slack-max-api-mcp 1.0.6 → 1.0.8

package/.env.example

@@ -25,6 +25,10 @@ SLACK_CLIENT_SECRET=
 # SLACK_GATEWAY_SHARED_SECRET=change-this-to-long-random-secret
 # SLACK_GATEWAY_CLIENT_API_KEY=change-this-to-random-client-key
 # SLACK_GATEWAY_ALLOW_PUBLIC=false
+# SLACK_GATEWAY_PUBLIC_ONBOARD=true
+# SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY=change-this-to-random-client-key
+# SLACK_GATEWAY_PUBLIC_ONBOARD_EXPOSE_API_KEY=false
+# SLACK_GATEWAY_PUBLIC_ONBOARD_PROFILE_PREFIX=auto
 # SLACK_INVITE_TOKEN_DEFAULT_DAYS=7
 #
 # Client-side (each local Codex/Claude machine):
@@ -34,10 +38,19 @@ SLACK_CLIENT_SECRET=
 
 # Optional auto-onboarding trigger for interactive `slack-max-api-mcp` runs
 # SLACK_AUTO_ONBOARD=true
+# Built-in default team gateway used when no auto-onboard gateway is set:
+# SLACK_DEFAULT_TEAM_GATEWAY_URL=https://43.202.54.65.sslip.io
+# SLACK_DEFAULT_TEAM_GATEWAY_INSECURE_TLS=true
+# SLACK_GATEWAY_INSECURE_TLS=true
 # SLACK_AUTO_ONBOARD_URL=https://mcp-gateway.example.com/onboard.ps1?token=...
 # or
 # SLACK_AUTO_ONBOARD_GATEWAY=https://mcp-gateway.example.com
 # SLACK_AUTO_ONBOARD_TOKEN=invite-token-issued-by-gateway
+# Optional tokenless variant:
+# SLACK_AUTO_ONBOARD_GATEWAY=https://mcp-gateway.example.com
+# SLACK_AUTO_ONBOARD_PROFILE_PREFIX=auto
+# SLACK_AUTO_ONBOARD_PROFILE=
+# SLACK_ONBOARD_SKIP_TLS_VERIFY=false
 
 # Legacy/manual token mode (optional)
 # SLACK_BOT_TOKEN=xoxb-your-bot-token

package/README.md

@@ -62,17 +62,26 @@ Slack Web API를 Codex/Claude Code에서 바로 사용할 수 있게 만든 `std
 2. USER 토큰 사용 시 메시지/파일 검색, 채널 읽기, 메시지 전송 가능
 3. BOT으로 검색은 토큰 타입 제한(`not_allowed_token_type`)이 있어 USER 토큰 사용 권장
 
-## 설치 및 실행
-
-```powershell
-npm install -g slack-max-api-mcp@latest
-slack-max-api-mcp
-```
-
-또는:
-
-```powershell
-npx -y slack-max-api-mcp
+## 설치 및 실행
+
+```powershell
+npm install -g slack-max-api-mcp@latest
+slack-max-api-mcp
+```
+
+팀원 기본 온보딩(현재 패키지 기본값):
+1. 추가 환경변수 없이 `slack-max-api-mcp` 실행 시 자동 온보딩 시도
+2. 기본 게이트웨이: `https://43.202.54.65.sslip.io`
+3. 승인 후 Codex 등록 1회:
+
+```powershell
+codex mcp add slack-max -- npx -y slack-max-api-mcp
+```
+
+또는:
+
+```powershell
+npx -y slack-max-api-mcp
 ```
 
 ## Codex / Claude Code 연결
@@ -110,37 +119,50 @@ setx SLACK_GATEWAY_PORT "8790"
 setx SLACK_GATEWAY_PUBLIC_BASE_URL "https://your-gateway.example.com"
 setx SLACK_GATEWAY_SHARED_SECRET "long-random-shared-secret"
 setx SLACK_GATEWAY_CLIENT_API_KEY "long-random-client-api-key"
+setx SLACK_GATEWAY_PUBLIC_ONBOARD "true"
+setx SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY "long-random-client-api-key"
 npx -y slack-max-api-mcp gateway start
 ```
 
-운영자가 팀원용 원클릭 초대 커맨드 생성:
+주의:
+1. `SLACK_GATEWAY_PUBLIC_ONBOARD=true`는 토큰 없는 온보딩을 허용합니다.
