@eraserlabs/eraser-mcp 0.7.0 → 0.8.0

package/dist/oauth/pkce.d.ts

@@ -0,0 +1,3 @@
+import type { PKCEPair } from './types';
+export declare function generatePKCE(): PKCEPair;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/oauth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/oauth/pkce.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAExC,wBAAgB,YAAY,IAAI,QAAQ,CAQvC"}

package/dist/oauth/pkce.js

@@ -0,0 +1,45 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePKCE = generatePKCE;
+const crypto = __importStar(require("crypto"));
+function generatePKCE() {
+    const codeVerifier = crypto.randomBytes(32).toString('base64url');
+    const codeChallenge = crypto
+        .createHash('sha256')
+        .update(codeVerifier)
+        .digest('base64url');
+    return { codeVerifier, codeChallenge };
+}

package/dist/oauth/token-storage.d.ts

@@ -0,0 +1,6 @@
+import type { StoredCredentials } from './types';
+export declare function loadCredentials(apiUrl: string): StoredCredentials | null;
+export declare function saveCredentials(credentials: StoredCredentials, apiUrl: string): void;
+export declare function clearCredentials(apiUrl: string): void;
+export declare function isTokenExpired(credentials: StoredCredentials): boolean;
+//# sourceMappingURL=token-storage.d.ts.map

package/dist/oauth/token-storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-storage.d.ts","sourceRoot":"","sources":["../../src/oauth/token-storage.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAajD,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAWxE;AAED,wBAAgB,eAAe,CAAC,WAAW,EAAE,iBAAiB,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAKpF;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAMrD;AAED,wBAAgB,cAAc,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAGtE"}

package/dist/oauth/token-storage.js

@@ -0,0 +1,83 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadCredentials = loadCredentials;
+exports.saveCredentials = saveCredentials;
+exports.clearCredentials = clearCredentials;
+exports.isTokenExpired = isTokenExpired;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const crypto = __importStar(require("crypto"));
+const CREDENTIALS_DIR = path.join(os.homedir(), '.eraser');
+/**
+ * Returns a credentials file path scoped to the given API base URL so that
+ * production, staging, and local-dev tokens never overwrite each other.
+ */
+function credentialsFilePath(apiUrl) {
+    const hash = crypto.createHash('sha256').update(apiUrl).digest('hex').slice(0, 12);
+    return path.join(CREDENTIALS_DIR, `credentials-${hash}.json`);
+}
+function loadCredentials(apiUrl) {
+    try {
+        const file = credentialsFilePath(apiUrl);
+        if (!fs.existsSync(file)) {
+            return null;
+        }
+        const data = fs.readFileSync(file, 'utf-8');
+        return JSON.parse(data);
+    }
+    catch {
+        return null;
+    }
+}
+function saveCredentials(credentials, apiUrl) {
+    fs.mkdirSync(CREDENTIALS_DIR, { recursive: true });
+    fs.writeFileSync(credentialsFilePath(apiUrl), JSON.stringify(credentials, null, 2), {
+        mode: 0o600,
+    });
+}
+function clearCredentials(apiUrl) {
+    try {
+        fs.unlinkSync(credentialsFilePath(apiUrl));
+    }
+    catch {
+        // File doesn't exist, that's fine
+    }
+}
+function isTokenExpired(credentials) {
+    // Consider expired if less than 5 minutes remaining
+    return Date.now() > credentials.expiresAt - 5 * 60 * 1000;
+}

package/dist/oauth/types.d.ts

@@ -0,0 +1,26 @@
+export interface OAuthConfig {
+    authorizationEndpoint: string;
+    tokenEndpoint: string;
+    clientId: string;
+    redirectUri: string;
+    scopes: string[];
+    resource: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token: string;
+    scope: string;
+}
+export interface StoredCredentials {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    scope: string;
+}
+export interface PKCEPair {
+    codeVerifier: string;
+    codeChallenge: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/oauth/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/oauth/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC1B,qBAAqB,EAAE,MAAM,CAAC;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,QAAQ;IACvB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;CACvB"}

package/dist/oauth/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/stdio.d.ts

