OneNote MCP Server

DESIGN.md•41.6 KiB

# OneNote MCP Server - Design & Requirements Document **Version:** 1.0 **Last Updated:** February 22, 2026 **Document Status:** Living Document --- ## Table of Contents 1. [Executive Summary](#executive-summary) 2. [Problem Statement](#problem-statement) 3. [Goals & Objectives](#goals-objectives) 4. [Requirements Specification](#requirements-specification) 5. [System Architecture](#system-architecture) 6. [Component Design](#component-design) 7. [API Specifications](#api-specifications) 8. [Data Models](#data-models) 9. [Authentication & Security](#authentication-security) 10. [Performance Considerations](#performance-considerations) 11. [Error Handling Strategy](#error-handling-strategy) 12. [Testing Strategy](#testing-strategy) 13. [Deployment Architecture](#deployment-architecture) 14. [Scalability & Future Enhancements](#scalability-future-enhancements) 15. [Appendices](#appendices) --- ## Executive Summary The OneNote MCP Server is a middleware service that enables AI language models to interact with Microsoft OneNote through the Model Context Protocol (MCP). It acts as a bridge between AI assistants and the Microsoft Graph API, providing a secure, efficient, and user-friendly interface for reading, writing, and managing OneNote content. **Key Value Propositions:** - Enables AI-powered note-taking and knowledge management - Provides natural language interface to OneNote operations - Maintains security through OAuth2 device code flow - Handles complex API interactions transparently - Supports advanced operations (search, filtering, content manipulation) --- ## Problem Statement ### Current Challenges 1. **AI Integration Gap** - AI assistants lack native integration with personal knowledge bases - Users must manually copy/paste between AI conversations and note-taking apps - No programmatic way for AI to access or modify user notes 2. **API Complexity** - Microsoft Graph API requires authentication, token management, and complex request handling - Pagination logic is non-trivial for large datasets - HTML content processing requires specialized parsing - Rate limiting and error handling add complexity 3. **User Workflow Friction** - Context switching between AI assistant and OneNote disrupts productivity - No unified interface for AI-powered note management - Difficult to leverage AI for searching and organizing existing notes ### Solution Approach Build a Model Context Protocol (MCP) server that: - Abstracts Microsoft Graph API complexity - Provides simple, well-defined tools for AI assistants - Handles authentication, pagination, and error recovery - Processes content in multiple formats (HTML, plain text, markdown) - Enables AI to become a true productivity partner --- ## Goals & Objectives ### Primary Goals 1. **Seamless AI Integration** - Enable AI assistants to read and write OneNote content naturally - Support all common OneNote operations through simple tool calls - Provide multiple content formats for different use cases 2. **Robust & Reliable** - Handle authentication lifecycle automatically - Gracefully manage API rate limits and errors - Support large-scale operations (100+ notebooks, 1000+ pages) 3. **Secure by Design** - Implement OAuth2 best practices - Minimize attack surface - Protect user credentials and tokens 4. **High Performance** - Efficient pagination for large result sets - Smart caching where appropriate - Minimal latency for common operations ### Secondary Goals - Extensibility for future Microsoft Graph endpoints - Comprehensive logging for debugging - Well-documented API surface - Language-agnostic design principles --- ## Requirements Specification ### Functional Requirements #### FR-1: Authentication - **FR-1.1:** Support OAuth2 Device Code Flow for user authentication - **FR-1.2:** Persist access tokens securely to local filesystem - **FR-1.3:** Automatically refresh tokens before expiration - **FR-1.4:** Support custom Azure AD application registrations - **FR-1.5:** Validate token scopes on startup #### FR-2: Read Operations - **FR-2.1:** List all notebooks accessible to authenticated user - **FR-2.2:** List sections within a specific notebook - **FR-2.3:** List pages within a specific section - **FR-2.4:** Retrieve page content in multiple formats (HTML, text, summary) - **FR-2.5:** Search pages by title across all notebooks - **FR-2.6:** Search pages by creation/modification date - **FR-2.7:** Search within page content (not just titles) - **FR-2.8:** Filter pages by user who created/modified them - **FR-2.9:** Support pagination for all list operations #### FR-3: Write Operations - **FR-3.1:** Create new pages with HTML or