npm - @jtalk22/slack-mcp - Versions diffs - 4.1.0 → 4.1.2 - Mend

@jtalk22/slack-mcp 4.1.0 → 4.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -24,7 +24,7 @@ Slack's official MCP server requires a registered app, admin approval, and [does
 This server uses your browser's session tokens instead. If you can see it in Slack, your AI agent can see it too. No app install, no scopes, no admin.
-**Stealth Mode:** Session tokens leave zero footprint in your workspace admin panel. No bot user appears, no app install shows up, no audit trail. Your AI agent operates with the same invisibility as your browser tab.
+**Session-token transport:** No bot user appears in the workspace admin panel, no app install shows up, no audit trail entry is created. Your AI agent operates with the same workspace footprint as your browser tab — nothing more, nothing less.
 ![OAuth vs Chrome DB Decryption](docs/images/diagram-oauth-comparison.svg)
@@ -40,7 +40,7 @@ This server uses your browser's session tokens instead. If you can see it in Sla
 | Works with Codex CLI | No | **Yes** |
 | Setup time | ~30 min | **~2 min** |
 | Tools | Limited | **16** |
-| Visible to admins | Yes | **No — Stealth Mode** |
+| Visible to admins | Yes | **No — session-token transport** |
 ## Quick Start per Client
@@ -230,7 +230,15 @@ On macOS, tokens are auto-extracted from Chrome — `env` block is optional.
 <details>
 <summary><strong>Claude Web / Remote MCP</strong></summary>
-Hosted version with permanent OAuth tokens coming soon. See [mcp.revasserlabs.com](https://mcp.revasserlabs.com) for updates.
+Hosted tiers at [mcp.revasserlabs.com](https://mcp.revasserlabs.com):
+| Tier | Price | What it owns |
+|------|-------|-------------|
+| Self-host | Free | Local stdio, all 16 tools, MIT licensed |
+| Solo | $19/mo | Managed endpoint + OAuth 2.1 bridge (required for Claude.ai web) + encrypted storage |
+| Team | $49/mo | Solo features + multi-seat routing |
+| Turnkey Team Launch | from $2,500+ | Dedicated instance + 30-day setup support |
+| Managed Reliability | from $800/mo+ | SLA-backed instance + incident response |
 </details>
@@ -270,6 +278,14 @@ Session tokens (`xoxc-` + `xoxd-`) from your browser. If you can see it in Slack
 Tokens expire. The server notices before you do — proactive health monitoring, automatic refresh on macOS, warnings when tokens age out. File writes are atomic (temp file → chmod → rename) to prevent corruption. Concurrent refresh attempts are mutex-locked.
+## What's New in 4.1.2
+- **LevelDB extraction** — reads tokens directly from Chrome's LevelDB store. No live Slack tab required, no AppleScript flag dependency.
+- **Multi-profile enumeration** — automatically picks the freshest Chrome profile. Override with `SLACK_MCP_CHROME_USER_DATA_DIR`, `SLACK_MCP_CHROME_PROFILE`, or `SLACK_MCP_EXTRACTION_MODE`.
+- **Explicit shutdown handlers** — SIGTERM/SIGINT/SIGHUP/stdin EOF/stdin error all exit cleanly. Zero zombie processes.
+Full release notes in [docs/INDEX.md](docs/INDEX.md) and on [GitHub releases/latest](https://github.com/jtalk22/slack-mcp-server/releases/latest).
 ## Hosted HTTP Mode
 For remote MCP endpoints (Cloudflare Worker, VPS, etc.):
@@ -326,4 +342,4 @@ Not affiliated with Slack Technologies, Inc. Uses browser session credentials
 ---
-Hosted version with semantic search, AI summaries, and permanent OAuth — coming soon at [mcp.revasserlabs.com](https://mcp.revasserlabs.com)
+Hosted tiers live at [mcp.revasserlabs.com](https://mcp.revasserlabs.com): Solo $19/mo, Team $49/mo, Turnkey Team Launch from $2,500+, Managed Reliability from $800/mo+. Hosted owns the managed MCP endpoint, the OAuth 2.1 bridge into Claude.ai, encrypted credential storage, and the structural absence of the zombie-process class. It does not replace Chrome — the user still pastes `xoxc-`/`xoxd-` at setup.

