@xmemo/client 0.4.155 → 0.4.156

package/src/commands/setup.js

@@ -0,0 +1,190 @@
+import {
+  hasFlag,
+  optionValue,
+  parsePositiveInteger,
+  stringValue
+} from '../args.js';
+import { baseUrlOption } from '../base-url.js';
+import {
+  DEFAULT_PROXY_PORT
+} from '../constants.js';
+import {
+  buildSetupPlan,
+  ensureDiscoveryService
+} from '../discovery.js';
+import { UsageError } from '../errors.js';
+import {
+  endpointUrl,
+  fetchJson,
+  normalizeBaseUrl
+} from '../http.js';
+import { writeLine } from '../io.js';
+import {
+  MCP_CLIENTS,
+  supportedMcpClients
+} from '../mcp/clients.js';
+import { mergeCopilotMcpConfig } from '../mcp/copilot-proxy.js';
+import { detectClient } from '../mcp/detect.js';
+import {
+  agentIdentity,
+  envReferenceIdentity
+} from '../mcp/identity.js';
+import {
+  confirmProfileInstall,
+  defaultProfileTarget,
+  profileClientConfig,
+  profileInstallResult
+} from '../profile.js';
+import {
+  clientSetupPlan,
+  copilotSetupPlan,
+  normalizeSetupClientId,
+  positionalClientArg,
+  supportedSetupClientIds,
+  writeSetupSummary
+} from '../setup.js';
+
+export async function setupCommand(args, io) {
+  const positionalClientId = positionalClientArg(args, MCP_CLIENTS);
+  const optionArgs = positionalClientId ? args.slice(1) : args;
+  const baseUrl = normalizeBaseUrl(baseUrlOption(optionArgs, io.env));
+  const outputJson = hasFlag(optionArgs, '--json');
+  const shortClientSetup = Boolean(positionalClientId);
+  const setupAll = hasFlag(optionArgs, '--all');
+  
+  let clientId = null;
+  try {
+    clientId = normalizeSetupClientId(positionalClientId ?? optionValue(optionArgs, '--client'), MCP_CLIENTS);
+  } catch (error) {
+    if (!setupAll) {
+      throw error;
+    }
+  }
+
+  if (setupAll && clientId) {
+    throw new UsageError('Cannot specify both --all and a specific client.');
+  }
+
+  const dryRun = hasFlag(optionArgs, '--dry-run') || hasFlag(optionArgs, '--preview');
+  const writeConfig = !dryRun && (hasFlag(optionArgs, '--write') || hasFlag(optionArgs, '--yes') || shortClientSetup || (setupAll && (hasFlag(optionArgs, '--write') || hasFlag(optionArgs, '--yes'))));
+  const timeoutMs = parsePositiveInteger(optionValue(optionArgs, '--timeout-ms') ?? '5000', '--timeout-ms');
+
+  if (writeConfig && !clientId && !setupAll) {
+    throw new UsageError(`Setup --write requires --client <${supportedSetupClientIds(MCP_CLIENTS).join('|')}> or --all so the CLI never writes broad config implicitly.`);
+  }
+
+  const discoveryUrl = endpointUrl(baseUrl, '/.well-known/memory-os.json');
+  const discovery = await fetchJson(discoveryUrl, timeoutMs, io);
+  ensureDiscoveryService(discovery, discoveryUrl);
+
+  const statusUrl = stringValue(discovery, ['urls', 'onboarding_status'])
+    ?? stringValue(discovery, ['onboarding_status_url'])
+    ?? endpointUrl(baseUrl, '/v1/onboarding/status');
+  const status = await fetchJson(statusUrl, timeoutMs, io);
+  const setupPlan = buildSetupPlan({
+    baseUrl,
+    discoveryUrl,
+    statusUrl,
+    discovery,
+    status,
+    localClients: supportedMcpClients()
+  });
+
+  if (setupAll) {
+    setupPlan.detectedClients = [];
+    const scanIds = ['codex', 'cursor', 'copilot-cli', 'gemini-cli', 'antigravity', 'antigravity-ide', 'antigravity2', 'antigravity-cli', 'windsurf', 'cline', 'continue', 'claude-desktop', 'qwen', 'opencode', 'trae', 'trae-solo'];
+    for (const scanId of scanIds) {
+      const detection = await detectClient(scanId, io.env, MCP_CLIENTS);
+      if (detection.detected) {
+        let clientPlan;
+        if (scanId === 'copilot-cli') {
+          const proxyPort = parsePositiveInteger(optionValue(optionArgs, '--port') ?? String(DEFAULT_PROXY_PORT), '--port');
+          clientPlan = copilotSetupPlan(setupPlan.mcpUrl, proxyPort, io.env);
+          clientPlan.configPath = detection.path;
