create-walle 0.4.1 → 0.4.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-walle",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Set up Wall-E — your personal digital twin",
   "bin": {
     "create-walle": "bin/create-walle.js"

package/template/README.md

@@ -56,16 +56,44 @@ The first run auto-creates `.env`, `wall-e-config.json`, and `~/.walle/data/`. F
 
 All configuration lives in `.env` (auto-generated on first run). Edit directly or use the browser setup page.
 
+### API Authentication
+
+Wall-E supports three ways to connect to Claude:
+
+**Option A: Direct Anthropic API key**
+```env
+ANTHROPIC_API_KEY=sk-ant-...
+```
+
+**Option B: Portkey / API gateway**
+```env
+ANTHROPIC_BASE_URL=https://your-gateway.example.com/v1
+ANTHROPIC_AUTH_TOKEN=sk-ant-api03-unused
+ANTHROPIC_CUSTOM_HEADERS_B64=<base64-encoded headers>
+```
+
+**Option C: Corporate devbox (auto-detected)**
+If you use `devbox ai -c claude`, Wall-E auto-reads your gateway credentials from `~/.devbox/secrets/claude/auth_headers` — no config needed.
+
+### Environment Variables
+
 | Variable | Required | Description |
 |---|---|---|
-| `ANTHROPIC_API_KEY` | Yes | Your Anthropic API key (set via browser setup) |
+| `ANTHROPIC_API_KEY` | Yes* | Anthropic API key or Portkey key |
+| `ANTHROPIC_BASE_URL` | No | API gateway URL (for Portkey, corporate proxies) |
+| `ANTHROPIC_AUTH_TOKEN` | No | Auth token when using a gateway |
+| `ANTHROPIC_CUSTOM_HEADERS_B64` | No | Base64-encoded custom headers (Portkey virtual keys, metadata) |
 | `WALLE_OWNER_NAME` | Auto | Your name (auto-detected from `git config`) |
+| `CTM_PORT` | No | Dashboard port (default: `3456`) |
+| `WALL_E_PORT` | No | Wall-E API port (default: `CTM_PORT + 1`) |
 | `WALL_E_DATA_DIR` | No | Data directory (default: `~/.walle/data`) |
 | `CTM_DATA_DIR` | No | CTM data directory (default: `~/.walle/data`) |
 | `SLACK_TOKEN` | No | Slack token (set via OAuth — click "Connect" in setup) |
 | `SLACK_OWNER_USER_ID` | No | Your Slack user ID |
 | `SLACK_OWNER_HANDLE` | No | Your Slack handle |
 
+*Not required if using a gateway (`ANTHROPIC_BASE_URL`) or devbox auto-detection.
+
 ## Bundled Skills
 
 Wall-E ships with skills that run on a schedule to keep your brain up to date:

package/template/claude-task-manager/server.js

@@ -107,26 +107,6 @@ const server = http.createServer((req, res) => {
     }
   }
 
