@tuskydp/cli 0.1.0 → 0.1.1

package/src/commands/vault.ts

@@ -0,0 +1,132 @@
+import type { Command } from 'commander';
+import chalk from 'chalk';
+import inquirer from 'inquirer';
+import { cliConfig } from '../config.js';
+import { getSDKClientFromParent } from '../sdk.js';
+import { createTable, formatBytes, shortId } from '../lib/output.js';
+import { resolveVault } from '../lib/resolve.js';
+
+export function registerVaultCommands(program: Command) {
+  const vault = program.command('vault').description('Manage vaults');
+
+  vault.command('create <name>')
+    .description('Create a new vault (private/encrypted by default)')
+    .option('--public', 'Create as public vault (unencrypted, shareable via URL)')
+    .option('--description <text>', 'Vault description')
+    .action(async (name: string, options) => {
+      const sdk = getSDKClientFromParent(vault);
+      const visibility = options.public ? 'public' as const : 'private' as const;
+
+      if (visibility === 'private') {
+        try {
+          const { setupComplete } = await sdk.account.getEncryptionParams();
+          if (!setupComplete) {
+            console.log(chalk.red('Encryption must be set up before creating private vaults.'));
+            console.log(chalk.dim('  Run: tusky encryption setup'));
+            return;
+          }
+        } catch {
+          // If endpoint fails, proceed anyway
+        }
+      }
+
+      const created = await sdk.vaults.create({ name, description: options.description, visibility });
+      const icon = visibility === 'private' ? 'private' : 'public';
+      console.log(chalk.green(`Created ${visibility} vault [${icon}] "${created.name}" (${created.id})`));
+    });
+
+  vault.command('list')
+    .description('List all vaults')
+    .action(async () => {
+      const sdk = getSDKClientFromParent(vault);
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const vaults = await sdk.vaults.list();
+
+      if (format === 'json') {
+        console.log(JSON.stringify(vaults, null, 2));
+        return;
+      }
+
+      if (vaults.length === 0) {
+        console.log(chalk.dim('No vaults found.'));
+        return;
+      }
+
+      const table = createTable(['Name', 'Slug', 'Visibility', 'Files', 'Size', 'ID']);
+      for (const v of vaults) {
+        const visIcon = v.visibility === 'private' ? 'private' : 'public';
+        table.push([
+          v.isDefault ? `${v.name} ${chalk.dim('(default)')}` : v.name,
+          v.slug,
+          visIcon,
+          String(v.fileCount),
+          formatBytes(v.totalSizeBytes),
+          chalk.dim(shortId(v.id)),
+        ]);
+      }
+      console.log(table.toString());
+    });
+
+  vault.command('info <vault>')
+    .description('Show vault details')
+    .action(async (vaultRef: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const format = program.opts().format || cliConfig.get('outputFormat');
+      const vaultId = await resolveVault(sdk, vaultRef);
+      const v = await sdk.vaults.get(vaultId);
+
+      if (format === 'json') {
+        console.log(JSON.stringify(v, null, 2));
+        return;
+      }
+
+      console.log(`Name:        ${v.name}`);
+      console.log(`Slug:        ${v.slug}`);
+      console.log(`Visibility:  ${v.visibility === 'private' ? 'private' : 'public'}`);
+      console.log(`Description: ${v.description || chalk.dim('(none)')}`);
+      console.log(`Files:       ${v.fileCount}`);
+      console.log(`Total Size:  ${formatBytes(v.totalSizeBytes)}`);
+      console.log(`Default:     ${v.isDefault ? 'Yes' : 'No'}`);
+      console.log(`Created:     ${new Date(v.createdAt).toLocaleString()}`);
+      console.log(`ID:          ${v.id}`);
+    });
+
+  vault.command('rename <vault> <new-name>')
+    .description('Rename a vault')
+    .action(async (vaultRef: string, newName: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+      await sdk.vaults.update(vaultId, { name: newName });
+      console.log(chalk.green(`Vault renamed to "${newName}"`));
+    });
+
+  vault.command('delete <vault>')
+    .description('Delete a vault')
+    .option('--force', 'Delete vault and all its files')
+    .action(async (vaultRef: string, options) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+
+      if (!options.force) {
+        const answers = await inquirer.prompt([{
+          type: 'confirm',
+          name: 'confirm',
+          message: 'Delete vault? This cannot be undone.',
+          default: false,
+        }]);
+        if (!answers.confirm) return;
+      }
+
+      await sdk.vaults.delete(vaultId, { force: options.force });
+      console.log(chalk.green('Vault deleted.'));
+    });
+
+  vault.command('set-default <vault>')
+    .description('Set the default vault for uploads')
+    .action(async (vaultRef: string) => {
+      const sdk = getSDKClientFromParent(vault);
+      const vaultId = await resolveVault(sdk, vaultRef);
+      cliConfig.set('defaultVault', vaultId);
+      console.log(chalk.green(`Default vault set to ${vaultRef}`));
+    });
+}