+2. 게이트웨이가 비공개(`SLACK_GATEWAY_ALLOW_PUBLIC=false`)라면 `SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY`를 함께 설정해야 팀원 로컬 클라이언트가 API 호출할 수 있습니다.
+
+### 팀원 경험 (토큰 전달 없이 권장)
 
 ```powershell
-npx -y slack-max-api-mcp gateway invite --profile woobin --team T0AHNJ8QN0N
+npx -y slack-max-api-mcp onboard run
 ```
 
-위 명령이 팀원에게 전달할 "원클릭 설치 커맨드"를 출력합니다.
+자동 동작:
+1. 로컬 클라이언트 설정 파일(`~/.slack-max-api-mcp/client.json`) 작성
+2. 브라우저 OAuth 승인 페이지 자동 오픈
+3. Slack Allow 승인
+4. 완료 후 Codex에서 바로 사용
 
-### 팀원 경험 (입력값 없이 원클릭)
+승인 후 Codex 연결(최초 1회):
 
 ```powershell
-powershell -ExecutionPolicy Bypass -Command "irm 'https://your-gateway.example.com/onboard.ps1?token=...' | iex"
+codex mcp add slack-max -- npx -y slack-max-api-mcp
 ```
 
-스크립트가 자동으로 수행:
-1. `slack-max-api-mcp` 설치
-2. 로컬 클라이언트 설정 파일(`~/.slack-max-api-mcp/client.json`) 작성
-3. 브라우저 OAuth 승인 페이지 자동 오픈
+### 팀원 경험 (초대토큰 기반, 기존 방식)
 
-승인 후 Codex 연결(최초 1회):
+운영자가 팀원용 원클릭 초대 커맨드 생성:
 
 ```powershell
-codex mcp add slack-max -- npx -y slack-max-api-mcp
+npx -y slack-max-api-mcp gateway invite --profile woobin --team T0AHNJ8QN0N
+```
+
+위 명령이 팀원에게 전달할 "원클릭 설치 커맨드"를 출력합니다.
+
+```powershell
+powershell -ExecutionPolicy Bypass -Command "irm 'https://your-gateway.example.com/onboard.ps1?token=...' | iex"
 ```
 
 ### 팀원 경험 (설치 후 `slack-max-api-mcp`만 실행)
 
-운영자가 아래 값을 사전에 배포(이미지/스크립트/MDM)하면 팀원은 다음만 수행하면 됩니다.
+현재 패키지 기본 게이트웨이(`https://43.202.54.65.sslip.io`)를 계속 사용할 경우 팀원은 다음만 수행하면 됩니다.
 
 ```powershell
 npm install -g slack-max-api-mcp@latest
@@ -153,9 +175,10 @@ slack-max-api-mcp
 3. Slack Allow 승인
 4. 완료 후 Codex에서 바로 사용
 
-필요한 사전 배포값(팀원이 직접 입력하지 않아도 됨):
-1. `SLACK_AUTO_ONBOARD_URL` 또는
-2. `SLACK_AUTO_ONBOARD_GATEWAY` + `SLACK_AUTO_ONBOARD_TOKEN`
+게이트웨이 주소를 바꿔야 할 때만(운영자):
+1. `SLACK_DEFAULT_TEAM_GATEWAY_URL`
+2. `SLACK_DEFAULT_TEAM_GATEWAY_INSECURE_TLS` (`true/false`)
+3. 또는 기존 방식대로 `SLACK_AUTO_ONBOARD_URL`, `SLACK_AUTO_ONBOARD_GATEWAY` 사용 가능
 
 ## 2) 단독/개인 운영: 로컬 OAuth 모드
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "slack-max-api-mcp",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Slack MCP server (stdio) for Codex and Claude Code",
   "main": "src/slack-mcp-server.js",
   "bin": {
@@ -27,6 +27,7 @@
   "type": "commonjs",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
+    "undici": "^7.16.0",
     "zod": "^4.3.6"
   }
 }

package/src/slack-mcp-server.js

@@ -6,6 +6,7 @@ const http = require("node:http");
 const path = require("node:path");
 const crypto = require("node:crypto");
 const { spawn } = require("node:child_process");
+const { Agent, fetch: undiciFetch } = require("undici");
 const { McpServer } = require("@modelcontextprotocol/sdk/server/mcp.js");
 const { StdioServerTransport } = require("@modelcontextprotocol/sdk/server/stdio.js");
 const { z } = require("zod");
@@ -48,17 +49,43 @@ const GATEWAY_ALLOW_PUBLIC = process.env.SLACK_GATEWAY_ALLOW_PUBLIC === "true";
 const GATEWAY_SHARED_SECRET = process.env.SLACK_GATEWAY_SHARED_SECRET || GATEWAY_API_KEY;
 const GATEWAY_CLIENT_API_KEY =
   process.env.SLACK_GATEWAY_CLIENT_API_KEY || GATEWAY_API_KEY || GATEWAY_SHARED_SECRET;
+const GATEWAY_PUBLIC_ONBOARD_ENABLED = process.env.SLACK_GATEWAY_PUBLIC_ONBOARD === "true";
+const GATEWAY_PUBLIC_ONBOARD_EXPOSE_API_KEY =