-  // Slack OAuth callback (browser redirect — no auth token, must be before auth check)
-  if (url.pathname === '/api/slack/callback' && req.method === 'GET') {
-    try {
-      const slackMcp = require('../wall-e/tools/slack-mcp');
-      const code = url.searchParams.get('code');
-      const state = url.searchParams.get('state');
-      slackMcp.handleOAuthCallback(code, state).then(result => {
-        res.writeHead(200, { 'Content-Type': 'text/html' });
-        res.end(result.html);
-      }).catch(err => {
-        res.writeHead(500, { 'Content-Type': 'text/html' });
-        res.end('<html><body>OAuth error: ' + err.message + '</body></html>');
-      });
-    } catch (e) {
-      res.writeHead(500, { 'Content-Type': 'text/html' });
-      res.end('<html><body>Slack module not available: ' + e.message + '</body></html>');
-    }
-    return;
-  }
-
   // API routes
   if (url.pathname.startsWith('/api/')) {
     if (!isLocalhost(req)) {
@@ -311,34 +291,38 @@ function handleApi(req, res, url) {
         const apiKey = typeof data.api_key === 'string'
           ? data.api_key.replace(/[\r\n\s]/g, '').slice(0, 200)
           : '';
-        // Gateway config (corporate Portkey/cybertron setups)
-        const gw = data.gateway;
+        // Gateway config (corporate Portkey/cybertron setups) — sanitize values
+        let gw = null;
+        if (data.gateway && data.gateway.base_url) {
+          gw = {
+            base_url: String(data.gateway.base_url).replace(/[\r\n]/g, '').slice(0, 500),
+            auth_token: String(data.gateway.auth_token || 'sk-ant-api03-unused').replace(/[\r\n]/g, '').slice(0, 500),
+            custom_headers_b64: String(data.gateway.custom_headers_b64 || '').replace(/[\r\n\s]/g, '').slice(0, 2000),
+          };
+        }
         // Accept any non-empty key (Anthropic, Portkey, or other providers)
         const envPath = path.resolve(__dirname, '..', '.env');
         const lines = [];
-        // Read existing .env, strip lines we're about to replace
-        const stripPatterns = [/^#?\s*WALLE_OWNER_NAME=/, /^#?\s*ANTHROPIC_API_KEY=/, /^#?\s*ANTHROPIC_BASE_URL=/, /^#?\s*ANTHROPIC_AUTH_TOKEN=/, /^#?\s*ANTHROPIC_CUSTOM_HEADERS_B64=/];
+        // Build set of keys we're about to write
+        const keysToReplace = new Set();
+        if (ownerName) keysToReplace.add('WALLE_OWNER_NAME');
+        if (apiKey) keysToReplace.add('ANTHROPIC_API_KEY');
+        if (gw) { keysToReplace.add('ANTHROPIC_BASE_URL'); keysToReplace.add('ANTHROPIC_AUTH_TOKEN'); keysToReplace.add('ANTHROPIC_CUSTOM_HEADERS_B64'); }
+        // Read existing .env, keep lines that aren't being replaced
         try {
           const existing = fs.readFileSync(envPath, 'utf8');
           for (const line of existing.split('\n')) {
-            const shouldStrip = (apiKey || gw) && stripPatterns.some(p => p.test(line));
-            if (!shouldStrip || (!apiKey && !gw)) lines.push(line);
-            else if (!ownerName || !line.match(/WALLE_OWNER_NAME/)) {
-              // Only strip if we have a replacement
-              if (stripPatterns.some(p => p.test(line))) continue;
-              lines.push(line);
-            }
-          }
-          // Also strip owner name line if we have a new one
-          if (ownerName) {
-            const idx = lines.findIndex(l => /^#?\s*WALLE_OWNER_NAME=/.test(l));
-            if (idx >= 0) lines.splice(idx, 1);
+            const m = line.match(/^\s*#?\s*([A-Z_]+)\s*=/);
+            if (m && keysToReplace.has(m[1])) continue; // skip — will re-add below
+            lines.push(line);
           }
         } catch { lines.push('# Wall-E configuration'); lines.push(''); }
-        // Add values
+        // Strip trailing blank lines
+        while (lines.length > 0 && lines[lines.length - 1].trim() === '') lines.pop();
+        lines.push('');
+        // Add new values
         if (ownerName) {
-          const insertIdx = lines.findIndex(l => !l.startsWith('#') && l.trim() !== '') || lines.length;
-          lines.splice(insertIdx, 0, `WALLE_OWNER_NAME=${ownerName}`);
+          lines.push(`WALLE_OWNER_NAME=${ownerName}`);
           process.env.WALLE_OWNER_NAME = ownerName;
         }
         if (gw) {

package/template/docs/site/guides/configuration.md

@@ -1,4 +1,3 @@
-# Configuration
 
 Wall-E is configured through environment variables (`.env` file) and a JSON config file.
 
