affine-mcp-server 1.4.0 → 1.6.0

package/README.md

@@ -2,7 +2,7 @@
 
 A Model Context Protocol (MCP) server that integrates with AFFiNE (self‑hosted or cloud). It exposes AFFiNE workspaces and documents to AI assistants over stdio.
 
-[![Version](https://img.shields.io/badge/version-1.4.0-blue)](https://github.com/dawncr0w/affine-mcp-server/releases)
+[![Version](https://img.shields.io/badge/version-1.6.0-blue)](https://github.com/dawncr0w/affine-mcp-server/releases)
 [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-1.17.2-green)](https://github.com/modelcontextprotocol/typescript-sdk)
 [![CI](https://github.com/dawncr0w/affine-mcp-server/actions/workflows/ci.yml/badge.svg)](https://github.com/dawncr0w/affine-mcp-server/actions/workflows/ci.yml)
 [![License](https://img.shields.io/badge/license-MIT-yellow)](LICENSE)
@@ -16,15 +16,16 @@ A Model Context Protocol (MCP) server that integrates with AFFiNE (self‑hosted
 - Purpose: Manage AFFiNE workspaces and documents through MCP
 - Transport: stdio only (Claude Desktop / Codex compatible)
 - Auth: Token, Cookie, or Email/Password (priority order)
-- Tools: 32 focused tools with WebSocket-based document editing
+- Tools: 43 focused tools with WebSocket-based document editing
 - Status: Active
  
-> New in v1.4.0: Added `read_doc` for document content snapshots (blocks + plain text), plus Cursor setup/troubleshooting guidance.
+> New in v1.6.0: Added tag workflows, markdown import/export/replace workflows, and direct database editing tools (`add_database_column`, `add_database_row`) with end-to-end validation coverage.
 
 ## Features
 
 - Workspace: create (with initial doc), read, update, delete
-- Documents: list/get/read/publish/revoke + create/append paragraph/delete (WebSocket‑based)
+- Documents: list/get/read/publish/revoke + create/append/replace/delete + markdown import/export + tags (WebSocket‑based)
+- Database workflows: create database blocks, then add columns/rows via MCP tools
 - Comments: full CRUD and resolve
 - Version History: list
 - Users & Tokens: current user, sign in, profile/settings, and personal access tokens
@@ -53,7 +54,51 @@ Note: From v1.2.2+ the CLI wrapper (`bin/affine-mcp`) ensures Node runs the ESM
 
 ## Configuration
 
-Configure via environment variables (shell or app config). `.env` files are no longer recommended.
+### Interactive login (recommended)
+
+The easiest way to configure credentials:
+
+```bash
+npm i -g affine-mcp-server
+affine-mcp login
+```
+
+This stores credentials in `~/.config/affine-mcp/config` (mode 600). The MCP server reads them automatically — no environment variables needed.
+
+**AFFiNE Cloud** (`app.affine.pro`): you'll be prompted to paste an API token from Settings → Integrations → MCP Server.
+
+**Self-hosted instances**: you can choose between email/password (recommended — auto-generates an API token) or pasting a token manually.
+
+```
+$ affine-mcp login
+Affine MCP Server — Login
+
+Affine URL [https://app.affine.pro]: https://my-affine.example.com
+
+Auth method — [1] Email/password (recommended)  [2] Paste API token: 1
+Email: user@example.com
+Password: ****
+Signing in...
+✓ Signed in as: User Name <user@example.com>
+
+Generating API token...
+✓ Created token: ut_abc123... (name: affine-mcp-2026-02-18)
+
+Detecting workspaces...
+  Found 1 workspace: abc-def-123  (by User Name, 1 member, 2/10/2026)
+  Auto-selected.
+
+✓ Saved to /home/user/.config/affine-mcp/config (mode 600)
+The MCP server will use these credentials automatically.
+```
+
+Other CLI commands:
+- `affine-mcp status` — show current config and test connection
+- `affine-mcp logout` — remove stored credentials
+
+### Environment variables
+
+You can also configure via environment variables (they override the config file):
 