+  process.env.SLACK_GATEWAY_PUBLIC_ONBOARD_EXPOSE_API_KEY === "true";
+const GATEWAY_PUBLIC_ONBOARD_API_KEY = process.env.SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY || "";
+const GATEWAY_PUBLIC_ONBOARD_PROFILE_PREFIX =
+  process.env.SLACK_GATEWAY_PUBLIC_ONBOARD_PROFILE_PREFIX || "auto";
 const GATEWAY_STATE_TTL_MS = Number(process.env.SLACK_GATEWAY_STATE_TTL_MS || 15 * 60 * 1000);
 const INVITE_TOKEN_DEFAULT_DAYS = Number(process.env.SLACK_INVITE_TOKEN_DEFAULT_DAYS || 7);
 const AUTO_ONBOARD_ENABLED = process.env.SLACK_AUTO_ONBOARD !== "false";
+const DEFAULT_TEAM_GATEWAY_URL =
+  process.env.SLACK_DEFAULT_TEAM_GATEWAY_URL || "https://43.202.54.65.sslip.io";
+const DEFAULT_TEAM_GATEWAY_INSECURE_TLS =
+  process.env.SLACK_DEFAULT_TEAM_GATEWAY_INSECURE_TLS !== "false";
+const GATEWAY_INSECURE_TLS =
+  process.env.SLACK_GATEWAY_INSECURE_TLS === "true"
+    ? true
+    : process.env.SLACK_GATEWAY_INSECURE_TLS === "false"
+    ? false
+    : null;
 const AUTO_ONBOARD_GATEWAY =
-  process.env.SLACK_AUTO_ONBOARD_GATEWAY || process.env.SLACK_ONBOARD_GATEWAY_URL || "";
+  process.env.SLACK_AUTO_ONBOARD_GATEWAY ||
+  process.env.SLACK_ONBOARD_GATEWAY_URL ||
+  DEFAULT_TEAM_GATEWAY_URL;
+const AUTO_ONBOARD_PROFILE = process.env.SLACK_AUTO_ONBOARD_PROFILE || "";
 const AUTO_ONBOARD_TOKEN = process.env.SLACK_AUTO_ONBOARD_TOKEN || process.env.SLACK_ONBOARD_TOKEN || "";
 const AUTO_ONBOARD_URL = process.env.SLACK_AUTO_ONBOARD_URL || process.env.SLACK_ONBOARD_URL || "";
+const AUTO_ONBOARD_PROFILE_PREFIX = process.env.SLACK_AUTO_ONBOARD_PROFILE_PREFIX || "auto";
 const ONBOARD_PACKAGE_SPEC =
   process.env.SLACK_ONBOARD_PACKAGE_SPEC ||
   process.env.SLACK_ONBOARD_INSTALL_SPEC ||
   "slack-max-api-mcp@latest";
+const ONBOARD_SKIP_TLS_VERIFY = process.env.SLACK_ONBOARD_SKIP_TLS_VERIFY === "true";
+const INSECURE_TLS_DISPATCHER = new Agent({
+  connect: {
+    rejectUnauthorized: false,
+  },
+});
 
 function parseSimpleEnvFile(filePath) {
   if (!fs.existsSync(filePath)) return {};
@@ -88,11 +115,63 @@ function parseScopeList(raw) {
   return [...new Set(String(raw).split(",").map((part) => part.trim()).filter(Boolean))];
 }
 
+function normalizeOnboardNamePart(value, fallback) {
+  const normalized = String(value || "")
+    .trim()
+    .toLowerCase()
+    .replace(/[^a-z0-9_-]+/g, "-")
+    .replace(/^-+|-+$/g, "");
+  if (!normalized) return fallback;
+  return normalized;
+}
+
+function createAutoOnboardProfileName(prefix = "auto") {
+  let username = "user";
+  try {
+    username = os.userInfo().username || process.env.USERNAME || process.env.USER || "user";
+  } catch {
+    username = process.env.USERNAME || process.env.USER || "user";
+  }
+  const host = os.hostname() || "host";
+  const profilePrefix = normalizeOnboardNamePart(prefix, "auto");
+  const userPart = normalizeOnboardNamePart(username, "user");
+  const hostPart = normalizeOnboardNamePart(host, "host");
+  const rand = crypto.randomBytes(3).toString("hex");
+  return `${profilePrefix}-${userPart}-${hostPart}-${rand}`.slice(0, 80);
+}
+
 function ensureParentDirectory(filePath) {
   const dirPath = path.dirname(filePath);
   fs.mkdirSync(dirPath, { recursive: true });
 }
 
+function normalizeBaseUrl(url) {
