@mseep/affine-mcp-server 2.3.0

package/dist/markdown/render.js

@@ -0,0 +1,227 @@
+function addWarning(state, warning) {
+    if (!state.warningSet.has(warning)) {
+        state.warningSet.add(warning);
+        state.warnings.push(warning);
+    }
+}
+function formatQuote(text) {
+    const lines = text.split("\n");
+    return lines.map(line => `> ${line}`);
+}
+function formatCallout(lines) {
+    return [
+        "> [!NOTE]",
+        ...lines.map(line => line.length > 0 ? `> ${line}` : ">"),
+    ];
+}
+function escapePipe(value) {
+    return value.replace(/\|/g, "\\|");
+}
+function renderTable(tableData) {
+    if (tableData.length === 0) {
+        return ["| |", "| --- |"];
+    }
+    const columns = tableData.reduce((max, row) => Math.max(max, row.length), 0);
+    if (columns === 0) {
+        return ["| |", "| --- |"];
+    }
+    const normalized = tableData.map(row => {
+        const copy = [...row];
+        while (copy.length < columns) {
+            copy.push("");
+        }
+        return copy;
+    });
+    const header = normalized[0].map(escapePipe);
+    const separator = new Array(columns).fill("---");
+    const body = normalized.slice(1).map(row => `| ${row.map(cell => escapePipe(cell ?? "")).join(" | ")} |`);
+    return [
+        `| ${header.join(" | ")} |`,
+        `| ${separator.join(" | ")} |`,
+        ...body,
+    ];
+}
+function childList(block) {
+    return Array.isArray(block.childIds) ? block.childIds : [];
+}
+function renderBlock(blockId, listDepth, state) {
+    if (state.visited.has(blockId)) {
+        return { lines: [], isList: false };
+    }
+    state.visited.add(blockId);
+    const block = state.blocksById.get(blockId);
+    if (!block) {
+        state.unsupportedCount += 1;
+        addWarning(state, `Missing block '${blockId}' while exporting markdown.`);
+        return { lines: [], isList: false };
+    }
+    const text = (block.text ?? "").trim();
+    const flavour = block.flavour ?? "";
+    const type = block.type ?? "";
+    const children = childList(block);
+    switch (flavour) {
+        case "affine:paragraph": {
+            let lines = [];
+            if (/^h[1-6]$/.test(type)) {
+                const level = Number(type.slice(1));
+                lines = [`${"#".repeat(level)} ${text}`.trimEnd()];
+            }
+            else if (type === "quote") {
+                lines = formatQuote(text);
+            }
+            else {
+                lines = [text];
+            }
+            for (const childId of children) {
+                const child = renderBlock(childId, listDepth, state);
+                if (child.lines.length > 0) {
+                    lines.push(...child.lines);
+                }
+            }
+            return { lines: lines.filter(line => line.length > 0), isList: false };
+        }
+        case "affine:list": {
+            const indent = "  ".repeat(Math.max(0, listDepth));
+            const style = type === "numbered" ? "numbered" : type === "todo" ? "todo" : "bulleted";
+            const marker = style === "numbered"
+                ? "1."
