nemonicon-cli 0.1.1

package/dist/index.js

@@ -0,0 +1,1634 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { Command as Command14 } from "commander";
+
+// src/commands/auth.ts
+import { Command } from "commander";
+
+// src/lib/config.ts
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+var CONFIG_DIR = join(homedir(), ".nemonicon");
+var CONFIG_FILE = join(CONFIG_DIR, "config.json");
+function getConfigPath() {
+  return CONFIG_FILE;
+}
+function hasCredentials(c) {
+  return typeof c.token === "string" || typeof c.accessToken === "string";
+}
+function isShapedConfig(parsed) {
+  if (!parsed || typeof parsed !== "object") return false;
+  return typeof parsed.apiUrl === "string";
+}
+function loadPartialConfig() {
+  const envToken = process.env.NEMONICON_CLI_TOKEN;
+  const envUrl = process.env.NEMONICON_API_URL;
+  if (envToken) {
+    return {
+      token: envToken,
+      apiUrl: envUrl ?? "https://preview.nemonicon.com",
+      protectionBypass: process.env.NEMONICON_PROTECTION_BYPASS || void 0,
+      authMethod: "static"
+    };
+  }
+  if (!existsSync(CONFIG_FILE)) return null;
+  try {
+    const raw = readFileSync(CONFIG_FILE, "utf-8");
+    const parsed = JSON.parse(raw);
+    if (!isShapedConfig(parsed)) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function loadConfig() {
+  const partial = loadPartialConfig();
+  if (!partial) return null;
+  if (!hasCredentials(partial)) return null;
+  return partial;
+}
+function saveConfig(config) {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  }
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + "\n", {
+    encoding: "utf-8",
+    mode: 384
+  });
+}
+function updateTokens(patch) {
+  const current = loadConfig();
+  if (!current) {
+    throw new Error(
+      "Cannot update tokens: no existing config. Run `nemonicon login` first."
+    );
+  }
+  const merged = {
+    ...current,
+    authMethod: "oauth",
+    accessToken: patch.accessToken,
+    refreshToken: patch.refreshToken,
+    accessTokenExpiresAt: patch.accessTokenExpiresAt,
+    clientId: patch.clientId ?? current.clientId
+  };
+  if (merged.accessToken) delete merged.token;
+  saveConfig(merged);
+  return merged;
+}
+function clearOauthTokens() {
+  const current = loadConfig();
+  if (!current) return null;
+  const next = { ...current };
+  delete next.accessToken;
+  delete next.refreshToken;
+  delete next.accessTokenExpiresAt;
+  delete next.authMethod;
+  saveConfig(next);
+  return next;
+}
+function deleteConfig() {
+  if (!existsSync(CONFIG_FILE)) return false;
+  unlinkSync(CONFIG_FILE);
+  return true;
+}
+function requireConfig() {
+  const config = loadConfig();
+  if (!config) {
+    console.error(
+      "Not authenticated. Run `nemonicon login` to sign in with your browser,"
+    );
+    console.error(
+      "or `nemonicon auth <token> --api-url <url>` to use a long-lived token."
