChecks) {
+    try {
+      const script = `tell application "Google Chrome"
+  repeat with w in windows
+    repeat with t in tabs of w
+      if ${urlCheck} then
+        return execute t javascript "(function() { ${tokenPathsJS} return ''; })()"
+      end if
+    end repeat
+  end repeat
+  return ""
+end tell`;
+
+      const token = execFileSync('osascript', ['-e', script], {
+        encoding: 'utf-8', timeout: 8000
+      }).trim();
+
+      if (token && token.startsWith('xoxc-')) return token;
+    } catch {
+      continue;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Extract tokens from Chrome (macOS only).
+ *
+ * Two extraction paths:
+ *
+ *   1. LevelDB (preferred, default "auto" mode tries this first):
+ *      Cookie: Reads the encrypted SQLite cookie DB and decrypts with the
+ *              Chrome Safe Storage key from macOS Keychain.
+ *      Token:  Reads the on-disk LevelDB under Local Storage and regex-matches
+ *              any cached xoxc- token. Works without a live Slack tab, without
+ *              the AppleScript dev flag, and works when Chrome is closed.
+ *
+ *   2. AppleScript (legacy fallback, or forced with SLACK_MCP_EXTRACTION_MODE=applescript):
+ *      Cookie: Same SQLite-backed path.
+ *      Token:  Drives Chrome via AppleScript to run JS against localStorage.
+ *              Requires Chrome > View > Developer > "Allow JavaScript from
+ *              Apple Events" AND a live app.slack.com tab. Kept because it
+ *              grabs the token from whichever workspace is actually active
+ *              right now, which can differ from what's cached on disk.
+ *
+ * Environment overrides:
+ *   SLACK_MCP_CHROME_USER_DATA_DIR  - base Chrome dir (default ~/Library/Application Support/Google/Chrome)
+ *   SLACK_MCP_CHROME_PROFILE        - pin a single profile directory name
+ *   SLACK_MCP_EXTRACTION_MODE       - auto | leveldb | applescript
  */
 function extractFromChromeInternal() {
   lastExtractionError = null;
+
   if (!IS_MACOS) {
-    // AppleScript/osascript is macOS-only
     lastExtractionError = {
       code: "unsupported_platform",
       message: "Chrome auto-extraction is only available on macOS.",
-      detail: "Use manual token setup on this platform."
+      detail: "Use manual token setup on this platform, or set SLACK_TOKEN and SLACK_COOKIE env vars."
     };
     return null;
   }
 
-  try {
-    // Extract cookie
-    const cookieScript = `
-      tell application "Google Chrome"
-        repeat with w in windows
-          repeat with t in tabs of w
-            if URL of t contains "slack.com" then
-              return execute t javascript "document.cookie.split('; ').find(c => c.startsWith('d='))?.split('=')[1] || ''"
-            end if
-          end repeat
-        end repeat
-        return ""
-      end tell
-    `;
-    const cookie = execSync(`osascript -e '${cookieScript.replace(/'/g, "'\"'\"'")}'`, {
-      encoding: 'utf-8', timeout: 5000
-    }).trim();
-
-    if (!cookie || !cookie.startsWith('xoxd-')) {
+  const mode = getExtractionMode();
+  const base = getChromeBase();
+  const profiles = enumerateChromeProfiles();
+
+  if (profiles.length === 0) {
+    lastExtractionError = {
+      code: "no_chrome_profiles",
+      message: "No Chrome profiles found.",
+      detail: `Looked under ${base}. Set SLACK_MCP_CHROME_USER_DATA_DIR if Chrome is installed elsewhere.`
+    };
+    return null;
+  }
+
+  // --- Path 1: LevelDB (no AppleScript, no live tab needed) ---
+  if (mode === 'leveldb' || mode === 'auto') {
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      const token = extractTokenFromLevelDB(profileDir);
+      if (!token) continue;
+      return { token, cookie, profile: profileName, extraction_mode: 'leveldb' };
+    }
+
+    if (mode === 'leveldb') {
       lastExtractionError = {
-        code: "cookie_not_found",
-        message: "Could not extract Slack cookie from Chrome.",
-        detail: "Ensure a logged-in Slack tab is open at app.slack.com."
+        code: "leveldb_no_matching_profile",
+        message: "No Chrome profile had both a Slack cookie and a cached xoxc- token on disk.",
+        detail: `Profiles checked: ${profiles.join(', ')}. Open Slack in Chrome and sign in once, then retry. SLACK_MCP_CHROME_PROFILE can pin a specific profile.`
       };
       return null;
     }
+    // Fall through to AppleScript
+  }
+
+  // --- Path 2: AppleScript + SQLite (legacy, requires live tab + dev flag) ---
+  if (mode === 'applescript' || mode === 'auto') {
+    let cookieSeen = null;
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      cookieSeen = cookie;
+
+      let token;
+      try {
+        token = extractTokenFromChrome();
+      } catch (e) {
+        lastExtractionError = normalizeExtractionError(e);
+        continue;
+      }
+      if (token) {
+        return { token, cookie, profile: profileName, extraction_mode: 'applescript' };
+      }
+    }
 