markdown content - **FR-3.2:** Update entire page content while preserving metadata - **FR-3.3:** Append content to existing pages - **FR-3.4:** Update page titles independently - **FR-3.5:** Find and replace text within pages - **FR-3.6:** Add structured content (tables, formatted notes) #### FR-4: Content Processing - **FR-4.1:** Convert HTML to readable plain text - **FR-4.2:** Generate text summaries with configurable length - **FR-4.3:** Convert markdown to HTML - **FR-4.4:** Preserve formatting during transformations - **FR-4.5:** Handle Unicode and special characters correctly #### FR-5: Productivity Features - **FR-5.1:** Quick daily note creation with auto-formatted dates - **FR-5.2:** Find changes made by current user within date range - **FR-5.3:** Prevent duplicate daily note creation - **FR-5.4:** Support natural date expressions ("today", "monday") ### Non-Functional Requirements #### NFR-1: Performance - **NFR-1.1:** Page list operations complete within 5 seconds for 100 pages - **NFR-1.2:** Search operations scan 1000+ pages within 30 seconds - **NFR-1.3:** Content retrieval completes within 2 seconds per page - **NFR-1.4:** Support concurrent requests without blocking #### NFR-2: Reliability - **NFR-2.1:** 99.9% uptime during user sessions - **NFR-2.2:** Automatic retry with exponential backoff for transient failures - **NFR-2.3:** Graceful degradation when API limits are reached - **NFR-2.4:** No data loss during failures #### NFR-3: Security - **NFR-3.1:** Tokens stored with appropriate filesystem permissions - **NFR-3.2:** No tokens logged or transmitted insecurely - **NFR-3.3:** Minimal scopes requested (principle of least privilege) - **NFR-3.4:** Input validation on all user-provided data #### NFR-4: Usability - **NFR-4.1:** Clear error messages with actionable guidance - **NFR-4.2:** Progress indicators for long-running operations - **NFR-4.3:** Comprehensive documentation and examples - **NFR-4.4:** Tool names and parameters follow consistent conventions #### NFR-5: Maintainability - **NFR-5.1:** Modular architecture with clear separation of concerns - **NFR-5.2:** Comprehensive test coverage (>80% line coverage) - **NFR-5.3:** Code follows language-specific best practices - **NFR-5.4:** API versioning strategy for breaking changes --- ## System Architecture ### High-Level Architecture ```text ┌─────────────────────────────────────────────────────────────┐ │ AI Assistant │ │ (Claude, GPT, etc.) │ └────────────────────┬────────────────────────────────────────┘ │ │ MCP Protocol (stdio) │ ┌────────────────────▼────────────────────────────────────────┐ │ OneNote MCP Server │ │ ┌──────────────────────────────────────────────────────┐ │ │ │ MCP Protocol Handler │ │ │ │ - Tool registration │ │ │ │ - Request/response serialization │ │ │ │ - Schema validation │ │ │ └────────────┬─────────────────────────────────────────┘ │ │ │ │ │ ┌────────────▼─────────────────────────────────────────┐ │ │ │ Business Logic Layer │ │ │ │ - Authentication management │ │ │ │ - Content processing │ │ │ │ - Pagination handling │ │ │ │ - Error recovery │ │ │ └────────────┬─────────────────────────────────────────┘ │ │ │ │ │ ┌────────────▼─────────────────────────────────────────┐ │ │ │ API Client Layer │ │ │ │ - Graph API client wrapper │ │ │ │ - Rate limit handling │ │ │ │ - Retry logic │ │ │ └────────────┬─────────────────────────────────────────┘ │ │ │ │ │ ┌────────────▼─────────────────────────────────────────┐ │ │ │ Token Storage │ │ │ │ - Filesystem persistence │ │ │ │ - Token refresh logic │ │ │ └──────────────────────────────────────────────────────┘ │ └────────────────────┬────────────────────────────────────────┘ │ │ HTTPS (OAuth2 + Graph API) │ ┌────────────────────▼────────────────────────────────────────┐ │ Microsoft Graph API │ │ /v1.0/me/onenote/* │ └──────────────────────────────────────────────────────────────┘ ``` ### Component Interactions 1. **AI Assistant → MCP Server** - Communication via stdio (standard input/output) - JSON-RPC 2.0 protocol for tool invocation - Schema-validated parameters 2. **MCP Server → Graph API** - HTTPS REST API calls - OAuth2 Bearer token authentication - JSON request/response bodies 3. **Token Management** - Device Code Flow for initial authentication - Token persistence to filesystem - Automatic refresh before expiration ### Design Patterns #### 1. Adapter Pattern - MCP Server adapts Graph API to MCP protocol - Translates between different data representations #### 2. Facade Pattern - Simple tool interface hides complex API operations - Single method call may trigger multiple API requests #### 3. Strategy Pattern - Different content formatting strategies (HTML, text, summary) - Pluggable authentication providers #### 4. Retry Pattern - Exponential backoff for transient failures - Circuit breaker for persistent errors #### 5. Repository Pattern - Token storage abstraction - Could support multiple storage backends --- ## Component Design ### 1. MCP Protocol Handler **Responsibility:** Bridge between MCP protocol and application logic **Key Functions:** - Tool registration and discovery - Request deserialization and validation - Response serialization - Error message formatting **Interfaces:** ```text ToolRegistry: - registerTool(name, schema, handler) - listTools() → Tool[] - invokeTool(name, params) → Result RequestHandler: - handleToolCall(request) → response - validateSchema(params, schema) → errors[] ``` ### 2. Authentication Manager **Responsibility:** OAuth2 flow and token lifecycle management **Key Functions:** - Initiate device code flow - Poll for authorization completion - Store tokens securely - Refresh tokens before expiration - Validate token scopes **Interfaces:** ```text AuthenticationService: - startDeviceCodeFlow() → DeviceCodeInfo - waitForAuthorization() → AccessToken - loadToken() → AccessToken | null - saveToken(token) → void - refreshToken(token) → AccessToken - validateScopes(token, requiredScopes) → boolean ``` **State Machine:** ```text [Unauthenticated] → startDeviceCodeFlow() → [Awaiting User Auth] [Awaiting User Auth] → waitForAuthorization() → [Authenticated] [Authenticated] → tokenExpiring() → refreshToken() → [Authenticated] [Authenticated] → tokenInvalid() → [Unauthenticated] ``` ### 3. Graph API Client **Responsibility:** Communicate with Microsoft Graph API **Key Functions:** - HTTP request/response handling - Rate limit detection and backoff - Pagination traversal - Error classification and recovery **Interfaces:** ```text GraphClient: - get(endpoint, params) → Response - post(endpoint, data) → Response - patch(endpoint, data) → Response - paginate(endpoint, params) → AsyncIterator<Response> RetryPolicy: - shouldRetry(error) → boolean - getBackoffDelay(attempt) → milliseconds - isRateLimitError(error) → boolean ``` ### 4. Content Processor **Responsibility:** Transform content between formats **Key Functions:** - HTML to plain text conversion - Markdown to HTML conversion - Text summarization - Structure extraction (headings, lists, tables) **Interfaces:** ```text ContentFormatter: - toPlainText(html) → string - toSummary(html, maxLength) → string - toHtml(markdown) → string - extractStructure(html) → DocumentStructure TextExtractor: - removeScripts(html) → string - extractHeadings(html) → Heading[] - extractLists(html) → List[] - extractTables(html) → Table[] ``` ### 5. Tool Implementations **Responsibility:** Implement specific MCP tools **Categories:** - **Authentication Tools:** authenticate, saveAccessToken - **Discovery Tools:** listNotebooks, listSections, listPagesInSection - **Search Tools:** searchPages, searchPagesByDate, searchPageContent - **Read Tools:** getPageContent, getPageByTitle - **Write Tools:** createPage, updatePageContent, appendToPage - **Edit Tools:** updatePageTitle, replaceTextInPage, addNoteToPage, addTableToPage - **Productivity Tools:** getMyRecentChanges, createDailyNote **Common Interface:** ```text Tool: - name: string - description: string - inputSchema: Schema - execute(params) → Result | Error ``` ### 6. Token Storage **Responsibility:** Persist authentication tokens **Key Functions:** - Write token to filesystem - Read token from filesystem - Verify file permissions - Handle corrupted token files **Interfaces:** ```text TokenStore: - save(token) → void | Error - load() → Token | null | Error - exists() → boolean - delete() → void | Error TokenFormat: - serialize(token) → string - deserialize(data) → Token | Error ``` --- ## API Specifications ### MCP Tool Catalog #### Authentication Tools ##### `authenticate` **Purpose:** Initiate OAuth2 device code flow **Input Schema:** ```json { "type": "object", "properties": {}, "required": [] } ``` **Output:** ```json { "userCode": "A1B2-C3D4", "verificationUrl": "https://microsoft.com/devicelogin", "expiresIn": 900, "interval": 5, "message": "Please visit the URL and enter the code to authenticate" } ``` **Errors:** - `AuthenticationTimeout`: User didn't complete auth within time limit - `AuthenticationDenied`: User denied permission request ##### `saveAccessToken` **Purpose:** Verify and load existing access token **Input Schema:** ```json { "type": "object", "properties": {}, "required": [] } ``` **Output:** ```json { "success": true, "userInfo": { "displayName": "John Doe", "email": "john@example.com" }, "expiresOn": "2026-02-22T18:00:00Z" } ``` #### Read