k-linkedin-mcp 0.1.0 → 0.2.1

package/.gitlab-ci.yml

@@ -1,15 +1,11 @@
 # linkedin-mcp — GitLab CI/CD Pipeline
-# Stages: test → build image → deploy to homelab
+# test: shared runner (bun image)
+# deploy: homelab runner (runs directly on the server — no SSH needed)
 
 stages:
   - test
-  - build
   - deploy
 
-variables:
-  IMAGE_NAME: registry.gitlab.com/kpihx-labs/linkedin-mcp
-  CONTAINER_NAME: linkedin_mcp
-
 # ── Test ──────────────────────────────────────────────────────────────────────
 
 test:
@@ -18,61 +14,48 @@ test:
   script:
     - bun install --frozen-lockfile
     - bun test
-  coverage: '/\d+ pass/'
-  artifacts:
-    reports:
-      junit: test-results.xml
-    when: always
-    expire_in: 7 days
   rules:
     - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
     - if: '$CI_COMMIT_BRANCH == "main"'
     - if: '$CI_COMMIT_BRANCH == "develop"'
 
-# ── Build Docker image ────────────────────────────────────────────────────────
-
-build:
-  stage: build
-  image: docker:27
-  services:
-    - docker:27-dind
-  before_script:
-    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
-  script:
-    - docker build -t $IMAGE_NAME:$CI_COMMIT_SHORT_SHA -t $IMAGE_NAME:latest .
-    - docker push $IMAGE_NAME:$CI_COMMIT_SHORT_SHA
-    - docker push $IMAGE_NAME:latest
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-
 # ── Deploy to Homelab ─────────────────────────────────────────────────────────
 
 deploy:
   stage: deploy
-  image: alpine:3.20
-  before_script:
-    - apk add --no-cache openssh-client
-    - mkdir -p ~/.ssh
-    - echo "$HOMELAB_SSH_KEY" > ~/.ssh/id_ed25519
-    - chmod 600 ~/.ssh/id_ed25519
-    - ssh-keyscan -H $HOMELAB_HOST >> ~/.ssh/known_hosts
+  tags:
+    - homelab
+  only:
+    - main
+  needs:
+    - test
   script:
+    - echo "Deploying linkedin-mcp to the homelab..."
+    - cd deploy
+    - echo "LINKEDIN_CLIENT_ID=$LINKEDIN_CLIENT_ID"                         > .env
+    - echo "LINKEDIN_CLIENT_SECRET=$LINKEDIN_CLIENT_SECRET"                >> .env
+    - echo "TELEGRAM_LINKEDIN_HOMELAB_TOKEN=$TELEGRAM_LINKEDIN_HOMELAB_TOKEN" >> .env
+    - echo "TELEGRAM_CHAT_IDS=$TELEGRAM_CHAT_IDS"                          >> .env
+    - echo "LINKEDIN_MCP_HTTP_HOST=0.0.0.0"                                >> .env
+    - echo "LINKEDIN_MCP_HTTP_PORT=8095"                                   >> .env
+    - echo "LINKEDIN_MCP_HTTP_PATH=/mcp"                                   >> .env
+    - echo "LINKEDIN_MCP_PUBLIC_URL=https://linkedin.kpihx-labs.com"       >> .env
+    - echo "LINKEDIN_STATE_DIR=/data/state"                                >> .env
+    - docker compose -p linkedin-mcp config -q
+    - docker rm -f linkedin-mcp || true
+    - docker compose -p linkedin-mcp up -d --build --remove-orphans
     - |
-      ssh -i ~/.ssh/id_ed25519 kpihx@$HOMELAB_HOST "
-        echo '$CI_REGISTRY_PASSWORD' | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
-        docker pull $IMAGE_NAME:latest
-        cd ~/stacks/linkedin-mcp && docker compose pull && docker compose up -d --remove-orphans
-        docker image prune -f
-      "
-  environment:
-    name: homelab
-    url: https://linkedin.kpihx-labs.com
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-  needs: [build]
-
-# ── Variables to define in GitLab CI/CD Settings → Variables ─────────────────
-# HOMELAB_SSH_KEY    — private SSH key for homelab deploy user (masked, protected)
-# HOMELAB_HOST       — homelab IP/hostname reachable from CI runner (masked)
-# CI_REGISTRY_USER   — GitLab container registry user (auto)
-# CI_REGISTRY_PASSWORD — GitLab registry password / deploy token (masked)
+      for attempt in $(seq 1 20); do
+        status="$(docker inspect --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}starting{{end}}' linkedin-mcp 2>/dev/null || true)"
+        if [ "$status" = "healthy" ]; then
+          break
+        fi
+        if [ "$status" = "unhealthy" ]; then
+          docker logs --tail 200 linkedin-mcp
+          exit 1
+        fi
+        sleep 3
+      done
+    - docker inspect --format '{{.State.Health.Status}}' linkedin-mcp | grep -qx healthy
+    - docker exec linkedin-mcp bun -e "fetch('http://127.0.0.1:8095/health').then(r=>{if(!r.ok)process.exit(1);console.log('health OK')}).catch(()=>process.exit(1))"
+    - docker image prune -f