+    );
+    process.exit(1);
+  }
+  return config;
+}
+
+// src/lib/oauth.ts
+import { createHash, randomBytes } from "crypto";
+import { spawn } from "child_process";
+import { createServer } from "http";
+var LOOPBACK_PORTS = [
+  33418,
+  33419,
+  33420,
+  33421,
+  33422,
+  33423,
+  33424,
+  33425,
+  33426,
+  33427
+];
+var REDIRECT_URIS = LOOPBACK_PORTS.map(
+  (p) => `http://127.0.0.1:${p}/callback`
+);
+var SCOPE = "mcp";
+var CLIENT_NAME = "Nemonicon CLI";
+var OauthError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "OauthError";
+  }
+  code;
+};
+function buildHeaders(protectionBypass) {
+  const h = {
+    "Content-Type": "application/json",
+    Accept: "application/json"
+  };
+  if (protectionBypass) h["x-vercel-protection-bypass"] = protectionBypass;
+  return h;
+}
+function buildFormHeaders(protectionBypass) {
+  const h = {
+    "Content-Type": "application/x-www-form-urlencoded",
+    Accept: "application/json"
+  };
+  if (protectionBypass) h["x-vercel-protection-bypass"] = protectionBypass;
+  return h;
+}
+async function discoverEndpoints(apiUrl, protectionBypass) {
+  const base = apiUrl.replace(/\/+$/, "");
+  const fallback = {
+    authorizationEndpoint: `${base}/api/oauth/authorize`,
+    tokenEndpoint: `${base}/api/oauth/token`,
+    registrationEndpoint: `${base}/api/oauth/register`
+  };
+  try {
+    const res = await fetch(`${base}/.well-known/oauth-authorization-server`, {
+      headers: buildHeaders(protectionBypass)
+    });
+    if (!res.ok) return fallback;
+    const meta = await res.json();
+    return {
+      authorizationEndpoint: typeof meta.authorization_endpoint === "string" ? meta.authorization_endpoint : fallback.authorizationEndpoint,
+      tokenEndpoint: typeof meta.token_endpoint === "string" ? meta.token_endpoint : fallback.tokenEndpoint,
+      registrationEndpoint: typeof meta.registration_endpoint === "string" ? meta.registration_endpoint : fallback.registrationEndpoint
+    };
+  } catch {
+    return fallback;
+  }
+}
+async function registerClient(registrationEndpoint, protectionBypass) {
+  const res = await fetch(registrationEndpoint, {
+    method: "POST",
+    headers: buildHeaders(protectionBypass),
+    body: JSON.stringify({
+      client_name: CLIENT_NAME,
+      redirect_uris: REDIRECT_URIS,
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none",
+      scope: SCOPE
+    })
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new OauthError(
+      "registration_failed",
+      `Client registration failed (${res.status}): ${text.slice(0, 500)}`
+    );
+  }
+  const body = await res.json();
+  if (typeof body.client_id !== "string") {
+    throw new OauthError(
+      "registration_failed",
+      "Registration response did not include a client_id."
+    );
+  }
+  return body.client_id;
+}
+function generatePkce() {
+  const codeVerifier = randomBytes(32).toString("base64url");
+  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+  const state = randomBytes(16).toString("base64url");
+  return { codeVerifier, codeChallenge, state };
+}
+function buildAuthorizeUrl(authorizationEndpoint, params) {
+  const url = new URL(authorizationEndpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", params.clientId);
+  url.searchParams.set("redirect_uri", params.redirectUri);
+  url.searchParams.set("scope", SCOPE);
+  url.searchParams.set("state", params.state);
+  url.searchParams.set("code_challenge", params.codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  return url.toString();
+}
+var SUCCESS_HTML = `<!doctype html>
+<html><head><meta charset="utf-8"><title>Nemonicon CLI</title>
+<style>
+body { font-family: system-ui, sans-serif; background: #0b0b0e; color: #e7e7ea;
+  display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; }
+.box { text-align: center; padding: 2rem 3rem; border: 1px solid #2a2a30;
+  border-radius: 12px; background: #14141a; }
+h1 { margin: 0 0 .5rem; font-size: 1.25rem; }
+p { margin: 0; color: #9b9ba3; }
+</style></head>
+<body><div class="box"><h1>You're signed in.</h1><p>You can close this tab and return to your terminal.</p></div></body></html>`;
+var ERROR_HTML = (msg) => `<!doctype html>
+<html><head><meta charset="utf-8"><title>Nemonicon CLI</title>
+<style>
+body { font-family: system-ui, sans-serif; background: #0b0b0e; color: #e7e7ea;
+  display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; }
+.box { text-align: center; padding: 2rem 3rem; border: 1px solid #4a1f24;
+  border-radius: 12px; background: #1a1115; max-width: 28rem; }
+h1 { margin: 0 0 .5rem; font-size: 1.25rem; color: #ff8585; }
+p { margin: 0; color: #9b9ba3; word-break: break-word; }
+</style></head>
+<body><div class="box"><h1>Sign-in failed.</h1><p>${msg}</p></div></body></html>`;
+async function startCallbackServer() {
+  for (const port of LOOPBACK_PORTS) {
+    const server = createServer();
+    try {
+      await new Promise((resolve, reject) => {
+        const onError = (err) => {
+          server.removeListener("listening", onListening);
+          reject(err);
+        };
+        const onListening = () => {
+          server.removeListener("error", onError);
+          resolve();
+        };
+        server.once("error", onError);