package/src/config.ts

@@ -0,0 +1,38 @@
+import Conf from 'conf';
+
+export interface TuskyDPConfig {
+  apiUrl: string;
+  apiKey?: string;
+  defaultVault?: string;
+  outputFormat: 'table' | 'json' | 'plain';
+  encryptionEnabled: boolean;
+}
+
+export const cliConfig = new Conf<TuskyDPConfig>({
+  projectName: 'tuskydp',
+  defaults: {
+    apiUrl: 'https://api.tusky.ai',
+    outputFormat: 'table',
+    encryptionEnabled: true,
+  },
+});
+
+export function getApiUrl(override?: string): string {
+  return override || process.env.TUSKYDP_API_URL || cliConfig.get('apiUrl');
+}
+
+export function getApiKey(override?: string): string {
+  const key = override || process.env.TUSKYDP_API_KEY || cliConfig.get('apiKey');
+  if (!key) {
+    console.error('Not authenticated. Run: tusky login');
+    process.exit(1);
+  }
+  return key;
+}
+
+const VALID_FORMATS = new Set(['table', 'json', 'plain']);
+
+export function getOutputFormat(override?: string): 'table' | 'json' | 'plain' {
+  if (override && VALID_FORMATS.has(override)) return override as 'table' | 'json' | 'plain';
+  return cliConfig.get('outputFormat');
+}