+  return String(url || "").trim().replace(/\/+$/, "");
+}
+
+function normalizeUrlOrigin(url) {
+  try {
+    const parsed = new URL(String(url || "").trim());
+    return `${parsed.protocol}//${parsed.host}`.replace(/\/+$/, "");
+  } catch {
+    return normalizeBaseUrl(url);
+  }
+}
+
+function shouldUseInsecureGatewayTls(url) {
+  if (!url) return false;
+  if (GATEWAY_INSECURE_TLS !== null) return GATEWAY_INSECURE_TLS;
+  if (!DEFAULT_TEAM_GATEWAY_INSECURE_TLS) return false;
+  return normalizeUrlOrigin(url) === normalizeUrlOrigin(DEFAULT_TEAM_GATEWAY_URL);
+}
+
+async function fetchWithOptionalInsecureGatewayTls(url, options) {
+  if (!shouldUseInsecureGatewayTls(url)) {
+    return undiciFetch(url, options);
+  }
+  return undiciFetch(url, { ...(options || {}), dispatcher: INSECURE_TLS_DISPATCHER });
+}
+
 function emptyTokenStore() {
   return { version: 1, default_profile: null, profiles: {} };
 }
@@ -320,7 +399,8 @@ async function callSlackApiViaGateway(method, params = {}, tokenOverride, option
     throw new Error("Gateway URL is missing. Set SLACK_GATEWAY_URL to use gateway mode.");
   }
 
-  const response = await fetch(`${runtimeGateway.url}/api/slack/call`, {
+  const gatewayCallUrl = `${runtimeGateway.url}/api/slack/call`;
+  const response = await fetchWithOptionalInsecureGatewayTls(gatewayCallUrl, {
     method: "POST",
     headers: buildGatewayAuthHeaders(runtimeGateway.apiKey),
     body: JSON.stringify({
@@ -370,7 +450,8 @@ async function slackHttpViaGateway(input) {
     throw new Error("Gateway URL is missing. Set SLACK_GATEWAY_URL to use gateway mode.");
   }
 
-  const response = await fetch(`${runtimeGateway.url}/api/slack/http`, {
+  const gatewayHttpUrl = `${runtimeGateway.url}/api/slack/http`;
+  const response = await fetchWithOptionalInsecureGatewayTls(gatewayHttpUrl, {
     method: "POST",
     headers: buildGatewayAuthHeaders(runtimeGateway.apiKey),
     body: JSON.stringify({
@@ -632,12 +713,20 @@ async function runAutoOnboardingIfPossible() {
   }
 
   if (AUTO_ONBOARD_GATEWAY && AUTO_ONBOARD_TOKEN) {
-    await runOnboardStart([
-      "--gateway",
-      AUTO_ONBOARD_GATEWAY,
-      "--token",
-      AUTO_ONBOARD_TOKEN,
-    ]);
+    const args = ["--gateway", AUTO_ONBOARD_GATEWAY, "--token", AUTO_ONBOARD_TOKEN];
+    if (AUTO_ONBOARD_PROFILE) args.push("--profile", AUTO_ONBOARD_PROFILE);
+    await runOnboardStart(args);
+    return true;
+  }
+
+  if (AUTO_ONBOARD_GATEWAY) {
+    const args = ["--gateway", AUTO_ONBOARD_GATEWAY];
+    if (AUTO_ONBOARD_PROFILE) {
+      args.push("--profile", AUTO_ONBOARD_PROFILE);
+    } else if (AUTO_ONBOARD_PROFILE_PREFIX) {
+      args.push("--profile", createAutoOnboardProfileName(AUTO_ONBOARD_PROFILE_PREFIX));
+    }
+    await runOnboardStart(args);
     return true;
   }
 
@@ -976,9 +1065,13 @@ function printOnboardHelp() {
     "Slack Max onboarding helper",
     "",
     "Usage:",
-    "  slack-max-api-mcp onboard run --gateway https://gateway.example.com --token <invite_token>",
+    "  slack-max-api-mcp onboard run [--gateway https://gateway.example.com] [--token <invite_token>]",
+    "    [--profile NAME] [--team T123] [--scope a,b] [--user-scope c,d]",