+          if (writeConfig) {
+            await mergeCopilotMcpConfig(clientPlan.configPath, clientPlan.proxyUrl);
+            clientPlan.written = true;
+          }
+        } else {
+          const client = MCP_CLIENTS.get(scanId);
+          const identity = writeConfig ? await agentIdentity(scanId, io.env) : envReferenceIdentity(scanId);
+          clientPlan = clientSetupPlan(scanId, client, setupPlan.mcpUrl, io.env, identity);
+          clientPlan.configPath = detection.path;
+          if (writeConfig) {
+            await client.writeConfig(clientPlan.configPath, setupPlan.mcpUrl, identity);
+            clientPlan.written = true;
+            if (profileClientConfig(scanId)) {
+              const installProfile = hasFlag(optionArgs, '--yes') || hasFlag(optionArgs, '--profile');
+              if (installProfile) {
+                const profileTarget = defaultProfileTarget(scanId, io.env);
+                const profileResult = await profileInstallResult(scanId, profileTarget, { write: true });
+                clientPlan.behaviorProfile = profileResult;
+                if (scanId === 'codex') {
+                  clientPlan.codexProfile = profileResult;
+                }
+              }
+            }
+          }
+        }
+        setupPlan.detectedClients.push(clientPlan);
+      }
+    }
+  } else if (clientId) {
+    if (clientId === 'copilot-cli') {
+      const proxyPort = parsePositiveInteger(optionValue(optionArgs, '--port') ?? String(DEFAULT_PROXY_PORT), '--port');
+      setupPlan.selectedClient = copilotSetupPlan(setupPlan.mcpUrl, proxyPort, io.env);
+      if (writeConfig) {
+        await mergeCopilotMcpConfig(setupPlan.selectedClient.configPath, setupPlan.selectedClient.proxyUrl);
+        setupPlan.selectedClient.written = true;
+      }
+    } else {
+      const client = MCP_CLIENTS.get(clientId);
+      if (!client) {
+        throw new UsageError(`Unsupported MCP client: ${clientId}. Supported clients: ${supportedSetupClientIds(MCP_CLIENTS).join(', ')}.`);
+      }
+
+      const identity = writeConfig ? await agentIdentity(clientId, io.env) : envReferenceIdentity(clientId);
+      setupPlan.selectedClient = clientSetupPlan(clientId, client, setupPlan.mcpUrl, io.env, identity);
+      if (writeConfig) {
+        await client.writeConfig(setupPlan.selectedClient.configPath, setupPlan.mcpUrl, identity);
+        setupPlan.selectedClient.written = true;
+      }
+
+      if (shortClientSetup && profileClientConfig(clientId)) {
+        const profileTarget = optionValue(optionArgs, '--profile-target')
+          ?? optionValue(optionArgs, '--target')
+          ?? defaultProfileTarget(clientId, io.env);
+        let installProfile = false;
+        let prompted = false;
+        let skipped = false;
+        if (hasFlag(optionArgs, '--no-profile')) {
+          skipped = true;
+        } else if (dryRun) {
+          installProfile = false;
+        } else if (writeConfig) {
+          installProfile = outputJson || hasFlag(optionArgs, '--yes') || hasFlag(optionArgs, '--profile');
+          if (!installProfile && !outputJson) {
+            prompted = true;
+            installProfile = await confirmProfileInstall(clientId, profileTarget, io);
+          }
+        }
+        const profileResult = await profileInstallResult(clientId, profileTarget, { write: installProfile });
+        profileResult.prompted = prompted;
+        profileResult.accepted = installProfile;
+        profileResult.skipped = skipped;
+        setupPlan.selectedClient.behaviorProfile = profileResult;
+        if (clientId === 'codex') {
+          setupPlan.selectedClient.codexProfile = profileResult;
+        }
+      }
+    }
+  }
+
+  if (outputJson) {
+    writeLine(io.stdout, JSON.stringify(setupPlan, null, 2));
+    return 0;
+  }
+
+  writeSetupSummary(setupPlan, io);
+  return 0;
+}