+                : style === "todo"
+                    ? block.checked
+                        ? "- [x]"
+                        : "- [ ]"
+                    : "-";
+            const lines = [`${indent}${marker}${text ? ` ${text}` : ""}`];
+            for (const childId of children) {
+                const child = state.blocksById.get(childId);
+                const nextDepth = child?.flavour === "affine:list" ? listDepth + 1 : listDepth;
+                const rendered = renderBlock(childId, nextDepth, state);
+                if (rendered.lines.length > 0) {
+                    lines.push(...rendered.lines);
+                }
+            }
+            return { lines, isList: true };
+        }
+        case "affine:code": {
+            const language = block.language ?? "";
+            const lines = [`\`\`\`${language}`, block.text ?? "", "\`\`\`"];
+            return { lines, isList: false };
+        }
+        case "affine:divider":
+            return { lines: ["---"], isList: false };
+        case "affine:bookmark":
+        case "affine:embed-youtube":
+        case "affine:embed-github":
+        case "affine:embed-figma":
+        case "affine:embed-loom":
+        case "affine:embed-iframe": {
+            const url = (block.url ?? "").trim();
+            if (!url) {
+                state.unsupportedCount += 1;
+                addWarning(state, `Bookmark/embed block '${blockId}' had no URL and was skipped.`);
+                return { lines: [], isList: false };
+            }
+            const label = (block.caption ?? "").trim() || text || url;
+            return { lines: [`[${label}](${url})`], isList: false };
+        }
+        case "affine:image": {
+            const source = (block.sourceId ?? "").trim();
+            if (!source) {
+                state.unsupportedCount += 1;
+                addWarning(state, `Image block '${blockId}' had no sourceId and was skipped.`);
+                return { lines: [], isList: false };
+            }
+            const alt = (block.caption ?? "").trim() || "image";
+            return { lines: [`![${alt}](affine://blob/${source})`], isList: false };
+        }
+        case "affine:table": {
+            if (!block.tableData || block.tableData.length === 0) {
+                state.unsupportedCount += 1;
+                addWarning(state, `Table block '${blockId}' had no readable cell data.`);
+                return { lines: ["| |", "| --- |"], isList: false };
+            }
+            return {
+                lines: renderTable(block.tableData),
+                isList: false,
+            };
+        }
+        case "affine:callout": {
+            const contentLines = [];
+            for (const childId of children) {
+                const child = renderBlock(childId, listDepth, state);
+                if (child.lines.length > 0) {
+                    if (contentLines.length > 0 && !child.isList) {
+                        contentLines.push("");
+                    }
+                    contentLines.push(...child.lines);
+                }
+            }
+            if (contentLines.length === 0 && text.length > 0) {
+                contentLines.push(text);
+            }
+            return {
+                lines: formatCallout(contentLines),
+                isList: false,
+            };
+        }
+        case "affine:note":
+        case "affine:page":
+        case "affine:surface": {
+            const chunks = [];
+            for (const childId of children) {
+                const child = renderBlock(childId, listDepth, state);
+                if (child.lines.length > 0) {
+                    if (chunks.length > 0 && !child.isList) {
+                        chunks.push("");
+                    }
+                    chunks.push(...child.lines);
+                }
+            }
+            return { lines: chunks, isList: false };
+        }
+        default: {
+            state.unsupportedCount += 1;
+            addWarning(state, `Unsupported AFFiNE block flavour '${flavour || "unknown"}' was exported as a comment placeholder.`);
+            return {
+                lines: [`<!-- unsupported: flavour=${flavour || "unknown"} blockId=${blockId} -->`],
+                isList: false,
+            };
+        }
+    }
+}
+export function renderBlocksToMarkdown(input) {
+    const state = {
+        blocksById: input.blocksById,
+        warnings: [],
+        warningSet: new Set(),
+        unsupportedCount: 0,
+        visited: new Set(),
+    };
+    const chunks = [];
+    for (const rootId of input.rootBlockIds) {
+        const rendered = renderBlock(rootId, 0, state);