package/lib/slack-client.js CHANGED Viewed

@@ -9,12 +9,19 @@
  * - Proactive token health checking
  */
-import { loadTokens, saveTokens, extractFromChrome } from "./token-store.js";
+import {
+  loadTokens,
+  saveTokens,
+  extractFromChrome,
+  getLastExtractionError,
+  saveAutoHealTelemetry,
+} from "./token-store.js";
 // ============ Configuration ============
 const TOKEN_WARNING_AGE = 10 * 24 * 60 * 60 * 1000;   // 10 days
 const TOKEN_CRITICAL_AGE = 13 * 24 * 60 * 60 * 1000;  // 13 days
+const STUCK_THRESHOLD_MS = 24 * 60 * 60 * 1000;       // Escalate to 'stuck' after 24h of repeated auto-heal failures
 const REFRESH_COOLDOWN = 60 * 60 * 1000;        // 1 hour between refresh attempts
 const USER_CACHE_MAX_SIZE = 500;
 const USER_CACHE_TTL = 60 * 60 * 1000;          // 1 hour
@@ -113,14 +120,21 @@ export async function checkTokenHealth(logger = console) {
     ? Math.round(tokenAge / (60 * 60 * 1000) * 10) / 10
     : null;
+  // Read auto-heal telemetry (only populated when source is "file")
+  let lastAutoHealAttempt = creds.lastAutoHealAttempt || null;
+  let lastAutoHealError = creds.lastAutoHealError || null;
+  let stuckSince = creds.stuckSince || null;
   // Attempt proactive refresh if token is getting old
   if (hasKnownAge && tokenAge > TOKEN_WARNING_AGE && Date.now() - lastRefreshAttempt > REFRESH_COOLDOWN) {
     lastRefreshAttempt = Date.now();
+    const attemptAt = new Date().toISOString();
     logger.error?.(`Token is ${ageHours}h old, attempting proactive refresh...`);
     const newTokens = extractFromChrome();
     if (newTokens) {
       saveTokens(newTokens.token, newTokens.cookie);
+      saveAutoHealTelemetry({ attemptAt, error: null });
       logger.error?.('Proactively refreshed tokens from Chrome');
       return {
         healthy: true,
@@ -129,35 +143,59 @@ export async function checkTokenHealth(logger = console) {
         age_known: true,
         age_state: 'fresh',
         source: 'chrome-auto',
+        last_auto_heal_attempt: attemptAt,
+        last_auto_heal_error: null,
+        stuck_since: null,
         message: 'Tokens refreshed successfully'
       };
     } else {
-      logger.error?.('Could not refresh from Chrome (is Slack tab open?)');
+      const extractionError = getLastExtractionError();
+      const errorCode = extractionError?.code || 'chrome_extraction_failed';
+      saveAutoHealTelemetry({ attemptAt, error: errorCode });
+      lastAutoHealAttempt = attemptAt;
+      if (lastAutoHealError !== errorCode) {
+        stuckSince = attemptAt;
+      }
+      lastAutoHealError = errorCode;
+      logger.error?.(`Could not refresh from Chrome: ${extractionError?.message || 'unknown error'}`);
     }
   }
+  const stuckSinceMs = stuckSince ? new Date(stuckSince).getTime() : Number.NaN;
+  const isStuck = Number.isFinite(stuckSinceMs)
+    && (Date.now() - stuckSinceMs) > STUCK_THRESHOLD_MS
+    && !!lastAutoHealError;
   return {
     healthy: !hasKnownAge || tokenAge < TOKEN_CRITICAL_AGE,
     age_hours: ageHours,
     age_known: hasKnownAge,
-    age_state: !hasKnownAge
-      ? 'unknown'
-      : tokenAge > TOKEN_CRITICAL_AGE
-        ? 'critical'
-        : tokenAge > TOKEN_WARNING_AGE
-          ? 'warning'
-          : 'healthy',
+    age_state: isStuck
+      ? 'stuck'
+      : !hasKnownAge
+        ? 'unknown'
+        : tokenAge > TOKEN_CRITICAL_AGE
+          ? 'critical'
+          : tokenAge > TOKEN_WARNING_AGE
+            ? 'warning'
+            : 'healthy',
     warning: hasKnownAge && tokenAge > TOKEN_WARNING_AGE,
     critical: hasKnownAge && tokenAge > TOKEN_CRITICAL_AGE,
+    stuck: isStuck,
     source: creds.source,
     updated_at: creds.updatedAt,
-    message: !hasKnownAge
-      ? 'Token age unknown (missing timestamp) - auth can still be valid'
-      : tokenAge > TOKEN_CRITICAL_AGE
-        ? 'Token may expire soon - open Slack in Chrome'
