@jtalk22/slack-mcp 4.1.0 → 4.2.0

package/lib/token-store.js

@@ -8,7 +8,7 @@
  * 4. Chrome auto-extraction (fallback)
  */
 
-import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync } from "fs";
+import { readFileSync, writeFileSync, existsSync, renameSync, unlinkSync, chmodSync, copyFileSync, mkdtempSync, statSync, readdirSync } from "fs";
 import { homedir, platform, tmpdir } from "os";
 import { join } from "path";
 import { execFileSync } from "child_process";
@@ -20,6 +20,12 @@ const KEYCHAIN_SERVICE = "slack-mcp-server";
 // Platform detection
 const IS_MACOS = platform() === 'darwin';
 
+// Default Chrome user-data dir on macOS
+const DEFAULT_CHROME_BASE = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+
+// Slack xoxc- token regex: 3 numeric segments then a hex signature
+const XOXC_TOKEN_RE = /xoxc-[0-9]+-[0-9]+-[0-9]+-[a-f0-9]{20,}/g;
+
 // Refresh lock to prevent concurrent extraction attempts
 let refreshInProgress = null;
 let lastExtractionError = null;
@@ -65,13 +71,45 @@ export function getFromFile() {
     return {
       token: data.SLACK_TOKEN,
       cookie: data.SLACK_COOKIE,
-      updatedAt: data.updated_at || data.UPDATED_AT || null
+      updatedAt: data.updated_at || data.UPDATED_AT || null,
+      lastAutoHealAttempt: data.last_auto_heal_attempt || null,
+      lastAutoHealError: data.last_auto_heal_error || null,
+      stuckSince: data.stuck_since || null
     };
   } catch (e) {
     return null;
   }
 }
 
+/**
+ * Persist auto-heal telemetry into the token file.
+ * Best-effort: silent on failure (tokens are more important than metadata).
+ * error === null indicates a successful auto-heal; any non-null string is an
+ * error code (e.g. "apple_events_javascript_disabled"). When the error code
+ * changes, stuck_since is reset; when it stays the same across attempts,
+ * stuck_since is preserved so downstream consumers can detect a long-running
+ * stuck state.
+ */
+export function saveAutoHealTelemetry({ attemptAt, error }) {
+  if (!existsSync(TOKEN_FILE)) return;
+  try {
+    const data = JSON.parse(readFileSync(TOKEN_FILE, "utf-8"));
+    data.last_auto_heal_attempt = attemptAt;
+    if (error) {
+      if (data.last_auto_heal_error !== error) {
+        data.stuck_since = attemptAt;
+      }
+      data.last_auto_heal_error = error;
+    } else {
+      data.last_auto_heal_error = null;
+      data.stuck_since = null;
+    }
+    atomicWriteSync(TOKEN_FILE, JSON.stringify(data, null, 2));
+  } catch (e) {
+    // Silent: telemetry must never break the auto-heal hot path.
+  }
+}
+
 /**
  * Atomic write to prevent file corruption from concurrent writes
  */
@@ -109,7 +147,65 @@ const SLACK_TOKEN_PATHS = [
   `window.boot_data?.api_token`,
 ];
 