@@ -10,43 +9,74 @@ Copy `.env.example` to `.env` at the project root:
 cp .env.example .env
 ```
 
-### Required
+### API Authentication
 
-| Variable | Description |
-|---|---|
-| `ANTHROPIC_API_KEY` | Your Anthropic API key. Required for Wall-E chat, think/reflect loops, and agent-mode skills. |
-| `WALLE_OWNER_NAME` | Your full name. Used in system prompts and memory attribution. |
+Wall-E needs access to the Claude API. Three options:
 
-### Data Storage
+**Option A: Direct Anthropic API key**
 
-| Variable | Default | Description |
-|---|---|---|
-| `WALL_E_DATA_DIR` | `~/.walle/data` | Directory for Wall-E's brain database and backups |
-| `CTM_DATA_DIR` | `~/.walle/data` | Directory for CTM's database, images, and backups |
+The simplest setup — get a key from [console.anthropic.com](https://console.anthropic.com/settings/keys):
 
-### Slack Integration {#slack}
+```env
+ANTHROPIC_API_KEY=sk-ant-...
+```
 
-| Variable | Description |
-|---|---|
-| `SLACK_TOKEN` | Slack user or bot token (starts with `xoxb-` or `xoxp-`) |
-| `SLACK_BOT_TOKEN` | Slack bot token (for DM channel) |
-| `SLACK_OWNER_USER_ID` | Your Slack user ID (e.g., `U0XXXXXXXX`). Used to detect message direction. |
-| `SLACK_OWNER_HANDLE` | Your Slack handle (e.g., `your.name`). Used in search queries. |
+**Option B: Portkey / API gateway**
 
-### API Gateway
+For teams using [Portkey](https://portkey.ai) or a corporate API gateway:
 
-| Variable | Description |
-|---|---|
-| `ANTHROPIC_BASE_URL` | Override API endpoint (e.g., for Portkey gateway) |
-| `ANTHROPIC_CUSTOM_HEADERS_B64` | Base64-encoded JSON headers for the gateway |
+```env
+ANTHROPIC_BASE_URL=https://your-gateway.example.com/v1
+ANTHROPIC_AUTH_TOKEN=your-portkey-api-key
+ANTHROPIC_CUSTOM_HEADERS_B64=<base64-encoded custom headers>
+```
+
+The custom headers carry your Portkey virtual key, provider config, and metadata. Encode them as base64:
+
+```bash
+echo -n 'x-portkey-api-key: YOUR_KEY
+x-portkey-provider: anthropic
+x-portkey-virtual-key: YOUR_VIRTUAL_KEY' | base64
+```
+
+**Option C: Corporate devbox (auto-detected)**
+
+If your company manages Claude Code via devbox (`devbox ai -c claude`), Wall-E auto-reads the gateway credentials from `~/.devbox/secrets/claude/auth_headers` on startup. No configuration needed.
+
+### Core Settings
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `ANTHROPIC_API_KEY` | Yes* | — | Anthropic API key or Portkey key |
+| `ANTHROPIC_BASE_URL` | No | — | API gateway URL (Portkey, corporate proxies) |
+| `ANTHROPIC_AUTH_TOKEN` | No | — | Auth token when using a gateway |
+| `ANTHROPIC_CUSTOM_HEADERS_B64` | No | — | Base64-encoded custom headers (Portkey virtual keys) |
+| `WALLE_OWNER_NAME` | Auto | from `git config` | Your full name |
+
+*Not required if using a gateway or devbox auto-detection.
 
 ### Server
 
 | Variable | Default | Description |
 |---|---|---|
-| `CTM_PORT` | `3456` | CTM HTTP server port |
-| `CTM_HOST` | `127.0.0.1` | CTM bind address |
-| `WALL_E_PORT` | `3457` | Wall-E standalone HTTP port (when running separately) |
+| `CTM_PORT` | `3456` | Dashboard port |
+| `WALL_E_PORT` | `CTM_PORT + 1` | Wall-E API port |
+| `CTM_HOST` | `127.0.0.1` | Bind address |
+
+### Data Storage
+
+| Variable | Default | Description |
+|---|---|---|
+| `WALL_E_DATA_DIR` | `~/.walle/data` | Wall-E's brain database and backups |
+| `CTM_DATA_DIR` | `~/.walle/data` | CTM's database, images, and backups |
+
+### Slack Integration {#slack}
+
+| Variable | Description |
+|---|---|
+| `SLACK_TOKEN` | Slack user or bot token (set via OAuth in the setup page) |
+| `SLACK_OWNER_USER_ID` | Your Slack user ID (e.g., `U0XXXXXXXX`) — for message direction detection |
+| `SLACK_OWNER_HANDLE` | Your Slack handle (e.g., `your.name`) — for search queries |
 
 ## Wall-E Config File
 

package/template/docs/site/src/content/docs/guides/configuration.md

@@ -14,43 +14,74 @@ Copy `.env.example` to `.env` at the project root:
 cp .env.example .env
 ```
 
-### Required
+### API Authentication
 
-| Variable | Description |
-|---|---|
-| `ANTHROPIC_API_KEY` | Your Anthropic API key. Required for Wall-E chat, think/reflect loops, and agent-mode skills. |
-| `WALLE_OWNER_NAME` | Your full name. Used in system prompts and memory attribution. |
+Wall-E needs access to the Claude API. Three options:
 
