k-linkedin-mcp 0.2.0 → 0.2.1

package/CHANGELOG.md

@@ -2,21 +2,35 @@
 
 ---
 
+## [0.2.1] — 2026-03-22
+
+### Fixed
+- [x] `setAccessToken` now async with best-effort `GET /v2/userinfo` — populates `member_id`, `name`, `email` in token.json (required for posting tools that call `_memberUrn()`)
+- [x] Status CLI display: `State dir` instead of `Admin env file` path
+- [x] Redirect URI dynamically computed from port override in `runOAuthFlow` (was using hardcoded `config.oauth.redirect_uri`)
+
+### Added
+- [x] linkedin-mcp registered in Codex (`~/.codex/config.toml`), Copilot (`~/.copilot/mcp-config.json`), Vibe (`~/.vibe/config.toml`) — HTTP primary + stdio fallback
+
+---
+
 ## [0.2.0] — 2026-03-22
 
 ### Added
 - [x] Unified credential management — CLI, HTTP, Telegram: `client-id set/unset`, `client-secret set/unset`, `token set/unset`
 - [x] Admin env file pattern (`LINKEDIN_ADMIN_ENV_FILE`, default `/data/linkedin-admin.env`) — persists credentials across restarts
 - [x] `auth --port N` option to avoid `EADDRINUSE` (default port moved to 3001 via `config.json`)
-- [x] OAuth callback port externalized to `config.json` (not hardcoded — DEFAULTS remain 3000 as last-resort fallback)
+- [x] OAuth callback port externalized to `config.json` (DEFAULTS remain 3000 as last-resort fallback only)
 - [x] New HTTP POST routes: `/admin/{client-id,client-secret,token}/{set,unset}`
 - [x] New Telegram commands: `/token_set`, `/token_unset`, `/client_id_set`, `/client_id_unset`, `/client_secret_set`, `/client_secret_unset`
-- [x] Status table cleaned: shows `LINKEDIN_CLIENT_ID`, `LINKEDIN_CLIENT_SECRET`, `OAuth Token` — Telegram token removed
+- [x] Status table: shows `LINKEDIN_CLIENT_ID`, `LINKEDIN_CLIENT_SECRET`, `OAuth Token` — Telegram token removed
 - [x] 61 tests (18 new) — all pass
 
 ### Fixed
 - [x] `TELEGRAM_LINKEDIN_TOKEN` → `TELEGRAM_LINKEDIN_HOMELAB_TOKEN` reference in HTTP status handler
 
+---
+
 ## [0.1.0] — 2026-03-22
 
 ### Added
@@ -27,5 +41,5 @@
 - [x] Token lifecycle management — 60-day expiry tracking, `tokenSummary` with days_left
 - [x] Test suite — 41 tests, 5 files, 0 live API calls (mocked fetch + temp dirs)
 - [x] Docker image (`oven/bun:1-slim`) + `deploy/docker-compose.yml` with Traefik labels
-- [x] GitLab CI — test → build → deploy pipeline
+- [x] GitLab CI — test → deploy pipeline (homelab runner, no SSH)
 - [x] Editable install via `bun link`