-        : tokenAge > TOKEN_WARNING_AGE
-          ? 'Token is getting old - will auto-refresh if Slack tab is open'
-          : 'Token is healthy'
+    last_auto_heal_attempt: lastAutoHealAttempt,
+    last_auto_heal_error: lastAutoHealError,
+    stuck_since: stuckSince,
+    message: isStuck
+      ? `Auto-heal has been failing since ${stuckSince} (last error: ${lastAutoHealError}). Open Chrome > View > Developer > Allow JavaScript from Apple Events, then run npm run tokens:auto.`
+      : !hasKnownAge
+        ? 'Token age unknown (missing timestamp) - auth can still be valid'
+        : tokenAge > TOKEN_CRITICAL_AGE
+          ? 'Token may expire soon - open Slack in Chrome'
+          : tokenAge > TOKEN_WARNING_AGE
+            ? 'Token is getting old - will auto-refresh if Slack tab is open'
+            : 'Token is healthy'
   };
 }
@@ -250,13 +288,28 @@ export async function slackAPI(method, params = {}, options = {}) {
     // Handle auth errors with auto-retry
     if ((data.error === "invalid_auth" || data.error === "token_expired") && retryOnAuthFail) {
       logger.error?.("Token expired, attempting Chrome auto-extraction...");
+      const attemptAt = new Date().toISOString();
       const chromeTokens = extractFromChrome();
       if (chromeTokens) {
         saveTokens(chromeTokens.token, chromeTokens.cookie);
+        saveAutoHealTelemetry({ attemptAt, error: null });
         // Retry the request
         return slackAPI(method, params, { ...options, retryOnAuthFail: false });
       }
-      throw new Error(`${data.error} - Tokens expired. Open Slack in Chrome and use slack_refresh_tokens.`);
+      const extractionError = getLastExtractionError() || {
+        code: 'chrome_extraction_failed',
+        message: 'Auto-heal attempted but no structured error surfaced.',
+        detail: null
+      };
+      saveAutoHealTelemetry({ attemptAt, error: extractionError.code });
+      const err = new Error(
+        `Slack auth failed (${data.error}) and auto-heal could not refresh tokens: ${extractionError.message}`
+      );
+      err.code = 'token_auth_failed';
+      err.slack_error = data.error;
+      err.extraction_error = extractionError;
+      err.next_action = 'Open http://localhost:3000 and click Refresh, OR run `npm run tokens:auto` with Slack open in Chrome, OR check Chrome > View > Developer > Allow JavaScript from Apple Events.';
+      throw err;
     }
     throw new Error(data.error || "Slack API error");
   }

package/lib/token-store.js CHANGED Viewed

@@ -8,7 +8,7 @@
  * 4. Chrome auto-extraction (fallback)
  */
-import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync, statSync, readdirSync } from "fs";
 import { homedir, platform, tmpdir } from "os";
 import { join } from "path";
 import { execFileSync } from "child_process";
@@ -20,6 +20,12 @@ const KEYCHAIN_SERVICE = "slack-mcp-server";
 // Platform detection
 const IS_MACOS = platform() === 'darwin';
+// Default Chrome user-data dir on macOS
+const DEFAULT_CHROME_BASE = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+// Slack xoxc- token regex: 3 numeric segments then a hex signature
+const XOXC_TOKEN_RE = /xoxc-[0-9]+-[0-9]+-[0-9]+-[a-f0-9]{20,}/g;
 // Refresh lock to prevent concurrent extraction attempts
 let refreshInProgress = null;
 let lastExtractionError = null;
@@ -65,13 +71,45 @@ export function getFromFile() {
     return {
       token: data.SLACK_TOKEN,
       cookie: data.SLACK_COOKIE,
-      updatedAt: data.updated_at || data.UPDATED_AT || null
+      updatedAt: data.updated_at || data.UPDATED_AT || null,
+      lastAutoHealAttempt: data.last_auto_heal_attempt || null,
+      lastAutoHealError: data.last_auto_heal_error || null,
+      stuckSince: data.stuck_since || null
     };
   } catch (e) {
     return null;
   }
 }
+/**
+ * Persist auto-heal telemetry into the token file.