package/src/crypto.ts

@@ -0,0 +1,130 @@
+import {
+  createHash,
+  createHmac,
+  randomBytes,
+  createCipheriv,
+  createDecipheriv,
+  pbkdf2Sync,
+} from 'crypto';
+
+const PBKDF2_ITERATIONS = 600_000;
+const AES_ALGO = 'aes-256-gcm' as const;
+const VERIFIER_CONTEXT = 'tuskydp-key-verifier-v1';
+
+export function deriveMasterKey(passphrase: string, salt: Buffer): Buffer {
+  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, 32, 'sha256');
+}
+
+export function computeVerifier(masterKey: Buffer): Buffer {
+  return createHmac('sha256', masterKey)
+    .update(VERIFIER_CONTEXT)
+    .digest();
+}
+
+export function verifyPassphrase(masterKey: Buffer, expectedVerifier: Buffer): boolean {
+  const computed = computeVerifier(masterKey);
+  if (computed.length !== expectedVerifier.length) return false;
+  let diff = 0;
+  for (let i = 0; i < computed.length; i++) diff |= computed[i] ^ expectedVerifier[i];
+  return diff === 0;
+}
+
+export function generateSalt(): Buffer {
+  return randomBytes(16);
+}
+
+export function generateRecoveryKey(): Buffer {
+  return randomBytes(32);
+}
+
+export function generateMasterKey(): Buffer {
+  return randomBytes(32);
+}
+
+export function wrapMasterKey(masterKey: Buffer, recoveryKey: Buffer): Buffer {
+  const wrapIv = randomBytes(12);
+  const cipher = createCipheriv(AES_ALGO, recoveryKey, wrapIv);
+  const wrapped = Buffer.concat([cipher.update(masterKey), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([wrapIv, wrapped, tag]);
+}
+
+export function unwrapMasterKey(wrappedData: Buffer, recoveryKey: Buffer): Buffer {
+  const wrapIv = wrappedData.subarray(0, 12);
+  const wrapped = wrappedData.subarray(12, wrappedData.length - 16);
+  const tag = wrappedData.subarray(wrappedData.length - 16);
+  const decipher = createDecipheriv(AES_ALGO, recoveryKey, wrapIv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(wrapped), decipher.final()]);
+}
+
+export function encryptBuffer(plaintext: Buffer, masterKey: Buffer): {
+  ciphertext: Buffer;
+  wrappedKey: string;
+  iv: string;
+  plaintextChecksum: string;
+} {
+  // Hash plaintext
+  const plaintextChecksum = createHash('sha256').update(plaintext).digest('hex');
+
+  // Generate random per-file key and IV
+  const fileKey = randomBytes(32);
+  const fileIv = randomBytes(12);
+
+  // Encrypt file
+  const cipher = createCipheriv(AES_ALGO, fileKey, fileIv);
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const ciphertext = Buffer.concat([encrypted, authTag]);
+
+  // Wrap file key with master key
+  const wrapIv = randomBytes(12);
+  const wrapCipher = createCipheriv(AES_ALGO, masterKey, wrapIv);
+  const wrappedKeyData = Buffer.concat([wrapCipher.update(fileKey), wrapCipher.final()]);
+  const wrapTag = wrapCipher.getAuthTag();
+  const wrappedKeyFull = Buffer.concat([wrapIv, wrappedKeyData, wrapTag]);
+
+  return {
+    ciphertext,
+    wrappedKey: wrappedKeyFull.toString('base64'),
+    iv: fileIv.toString('base64'),
+    plaintextChecksum,
+  };
+}
+
+export function decryptBuffer(
+  ciphertext: Buffer,
+  wrappedKeyBase64: string,
+  ivBase64: string,
+  masterKey: Buffer,
+  expectedChecksum?: string,
+): Buffer {
+  // Unwrap file key
+  const wrappedKeyFull = Buffer.from(wrappedKeyBase64, 'base64');
+  const wrapIv = wrappedKeyFull.subarray(0, 12);
+  const wrappedKeyData = wrappedKeyFull.subarray(12, wrappedKeyFull.length - 16);
+  const wrapTag = wrappedKeyFull.subarray(wrappedKeyFull.length - 16);
+
+  const unwrapDecipher = createDecipheriv(AES_ALGO, masterKey, wrapIv);
+  unwrapDecipher.setAuthTag(wrapTag);
+  const fileKey = Buffer.concat([unwrapDecipher.update(wrappedKeyData), unwrapDecipher.final()]);
+
+  // Decrypt file
+  const fileIv = Buffer.from(ivBase64, 'base64');
+  const authTag = ciphertext.subarray(ciphertext.length - 16);
+  const encryptedData = ciphertext.subarray(0, ciphertext.length - 16);
+
+  const decipher = createDecipheriv(AES_ALGO, fileKey, fileIv);
+  decipher.setAuthTag(authTag);
+  const plaintext = Buffer.concat([decipher.update(encryptedData), decipher.final()]);
+
+  // Verify integrity
+  if (expectedChecksum) {
+    const actualChecksum = createHash('sha256').update(plaintext).digest('hex');
+    if (actualChecksum !== expectedChecksum) {
+      throw new Error('Integrity check failed — file may be corrupted');
+    }
+  }
+
+  return plaintext;
+}