+    "  slack-max-api-mcp onboard quick [--gateway https://gateway.example.com]",
     "  slack-max-api-mcp onboard help",
     "",
+    `Default gateway (if omitted): ${DEFAULT_TEAM_GATEWAY_URL}`,
+    "If --token is omitted, it uses gateway public onboarding endpoint (/onboard/bootstrap).",
     "This command writes local client config and opens the Slack OAuth approval page automatically.",
   ];
   console.log(lines.join("\n"));
@@ -986,13 +1079,33 @@ function printOnboardHelp() {
 
 async function runOnboardStart(args) {
   const { options } = parseCliArgs(args);
-  const gateway = String(options.gateway || options.url || "").replace(/\/+$/, "");
+  const gateway = normalizeBaseUrl(options.gateway || options.url || DEFAULT_TEAM_GATEWAY_URL);
   const token = String(options.token || "");
-  if (!gateway || !token) {
-    throw new Error("Usage: slack-max-api-mcp onboard run --gateway <url> --token <invite_token>");
+  if (!gateway) {
+    throw new Error(
+      "Usage: slack-max-api-mcp onboard run [--gateway <url>] [--token <invite_token>] [--profile <name>]"
+    );
   }
 
-  const response = await fetch(`${gateway}/onboard/resolve?token=${encodeURIComponent(token)}`, {
+  const requestedProfile =
+    String(options.profile || "").trim() || createAutoOnboardProfileName(AUTO_ONBOARD_PROFILE_PREFIX);
+  const requestedTeam = String(options.team || "").trim();
+  const requestedScope = parseScopeList(options.scope || "").join(",");
+  const requestedUserScope = parseScopeList(options["user-scope"] || options.user_scope || "").join(",");
+
+  const onboardingUrl = token
+    ? `${gateway}/onboard/resolve?token=${encodeURIComponent(token)}`
+    : (() => {
+        const params = new URLSearchParams();
+        if (requestedProfile) params.set("profile", requestedProfile);
+        if (requestedTeam) params.set("team", requestedTeam);
+        if (requestedScope) params.set("scope", requestedScope);
+        if (requestedUserScope) params.set("user_scope", requestedUserScope);
+        const query = params.toString();
+        return `${gateway}/onboard/bootstrap${query ? `?${query}` : ""}`;
+      })();
+
+  const response = await fetchWithOptionalInsecureGatewayTls(onboardingUrl, {
     method: "GET",
     headers: { Accept: "application/json" },
   });
@@ -1006,14 +1119,23 @@ async function runOnboardStart(args) {
   }
 
   if (!response.ok || !data?.ok) {
+    if (!token && response.status === 404) {
+      throw new Error("Onboarding failed: public onboarding is disabled on gateway (enable SLACK_GATEWAY_PUBLIC_ONBOARD=true).");
+    }
     throw new Error(`Onboarding failed: ${data?.error || `http_${response.status}`}`);
   }
 
   const resolvedGatewayUrl = String(data.gateway_url || gateway).replace(/\/+$/, "");
   const resolvedApiKey = String(data.gateway_api_key || "");
-  const profile = String(data.profile || "");
+  const profile = String(data.profile || requestedProfile || "");
   const oauthStartUrl = String(data.oauth_start_url || "");
 
+  if (data.requires_gateway_api_key && !resolvedApiKey) {
+    throw new Error(
+      "Gateway requires API key but onboarding response did not provide one. Enable public gateway access or set SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY."