+        server.once("listening", onListening);
+        server.listen(port, "127.0.0.1");
+      });
+      const addr = server.address();
+      return {
+        server,
+        port: addr.port,
+        redirectUri: `http://127.0.0.1:${addr.port}/callback`
+      };
+    } catch (err) {
+      const code = err.code;
+      if (code === "EADDRINUSE" || code === "EACCES") continue;
+      throw err;
+    }
+  }
+  throw new OauthError(
+    "ports_busy",
+    `All loopback ports (${LOOPBACK_PORTS[0]}-${LOOPBACK_PORTS[LOOPBACK_PORTS.length - 1]}) are in use. Close any other Nemonicon CLI login attempts and retry.`
+  );
+}
+function waitForCallback(server, expectedState, timeoutMs = 5 * 60 * 1e3) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      cleanup();
+      reject(new OauthError("timeout", "Timed out waiting for browser callback (5 minutes)."));
+    }, timeoutMs);
+    const handler = (req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      if (url.pathname !== "/callback") {
+        res.statusCode = 404;
+        res.end("Not found");
+        return;
+      }
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "no description provided";
+        res.statusCode = 400;
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(ERROR_HTML(`${error}: ${desc}`));
+        cleanup();
+        reject(new OauthError(error, `${error}: ${desc}`));
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      if (!code || !state) {
+        res.statusCode = 400;
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(ERROR_HTML("Missing code or state in callback."));
+        cleanup();
+        reject(new OauthError("invalid_callback", "Missing code or state."));
+        return;
+      }
+      if (state !== expectedState) {
+        res.statusCode = 400;
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(ERROR_HTML("State mismatch \u2014 possible CSRF. Aborting."));
+        cleanup();
+        reject(new OauthError("state_mismatch", "State mismatch \u2014 possible CSRF."));
+        return;
+      }
+      res.statusCode = 200;
+      res.setHeader("Content-Type", "text/html; charset=utf-8");
+      res.end(SUCCESS_HTML);
+      cleanup();
+      resolve(code);
+    };
+    function cleanup() {
+      clearTimeout(timer);
+      server.removeListener("request", handler);
+      server.close();
+    }
+    server.on("request", handler);
+  });
+}
+function openBrowser(url) {
+  try {
+    const platform = process.platform;
+    let command;
+    let args;
+    if (platform === "darwin") {
+      command = "open";
+      args = [url];
+    } else if (platform === "win32") {
+      command = "cmd";
+      args = ["/c", "start", "", url];
+    } else {
+      command = "xdg-open";
+      args = [url];
+    }
+    const child = spawn(command, args, {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.on("error", () => {
+    });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function exchangeCode(tokenEndpoint, params, protectionBypass) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: params.code,
+    client_id: params.clientId,
+    redirect_uri: params.redirectUri,
+    code_verifier: params.codeVerifier
+  });
+  const res = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: buildFormHeaders(protectionBypass),
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    let parsed = {};
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+    }
+    throw new OauthError(
+      parsed.error ?? "token_exchange_failed",
+      parsed.error_description ?? `Token exchange failed (${res.status}): ${text.slice(0, 500)}`
+    );
+  }
+  return await res.json();
+}
+async function refreshAccessToken(tokenEndpoint, params, protectionBypass) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken,
+    client_id: params.clientId
+  });
+  const res = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: buildFormHeaders(protectionBypass),
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    let parsed = {};
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+    }
+    throw new OauthError(
+      parsed.error ?? "refresh_failed",
+      parsed.error_description ?? `Token refresh failed (${res.status}): ${text.slice(0, 500)}`
+    );
+  }
+  return await res.json();
+}
+
+// src/lib/api.ts
+var REFRESH_SKEW_MS = 6e4;
+var ApiClient = class {
+  baseUrl;
+  protectionBypass;
+  mode;
+  // Static-token mode
+  staticToken;
+  // OAuth mode
+  accessToken;
+  refreshToken;
+  expiresAt;
+  // epoch ms
+  clientId;
+  constructor(config) {
+    this.baseUrl = config.apiUrl.replace(/\/+$/, "");
+    this.protectionBypass = config.protectionBypass;
+    if (config.accessToken && config.refreshToken && config.clientId) {
+      this.mode = "oauth";
+      this.accessToken = config.accessToken;
+      this.refreshToken = config.refreshToken;
+      this.clientId = config.clientId;
+      this.expiresAt = config.accessTokenExpiresAt ? Date.parse(config.accessTokenExpiresAt) : 0;
+    } else if (config.token) {
+      this.mode = "static";
+      this.staticToken = config.token;
+    } else {
+      throw new Error(
+        "Invalid config: neither static token nor full OAuth credentials are present."