package/src/index.ts

@@ -0,0 +1,79 @@
+import { Command } from 'commander';
+import chalk from 'chalk';
+import { registerAuthCommands } from './commands/auth.js';
+import { registerEncryptionCommands } from './commands/encryption.js';
+import { registerVaultCommands } from './commands/vault.js';
+import { registerFileCommands } from './commands/files.js';
+import { registerAccountCommands } from './commands/account.js';
+import { uploadCommand } from './commands/upload.js';
+import { downloadCommand } from './commands/download.js';
+import { rehydrateCommand } from './commands/rehydrate.js';
+import { registerTuiCommand } from './commands/tui.js';
+import { registerMcpCommands } from './commands/mcp.js';
+import { registerExportCommand } from './commands/export.js';
+import { registerDecryptCommand } from './commands/decrypt.js';
+
+const VERSION = '0.1.0';
+
+const program = new Command();
+
+program
+  .name('tusky')
+  .description('Tusky — Encrypted decentralized storage for developers, apps, and agents')
+  .version(VERSION)
+  .option('--api-key <key>', 'Override API key')
+  .option('--api-url <url>', 'Override API URL')
+  .option('--format <fmt>', 'Output format: table, json, plain', 'table')
+  .option('--quiet', 'Suppress non-essential output')
+  .option('--verbose', 'Show debug output')
+  .option('--no-color', 'Disable colored output')
+  .hook('preAction', () => {
+    const opts = program.opts();
+    // Disable chalk colors when --no-color is used
+    if (opts.color === false) {
+      chalk.level = 0;
+    }
+  });
+
+registerAuthCommands(program);
+registerEncryptionCommands(program);
+registerVaultCommands(program);
+registerFileCommands(program);
+registerAccountCommands(program);
+registerTuiCommand(program);
+registerMcpCommands(program);
+registerExportCommand(program);
+registerDecryptCommand(program);
+
+// Direct shortcuts for common operations
+program.command('upload <paths...>')
+  .description('Upload files')
+  .option('--vault <vault>', 'Target vault')
+  .option('--recursive', 'Upload directory contents')
+  .action(async (paths: string[], options) => {
+    await uploadCommand(paths, options, program);
+  });
+
+program.command('download <file-id>')
+  .description('Download a file')
+  .option('--output <path>', 'Output path')
+  .action(async (fileId: string, options) => {
+    await downloadCommand(fileId, options, program);
+  });
+
+program.command('rehydrate <blob-id>')
+  .description('Download a file directly from Walrus by blob ID')
+  .option('--output <path>', 'Output file path')
+  .action(async (blobId: string, options) => {
+    await rehydrateCommand(blobId, options, program);
+  });
+
+program.parseAsync().catch((err) => {
+  const opts = program.opts();
+  if (opts.verbose) {
+    console.error(err.stack || err.message);
+  } else {
+    console.error(err.message);
+  }
+  process.exit(1);
+});

package/src/lib/keyring.ts

@@ -0,0 +1,50 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from 'crypto';
+
+const SESSION_DIR = join(homedir(), '.tusky');
+const SESSION_FILE = join(SESSION_DIR, 'session.enc');
+
+// Derive a machine-specific key from hostname + user
+function getMachineKey(): Buffer {
+  const machineId = `${homedir()}-tusky-session-key`;
+  return createHash('sha256').update(machineId).digest();
+}
+
+export function storeMasterKey(masterKey: Buffer): void {
+  mkdirSync(SESSION_DIR, { recursive: true, mode: 0o700 });
+  const key = getMachineKey();
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', key, iv);
+  const encrypted = Buffer.concat([cipher.update(masterKey), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const data = Buffer.concat([iv, tag, encrypted]);
+  writeFileSync(SESSION_FILE, data, { mode: 0o600 });
+}
+
+export function loadMasterKey(): Buffer | null {
+  if (!existsSync(SESSION_FILE)) return null;
+  try {
+    const data = readFileSync(SESSION_FILE);
+    const key = getMachineKey();
+    const iv = data.subarray(0, 12);
+    const tag = data.subarray(12, 28);
+    const encrypted = data.subarray(28);
+    const decipher = createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+  } catch {
+    return null;
+  }
+}
+
+export function clearSession(): void {
+  try {
+    if (existsSync(SESSION_FILE)) {
+      unlinkSync(SESSION_FILE);
+    }
+  } catch {
+    // Ignore
+  }
+}