@@ -6,6 +6,12 @@
  * with the Eraser API via stdio transport.
  *
  * Usage:
+ *   npx @eraserlabs/eraser-mcp              # Normal mode (authenticates via OAuth)
+ *   npx @eraserlabs/eraser-mcp login        # Manually trigger login
+ *   npx @eraserlabs/eraser-mcp logout       # Clear saved credentials
+ *   npx @eraserlabs/eraser-mcp whoami       # Show current auth status
+ *
+ * For CI/CD and headless environments, set ERASER_API_TOKEN to bypass the OAuth flow:
  *   ERASER_API_TOKEN=your-token npx @eraserlabs/eraser-mcp
  *
  * Or configure in .cursor/mcp.json:
@@ -13,8 +19,7 @@
  *     "mcpServers": {
  *       "eraser": {
  *         "command": "npx",
- *         "args": ["@eraserlabs/eraser-mcp"],
- *         "env": { "ERASER_API_TOKEN": "your-token" }
+ *         "args": ["@eraserlabs/eraser-mcp"]
  *       }
  *     }
  *   }

package/dist/stdio.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../src/stdio.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;GAmBG"}
+{"version":3,"file":"stdio.d.ts","sourceRoot":"","sources":["../src/stdio.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG"}

package/dist/stdio.js

@@ -7,6 +7,12 @@
  * with the Eraser API via stdio transport.
  *
  * Usage:
+ *   npx @eraserlabs/eraser-mcp              # Normal mode (authenticates via OAuth)
+ *   npx @eraserlabs/eraser-mcp login        # Manually trigger login
+ *   npx @eraserlabs/eraser-mcp logout       # Clear saved credentials
+ *   npx @eraserlabs/eraser-mcp whoami       # Show current auth status
+ *
+ * For CI/CD and headless environments, set ERASER_API_TOKEN to bypass the OAuth flow:
  *   ERASER_API_TOKEN=your-token npx @eraserlabs/eraser-mcp
  *
  * Or configure in .cursor/mcp.json:
@@ -14,8 +20,7 @@
  *     "mcpServers": {
  *       "eraser": {
  *         "command": "npx",
- *         "args": ["@eraserlabs/eraser-mcp"],
- *         "env": { "ERASER_API_TOKEN": "your-token" }
+ *         "args": ["@eraserlabs/eraser-mcp"]
  *       }
  *     }
  *   }
@@ -58,9 +63,11 @@ const readline = __importStar(require("readline"));
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const tools_1 = require("./tools");
+const flow_1 = require("./oauth/flow");
 const API_URL = process.env.ERASER_API_URL || 'https://app.eraser.io/api/mcp';
 const ERASER_OUTPUT_DIR = process.env.ERASER_OUTPUT_DIR || '.eraser/scratchpad';
-const API_TOKEN = process.env.ERASER_API_TOKEN;
+// When set, use this token directly instead of the OAuth flow (for CI/CD and headless environments)
+const ERASER_API_TOKEN = process.env.ERASER_API_TOKEN;
 function sendResponse(response) {
     process.stdout.write(JSON.stringify(response) + '\n');
 }
@@ -71,7 +78,6 @@ function sendError(id, code, message, data) {
         error: { code, message, data },
     });
 }
-// Server capabilities and info for MCP handshake
 const SERVER_INFO = {
     name: 'eraser-mcp',
     version: '1.0.0',
@@ -79,7 +85,6 @@ const SERVER_INFO = {
 const SERVER_CAPABILITIES = {
     tools: {},
 };
-// Convert mcpTools to MCP tool list format
 function getToolsList() {
     return tools_1.mcpTools.map((tool) => ({
         name: tool.name,
@@ -87,10 +92,6 @@ function getToolsList() {
         inputSchema: tool.jsonSchema,
     }));
 }
-/**
- * Extracts the title from diagram code (looks for a line starting with "title ").
- * Normalizes it to a valid filename.
- */
 function extractTitleFromCode(code) {
     if (!code) {
         return undefined;
@@ -99,118 +100,287 @@ function extractTitleFromCode(code) {
     for (const line of lines) {
         const trimmed = line.trim();
         if (trimmed.toLowerCase().startsWith('title ')) {
-            const title = trimmed.slice(6).trim(); // Remove "title " prefix
-            // Normalize to filename: lowercase, replace spaces/special chars with hyphens
+            const title = trimmed.slice(6).trim();
             return title
                 .toLowerCase()
                 .replace(/[^a-z0-9]+/g, '-')
-                .replace(/^-+|-+$/g, ''); // Trim leading/trailing hyphens
+                .replace(/^-+|-+$/g, '');
         }
     }
     return undefined;
 }
-/**
- * Downloads an image from a URL and saves it locally.
- * Returns the local file path if successful, undefined otherwise.
- */
 async function saveImageLocally(imageUrl, diagramCode) {
     try {
         const outputDir = path.resolve(process.cwd(), ERASER_OUTPUT_DIR);
-        // Ensure output directory exists
         await fs.promises.mkdir(outputDir, { recursive: true });
-        // Generate filename from title or timestamp
         const title = extractTitleFromCode(diagramCode);
         const timestamp = Date.now();
         const filename = title ? `${title}-${timestamp}.png` : `diagram-${timestamp}.png`;
