memory-journal-mcp 4.4.2 → 5.0.0

package/playwright.config.ts

@@ -0,0 +1,29 @@
+import { defineConfig, devices } from '@playwright/test'
+
+export default defineConfig({
+    testDir: './tests/e2e',
+    fullyParallel: false,
+    forbidOnly: !!process.env.CI,
+    retries: process.env.CI ? 2 : 0,
+    workers: 1,
+    reporter: 'list',
+    use: {
+        baseURL: 'http://localhost:3100',
+        trace: 'on-first-retry',
+    },
+    projects: [
+        {
+            name: 'api',
+            use: { ...devices['Desktop Chrome'] },
+        },
+    ],
+    webServer: {
+        command:
+            'node dist/cli.js --transport http --port 3100 --db ./test-e2e.db --backup-interval 1 --keep-backups 3 --vacuum-interval 2 --rebuild-index-interval 2',
+        url: 'http://localhost:3100/health',
+        reuseExistingServer: !process.env.CI,
+        timeout: 15000,
+        stdout: 'pipe',
+        stderr: 'pipe',
+    },
+})

package/releases/v4.5.0.md

@@ -0,0 +1,116 @@
+# v4.5.0 - Automated Scheduling, Security Hardening & Quality Improvements
+
+**Released: March 2, 2026**
+
+## Highlights
+
+### ⏰ Automated Scheduler (HTTP/SSE Only)
+
+New in-process scheduler runs periodic maintenance jobs for long-running HTTP/SSE server processes:
+
+- `--backup-interval <minutes>` — Automated database backups with cleanup
+- `--keep-backups <count>` — Max backups to retain (default: 5)
+- `--vacuum-interval <minutes>` — Database optimization (`PRAGMA optimize`)
+- `--rebuild-index-interval <minutes>` — Full vector index rebuild
+
+Each job is error-isolated. Status visible via `memory://health`.
+
+### 🔒 Security Hardening
+
+Comprehensive security improvements across the entire stack:
+
+- **HTTP Transport** — Rate limiting (100 req/min), CSP headers, Cache-Control, Referrer-Policy, CORS wildcard warning
+- **Input Validation** — `entry_type` and `significance_type` now constrained to Zod enums; date format validation via regex
+- **Dead Code Wiring** — `sanitizeSearchQuery()` and `assertNoPathTraversal()` now active in code paths
+- **Foreign Keys** — `PRAGMA foreign_keys = ON` enforced at database initialization
+- **Path Traversal** — `exportToFile()` now protected with `assertNoPathTraversal()`
+- **Logger Hardening** — `LOG_LEVEL` validated; `setLevel()` guarded against invalid values
+- **Removed dead code** — SQL injection detection functions that provided false sense of security
+- **CI** — Blocking `npm audit` and TruffleHog steps; Node.js test matrix aligned to `>=24.0.0`
+
+### ✅ Test Coverage → 92%
+
+Expanded test suite from 549 → 590 tests, raising line coverage from 88.59% → 92.06%:
+
+- SIGINT shutdown handlers for all three transport modes
+- Prompt handlers with proper arguments
+- `SqliteAdapter` backup edge cases
+- GitHub integration error paths
+
+### 📝 Cursor Rule for Session Management
+
+Added `hooks/cursor/memory-journal.mdc` — an `alwaysApply` Cursor rule that instructs agents to read `memory://briefing` at session start and create a retrospective at session end. This is the most reliable mechanism for session behavior in Cursor.
+
+## Added
+
+- **Automated Scheduler** — `Scheduler.ts` module with CLI flags for backup, vacuum, and index rebuild intervals
+- **Cursor Rule** — `hooks/cursor/memory-journal.mdc` for reliable session management
+- **Cursor `sessionEnd` Hook** — `hooks/cursor/hooks.json` + `session-end.sh` audit script
+
+## Improved
+
+- **Test Coverage** — 88.59% → 92.06% line coverage (549 → 590 tests)
+- **Database I/O** — Debounced `scheduleSave()` reduces disk writes on rapid mutations
+- **Vector Index Rebuild** — Paginated fetching (200/page) + parallel batch embedding (5 at a time)
+- **Server Startup** — Eliminated duplicate `getTools()` call
+- **GitHub API** — TTL response cache (5 min) with automatic invalidation on mutations
+
+## Fixed
+
+- **Session Start briefing in Cursor** — Added `user-memory-journal-mcp` server name for Cursor compatibility
+- **`deleteOldBackups` Test Isolation** — Fixed flaky test by cleaning up pre-existing backups
+- **`share_with_team` Not Setting `isPersonal`** — `create_entry` with `share_with_team: true` now correctly sets `isPersonal: false`
+- **Path Traversal Test Assertion** — Updated to assert `PathTraversalError` type
+- **Tool Handler Test Fix** — Updated to use valid `entry_type` enum value
+
+## Security
+
+- Wire dead-code security utilities (F-001, F-002)
+- HTTP security headers: CSP, Cache-Control, Referrer-Policy (F-003)
+- `PRAGMA foreign_keys = ON` (F-005)
+- CORS wildcard warning (F-006)
+- `entry_type` / `significance_type` enum constraints
+- Date format validation on all date string fields
+- HTTP rate limiting (100 req/min per IP)
+- Remove dead SQL injection detection code
+- `exportToFile()` path traversal protection
+- `getRawDb()` safety documentation
+- Logger `LOG_LEVEL` validation (L1) and `setLevel()` guard (L2)
+- CI `security-scan` Node version alignment (L3)
+
+## Changed
+
+- `@types/node`: 25.3.2 → 25.3.3 (patch)
+- `globals`: 17.3.0 → 17.4.0 (minor)
+- `minimatch` override: 10.2.3 → 10.2.4 (patch)
+- `tar` override: 7.5.8 → 7.5.9 (patch)
+
+## Removed
+
+- **Unused `cors` dependency** — CORS handled by custom middleware
+
+## CI/CD
+
+- Removed Dependabot auto-merge workflow
+- Trivy Action updated to 0.34.0
+- Node.js test matrix aligned: `[24.x, 25.x]`
+- Blocking `npm audit` in CI pipeline
+- Blocking TruffleHog secret scanning
+
+## Documentation
+
+- Revised `hooks/README.md` with progressive enhancement model
+- Updated Session Management in README.md and DOCKER_README.md
+- SECURITY.md rewrite for TypeScript era
+- Team collaboration in READMEs with wiki links
+- Rate limiting documentation
+
+---
+
+```bash
+# npm
+npm install -g memory-journal-mcp@4.5.0
+
+# Docker
+docker pull writenotenow/memory-journal-mcp:v4.5.0
+```