-    // Try multiple token extraction paths
-    const tokenPathsJS = SLACK_TOKEN_PATHS.map((path, i) =>
-      `try { var t${i} = ${path}; if (t${i}?.startsWith('xoxc-')) return t${i}; } catch(e) {}`
-    ).join(' ');
-
-    const tokenScript = `
-      tell application "Google Chrome"
-        repeat with w in windows
-          repeat with t in tabs of w
-            if URL of t contains "slack.com" then
-              return execute t javascript "(function() { ${tokenPathsJS} return ''; })()"
-            end if
-          end repeat
-        end repeat
-        return ""
-      end tell
-    `;
-    const token = execSync(`osascript -e '${tokenScript.replace(/'/g, "'\"'\"'")}'`, {
-      encoding: 'utf-8', timeout: 5000
-    }).trim();
-
-    if (!token || !token.startsWith('xoxc-')) {
+    if (cookieSeen && !lastExtractionError) {
       lastExtractionError = {
-        code: "token_not_found",
-        message: "Could not extract Slack token from Chrome.",
-        detail: "Refresh Slack in Chrome and retry extraction."
+        code: "apple_events_javascript_disabled",
+        message: "Cookie extracted, but AppleScript could not read the Slack token from localStorage.",
+        detail: "Enable Chrome > View > Developer > Allow JavaScript from Apple Events, then retry. Or set SLACK_MCP_EXTRACTION_MODE=leveldb to skip AppleScript entirely."
       };
       return null;
     }
+  }
 
-    return { token, cookie };
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
-    return null;
+  if (!lastExtractionError) {
+    lastExtractionError = {
+      code: "extraction_failed_all_paths",
+      message: "Could not extract Slack credentials via LevelDB or AppleScript.",
+      detail: `Profiles checked: ${profiles.join(', ')}. Ensure you are logged into Slack at app.slack.com in Chrome at least once.`
+    };
   }
+  return null;
 }
 
 /**
@@ -273,7 +567,10 @@ function getStoredTokens() {
       token: fileTokens.token,
       cookie: fileTokens.cookie,
       source: "file",
-      updatedAt: fileTokens.updatedAt
+      updatedAt: fileTokens.updatedAt,
+      lastAutoHealAttempt: fileTokens.lastAutoHealAttempt,
+      lastAutoHealError: fileTokens.lastAutoHealError,
+      stuckSince: fileTokens.stuckSince
     };
   }
 