package/CHANGELOG.md

@@ -2,6 +2,35 @@
 
 ---
 
+## [0.2.1] — 2026-03-22
+
+### Fixed
+- [x] `setAccessToken` now async with best-effort `GET /v2/userinfo` — populates `member_id`, `name`, `email` in token.json (required for posting tools that call `_memberUrn()`)
+- [x] Status CLI display: `State dir` instead of `Admin env file` path
+- [x] Redirect URI dynamically computed from port override in `runOAuthFlow` (was using hardcoded `config.oauth.redirect_uri`)
+
+### Added
+- [x] linkedin-mcp registered in Codex (`~/.codex/config.toml`), Copilot (`~/.copilot/mcp-config.json`), Vibe (`~/.vibe/config.toml`) — HTTP primary + stdio fallback
+
+---
+
+## [0.2.0] — 2026-03-22
+
+### Added
+- [x] Unified credential management — CLI, HTTP, Telegram: `client-id set/unset`, `client-secret set/unset`, `token set/unset`
+- [x] Admin env file pattern (`LINKEDIN_ADMIN_ENV_FILE`, default `/data/linkedin-admin.env`) — persists credentials across restarts
+- [x] `auth --port N` option to avoid `EADDRINUSE` (default port moved to 3001 via `config.json`)
+- [x] OAuth callback port externalized to `config.json` (DEFAULTS remain 3000 as last-resort fallback only)
+- [x] New HTTP POST routes: `/admin/{client-id,client-secret,token}/{set,unset}`
+- [x] New Telegram commands: `/token_set`, `/token_unset`, `/client_id_set`, `/client_id_unset`, `/client_secret_set`, `/client_secret_unset`
+- [x] Status table: shows `LINKEDIN_CLIENT_ID`, `LINKEDIN_CLIENT_SECRET`, `OAuth Token` — Telegram token removed
+- [x] 61 tests (18 new) — all pass
+
+### Fixed
+- [x] `TELEGRAM_LINKEDIN_TOKEN` → `TELEGRAM_LINKEDIN_HOMELAB_TOKEN` reference in HTTP status handler
+
+---
+
 ## [0.1.0] — 2026-03-22
 
 ### Added
@@ -12,5 +41,5 @@
 - [x] Token lifecycle management — 60-day expiry tracking, `tokenSummary` with days_left
 - [x] Test suite — 41 tests, 5 files, 0 live API calls (mocked fetch + temp dirs)
 - [x] Docker image (`oven/bun:1-slim`) + `deploy/docker-compose.yml` with Traefik labels
-- [x] GitLab CI — test → build → deploy pipeline
+- [x] GitLab CI — test → deploy pipeline (homelab runner, no SSH)
 - [x] Editable install via `bun link`

package/Dockerfile

@@ -16,6 +16,7 @@ RUN chmod +x /app/src/main.js /app/src/admin.js /app/src/admin/cli.js \
 
 ENV NODE_ENV=production
 ENV LINKEDIN_STATE_DIR=/data/state
+ENV LINKEDIN_ADMIN_ENV_FILE=/data/linkedin-admin.env
 ENV LINKEDIN_MCP_HTTP_HOST=0.0.0.0
 ENV LINKEDIN_MCP_HTTP_PORT=8095
 ENV LINKEDIN_MCP_HTTP_PATH=/mcp