package/releases/v5.0.0.md

@@ -0,0 +1,105 @@
+# v5.0.0 — Major Architecture & Security Release
+
+**Release Date:** March 6, 2026
+
+This is a major release featuring a complete architectural overhaul, comprehensive security hardening, a new E2E test suite, redesigned team collaboration, and deterministic error handling across all 42 tools.
+
+## ✨ Highlights
+
+- **Architecture Overhaul** — Tool handler monolith (3,428 lines) split into 12 focused modules. Resource handlers, prompt handlers, types, mutation tools, and HTTP transport all modularized similarly.
+- **Team Collaboration Redesign** — Rebuilt from scratch with separate team database (`TEAM_DB_PATH`), author attribution, cross-DB search, and 3 dedicated tools (`team_create_entry`, `team_get_recent`, `team_search`).
+- **Deterministic Error Handling** — All 42 tool handlers wrapped with `formatHandlerError()` returning structured `{ success: false, error }` responses. Dual-schema validation pattern ensures Zod errors also produce structured responses.
+- **20+ Security Improvements** — Bearer token authentication, HSTS, timing-safe token comparison, shell-free git detection, Docker hardening, CI pipeline action pinning, and more.
+- **Playwright E2E Test Suite** — 8 spec files (47 tests) testing HTTP/SSE transport end-to-end: health, protocols, security headers, auth, sessions, tools, resources, stateless mode, and scheduler.
+- **Dual HTTP Transport** — Streamable HTTP (`/mcp`) + Legacy SSE (`/sse`) running simultaneously in stateful mode.
+
+## 🆕 Added
+
+- **Playwright E2E Test Suite** — `health.spec.ts`, `protocols.spec.ts`, `security.spec.ts`, `auth.spec.ts`, `sessions.spec.ts`, `tools.spec.ts`, `resources.spec.ts`, `stateless.spec.ts`, `scheduler.spec.ts`
+- **Legacy SSE Transport** — `GET /sse` + `POST /messages?sessionId=<id>` for backward-compatible MCP 2024-11-05 clients (stateful mode only)
+- **Health Endpoint** — `GET /health` returns `{ status: "healthy", timestamp }`
+- **Root Info Endpoint** — `GET /` returns server name, version, endpoints, docs link
+- **404 Handler** — Unknown paths return `{ error: "Not found" }`
+- **`DB_PATH` Environment Variable** — Database path via env block (precedence: CLI `--db` > `DB_PATH` > `./memory_journal.db`)
+- **`--auth-token` CLI Option** — Bearer token authentication for HTTP transport (`MCP_AUTH_TOKEN` env)
+- **`Permissions-Policy` Header** — 6th security header: `camera=(), microphone=(), geolocation=()`
+- **Team Collaboration** — `TEAM_DB_PATH`, `TEAM_AUTHOR`, `share_with_team`, `memory://team/recent`, `memory://team/statistics`
+- Tool count: 39 → 42 · Tool groups: 8 → 9 · Resources: 20 → 22
+
+## 🔒 Security
+
+- **Trigger Name Validation** — `SAFE_IDENTIFIER_RE` regex in `migrateSchema()` prevents SQL injection via crafted trigger names
+- **Query Limit Caps** — `.max(500)` on all `limit` parameters (10 schemas)
+- **TruffleHog Pinned** — `@main` → `@v3.93.7`
+- **Docker Scout Official Action** — Replaces `curl | sh` installer with `docker/scout-action@v1.18.2`
+- **Gitleaks Blocking** — Removed `continue-on-error: true`; leaks now fail the workflow
+- **Gitleaks Pinned** — `@v2` → `@v2.3.9`
+- **Bearer Token Auth** — Optional `--auth-token` with `MCP_AUTH_TOKEN` env support
+- **SSE Session Timeout** — Legacy SSE sessions expire after 30 min idle
+- **`searchByDateRange` Limit** — `LIMIT 500` prevents unbounded result sets