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@jtalk22/slack-mcp",
   "mcpName": "io.github.jtalk22/slack-mcp-server",
-  "version": "4.0.0",
-  "description": "Slack MCP server. Session-based auth, 16 tools, stdio transport. Works with any MCP client.",
+  "version": "4.1.2",
+  "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "type": "module",
   "main": "src/server.js",
   "bin": {
@@ -30,6 +30,7 @@
     "build:demo-mobile:gif": "node scripts/build-mobile-demo.js --gif",
     "record-demo": "node scripts/record-demo.js",
     "social-preview:update": "node scripts/update-github-social-preview.js --headed",
+    "bookmarklet": "node scripts/generate-bookmarklet.js",
     "cf:browser": "node scripts/cloudflare-browser-tool.js",
     "verify:attribution-guardrail": "node scripts/verify-attribution-guardrail.js",
     "verify:public-pages": "node scripts/verify-generated-public-pages.js",
@@ -61,7 +62,14 @@
     "slack-integration",
     "ai-agents",
     "automation",
-    "productivity"
+    "productivity",
+    "oauth-free",
+    "no-admin-approval",
+    "cursor",
+    "copilot",
+    "windsurf",
+    "codex-cli",
+    "stealth-mode"
   ],
   "author": {
     "name": "Revasser",

package/public/index.html

@@ -255,8 +255,8 @@
   <div class="container">
     <h1>Slack Web API <span id="status" class="status"></span></h1>
     <div style="background:rgba(240,194,70,0.08);border:1px solid rgba(240,194,70,0.2);border-radius:8px;padding:8px 14px;margin-bottom:16px;display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:8px;font-size:13px;color:#d4c48a">
-      <span>Skip local setup? <strong style="color:#f0c246">Slack MCP Cloud</strong> gives you 15 managed tools with one URL. Team adds 3 AI workflows.</span>
-      <a href="https://mcp.revasserlabs.com" style="color:#f0c246;font-weight:600;text-decoration:none;white-space:nowrap" target="_blank">Learn more &rarr;</a>
+      <span>Hosted tiers live — <strong style="color:#f0c246">managed MCP endpoint, OAuth bridge for Claude.ai, encrypted storage</strong></span>
+      <a href="https://mcp.revasserlabs.com" style="color:#f0c246;font-weight:600;text-decoration:none;white-space:nowrap" target="_blank">See tiers &rarr;</a>
     </div>
     <div class="grid">
       <div class="sidebar">

package/public/share.html

@@ -4,17 +4,17 @@
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>Slack MCP Server</title>
-  <meta name="description" content="Session-based Slack MCP for Claude. Self-host locally or use the managed Cloud path with Gemini CLI support, pricing, security/procurement review, deployment review, and hosted credentials.">
+  <meta name="description" content="No OAuth. No admin. 16 Slack tools for Claude, Cursor, Copilot, Gemini, and any MCP client. One command: npx -y @jtalk22/slack-mcp --setup">
   <meta property="og:type" content="website">
-  <meta property="og:title" content="Slack MCP Server">
-  <meta property="og:description" content="Session-based Slack MCP for Claude. Self-host 16 tools for free or use Cloud for 15 managed tools, Gemini CLI support, security/procurement review, deployment review, and support.">
+  <meta property="og:title" content="Slack MCP Server — No OAuth, no admin, just your browser session">
+  <meta property="og:description" content="Slack's official MCP needs OAuth + admin. This one uses your browser session. 16 tools, works with Claude, Cursor, Copilot, Gemini.">
   <meta property="og:url" content="https://jtalk22.github.io/slack-mcp-server/public/share.html">
   <meta property="og:image" content="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png">
   <meta property="og:image:width" content="1280">
   <meta property="og:image:height" content="640">
   <meta name="twitter:card" content="summary_large_image">
-  <meta name="twitter:title" content="Slack MCP Server">
-  <meta name="twitter:description" content="Session-based Slack MCP for Claude. Self-host 16 tools for free or use Cloud for 15 managed tools, Gemini CLI support, security/procurement review, deployment review, and support.">
+  <meta name="twitter:title" content="Slack MCP Server — No OAuth, no admin, just your browser session">
+  <meta name="twitter:description" content="16 tools for Claude, Cursor, Copilot, Gemini. npx -y @jtalk22/slack-mcp --setup">
   <meta name="twitter:image" content="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png">
   <link rel="icon" href="https://jtalk22.github.io/slack-mcp-server/docs/assets/icon-512.png" type="image/png">
   <style>
@@ -107,7 +107,7 @@
 <body>
   <main class="wrap">
     <h1>Slack MCP Server</h1>
-    <p class="sub">Give Claude full access to your Slack. Self-host 16 tools for free, or use Cloud for 15 managed tools, Gemini CLI support, hosted credentials, rollout support, and buyer-facing security review.</p>
+    <p class="sub">Give Claude full access to your Slack. Self-host 16 tools for free. Hosted version with semantic search, AI summaries, and permanent OAuth coming soon.</p>
 