-// Chrome profile directories to search (in priority order)
+// Fallback profile list used when Local State JSON can't be read
+const FALLBACK_CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3', 'Profile 4', 'Profile 5'];
+
+// ============ Chrome profile discovery ============
+
+/**
+ * Resolve the Chrome user-data directory.
+ * Override with SLACK_MCP_CHROME_USER_DATA_DIR for non-standard installations
+ * (e.g. a portable Chrome, a test profile, or a Chrome Canary layout).
+ */
+function getChromeBase() {
+  return process.env.SLACK_MCP_CHROME_USER_DATA_DIR || DEFAULT_CHROME_BASE;
+}
+
+/**
+ * Extraction mode config:
+ *   "auto"       - LevelDB first, AppleScript fallback (default)
+ *   "leveldb"    - On-disk only, never touch AppleScript (CI-safe, headless-safe)
+ *   "applescript"- Legacy AppleScript-only path
+ */
+function getExtractionMode() {
+  const mode = (process.env.SLACK_MCP_EXTRACTION_MODE || 'auto').toLowerCase();
+  return ['auto', 'leveldb', 'applescript'].includes(mode) ? mode : 'auto';
+}
+
+/**
+ * Enumerate all Chrome profiles present on this machine, newest cookie DB first.
+ * SLACK_MCP_CHROME_PROFILE can pin a single profile (exact directory name).
+ * Falls back to the legacy hardcoded list if Local State is unreadable.
+ */
+function enumerateChromeProfiles() {
+  const envProfile = process.env.SLACK_MCP_CHROME_PROFILE;
+  if (envProfile) return [envProfile];
+
+  const base = getChromeBase();
+  const localStatePath = join(base, 'Local State');
+
+  let profiles = [];
+  try {
+    const localState = JSON.parse(readFileSync(localStatePath, 'utf-8'));
+    profiles = Object.keys(localState.profile?.info_cache || {});
+  } catch {
+    profiles = [...FALLBACK_CHROME_PROFILES];
+  }
+
+  if (profiles.length === 0) profiles = [...FALLBACK_CHROME_PROFILES];
+
+  // Rank profiles by cookie-db mtime descending so the freshest Slack session wins.
+  const ranked = profiles.map(p => {
+    const cookiePath = join(base, p, 'Cookies');
+    let mtime = 0;
+    try { mtime = statSync(cookiePath).mtimeMs; } catch {}
+    return { name: p, mtime };
+  });
+  ranked.sort((a, b) => b.mtime - a.mtime);
+  return ranked.map(x => x.name);
+}
+
+// Chrome profile directories to search (legacy helper retained for back-compat)
 const CHROME_PROFILES = ['Default', 'Profile 1', 'Profile 2', 'Profile 3'];
 
 function normalizeExtractionError(error) {
@@ -155,76 +251,118 @@ function normalizeExtractionError(error) {
 }
 
 /**
- * Extract the Slack session cookie from Chrome's encrypted cookie database.
- * The `d` cookie is HttpOnly — JavaScript cannot access it via document.cookie.
- * This reads Chrome's SQLite cookie store and decrypts using the Keychain-stored key.
+ * Extract the Slack `d` cookie from a specific Chrome profile's cookie DB.
+ * Returns the decrypted xoxd- cookie string or null if this profile has no
+ * Slack session or decryption fails.
+ *
+ * Chrome holds a WAL lock on the live DB; we copy-then-query for safety.
  */
-function extractCookieFromChromeDB() {
-  const chromeBase = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome');
+function extractCookieForProfile(profileDir) {
+  const cookiesPath = join(profileDir, 'Cookies');
+  if (!existsSync(cookiesPath)) return null;
 
-  // Find the first profile with a Slack d cookie
-  for (const profile of CHROME_PROFILES) {
-    const cookiesPath = join(chromeBase, profile, 'Cookies');
-    if (!existsSync(cookiesPath)) continue;
+  const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
+  const tmpDb = join(tmpDir, 'Cookies');
+  try {
+    copyFileSync(cookiesPath, tmpDb);
 
-    // Copy DB to temp location (Chrome holds a WAL lock on the original)
-    const tmpDir = mkdtempSync(join(tmpdir(), 'slack-mcp-'));
-    const tmpDb = join(tmpDir, 'Cookies');
-    try {
-      copyFileSync(cookiesPath, tmpDb);
+    const queryResult = execFileSync('sqlite3', [
+      tmpDb,
+      "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
 
-      // Query for the encrypted d cookie
-      const queryResult = execFileSync('sqlite3', [
-        tmpDb,
-        "SELECT hex(encrypted_value) FROM cookies WHERE host_key LIKE '%.slack.com%' AND name = 'd' LIMIT 1;"
-      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
 
-      // Clean up temp files
-      try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+    if (!queryResult) return null;
 
-      if (!queryResult) continue;
+    const encrypted = Buffer.from(queryResult, 'hex');
+    if (encrypted.length < 4) return null;
 
-      // Convert hex back to buffer
-      const encrypted = Buffer.from(queryResult, 'hex');
-      if (encrypted.length < 4) continue;
+    // Chrome Safe Storage password (per-machine, stored in macOS Keychain)
+    const safeStoragePassword = execFileSync('security', [
+      'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
+    ], { encoding: 'utf-8', timeout: 5000 }).trim();
 
-      // Get Chrome Safe Storage password from Keychain
-      const safeStoragePassword = execFileSync('security', [
-        'find-generic-password', '-s', 'Chrome Safe Storage', '-w'
-      ], { encoding: 'utf-8', timeout: 5000 }).trim();
+    // macOS Chrome cookies: v10 prefix + AES-128-CBC
+    const prefix = encrypted.subarray(0, 3).toString('utf-8');
+    if (prefix !== 'v10') return null;
 