 - Required: `AFFINE_BASE_URL`
 - Auth (choose one): `AFFINE_API_TOKEN` | `AFFINE_COOKIE` | `AFFINE_EMAIL` + `AFFINE_PASSWORD`
@@ -62,8 +107,42 @@ Configure via environment variables (shell or app config). `.env` files are no l
 Authentication priority:
 1) `AFFINE_API_TOKEN` → 2) `AFFINE_COOKIE` → 3) `AFFINE_EMAIL` + `AFFINE_PASSWORD`
 
+> **Cloudflare note**: `AFFINE_EMAIL`/`AFFINE_PASSWORD` auth requires programmatic access to `/api/auth/sign-in`. AFFiNE Cloud (`app.affine.pro`) is behind Cloudflare, which blocks these requests. Use `AFFINE_API_TOKEN` for cloud, or use `affine-mcp login` which handles this automatically. Email/password works for self-hosted instances without Cloudflare.
+
 ## Quick Start
 
+### Claude Code
+
+After running `affine-mcp login`, add to your project's `.mcp.json`:
+
+```json
+{
+  "mcpServers": {
+    "affine": {
+      "command": "affine-mcp"
+    }
+  }
+}
+```
+
+No `env` block needed — the server reads `~/.config/affine-mcp/config` automatically.
+
+If you prefer explicit env vars instead of the config file:
+
+```json
+{
+  "mcpServers": {
+    "affine": {
+      "command": "affine-mcp",
+      "env": {
+        "AFFINE_BASE_URL": "https://app.affine.pro",
+        "AFFINE_API_TOKEN": "ut_xxx"
+      }
+    }
+  }
+}
+```
+
 ### Claude Desktop
 