+ * Best-effort: silent on failure (tokens are more important than metadata).
+ * error === null indicates a successful auto-heal; any non-null string is an
+ * error code (e.g. "apple_events_javascript_disabled"). When the error code
+ * changes, stuck_since is reset; when it stays the same across attempts,
+ * stuck_since is preserved so downstream consumers can detect a long-running
+ * stuck state.
+ */
+export function saveAutoHealTelemetry({ attemptAt, error }) {
+  if (!existsSync(TOKEN_FILE)) return;
+  try {
+    const data = JSON.parse(readFileSync(TOKEN_FILE, "utf-8"));
+    data.last_auto_heal_attempt = attemptAt;
+    if (error) {
+      if (data.last_auto_heal_error !== error) {
+        data.stuck_since = attemptAt;
+      }
+      data.last_auto_heal_error = error;
+    } else {
+      data.last_auto_heal_error = null;
+      data.stuck_since = null;
+    }
+    atomicWriteSync(TOKEN_FILE, JSON.stringify(data, null, 2));
+  } catch (e) {
+    // Silent: telemetry must never break the auto-heal hot path.
+  }
+}
 /**
  * Atomic write to prevent file corruption from concurrent writes
  */
@@ -109,7 +147,65 @@ const SLACK_TOKEN_PATHS = [
   `window.boot_data?.api_token`,
 ];
-// Chrome profile directories to search (in priority order)
+// Fallback profile list used when Local State JSON can't be read
+const FALLBACK_CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3', 'Profile 4', 'Profile 5'];
+// ============ Chrome profile discovery ============
+/**
+ * Resolve the Chrome user-data directory.
+ * Override with SLACK_MCP_CHROME_USER_DATA_DIR for non-standard installations
+ * (e.g. a portable Chrome, a test profile, or a Chrome Canary layout).
+ */
+function getChromeBase() {
+  return process.env.SLACK_MCP_CHROME_USER_DATA_DIR || DEFAULT_CHROME_BASE;
+}
+/**
+ * Extraction mode config:
+ *   "auto"       - LevelDB first, AppleScript fallback (default)
+ *   "leveldb"    - On-disk only, never touch AppleScript (CI-safe, headless-safe)
+ *   "applescript"- Legacy AppleScript-only path
+ */
+function getExtractionMode() {
+  const mode = (process.env.SLACK_MCP_EXTRACTION_MODE || 'auto').toLowerCase();
+  return ['auto', 'leveldb', 'applescript'].includes(mode) ? mode : 'auto';
+}
+/**
+ * Enumerate all Chrome profiles present on this machine, newest cookie DB first.
+ * SLACK_MCP_CHROME_PROFILE can pin a single profile (exact directory name).
+ * Falls back to the legacy hardcoded list if Local State is unreadable.
+ */
+function enumerateChromeProfiles() {
+  const envProfile = process.env.SLACK_MCP_CHROME_PROFILE;
+  if (envProfile) return [envProfile];
+  const base = getChromeBase();
+  const localStatePath = join(base, 'Local State');
+  let profiles = [];
+  try {
+    const localState = JSON.parse(readFileSync(localStatePath, 'utf-8'));
+    profiles = Object.keys(localState.profile?.info_cache || {});
+  } catch {
+    profiles = [...FALLBACK_CHROME_PROFILES];
+  }
+  if (profiles.length === 0) profiles = [...FALLBACK_CHROME_PROFILES];
+  // Rank profiles by cookie-db mtime descending so the freshest Slack session wins.
+  const ranked = profiles.map(p => {
+    const cookiePath = join(base, p, 'Cookies');
+    let mtime = 0;
+    try { mtime = statSync(cookiePath).mtimeMs; } catch {}
+    return { name: p, mtime };
+  });
+  ranked.sort((a, b) => b.mtime - a.mtime);
+  return ranked.map(x => x.name);
+}
+// Chrome profile directories to search (legacy helper retained for back-compat)
 const CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3'];
 function normalizeExtractionError(error) {
@@ -155,76 +251,118 @@ function normalizeExtractionError(error) {
 }
 /**
- * Extract the Slack session cookie from Chrome's encrypted cookie database.