package/README.md

@@ -34,29 +34,30 @@ linkedin-mcp/
 │   ├── http_app.js      ← Express HTTP app: /health /admin/* /mcp
 │   ├── .env.example     ← required secrets template
 │   └── admin/
-│       ├── cli.js       ← Commander CLI (auth / status / logout / logs / health / urls / guide)
-│       ├── service.js   ← shared text helpers (statusSummaryText, healthSummaryText, …)
-│       ├── oauth.js     ← LinkedIn OAuth 2.0 + OIDC flow
-│       └── telegram.js  ← optional Telegram bot admin
+│       ├── cli.js       ← Commander CLI (auth / status / logout / logs / health / urls
+│       │                               / client-id / client-secret / token)
+│       ├── service.js   ← unified admin kernel — single source of truth for all surfaces
+│       ├── oauth.js     ← LinkedIn OAuth 2.0 + OIDC flow (configurable callback port)
+│       └── telegram.js  ← optional Telegram bot admin (15 commands)
 ├── tools/
 │   ├── registry.js      ← listTools() + callTool()
 │   ├── guide.js         ← linkedin_guide
 │   ├── profile.js       ← linkedin_get_profile, linkedin_auth_status
 │   ├── posts.js         ← linkedin_create_post, linkedin_create_image_post, linkedin_delete_post
 │   └── social.js        ← linkedin_like_post, linkedin_create_comment
-├── tests/               ← bun test (41 tests, 0 deps on live API)
+├── tests/               ← bun test (61 tests, 0 deps on live API)
 ├── deploy/
 │   ├── docker-compose.yml
 │   └── docker-compose.override.example.yml
 ├── Dockerfile
 ├── .gitlab-ci.yml
-└── config.json          ← non-secret defaults (port 8095, state dir, scopes)
+└── config.json          ← non-secret defaults (port 8095, OAuth port 3001, state dir, scopes)
 ```
 
 **Transport strategy:**
 
 ```
-Agent / Claude / Gemini
+Agent / Claude / Gemini / Codex / Copilot / Vibe
          │
          ├─── HTTP (homelab) ──→  https://linkedin.kpihx-labs.com/mcp   (primary)
          └─── stdio (local)  ──→  ~/.bun/bin/linkedin-mcp serve         (fallback)
@@ -84,37 +85,59 @@ Agent / Claude / Gemini
 ### CLI (`linkedin-admin`)
 
 ```bash
-linkedin-admin auth          # Run OAuth flow — opens browser, saves token
-linkedin-admin status        # Token status + profile
-linkedin-admin status --json # Machine-readable JSON
-linkedin-admin logout        # Clear saved token
-linkedin-admin logs --lines 50
-linkedin-admin health        # HTTP server reachability
-linkedin-admin urls          # All public/private endpoints
-linkedin-admin guide         # Full help text
+# Authentication
+linkedin-admin auth [--port N]     # OAuth flow — opens browser, saves token (default port 3001)
+linkedin-admin token set <value>   # Set access token directly (fetches profile, no browser)
+linkedin-admin token unset         # Clear stored token (same as logout)
+linkedin-admin logout              # Clear stored token
+
+# Credential management (stored in admin env file)
+linkedin-admin client-id set <v>   # Set LINKEDIN_CLIENT_ID
+linkedin-admin client-id unset     # Clear LINKEDIN_CLIENT_ID
+linkedin-admin client-secret set <v>
+linkedin-admin client-secret unset
+
+# Status & observability
+linkedin-admin status              # Credentials table + token summary
+linkedin-admin status --json       # Machine-readable JSON
+linkedin-admin logs [--lines 50]   # Tail admin log
+linkedin-admin health              # HTTP server reachability
+linkedin-admin urls                # All public/private endpoints
 ```
 
 ### HTTP admin
 
-| Endpoint | Description |
-|----------|-------------|
-| `GET /health` | Liveness probe |
-| `GET /admin/status` | Token status + Telegram runtime state |
-| `GET /admin/help` | All commands reference |
-| `GET /admin/logs?lines=50` | Recent admin log tail |
-| `POST /mcp` | MCP Streamable HTTP transport |
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/health` | GET | Liveness probe |
+| `/admin/status` | GET | Full runtime status (token + Telegram state) |
+| `/admin/help` | GET | All commands reference |
+| `/admin/logs?lines=50` | GET | Recent admin log tail |
+| `/admin/client-id/set` | POST | Body: `{ "value": "..." }` |
+| `/admin/client-id/unset` | POST | Clear LINKEDIN_CLIENT_ID |
+| `/admin/client-secret/set` | POST | Body: `{ "value": "..." }` |
+| `/admin/client-secret/unset` | POST | Clear LINKEDIN_CLIENT_SECRET |
+| `/admin/token/set` | POST | Body: `{ "value": "..." }` — sets token + fetches profile |
+| `/admin/token/unset` | POST | Clear stored token |
+| `/mcp` | POST/GET/DELETE | MCP Streamable HTTP transport |
 