package/src/commands/update.js

@@ -0,0 +1,57 @@
+import { hasFlag } from '../args.js';
+import {
+  COMMAND_NAME,
+  PACKAGE_NAME
+} from '../constants.js';
+import { UsageError } from '../errors.js';
+import { writeLine } from '../io.js';
+import {
+  npmExecutable,
+  runProcess
+} from '../runtime.js';
+
+export async function updateCommand(args, io) {
+  const outputJson = hasFlag(args, '--json');
+  const dryRun = hasFlag(args, '--dry-run');
+  const npmCommand = npmExecutable();
+  const npmArgs = ['install', '-g', `${PACKAGE_NAME}@latest`];
+  const report = {
+    package: PACKAGE_NAME,
+    command: [npmCommand, ...npmArgs],
+    dryRun,
+    tokenSent: false,
+    projectFilesModified: false
+  };
+
+  const commandToDisplay = report.command.map(c => c === 'npm.cmd' ? 'npm' : c).join(' ');
+
+  if (dryRun) {
+    if (outputJson) {
+      writeLine(io.stdout, JSON.stringify(report, null, 2));
+    } else {
+      writeLine(io.stdout, `Update command: ${commandToDisplay}`);
+      writeLine(io.stdout, 'Dry run only; no changes made.');
+    }
+    return 0;
+  }
+
+  if (!outputJson) {
+    writeLine(io.stdout, `Updating ${PACKAGE_NAME} to the latest version...`);
+    writeLine(io.stdout, `Running: ${commandToDisplay}`);
+  }
+  const result = await runProcess(npmCommand, npmArgs, io, { stream: !outputJson });
+  report.exitCode = result.code;
+  report.completed = result.code === 0;
+
+  if (outputJson) {
+    writeLine(io.stdout, JSON.stringify(report, null, 2));
+  }
+  if (result.code !== 0) {
+    const detail = result.stderr.trim() || result.stdout.trim() || `exit code ${result.code}`;
+    throw new UsageError(`Update failed: ${detail}`);
+  }
+  if (!outputJson) {
+    writeLine(io.stdout, `Update complete. Run \`${COMMAND_NAME} --version\` to confirm.`);
+  }
+  return 0;
+}