+      );
+    }
+  }
+  get tokenEndpoint() {
+    return `${this.baseUrl}/api/oauth/token`;
+  }
+  currentToken() {
+    if (this.mode === "oauth") return this.accessToken;
+    return this.staticToken;
+  }
+  buildHeaders() {
+    const headers = {
+      Authorization: `Bearer ${this.currentToken()}`,
+      "Content-Type": "application/json"
+    };
+    if (this.protectionBypass) {
+      headers["x-vercel-protection-bypass"] = this.protectionBypass;
+    }
+    return headers;
+  }
+  /**
+   * If we're in OAuth mode and the access token is near expiry, refresh it.
+   * Pulls in any rotation that another concurrent CLI invocation may have
+   * persisted to disk before failing the rotation ourselves.
+   */
+  async ensureFreshToken() {
+    if (this.mode !== "oauth") return;
+    const now = Date.now();
+    if (this.expiresAt && this.expiresAt - now > REFRESH_SKEW_MS) return;
+    await this.performRefresh();
+  }
+  async performRefresh() {
+    if (this.mode !== "oauth") return;
+    try {
+      await this.tryRefresh(this.refreshToken);
+    } catch (err) {
+      if (err instanceof OauthError && err.code === "invalid_grant") {
+        const fresh = loadConfig();
+        if (fresh?.refreshToken && fresh.refreshToken !== this.refreshToken) {
+          this.refreshToken = fresh.refreshToken;
+          this.accessToken = fresh.accessToken ?? this.accessToken;
+          this.expiresAt = fresh.accessTokenExpiresAt ? Date.parse(fresh.accessTokenExpiresAt) : 0;
+          try {
+            await this.tryRefresh(this.refreshToken);
+            return;
+          } catch (err2) {
+            this.handleRefreshFailure(err2);
+          }
+        }
+        this.handleRefreshFailure(err);
+      }
+      this.handleRefreshFailure(err);
+    }
+  }
+  async tryRefresh(refreshToken) {
+    const tokens = await refreshAccessToken(
+      this.tokenEndpoint,
+      { refreshToken, clientId: this.clientId },
+      this.protectionBypass
+    );
+    if (!tokens.refresh_token) {
+      throw new OauthError(
+        "refresh_failed",
+        "Server did not return a rotated refresh_token."
+      );
+    }
+    const expiresAtIso = new Date(
+      Date.now() + tokens.expires_in * 1e3
+    ).toISOString();
+    this.accessToken = tokens.access_token;
+    this.refreshToken = tokens.refresh_token;
+    this.expiresAt = Date.parse(expiresAtIso);
+    updateTokens({
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      accessTokenExpiresAt: expiresAtIso,
+      clientId: this.clientId
+    });
+  }
+  handleRefreshFailure(err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(
+      `
+Your Nemonicon session has expired (${msg}).