 Add to your Claude Desktop configuration:
@@ -78,7 +157,23 @@ Add to your Claude Desktop configuration:
     "affine": {
       "command": "affine-mcp",
       "env": {
-        "AFFINE_BASE_URL": "https://your-affine-instance.com",
+        "AFFINE_BASE_URL": "https://app.affine.pro",
+        "AFFINE_API_TOKEN": "ut_xxx"
+      }
+    }
+  }
+}
+```
+
+Or with email/password for self-hosted instances (not supported on AFFiNE Cloud — see Cloudflare note above):
+
+```json
+{
+  "mcpServers": {
+    "affine": {
+      "command": "affine-mcp",
+      "env": {
+        "AFFINE_BASE_URL": "https://your-self-hosted-affine.com",
         "AFFINE_EMAIL": "you@example.com",
         "AFFINE_PASSWORD": "secret!",
         "AFFINE_LOGIN_AT_START": "async"
@@ -89,28 +184,21 @@ Add to your Claude Desktop configuration:
 ```
 
 Tips
-- Prefer `AFFINE_COOKIE` or `AFFINE_API_TOKEN` for zero‑latency startup.
+- Prefer `affine-mcp login` or `AFFINE_API_TOKEN` for zero‑latency startup.
 - If your password contains `!` (zsh history expansion), wrap it in single quotes in shells or use the JSON config above.
 
 ### Codex CLI
 
 Register the MCP server with Codex:
 
-- Global install path (fastest)
-  - `npm i -g affine-mcp-server`
-  - `codex mcp add affine --env AFFINE_BASE_URL=https://your-affine-instance.com --env 'AFFINE_EMAIL=you@example.com' --env 'AFFINE_PASSWORD=secret!' --env AFFINE_LOGIN_AT_START=async -- affine-mcp`
-
-- Use npx (no global install)
-  - `codex mcp add affine --env AFFINE_BASE_URL=https://your-affine-instance.com --env 'AFFINE_EMAIL=you@example.com' --env 'AFFINE_PASSWORD=secret!' --env AFFINE_LOGIN_AT_START=async -- npx -y -p affine-mcp-server affine-mcp`
+- With config file (after `affine-mcp login`):
+  - `codex mcp add affine -- affine-mcp`
 
-- Token or cookie (no startup login)
-  - Token: `codex mcp add affine --env AFFINE_BASE_URL=https://... --env AFFINE_API_TOKEN=... -- affine-mcp`
-  - Cookie: `codex mcp add affine --env AFFINE_BASE_URL=https://... --env "AFFINE_COOKIE=affine_session=...; affine_csrf=..." -- affine-mcp`
+- With API token:
+  - `codex mcp add affine --env AFFINE_BASE_URL=https://app.affine.pro --env AFFINE_API_TOKEN=ut_xxx -- affine-mcp`
 
-Notes
-- MCP name: `affine`
-- Command: `affine-mcp`
-- Environment: `AFFINE_BASE_URL` + one auth method (`AFFINE_API_TOKEN` | `AFFINE_COOKIE` | `AFFINE_EMAIL`/`AFFINE_PASSWORD`)
+- With email/password (self-hosted only):
+  - `codex mcp add affine --env AFFINE_BASE_URL=https://your-self-hosted-affine.com --env 'AFFINE_EMAIL=you@example.com' --env 'AFFINE_PASSWORD=secret!' --env AFFINE_LOGIN_AT_START=async -- affine-mcp`
 
 ### Cursor
 
@@ -124,8 +212,8 @@ Project-local (`.cursor/mcp.json`) example:
     "affine": {
       "command": "affine-mcp",
       "env": {
-        "AFFINE_BASE_URL": "https://your-affine-instance.com",
-        "AFFINE_API_TOKEN": "apt_xxx"
+        "AFFINE_BASE_URL": "https://app.affine.pro",
+        "AFFINE_API_TOKEN": "ut_xxx"
       }
     }
   }
@@ -141,8 +229,8 @@ If you prefer `npx`:
       "command": "npx",
       "args": ["-y", "-p", "affine-mcp-server", "affine-mcp"],
       "env": {
-        "AFFINE_BASE_URL": "https://your-affine-instance.com",
-        "AFFINE_API_TOKEN": "apt_xxx"
+        "AFFINE_BASE_URL": "https://app.affine.pro",
+        "AFFINE_API_TOKEN": "ut_xxx"
       }
     }
   }
@@ -159,14 +247,25 @@ If you prefer `npx`:
 - `delete_workspace` – delete workspace permanently
 
 ### Documents
-- `list_docs` – list documents with pagination
+- `list_docs` – list documents with pagination (includes `node.tags`)
+- `list_tags` – list all tags in a workspace
+- `list_docs_by_tag` – list documents by tag
 - `get_doc` – get document metadata
 - `read_doc` – read document block content and plain text snapshot (WebSocket)
+- `export_doc_markdown` – export document content as markdown
 - `publish_doc` – make document public
 - `revoke_doc` – revoke public access
 - `create_doc` – create a new document (WebSocket)
+- `create_doc_from_markdown` – create a document from markdown content
+- `create_tag` – create a reusable workspace-level tag
+- `add_tag_to_doc` – attach a tag to a document