+        if (rendered.lines.length > 0) {
+            chunks.push(rendered);
+        }
+    }
+    const lines = [];
+    for (let i = 0; i < chunks.length; i += 1) {
+        const chunk = chunks[i];
+        if (i > 0) {
+            const previous = chunks[i - 1];
+            const shouldInsertBlank = !(previous.isList && chunk.isList);
+            if (shouldInsertBlank) {
+                lines.push("");
+            }
+        }
+        lines.push(...chunk.lines);
+    }
+    return {
+        markdown: lines.join("\n").trimEnd(),
+        warnings: state.warnings,
+        lossy: state.unsupportedCount > 0,
+        stats: {
+            blockCount: state.visited.size,
+            unsupportedCount: state.unsupportedCount,
+        },
+    };
+}

package/dist/markdown/types.js

@@ -0,0 +1 @@
+export {};

package/dist/oauth.js

@@ -0,0 +1,154 @@
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { discoverAuthorizationServerMetadata } from "@modelcontextprotocol/sdk/client/auth.js";
+const ALLOWED_JWT_ALGORITHMS = [
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512",
+    "ES256",
+    "ES384",
+    "ES512",
+    "EdDSA",
+];
+const metadataCache = new Map();
+const jwksCache = new Map();
+function isLoopbackHostname(hostname) {
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+export function isLoopbackUrl(url) {
+    try {
+        return isLoopbackHostname(new URL(url).hostname);
+    }
+    catch {
+        return false;
+    }
+}
+export function getOAuthResourceUrl(publicBaseUrl) {
+    const normalized = publicBaseUrl.replace(/\/$/, "");
+    return normalized.endsWith("/mcp") ? normalized : `${normalized}/mcp`;
+}
+export function getOAuthProtectedResourceMetadataUrl(publicBaseUrl) {
+    return `${publicBaseUrl.replace(/\/$/, "")}/.well-known/oauth-protected-resource`;
+}
+export function getOAuthProtectedResourceMetadataPaths(publicBaseUrl) {
+    const primaryPath = new URL(getOAuthProtectedResourceMetadataUrl(publicBaseUrl)).pathname;
+    const resourcePath = new URL(getOAuthResourceUrl(publicBaseUrl)).pathname;
+    const aliasPath = `/.well-known/oauth-protected-resource${resourcePath === "/" ? "" : resourcePath}`;
+    return [...new Set([primaryPath, aliasPath])];
+}
+export function buildOAuthProtectedResourceMetadata(config) {
+    return {
+        resource: getOAuthResourceUrl(config.publicBaseUrl),
+        authorization_servers: [config.issuerUrl],
+        scopes_supported: config.scopes,
+    };
+}
+export function validateOAuthConfig(config, opts) {
+    if (opts.allowAnyOrigin) {
+        throw new Error("AFFINE_MCP_HTTP_ALLOW_ALL_ORIGINS=true is not allowed when AFFINE_MCP_AUTH_MODE=oauth.");
+    }
+    if (opts.httpAuthToken) {
+        throw new Error("AFFINE_MCP_HTTP_TOKEN is not allowed when AFFINE_MCP_AUTH_MODE=oauth.");
+    }
+    const publicUrl = new URL(config.publicBaseUrl);
+    const issuerUrl = new URL(config.issuerUrl);
+    if (publicUrl.protocol !== "https:" && !isLoopbackHostname(publicUrl.hostname)) {
+        throw new Error("AFFINE_MCP_PUBLIC_BASE_URL must use HTTPS for non-local OAuth deployments.");
+    }
+    if (issuerUrl.protocol !== "https:" && !isLoopbackHostname(issuerUrl.hostname)) {
+        throw new Error("AFFINE_OAUTH_ISSUER_URL must use HTTPS for non-local OAuth deployments.");
+    }
+}
+function buildAudienceList(config) {
+    const publicBaseUrl = config.publicBaseUrl.replace(/\/$/, "");
+    const resourceUrl = getOAuthResourceUrl(config.publicBaseUrl);
+    return [...new Set([publicBaseUrl, resourceUrl])];
+}
+function getScopesFromPayload(payload) {
+    const scopes = new Set();
+    if (typeof payload.scope === "string") {
+        for (const scope of payload.scope.split(/\s+/).map((entry) => entry.trim()).filter(Boolean)) {
+            scopes.add(scope);
+        }
+    }
+    const scp = payload.scp;
+    if (typeof scp === "string") {
+        for (const scope of scp.split(/\s+/).map((entry) => entry.trim()).filter(Boolean)) {
+            scopes.add(scope);
+        }
+    }
+    else if (Array.isArray(scp)) {
+        for (const scope of scp) {
+            if (typeof scope === "string" && scope.trim()) {
+                scopes.add(scope.trim());
+            }
+        }
+    }
+    return [...scopes];
+}
+async function loadAuthorizationServerMetadata(issuerUrl) {
+    let pending = metadataCache.get(issuerUrl);
+    if (!pending) {
+        pending = (async () => {
+            const discovered = await discoverAuthorizationServerMetadata(new URL(issuerUrl));
+            if (!discovered?.issuer || typeof discovered.issuer !== "string") {