- * The `d` cookie is HttpOnly — JavaScript cannot access it via document.cookie.
- * This reads Chrome's SQLite cookie store and decrypts using the Keychain-stored key.
+ * Extract the Slack `d` cookie from a specific Chrome profile's cookie DB.
+ * Returns the decrypted xoxd- cookie string or null if this profile has no
+ * Slack session or decryption fails.
+ *
+ * Chrome holds a WAL lock on the live DB; we copy-then-query for safety.
  */
-function extractCookieFromChromeDB() {
-  const chromeBase = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+function extractCookieForProfile(profileDir) {
+  const cookiesPath = join(profileDir, 'Cookies');
+  if (!existsSync(cookiesPath)) return null;
-  // Find the first profile with a Slack d cookie
-  for (const profile of CHROME_PROFILES) {
-    const cookiesPath = join(chromeBase, profile, 'Cookies');
-    if (!existsSync(cookiesPath)) continue;
+  const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
+  const tmpDb = join(tmpDir, 'Cookies');
+  try {
+    copyFileSync(cookiesPath, tmpDb);
-    // Copy DB to temp location (Chrome holds a WAL lock on the original)
-    const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
-    const tmpDb = join(tmpDir, 'Cookies');
-    try {
-      copyFileSync(cookiesPath, tmpDb);
+    const queryResult = execFileSync('sqlite3', [
+      tmpDb,
+      "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
-      // Query for the encrypted d cookie
-      const queryResult = execFileSync('sqlite3', [
-        tmpDb,
-        "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
-      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
-      // Clean up temp files
-      try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+    if (!queryResult) return null;
-      if (!queryResult) continue;
+    const encrypted = Buffer.from(queryResult, 'hex');
+    if (encrypted.length < 4) return null;
-      // Convert hex back to buffer
-      const encrypted = Buffer.from(queryResult, 'hex');
-      if (encrypted.length < 4) continue;
+    // Chrome Safe Storage password (per-machine, stored in macOS Keychain)
+    const safeStoragePassword = execFileSync('security', [
+      'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
-      // Get Chrome Safe Storage password from Keychain
-      const safeStoragePassword = execFileSync('security', [
-        'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
-      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+    // macOS Chrome cookies: v10 prefix + AES-128-CBC
+    const prefix = encrypted.subarray(0, 3).toString('utf-8');
+    if (prefix !== 'v10') return null;
-      // Chrome macOS cookies: v10 prefix + AES-128-CBC
-      const prefix = encrypted.subarray(0, 3).toString('utf-8');
-      if (prefix !== 'v10') continue;
+    const ciphertext = encrypted.subarray(3);
+    const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
+    const iv = Buffer.alloc(16, ' ');
-      const ciphertext = encrypted.subarray(3);
+    const decipher = createDecipheriv('aes-128-cbc', key, iv);
+    let decrypted;
+    try {
+      decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    } catch {
+      return null;
+    }
-      // Derive key: PBKDF2-SHA1, 1003 iterations, salt 'saltysalt', 16-byte key
-      const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
-      const iv = Buffer.alloc(16, ' '); // 16 space characters
+    const text = decrypted.toString('utf-8');
+    const xoxdIndex = text.indexOf('xoxd-');
+    if (xoxdIndex < 0) return null;
+    return text.substring(xoxdIndex);
+  } catch {
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+    return null;
+  }
+}
-      const decipher = createDecipheriv('aes-128-cbc', key, iv);
-      let decrypted;
-      try {
-        decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-      } catch {
-        continue; // Decryption failed for this profile, try next
-      }
+/**
+ * Legacy helper: walk CHROME_PROFILES and return the first cookie found.
+ * Retained so existing callers that only want a cookie string keep working.