-### Data Storage
+**Option A: Direct Anthropic API key**
 
-| Variable | Default | Description |
-|---|---|---|
-| `WALL_E_DATA_DIR` | `~/.walle/data` | Directory for Wall-E's brain database and backups |
-| `CTM_DATA_DIR` | `~/.walle/data` | Directory for CTM's database, images, and backups |
+The simplest setup — get a key from [console.anthropic.com](https://console.anthropic.com/settings/keys):
 
-### Slack Integration {#slack}
+```env
+ANTHROPIC_API_KEY=sk-ant-...
+```
 
-| Variable | Description |
-|---|---|
-| `SLACK_TOKEN` | Slack user or bot token (starts with `xoxb-` or `xoxp-`) |
-| `SLACK_BOT_TOKEN` | Slack bot token (for DM channel) |
-| `SLACK_OWNER_USER_ID` | Your Slack user ID (e.g., `U0XXXXXXXX`). Used to detect message direction. |
-| `SLACK_OWNER_HANDLE` | Your Slack handle (e.g., `your.name`). Used in search queries. |
+**Option B: Portkey / API gateway**
 
-### API Gateway
+For teams using [Portkey](https://portkey.ai) or a corporate API gateway:
 
-| Variable | Description |
-|---|---|
-| `ANTHROPIC_BASE_URL` | Override API endpoint (e.g., for Portkey gateway) |
-| `ANTHROPIC_CUSTOM_HEADERS_B64` | Base64-encoded JSON headers for the gateway |
+```env
+ANTHROPIC_BASE_URL=https://your-gateway.example.com/v1
+ANTHROPIC_AUTH_TOKEN=your-portkey-api-key
+ANTHROPIC_CUSTOM_HEADERS_B64=<base64-encoded custom headers>
+```
+
+The custom headers carry your Portkey virtual key, provider config, and metadata. Encode them as base64:
+
+```bash
+echo -n 'x-portkey-api-key: YOUR_KEY
+x-portkey-provider: anthropic
+x-portkey-virtual-key: YOUR_VIRTUAL_KEY' | base64
+```
+
+**Option C: Corporate devbox (auto-detected)**
+
+If your company manages Claude Code via devbox (`devbox ai -c claude`), Wall-E auto-reads the gateway credentials from `~/.devbox/secrets/claude/auth_headers` on startup. No configuration needed.
+
+### Core Settings
+
+| Variable | Required | Default | Description |
+|---|---|---|---|
+| `ANTHROPIC_API_KEY` | Yes* | — | Anthropic API key or Portkey key |
+| `ANTHROPIC_BASE_URL` | No | — | API gateway URL (Portkey, corporate proxies) |
+| `ANTHROPIC_AUTH_TOKEN` | No | — | Auth token when using a gateway |
+| `ANTHROPIC_CUSTOM_HEADERS_B64` | No | — | Base64-encoded custom headers (Portkey virtual keys) |
+| `WALLE_OWNER_NAME` | Auto | from `git config` | Your full name |
+
+*Not required if using a gateway or devbox auto-detection.
 
 ### Server
 
 | Variable | Default | Description |
 |---|---|---|
-| `CTM_PORT` | `3456` | CTM HTTP server port |
-| `CTM_HOST` | `127.0.0.1` | CTM bind address |
-| `WALL_E_PORT` | `3457` | Wall-E standalone HTTP port (when running separately) |
+| `CTM_PORT` | `3456` | Dashboard port |
+| `WALL_E_PORT` | `CTM_PORT + 1` | Wall-E API port |
+| `CTM_HOST` | `127.0.0.1` | Bind address |
+
+### Data Storage
+
+| Variable | Default | Description |
+|---|---|---|
+| `WALL_E_DATA_DIR` | `~/.walle/data` | Wall-E's brain database and backups |
+| `CTM_DATA_DIR` | `~/.walle/data` | CTM's database, images, and backups |
+
+### Slack Integration {#slack}
+
+| Variable | Description |
+|---|---|
+| `SLACK_TOKEN` | Slack user or bot token (set via OAuth in the setup page) |
+| `SLACK_OWNER_USER_ID` | Your Slack user ID (e.g., `U0XXXXXXXX`) — for message direction detection |
+| `SLACK_OWNER_HANDLE` | Your Slack handle (e.g., `your.name`) — for search queries |
 