+Run \`nemonicon login\` to sign in again.`
+    );
+    try {
+      clearOauthTokens();
+    } catch {
+    }
+    process.exit(1);
+  }
+  async request(path, options = {}, retryOn401 = true) {
+    await this.ensureFreshToken();
+    const url = `${this.baseUrl}${path}`;
+    let res;
+    try {
+      res = await fetch(url, {
+        ...options,
+        headers: {
+          ...this.buildHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      const msg = error instanceof Error ? error.message : String(error);
+      throw new Error(
+        `Network error reaching ${url}: ${msg}
+  Check that the API URL is correct and the server is reachable.`
+      );
+    }
+    if (res.status === 401 && this.mode === "oauth" && retryOn401) {
+      await this.performRefresh();
+      return this.request(path, options, false);
+    }
+    if (!res.ok) {
+      const text = await res.text().catch(() => "");
+      const detail = text || res.statusText;
+      let hint = "";
+      if (res.status === 401) {
+        if (this.mode === "oauth") {
+          hint = "\n  Your session may have been revoked. Run `nemonicon login` to sign in again.";
+        } else {
+          hint = "\n  Your token may be invalid or expired. Generate a new one at /settings/cli,\n  or run `nemonicon login` to sign in via OAuth instead.";
+        }
+      } else if (res.status === 403) {
+        hint = "\n  Access forbidden. If this is a Vercel preview deployment, you may need\n  to pass --protection-bypass <secret> during auth.\n  Find the secret in Vercel > Settings > Deployment Protection.";
+      } else if (res.status === 404) {
+        hint = "\n  Endpoint not found. Check that the API URL is correct and the\n  server has the latest deployment with CLI token support.";
+      } else if (res.status >= 500) {
+        hint = "\n  Server error. The api_tokens table may not be migrated yet.";
+      }
+      throw new Error(
+        `API ${res.status} ${res.statusText} \u2014 ${path}
+  Response: ${detail.slice(0, 500)}${hint}`
+      );
+    }
+    if (res.status === 204) {
+      return void 0;
+    }
+    const contentType = res.headers.get("Content-Type") ?? "";
+    if (contentType.includes("text/html") && !path.includes("export?format=md")) {
+      throw new Error(
+        `Received HTML instead of JSON from ${path}.
+  This usually means Vercel Deployment Protection is blocking the request.
+  Re-run auth with --protection-bypass <secret> to fix this.
+  Find the secret in Vercel > Settings > Deployment Protection.`
+      );
+    }
+    if (contentType.includes("application/json")) {
+      return res.json();
+    }
+    return res.text();
+  }
+  async listTopics() {
+    return this.request("/api/knowledge?limit=100");
+  }
+  async createTopic(input) {
+    return this.request("/api/knowledge", {
+      method: "POST",
+      body: JSON.stringify(input)
+    });
+  }
+  async exportTopic(topicId, format = "md") {
+    return this.request(`/api/knowledge/${topicId}/export?format=${format}`);
+  }
+  async importMarkdown(content, title) {
+    return this.request("/api/knowledge/import", {
+      method: "POST",
+      body: JSON.stringify({
+        format: "markdown",
+        content,
+        ...title ? { title } : {}
+      })
+    });
+  }
+  async bulkCreateOutline(topicId, items, parentId) {
+    return this.request(`/api/knowledge/${topicId}/outline/bulk`, {
+      method: "POST",
+      body: JSON.stringify({
+        items,
+        ...parentId ? { parentId } : {}
+      })
+    });
+  }
+  /**
+   * Call an MCP tool via the JSON-RPC endpoint at /api/mcp.
+   *
+   * This is used for tools that don't have dedicated REST endpoints
+   * (`get_outline`, `update_item`, `delete_item`, `bulk_update_items`).
+   * The HTTP MCP server delegates to `lib/mcp/tools.ts` so semantics stay
+   * identical between stdio and HTTP transports.