package/src/constants.js

@@ -0,0 +1,32 @@
+export const PRODUCT_NAME = 'XMemo';
+export const PACKAGE_NAME = '@xmemo/client';
+export const FALLBACK_PACKAGE_NAME = '@yonro/xmemo-client';
+export const COMMAND_NAME = 'xmemo';
+export const LEGACY_COMMAND_NAME = 'memory-os';
+export { CLI_VERSION } from './version.js';
+export const DEFAULT_SERVICE_URL = 'https://xmemo.dev';
+export const TOKEN_ENV_VAR = 'XMEMO_KEY';
+export const LEGACY_TOKEN_ENV_VAR = 'MEMORY_OS_MCP_TOKEN';
+export const AGENT_ID_ENV_VAR = 'XMEMO_AGENT_ID';
+export const AGENT_INSTANCE_ENV_VAR = 'XMEMO_AGENT_INSTANCE_ID';
+export const AGENT_ID_HEADER = 'X-Memory-OS-Agent-ID';
+export const AGENT_INSTANCE_HEADER = 'X-Memory-OS-Agent-Instance-ID';
+export const MCP_SERVER_NAME = 'XMemo';
+export const LEGACY_MCP_SERVER_NAMES = ['memory_os', 'memory-os'];
+export const CODEX_PROFILE_TARGET = 'AGENTS.md';
+export const CODEX_PROFILE_MARKER_START = '<!-- memory-os:codex-profile:start -->';
+export const CODEX_PROFILE_MARKER_END = '<!-- memory-os:codex-profile:end -->';
+export const CLIENT_PROFILE_TARGETS = {
+  cursor: '.cursor/rules/xmemo-memory.md',
+  'gemini-cli': 'GEMINI.md',
+  antigravity: 'GEMINI.md',
+  trae: '.trae/rules/xmemo-memory.md',
+  'trae-solo': '.trae/rules/xmemo-memory.md'
+};
+export const CLIENT_PROFILE_MARKER_START = '<!-- xmemo:profile:start -->';
+export const CLIENT_PROFILE_MARKER_END = '<!-- xmemo:profile:end -->';
+export const PROFILE_MARKER_PREFIX = 'memory-os:memory-profile';
+export const DEVICE_LOGIN_START_PATH = '/api/v1/auth/device/start';
+export const DEVICE_LOGIN_TOKEN_PATH = '/api/v1/auth/device/token';
+export const DEFAULT_PROXY_HOST = '127.0.0.1';
+export const DEFAULT_PROXY_PORT = 8765;