     <a class="preview" href="https://github.com/jtalk22/slack-mcp-server" rel="noopener">
       <img src="https://jtalk22.github.io/slack-mcp-server/docs/images/social-preview-v3.png" alt="Slack MCP Server social preview card">
@@ -118,12 +118,12 @@
       <a href="https://github.com/jtalk22/slack-mcp-server/blob/main/docs/SETUP.md" rel="noopener">Verify (`--version/--doctor/--status`)</a>
       <a href="https://github.com/jtalk22/slack-mcp-server/releases/latest" rel="noopener">Latest Release</a>
       <a href="https://jtalk22.github.io/slack-mcp-server/" rel="noopener">Autoplay Demo Landing</a>
-      <a href="https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-claude-mobile-20s.mp4" rel="noopener">20s Mobile Clip</a>
+      <a href="https://jtalk22.github.io/slack-mcp-server/docs/videos/demo-slack-mcp-mobile-20s.mp4" rel="noopener">20s Mobile Clip</a>
       <a href="https://www.npmjs.com/package/@jtalk22/slack-mcp" rel="noopener">npm Package</a>
-      <a href="https://mcp.revasserlabs.com" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Cloud</a>
+      <a href="https://mcp.revasserlabs.com" rel="noopener" style="background:rgba(240,194,70,0.18);border-color:rgba(240,194,70,0.45);color:#f0c246">Hosted</a>
     </div>
 
-    <p class="note"><strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives 16 tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Managed hosting available at <a href="https://mcp.revasserlabs.com">mcp.revasserlabs.com</a>.</p>
+    <p class="note"><strong>Verify in 30 seconds:</strong> <code>--version</code>, <code>--doctor</code>, <code>--status</code>. Self-host gives 16 tools with session-based auth. Works with any MCP client — Claude, ChatGPT, Cursor, Copilot, Gemini, Windsurf. Hosted version coming soon at <a href="https://mcp.revasserlabs.com">mcp.revasserlabs.com</a>.</p>
   </main>
 </body>
 </html>