         const localPath = path.join(outputDir, filename);
-        // Fetch the image
         const response = await fetch(imageUrl);
         if (!response.ok) {
             return undefined;
         }
-        // Save to disk
         const buffer = Buffer.from(await response.arrayBuffer());
         await fs.promises.writeFile(localPath, buffer);
         return localPath;
     }
     catch {
-        // Silently fail - local saving is a nice-to-have
         return undefined;
     }
 }
+let cachedAccessToken = null;
+let mcpSessionId = null;
+let sessionInitError = null;
+// Serialize OAuth / session initialization to avoid concurrent performLogin() calls
+// racing for the same callback server port.
+let serverSessionPromise = null;
+async function getAccessToken() {
+    // API token mode: return directly, skip OAuth
+    if (ERASER_API_TOKEN) {
+        return ERASER_API_TOKEN;
+    }
+    if (!cachedAccessToken) {
+        cachedAccessToken = await (0, flow_1.ensureValidToken)();
+    }
+    return cachedAccessToken;
+}
+async function ensureServerSessionInternal() {
+    // API token mode: server handles team directly from the token — no session needed
+    if (ERASER_API_TOKEN) {
+        return;
+    }
+    if (mcpSessionId) {
+        return;
+    }
+    const runInitialize = async (accessToken) => {
+        const initRequest = {
+            jsonrpc: '2.0',
+            id: 'stdio-init',
+            method: 'initialize',
+            params: {
+                protocolVersion: '2025-11-25',
+                capabilities: {},
+                clientInfo: { name: 'eraser-mcp-stdio', version: '1.0.0' },
+            },
+        };
+        return fetch(API_URL, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${accessToken}`,
+            },
+            body: JSON.stringify(initRequest),
+        });
+    };
+    let accessToken = await getAccessToken();
+    let response = await runInitialize(accessToken);
+    if (response.status === 401) {
+        cachedAccessToken = null;
+        accessToken = await (0, flow_1.recoverAuthAfter401)();
+        cachedAccessToken = accessToken;
+        response = await runInitialize(accessToken);
+    }
+    if (response.status === 401) {
+        (0, flow_1.invalidateCredentials)();
+        cachedAccessToken = null;
+        throw new Error('Not authenticated with Eraser. Run `npx @eraserlabs/eraser-mcp login` to sign in.');
+    }
+    if (!response.ok) {
+        throw new Error(`Server initialize failed: ${response.status}`);
+    }
+    sessionInitError = null;
+    const sessionHeader = response.headers.get('Mcp-Session-Id');
+    if (sessionHeader) {
+        mcpSessionId = sessionHeader;
+    }
+    // MCP 2025-11-25: client MUST send notifications/initialized after initialize result.
+    const initializedNotif = {
+        jsonrpc: '2.0',
+        method: 'notifications/initialized',
+        params: {},
+    };
+    const postInitHeaders = {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${accessToken}`,
+    };
+    if (mcpSessionId) {
+        postInitHeaders['Mcp-Session-Id'] = mcpSessionId;
+    }
+    try {
+        await fetch(API_URL, {
+            method: 'POST',
+            headers: postInitHeaders,
+            body: JSON.stringify(initializedNotif),
+        });
+    }
+    catch {
+        // Non-fatal if the server ignores the notification
+    }
+}
+/**
+ * Serialized wrapper for session initialization.
+ * Ensures only one OAuth/session init runs at a time to avoid concurrent
+ * performLogin() calls racing for the same callback server port.
+ */
+async function ensureServerSession() {
+    // API token mode: no session needed
+    if (ERASER_API_TOKEN) {
+        return;
+    }
+    // Already have a session
+    if (mcpSessionId) {
+        return;
+    }
+    // If there's already an in-flight init, wait on that promise
+    if (serverSessionPromise) {
+        return serverSessionPromise;
+    }
+    // Start a new init and store the promise so concurrent callers can await it
+    serverSessionPromise = ensureServerSessionInternal();
+    try {
+        await serverSessionPromise;
+    }
+    finally {
+        serverSessionPromise = null;
+    }
+}
 async function handleRequest(request) {
     const id = request.id ?? null;
-    // Handle MCP protocol methods locally
     if (request.method === 'initialize') {
+        // Respond to the local client with our capabilities
         sendResponse({
             jsonrpc: '2.0',
             id,
             result: {
-                protocolVersion: '2024-11-05',
+                protocolVersion: '2025-11-25',
                 capabilities: SERVER_CAPABILITIES,