package/src/discovery.js

@@ -0,0 +1,102 @@
+import { arrayValue, booleanValue, stringValue } from './args.js';
+import { TOKEN_ENV_VAR } from './constants.js';
+import { UsageError } from './errors.js';
+import { endpointUrl, fetchJson } from './http.js';
+import { isPlainObject } from './runtime.js';
+
+export function ensureDiscoveryService(discovery, discoveryUrl) {
+  const service = stringValue(discovery, ['service']);
+  if (service && service !== 'memory-os') {
+    throw new UsageError(`Discovery document at ${discoveryUrl} is for '${service}', not 'memory-os'.`);
+  }
+}
+
+export function buildSetupPlan({ baseUrl, discoveryUrl, statusUrl, discovery, status, localClients }) {
+  const apiBase = stringValue(discovery, ['urls', 'api_base'])
+    ?? stringValue(discovery, ['api_base_url'])
+    ?? baseUrl;
+  const mcpUrl = stringValue(discovery, ['urls', 'mcp'])
+    ?? stringValue(discovery, ['mcp_url'])
+    ?? endpointUrl(apiBase, '/mcp');
+  const tokenPortalUrl = stringValue(discovery, ['urls', 'token_portal'])
+    ?? stringValue(discovery, ['token_portal_url'])
+    ?? stringValue(status, ['requirements', 'token_portal_url']);
+  const tokenEnvVar = stringValue(discovery, ['auth', 'token_env_var'])
+    ?? stringValue(status, ['requirements', 'token_env_var'])
+    ?? TOKEN_ENV_VAR;
+
+  return {
+    schemaVersion: '1.0',
+    baseUrl,
+    discoveryUrl,
+    statusUrl,
+    apiBase,
+    mcpUrl,
+    guideUrl: stringValue(discovery, ['urls', 'guide']) ?? endpointUrl(apiBase, '/guide'),
+    docsUrl: stringValue(discovery, ['urls', 'docs']),
+    tokenPortalUrl,
+    tokenEnvVar,
+    onboardingReady: booleanValue(status, ['ready']),
+    supportedClients: discoveryMcpClients(discovery),
+    localClients,
+    privacy: {
+      telemetry: false,
+      tokenSent: false,
+      tokenEmbeddedInConfig: false
+    },
+    boundaries: {
+      clientAllowed: arrayValue(discovery, ['agent_boundary', 'client_allowed'])
+        ?? arrayValue(status, ['agent_boundary', 'client_allowed'])
+        ?? [],
+      adminRequired: arrayValue(discovery, ['agent_boundary', 'admin_required'])
+        ?? arrayValue(status, ['agent_boundary', 'admin_required'])
+        ?? []
+    }
+  };
+}
+
+export async function bestEffortRootVersion(discovery, timeoutMs, io) {
+  const rootDiscoveryUrl = stringValue(discovery, ['urls', 'root_discovery']);
+  if (!rootDiscoveryUrl) {
+    return {};
+  }
+  try {
+    const rootDiscovery = await fetchJson(rootDiscoveryUrl, timeoutMs, io);
+    return { version: stringValue(rootDiscovery, ['version']) ?? undefined };
+  } catch (error) {
+    return { error: error.message };
+  }
+}
+
+export function discoveryMcpUrl(discovery, baseUrl) {
+  return stringValue(discovery, ['api', 'mcp', 'url'])
+    ?? stringValue(discovery, ['urls', 'mcp'])
+    ?? endpointUrl(baseUrl, '/mcp');
+}
+
+export function agentDiscoveryClientIds(discovery) {
+  const clients = Array.isArray(discovery?.clients) ? discovery.clients : [];
+  const ids = clients
+    .filter((client) => isPlainObject(client) && typeof client.id === 'string')
+    .map((client) => client.id);
+  if (ids.length > 0) {
+    return ids;
+  }
+  const supported = arrayValue(discovery, ['supported_clients']);
+  return supported ?? [];
+}
+
+export function discoveryMcpClients(discovery) {
+  const clients = discovery?.clients?.mcp;
+  if (!Array.isArray(clients)) {
+    return [];
+  }
+
+  return clients
+    .filter((client) => isPlainObject(client) && typeof client.id === 'string')
+    .map((client) => ({
+      id: client.id,
+      configEndpoint: typeof client.config_endpoint === 'string' ? client.config_endpoint : null
+    }));
+}
+