package/PRIVACY.md

@@ -0,0 +1,36 @@
+# Privacy Policy — linkedin-mcp
+
+**Last updated: 2026-03-22**
+
+## Overview
+
+`linkedin-mcp` is a personal tool used exclusively by its author (KpihX / Ivann KAMDEM).
+It is not a public service and has no end-users other than the author.
+
+## Data collected
+
+This application does **not** collect, store, or share any personal data from third parties.
+
+The only data persisted is:
+
+- **LinkedIn OAuth token** — stored locally on the author's own infrastructure (`~/.mcps/linkedin/token.json`), containing the access token, expiry date, and the author's own LinkedIn member ID, name, and email. This data is never transmitted to any third party.
+- **Admin logs** — operational log lines (auth events, command invocations) stored locally in `~/.mcps/linkedin/linkedin-admin.log`. These logs are never transmitted externally.
+
+## LinkedIn API usage
+
+This application uses the official LinkedIn OAuth 2.0 API with the following scopes:
+
+- `openid` — identity verification
+- `profile` — read own profile
+- `email` — read own email
+- `w_member_social` — post, like, and comment as the authenticated member
+
+All API calls are made exclusively on behalf of the authenticated member (the author) to their own LinkedIn account.
+
+## Third-party services
+
+No analytics, tracking, telemetry, or third-party SDKs are included.
+
+## Contact
+
+For any questions: [GitHub](https://github.com/KpihX/linkedin-mcp)

package/README.md

@@ -34,29 +34,30 @@ linkedin-mcp/
 │   ├── http_app.js      ← Express HTTP app: /health /admin/* /mcp
 │   ├── .env.example     ← required secrets template
 │   └── admin/
-│       ├── cli.js       ← Commander CLI (auth / status / logout / logs / health / urls / guide)
-│       ├── service.js   ← shared text helpers (statusSummaryText, healthSummaryText, …)
-│       ├── oauth.js     ← LinkedIn OAuth 2.0 + OIDC flow
-│       └── telegram.js  ← optional Telegram bot admin
+│       ├── cli.js       ← Commander CLI (auth / status / logout / logs / health / urls
+│       │                               / client-id / client-secret / token)
+│       ├── service.js   ← unified admin kernel — single source of truth for all surfaces
+│       ├── oauth.js     ← LinkedIn OAuth 2.0 + OIDC flow (configurable callback port)
+│       └── telegram.js  ← optional Telegram bot admin (15 commands)
 ├── tools/
 │   ├── registry.js      ← listTools() + callTool()
 │   ├── guide.js         ← linkedin_guide
 │   ├── profile.js       ← linkedin_get_profile, linkedin_auth_status
 │   ├── posts.js         ← linkedin_create_post, linkedin_create_image_post, linkedin_delete_post
 │   └── social.js        ← linkedin_like_post, linkedin_create_comment
-├── tests/               ← bun test (41 tests, 0 deps on live API)
+├── tests/               ← bun test (61 tests, 0 deps on live API)
 ├── deploy/
 │   ├── docker-compose.yml
 │   └── docker-compose.override.example.yml
 ├── Dockerfile
 ├── .gitlab-ci.yml
-└── config.json          ← non-secret defaults (port 8095, state dir, scopes)
+└── config.json          ← non-secret defaults (port 8095, OAuth port 3001, state dir, scopes)
 ```
 
 **Transport strategy:**
 
 ```
-Agent / Claude / Gemini
+Agent / Claude / Gemini / Codex / Copilot / Vibe
          │
          ├─── HTTP (homelab) ──→  https://linkedin.kpihx-labs.com/mcp   (primary)
          └─── stdio (local)  ──→  ~/.bun/bin/linkedin-mcp serve         (fallback)
@@ -84,37 +85,59 @@ Agent / Claude / Gemini
 ### CLI (`linkedin-admin`)
 
 ```bash
-linkedin-admin auth          # Run OAuth flow — opens browser, saves token
-linkedin-admin status        # Token status + profile
-linkedin-admin status --json # Machine-readable JSON
-linkedin-admin logout        # Clear saved token
-linkedin-admin logs --lines 50
-linkedin-admin health        # HTTP server reachability
-linkedin-admin urls          # All public/private endpoints
-linkedin-admin guide         # Full help text
+# Authentication
+linkedin-admin auth [--port N]     # OAuth flow — opens browser, saves token (default port 3001)
+linkedin-admin token set <value>   # Set access token directly (fetches profile, no browser)
+linkedin-admin token unset         # Clear stored token (same as logout)
+linkedin-admin logout              # Clear stored token
+
+# Credential management (stored in admin env file)
+linkedin-admin client-id set <v>   # Set LINKEDIN_CLIENT_ID
+linkedin-admin client-id unset     # Clear LINKEDIN_CLIENT_ID
+linkedin-admin client-secret set <v>
+linkedin-admin client-secret unset
+
+# Status & observability
+linkedin-admin status              # Credentials table + token summary
+linkedin-admin status --json       # Machine-readable JSON
+linkedin-admin logs [--lines 50]   # Tail admin log
+linkedin-admin health              # HTTP server reachability
+linkedin-admin urls                # All public/private endpoints
 ```
 