+- `remove_tag_from_doc` – detach a tag from a document
 - `append_paragraph` – append a paragraph block (WebSocket)
-- `append_block` – append slash-command style blocks (`heading/list/todo/code/divider/quote`)
+- `append_block` – append canonical block types (text/list/code/media/embed/database/edgeless) with strict validation and placement control (`data_view` currently falls back to database)
+- `add_database_column` – add a column to a database block (`rich-text`, `select`, `multi-select`, `number`, `checkbox`, `link`, `date`)
+- `add_database_row` – add a row to a database block with values mapped by column name/ID
+- `append_markdown` – append markdown content to an existing document
+- `replace_doc_with_markdown` – replace the main note content with markdown content
 - `delete_doc` – delete a document (WebSocket)
 
 ### Comments
@@ -210,13 +309,16 @@ npm run pack:check
 
 - `tool-manifest.json` is the source of truth for publicly exposed tool names.
 - CI validates that `registerTool(...)` declarations match the manifest exactly.
+- For full environment verification, run `npm run test:e2e` (Docker + MCP + Playwright).
+- Additional focused runners: `npm run test:db-create`, `npm run test:bearer`, `npm run test:playwright`.
 
 ## Troubleshooting
 
 Authentication
-- Email/Password: ensure your instance allows password auth and credentials are valid
+- **Cloudflare (403 "Just a moment...")**: AFFiNE Cloud (`app.affine.pro`) uses Cloudflare protection, which blocks programmatic sign-in via `/api/auth/sign-in`. Use `AFFINE_API_TOKEN` instead, or run `affine-mcp login` which guides you through the right method automatically. Email/password auth only works for self-hosted instances.
+- Email/Password: only works on self-hosted instances without Cloudflare. Ensure your instance allows password auth and credentials are valid.
 - Cookie: copy cookies (e.g., `affine_session`, `affine_csrf`) from the browser DevTools after login
-- Token: generate a personal access token; verify it hasn't expired
+- Token: generate a personal access token; verify it hasn't expired. Run `affine-mcp status` to test.
 - Startup timeouts: v1.2.2+ includes a CLI wrapper fix and default async login to avoid blocking the MCP handshake. Set `AFFINE_LOGIN_AT_START=sync` only if needed.
 
 Connection
@@ -243,6 +345,18 @@ Workspace visibility
 
 ## Version History
 
+### 1.6.0 (2026‑02‑24)
+- Added 11 document workflow tools: tags (`list_tags`, `list_docs_by_tag`, `create_tag`, `add_tag_to_doc`, `remove_tag_from_doc`), markdown roundtrip (`export_doc_markdown`, `create_doc_from_markdown`, `append_markdown`, `replace_doc_with_markdown`), and database operations (`add_database_column`, `add_database_row`)
+- Added interactive CLI commands: `affine-mcp login`, `affine-mcp status`, `affine-mcp logout`
+- Added Docker + Playwright E2E pipeline and CI workflow for auth/database regression checks
+- Tool surface increased from 32 to 43 canonical tools
+- Added release test commands (`test:e2e`, `test:db-create`, `test:bearer`, `test:playwright`) and package dependencies for markdown conversion + Playwright
+
+### 1.5.0 (2026‑02‑13)
+- Expanded `append_block` from Step1 to Step4 profiles: canonical text/list/code/divider/callout/latex/table/bookmark/media/embed plus `database`, `data_view`, `surface_ref`, `frame`, `edgeless_text`, `note` (`data_view` currently mapped to database for stability)
+- Added strict field validation and canonical parent enforcement for page/note/surface containers
+- Added local integration runner coverage for all 30 append_block cases against a live AFFINE server
+
 ### 1.4.0 (2026‑02‑13)
 - Added `read_doc` for reading document block snapshot + plain text
 - Added Cursor setup examples and troubleshooting notes for JSON-RPC method usage

package/dist/auth.js

@@ -1,4 +1,5 @@
 import { fetch } from "undici";
+const AUTH_FETCH_TIMEOUT_MS = 30_000;
 function extractCookiePairs(setCookies) {
     const pairs = [];
     for (const sc of setCookies) {
@@ -8,16 +9,38 @@ function extractCookiePairs(setCookies) {
     }
     return pairs.join("; ");
 }