+   */
+  async callTool(name, args) {
+    const res = await this.request("/api/mcp", {
+      method: "POST",
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: Date.now(),
+        method: "tools/call",
+        params: { name, arguments: args }
+      })
+    });
+    if (res.error) {
+      throw new Error(`MCP error ${res.error.code}: ${res.error.message}`);
+    }
+    const result = res.result ?? {};
+    const content = Array.isArray(result.content) ? result.content : [];
+    const text = content.filter(
+      (c) => typeof c.text === "string"
+    ).map((c) => c.text).join("\n");
+    return { text, isError: result.isError === true };
+  }
+  /** Fetch a topic outline as a structured tree (calls `get_outline` MCP tool). */
+  async getOutline(topicId) {
+    const res = await this.callTool("get_outline", { topicId });
+    if (res.isError) {
+      throw new Error(res.text);
+    }
+    return JSON.parse(res.text);
+  }
+  /** Update a single outline item (calls `update_item` MCP tool). */
+  async updateOutlineItem(itemId, payload) {
+    const args = { itemId };
+    if (payload.content !== void 0) args.content = payload.content;
+    if (payload.parentId !== void 0) args.parentId = payload.parentId;
+    if (payload.sortOrder !== void 0) args.sortOrder = payload.sortOrder;
+    const res = await this.callTool("update_item", args);
+    if (res.isError) {
+      throw new Error(res.text);
+    }
+    return { message: res.text };
+  }
+  /** Delete a single outline item (calls `delete_item` MCP tool). */
+  async deleteOutlineItem(itemId) {
+    const res = await this.callTool("delete_item", { itemId });
+    if (res.isError) {
+      throw new Error(res.text);
+    }
+    return { message: res.text };
+  }
+  /** Atomically apply multiple updates (calls `bulk_update_items` MCP tool). */
+  async bulkUpdateOutlineItems(topicId, updates) {
+    const res = await this.callTool("bulk_update_items", { topicId, updates });
+    if (res.isError) {
+      throw new Error(res.text);
+    }
+    return { message: res.text };
+  }
+  /** Connectivity and auth check. Returns the error message on failure. */
+  async verify() {
+    try {
+      await this.listTopics();
+      return { ok: true };
+    } catch (error) {
+      return {
+        ok: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+    }
+  }
+};
+
+// src/commands/auth.ts
+import { createInterface } from "readline";
+var DEFAULT_API_URL = "https://preview.nemonicon.com";
+function prompt(question, defaultValue) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const suffix = defaultValue ? ` (${defaultValue})` : "";
+  return new Promise((resolve) => {
+    rl.question(`${question}${suffix}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || defaultValue || "");
+    });
+  });
+}
+var authCommand = new Command("auth").description("Authenticate the CLI with a token").argument("<token>", "API token from the Nemonicon settings page").option("--api-url <url>", "API server URL").option(
+  "--protection-bypass <secret>",
+  "Vercel Deployment Protection bypass secret (for preview deployments)"
+).action(
+  async (token, options) => {
+    let apiUrl = options.apiUrl;
+    if (!apiUrl) {
+      apiUrl = await prompt("API URL", DEFAULT_API_URL);
+    }
+    apiUrl = apiUrl.replace(/\/+$/, "");
+    const config = {
+      apiUrl,
+      token,
+      protectionBypass: options.protectionBypass || void 0
+    };
+    saveConfig(config);
+    console.log(`Verifying token against ${apiUrl}...`);
+    console.log(`  POST ${apiUrl}/api/knowledge?limit=100`);
+    const client = new ApiClient(config);
+    const result = await client.verify();
+    if (!result.ok) {
+      console.error("\nAuthentication failed:\n");
+      console.error(result.error);
+      console.error(
+        `
+Config was saved to ~/.nemonicon/config.json \u2014 you can edit it manually.`
+      );
+      process.exit(1);
+    }
+    console.log("\nAuthenticated successfully.");
+    console.log(`Config saved to ~/.nemonicon/config.json`);
+  }
+);
+
+// src/commands/login.ts
+import { Command as Command2 } from "commander";
+import { createInterface as createInterface2 } from "readline";