-      // Chrome macOS cookies: v10 prefix + AES-128-CBC
-      const prefix = encrypted.subarray(0, 3).toString('utf-8');
-      if (prefix !== 'v10') continue;
+    const ciphertext = encrypted.subarray(3);
+    const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
+    const iv = Buffer.alloc(16, ' ');
 
-      const ciphertext = encrypted.subarray(3);
+    const decipher = createDecipheriv('aes-128-cbc', key, iv);
+    let decrypted;
+    try {
+      decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    } catch {
+      return null;
+    }
 
-      // Derive key: PBKDF2-SHA1, 1003 iterations, salt 'saltysalt', 16-byte key
-      const key = pbkdf2Sync(safeStoragePassword, 'saltysalt', 1003, 16, 'sha1');
-      const iv = Buffer.alloc(16, ' '); // 16 space characters
+    const text = decrypted.toString('utf-8');
+    const xoxdIndex = text.indexOf('xoxd-');
+    if (xoxdIndex < 0) return null;
+    return text.substring(xoxdIndex);
+  } catch {
+    try { unlinkSync(tmpDb); unlinkSync(tmpDir); } catch {}
+    return null;
+  }
+}
 
-      const decipher = createDecipheriv('aes-128-cbc', key, iv);
-      let decrypted;
-      try {
-        decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-      } catch {
-        continue; // Decryption failed for this profile, try next
-      }
+/**
+ * Legacy helper: walk CHROME_PROFILES and return the first cookie found.
+ * Retained so existing callers that only want a cookie string keep working.
+ */
+function extractCookieFromChromeDB() {
+  const base = getChromeBase();
+  for (const profile of enumerateChromeProfiles()) {
+    const cookie = extractCookieForProfile(join(base, profile));
+    if (cookie) return cookie;
+  }
+  return null;
+}
 
-      // Find xoxd- in decrypted data (Chrome prepends internal metadata bytes)
-      const text = decrypted.toString('utf-8');
-      const xoxdIndex = text.indexOf('xoxd-');
-      if (xoxdIndex < 0) continue;
+/**
+ * Extract a Slack xoxc- token by reading the on-disk LevelDB for a profile.
+ * This is the preferred path:
+ *   - No AppleScript required
+ *   - No "Allow JavaScript from Apple Events" Chrome dev flag required
+ *   - No live Slack tab required — the token just has to have been cached
+ *     at some point during normal use
+ *   - Works headlessly, works in CI, works when Chrome is closed
+ *
+ * We scan .ldb and .log files newest-first so the freshest cached token wins.
+ */
+function extractTokenFromLevelDB(profileDir) {
+  const ldbDir = join(profileDir, 'Local Storage', 'leveldb');
+  if (!existsSync(ldbDir)) return null;
 
-      return text.substring(xoxdIndex);
-    } catch (e) {
-      // Clean up on error and try next profile
-      try { unlinkSync(tmpDb); } catch {}
-      try { unlinkSync(tmpDir); } catch {}
+  let files;
+  try {
+    files = readdirSync(ldbDir)
+      .filter(f => /\.(ldb|log)$/.test(f))
+      .map(f => {
+        const p = join(ldbDir, f);
+        let mtime = 0;
+        try { mtime = statSync(p).mtimeMs; } catch {}
+        return { path: p, mtime };
+      })
+      .sort((a, b) => b.mtime - a.mtime);
+  } catch {
+    return null;
+  }
+
+  for (const f of files) {
+    try {
+      // Binary encoding avoids UTF-8 re-interpretation of snappy-compressed blocks
+      const txt = readFileSync(f.path).toString('binary');
+      XOXC_TOKEN_RE.lastIndex = 0;
+      const matches = txt.match(XOXC_TOKEN_RE);
+      if (matches && matches.length) return matches[0];
+    } catch {
       continue;
     }
   }
-
   return null;
 }
 