+    );
+  }
+
   saveClientConfig({
     version: 1,
     gateway_url: resolvedGatewayUrl,
@@ -1032,6 +1154,9 @@ async function runOnboardStart(args) {
   console.log(`[onboard] client config saved: ${CLIENT_CONFIG_PATH}`);
   console.log(`[onboard] gateway: ${resolvedGatewayUrl}`);
   if (profile) console.log(`[onboard] profile: ${profile}`);
+  if (data.mode === "public_onboard") {
+    console.log("[onboard] mode: public_onboard (tokenless)");
+  }
   console.log("[onboard] Next: approve in browser, then use Codex MCP as usual.");
 }
 
@@ -1042,7 +1167,7 @@ async function runOnboardCli(args) {
     printOnboardHelp();
     return;
   }
-  if (subcommand === "run" || subcommand === "start") {
+  if (subcommand === "run" || subcommand === "start" || subcommand === "quick") {
     await runOnboardStart(rest);
     return;
   }
@@ -1150,15 +1275,65 @@ function buildOauthStartUrlFromInvitePayload(gatewayBaseUrl, payload) {
   return `${gatewayBaseUrl.replace(/\/+$/, "")}/oauth/start${params.toString() ? `?${params.toString()}` : ""}`;
 }
 
-function buildOnboardPowerShellScript({ gatewayBaseUrl, token }) {
+function buildPublicOnboardPayload(gatewayBaseUrl, params = {}) {
+  const profile = String(params.profile || "").trim() || createAutoOnboardProfileName(GATEWAY_PUBLIC_ONBOARD_PROFILE_PREFIX);
+  const team = String(params.team || process.env.SLACK_OAUTH_TEAM_ID || "").trim();
+  const scope = parseScopeList(params.scope || DEFAULT_OAUTH_BOT_SCOPES).join(",");
+  const userScope = parseScopeList(params.user_scope || DEFAULT_OAUTH_USER_SCOPES).join(",");
+  const payload = {
+    gateway_url: gatewayBaseUrl,
+    gateway_api_key: "",
+    profile,
+    team,
+    scope,
+    user_scope: userScope,
+  };
+  if (GATEWAY_ALLOW_PUBLIC) {
+    payload.gateway_api_key = "";
+  } else if (GATEWAY_PUBLIC_ONBOARD_API_KEY) {
+    payload.gateway_api_key = GATEWAY_PUBLIC_ONBOARD_API_KEY;
+  } else if (GATEWAY_PUBLIC_ONBOARD_EXPOSE_API_KEY) {
+    payload.gateway_api_key = GATEWAY_CLIENT_API_KEY || "";
+  }
+  const oauthStartUrl = buildOauthStartUrlFromInvitePayload(gatewayBaseUrl, payload);
+  return {
+    ok: true,
+    mode: "public_onboard",
+    gateway_url: payload.gateway_url,
+    gateway_api_key: payload.gateway_api_key,
+    profile: payload.profile,
+    oauth_start_url: oauthStartUrl,
+    requires_gateway_api_key: !GATEWAY_ALLOW_PUBLIC,
+  };
+}
+
+function buildOnboardPowerShellScript({ gatewayBaseUrl, token, profile, team, scope, userScope }) {
   const safeGateway = String(gatewayBaseUrl || "").replace(/'/g, "''");
   const safeToken = String(token || "").replace(/'/g, "''");
+  const safeProfile = String(profile || "").replace(/'/g, "''");
+  const safeTeam = String(team || "").replace(/'/g, "''");
+  const safeScope = String(scope || "").replace(/'/g, "''");
+  const safeUserScope = String(userScope || "").replace(/'/g, "''");
   const safePackageSpec = String(ONBOARD_PACKAGE_SPEC || "").replace(/'/g, "''");
-  return [
+  const onboardCommandParts = [`npx -y '${safePackageSpec}' onboard run --gateway '${safeGateway}'`];
+  if (safeToken) onboardCommandParts.push(`--token '${safeToken}'`);
+  if (safeProfile) onboardCommandParts.push(`--profile '${safeProfile}'`);