 ### Telegram bot (optional)
 
-Set `TELEGRAM_LINKEDIN_TOKEN` + `TELEGRAM_CHAT_IDS` and the server polls every 5 s.
+Set `TELEGRAM_LINKEDIN_HOMELAB_TOKEN` + `TELEGRAM_CHAT_IDS` — server polls every 5 s.
 
 | Command | Action |
 |---------|--------|
 | `/start` `/help` | Full command reference |
-| `/status` | Token + service status |
+| `/status` | Credentials + token status |
 | `/health` | HTTP server health |
 | `/urls` | Endpoint map |
 | `/logs [n]` | Last n admin log lines (default 20) |
+| `/token_set <value>` | Set access token (fetches profile) |
+| `/token_unset` | Clear stored token |
+| `/client_id_set <value>` | Set LINKEDIN_CLIENT_ID |
+| `/client_id_unset` | Clear LINKEDIN_CLIENT_ID |
+| `/client_secret_set <value>` | Set LINKEDIN_CLIENT_SECRET |
+| `/client_secret_unset` | Clear LINKEDIN_CLIENT_SECRET |
 
 ---
 
@@ -124,14 +147,21 @@ Set `TELEGRAM_LINKEDIN_TOKEN` + `TELEGRAM_CHAT_IDS` and the server polls every 5
 
 1. Go to [LinkedIn Developer Portal](https://developer.linkedin.com)
 2. Create an app → add products: **"Sign In with LinkedIn using OpenID Connect"** + **"Share on LinkedIn"**
-3. Set redirect URI: `http://localhost:3000/callback`
+3. Set redirect URI: `http://localhost:3001/callback`
 4. Note `Client ID` and `Client Secret`
 
 ### 2. Configure secrets
 
 ```bash
-cp src/.env.example .env
+# Option A — via admin CLI (written to admin env file)
+linkedin-admin client-id set <your_client_id>
+linkedin-admin client-secret set <your_client_secret>
+
+# Option B — via .env file
+cp src/.env.example src/.env
 # Fill in LINKEDIN_CLIENT_ID and LINKEDIN_CLIENT_SECRET
+
+# Option C — via bw-env / kshrc (injected at login shell)
 ```
 
 ### 3. Install & authenticate
@@ -140,8 +170,14 @@ cp src/.env.example .env
 bun install
 bun link              # editable install: ~/.bun/bin/linkedin-mcp + linkedin-admin
 
-linkedin-admin auth   # opens browser → authorizes → saves token
-linkedin-admin status # verify token is valid
+# Full OAuth flow (browser consent)
+linkedin-admin auth   # default port 3001
+linkedin-admin auth --port 3002  # if 3001 is busy
+
+# Or set access token directly (server/headless contexts)
+linkedin-admin token set <your_access_token>
+
+linkedin-admin status # verify credentials and token
 ```
 
 ### 4. Start MCP server
@@ -159,9 +195,9 @@ linkedin-mcp serve-http
 ## Docker / Homelab deployment
 
 ```bash
-cp deploy/docker-compose.yml docker-compose.yml
-cp deploy/docker-compose.override.example.yml docker-compose.override.yml
-# Edit docker-compose.override.yml with your secrets
+cd deploy
+cp docker-compose.override.example.yml docker-compose.override.yml
+# Edit override with your secrets (or rely on CI env injection)
 
 docker compose up -d
 ```
@@ -170,6 +206,10 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 - `https://linkedin.kpihx-labs.com` (primary private trusted route)
 - `https://linkedin.homelab` (fallback)
 
+The container persists all state in `/data` (Docker volume):
+- `/data/state/token.json` — OAuth token
+- `/data/linkedin-admin.env` — credentials written by `token set` / `client-id set`
+
 ---
 
 ## Agent registration
@@ -192,11 +232,9 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 ```json
 {
   "name": "linkedin-mcp",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "mcpServers": {
-    "linkedin-mcp": {
-      "httpUrl": "https://linkedin.kpihx-labs.com/mcp"
-    },
+    "linkedin-mcp": { "httpUrl": "https://linkedin.kpihx-labs.com/mcp" },
     "linkedin-mcp--fallback": {
       "command": "/home/kpihx/.bun/bin/linkedin-mcp",
       "args": ["serve"]
@@ -205,12 +243,49 @@ Traefik labels in `deploy/docker-compose.yml` expose:
 }
 ```
 