+- **Docker Production-Only Dependencies** — `npm ci --omit=dev` in production image
+- **CORS `Authorization` Header** — Added for bearer token support
+- **Timing-Safe Auth** — `crypto.timingSafeEqual()` for token comparison
+- **HSTS Header** — Conditional `Strict-Transport-Security` behind reverse proxy
+- **Docker Compose Hardening** — `read_only: true`, `tmpfs`, generic token placeholder, explicit `NODE_ENV`
+- **Shell-Free Git** — `execFileSync('git', [...])` replaces `execSync('git config ...')`
+
+## ⚡ Improved
+
+- **Batch Tag Fetching** — N+1 elimination: `getRecentEntries(50)` reduced from 51 queries to 2
+- **Batch Tag Linking** — Single `INSERT OR IGNORE` + `SELECT ... WHERE name IN (...)`
+- **Tool Dispatch Cache** — O(1) `Map` lookup instead of rebuilding 42 definitions per call
+- **Conditional JOIN in `searchByDateRange`** — Tag tables only JOINed when tag filter provided
+- **Consolidated `getStatistics` Queries** — 5 sequential `db.exec()` → 3 with `SUM(CASE ...)`
+- **Dual-Schema Validation** — Relaxed schemas for SDK, strict schemas in handlers
+
+## 🐛 Fixed
+
+- **Entry Type Enum** — Added 6 missing types (`technical_note`, `development_note`, `enhancement`, `milestone`, `system_integration_test`, `test_entry`)
+- **`get_github_milestones` State Filter** — `state: "all"` no longer silently defaults to `"open"`
+- **Legacy Database Migration** — `migrateSchema()` adds missing columns + drops FTS5 triggers
+- **`list_tags` Null Count** — `COALESCE(usage_count, 0)` prevents null validation failures
+- **Output Schema Error Responses** — All schemas now accept `{ success: false, error }` responses
+- **Multi-Session Connect Crash** — Close-before-reconnect pattern for concurrent HTTP sessions
+- **Backup Error Path** — Error responses now pass Zod output validation
+- **`share_with_team` Not Setting `isPersonal`** — Fixed `create_entry` with `share_with_team: true`
+- **Legacy SSE `start()` Redundancy** — Eliminated duplicate `sseTransport.start()` call
+
+## 🔄 Changed
+
+- **HTTP Transport Modularized** — `McpServer.ts` (813 → ~450 lines) → `src/transports/http.ts`
+- **`ToolDefinition.handler` Return Type** — `Promise<unknown>` → `unknown` (supports sync+async)
+- **Dependency Updates** — `@types/node` 25.3.3→25.3.5, `express-rate-limit` 8.2.1→8.3.0, `sql.js` 1.14.0→1.14.1
+
+## 🗑️ Removed
+
+- Legacy team collaboration system (rebuilt from scratch)
+- Tool handler monolith `src/handlers/tools/index.ts` (replaced by 12 modules)
+- Unused `cors` and `@types/cors` packages
+- Database files reorganized into `data/` directory
+
+## 🔄 CI/CD
+
+- **CodeQL Default Setup Disabled** — Custom workflow is now sole scanner
+- **CodeQL `actions` Language** — Added to replace Default Setup coverage
+- **Trivy Action** — 0.34.0 → 0.34.1
+
+## 📖 Documentation
+
+- Cursor Rule for session management (`hooks/cursor/memory-journal.mdc`)
+- Revised hooks/README.md with progressive enhancement model
+- SECURITY.md rewritten for current architecture
+- Team collaboration documented in READMEs
+- Wiki security page expanded (16-item checklist)
+
+---
+
+**Full Changelog:** [v4.5.0...v5.0.0](https://github.com/neverinfamous/memory-journal-mcp/compare/v4.5.0...v5.0.0)
+
+**Install/Update:**
+
+```bash
+npm install -g memory-journal-mcp@5.0.0
+# or
+docker pull writenotenow/memory-journal-mcp:v5.0.0
+```