                 serverInfo: SERVER_INFO,
             },
         });
+        // Proactively establish server session (so tools/call has a session ready).
+        // Capture any auth error so tool calls can surface it immediately.
+        try {
+            await ensureServerSession();
+            sessionInitError = null;
+        }
+        catch (err) {
+            sessionInitError = err instanceof Error ? err.message : 'Authentication failed';
+        }
         return;
     }
     if (request.method === 'notifications/initialized') {
-        // This is a notification, no response needed
         return;
     }
     if (request.method === 'tools/list') {
-        sendResponse({
-            jsonrpc: '2.0',
-            id,
-            result: {
-                tools: getToolsList(),
-            },
-        });
+        // Proxy to the remote server so identity tools (whoami, listTeams, selectTeam)
+        // defined server-side are included in the response.
+        try {
+            // If there was a previous init error, retry once before giving up.
+            // This allows recovery from transient network failures.
+            if (sessionInitError) {
+                sessionInitError = null;
+                mcpSessionId = null;
+            }
+            await ensureServerSession();
+            const accessToken = await getAccessToken();
+            const headers = {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${accessToken}`,
+            };
+            if (mcpSessionId) {
+                headers['Mcp-Session-Id'] = mcpSessionId;
+            }
+            const response = await fetch(API_URL, {
+                method: 'POST',
+                headers,
+                body: JSON.stringify(request),
+            });
+            if (!response.ok) {
+                // Fall back to local tool list if server is unreachable
+                sendResponse({ jsonrpc: '2.0', id, result: { tools: getToolsList() } });
+                return;
+            }
+            const rpcResponse = (await response.json());
+            sendResponse(rpcResponse);
+        }
+        catch {
+            sendResponse({ jsonrpc: '2.0', id, result: { tools: getToolsList() } });
+        }
         return;
     }
-    // For tools/call, forward to the API
     if (request.method === 'tools/call') {
-        if (!API_TOKEN) {
-            sendError(id, -32000, 'ERASER_API_TOKEN environment variable is required');
-            return;
-        }
         try {
+            // If there was a previous init error, retry once before giving up.
+            // This allows recovery from transient network failures.
+            if (sessionInitError) {
+                sessionInitError = null;
+                mcpSessionId = null;
+            }
+            await ensureServerSession();
+            const accessToken = await getAccessToken();
+            const headers = {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${accessToken}`,
+            };
+            if (mcpSessionId) {
+                headers['Mcp-Session-Id'] = mcpSessionId;
+            }
             const response = await fetch(API_URL, {
                 method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    Authorization: `Bearer ${API_TOKEN}`,
-                },
+                headers,
                 body: JSON.stringify(request),
             });
+            // Check for updated session token (e.g., after selectTeam)
+            const newSessionId = response.headers.get('Mcp-Session-Id');
+            if (newSessionId) {
+                mcpSessionId = newSessionId;
+            }
+            if (response.status === 401) {
+                // Token might be invalid/expired; try refresh_token before wiping credentials.
+                // In API token mode, the token is immutable — nothing to refresh.
+                if (ERASER_API_TOKEN) {
+                    const text = await response.text();
+                    sendError(id, -32000, `API token rejected (HTTP 401): ${text}`);
+                    return;
+                }
+                cachedAccessToken = null;
+                mcpSessionId = null;
+                cachedAccessToken = await (0, flow_1.recoverAuthAfter401)();
+                await ensureServerSession();
+                const newToken = await getAccessToken();
+                const retryHeaders = {
+                    'Content-Type': 'application/json',
+                    Authorization: `Bearer ${newToken}`,
+                };
+                if (mcpSessionId) {
+                    retryHeaders['Mcp-Session-Id'] = mcpSessionId;
+                }
+                const retryResponse = await fetch(API_URL, {
+                    method: 'POST',