+var DEFAULT_API_URL2 = "https://preview.nemonicon.com";
+function prompt2(question, defaultValue) {
+  const rl = createInterface2({ input: process.stdin, output: process.stdout });
+  const suffix = defaultValue ? ` (${defaultValue})` : "";
+  return new Promise((resolve) => {
+    rl.question(`${question}${suffix}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || defaultValue || "");
+    });
+  });
+}
+var loginCommand = new Command2("login").description(
+  "Sign in to Nemonicon via your browser using OAuth 2.1 + PKCE"
+).option("--api-url <url>", "API server URL").option(
+  "--protection-bypass <secret>",
+  "Vercel Deployment Protection bypass secret (for preview deployments)"
+).option(
+  "--no-browser",
+  "Print the authorization URL instead of opening the browser automatically"
+).action(
+  async (options) => {
+    const existing = loadPartialConfig();
+    let apiUrl = options.apiUrl ?? existing?.apiUrl;
+    if (!apiUrl) {
+      apiUrl = await prompt2("API URL", DEFAULT_API_URL2);
+    }
+    apiUrl = apiUrl.replace(/\/+$/, "");
+    const protectionBypass = options.protectionBypass ?? existing?.protectionBypass;
+    console.log(`Discovering OAuth endpoints at ${apiUrl}...`);
+    const endpoints = await discoverEndpoints(apiUrl, protectionBypass);
+    let clientId = existing?.clientId;
+    if (!clientId) {
+      console.log("Registering CLI as an OAuth client...");
+      clientId = await registerClient(
+        endpoints.registrationEndpoint,
+        protectionBypass
+      );
+      const next = {
+        apiUrl,
+        clientId,
+        protectionBypass,
+        ...existing?.token ? { token: existing.token } : {},
+        ...existing?.authMethod ? { authMethod: existing.authMethod } : {}
+      };
+      saveConfig(next);
+    }
+    console.log("Starting local callback server...");
+    const { server, redirectUri } = await startCallbackServer();
+    const pkce = generatePkce();
+    const authorizeUrl = buildAuthorizeUrl(endpoints.authorizationEndpoint, {
+      clientId,
+      redirectUri,
+      codeChallenge: pkce.codeChallenge,
+      state: pkce.state
+    });
+    console.log("");
+    const opened = options.browser !== false ? openBrowser(authorizeUrl) : false;
+    if (opened) {
+      console.log("Opened your browser to sign in. If nothing happened, visit:");
+    } else {
+      console.log("Open this URL in your browser to sign in:");
+    }
+    console.log(`  ${authorizeUrl}`);
+    console.log("");
+    console.log("Waiting for sign-in to complete (5 min timeout)...");
+    let code;
+    try {
+      code = await waitForCallback(server, pkce.state);
+    } catch (err) {
+      server.close();
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`
+Sign-in failed: ${msg}`);
+      process.exit(1);
+    }
+    console.log("Exchanging authorization code for tokens...");
+    let tokens;
+    try {
+      tokens = await exchangeCode(
+        endpoints.tokenEndpoint,
+        {
+          code,
+          clientId,
+          redirectUri,
+          codeVerifier: pkce.codeVerifier
+        },
+        protectionBypass
+      );
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`
+Token exchange failed: ${msg}`);
+      process.exit(1);
+    }
+    if (!tokens.refresh_token) {
+      console.error(
+        "\nServer did not return a refresh_token. Refusing to save partial credentials."
+      );
+      process.exit(1);
+    }
+    const expiresAt = new Date(
+      Date.now() + tokens.expires_in * 1e3
+    ).toISOString();
+    const finalConfig = {
+      apiUrl,
+      clientId,
+      protectionBypass,
+      authMethod: "oauth",
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      accessTokenExpiresAt: expiresAt
+    };
+    saveConfig(finalConfig);
+    console.log("Verifying access...");
+    const client = new ApiClient(finalConfig);
+    const result = await client.verify();
+    if (!result.ok) {
+      console.error("\nAuthentication succeeded but verification failed:\n");
+      console.error(result.error);
+      console.error(
+        "\nConfig was saved to ~/.nemonicon/config.json \u2014 you can edit it manually."