 ## Wall-E Config File
 

package/template/wall-e/api-walle.js

@@ -213,8 +213,12 @@ function handleWalleApi(req, res, url) {
         jsonResponse(res, { ok: true, already: true });
         return true;
       }
-      // Start OAuth — opens browser, callback handled by CTM server route
-      slackMcp.authenticate();
+      // Start OAuth — opens browser, temp server on port 3118 handles callback
+      slackMcp.authenticate().then(() => {
+        console.log('[wall-e] Slack OAuth completed');
+      }).catch(err => {
+        console.error('[wall-e] Slack OAuth failed:', err.message);
+      });
       jsonResponse(res, { ok: true, pending: true });
     } catch (e) {
       jsonResponse(res, { error: e.message }, 500);

package/template/wall-e/brain.js

@@ -13,6 +13,33 @@ try {
   });
 } catch {}
 
+// Auto-detect corporate Claude Code gateway (devbox) if not already configured.
+// The devbox `claude` wrapper stores auth headers at ~/.devbox/secrets/claude/auth_headers
+// but only injects them as env vars when running `claude` directly.
+// This lets Wall-E use the same gateway when started from a regular terminal.
+// Skip if already configured with real credentials; detect if missing or only has dummy token
+const _hasRealKey = process.env.ANTHROPIC_API_KEY && process.env.ANTHROPIC_API_KEY !== 'sk-ant-api03-unused';
+if (!process.env.ANTHROPIC_CUSTOM_HEADERS_B64 && !_hasRealKey) {
+  try {
+    const _authFile = path.join(process.env.HOME, '.devbox', 'secrets', 'claude', 'auth_headers');
+    const _headers = fs.readFileSync(_authFile, 'utf8').trim();
+    if (_headers) {
+      process.env.ANTHROPIC_CUSTOM_HEADERS_B64 = Buffer.from(_headers).toString('base64');
+      if (!process.env.ANTHROPIC_CUSTOM_HEADERS) process.env.ANTHROPIC_CUSTOM_HEADERS = _headers;
+      if (!process.env.ANTHROPIC_AUTH_TOKEN) process.env.ANTHROPIC_AUTH_TOKEN = 'sk-ant-api03-unused';
+      // Detect gateway URL from devbox claude wrapper
+      if (!process.env.ANTHROPIC_BASE_URL) {
+        try {
+          const _claudeScript = fs.readFileSync(path.join(process.env.HOME, '.devbox', 'ai', 'claude', 'claude'), 'utf8');
+          const _vpnMatch = _claudeScript.match(/VPN_CHECK_URL="(https?:\/\/[^"]+)"/);
+          if (_vpnMatch) process.env.ANTHROPIC_BASE_URL = _vpnMatch[1] + '/v1';
+        } catch {}
+      }
+      console.log('[brain] Auto-detected devbox Claude gateway auth');
+    }
+  } catch {}
+}
+
 const DATA_DIR = process.env.WALL_E_DATA_DIR || path.join(process.env.HOME, '.walle', 'data');
 const DEFAULT_DB_PATH = path.join(DATA_DIR, 'wall-e-brain.db');
 const BACKUP_DIR = path.join(DATA_DIR, 'backups');

package/template/wall-e/tools/slack-mcp.js

@@ -6,15 +6,10 @@ const path = require('path');
 
 const SLACK_MCP_URL = 'https://mcp.slack.com/mcp';
 const CLIENT_ID = '1601185624273.8899143856786';
+const CALLBACK_PORT = 3118; // Must match Slack's registered redirect_uri for this client_id
+const CALLBACK_URL = `http://localhost:${CALLBACK_PORT}/callback`;
 const TOKEN_FILE = path.join(process.env.HOME, '.claude', 'wall-e-slack-token.json');
 
-// OAuth callback is handled by CTM server at /api/slack/callback
-// so it works on whatever port CTM is running on (no separate server needed).
-function getCallbackUrl() {
-  const port = process.env.CTM_PORT || '3456';
-  return `http://localhost:${port}/api/slack/callback`;
-}
-
 // ── Token persistence ──
 
 function loadToken() {
@@ -43,15 +38,15 @@ function generatePKCE() {
   return { verifier, challenge };
 }
 