+                throw new Error(`Could not discover authorization server metadata from ${issuerUrl}`);
+            }
+            if (!("jwks_uri" in discovered) || typeof discovered.jwks_uri !== "string" || !discovered.jwks_uri) {
+                throw new Error(`Authorization server metadata from ${issuerUrl} did not provide jwks_uri`);
+            }
+            return {
+                issuer: discovered.issuer,
+                jwks_uri: discovered.jwks_uri,
+            };
+        })();
+        metadataCache.set(issuerUrl, pending);
+    }
+    return pending;
+}
+export async function probeOAuthReadiness(config) {
+    const metadata = await loadAuthorizationServerMetadata(config.issuerUrl);
+    if (!metadata.jwks_uri) {
+        throw new Error("Authorization server metadata is missing jwks_uri");
+    }
+    return {
+        issuer: metadata.issuer,
+        jwksUri: metadata.jwks_uri,
+    };
+}
+function getJwks(metadata) {
+    if (!metadata.jwks_uri) {
+        throw new Error("Authorization server metadata is missing jwks_uri");
+    }
+    let jwks = jwksCache.get(metadata.jwks_uri);
+    if (!jwks) {
+        jwks = createRemoteJWKSet(new URL(metadata.jwks_uri));
+        jwksCache.set(metadata.jwks_uri, jwks);
+    }
+    return jwks;
+}
+export async function verifyOAuthAccessToken(token, config) {
+    const metadata = await loadAuthorizationServerMetadata(config.issuerUrl);
+    const { payload } = await jwtVerify(token, getJwks(metadata), {
+        issuer: metadata.issuer,
+        audience: buildAudienceList(config),
+        algorithms: [...ALLOWED_JWT_ALGORITHMS],
+        clockTolerance: config.clockSkewSeconds,
+    });
+    if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
+        throw new Error("Token does not include a valid exp claim");
+    }
+    const scopes = getScopesFromPayload(payload);
+    return {
+        clientId: typeof payload.client_id === "string"
+            ? payload.client_id
+            : typeof payload.azp === "string"
+                ? payload.azp
+                : null,
+        expiresAt: payload.exp,
+        scopes,
+        subject: typeof payload.sub === "string" ? payload.sub : null,
+    };
+}

package/dist/sse.js

@@ -0,0 +1,261 @@
+import { randomUUID } from "node:crypto";
+import express from "express";
+import cors from "cors";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { registerHttpDiagnosticsRoutes } from "./httpDiagnostics.js";
+import { createHttpAuthState, registerHttpAuthRoutes } from "./httpAuth.js";
+export async function startHttpMcpServer(createMcpServer, port, config) {
+    // --- HTTP host binding ---
+    // AFFINE_MCP_HTTP_HOST: network interface to bind (default: "127.0.0.1" — loopback only).
+    // Set to "0.0.0.0" for Docker / remote deployments (Render, Railway, etc.).
+    const host = (process.env.AFFINE_MCP_HTTP_HOST || "127.0.0.1").trim();
+    // --- Bearer Token guard (AFFINE_MCP_HTTP_TOKEN) ---
+    // When set, all requests to /mcp, /sse and /messages must include:
+    //   Authorization: Bearer <token>   OR   ?token=<token> (fallback for limited clients)
+    // When the server is bound to 0.0.0.0 without a token, a startup warning is emitted.
+    const httpAuthToken = process.env.AFFINE_MCP_HTTP_TOKEN?.trim();
+    if (!httpAuthToken && host === "0.0.0.0") {
+        console.warn("[affine-mcp] WARNING: HTTP MCP server is bound to 0.0.0.0 without AFFINE_MCP_HTTP_TOKEN. " +
+            "The endpoint is unprotected. Set AFFINE_MCP_HTTP_TOKEN for public deployments.");
+    }
+    // Use a plain Express app here so it can fully control JSON parser ordering/limits.
+    // `createMcpExpressApp()` installs its own JSON parser first, which can enforce
+    // a smaller default limit before the intended 50mb parser runs on /mcp.
+    const app = express();
+    const jsonBody = express.json({ limit: "50mb" });
+    // --- CORS origin allowlist ---
+    // AFFINE_MCP_HTTP_ALLOWED_ORIGINS: comma-separated list, e.g. "https://app.example.com,http://localhost:3000".
+    // AFFINE_MCP_HTTP_ALLOW_ALL_ORIGINS=true: explicit opt-in to allow any origin (use with caution).
+    // Default (no env set): only loopback addresses (localhost / 127.0.0.1 / ::1) are allowed.
+    //
+    // CORS is applied per-route (/mcp, /sse, /messages) — not globally — to minimise attack surface.
+    const allowAnyOrigin = process.env.AFFINE_MCP_HTTP_ALLOW_ALL_ORIGINS === "true";
+    const allowedOrigins = (process.env.AFFINE_MCP_HTTP_ALLOWED_ORIGINS || "")
+        .split(",")
+        .map((o) => o.trim())
+        .filter(Boolean);
+    // Returns true if origin is a loopback address (http or https, any port).