Operations ##### `listNotebooks` **Purpose:** Retrieve all notebooks **Input Schema:** ```json { "type": "object", "properties": {}, "required": [] } ``` **Output:** ```json { "notebooks": [ { "id": "notebook-id-1", "displayName": "Personal", "createdDateTime": "2025-01-01T00:00:00Z", "lastModifiedDateTime": "2026-02-20T15:30:00Z", "webUrl": "https://onenote.com/..." } ], "count": 5 } ``` ##### `searchPagesByDate` **Purpose:** Find pages within date range **Input Schema:** ```json { "type": "object", "properties": { "days": { "type": "number", "description": "Number of days to search back", "default": 1 }, "query": { "type": "string", "description": "Optional keyword filter" }, "dateField": { "type": "string", "enum": ["created", "modified", "both"], "default": "modified" }, "includeContent": { "type": "boolean", "default": false } }, "required": [] } ``` **Output:** ```json { "pages": [ { "id": "page-id", "title": "Daily Note - 2/22/26", "notebookName": "Work", "sectionName": "Standup", "createdDateTime": "2026-02-22T08:00:00Z", "lastModifiedDateTime": "2026-02-22T09:30:00Z", "webUrl": "https://onenote.com/...", "content": "..." // if includeContent=true } ], "count": 12, "searchParams": { "dateRange": "2026-02-15 to 2026-02-22", "query": "standup" } } ``` #### Write Operations ##### `createPage` **Purpose:** Create a new OneNote page **Input Schema:** ```json { "type": "object", "properties": { "title": { "type": "string", "description": "Page title" }, "content": { "type": "string", "description": "Page content (HTML or markdown)" }, "sectionId": { "type": "string", "description": "Target section ID (optional, uses default if omitted)" } }, "required": ["title", "content"] } ``` **Output:** ```json { "success": true, "pageId": "new-page-id", "title": "My New Page", "webUrl": "https://onenote.com/...", "createdDateTime": "2026-02-22T10:00:00Z" } ``` **Errors:** - `SectionNotFound`: Specified section doesn't exist - `InvalidContent`: Content format is invalid - `QuotaExceeded`: User has reached storage limit ##### `appendToPage` **Purpose:** Add content to end of existing page **Input Schema:** ```json { "type": "object", "properties": { "pageId": { "type": "string", "description": "Target page ID" }, "content": { "type": "string", "description": "Content to append" }, "addTimestamp": { "type": "boolean", "default": true }, "addSeparator": { "type": "boolean", "default": true } }, "required": ["pageId", "content"] } ``` **Output:** ```json { "success": true, "pageId": "page-id", "message": "Content appended successfully" } ``` --- ## Data Models ### Core Entities #### Notebook ```text Notebook { id: string (UUID) displayName: string createdDateTime: ISO8601 lastModifiedDateTime: ISO8601 isDefault: boolean webUrl: URL sections: Section[] (lazy-loaded) } ``` #### Section ```text Section { id: string (UUID) displayName: string createdDateTime: ISO8601 lastModifiedDateTime: ISO8601 isDefault: boolean parentNotebook: Notebook pagesUrl: URL } ``` #### Page ```text Page { id: string (UUID) title: string createdDateTime: ISO8601 lastModifiedDateTime: ISO8601 contentUrl: URL webUrl: URL level: integer (0-based indentation) order: integer (position within section) createdByAppId: string lastModifiedByAppId: string } ``` #### PageContent ```text PageContent { pageId: string htmlContent: string plainText: string (computed) summary: string (computed) wordCount: integer (computed) lastFetched: ISO8601 } ``` ### Authentication Models #### AccessToken ```text AccessToken { token: string (JWT or opaque) tokenType: "Bearer" expiresOn: ISO8601 scopes: string[] refreshToken: string (optional) clientId: string userId: string (optional) } ``` #### DeviceCodeInfo ```text DeviceCodeInfo { userCode: string deviceCode: string (internal) verificationUrl: URL expiresIn: integer (seconds) interval: integer (polling seconds) message: string } ``` ### Error Models #### ErrorResponse ```text ErrorResponse { error: { code: string (e.g., "itemNotFound", "unauthenticated") message: string (human-readable) details: object (optional, additional context) requestId: string (for support/debugging) timestamp: ISO8601 } } ``` --- ## Authentication & Security ### OAuth2 Device Code Flow **Flow Sequence:** 1. **Initiation** - Client requests device code from Microsoft Identity Platform - Server receives device code, user code, and verification URL 2. **User Authorization** - User navigates to verification URL in browser - User enters user code and signs in - User consents to requested scopes 3. **Token Acquisition** - Server polls token endpoint at specified interval - Upon user consent, receives access token and optional refresh token - Server persists token securely 4. **Token Usage** - Access token included in Authorization header for Graph API calls - Token validated by Microsoft Graph API on each request 5. **Token Refresh** - Before token expiration, server requests new token - Refresh token exchanged for new access token - Process transparent to end user ### Security Measures #### Token Protection - **Storage:** Filesystem with restricted permissions (600/-rw-------) - **Transmission:** Only over HTTPS to Microsoft endpoints - **Logging:** Token values never logged or displayed - **Lifecycle:** Automatic expiration and refresh #### Scope Management - **Minimal Scopes:** Request only necessary permissions - `Notes.Read`: Read OneNote content - `Notes.ReadWrite`: Modify existing OneNote content - `Notes.Create`: Create new pages/sections - `User.Read`: Get user profile information - **No Write Access to Notebooks/Sections:** Cannot delete or restructure #### Input Validation - **Schema Validation:** All tool inputs validated against JSON schemas - **HTML Sanitization:** User-provided HTML sanitized before sending to OneNote - **SQL Injection Prevention:** N/A (no SQL database) - **Path Traversal Prevention:** Validate all file paths for token storage #### Error Handling - **No Sensitive Data Leakage:** Error messages don't expose tokens or internal details - **Fail Securely:** Authentication failures don't leave system in vulnerable state - **Audit Logging:** Security events logged for review ### Threat Model ```text | Threat | Mitigation | |--------|------------| | Token theft from filesystem | Restricted file permissions, encrypt at rest | | Man-in-the-middle attack | HTTPS required, certificate validation | | Token replay attack | Short token lifetime, HTTPS transport | | Unauthorized scope escalation | Validate scopes on token load | | Cross-site scripting (XSS) | Sanitize user HTML input | | Denial of service | Rate limiting, request timeouts | ``` --- ## Performance Considerations ### Optimization Strategies #### 1. Pagination - **Challenge:** OneNote accounts can have 100+ notebooks, 1000+ pages - **Solution:** Implement cursor-based pagination using `@odata.nextLink` - **Benefit:** Constant memory usage regardless of dataset size **Implementation:** ```text Function: paginateGraphRequest(endpoint, params) results = [] url = buildInitialUrl(endpoint, params) while url != null: response = httpGet(url) results.extend(response.value) url = response.@odata.nextLink return results ``` #### 2. Rate Limit Handling - **Challenge:** Microsoft Graph has rate limits (varies by endpoint) - **Solution:** Exponential backoff with jitter - **Benefit:** Automatic recovery from rate limit errors **Backoff Formula:** ```text delay = min(maxDelay, baseDelay * (2 ^ attemptNumber)) + random(0, jitter) ``` #### 3. Content Streaming - **Challenge:** Large HTML pages consume memory - **Solution:** Stream processing for text extraction - **Benefit:** Lower memory footprint, faster processing #### 4. Concurrent Requests - **Challenge:** Sequential API calls slow for bulk operations - **Solution:** Parallel requests with concurrency limit - **Benefit:** Faster search across multiple notebooks **Concurrency Control:** ```text maxConcurrent = 5 semaphore = Semaphore(maxConcurrent) async Function: searchAllNotebooks(query) tasks = [] for notebook in notebooks: tasks.add(searchNotebook(notebook, query)) return await parallel(tasks, semaphore) ``` ### Performance Targets ```text | Operation | Target | Measurement | |-----------|--------|-------------| | List 100 notebooks | < 3 seconds | Time to complete | | Search 1000 pages | < 30 seconds | Time to scan all | | Retrieve page content | < 2 seconds | Time to fetch + process | | Create new page | < 3 seconds | Time from request to confirmation | | Update page content | < 3 seconds | Time from request to confirmation | ``` ### Caching Strategy **Not Implemented (By Design):** - OneNote content changes frequently - Stale data unacceptable for user workflow - Cache invalidation complex across distributed system - Simplicity preferred over potential performance gain **Future Enhancement:** - Short-lived cache (30-60 seconds) for repeated queries - Cache invalidation on write operations - User-configurable cache duration --- ## Error Handling Strategy ### Error Classification #### 1. Transient Errors (Retry) - **Network timeouts:** TCP connection failures, DNS resolution errors - **Rate limiting (429):** Too many requests to Graph API - **Server errors (5xx):** Microsoft Graph temporary outage - **Gateway timeouts (504):** Slow backend response **Handling:** Automatic retry with exponential backoff #### 2. Client