-// Pending OAuth state (set during authenticate, consumed by handleOAuthCallback)
-let _pendingOAuth = null;
-
 /**
- * Start OAuth flow: opens browser, callback handled by CTM server.
- * Returns immediately — the token is saved when CTM receives the callback.
+ * Start OAuth flow: spins up a temporary callback server on port 3118
+ * (the registered redirect_uri for this Slack client_id), opens browser,
+ * and waits for Slack to redirect back with the auth code.
+ *
+ * The server runs inside the same Node process as CTM, so EDR/antivirus
+ * won't flag it as a new suspicious process.
  */
-function authenticate() {
-  // Check if we already have a valid token
+async function authenticate() {
   const existing = loadToken();
   if (existing && existing.access_token) {
     return existing.access_token;
@@ -59,89 +54,87 @@ function authenticate() {
 
   const { verifier, challenge } = generatePKCE();
   const state = crypto.randomBytes(16).toString('hex');
-  const redirectUri = getCallbackUrl();
-
-  _pendingOAuth = { verifier, state, redirectUri, createdAt: Date.now() };
-
-  const scopes = 'search:read.public,search:read.private,search:read.mpim,search:read.im,search:read.files,search:read.users,chat:write,channels:history,groups:history,mpim:history,im:history,canvases:read,users:read,users:read.email';
-  const authUrl = `https://slack.com/oauth/v2_user/authorize?client_id=${CLIENT_ID}&scope=${encodeURIComponent(scopes)}&redirect_uri=${encodeURIComponent(redirectUri)}&state=${state}&code_challenge=${challenge}&code_challenge_method=S256`;
-
-  console.log('[slack-mcp] Opening browser for Slack OAuth...');
-  console.log('[slack-mcp] Callback URL:', redirectUri);
-
-  const { execFile } = require('child_process');
-  execFile('open', [authUrl], (err) => {
-    if (err) console.error('[slack-mcp] Failed to open browser:', err.message);
-  });
-
-  return null; // Token not yet available — will be set by callback
-}
-
-/**
- * Handle the OAuth callback from Slack (called by CTM server route).
- * Returns { ok, html } or { error, html }.
- */
-async function handleOAuthCallback(code, returnedState) {
-  if (!_pendingOAuth) {
-    return { error: 'No pending OAuth flow. Click "Connect" again.', html: errorPage('No pending OAuth flow. Go back and click Connect again.') };
-  }
-
-  // Expire after 10 minutes
-  if (Date.now() - _pendingOAuth.createdAt > 600000) {
-    _pendingOAuth = null;
-    return { error: 'OAuth flow expired.', html: errorPage('OAuth flow expired. Go back and click Connect again.') };
-  }
-
-  if (returnedState !== _pendingOAuth.state) {
-    _pendingOAuth = null;
-    return { error: 'State mismatch.', html: errorPage('OAuth state mismatch. Please try again.') };
-  }
-
-  if (!code) {
-    _pendingOAuth = null;
-    return { error: 'No code.', html: errorPage('No authorization code received from Slack.') };
-  }
 
-  try {
-    const tokenResp = await fetch('https://slack.com/api/oauth.v2.user.access', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-      body: new URLSearchParams({
-        client_id: CLIENT_ID,
-        code,
-        code_verifier: _pendingOAuth.verifier,
-        redirect_uri: _pendingOAuth.redirectUri,
-      }),
+  return new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error('OAuth flow timed out (5min). Click Connect again.'));
+    }, 300000);
+
+    const server = http.createServer(async (req, res) => {
+      const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
+      if (url.pathname !== '/callback') { res.writeHead(404); res.end(); return; }
+
+      const code = url.searchParams.get('code');
+      const returnedState = url.searchParams.get('state');
+
+      if (returnedState !== state) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(errorPage('OAuth state mismatch. Please try again.'));
+        clearTimeout(timeout); server.close(); reject(new Error('State mismatch')); return;
+      }
+      if (!code) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(errorPage('No authorization code received.'));
+        clearTimeout(timeout); server.close(); reject(new Error('No code')); return;
+      }
+
+      try {
+        const tokenResp = await fetch('https://slack.com/api/oauth.v2.user.access', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+          body: new URLSearchParams({ client_id: CLIENT_ID, code, code_verifier: verifier, redirect_uri: CALLBACK_URL }),
+        });
+        const tokenData = await tokenResp.json();
+        if (!tokenData.ok) throw new Error(tokenData.error);
+
+        const tokenInfo = {
+          access_token: tokenData.access_token || tokenData.authed_user?.access_token,
+          refresh_token: tokenData.refresh_token,
+          team_id: tokenData.team?.id || tokenData.team_id,
+          team_name: tokenData.team?.name,
+          user_id: tokenData.user_id || tokenData.authed_user?.id,
+          scope: tokenData.scope || tokenData.authed_user?.scope,
+          obtained_at: new Date().toISOString(),
+        };
+        saveToken(tokenInfo);
+
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(successPage());
+        clearTimeout(timeout); server.close();
+        console.log('[slack-mcp] OAuth completed — team:', tokenInfo.team_name);
+        resolve(tokenInfo.access_token);
+      } catch (err) {
+        res.writeHead(200, { 'Content-Type': 'text/html' });
+        res.end(errorPage('Token exchange failed: ' + err.message));
+        clearTimeout(timeout); server.close(); reject(err);
+      }
     });
-    const tokenData = await tokenResp.json();
 