+/** Reject cookie values containing CR/LF to prevent header injection. */
+function assertNoCRLF(value, label) {
+    if (/[\r\n]/.test(value)) {
+        throw new Error(`${label} contains illegal CR/LF characters`);
+    }
+}
 export async function loginWithPassword(baseUrl, email, password) {
     const url = `${baseUrl.replace(/\/$/, "")}/api/auth/sign-in`;
-    const res = await fetch(url, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ email, password })
-    });
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), AUTH_FETCH_TIMEOUT_MS);
+    let res;
+    try {
+        res = await fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ email, password }),
+            signal: controller.signal,
+        });
+    }
+    catch (err) {
+        if (err.name === "AbortError")
+            throw new Error(`Sign-in request timed out after ${AUTH_FETCH_TIMEOUT_MS / 1000}s`);
+        throw err;
+    }
+    finally {
+        clearTimeout(timer);
+    }
     if (!res.ok) {
-        const text = await res.text().catch(() => "");
-        throw new Error(`Sign-in failed: ${res.status} ${text}`);
+        const raw = await res.text().catch(() => "");
+        const sanitized = raw.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
+        const truncated = sanitized.length > 200 ? sanitized.slice(0, 200) + "..." : sanitized;
+        throw new Error(`Sign-in failed: ${res.status} ${truncated}`);
     }
     const anyHeaders = res.headers;
     let setCookies = [];
@@ -33,5 +56,6 @@ export async function loginWithPassword(baseUrl, email, password) {
         throw new Error("Sign-in succeeded but no Set-Cookie received");
     }
     const cookieHeader = extractCookiePairs(setCookies);
+    assertNoCRLF(cookieHeader, "Cookie header from sign-in");
     return { cookieHeader };
 }

package/dist/cli.js

@@ -0,0 +1,288 @@
+import { fetch } from "undici";
+import * as fs from "fs";
+import * as readline from "readline";
+import { CONFIG_FILE, loadConfigFile, writeConfigFile, validateBaseUrl, VERSION } from "./config.js";
+import { loginWithPassword } from "./auth.js";
+const CLI_FETCH_TIMEOUT_MS = 30_000;
+class CliError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "CliError";
+    }
+}
+function ask(prompt, hidden = false) {
+    if (hidden && process.stdin.isTTY) {
+        return readHidden(prompt);
+    }
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stderr,
+            terminal: process.stdin.isTTY ?? false,
+        });
+        rl.question(prompt, (answer) => {
+            rl.close();
+            resolve((answer || "").trim());
+        });
+    });
+}
+/** Read a line with echo disabled using raw-mode stdin (no private API hacks). */
+function readHidden(prompt) {
+    return new Promise((resolve, reject) => {
+        process.stderr.write(prompt);
+        const buf = [];
+        process.stdin.setRawMode(true);
+        process.stdin.resume();
+        process.stdin.setEncoding("utf8");
+        const onData = (ch) => {
+            switch (ch) {
+                case "\r":
+                case "\n":
+                    cleanup();
+                    process.stderr.write("\n");
+                    resolve(buf.join(""));
+                    break;
+                case "\u0003": // Ctrl-C
+                    cleanup();
+                    process.stderr.write("\n");
+                    reject(new CliError("Aborted."));
+                    break;
+                case "\u007F": // Backspace
+                case "\b":
+                    buf.pop();
+                    break;
+                default:
+                    buf.push(ch);
+            }
+        };
+        const cleanup = () => {
+            process.stdin.setRawMode(false);
+            process.stdin.pause();
+            process.stdin.removeListener("data", onData);
+        };
+        process.stdin.on("data", onData);
+    });
+}
+async function gql(baseUrl, auth, query, variables) {
+    const headers = {
+        "Content-Type": "application/json",
+        "User-Agent": `affine-mcp-server/${VERSION}`,
+    };
+    if (auth.token)
+        headers["Authorization"] = `Bearer ${auth.token}`;