Errors (No Retry) - **Authentication (401):** Invalid or expired token - **Authorization (403):** Insufficient permissions - **Not found (404):** Resource doesn't exist - **Bad request (400):** Invalid input parameters **Handling:** Return error to user with actionable message #### 3. Application Errors - **Validation errors:** Schema validation failures - **Business logic errors:** Duplicate daily note, invalid date format - **Content processing errors:** Malformed HTML, encoding issues **Handling:** Return descriptive error with suggested fix #### 4. Critical Errors - **Token storage failures:** Cannot read/write token file - **MCP protocol errors:** Cannot communicate with AI assistant - **Initialization failures:** Cannot start server **Handling:** Log error, attempt graceful shutdown, notify user ### Error Response Format **Standardized Structure:** ```json { "success": false, "error": { "code": "PAGE_NOT_FOUND", "message": "The requested page could not be found", "details": { "pageId": "abc-123", "suggestion": "Verify the page ID and ensure the page exists" }, "requestId": "uuid-for-debugging", "timestamp": "2026-02-22T10:30:00Z" } } ``` **Error Codes:** - `AUTHENTICATION_REQUIRED`: User must authenticate - `TOKEN_EXPIRED`: Token needs refresh - `INVALID_INPUT`: Input validation failed - `RESOURCE_NOT_FOUND`: Notebook/section/page doesn't exist - `QUOTA_EXCEEDED`: User storage limit reached - `RATE_LIMIT_EXCEEDED`: API rate limit hit - `NETWORK_ERROR`: Network connectivity issue - `INTERNAL_ERROR`: Unexpected server error ### Retry Logic **Configuration:** ```text maxRetries = 3 baseDelay = 1000ms maxDelay = 30000ms jitter = 500ms retriableStatusCodes = [408, 429, 500, 502, 503, 504] ``` **Algorithm:** ```text Function: retryWithBackoff(operation, maxRetries) for attempt in 1..maxRetries: try: return operation() catch error: if not isRetriable(error): throw error if attempt == maxRetries: throw error delay = calculateBackoff(attempt) sleep(delay) throw MaxRetriesExceededError ``` ### Logging Strategy **Log Levels:** - **ERROR:** Critical failures requiring attention - **WARN:** Recoverable errors, degraded functionality - **INFO:** Important state changes, successful operations - **DEBUG:** Detailed diagnostic information **Logged Events:** - Authentication success/failure - API requests and responses (sanitized) - Retry attempts - Validation errors - Performance metrics **Security Considerations:** - Never log access tokens - Sanitize user input in logs - Rotate log files to prevent disk fill --- ## Testing Strategy ### Test Pyramid ```text ┌────────────────┐ │ E2E Tests │ <- Manual, Real API │ (13 tests) │ ├────────────────┤ │ Integration │ <- Mocked API, Real Logic │ (20 tests) │ ├────────────────┤ │ Unit Tests │ <- Isolated Functions │ (33 tests) │ └────────────────┘ ``` ### Test Categories #### 1. Unit Tests **Scope:** Individual functions in isolation **Covered:** - HTML to text conversion - Markdown to HTML conversion - Text summarization - Date parsing and formatting - Input validation **Approach:** - Pure function testing - No external dependencies - Fast execution (< 100ms total) - High code coverage (>80%) **Example:** ```text Test: extractReadableText() Input: "<html><body><h1>Title</h1><p>Content</p></body></html>" Expected: "Title\n-----\nContent\n\n" Assert: output matches expected format ``` #### 2. Integration Tests **Scope:** Component interactions with mocked APIs **Covered:** - Authentication flow (mocked OAuth endpoints) - Graph API calls (mocked HTTP responses) - Token storage and retrieval - Pagination logic - Error handling **Approach:** - Mock external dependencies (HTTP, filesystem) - Test realistic scenarios - Verify correct API calls made - Check error recovery **Tools:** - HTTP mocking library (e.g., nock) - Filesystem mocking (in-memory) **Example:** ```text Test: listNotebooks with pagination Mock: Graph API returns 2 pages of notebooks Execute: listNotebooks() Assert: All notebooks returned, correct API calls made ``` #### 3. End-to-End Tests **Scope:** Real API calls with actual OneNote account **Covered:** - Authentication with real OAuth flow - All read operations - All write operations - Search and filter operations - Error scenarios (404, rate limits) **Approach:** - Manual execution (not in CI) - Test OneNote account - Cleanup test data after run - Verify against real API behavior **Example:** ```text Test: Create and retrieve daily note 1. Authenticate with test account 2. Create daily note for today 3. Search for newly created note 4. Retrieve note content 5. Verify content matches 6. Clean up test note ``` ### Test Coverage Goals ```text | Category | Target