+### Codex (`~/.codex/config.toml`)
+
+```toml
+[mcp_servers.linkedin_mcp]
+url = "https://linkedin.kpihx-labs.com/mcp"
+
+[mcp_servers.linkedin_mcp_fallback]
+command = "/home/kpihx/.bun/bin/linkedin-mcp"
+args = ["serve"]
+```
+
+### Copilot (`~/.copilot/mcp-config.json`)
+
+```json
+"linkedin_mcp": { "type": "http", "url": "https://linkedin.kpihx-labs.com/mcp" },
+"linkedin_mcp_fallback": {
+  "type": "stdio",
+  "command": "/home/kpihx/.bun/bin/linkedin-mcp",
+  "args": ["serve"]
+}
+```
+
+### Vibe (`~/.vibe/config.toml`)
+
+```toml
+[[mcp_servers]]
+name = "linkedin"
+transport = "http"
+url = "https://linkedin.kpihx-labs.com/mcp"
+
+[[mcp_servers]]
+name = "linkedin_fallback"
+transport = "stdio"
+command = "/home/kpihx/.bun/bin/linkedin-mcp"
+args = ["serve"]
+```
+
 ---
 
 ## Tests
 
 ```bash
-bun test           # 41 tests, 5 files, 0 live API calls
+bun test           # 61 tests, 5 files, 0 live API calls
 bun test --watch   # watch mode
 ```
 
@@ -223,11 +298,14 @@ All tests use mocked `fetch` and temp directories — no credentials needed.
 LinkedIn personal OAuth tokens expire in **60 days**. There is no refresh token for non-Partner apps.
 
 ```
-Day 0   →  linkedin-admin auth   (OAuth flow, browser consent)
-Day 55+ →  linkedin-admin status  (shows days_left, warns if < 7)
+Day 0   →  linkedin-admin auth          (OAuth flow, browser consent)
+           OR  linkedin-admin token set  (direct token, headless/server)
+Day 55+ →  linkedin-admin status        (shows days_left)
 Day 60  →  token invalid, re-run auth
 ```
 
+Both flows produce a complete `token.json` with `member_id` populated — required for all posting tools.
+
 ---
 
 ## License

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "k-linkedin-mcp",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "MCP server for LinkedIn — intent-first posting, profile management, and professional networking over stdio and HTTP.",
   "main": "src/main.js",
   "bin": {

package/src/admin/cli.js

@@ -25,7 +25,6 @@ const { loadConfig, resolveEnv, ENV_VARS } = require("../config");
 const { tokenSummary, clearToken }         = require("../token");
 const { runOAuthFlow }                     = require("./oauth");
 const {
-  adminEnvFilePath,
   adminHelpText,
   appendAdminLog,
   getLogsText,
@@ -34,6 +33,7 @@ const {
   setAccessToken,
   setClientId,
   setClientSecret,
+  stateDir,
   statusSummaryText,
   unsetAccessToken,
   unsetClientId,
@@ -178,7 +178,7 @@ program
     }
 
     console.log();
-    console.log(`Admin env file : ${adminEnvFilePath()}`);
+    console.log(`State dir : ${stateDir()}`);
     console.log();
 