 ### HTTP admin
 
-| Endpoint | Description |
-|----------|-------------|
-| `GET /health` | Liveness probe |
-| `GET /admin/status` | Token status + Telegram runtime state |
-| `GET /admin/help` | All commands reference |
-| `GET /admin/logs?lines=50` | Recent admin log tail |
-| `POST /mcp` | MCP Streamable HTTP transport |
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/health` | GET | Liveness probe |
+| `/admin/status` | GET | Full runtime status (token + Telegram state) |
+| `/admin/help` | GET | All commands reference |
+| `/admin/logs?lines=50` | GET | Recent admin log tail |
+| `/admin/client-id/set` | POST | Body: `{ "value": "..." }` |
+| `/admin/client-id/unset` | POST | Clear LINKEDIN_CLIENT_ID |
+| `/admin/client-secret/set` | POST | Body: `{ "value": "..." }` |
+| `/admin/client-secret/unset` | POST | Clear LINKEDIN_CLIENT_SECRET |
+| `/admin/token/set` | POST | Body: `{ "value": "..." }` — sets token + fetches profile |
+| `/admin/token/unset` | POST | Clear stored token |
+| `/mcp` | POST/GET/DELETE | MCP Streamable HTTP transport |
 
 ### Telegram bot (optional)
 
-Set `TELEGRAM_LINKEDIN_TOKEN` + `TELEGRAM_CHAT_IDS` and the server polls every 5 s.
+Set `TELEGRAM_LINKEDIN_HOMELAB_TOKEN` + `TELEGRAM_CHAT_IDS` — server polls every 5 s.
 
 | Command | Action |
 |---------|--------|
 | `/start` `/help` | Full command reference |
-| `/status` | Token + service status |
+| `/status` | Credentials + token status |
 | `/health` | HTTP server health |
 | `/urls` | Endpoint map |
 | `/logs [n]` | Last n admin log lines (default 20) |
+| `/token_set <value>` | Set access token (fetches profile) |
+| `/token_unset` | Clear stored token |
+| `/client_id_set <value>` | Set LINKEDIN_CLIENT_ID |
+| `/client_id_unset` | Clear LINKEDIN_CLIENT_ID |
+| `/client_secret_set <value>` | Set LINKEDIN_CLIENT_SECRET |
+| `/client_secret_unset` | Clear LINKEDIN_CLIENT_SECRET |
 
 ---
 
@@ -124,14 +147,21 @@ Set `TELEGRAM_LINKEDIN_TOKEN` + `TELEGRAM_CHAT_IDS` and the server polls every 5
 
 1. Go to [LinkedIn Developer Portal](https://developer.linkedin.com)
 2. Create an app → add products: **"Sign In with LinkedIn using OpenID Connect"** + **"Share on LinkedIn"**
-3. Set redirect URI: `http://localhost:3000/callback`
+3. Set redirect URI: `http://localhost:3001/callback`
 4. Note `Client ID` and `Client Secret`
 
 ### 2. Configure secrets
 
 ```bash
-cp src/.env.example .env
+# Option A — via admin CLI (written to admin env file)
+linkedin-admin client-id set <your_client_id>
+linkedin-admin client-secret set <your_client_secret>
+
+# Option B — via .env file
+cp src/.env.example src/.env
 # Fill in LINKEDIN_CLIENT_ID and LINKEDIN_CLIENT_SECRET
+
+# Option C — via bw-env / kshrc (injected at login shell)
 ```
 
 ### 3. Install & authenticate
@@ -140,8 +170,14 @@ cp src/.env.example .env
 bun install
 bun link              # editable install: ~/.bun/bin/linkedin-mcp + linkedin-admin
 
-linkedin-admin auth   # opens browser → authorizes → saves token
-linkedin-admin status # verify token is valid
+# Full OAuth flow (browser consent)
+linkedin-admin auth   # default port 3001
+linkedin-admin auth --port 3002  # if 3001 is busy
+
+# Or set access token directly (server/headless contexts)
+linkedin-admin token set <your_access_token>
+
+linkedin-admin status # verify credentials and token
 ```
 
 ### 4. Start MCP server
@@ -159,9 +195,9 @@ linkedin-mcp serve-http
 ## Docker / Homelab deployment
 