+    if (auth.cookie)
+        headers["Cookie"] = auth.cookie;
+    const body = { query };
+    if (variables)
+        body.variables = variables;
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), CLI_FETCH_TIMEOUT_MS);
+    let res;
+    try {
+        res = await fetch(`${baseUrl}/graphql`, {
+            method: "POST",
+            headers,
+            body: JSON.stringify(body),
+            signal: controller.signal,
+        });
+    }
+    catch (err) {
+        if (err.name === "AbortError")
+            throw new Error(`Request timed out after ${CLI_FETCH_TIMEOUT_MS / 1000}s`);
+        throw err;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+    if (!res.ok)
+        throw new Error(`HTTP ${res.status}`);
+    const json = await res.json();
+    if (json.errors)
+        throw new Error(json.errors.map((e) => e.message).join("; "));
+    return json.data;
+}
+async function detectWorkspace(baseUrl, auth) {
+    console.error("Detecting workspaces...");
+    try {
+        const data = await gql(baseUrl, auth, `query {
+      workspaces {
+        id createdAt memberCount
+        owner { name }
+      }
+    }`);
+        const workspaces = data.workspaces;
+        if (workspaces.length === 0) {
+            console.error("  No workspaces found.");
+            return "";
+        }
+        const formatWs = (w) => {
+            const owner = w.owner?.name || "unknown";
+            const members = w.memberCount ?? 0;
+            const date = w.createdAt ? new Date(w.createdAt).toLocaleDateString() : "";
+            const membersStr = members === 1 ? "1 member" : `${members} members`;
+            return `${w.id}  (by ${owner}, ${membersStr}, ${date})`;
+        };
+        if (workspaces.length === 1) {
+            console.error(`  Found 1 workspace: ${formatWs(workspaces[0])}`);
+            console.error("  Auto-selected.");
+            return workspaces[0].id;
+        }
+        console.error(`  Found ${workspaces.length} workspaces:`);
+        workspaces.forEach((w, i) => console.error(`    ${i + 1}) ${formatWs(w)}`));
+        const choice = (await ask(`\nSelect [1]: `)) || "1";
+        const idx = parseInt(choice, 10) - 1;
+        if (idx < 0 || idx >= workspaces.length) {
+            throw new CliError("Invalid selection.");
+        }
+        return workspaces[idx].id;
+    }
+    catch (err) {
+        if (err instanceof CliError)
+            throw err;
+        console.error(`  Could not list workspaces: ${err.message}`);
+        return "";
+    }
+}
+async function loginWithEmail(baseUrl) {
+    const email = await ask("Email: ");
+    const password = await ask("Password: ", true);
+    if (!email || !password) {
+        throw new CliError("Email and password are required.");
+    }
+    console.error("Signing in...");
+    let cookieHeader;
+    try {
+        ({ cookieHeader } = await loginWithPassword(baseUrl, email, password));
+    }
+    catch (err) {
+        throw new CliError(`Sign-in failed: ${err.message}`);
+    }
+    // Verify identity
+    const auth = { cookie: cookieHeader };
+    try {
+        const data = await gql(baseUrl, auth, "query { currentUser { name email } }");
+        console.error(`✓ Signed in as: ${data.currentUser.name} <${data.currentUser.email}>\n`);
+    }
+    catch (err) {
+        throw new CliError(`Session verification failed: ${err.message}`);
+    }
+    // Auto-generate an API token so the MCP server can use token auth (no cookie expiry issues)
+    console.error("Generating API token...");
+    let token;
+    try {
+        const data = await gql(baseUrl, auth, `mutation($input: GenerateAccessTokenInput!) { generateUserAccessToken(input: $input) { id name token } }`, { input: { name: `affine-mcp-${new Date().toISOString().slice(0, 10)}` } });
+        token = data.generateUserAccessToken.token;
+        console.error(`✓ Token created (name: ${data.generateUserAccessToken.name})\n`);
+    }
+    catch (err) {
+        throw new CliError(`Failed to generate token: ${err.message}\n` +
+            "You can create one manually in Affine Settings → Integrations → MCP Server");
+    }