+    const isLoopbackOrigin = (origin) => {
+        try {
+            const { protocol, hostname } = new URL(origin);
+            if (protocol !== "http:" && protocol !== "https:")
+                return false;
+            return (hostname === "localhost" ||
+                hostname === "127.0.0.1" ||
+                hostname === "::1");
+        }
+        catch {
+            return false;
+        }
+    };
+    const corsOptions = {
+        origin: (origin, callback) => {
+            // Non-browser clients (curl, MCP Inspector, server-to-server) send no Origin header.
+            // CORS is a browser mechanism only; the token guard covers programmatic access.
+            if (!origin)
+                return callback(null, true);
+            if (allowAnyOrigin)
+                return callback(null, true);
+            const allowed = allowedOrigins.length > 0
+                ? allowedOrigins.includes(origin)
+                : isLoopbackOrigin(origin);
+            return allowed
+                ? callback(null, true)
+                : callback(new Error("Origin not allowed"));
+        },
+        methods: ["GET", "POST", "DELETE", "OPTIONS"],
+        allowedHeaders: ["Content-Type", "Authorization", "mcp-session-id"],
+        exposedHeaders: ["mcp-session-id"],
+    };
+    // Wraps cors() to return an explicit 403 on rejected origins (rather than silently
+    // withholding CORS headers, which still lets the request reach the handler).
+    const corsMiddleware = (req, res, next) => {
+        cors(corsOptions)(req, res, (err) => {
+            if (err) {
+                if (!res.headersSent)
+                    res.status(403).send("Forbidden: Origin not allowed");
+                return;
+            }
+            if (res.headersSent || res.writableEnded)
+                return;
+            next();
+        });
+    };
+    const authState = createHttpAuthState(config, { allowAnyOrigin, httpAuthToken });
+    // Validates the Bearer token on all non-preflight requests.
+    // The auth scheme match is case-insensitive for client compatibility.
+    // OPTIONS is allowed through so CORS preflight can complete before auth is checked.
+    const { authMiddleware } = authState;
+    registerHttpAuthRoutes(app, authState, corsMiddleware);
+    registerHttpDiagnosticsRoutes(app, config, authState, corsMiddleware);
+    // Explicit preflight handlers for the legacy SSE routes.
+    app.options("/sse", corsMiddleware);
+    app.options("/messages", corsMiddleware);
+    const transports = {};
+    // ===========================================================================
+    // STREAMABLE HTTP TRANSPORT — MCP protocol 2025-03-26
+    // Single endpoint /mcp (GET / POST / DELETE) replaces the old two-endpoint SSE
+    // pattern. Use this for all new integrations.
+    // ===========================================================================
+    app.all("/mcp", corsMiddleware, authMiddleware, async (req, res) => {
+        console.error(`[affine-mcp] Received ${req.method} request to /mcp`);
+        try {
+            // mcp-session-id header can technically be string | string[]; normalise.
+            const sidHeader = req.headers["mcp-session-id"];
+            const sessionId = Array.isArray(sidHeader) ? sidHeader[0] : sidHeader;
+            let transport;
+            const existing = sessionId ? transports[sessionId] : undefined;
+            if (existing instanceof StreamableHTTPServerTransport) {
+                transport = existing;
+            }
+            else if (!sessionId && req.method === "POST") {
+                // Parse body only for the initialize POST (lazy — avoids consuming the stream early).
+                await new Promise((resolve, reject) => {
+                    jsonBody(req, res, (err) => (err ? reject(err) : resolve()));
+                });
+                if (!isInitializeRequest(req.body)) {
+                    res.status(400).json({
+                        jsonrpc: "2.0",
+                        error: {
+                            code: -32000,
+                            message: "Bad Request: Not an initialize request",
+                        },
+                        id: null,
+                    });
+                    return;
+                }
+                transport = new StreamableHTTPServerTransport({
+                    sessionIdGenerator: () => randomUUID(),
+                    onsessioninitialized: (sid) => {
+                        console.error(`[affine-mcp] StreamableHTTP session initialized: ${sid}`);
+                        transports[sid] = transport;
+                    },
+                });
+                transport.onclose = () => {
+                    const sid = transport.sessionId;
+                    if (sid && transports[sid]) {
+                        console.error(`[affine-mcp] StreamableHTTP session closed: ${sid}`);
+                        delete transports[sid];
+                    }
+                };
+                const server = await createMcpServer();
+                await server.connect(transport);
+            }
+            else {
+                res.status(400).json({
+                    jsonrpc: "2.0",
+                    error: {
+                        code: -32000,
+                        message: "Bad Request: No valid session ID or not an initialize request",
+                    },
+                    id: null,
+                });
+                return;
+            }
+            // Ensure JSON body is available for subsequent POST requests within the session.