-    _pendingOAuth = null;
+    server.listen(CALLBACK_PORT, () => {
+      const scopes = 'search:read.public,search:read.private,search:read.mpim,search:read.im,search:read.files,search:read.users,chat:write,channels:history,groups:history,mpim:history,im:history,canvases:read,users:read,users:read.email';
+      const authUrl = `https://slack.com/oauth/v2_user/authorize?client_id=${CLIENT_ID}&scope=${encodeURIComponent(scopes)}&redirect_uri=${encodeURIComponent(CALLBACK_URL)}&state=${state}&code_challenge=${challenge}&code_challenge_method=S256`;
+      console.log('[slack-mcp] OAuth callback listening on port', CALLBACK_PORT);
 
-    if (!tokenData.ok) {
-      return { error: tokenData.error, html: errorPage('Slack OAuth error: ' + tokenData.error) };
-    }
+      const { execFile } = require('child_process');
+      execFile('open', [authUrl], (err) => {
+        if (err) console.error('[slack-mcp] Failed to open browser:', err.message);
+      });
+    });
 
-    const tokenInfo = {
-      access_token: tokenData.access_token || tokenData.authed_user?.access_token,
-      refresh_token: tokenData.refresh_token,
-      team_id: tokenData.team?.id || tokenData.team_id,
-      team_name: tokenData.team?.name,
-      user_id: tokenData.user_id || tokenData.authed_user?.id,
-      scope: tokenData.scope || tokenData.authed_user?.scope,
-      obtained_at: new Date().toISOString(),
-    };
-    saveToken(tokenInfo);
-
-    console.log('[slack-mcp] OAuth completed — team:', tokenInfo.team_name);
-    return { ok: true, html: successPage() };
-  } catch (err) {
-    _pendingOAuth = null;
-    return { error: err.message, html: errorPage('Token exchange failed: ' + err.message) };
-  }
+    server.on('error', (err) => {
+      clearTimeout(timeout);
+      if (err.code === 'EADDRINUSE') {
+        reject(new Error(`Port ${CALLBACK_PORT} is in use. Close any other OAuth flows and try again.`));
+      } else {
+        reject(new Error('OAuth callback server failed: ' + err.message));
+      }
+    });
+  });
 }
 
 function successPage() {
-  return '<html><body style="font-family:system-ui;text-align:center;padding:60px;background:#0d1117;color:#e6edf3"><h2 style="color:#3fb950">Wall-E connected to Slack!</h2><p style="color:#8b949e">You can close this tab and return to the setup page.</p></body></html>';
+  return '<html><body style="font-family:system-ui;text-align:center;padding:60px;background:#0d1117;color:#e6edf3"><h2 style="color:#3fb950">Wall-E connected to Slack!</h2><p style="color:#8b949e">You can close this tab.</p></body></html>';
 }
 
 function errorPage(msg) {
@@ -282,4 +275,4 @@ if (require.main === module) {
   }
 }
 
-module.exports = { authenticate, handleOAuthCallback, callSlackMcp, listSlackTools, isAuthenticated, loadToken, clearToken };
+module.exports = { authenticate, callSlackMcp, listSlackTools, isAuthenticated, loadToken, clearToken };