package/src/env.js

@@ -0,0 +1,81 @@
+import { hasFlag, optionValue } from './args.js';
+import { baseUrlOption } from './base-url.js';
+import {
+  AGENT_ID_ENV_VAR,
+  AGENT_INSTANCE_ENV_VAR,
+  COMMAND_NAME,
+  PRODUCT_NAME,
+  TOKEN_ENV_VAR
+} from './constants.js';
+import { UsageError } from './errors.js';
+import { normalizeBaseUrl } from './http.js';
+import { writeLine } from './io.js';
+
+export function envCommand(args, io) {
+  const subcommand = args[0] ?? 'help';
+  if (subcommand === 'help' || subcommand === '--help' || subcommand === '-h') {
+    writeLine(io.stdout, 'Env commands:');
+    writeLine(io.stdout, `  ${COMMAND_NAME} env example [--shell bash|powershell|cmd] [--base-url <url>] [--json]`);
+    return 0;
+  }
+  if (subcommand !== 'example') {
+    throw new UsageError(`Unknown env command: ${subcommand}`);
+  }
+
+  const baseUrl = normalizeBaseUrl(baseUrlOption(args.slice(1), io.env));
+  const outputJson = hasFlag(args, '--json');
+  const shell = optionValue(args, '--shell') ?? (process.platform === 'win32' ? 'powershell' : 'bash');
+  const placeholder = '<paste-token-from-your-secret-store>';
+  const payload = {
+    XMEMO_URL: baseUrl,
+    XMEMO_BASE_URL: baseUrl,
+    MEMORY_OS_URL: baseUrl,
+    MEMORY_OS_BASE_URL: baseUrl,
+    [TOKEN_ENV_VAR]: placeholder,
+    [AGENT_ID_ENV_VAR]: '<agent-family>',
+    [AGENT_INSTANCE_ENV_VAR]: '<stable-random-id-for-this-local-agent>'
+  };
+
+  if (outputJson) {
+    writeLine(io.stdout, JSON.stringify(payload, null, 2));
+    return 0;
+  }
+
+  if (shell === 'powershell') {
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('XMEMO_URL', '${baseUrl}', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('XMEMO_BASE_URL', '${baseUrl}', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('MEMORY_OS_URL', '${baseUrl}', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('MEMORY_OS_BASE_URL', '${baseUrl}', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('${TOKEN_ENV_VAR}', '${placeholder}', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('${AGENT_ID_ENV_VAR}', '<agent-family>', 'User')`);
+    writeLine(io.stdout, `[Environment]::SetEnvironmentVariable('${AGENT_INSTANCE_ENV_VAR}', '<stable-random-id-for-this-local-agent>', 'User')`);
+  } else if (shell === 'cmd') {
+    writeLine(io.stdout, `setx XMEMO_URL "${baseUrl}"`);
+    writeLine(io.stdout, `setx XMEMO_BASE_URL "${baseUrl}"`);
+    writeLine(io.stdout, `setx MEMORY_OS_URL "${baseUrl}"`);
+    writeLine(io.stdout, `setx MEMORY_OS_BASE_URL "${baseUrl}"`);
+    writeLine(io.stdout, `setx ${TOKEN_ENV_VAR} "${placeholder}"`);
+    writeLine(io.stdout, `setx ${AGENT_ID_ENV_VAR} "<agent-family>"`);
+    writeLine(io.stdout, `setx ${AGENT_INSTANCE_ENV_VAR} "<stable-random-id-for-this-local-agent>"`);
+  } else {
+    writeLine(io.stdout, `export XMEMO_URL="${baseUrl}"`);
+    writeLine(io.stdout, `export XMEMO_BASE_URL="${baseUrl}"`);
+    writeLine(io.stdout, `export MEMORY_OS_URL="${baseUrl}"`);
+    writeLine(io.stdout, `export MEMORY_OS_BASE_URL="${baseUrl}"`);
+    writeLine(io.stdout, `export ${TOKEN_ENV_VAR}="${placeholder}"`);
+    writeLine(io.stdout, `export ${AGENT_ID_ENV_VAR}="<agent-family>"`);
+    writeLine(io.stdout, `export ${AGENT_INSTANCE_ENV_VAR}="<stable-random-id-for-this-local-agent>"`);
+  }
+  return 0;
+}
+
+export function writePrivacy(io) {
+  writeLine(io.stdout, `${PRODUCT_NAME} CLI privacy and security defaults:`);
+  writeLine(io.stdout, '- No telemetry or analytics.');
+  writeLine(io.stdout, '- `status` does not send tokens.');
+  writeLine(io.stdout, `- MCP configs reference ${TOKEN_ENV_VAR}; token values are not embedded.`);
+  writeLine(io.stdout, `- Agent instance IDs are non-secret and stored in user-scoped config outside git.`);
+  writeLine(io.stdout, '- `login` and `token add` store credentials in the user-scoped XMemo CLI config directory.');
+  writeLine(io.stdout, '- Legacy `token set` plaintext storage requires explicit --allow-plaintext.');
+  writeLine(io.stdout, '- npm publishing is restricted by package.json files whitelist.');
+}

package/src/errors.js

@@ -0,0 +1,6 @@
+export class UsageError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = 'UsageError';
+  }
+}