+  if (safeTeam) onboardCommandParts.push(`--team '${safeTeam}'`);
+  if (safeScope) onboardCommandParts.push(`--scope '${safeScope}'`);
+  if (safeUserScope) onboardCommandParts.push(`--user-scope '${safeUserScope}'`);
+
+  const lines = [
     "$ErrorActionPreference = 'Stop'",
     "if (-not (Get-Command npx -ErrorAction SilentlyContinue)) { throw 'npx is required. Install Node.js first.' }",
-    `npx -y '${safePackageSpec}' onboard run --gateway '${safeGateway}' --token '${safeToken}'`,
-  ].join("\r\n");
+  ];
+  if (ONBOARD_SKIP_TLS_VERIFY) {
+    lines.push("$env:NODE_TLS_REJECT_UNAUTHORIZED='0'");
+  }
+  lines.push(onboardCommandParts.join(" "));
+  if (ONBOARD_SKIP_TLS_VERIFY) {
+    lines.push("Remove-Item Env:NODE_TLS_REJECT_UNAUTHORIZED -ErrorAction SilentlyContinue");
+  }
+  return lines.join("\r\n");
 }
 
 function createGatewayInviteTokenFromOptions(options = {}) {
@@ -1259,12 +1434,33 @@ async function startGatewayServer() {
 
       if (method === "GET" && requestUrl.pathname === "/onboard.ps1") {
         const token = requestUrl.searchParams.get("token") || "";
-        const secret = requireGatewayInviteSecret();
-        const payload = parseAndVerifyInviteToken(token, secret);
-        const script = buildOnboardPowerShellScript({
-          gatewayBaseUrl: payload.gateway_url || gatewayBaseUrl,
-          token,
-        });
+        let script = "";
+        if (token) {
+          const secret = requireGatewayInviteSecret();
+          const payload = parseAndVerifyInviteToken(token, secret);
+          script = buildOnboardPowerShellScript({
+            gatewayBaseUrl: payload.gateway_url || gatewayBaseUrl,
+            token,
+          });
+        } else {
+          if (!GATEWAY_PUBLIC_ONBOARD_ENABLED) {
+            sendJson(res, 404, { ok: false, error: "public_onboard_disabled" });
+            return;
+          }
+          const profile =
+            requestUrl.searchParams.get("profile") ||
+            createAutoOnboardProfileName(GATEWAY_PUBLIC_ONBOARD_PROFILE_PREFIX);
+          const team = requestUrl.searchParams.get("team") || "";
+          const scope = requestUrl.searchParams.get("scope") || "";
+          const userScope = requestUrl.searchParams.get("user_scope") || "";
+          script = buildOnboardPowerShellScript({
+            gatewayBaseUrl,
+            profile,
+            team,
+            scope,
+            userScope,
+          });
+        }
         res.writeHead(200, {
           "Content-Type": "text/plain; charset=utf-8",
           "Cache-Control": "no-store",
@@ -1273,6 +1469,21 @@ async function startGatewayServer() {
         return;
       }
 
+      if (method === "GET" && requestUrl.pathname === "/onboard/bootstrap") {
+        if (!GATEWAY_PUBLIC_ONBOARD_ENABLED) {
+          sendJson(res, 404, { ok: false, error: "public_onboard_disabled" });
+          return;
+        }
+        const payload = buildPublicOnboardPayload(gatewayBaseUrl, {
+          profile: requestUrl.searchParams.get("profile") || "",
+          team: requestUrl.searchParams.get("team") || "",
+          scope: requestUrl.searchParams.get("scope") || "",
+          user_scope: requestUrl.searchParams.get("user_scope") || "",