+ */
+function extractCookieFromChromeDB() {
+  const base = getChromeBase();
+  for (const profile of enumerateChromeProfiles()) {
+    const cookie = extractCookieForProfile(join(base, profile));
+    if (cookie) return cookie;
+  }
+  return null;
+}
-      // Find xoxd- in decrypted data (Chrome prepends internal metadata bytes)
-      const text = decrypted.toString('utf-8');
-      const xoxdIndex = text.indexOf('xoxd-');
-      if (xoxdIndex < 0) continue;
+/**
+ * Extract a Slack xoxc- token by reading the on-disk LevelDB for a profile.
+ * This is the preferred path:
+ *   - No AppleScript required
+ *   - No "Allow JavaScript from Apple Events" Chrome dev flag required
+ *   - No live Slack tab required — the token just has to have been cached
+ *     at some point during normal use
+ *   - Works headlessly, works in CI, works when Chrome is closed
+ *
+ * We scan .ldb and .log files newest-first so the freshest cached token wins.
+ */
+function extractTokenFromLevelDB(profileDir) {
+  const ldbDir = join(profileDir, 'Local Storage', 'leveldb');
+  if (!existsSync(ldbDir)) return null;
-      return text.substring(xoxdIndex);
-    } catch (e) {
-      // Clean up on error and try next profile
-      try { unlinkSync(tmpDb); } catch {}
-      try { unlinkSync(tmpDir); } catch {}
+  let files;
+  try {
+    files = readdirSync(ldbDir)
+      .filter(f => /\.(ldb|log)$/.test(f))
+      .map(f => {
+        const p = join(ldbDir, f);
+        let mtime = 0;
+        try { mtime = statSync(p).mtimeMs; } catch {}
+        return { path: p, mtime };
+      })
+      .sort((a, b) => b.mtime - a.mtime);
+  } catch {
+    return null;
+  }
+  for (const f of files) {
+    try {
+      // Binary encoding avoids UTF-8 re-interpretation of snappy-compressed blocks
+      const txt = readFileSync(f.path).toString('binary');
+      XOXC_TOKEN_RE.lastIndex = 0;
+      const matches = txt.match(XOXC_TOKEN_RE);
+      if (matches && matches.length) return matches[0];
+    } catch {
       continue;
     }
   }
   return null;
 }
@@ -272,11 +410,27 @@ end tell`;
 /**
  * Extract tokens from Chrome (macOS only).
  *
- * Token: AppleScript executes JS in Chrome to read localStorage (requires
- *   "Allow JavaScript from Apple Events" in Chrome > View > Developer).
- * Cookie: Reads Chrome's encrypted SQLite cookie database directly. The `d`
- *   session cookie is HttpOnly and cannot be accessed via document.cookie.
- *   Decryption uses the Chrome Safe Storage key from macOS Keychain.
+ * Two extraction paths:
+ *
+ *   1. LevelDB (preferred, default "auto" mode tries this first):
+ *      Cookie: Reads the encrypted SQLite cookie DB and decrypts with the
+ *              Chrome Safe Storage key from macOS Keychain.
+ *      Token:  Reads the on-disk LevelDB under Local Storage and regex-matches
+ *              any cached xoxc- token. Works without a live Slack tab, without
+ *              the AppleScript dev flag, and works when Chrome is closed.
+ *
+ *   2. AppleScript (legacy fallback, or forced with SLACK_MCP_EXTRACTION_MODE=applescript):
+ *      Cookie: Same SQLite-backed path.
+ *      Token:  Drives Chrome via AppleScript to run JS against localStorage.
+ *              Requires Chrome > View > Developer > "Allow JavaScript from
+ *              Apple Events" AND a live app.slack.com tab. Kept because it
+ *              grabs the token from whichever workspace is actually active
+ *              right now, which can differ from what's cached on disk.
+ *
+ * Environment overrides:
+ *   SLACK_MCP_CHROME_USER_DATA_DIR  - base Chrome dir (default ~/Library/Application Support/Google/Chrome)
+ *   SLACK_MCP_CHROME_PROFILE        - pin a single profile directory name
+ *   SLACK_MCP_EXTRACTION_MODE       - auto | leveldb | applescript
  */
 function extractFromChromeInternal() {
   lastExtractionError = null;
@@ -285,56 +439,85 @@ function extractFromChromeInternal() {
     lastExtractionError = {
       code: "unsupported_platform",
       message: "Chrome auto-extraction is only available on macOS.",
-      detail: "Use manual token setup on this platform."