@@ -272,11 +410,27 @@ end tell`;
 /**
  * Extract tokens from Chrome (macOS only).
  *
- * Token: AppleScript executes JS in Chrome to read localStorage (requires
- *   "Allow JavaScript from Apple Events" in Chrome > View > Developer).
- * Cookie: Reads Chrome's encrypted SQLite cookie database directly. The `d`
- *   session cookie is HttpOnly and cannot be accessed via document.cookie.
- *   Decryption uses the Chrome Safe Storage key from macOS Keychain.
+ * Two extraction paths:
+ *
+ *   1. LevelDB (preferred, default "auto" mode tries this first):
+ *      Cookie: Reads the encrypted SQLite cookie DB and decrypts with the
+ *              Chrome Safe Storage key from macOS Keychain.
+ *      Token:  Reads the on-disk LevelDB under Local Storage and regex-matches
+ *              any cached xoxc- token. Works without a live Slack tab, without
+ *              the AppleScript dev flag, and works when Chrome is closed.
+ *
+ *   2. AppleScript (legacy fallback, or forced with SLACK_MCP_EXTRACTION_MODE=applescript):
+ *      Cookie: Same SQLite-backed path.
+ *      Token:  Drives Chrome via AppleScript to run JS against localStorage.
+ *              Requires Chrome > View > Developer > "Allow JavaScript from
+ *              Apple Events" AND a live app.slack.com tab. Kept because it
+ *              grabs the token from whichever workspace is actually active
+ *              right now, which can differ from what's cached on disk.
+ *
+ * Environment overrides:
+ *   SLACK_MCP_CHROME_USER_DATA_DIR  - base Chrome dir (default ~/Library/Application Support/Google/Chrome)
+ *   SLACK_MCP_CHROME_PROFILE        - pin a single profile directory name
+ *   SLACK_MCP_EXTRACTION_MODE       - auto | leveldb | applescript
  */
 function extractFromChromeInternal() {
   lastExtractionError = null;
@@ -285,56 +439,85 @@ function extractFromChromeInternal() {
     lastExtractionError = {
       code: "unsupported_platform",
       message: "Chrome auto-extraction is only available on macOS.",
-      detail: "Use manual token setup on this platform."
+      detail: "Use manual token setup on this platform, or set SLACK_TOKEN and SLACK_COOKIE env vars."
     };
     return null;
   }
 
-  // Extract cookie from Chrome's encrypted cookie database
-  let cookie;
-  try {
-    cookie = extractCookieFromChromeDB();
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
-    return null;
-  }
+  const mode = getExtractionMode();
+  const base = getChromeBase();
+  const profiles = enumerateChromeProfiles();
 
-  if (!cookie) {
+  if (profiles.length === 0) {
     lastExtractionError = {
-      code: "cookie_not_found",
-      message: "Could not extract Slack session cookie from Chrome.",
-      detail: "Ensure you are logged into Slack at app.slack.com in Chrome."
+      code: "no_chrome_profiles",
+      message: "No Chrome profiles found.",
+      detail: `Looked under ${base}. Set SLACK_MCP_CHROME_USER_DATA_DIR if Chrome is installed elsewhere.`
     };
     return null;
   }
 
-  // Extract token via AppleScript (localStorage)
-  let token;
-  try {
-    token = extractTokenFromChrome();
-  } catch (e) {
-    lastExtractionError = normalizeExtractionError(e);
-    // If we got the cookie but not the token, give a specific error
-    if (cookie && !token) {
+  // --- Path 1: LevelDB (no AppleScript, no live tab needed) ---
+  if (mode === 'leveldb' || mode === 'auto') {
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      const token = extractTokenFromLevelDB(profileDir);
+      if (!token) continue;
+      return { token, cookie, profile: profileName, extraction_mode: 'leveldb' };
+    }
+
+    if (mode === 'leveldb') {
+      lastExtractionError = {
+        code: "leveldb_no_matching_profile",
+        message: "No Chrome profile had both a Slack cookie and a cached xoxc- token on disk.",
+        detail: `Profiles checked: ${profiles.join(', ')}. Open Slack in Chrome and sign in once, then retry. SLACK_MCP_CHROME_PROFILE can pin a specific profile.`
+      };
+      return null;
+    }
+    // Fall through to AppleScript
+  }
+
+  // --- Path 2: AppleScript + SQLite (legacy, requires live tab + dev flag) ---
+  if (mode === 'applescript' || mode === 'auto') {
+    let cookieSeen = null;
+    for (const profileName of profiles) {
+      const profileDir = join(base, profileName);
+      const cookie = extractCookieForProfile(profileDir);
+      if (!cookie) continue;
+      cookieSeen = cookie;
+
+      let token;
+      try {
+        token = extractTokenFromChrome();
+      } catch (e) {
+        lastExtractionError = normalizeExtractionError(e);
+        continue;
+      }
+      if (token) {
+        return { token, cookie, profile: profileName, extraction_mode: 'applescript' };
+      }
+    }
+
+    if (cookieSeen && !lastExtractionError) {
       lastExtractionError = {
         code: "apple_events_javascript_disabled",
-        message: "Cookie extracted, but token extraction requires a Chrome setting.",
-        detail: "In Chrome: View > Developer > Allow JavaScript from Apple Events. Then retry."
+        message: "Cookie extracted, but AppleScript could not read the Slack token from localStorage.",
+        detail: "Enable Chrome > View > Developer > Allow JavaScript from Apple Events, then retry. Or set SLACK_MCP_EXTRACTION_MODE=leveldb to skip AppleScript entirely."
       };
+      return null;
     }
-    return null;
   }
 