package/scripts/generate-server-instructions.ts

@@ -0,0 +1,176 @@
+/**
+ * Generates src/constants/ServerInstructions.ts from src/constants/server-instructions.md
+ *
+ * Reads the markdown source file, splits it by section delimiters,
+ * escapes for template literals, and produces the full TypeScript module
+ * with types, constants, and the generateInstructions function.
+ *
+ * Usage: node scripts/generate-server-instructions.ts
+ */
+
+import { readFileSync, writeFileSync } from 'node:fs'
+import { dirname, resolve } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+const projectRoot = resolve(__dirname, '..')
+
+const mdPath = resolve(projectRoot, 'src/constants/server-instructions.md')
+const tsPath = resolve(projectRoot, 'src/constants/ServerInstructions.ts')
+
+// Read plain markdown source
+const markdown = readFileSync(mdPath, 'utf-8')
+
+// Section names in order
+const SECTION_NAMES = ['ESSENTIAL', 'GITHUB', 'SERVER_ACCESS', 'TOOL_PARAMETER_REFERENCE']
+
+/**
+ * Parse sections from markdown using <!-- SECTION:NAME --> delimiters
+ */
+function parseSections(content) {
+    const sections = {}
+
+    for (let i = 0; i < SECTION_NAMES.length; i++) {
+        const name = SECTION_NAMES[i]
+        const startMarker = '<!-- SECTION:' + name + ' -->'
+        const startIdx = content.indexOf(startMarker)
+
+        if (startIdx === -1) {
+            throw new Error('Missing section marker: ' + startMarker)
+        }
+
+        const contentStart = startIdx + startMarker.length
+
+        // Find next section marker or end of file
+        let contentEnd
+        if (i + 1 < SECTION_NAMES.length) {
+            const nextMarker = '<!-- SECTION:' + SECTION_NAMES[i + 1] + ' -->'
+            contentEnd = content.indexOf(nextMarker)
+            if (contentEnd === -1) {
+                throw new Error('Missing section marker: ' + nextMarker)
+            }
+        } else {
+            contentEnd = content.length
+        }
+
+        // Trim leading/trailing whitespace but preserve internal structure
+        sections[name] = content.slice(contentStart, contentEnd).trim()
+    }
+
+    return sections
+}
+
+/**
+ * Escape content for use inside a JS/TS template literal
+ */
+function escapeForTemplateLiteral(content) {
+    return content.replace(/\\/g, '\\\\').replace(/`/g, '\\`').replace(/\$\{/g, '\\${')
+}
+
+const sections = parseSections(markdown)
+
+// Read the function body template (static TypeScript code after the constants)
+const FUNCTION_BODY = readFileSync(
+    resolve(projectRoot, 'scripts/server-instructions-function-body.ts'),
+    'utf-8'
+)
+
+// Build the TypeScript file using string concatenation to avoid nested escaping
+const lines = []
+
+lines.push('/**')
+lines.push(' * Server instructions for Memory Journal MCP.')
+lines.push(' *')
+lines.push(' * ⚠️  AUTO-GENERATED — DO NOT EDIT THIS FILE DIRECTLY')
+lines.push(' *     Edit src/constants/server-instructions.md instead,')
+lines.push(' *     then run: npm run generate:instructions')
+lines.push(' *')
+lines.push(' * These instructions are automatically sent to MCP clients during initialization,')