+      detail: "Use manual token setup on this platform, or set SLACK_TOKEN and SLACK_COOKIE env vars."
     };
     return null;
   }
-  // Extract cookie from Chrome's encrypted cookie database
-  let cookie;
-  try {
-    cookie = extractCookieFromChromeDB();
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
-    return null;
-  }
+  const mode = getExtractionMode();
+  const base = getChromeBase();
+  const profiles = enumerateChromeProfiles();
-  if (!cookie) {
+  if (profiles.length === 0) {
     lastExtractionError = {
-      code: "cookie_not_found",
-      message: "Could not extract Slack session cookie from Chrome.",
-      detail: "Ensure you are logged into Slack at app.slack.com in Chrome."
+      code: "no_chrome_profiles",
+      message: "No Chrome profiles found.",
+      detail: `Looked under ${base}. Set SLACK_MCP_CHROME_USER_DATA_DIR if Chrome is installed elsewhere.`
     };
     return null;
   }
-  // Extract token via AppleScript (localStorage)
-  let token;
-  try {
-    token = extractTokenFromChrome();
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
-    // If we got the cookie but not the token, give a specific error
-    if (cookie && !token) {
+  // --- Path 1: LevelDB (no AppleScript, no live tab needed) ---
+  if (mode === 'leveldb' || mode === 'auto') {
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      const token = extractTokenFromLevelDB(profileDir);
+      if (!token) continue;
+      return { token, cookie, profile: profileName, extraction_mode: 'leveldb' };
+    }
+    if (mode === 'leveldb') {
+      lastExtractionError = {
+        code: "leveldb_no_matching_profile",
+        message: "No Chrome profile had both a Slack cookie and a cached xoxc- token on disk.",
+        detail: `Profiles checked: ${profiles.join(', ')}. Open Slack in Chrome and sign in once, then retry. SLACK_MCP_CHROME_PROFILE can pin a specific profile.`
+      };
+      return null;
+    }
+    // Fall through to AppleScript
+  }
+  // --- Path 2: AppleScript + SQLite (legacy, requires live tab + dev flag) ---
+  if (mode === 'applescript' || mode === 'auto') {
+    let cookieSeen = null;
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      cookieSeen = cookie;
+      let token;
+      try {
+        token = extractTokenFromChrome();
+      } catch (e) {
+        lastExtractionError = normalizeExtractionError(e);
+        continue;
+      }
+      if (token) {
+        return { token, cookie, profile: profileName, extraction_mode: 'applescript' };
+      }
+    }
+    if (cookieSeen && !lastExtractionError) {
       lastExtractionError = {
         code: "apple_events_javascript_disabled",
-        message: "Cookie extracted, but token extraction requires a Chrome setting.",
-        detail: "In Chrome: View > Developer > Allow JavaScript from Apple Events. Then retry."
+        message: "Cookie extracted, but AppleScript could not read the Slack token from localStorage.",
+        detail: "Enable Chrome > View > Developer > Allow JavaScript from Apple Events, then retry. Or set SLACK_MCP_EXTRACTION_MODE=leveldb to skip AppleScript entirely."
       };
+      return null;
     }
-    return null;
   }
-  if (!token) {
+  if (!lastExtractionError) {
     lastExtractionError = {
-      code: "token_not_found",
-      message: "Could not extract Slack token from Chrome.",
-      detail: "Ensure a Slack workspace is open in Chrome (not just the landing page). If Chrome blocks AppleScript, enable View > Developer > Allow JavaScript from Apple Events."