-  if (!token) {
+  if (!lastExtractionError) {
     lastExtractionError = {
-      code: "token_not_found",
-      message: "Could not extract Slack token from Chrome.",
-      detail: "Ensure a Slack workspace is open in Chrome (not just the landing page). If Chrome blocks AppleScript, enable View > Developer > Allow JavaScript from Apple Events."
+      code: "extraction_failed_all_paths",
+      message: "Could not extract Slack credentials via LevelDB or AppleScript.",
+      detail: `Profiles checked: ${profiles.join(', ')}. Ensure you are logged into Slack at app.slack.com in Chrome at least once.`
     };
-    return null;
   }
-
-  return { token, cookie };
+  return null;
 }
 
 /**
@@ -384,7 +567,10 @@ function getStoredTokens() {
       token: fileTokens.token,
       cookie: fileTokens.cookie,
       source: "file",
-      updatedAt: fileTokens.updatedAt
+      updatedAt: fileTokens.updatedAt,
+      lastAutoHealAttempt: fileTokens.lastAutoHealAttempt,
+      lastAutoHealError: fileTokens.lastAutoHealError,
+      stuckSince: fileTokens.stuckSince
     };
   }
 

package/lib/tools.js

@@ -399,5 +399,165 @@ export const TOOLS = [
       idempotentHint: true,
       openWorldHint: true
     }
+  },
+  // ============ Workflow Profile Primitives (OSS) ============
+  // Local JSON storage at ~/.slack-mcp-workflows.json. Defines the
+  // structural primitive that the hosted AI brain (smart_search,
+  // catch_me_up, triage) consumes to return structured JSON.
+  {
+    name: "slack_workflow_save",
+    description: "Save or update a workflow profile that binds a workflow_kind (support_inbox | incident_room | exec_brief | product_launch_watch | custom) to channels, priority people, retention mode, and summary cadence. Stored locally at ~/.slack-mcp-workflows.json. Hosted brain reads these to return structured JSON per the workflow_kind.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        profile_name: {
+          type: "string",
+          description: "Unique name for this workflow profile (e.g. 'morning-exec-brief', 'on-call-rotation')"
+        },
+        workflow_kind: {
+          type: "string",
+          enum: ["support_inbox", "incident_room", "exec_brief", "product_launch_watch", "custom"],
+          description: "Workflow kind. Determines structured JSON output shape from the hosted AI brain."
+        },
+        channels: {
+          type: "array",
+          items: { type: "string" },
+          description: "Slack channel IDs to read (e.g. ['C012345', 'C067890'])"
+        },
+        priority_people: {
+          type: "array",
+          items: { type: "string" },
+          description: "Slack user IDs whose messages get extra weight in summaries"
+        },
+        retention_mode: {
+          type: "string",
+          enum: ["ephemeral", "persistent"],
+          description: "Token retention mode for hosted execution. Default ephemeral."
+        },
+        summary_cadence: {
+          type: "string",
+          enum: ["on_demand", "daily_8am", "weekly_monday"],
+          description: "When the hosted brain auto-runs slack_catch_me_up against this profile. on_demand only on hosted free; daily_8am and weekly_monday require Pro or Team."
+        }
+      },
+      required: ["profile_name", "workflow_kind"]
+    },
+    annotations: {
+      title: "Save Workflow Profile",
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: false
+    }
+  },
+  {
+    name: "slack_workflows",
+    description: "List all saved workflow profiles from ~/.slack-mcp-workflows.json. Optionally filter by workflow_kind. Returns profile_name, channels, priority_people, retention_mode, summary_cadence, structured_keys, created_at, updated_at.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        workflow_kind: {
+          type: "string",
+          enum: ["support_inbox", "incident_room", "exec_brief", "product_launch_watch", "custom"],
+          description: "Optional filter — return only profiles of this workflow_kind"
+        }
+      }
+    },
+    annotations: {
+      title: "List Workflow Profiles",
+      readOnlyHint: true,