+                    headers: retryHeaders,
+                    body: JSON.stringify(request),
+                });
+                const retrySessionId = retryResponse.headers.get('Mcp-Session-Id');
+                if (retrySessionId) {
+                    mcpSessionId = retrySessionId;
+                }
+                if (!retryResponse.ok) {
+                    const text = await retryResponse.text();
+                    sendError(id, -32000, `HTTP ${retryResponse.status}: ${text}`);
+                    return;
+                }
+                const rpcResponse = (await retryResponse.json());
+                await processAndSendResponse(rpcResponse, request);
+                return;
+            }
             if (!response.ok) {
                 const text = await response.text();
                 sendError(id, -32000, `HTTP ${response.status}: ${text}`);
                 return;
             }
             const rpcResponse = (await response.json());
-            // Try to save the image locally if there's an imageUrl in the result
-            if (rpcResponse.result) {
-                const result = rpcResponse.result;
-                if (result.content?.[0]?.type === 'text' && result.content[0].text) {
-                    try {
-                        const renderResult = JSON.parse(result.content[0].text);
-                        if (renderResult.imageUrl) {
-                            // Extract diagram code from request params for title extraction
-                            const params = request.params;
-                            const diagramCode = params?.arguments?.code;
-                            const localPath = await saveImageLocally(renderResult.imageUrl, diagramCode);
-                            if (localPath) {
-                                renderResult.localPath = localPath;
-                                result.content[0].text = JSON.stringify(renderResult);
-                            }
-                        }
-                    }
-                    catch {
-                        // If parsing fails, just return the original response
-                    }
-                }
-            }
-            sendResponse(rpcResponse);
+            await processAndSendResponse(rpcResponse, request);
         }
         catch (error) {
             const message = error instanceof Error ? error.message : 'Unknown error';
@@ -218,10 +388,32 @@ async function handleRequest(request) {
         }
         return;
     }
-    // Unknown method
     sendError(id, -32601, `Method not found: ${request.method}`);
 }
-function main() {
+async function processAndSendResponse(rpcResponse, request) {
+    if (rpcResponse.result) {
+        const result = rpcResponse.result;
+        if (result.content?.[0]?.type === 'text' && result.content[0].text) {
+            try {
+                const renderResult = JSON.parse(result.content[0].text);
+                if (renderResult.imageUrl) {
+                    const params = request.params;
+                    const diagramCode = params?.arguments?.code;
+                    const localPath = await saveImageLocally(renderResult.imageUrl, diagramCode);
+                    if (localPath) {
+                        renderResult.localPath = localPath;
+                        result.content[0].text = JSON.stringify(renderResult);
+                    }
+                }
+            }
+            catch {
+                // If parsing fails, just return the original response
+            }
+        }
+    }
+    sendResponse(rpcResponse);
+}
+function runStdioServer() {
     const rl = readline.createInterface({
         input: process.stdin,
         output: process.stdout,
@@ -246,10 +438,31 @@ function main() {
     rl.on('close', () => {
         process.exit(0);
     });
-    // Prevent unhandled promise rejections from crashing
     process.on('unhandledRejection', (error) => {
         const message = error instanceof Error ? error.message : 'Unknown error';
         sendError(null, -32000, `Unhandled error: ${message}`);
     });
 }
-main();
+async function main() {
+    const args = process.argv.slice(2);
+    const command = args[0];
+    switch (command) {
+        case 'login':
+            await (0, flow_1.performLogin)();
+            break;
+        case 'logout':
+            (0, flow_1.logout)();
+            break;
+        case 'whoami':
+            await (0, flow_1.whoami)();
+            break;
+        default:
+            // Default: run as MCP stdio server
+            runStdioServer();
+            break;
+    }
+}
+main().catch((err) => {
+    console.error(`Fatal error: ${err.message}`);
+    process.exit(1);
+});