package/src/help.js

@@ -0,0 +1,58 @@
+import {
+  CLI_VERSION,
+  COMMAND_NAME,
+  LEGACY_COMMAND_NAME,
+  PACKAGE_NAME,
+  PRODUCT_NAME
+} from './constants.js';
+import { writeLine } from './io.js';
+
+export function writeHelp(io) {
+  writeLine(io.stdout, `======================================================================`);
+  writeLine(io.stdout, ` 🧠  ${PRODUCT_NAME} CLI (Version ${CLI_VERSION}) — Cloud Memory Orchestration Utility`);
+  writeLine(io.stdout, `======================================================================`);
+  writeLine(io.stdout, `Official package: ${PACKAGE_NAME} | Legacy command: ${LEGACY_COMMAND_NAME}`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, '💡 CORE ONBOARDING & SETUP COMMANDS:');
+  writeLine(io.stdout, `  ${COMMAND_NAME} setup --all [--write] [--profile]`);
+  writeLine(io.stdout, `      Auto-detects all local client installations (Cursor, VS Code, Continue, Trae, etc.).`);
+  writeLine(io.stdout, `      Merges XMemo MCP configs. Pass --profile to auto-inject workspace prompt rules.`);
+  writeLine(io.stdout, `      *Dry-run by default unless --write (or --yes/-y) is specified for safety.*`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} setup <client-id> [--url <url>] [--no-profile] [--json]`);
+  writeLine(io.stdout, `      Runs interactive setup wizard for a single client (e.g. cursor, gemini, antigravity).`);
+  writeLine(io.stdout, `      Detects active workspace to auto-inject project-scoped instruction rules.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} login [--from-stdin] [--base-url <url>]`);
+  writeLine(io.stdout, `      Starts secure OAuth2 browser-based device login flow to register the CLI.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, '🛡️  DIAGNOSTICS & SYSTEM AUDIT:');
+  writeLine(io.stdout, `  ${COMMAND_NAME} doctor [--base-url <url>] [--json]`);
+  writeLine(io.stdout, `      Performs structural diagnostics (Node version, Cloud connectivity, API compatibility, security).`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} status [--url <url>] [--json]`);
+  writeLine(io.stdout, `      Probes and audits XMemo core service endpoints, readiness states, and network health.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, '📋 MCP & CREDENTIAL MANAGEMENT:');
+  writeLine(io.stdout, `  ${COMMAND_NAME} mcp list`);
+  writeLine(io.stdout, `      Lists all natively supported client integrations and configurations.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} mcp config --client <client-id> [--base-url <url>] [--json]`);
+  writeLine(io.stdout, `      Generates and outputs raw MCP config snippet templates without writing to files.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} mcp add <client-id> [--write] [--config <path>]`);
+  writeLine(io.stdout, `      Directly adds XMemo MCP server config snippet to the specified client settings file.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} profile install <client-id> [--target <path>] [--dry-run]`);
+  writeLine(io.stdout, `      Injects/updates instruction rules prompt in target workspace rules files (Cursor/Gemini).`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, `  ${COMMAND_NAME} token status [--verify] | ${COMMAND_NAME} token add --from-stdin`);
+  writeLine(io.stdout, `      Checks local static credential states or manually saves XMEMO_KEY for key-auth fallbacks.`);
+  writeLine(io.stdout, '');
+  writeLine(io.stdout, '🔐 SECURITY & PRIVACY BY DESIGN:');
+  writeLine(io.stdout, '  - ZERO Telemetry: We never collect private workspace data or usage metrics.');
+  writeLine(io.stdout, '  - Git Protection: API tokens are kept securely in system environment variables (XMEMO_KEY)');
+  writeLine(io.stdout, '    or in user-scoped credentials.json file. They are never written to project configs.');
+  writeLine(io.stdout, '  - AST Merge Safety: Config writes only touch and append the XMemo keys, preserving all other servers.');
+  writeLine(io.stdout, '======================================================================');
+}