From bf23b2d2f2f6ce38bdd98b56ebeda074173b5b7c Mon Sep 17 00:00:00 2001 From: jubnl Date: Fri, 10 Apr 2026 02:17:54 +0200 Subject: [PATCH] fix(mcp): surface static token deprecation via server instructions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The deprecation warning was registered as an MCP prompt that clients must explicitly fetch — it never fired automatically. Move it to the ServerOptions.instructions field, which is returned in the initialize response and automatically read by Claude and other MCP clients as system context. --- server/src/mcp/index.ts | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/server/src/mcp/index.ts b/server/src/mcp/index.ts index 167e4c15..e362ffac 100644 --- a/server/src/mcp/index.ts +++ b/server/src/mcp/index.ts @@ -162,15 +162,25 @@ export async function mcpHandler(req: Request, res: Response): Promise { } // Create a new per-user MCP server and session - const server = new McpServer({ - name: 'TREK MCP', - version: '1.0.0', - capabilities: { - resources: { listChanged: true }, - tools: { listChanged: true }, - prompts: { listChanged: true }, + const server = new McpServer( + { + name: 'TREK MCP', + version: '1.0.0', }, - }); + { + capabilities: { + resources: { listChanged: true }, + tools: { listChanged: true }, + prompts: { listChanged: true }, + }, + ...(isStaticToken && { + instructions: + '⚠️ IMPORTANT: This MCP session is authenticated with a static API token (trek_…). ' + + 'Static token authentication is deprecated and will be removed in a future version of TREK. ' + + 'Please inform the user that they must migrate to OAuth 2.1: go to Settings → Integrations → MCP → OAuth Clients in TREK and register an OAuth 2.1 application for their MCP client.', + }), + } + ); registerResources(server, user.id, scopes); registerTools(server, user.id, scopes, isStaticToken);