package/scripts/setup-wizard.js

@@ -131,10 +131,18 @@ async function runMacOSSetup(rl) {
     }
     print();
     if (extractionError?.code === "apple_events_javascript_disabled") {
-      print("Fix and retry:");
-      print("  1. In Chrome menu: View > Developer > Allow JavaScript from Apple Events");
-      print("  2. Keep Slack open in a Chrome tab (app.slack.com)");
-      print("  3. Re-run: npx -y @jtalk22/slack-mcp --setup");
+      print();
+      printBox([
+        "Chrome needs one setting enabled (one-time only):",
+        "",
+        "1. Open Chrome",
+        "2. Menu bar: View → Developer → Allow JavaScript",
+        "   from Apple Events  ✓",
+        "3. Run this command again",
+      ], 55);
+      print();
+      print("Once enabled, --setup extracts tokens automatically.");
+      print("No DevTools, no copy-paste, just one command.");
     } else {
       print("Make sure:");
       print("  1. Chrome is running");
@@ -180,42 +188,83 @@ async function runManualSetup(rl) {
   print();
   if (IS_MACOS) {
     info("Switching to manual token entry...");
+    info("Note: On macOS, the session cookie can be extracted automatically.");
   } else {
     info(`Detected platform: ${platform()}`);
     warn("Auto-extraction not available on this platform.");
   }
+
+  const consoleHotkey = IS_MACOS ? "Cmd+Option+J" : "Ctrl+Shift+J";
+  // Token-only one-liner (cookie is HttpOnly and cannot be read via document.cookie)
+  const oneLiner = `copy(JSON.parse(localStorage.localConfig_v2).teams[Object.keys(JSON.parse(localStorage.localConfig_v2).teams)[0]].token)`;
+
   print();
-  print("Follow these steps to extract tokens from Chrome:");
-  print();
-  print(`${colors.bold}Step 1:${colors.reset} Open Chrome and navigate to your Slack workspace`);
-  print("         https://app.slack.com");
+  print(`${colors.bold}Quick extract (recommended):${colors.reset}`);
   print();
-  print(`${colors.bold}Step 2:${colors.reset} Press F12 to open DevTools`);
+  print(`  1. Open Chrome → ${colors.cyan}app.slack.com${colors.reset} (must be logged in)`);
+  print(`  2. Press ${colors.cyan}${consoleHotkey}${colors.reset} to open the Console`);
+  print(`  3. Paste this one-liner and press Enter:`);
   print();
-  print(`${colors.bold}Step 3:${colors.reset} Go to the ${colors.cyan}Console${colors.reset} tab and paste this:`);
+  printBox([oneLiner], oneLiner.length + 4);
   print();
-  printBox([
-    "JSON.parse(localStorage.localConfig_v2).teams[",
-    "  Object.keys(JSON.parse(localStorage.localConfig_v2)",
-    "  .teams)[0]].token",
-  ], 55);
+  print(`  4. Your token is now on the clipboard. Paste below.`);
+  if (IS_MACOS) {
+    print(`  ${colors.dim}(Cookie will be extracted automatically from Chrome)${colors.reset}`);
+  }
   print();
-  print(`         Copy the token (starts with ${colors.cyan}xoxc-${colors.reset})`);
+  print(`${colors.dim}(Or paste a JSON object with token+cookie, or a raw xoxc- token)${colors.reset}`);
   print();
 
-  const token = await question(rl, `${colors.bold}Paste your token:${colors.reset} `);
+  const input = await question(rl, `${colors.bold}Paste token:${colors.reset} `);
+  const trimmed = input.trim();
 
-  if (!token.startsWith('xoxc-')) {
-    error("Invalid token. Token should start with 'xoxc-'");
-    return false;
+  let token, cookie;
+
+  // Try JSON parse first (legacy one-liner output or manual JSON)
+  if (trimmed.startsWith('{')) {
+    try {
+      const parsed = JSON.parse(trimmed);
+      if (parsed.token) token = parsed.token;
+      if (parsed.cookie) cookie = parsed.cookie;
+    } catch (_) {
+      // Not valid JSON — fall through to raw token
+    }
   }
 
-  print();
-  print(`${colors.bold}Step 4:${colors.reset} Go to ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → slack.com`);
-  print(`         Find the '${colors.cyan}d${colors.reset}' cookie and copy its value`);
-  print();
+  // Treat as raw token
+  if (!token) {
+    token = trimmed;
+    if (!token.startsWith('xoxc-')) {
+      error("Invalid input. Expected a token starting with 'xoxc-'");
+      return false;
+    }
+  }
+
+  // On macOS, try to extract cookie from Chrome's cookie database automatically
+  if (!cookie && IS_MACOS) {
+    print();
+    print("Extracting session cookie from Chrome...");
+    const chromeTokens = extractFromChrome();
+    if (chromeTokens?.cookie) {
+      cookie = chromeTokens.cookie;
+      success("Cookie extracted from Chrome automatically");
+    } else {
+      warn("Could not extract cookie automatically.");
+      print(`  Paste the cookie manually. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+      print();
+      const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+      cookie = cookieInput.trim();
+    }
+  }
 