+      code: "extraction_failed_all_paths",
+      message: "Could not extract Slack credentials via LevelDB or AppleScript.",
+      detail: `Profiles checked: ${profiles.join(', ')}. Ensure you are logged into Slack at app.slack.com in Chrome at least once.`
     };
-    return null;
   }
-  return { token, cookie };
+  return null;
 }
 /**
@@ -384,7 +567,10 @@ function getStoredTokens() {
       token: fileTokens.token,
       cookie: fileTokens.cookie,
       source: "file",
-      updatedAt: fileTokens.updatedAt
+      updatedAt: fileTokens.updatedAt,
+      lastAutoHealAttempt: fileTokens.lastAutoHealAttempt,
+      lastAutoHealError: fileTokens.lastAutoHealError,
+      stuckSince: fileTokens.stuckSince
     };
   }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@jtalk22/slack-mcp",
   "mcpName": "io.github.jtalk22/slack-mcp-server",
-  "version": "4.1.0",
+  "version": "4.1.2",
   "description": "Slack MCP without OAuth — no app registration, no admin approval. Works with Claude Code, Cursor, Copilot (where the official server doesn't). 16 tools, one command.",
   "type": "module",
   "main": "src/server.js",

package/public/index.html CHANGED Viewed

@@ -255,8 +255,8 @@
   <div class="container">
     <h1>Slack Web API <span id="status" class="status"></span></h1>
     <div style="background:rgba(240,194,70,0.08);border:1px solid rgba(240,194,70,0.2);border-radius:8px;padding:8px 14px;margin-bottom:16px;display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:8px;font-size:13px;color:#d4c48a">
-      <span>Hosted version coming soon — <strong style="color:#f0c246">permanent OAuth, semantic search, AI summaries</strong></span>
-      <a href="https://mcp.revasserlabs.com" style="color:#f0c246;font-weight:600;text-decoration:none;white-space:nowrap" target="_blank">Learn more &rarr;</a>
+      <span>Hosted tiers live — <strong style="color:#f0c246">managed MCP endpoint, OAuth bridge for Claude.ai, encrypted storage</strong></span>
+      <a href="https://mcp.revasserlabs.com" style="color:#f0c246;font-weight:600;text-decoration:none;white-space:nowrap" target="_blank">See tiers &rarr;</a>
     </div>
     <div class="grid">
       <div class="sidebar">

package/server.json CHANGED Viewed

@@ -17,7 +17,7 @@
     "url": "https://github.com/jtalk22/slack-mcp-server",
     "source": "github"
   },
-  "version": "4.1.0",
+  "version": "4.1.2",
   "remotes": [
     {
       "type": "streamable-http",
@@ -28,7 +28,7 @@
     {
       "registryType": "npm",
       "identifier": "@jtalk22/slack-mcp",
-      "version": "4.1.0",
+      "version": "4.1.2",
       "transport": {
         "type": "stdio"
       },

package/src/server.js CHANGED Viewed

@@ -290,6 +290,22 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
         };
     }
   } catch (error) {
+    if (error?.code === "token_auth_failed") {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            status: "error",
+            code: "token_auth_failed",
+            message: String(error?.message || error),
+            slack_error: error.slack_error || null,
+            extraction_error: error.extraction_error || null,
+            next_action: error.next_action || "Open http://localhost:3000 and click Refresh, OR run `npm run tokens:auto` with Slack open in Chrome, OR check Chrome > View > Developer > Allow JavaScript from Apple Events."
+          }, null, 2)
+        }],
+        isError: true
+      };
+    }
     return {
       content: [{
         type: "text",
@@ -323,8 +339,9 @@ async function main() {
   }
   // Background token health check (every 4 hours)
-  // Use unref() so this timer doesn't prevent the process from exiting
-  // when the MCP transport closes (prevents zombie processes)
+  // unref() alone doesn't prevent StdioServerTransport from keeping the event
+  // loop alive after the MCP client disconnects — we add explicit shutdown
+  // handlers below to kill zombie processes on stdin EOF and signals.
   const backgroundTimer = setInterval(async () => {
     try {
       const health = await checkTokenHealth(console);
@@ -339,6 +356,23 @@ async function main() {
   }, BACKGROUND_REFRESH_INTERVAL);
   backgroundTimer.unref();
+  // Explicit shutdown path prevents the zombie-process pileup we were seeing
+  // when Claude Code or another MCP client disconnected without signalling.
+  // StdioServerTransport doesn't exit the event loop on its own when stdin EOFs.
+  let shuttingDown = false;
+  const shutdown = (reason) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    try { clearInterval(backgroundTimer); } catch {}
+    console.error(`slack-mcp-server exiting: ${reason}`);
+    process.exit(0);
+  };
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("SIGHUP", () => shutdown("SIGHUP"));
+  process.stdin.on("end", () => shutdown("stdin end (MCP client disconnected)"));
+  process.stdin.on("error", (err) => shutdown(`stdin error: ${err?.message || err}`));
   // Start server
   const transport = new StdioServerTransport();
   await server.connect(transport);