+            if (req.method === "POST" && req.body === undefined) {
+                await new Promise((resolve, reject) => {
+                    jsonBody(req, res, (err) => (err ? reject(err) : resolve()));
+                });
+            }
+            await transport.handleRequest(req, res, req.body);
+        }
+        catch (e) {
+            console.error("[affine-mcp] Error handling /mcp request:", e);
+            if (!res.headersSent) {
+                res.status(500).json({
+                    jsonrpc: "2.0",
+                    error: { code: -32603, message: "Internal server error" },
+                    id: null,
+                });
+            }
+        }
+    });
+    // ===========================================================================
+    // LEGACY HTTP+SSE TRANSPORT — MCP protocol 2024-11-05
+    // Kept for backward compatibility with older MCP clients that have not yet
+    // migrated to the Streamable HTTP transport above.
+    // @deprecated — SSEServerTransport is deprecated by the SDK; use /mcp for new clients.
+    // ===========================================================================
+    app.get("/sse", corsMiddleware, authMiddleware, async (req, res) => {
+        try {
+            // @ts-ignore — intentional: SSEServerTransport retained for backward compat only
+            const transport = new SSEServerTransport("/messages", res);
+            const sessionId = transport.sessionId;
+            transports[sessionId] = transport;
+            res.on("close", () => {
+                console.error(`[affine-mcp] Legacy SSE session closed: ${sessionId}`);
+                delete transports[sessionId];
+            });
+            const server = await createMcpServer();
+            await server.connect(transport);
+            console.error(`[affine-mcp] Legacy SSE session established: ${sessionId}`);
+        }
+        catch (e) {
+            console.error("[affine-mcp] Error establishing legacy SSE stream:", e);
+            if (!res.headersSent)
+                res.status(500).send("Error establishing SSE stream");
+        }
+    });
+    app.post("/messages", corsMiddleware, authMiddleware, jsonBody, async (req, res) => {
+        const sessionId = typeof req.query.sessionId === "string"
+            ? req.query.sessionId
+            : undefined;
+        if (!sessionId) {
+            res.status(400).send("Missing sessionId parameter");
+            return;
+        }
+        const transport = transports[sessionId];
+        if (!(transport instanceof SSEServerTransport)) {
+            res.status(400).json({
+                jsonrpc: "2.0",
+                error: {
+                    code: -32000,
+                    message: "Bad Request: Session uses a different transport protocol",
+                },
+                id: null,
+            });
+            return;
+        }
+        try {
+            // @ts-ignore — intentional: SSEServerTransport retained for backward compat only
+            await transport.handlePostMessage(req, res, req.body);
+        }
+        catch (e) {
+            console.error("[affine-mcp] Error handling legacy SSE message:", e);
+            if (!res.headersSent)
+                res.status(500).send("Error handling POST message");
+        }
+    });
+    const server = app.listen(port, host, () => {
+        const displayHost = host === "0.0.0.0" ? "localhost" : host;
+        console.error(`[affine-mcp] MCP server listening on ${host}:${port}`);
+        console.error(`[affine-mcp] Streamable HTTP (2025-03-26): http://${displayHost}:${port}/mcp`);
+        console.error(`[affine-mcp] Legacy SSE     (2024-11-05): http://${displayHost}:${port}/sse`);
+        console.error(`[affine-mcp] Diagnostics: http://${displayHost}:${port}/healthz`);
+        console.error(`[affine-mcp] Readiness:   http://${displayHost}:${port}/readyz`);
+        if (authState.protectedResourceMetadataUrl) {
+            console.error(`[affine-mcp] Protected resource metadata: ${authState.protectedResourceMetadataUrl}`);
+        }
+    });
+    // Graceful shutdown: stop accepting new connections, then close active transports.
+    const shutdown = async (signal) => {
+        console.error(`[affine-mcp] ${signal} received - shutting down gracefully`);
+        server.close(() => {
+            void (async () => {
+                for (const sessionId in transports) {
+                    try {
+                        await transports[sessionId].close();
+                    }
+                    catch { }
+                    delete transports[sessionId];
+                }
+                process.exit(0);
+            })();
+        });
+    };
+    process.on("SIGINT", () => void shutdown("SIGINT"));
+    process.on("SIGTERM", () => void shutdown("SIGTERM"));
+}