+      idempotentHint: true,
+      openWorldHint: false
+    }
+  },
+  // ============ Hosted-Only AI Tools (OSS = upgrade stubs) ============
+  // These tool definitions appear in every MCP client's tool list so users
+  // discover them. The OSS handlers return a structured upgrade message
+  // pointing at mcp.revasserlabs.com — the hosted worker actually runs them.
+  {
+    name: "slack_smart_search",
+    description: "Semantic + lexical hybrid search across your indexed Slack history. Returns ranked results with relevance scores, channel context, thread context, and matched terms. Hosted-only (requires Vectorize + Workers AI). Free tier ships 10 calls/month; upgrade to Pro $9/mo for unlimited at mcp.revasserlabs.com/pricing.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        query: {
+          type: "string",
+          description: "Natural language or keyword query (semantic + lexical hybrid)"
+        },
+        channel_ids: {
+          type: "array",
+          items: { type: "string" },
+          description: "Optional — restrict search to these channel IDs"
+        },
+        days_back: {
+          type: "number",
+          description: "Optional — restrict search to the last N days (max 90 on Pro+, 7 on Free)"
+        },
+        limit: {
+          type: "number",
+          description: "Maximum results to return (default 10, max 50)"
+        }
+      },
+      required: ["query"]
+    },
+    annotations: {
+      title: "Smart Search (hosted)",
+      readOnlyHint: true,
+      idempotentHint: true,
+      openWorldHint: true
+    }
+  },
+  {
+    name: "slack_catch_me_up",
+    description: "Run a structured catch-up against a saved workflow profile. Returns structured JSON per the profile's workflow_kind: support_inbox returns {open_threads, ack_lag, owner_gaps, escalations, next_actions}; incident_room returns {incident_summary, timeline, open_risks, owner_gaps, next_actions}; exec_brief returns {summary, decisions, risks, asks, action_items}; product_launch_watch returns {launch_signals, feedback_themes, blockers, metrics, next_actions}; custom returns {summary, highlights, open_questions, next_actions}. Hosted-only. Free tier ships 3 calls/month; Pro $9/mo unlocks unlimited (scheduled morning DM at 8am workspace tz rolling out Q2 2026).",
+    inputSchema: {
+      type: "object",
+      properties: {
+        profile_name: {
+          type: "string",
+          description: "Name of a workflow profile saved via slack_workflow_save (or use --apply-template at install time to seed one)"
+        },
+        since: {
+          type: "string",
+          description: "Optional ISO8601 timestamp — only consider Slack messages newer than this. Default: 24 hours ago for daily-cadence profiles, 7 days for weekly."
+        }
+      },
+      required: ["profile_name"]
+    },
+    annotations: {
+      title: "Catch Me Up (hosted)",
+      readOnlyHint: true,
+      idempotentHint: false,
+      openWorldHint: true
+    }
+  },
+  {
+    name: "slack_triage",
+    description: "Classify and route Slack threads against a workflow profile. Returns triage decisions per thread: priority (low|medium|high|urgent), suggested owner, escalation flag, time-sensitivity, and a routing recommendation. Hosted-only. Free tier ships 5 triage runs per day; Pro $9/mo unlocks unlimited.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        profile_name: {
+          type: "string",
+          description: "Name of a workflow profile saved via slack_workflow_save"
+        },
+        channel_ids: {
+          type: "array",
+          items: { type: "string" },
+          description: "Optional — restrict triage to these channels (defaults to profile's channels)"
+        },
+        thread_ts: {
+          type: "string",
+          description: "Optional — triage a specific thread instead of the full inbox"
+        }
+      },
+      required: ["profile_name"]
+    },
+    annotations: {
+      title: "Triage (hosted)",
+      readOnlyHint: true,
+      idempotentHint: false,
+      openWorldHint: true
+    }
   }
 ];