+    const workspaceId = await detectWorkspace(baseUrl, { token });
+    return { token, workspaceId };
+}
+async function loginWithToken(baseUrl) {
+    console.error("\nTo generate a token:");
+    console.error(`  1. Open ${baseUrl}/settings in your browser`);
+    console.error("  2. Account Settings → Integrations → MCP Server");
+    console.error("  3. Copy the Personal access token\n");
+    const token = await ask("API token: ", true);
+    if (!token) {
+        throw new CliError("No token provided.");
+    }
+    console.error("Testing connection...");
+    try {
+        const data = await gql(baseUrl, { token }, "query { currentUser { name email } }");
+        console.error(`✓ Authenticated as: ${data.currentUser.name} <${data.currentUser.email}>\n`);
+    }
+    catch (err) {
+        throw new CliError(`Authentication failed: ${err.message}`);
+    }
+    const workspaceId = await detectWorkspace(baseUrl, { token });
+    return { token, workspaceId };
+}
+async function login() {
+    console.error("Affine MCP Server — Login\n");
+    const existing = loadConfigFile();
+    if (existing.AFFINE_API_TOKEN) {
+        console.error(`Existing config: ${CONFIG_FILE}`);
+        console.error(`  URL:       ${existing.AFFINE_BASE_URL || "(default)"}`);
+        console.error(`  Token:     (set)`);
+        console.error(`  Workspace: ${existing.AFFINE_WORKSPACE_ID || "(none)"}\n`);
+        const overwrite = await ask("Overwrite? [y/N] ");
+        if (!/^[yY]$/.test(overwrite)) {
+            console.error("Keeping existing config.");
+            return;
+        }
+        console.error("");
+    }
+    const defaultUrl = "https://app.affine.pro";
+    const rawUrl = (await ask(`Affine URL [${defaultUrl}]: `)) || defaultUrl;
+    const baseUrl = validateBaseUrl(rawUrl);
+    const isSelfHosted = !baseUrl.includes("affine.pro");
+    let result;
+    if (isSelfHosted) {
+        const method = await ask("\nAuth method — [1] Email/password (recommended)  [2] Paste API token: ");
+        if (method === "2") {
+            result = await loginWithToken(baseUrl);
+        }
+        else {
+            result = await loginWithEmail(baseUrl);
+        }
+    }
+    else {
+        // Cloudflare blocks programmatic sign-in on app.affine.pro — token is the only option
+        result = await loginWithToken(baseUrl);
+    }
+    writeConfigFile({
+        AFFINE_BASE_URL: baseUrl,
+        AFFINE_API_TOKEN: result.token,
+        AFFINE_WORKSPACE_ID: result.workspaceId,
+    });
+    console.error(`\n✓ Saved to ${CONFIG_FILE} (mode 600)`);
+    console.error("The MCP server will use these credentials automatically.");
+}
+async function status() {
+    const config = loadConfigFile();
+    if (!config.AFFINE_API_TOKEN) {
+        throw new CliError("Not logged in. Run: affine-mcp login");
+    }
+    console.error(`Config: ${CONFIG_FILE}`);
+    console.error(`URL:       ${config.AFFINE_BASE_URL || "(default)"}`);
+    console.error(`Token:     (set)`);
+    console.error(`Workspace: ${config.AFFINE_WORKSPACE_ID || "(none)"}\n`);
+    try {
+        const data = await gql(config.AFFINE_BASE_URL || "https://app.affine.pro", { token: config.AFFINE_API_TOKEN }, "query { currentUser { name email } workspaces { id } }");
+        console.error(`User: ${data.currentUser.name} <${data.currentUser.email}>`);
+        console.error(`Workspaces: ${data.workspaces.length}`);
+    }
+    catch (err) {
+        throw new CliError(`Connection failed: ${err.message}`);
+    }
+}
+function logout() {
+    if (fs.existsSync(CONFIG_FILE)) {
+        fs.unlinkSync(CONFIG_FILE);
+        console.error(`Removed ${CONFIG_FILE}`);
+    }
+    else {
+        console.error("No config file found.");
+    }
+}
+const COMMANDS = { login, status, logout };
+export async function runCli(command) {
+    const fn = COMMANDS[command];
+    if (!fn)
+        return false;
+    try {
+        await fn();
+    }
+    catch (err) {
+        if (err instanceof CliError) {
+            console.error(`✗ ${err.message}`);
+            process.exit(1);
+        }
+        throw err;
+    }
+    return true;
+}