 ```bash
-cp deploy/docker-compose.yml docker-compose.yml
-cp deploy/docker-compose.override.example.yml docker-compose.override.yml
-# Edit docker-compose.override.yml with your secrets
+cd deploy
+cp docker-compose.override.example.yml docker-compose.override.yml
+# Edit override with your secrets (or rely on CI env injection)
 
 docker compose up -d
 ```
@@ -170,6 +206,10 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 - `https://linkedin.kpihx-labs.com` (primary private trusted route)
 - `https://linkedin.homelab` (fallback)
 
+The container persists all state in `/data` (Docker volume):
+- `/data/state/token.json` — OAuth token
+- `/data/linkedin-admin.env` — credentials written by `token set` / `client-id set`
+
 ---
 
 ## Agent registration
@@ -192,11 +232,9 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 ```json
 {
   "name": "linkedin-mcp",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "mcpServers": {
-    "linkedin-mcp": {
-      "httpUrl": "https://linkedin.kpihx-labs.com/mcp"
-    },
+    "linkedin-mcp": { "httpUrl": "https://linkedin.kpihx-labs.com/mcp" },
     "linkedin-mcp--fallback": {
       "command": "/home/kpihx/.bun/bin/linkedin-mcp",
       "args": ["serve"]
@@ -205,12 +243,49 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 }
 ```
 
+### Codex (`~/.codex/config.toml`)
+
+```toml
+[mcp_servers.linkedin_mcp]
+url = "https://linkedin.kpihx-labs.com/mcp"
+
+[mcp_servers.linkedin_mcp_fallback]
+command = "/home/kpihx/.bun/bin/linkedin-mcp"
+args = ["serve"]
+```
+
+### Copilot (`~/.copilot/mcp-config.json`)
+
+```json
+"linkedin_mcp": { "type": "http", "url": "https://linkedin.kpihx-labs.com/mcp" },
+"linkedin_mcp_fallback": {
+  "type": "stdio",
+  "command": "/home/kpihx/.bun/bin/linkedin-mcp",
+  "args": ["serve"]
+}
+```
+
+### Vibe (`~/.vibe/config.toml`)
+
+```toml
+[[mcp_servers]]
+name = "linkedin"
+transport = "http"
+url = "https://linkedin.kpihx-labs.com/mcp"
+
+[[mcp_servers]]
+name = "linkedin_fallback"
+transport = "stdio"
+command = "/home/kpihx/.bun/bin/linkedin-mcp"
+args = ["serve"]
+```
+
 ---
 
 ## Tests
 
 ```bash
-bun test           # 41 tests, 5 files, 0 live API calls
+bun test           # 61 tests, 5 files, 0 live API calls
 bun test --watch   # watch mode
 ```
 
@@ -223,11 +298,14 @@ All tests use mocked `fetch` and temp directories — no credentials needed.
 LinkedIn personal OAuth tokens expire in **60 days**. There is no refresh token for non-Partner apps.
 
 ```
-Day 0   →  linkedin-admin auth   (OAuth flow, browser consent)
-Day 55+ →  linkedin-admin status  (shows days_left, warns if < 7)
+Day 0   →  linkedin-admin auth          (OAuth flow, browser consent)
+           OR  linkedin-admin token set  (direct token, headless/server)
+Day 55+ →  linkedin-admin status        (shows days_left)
 Day 60  →  token invalid, re-run auth
 ```
 
+Both flows produce a complete `token.json` with `member_id` populated — required for all posting tools.
+
 ---
 
 ## License

package/config.json

@@ -8,8 +8,8 @@
     "fallback_base_url": "https://linkedin.homelab"
   },
   "oauth": {
-    "redirect_port": 3000,
-    "redirect_uri": "http://localhost:3000/callback",
+    "redirect_port": 3001,
+    "redirect_uri": "http://localhost:3001/callback",
     "scopes": ["openid", "profile", "email", "w_member_social"]
   },
   "logging": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "k-linkedin-mcp",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "MCP server for LinkedIn — intent-first posting, profile management, and professional networking over stdio and HTTP.",
   "main": "src/main.js",
   "bin": {

package/src/.env.example

@@ -7,8 +7,8 @@ LINKEDIN_CLIENT_SECRET=your_client_secret_here
 # LINKEDIN_ACCESS_TOKEN=your_access_token_here
 
 # Optional: Telegram admin bot
-# TELEGRAM_LINKEDIN_TOKEN=your_bot_token_here   (from @BotFather)
-# TELEGRAM_CHAT_IDS=123456789,987654321         (comma-separated chat IDs)
+# TELEGRAM_LINKEDIN_HOMELAB_TOKEN=your_bot_token_here   (from @BotFather)
+# TELEGRAM_CHAT_IDS=123456789,987654321                 (comma-separated chat IDs)
 
 # Optional server overrides
 # LINKEDIN_MCP_HTTP_HOST=0.0.0.0