+        });
+        sendJson(res, 200, payload);
+        return;
+      }
+
       if (method === "GET" && requestUrl.pathname === "/onboard/resolve") {
         const token = requestUrl.searchParams.get("token") || "";
         const secret = requireGatewayInviteSecret();
@@ -1280,6 +1491,7 @@ async function startGatewayServer() {
         const oauthStartUrl = buildOauthStartUrlFromInvitePayload(gatewayBaseUrl, payload);
         sendJson(res, 200, {
           ok: true,
+          mode: "invite_token",
           gateway_url: payload.gateway_url || gatewayBaseUrl,
           gateway_api_key: payload.gateway_api_key || "",
           profile: payload.profile || "",
@@ -1475,6 +1687,9 @@ async function startGatewayServer() {
   );
   console.error(`[${SERVER_NAME}] oauth start URL: ${gatewayBaseUrl}/oauth/start`);
   console.error(`[${SERVER_NAME}] profile list URL: ${gatewayBaseUrl}/profiles`);
+  if (GATEWAY_PUBLIC_ONBOARD_ENABLED) {
+    console.error(`[${SERVER_NAME}] public onboard URL: ${gatewayBaseUrl}/onboard/bootstrap`);
+  }
 }
 
 function printGatewayHelp() {
@@ -1484,6 +1699,8 @@ function printGatewayHelp() {
     "Usage:",
     "  slack-max-api-mcp gateway start",
     "  slack-max-api-mcp gateway invite --profile woobin --team T123",
+    "  # tokenless onboarding endpoint (when enabled):",
+    "  #   https://gateway.example.com/onboard/bootstrap",
     "  slack-max-api-mcp gateway help",
     "",
     "Gateway env vars (server-side):",
@@ -1491,6 +1708,9 @@ function printGatewayHelp() {
     "  SLACK_GATEWAY_HOST, SLACK_GATEWAY_PORT, SLACK_GATEWAY_PUBLIC_BASE_URL",
     "  SLACK_GATEWAY_SHARED_SECRET (recommended)",
     "  SLACK_GATEWAY_CLIENT_API_KEY (optional, defaults to shared secret)",
+    "  SLACK_GATEWAY_PUBLIC_ONBOARD=true  # allow tokenless onboarding endpoint",
+    "  SLACK_GATEWAY_PUBLIC_ONBOARD_API_KEY=<client key>  # optional, used when gateway is not fully public",
+    "  SLACK_GATEWAY_PUBLIC_ONBOARD_EXPOSE_API_KEY=true   # fallback: expose client key as-is",
     "  SLACK_OAUTH_BOT_SCOPES, SLACK_OAUTH_USER_SCOPES",
     "",
     "Client env vars (mcp caller-side):",
@@ -1507,6 +1727,12 @@ function runGatewayInvite(args) {
   const onboardScriptUrl = `${gatewayBaseUrl}/onboard.ps1?token=${encodeURIComponent(token)}`;
   const oauthStartUrl = buildOauthStartUrlFromInvitePayload(gatewayBaseUrl, payload);
   const command = `powershell -ExecutionPolicy Bypass -Command "irm '${onboardScriptUrl}' | iex"`;
+  const commandCurlFallback = [
+    `$tmp = Join-Path $env:TEMP 'slack-onboard.ps1'`,
+    `curl.exe -k -sS '${onboardScriptUrl}' -o $tmp`,
+    `powershell -ExecutionPolicy Bypass -File $tmp`,
+    `Remove-Item $tmp -Force`,
+  ].join("; ");
 
   console.log("[gateway] invite token created");
   console.log(`[gateway] expires_at: ${new Date(Number(payload.exp)).toISOString()}`);
@@ -1514,6 +1740,8 @@ function runGatewayInvite(args) {
   console.log(`[gateway] oauth_start_url: ${oauthStartUrl}`);
   console.log("[gateway] one-click command for team member:");
   console.log(command);
+  console.log("[gateway] fallback command (self-signed TLS):");
+  console.log(commandCurlFallback);
 }
 
 async function runGatewayCli(args) {