     // Credentials table
@@ -297,8 +297,8 @@ const tokenCmd = program
 tokenCmd
   .command("set <value>")
   .description("Set access token directly (bypasses OAuth flow, 60-day default expiry).")
-  .action((value) => {
-    setAccessToken(value);
+  .action(async (value) => {
+    await setAccessToken(value);
     console.log("\nAccess token set successfully. linkedin-mcp is ready.\n");
   });
 

package/src/admin/service.js

@@ -124,11 +124,27 @@ function unsetClientSecret() {
 
 /**
  * Persist an access token directly (bypasses OAuth flow).
- * Writes to token.json with a 60-day default expiry.
+ * Does a best-effort GET /v2/userinfo to populate member_id, name, email
+ * in token.json — required for posting tools. If the fetch fails (bad token
+ * or no network), the token is still saved without profile info.
  */
-function setAccessToken(value) {
-  const config = loadConfig();
-  saveToken(config, { access_token: value, expires_in: 5184000 });
+async function setAccessToken(value) {
+  const config    = loadConfig();
+  const tokenData = { access_token: value, expires_in: 5184000 };
+
+  try {
+    const res = await fetch("https://api.linkedin.com/v2/userinfo", {
+      headers: { Authorization: `Bearer ${value}` },
+    });
+    if (res.ok) {
+      const profile = await res.json();
+      if (profile.sub)   tokenData.member_id = profile.sub;
+      if (profile.name)  tokenData.name      = profile.name;
+      if (profile.email) tokenData.email     = profile.email;
+    }
+  } catch { /* best-effort only — token is saved regardless */ }
+
+  saveToken(config, tokenData);
   appendAdminLog(`token set (${_maskValue(value)})`);
 }
 

package/src/admin/telegram.js

@@ -105,7 +105,7 @@ async function dispatchTelegramCommand(command, args) {
   if (command === "/token_set") {
     const value = args[0];
     if (!value) return "Usage: /token_set <access_token>";
-    setAccessToken(value);
+    await setAccessToken(value);
     return "Access token set successfully. linkedin-mcp is ready.";
   }
 

package/src/http_app.js

@@ -162,10 +162,10 @@ function adminClientSecretUnsetHandler() {
 }
 
 function adminTokenSetHandler() {
-  return (req, res) => {
+  return async (req, res) => {
     const { value } = req.body || {};
     if (!value) return res.status(400).json({ ok: false, error: "Missing 'value' in request body" });
-    setAccessToken(String(value));
+    await setAccessToken(String(value));
     res.json({ ok: true, action: "token set" });
   };
 }

package/tests/admin_service.test.js

@@ -161,16 +161,16 @@ describe("credential management (setClientSecret / unsetClientSecret)", () => {
 });
 
 describe("credential management (setAccessToken / unsetAccessToken)", () => {
-  test("setAccessToken writes token.json", () => {
-    setAccessToken("my-test-access-token");
+  test("setAccessToken writes token.json", async () => {
+    await setAccessToken("my-test-access-token");
     const tokenPath = require("path").join(TEST_STATE_DIR, "token.json");
     expect(fs.existsSync(tokenPath)).toBe(true);
     const data = JSON.parse(fs.readFileSync(tokenPath, "utf-8"));
     expect(data.access_token).toBe("my-test-access-token");
   });
 
-  test("unsetAccessToken removes token.json", () => {
-    setAccessToken("temp-token");
+  test("unsetAccessToken removes token.json", async () => {
+    await setAccessToken("temp-token");
     unsetAccessToken();
     const tokenPath = require("path").join(TEST_STATE_DIR, "token.json");
     expect(fs.existsSync(tokenPath)).toBe(false);

package/tests/telegram.test.js

@@ -138,7 +138,7 @@ describe("dispatchTelegramCommand — credential management", () => {
   });
 
   test("/token_unset clears the access token", async () => {
-    await dispatchTelegramCommand("/token_set", ["temp-token"]);
+    await dispatchTelegramCommand("/token_set", ["temp-token"]); // network fails gracefully
     const reply = await dispatchTelegramCommand("/token_unset", []);
     expect(reply).toContain("cleared");
     const tokenPath = path.join(TEST_STATE_DIR, "token.json");