Coverage | Rationale | |----------|-----------------|-----------| | Unit Tests | >90% | Pure functions, easy to test | | Integration Tests | >70% | Complex mocking, focus on critical paths | | E2E Tests | 100% of tools | Validate all user-facing functionality | ``` ### Continuous Integration **Pipeline:** 1. **Lint:** Check code style and potential bugs 2. **Unit Tests:** Run fast, isolated tests 3. **Integration Tests:** Run with mocked dependencies 4. **Coverage Report:** Generate and publish coverage metrics 5. **Security Audit:** Check for vulnerabilities in dependencies **Triggers:** - Every commit to main branch - Every pull request - Nightly builds **Matrix Testing:** - **Operating Systems:** Linux, macOS, Windows - **Runtime Versions:** Node.js 18.x, 20.x, 22.x ### Testing Anti-Patterns to Avoid ❌ **Don't:** - Test implementation details - Make real API calls in unit/integration tests - Share state between tests - Ignore test failures - Skip edge cases ✅ **Do:** - Test behavior and outputs - Mock external dependencies - Isolate test cases - Fix failures immediately - Test error paths --- ## Deployment Architecture ### Deployment Models #### 1. Local Development **Use Case:** Developer testing and debugging **Architecture:** ```text Developer Machine ├── IDE / Text Editor ├── OneNote MCP Server (running locally) ├── AI Assistant (Claude Desktop / Cursor) └── Token Storage (.access-token.txt) ``` **Characteristics:** - Direct stdio communication - Local token storage - Hot reload for development #### 2. User Installation **Use Case:** End user productivity **Architecture:** ```text User Machine ├── AI Assistant (Claude Desktop) │ └── MCP Server Config (claude_desktop_config.json) ├── OneNote MCP Server │ ├── Node.js Runtime │ ├── Dependencies (npm packages) │ └── Token Storage └── Microsoft Graph API (cloud) ``` **Installation Steps:** 1. Install Node.js (if not present) 2. Clone or download server repository 3. Run `npm install` 4. Configure AI assistant to use server 5. Authenticate on first use #### 3. Multi-User Deployment (Future) **Use Case:** Team or organization **Architecture:** ```text Central Server ├── OneNote MCP Server Instances (per user) ├── Token Database (encrypted) ├── Load Balancer └── Monitoring / Logging Users ├── User 1 → AI Assistant → HTTP Proxy → Server ├── User 2 → AI Assistant → HTTP Proxy → Server └── User N → AI Assistant → HTTP Proxy → Server ``` **Considerations:** - Secure token isolation per user - Horizontal scaling for concurrent users - Centralized logging and monitoring - User authentication and authorization ### Configuration Management **Environment Variables:** ```bash # Required AZURE_CLIENT_ID=<your-azure-app-client-id> # Optional LOG_LEVEL=info|debug|warn|error TOKEN_STORAGE_PATH=/custom/path/to/token API_TIMEOUT_MS=30000 MAX_RETRIES=3 ``` **Configuration File (Optional):** ```json { "server": { "name": "onenote", "version": "1.0.0" }, "auth": { "clientId": "${AZURE_CLIENT_ID}", "scopes": ["Notes.Read", "Notes.ReadWrite", "Notes.Create", "User.Read"], "tokenPath": ".access-token.txt" }, "api": { "baseUrl": "https://graph.microsoft.com/v1.0", "timeout": 30000, "maxRetries": 3 }, "performance": { "maxConcurrentRequests": 5, "paginationLimit": 100 } } ``` ### Packaging & Distribution **Distribution Formats:** 1. **Source Code (GitHub):** Clone and install dependencies 2. **npm Package (Future):** `npm install -g @your-org/onenote-mcp` 3. **Binary Executable (Future):** Bundled Node.js + app **Version Management:** - Semantic versioning (MAJOR.MINOR.PATCH) - Changelog for each release - Migration guides for breaking changes ### Monitoring & Observability **Metrics to Track:** - Request count by tool - Success/failure rate - Average response time - Rate limit hits - Authentication failures - Active users (in multi-user deployment) **Health Checks:** - Server startup success - Graph API connectivity - Token validity - Disk space for logs **Alerting:** - High error rate - Authentication failures spike - API degradation --- ## Scalability & Future Enhancements ### Current Limitations 1. **Single User:** One token file per server instance 2. **No Caching:** Every request hits Microsoft Graph API 3. **Synchronous Processing:** One operation at a time 4. **Limited Offline Support:** Requires internet connectivity ### Scalability Considerations #### Horizontal Scaling **Challenge:** Support multiple concurrent users **Approach:** - Containerize server (Docker) - Deploy multiple instances with load balancer - Isolated token storage per user - Session affinity for user requests **Architecture:** ```text Load Balancer ├── Server Instance 1 (User A, User B) ├── Server