package/src/lib/output.ts

@@ -0,0 +1,36 @@
+import Table from 'cli-table3';
+import chalk from 'chalk';
+
+export function formatBytes(bytes: number): string {
+  if (bytes <= 0) return '0 B';
+  const k = 1024;
+  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(1))} ${sizes[i]}`;
+}
+
+export function createTable(head: string[]): Table.Table {
+  return new Table({
+    head: head.map(h => chalk.cyan(h)),
+    style: { head: [] },
+  });
+}
+
+export function formatDate(date: string | Date): string {
+  const d = new Date(date);
+  const now = new Date();
+  const diffMs = now.getTime() - d.getTime();
+  const diffMins = Math.floor(diffMs / 60000);
+  const diffHours = Math.floor(diffMs / 3600000);
+  const diffDays = Math.floor(diffMs / 86400000);
+
+  if (diffMins < 1) return 'just now';
+  if (diffMins < 60) return `${diffMins} min ago`;
+  if (diffHours < 24) return `${diffHours}h ago`;
+  if (diffDays < 7) return `${diffDays}d ago`;
+  return d.toLocaleDateString();
+}
+
+export function shortId(id: string): string {
+  return id.slice(0, 8) + '...';
+}

package/src/lib/progress.ts

@@ -0,0 +1,5 @@
+import ora from 'ora';
+
+export function createSpinner(text: string) {
+  return ora({ text, spinner: 'dots' });
+}

package/src/lib/resolve.ts

@@ -0,0 +1,26 @@
+import type { TuskyClient } from '@tuskydp/sdk';
+import { cliConfig } from '../config.js';
+
+export async function resolveVault(sdk: TuskyClient, vaultRef?: string): Promise<string> {
+  // If no vault specified, use the configured default
+  if (!vaultRef) {
+    const defaultVault = cliConfig.get('defaultVault');
+    if (defaultVault) return defaultVault;
+
+    // Fall back to the user's default vault
+    const vaults = await sdk.vaults.list();
+    const defaultV = vaults.find((v) => v.isDefault);
+    if (defaultV) return defaultV.id;
+
+    throw new Error('No default vault found. Create one with: tusky vault create <name>');
+  }
+
+  // If it looks like a UUID, use it directly
+  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(vaultRef)) return vaultRef;
+
+  // Otherwise, treat it as a slug and look it up
+  const vaults = await sdk.vaults.list();
+  const match = vaults.find((v) => v.slug === vaultRef || v.name === vaultRef);
+  if (!match) throw new Error(`Vault "${vaultRef}" not found`);
+  return match.id;
+}

package/src/mcp/context.ts

@@ -0,0 +1,22 @@
+/**
+ * Shared context for MCP tool handlers.
+ *
+ * Holds the authenticated SDK client and (optionally) the unlocked
+ * master key for client-side encryption/decryption of private vault files.
+ */
+
+import type { TuskyClient } from '@tuskydp/sdk';
+
+export interface McpContext {
+  /** Authenticated Tusky SDK client. */
+  sdk: TuskyClient;
+
+  /**
+   * Returns the in-memory master key, or null if encryption was not
+   * unlocked (i.e. TUSKYDP_PASSWORD was not provided or setup is incomplete).
+   */
+  getMasterKey(): Buffer | null;
+
+  /** True when the master key is available for encrypt/decrypt operations. */
+  isEncryptionReady(): boolean;
+}