+lines.push(' * providing guidance for AI agents on tool usage.')
+lines.push(' *')
+lines.push(' * Optimized for token efficiency with tiered instruction levels.')
+lines.push(' */')
+lines.push('')
+lines.push("import type { ToolGroup } from '../types/index.js'")
+lines.push("import { TOOL_GROUPS } from '../filtering/ToolFilter.js'")
+lines.push('')
+lines.push('/**')
+lines.push(' * Resource definition for instruction generation')
+lines.push(' */')
+lines.push('export interface ResourceDefinition {')
+lines.push('    uri: string')
+lines.push('    name: string')
+lines.push('    description?: string')
+lines.push('}')
+lines.push('')
+lines.push('/**')
+lines.push(' * Prompt definition for instruction generation')
+lines.push(' */')
+lines.push('export interface PromptDefinition {')
+lines.push('    name: string')
+lines.push('    description?: string')
+lines.push('}')
+lines.push('')
+lines.push('/**')
+lines.push(' * Latest entry snapshot for initial briefing')
+lines.push(' */')
+lines.push('export interface LatestEntrySnapshot {')
+lines.push('    id: number')
+lines.push('    timestamp: string')
+lines.push('    entryType: string')
+lines.push('    content: string')
+lines.push('}')
+lines.push('')
+lines.push('/**')
+lines.push(' * Instruction detail level for token efficiency')
+lines.push(' * - essential: ~200 tokens - Core behaviors only (for token-constrained clients)')
+lines.push(' * - standard: ~400 tokens - + GitHub patterns (default)')
+lines.push(' * - full: ~600 tokens - + tool/resource listings')
+lines.push(' */')
+lines.push("export type InstructionLevel = 'essential' | 'standard' | 'full'")
+lines.push('')
+lines.push('/**')
+lines.push(' * Essential behavioral guidance (~200 tokens)')
+lines.push(' * Core patterns every AI agent should follow.')
+lines.push(' */')
+lines.push(
+    'const ESSENTIAL_INSTRUCTIONS = `' + escapeForTemplateLiteral(sections.ESSENTIAL) + '\n`'
+)
+lines.push('')
+lines.push('/**')
+lines.push(' * GitHub integration patterns (~150 additional tokens)')
+lines.push(' */')
+lines.push('const GITHUB_INSTRUCTIONS = `\n' + escapeForTemplateLiteral(sections.GITHUB) + '\n`')
+lines.push('')
+lines.push('/**')
+lines.push(' * Server access instructions - critical for AI agents to call tools correctly')
+lines.push(' */')
+lines.push(
+    'const SERVER_ACCESS_INSTRUCTIONS = `\n' +
+        escapeForTemplateLiteral(sections.SERVER_ACCESS) +
+        '\n`'
+)
+lines.push('')
+lines.push('/**')
+lines.push(' * Tool parameter reference - essential for correct tool invocation')
+lines.push(' */')
+lines.push(
+    'const TOOL_PARAMETER_REFERENCE = `\n' +
+        escapeForTemplateLiteral(sections.TOOL_PARAMETER_REFERENCE) +
+        '\n`'
+)
+lines.push('')
+lines.push(FUNCTION_BODY)
+lines.push('')
+
+const tsContent = lines.join('\n')
+
+writeFileSync(tsPath, tsContent, 'utf-8')
+
+process.stderr.write(
+    '✅ Generated ServerInstructions.ts (' +
+        tsContent.length.toLocaleString() +
+        ' bytes) from server-instructions.md (' +
+        markdown.length.toLocaleString() +
+        ' bytes)\n'
+)