Instance 2 (User C, User D) └── Server Instance N (User X, User Y) Shared Storage └── Encrypted Token Database ``` #### Vertical Scaling **Challenge:** Handle large notebooks efficiently **Approach:** - Increase memory for large HTML processing - Optimize pagination logic - Stream processing for content extraction - Parallel API requests ### Future Enhancements #### 1. Advanced Search - **Full-text search across all pages** - Index page content locally - Support fuzzy matching and synonyms - Relevance ranking - **Semantic search** - Vector embeddings for pages - AI-powered similarity search - Related note discovery #### 2. Collaborative Features - **Share notes with other users** - Generate shareable links - Collaborate on pages in real-time - Track changes by multiple users - **Team workspaces** - Organization-wide notebooks - Role-based access control - Audit logging #### 3. Offline Capabilities - **Local cache for read operations** - Sync OneNote content to local database - Serve cached content when offline - Background sync when online - **Write queue** - Queue write operations when offline - Automatic sync when connectivity restored - Conflict resolution #### 4. Enhanced Content Processing - **AI-powered summarization** - Use LLM to generate summaries - Extract key points automatically - Sentiment analysis - **Content classification** - Auto-tagging based on content - Category suggestions - Duplicate detection #### 5. Backup & Sync - **Automated backups** - Export notebooks to local storage - Version history for pages - Restore from backup - **Cross-platform sync** - Sync with other note apps (Notion, Evernote) - Import/export in standard formats (Markdown, PDF) - Migration tools #### 6. Developer Tools - **SDK for custom integrations** - Client libraries (Python, JavaScript, Go) - Plugin system for extensions - Webhook support - **GraphQL API (Alternative)** - More flexible querying - Reduce over-fetching - Better client-side caching #### 7. Performance Optimizations - **HTTP/2 multiplexing** - Multiple concurrent requests - Reduced latency - **Content compression** - Gzip/Brotli for large HTML - Reduce bandwidth usage - **Intelligent prefetching** - Predict likely next requests - Preload commonly accessed pages - Background refresh #### 8. Security Enhancements - **Multi-factor authentication** - Require MFA for sensitive operations - Conditional access policies - **Encryption at rest** - Encrypt token storage - Secure key management - **Audit logging** - Track all user actions - Compliance reporting - Anomaly detection ### Roadmap ### Phase 1: Foundation (Complete) - ✅ Core MCP server implementation - ✅ OAuth2 authentication - ✅ Basic CRUD operations - ✅ Search and filter - ✅ Content processing - ✅ Comprehensive testing ### Phase 2: Enhancement (Current) - 🔄 Performance optimizations - 🔄 Advanced search features - 🔄 Better error messages - 🔄 Documentation improvements ### Phase 3: Scale (Planned) - Multi-user support - Caching layer - Advanced productivity features - Analytics and insights ### Phase 4: Enterprise (Future) - Team collaboration - Compliance features - SSO integration - Premium support --- ## Appendices ### Appendix A: Glossary - **MCP (Model Context Protocol):** Standard protocol for AI assistants to interact with external tools - **Graph API:** Microsoft's unified API for accessing Microsoft 365 services - **OAuth2:** Industry-standard protocol for authorization - **Device Code Flow:** OAuth2 flow for devices without browsers - **Pagination:** Technique for retrieving large datasets in chunks - **Exponential Backoff:** Strategy for spacing out retry attempts - **JSDOM:** JavaScript implementation of web standards for HTML parsing ### Appendix B: References - [Model Context Protocol Specification](https://modelcontextprotocol.io/) - [Microsoft Graph API Documentation](https://learn.microsoft.com/en-us/graph/) - [OAuth 2.0 Device Authorization Grant](https://oauth.net/2/device-flow/) - [OneNote API Reference](https://learn.microsoft.com/en-us/graph/api/resources/onenote) ### Appendix C: Changelog ## Version 1.0 (February 22, 2026) - Initial design document - Complete architecture specification - Comprehensive requirements documentation --- **Document Maintenance:** - Review quarterly for accuracy - Update when major features added - Incorporate lessons learned from production - Gather feedback from developers and users **Contributors:** - Primary Author: Development Team - Technical Reviewers: Architecture Team - Last Review: February 22, 2026

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dcpurnell/onenote-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

DESIGN.md•41.6 KiB