package/src/mcp/server.ts

@@ -0,0 +1,140 @@
+/**
+ * MCP Server for Tusky — exposes Tusky storage as tools over stdio.
+ *
+ * Agents (Claude Code, Cursor, etc.) spawn this process and communicate
+ * via JSON-RPC over stdin/stdout.  All human-readable logging goes to
+ * stderr because stdout is reserved for the MCP protocol.
+ */
+
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { TuskyClient, TuskyError } from '@tuskydp/sdk';
+import {
+  deriveMasterKey,
+  verifyPassphrase,
+  unwrapMasterKey,
+} from '../crypto.js';
+import { loadMasterKey } from '../lib/keyring.js';
+import type { McpContext } from './context.js';
+
+// Tool registrars
+import { registerAccountTools } from './tools/account.js';
+import { registerVaultTools } from './tools/vaults.js';
+import { registerFolderTools } from './tools/folders.js';
+import { registerFileTools } from './tools/files.js';
+import { registerTrashTools } from './tools/trash.js';
+
+// ---------------------------------------------------------------------------
+// Encryption bootstrap
+// ---------------------------------------------------------------------------
+
+/**
+ * Attempt to unlock the master key using (in order):
+ *   1. TUSKYDP_PASSWORD env var  →  derive wrapping key  →  unwrap master key
+ *   2. Existing session file (~/.tusky/session.enc)
+ *
+ * Returns the master key Buffer, or null if neither method works.
+ */
+async function unlockMasterKey(sdk: TuskyClient): Promise<Buffer | null> {
+  const password = process.env.TUSKYDP_PASSWORD;
+
+  if (password) {
+    try {
+      const params = await sdk.account.getEncryptionParams();
+      if (!params.setupComplete) {
+        console.error('[tusky-mcp] Encryption not set up on this account. Skipping encryption unlock.');
+        return null;
+      }
+
+      const salt = Buffer.from(params.salt!, 'base64');
+      const verifier = Buffer.from(params.verifier!, 'base64');
+      const wrappingKey = deriveMasterKey(password, salt);
+
+      if (!verifyPassphrase(wrappingKey, verifier)) {
+        console.error('[tusky-mcp] TUSKYDP_PASSWORD is incorrect. Encryption will be unavailable.');
+        return null;
+      }
+
+      if (params.encryptedMasterKey) {
+        return unwrapMasterKey(Buffer.from(params.encryptedMasterKey, 'base64'), wrappingKey);
+      }
+      // Legacy accounts where wrapping key IS the master key
+      return wrappingKey;
+    } catch (err: any) {
+      console.error(`[tusky-mcp] Failed to unlock encryption: ${err.message}`);
+      return null;
+    }
+  }
+
+  // Fallback: try existing session file
+  const sessionKey = loadMasterKey();
+  if (sessionKey) {
+    console.error('[tusky-mcp] Using encryption key from existing session.');
+    return sessionKey;
+  }
+
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Server lifecycle
+// ---------------------------------------------------------------------------
+
+export interface McpServerOptions {
+  apiKey: string;
+  apiUrl: string;
+}
+
+export async function startMcpServer(options: McpServerOptions): Promise<void> {
+  const { apiKey, apiUrl } = options;
+
+  // Create SDK client
+  const sdk = new TuskyClient({ apiKey, baseUrl: apiUrl });
+
+  // Validate connection by fetching account info
+  try {
+    const account = await sdk.account.get();
+    console.error(`[tusky-mcp] Authenticated as ${account.email} (${account.planName})`);
+  } catch (err: any) {
+    if (err instanceof TuskyError) {
+      console.error(`[tusky-mcp] Authentication failed: ${err.message}`);
+    } else {
+      console.error(`[tusky-mcp] Cannot reach Tusky API at ${apiUrl}: ${err.message}`);
+    }
+    process.exit(1);
+  }
+
+  // Unlock encryption (best effort)
+  const masterKey = await unlockMasterKey(sdk);
+  if (masterKey) {
+    console.error('[tusky-mcp] Encryption unlocked — private vault operations are available.');
+  } else {
+    console.error('[tusky-mcp] Encryption not unlocked — private vault encrypt/decrypt unavailable.');
+    console.error('[tusky-mcp] Set TUSKYDP_PASSWORD env var or run `tusky encryption unlock` first.');
+  }
+
+  // Build context
+  const ctx: McpContext = {
+    sdk,
+    getMasterKey: () => masterKey,
+    isEncryptionReady: () => masterKey !== null,
+  };
+
+  // Create MCP server
+  const server = new McpServer({
+    name: 'tusky',
+    version: '0.1.0',
+  });
+
+  // Register all tools
+  registerAccountTools(server, ctx);
+  registerVaultTools(server, ctx);
+  registerFolderTools(server, ctx);
+  registerFileTools(server, ctx);
+  registerTrashTools(server, ctx);
+
+  // Connect via stdio transport
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error('[tusky-mcp] MCP server running on stdio');
+}