package/scripts/server-instructions-function-body.ts

@@ -0,0 +1,77 @@
+/**
+ * Generate dynamic instructions based on enabled tools, resources, prompts, and latest entry
+ *
+ * @param enabledTools - Set of enabled tool names
+ * @param resources - Available resource definitions
+ * @param prompts - Available prompt definitions
+ * @param latestEntry - Optional latest entry for context snapshot
+ * @param level - Instruction detail level (default: 'standard')
+ */
+export function generateInstructions(
+    enabledTools: Set<string>,
+    _resources: ResourceDefinition[],
+    prompts: PromptDefinition[],
+    latestEntry?: LatestEntrySnapshot,
+    level: InstructionLevel = 'standard'
+): string {
+    let instructions = ESSENTIAL_INSTRUCTIONS
+
+    // Add latest entry snapshot for immediate context (compact format)
+    if (latestEntry) {
+        const preview = latestEntry.content.slice(0, 120)
+        instructions += `\n**Latest**: #${String(latestEntry.id)} (${latestEntry.timestamp}) ${latestEntry.entryType}\n> ${preview}${latestEntry.content.length > 120 ? '...' : ''}\n`
+    }
+
+    // Standard and full levels include GitHub patterns
+    if (level === 'standard' || level === 'full') {
+        instructions += GITHUB_INSTRUCTIONS
+    }
+
+    // Full level includes server access instructions and tool parameter reference
+    if (level === 'full') {
+        instructions += SERVER_ACCESS_INSTRUCTIONS
+        instructions += TOOL_PARAMETER_REFERENCE
+
+        // Add active tools summary
+        const activeGroups = getActiveToolGroups(enabledTools)
+        if (activeGroups.length > 0) {
+            instructions += `\n## Active Tools (${String(enabledTools.size)})\n`
+            for (const { group, tools } of activeGroups) {
+                instructions += `**${group}**: ${tools.map((t) => `\`${t}\``).join(', ')}\n`
+            }
+        }
+
+        // Add prompts section
+        if (prompts.length > 0) {
+            instructions += `\n## Prompts (${String(prompts.length)})\n`
+            instructions += 'Pre-built templates and guided workflows:\n'
+            for (const prompt of prompts) {
+                instructions += `- \`${prompt.name}\` - ${prompt.description ?? ''}\n`
+            }
+        }
+    }
+
+    return instructions
+}
+
+/**
+ * Get active tool groups with their enabled tools
+ */
+function getActiveToolGroups(enabledTools: Set<string>): { group: ToolGroup; tools: string[] }[] {
+    const activeGroups: { group: ToolGroup; tools: string[] }[] = []
+
+    for (const [group, allTools] of Object.entries(TOOL_GROUPS) as [ToolGroup, string[]][]) {
+        const enabledInGroup = allTools.filter((tool) => enabledTools.has(tool))
+        if (enabledInGroup.length > 0) {
+            activeGroups.push({ group, tools: enabledInGroup })
+        }
+    }
+
+    return activeGroups
+}
+
+/**
+ * Static instructions for backward compatibility
+ * @deprecated Use generateInstructions() instead for dynamic content
+ */
+export const SERVER_INSTRUCTIONS = ESSENTIAL_INSTRUCTIONS + GITHUB_INSTRUCTIONS