-  const cookie = await question(rl, `${colors.bold}Paste your cookie:${colors.reset} `);
+  // Non-macOS: always ask for cookie
+  if (!cookie) {
+    print();
+    print(`Paste the cookie. In Chrome: ${colors.cyan}Application${colors.reset} tab → ${colors.cyan}Cookies${colors.reset} → find '${colors.cyan}d${colors.reset}'`);
+    print();
+    const cookieInput = await question(rl, `${colors.bold}Paste cookie (xoxd-...):${colors.reset} `);
+    cookie = cookieInput.trim();
+  }
 
   if (!cookie.startsWith('xoxd-')) {
     error("Invalid cookie. Cookie should start with 'xoxd-'");

package/server.json

@@ -2,7 +2,7 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.jtalk22/slack-mcp-server",
   "title": "Slack MCP Server",
-  "description": "Slack MCP server. Session-based auth, 16 tools, stdio transport. Works with any MCP client.",
+  "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "websiteUrl": "https://mcp.revasserlabs.com",
   "icons": [
     {
@@ -17,7 +17,7 @@
     "url": "https://github.com/jtalk22/slack-mcp-server",
     "source": "github"
   },
-  "version": "4.0.0",
+  "version": "4.1.2",
   "remotes": [
     {
       "type": "streamable-http",
@@ -28,7 +28,7 @@
     {
       "registryType": "npm",
       "identifier": "@jtalk22/slack-mcp",
-      "version": "4.0.0",
+      "version": "4.1.2",
       "transport": {
         "type": "stdio"
       },

package/src/server.js

@@ -290,6 +290,22 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         };
     }
   } catch (error) {
+    if (error?.code === "token_auth_failed") {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            status: "error",
+            code: "token_auth_failed",
+            message: String(error?.message || error),
+            slack_error: error.slack_error || null,
+            extraction_error: error.extraction_error || null,
+            next_action: error.next_action || "Open http://localhost:3000 and click Refresh, OR run `npm run tokens:auto` with Slack open in Chrome, OR check Chrome > View > Developer > Allow JavaScript from Apple Events."
+          }, null, 2)
+        }],
+        isError: true
+      };
+    }
     return {
       content: [{
         type: "text",
@@ -323,8 +339,9 @@ async function main() {
   }
 
   // Background token health check (every 4 hours)
-  // Use unref() so this timer doesn't prevent the process from exiting
-  // when the MCP transport closes (prevents zombie processes)
+  // unref() alone doesn't prevent StdioServerTransport from keeping the event
+  // loop alive after the MCP client disconnects — we add explicit shutdown
+  // handlers below to kill zombie processes on stdin EOF and signals.
   const backgroundTimer = setInterval(async () => {
     try {
       const health = await checkTokenHealth(console);
@@ -339,6 +356,23 @@ async function main() {
   }, BACKGROUND_REFRESH_INTERVAL);
   backgroundTimer.unref();
 
+  // Explicit shutdown path prevents the zombie-process pileup we were seeing
+  // when Claude Code or another MCP client disconnected without signalling.
+  // StdioServerTransport doesn't exit the event loop on its own when stdin EOFs.
+  let shuttingDown = false;
+  const shutdown = (reason) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    try { clearInterval(backgroundTimer); } catch {}
+    console.error(`slack-mcp-server exiting: ${reason}`);
+    process.exit(0);
+  };
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("SIGHUP", () => shutdown("SIGHUP"));
+  process.stdin.on("end", () => shutdown("stdin end (MCP client disconnected)"));
+  process.stdin.on("error", (err) => shutdown(`stdin error: ${err?.message || err}`));
+
   // Start server
   const transport = new StdioServerTransport();
   await server.connect(transport);