package/server.json

@@ -3,12 +3,12 @@
     "name": "io.github.neverinfamous/memory-journal-mcp",
     "title": "Memory Journal MCP",
     "description": "MCP server– Project memory system with GitHub-aware context, knowledge graphs, and CI/PR timelines",
-    "version": "4.4.2",
+    "version": "4.5.0",
     "packages": [
         {
             "registryType": "oci",
-            "identifier": "docker.io/writenotenow/memory-journal-mcp:v4.4.2",
-            "version": "4.4.2",
+            "identifier": "docker.io/writenotenow/memory-journal-mcp:v4.5.0",
+            "version": "4.5.0",
             "transport": {
                 "type": "stdio"
             }

package/src/cli.ts

@@ -17,12 +17,41 @@ program
     .option('--port <number>', 'HTTP port (for http transport)', '3000')
     .option('--server-host <host>', 'Server bind host for HTTP transport (default: localhost)')
     .option('--stateless', 'Use stateless HTTP mode (no session management)')
-    .option('--db <path>', 'Database path', './memory_journal.db')
+    .option(
+        '--db <path>',
+        'Database path (env: DB_PATH)',
+        process.env['DB_PATH'] ?? './memory_journal.db'
+    )
+    .option(
+        '--team-db <path>',
+        'Team database path (env: TEAM_DB_PATH)',
+        process.env['TEAM_DB_PATH'] ?? undefined
+    )
     .option('--tool-filter <filter>', 'Tool filter string (e.g., "starter", "core,search")')
     .option('--default-project <number>', 'Default GitHub Project number')
     .option('--auto-rebuild-index', 'Rebuild vector index on server startup')
     .option('--cors-origin <origin>', 'CORS allowed origin for HTTP transport (default: *)')
+    .option(
+        '--auth-token <token>',
+        'Bearer token for HTTP transport authentication (env: MCP_AUTH_TOKEN)'
+    )
     .option('--log-level <level>', 'Log level: debug, info, warning, error', 'info')
+    .option(
+        '--backup-interval <minutes>',
+        'Automated backup interval in minutes, HTTP only (0 = disabled)',
+        '0'
+    )
+    .option('--keep-backups <count>', 'Max backups to retain during automated cleanup', '5')
+    .option(
+        '--vacuum-interval <minutes>',
+        'Database optimize interval in minutes, HTTP only (0 = disabled)',
+        '0'
+    )
+    .option(
+        '--rebuild-index-interval <minutes>',
+        'Vector index rebuild interval in minutes, HTTP only (0 = disabled)',
+        '0'
+    )
     .action(
         async (options: {
             transport: string
@@ -30,11 +59,17 @@ program
             serverHost?: string
             stateless?: boolean
             db: string
+            teamDb?: string
             toolFilter?: string
             defaultProject: string
             autoRebuildIndex?: boolean
             corsOrigin?: string
+            authToken?: string
             logLevel: string
+            backupInterval: string
+            keepBackups: string
+            vacuumInterval: string
+            rebuildIndexInterval: string
         }) => {
             // Set log level
             logger.setLevel(options.logLevel as 'debug' | 'info' | 'warning' | 'error')
@@ -48,6 +83,7 @@ program
                 transport: options.transport,
                 stateless: options.stateless ?? false,
                 db: options.db,
+                ...(options.teamDb ? { teamDb: options.teamDb } : {}),
                 ...(host ? { host } : {}),
             })
 
@@ -58,6 +94,7 @@ program
                     host,
                     statelessHttp: options.stateless === true,
                     dbPath: options.db,
+                    teamDbPath: options.teamDb,
                     toolFilter: options.toolFilter,
                     defaultProjectNumber: options.defaultProject
                         ? parseInt(options.defaultProject, 10)
@@ -67,6 +104,13 @@ program
                     autoRebuildIndex:
                         options.autoRebuildIndex ?? process.env['AUTO_REBUILD_INDEX'] === 'true',
                     corsOrigin: options.corsOrigin,
+                    authToken: options.authToken,
+                    scheduler: {
+                        backupIntervalMinutes: parseInt(options.backupInterval, 10),
+                        keepBackups: parseInt(options.keepBackups, 10),
+                        vacuumIntervalMinutes: parseInt(options.vacuumInterval, 10),
+                        rebuildIndexIntervalMinutes: parseInt(options.rebuildIndexInterval, 10),
+                    },
                 })
             } catch (error) {
                 logger.error('Failed to start server', {