+      );
+      process.exit(1);
+    }
+    console.log("\nSigned in successfully.");
+    console.log("Config saved to ~/.nemonicon/config.json");
+  }
+);
+
+// src/commands/logout.ts
+import { Command as Command3 } from "commander";
+var logoutCommand = new Command3("logout").description(
+  "Clear OAuth tokens from ~/.nemonicon/config.json (preserves apiUrl and clientId)"
+).option(
+  "--purge",
+  "Delete the entire ~/.nemonicon/config.json file instead of just the tokens"
+).action((options) => {
+  const existing = loadConfig();
+  if (!existing) {
+    console.log("Not signed in.");
+    return;
+  }
+  if (options.purge) {
+    const removed = deleteConfig();
+    if (removed) {
+      console.log(`Deleted ${getConfigPath()}.`);
+    } else {
+      console.log("No config file to remove.");
+    }
+    return;
+  }
+  const next = clearOauthTokens();
+  if (!next) {
+    console.log("No config file to update.");
+    return;
+  }
+  if (next.token) {
+    console.log(
+      "Cleared OAuth tokens. A static `token` is still set in your config \u2014 run `nemonicon logout --purge` to wipe everything."
+    );
+  } else {
+    console.log(
+      "Signed out. Run `nemonicon login` to sign in again. (apiUrl and clientId were preserved for faster re-login.)"
+    );
+  }
+});
+
+// src/commands/list.ts
+import { Command as Command4 } from "commander";
+var listCommand = new Command4("list").description("List all knowledge topics").option("--json", "Output as JSON").action(async (options) => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  try {
+    const topics = await client.listTopics();
+    if (options.json) {
+      console.log(JSON.stringify(topics, null, 2));
+      return;
+    }
+    if (topics.length === 0) {
+      console.log("No topics found.");
+      return;
+    }
+    const header = "ID	Title	Tags	Updated";
+    const rows = topics.map((t) => {
+      const tags = t.tags.length > 0 ? t.tags.join(", ") : "-";
+      const updated = new Date(t.updatedAt).toLocaleDateString();
+      return `${t.id}	${t.title}	${tags}	${updated}`;
+    });
+    console.log(header);
+    console.log("-".repeat(80));
+    for (const row of rows) {
+      console.log(row);
+    }
+    console.log(`
+${topics.length} topic(s)`);
+  } catch (error) {
+    console.error(
+      "Failed to list topics:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+});
+
+// src/commands/show.ts
+import { Command as Command5 } from "commander";
+var showCommand = new Command5("show").description("Show a topic's outline as markdown").argument("<topicId>", "Topic ID to display").action(async (topicId) => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  try {
+    const markdown = await client.exportTopic(topicId, "md");
+    console.log(markdown);
+  } catch (error) {
+    console.error(
+      "Failed to show topic:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+});
+
+// src/commands/outline.ts
+import { Command as Command6 } from "commander";
+function renderTree(nodes, depth = 0) {
+  const lines = [];
+  for (const node of nodes) {
+    const indent = "  ".repeat(depth);
+    lines.push(`${indent}- ${node.content}  [${node.id}]`);
+    if (node.children.length > 0) {
+      lines.push(...renderTree(node.children, depth + 1));
+    }
+  }
+  return lines;
+}
+var outlineCommand = new Command6("outline").description("Show a topic's outline as a tree with stable item IDs").argument("<topicId>", "Topic ID to display").option("--json", "Emit raw JSON instead of pretty-printed tree").action(async (topicId, options) => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  try {
+    const tree = await client.getOutline(topicId);
+    if (options.json) {
+      console.log(JSON.stringify(tree, null, 2));
+      return;
+    }
+    console.log(`# ${tree.title}  [${tree.topicId}]`);
+    console.log("");
+    const lines = renderTree(tree.items);
+    if (lines.length === 0) {
+      console.log("(empty topic)");
+    } else {
+      for (const line of lines) console.log(line);
+    }
+  } catch (error) {
+    console.error(
+      "Failed to fetch outline:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+});
+
+// src/commands/create.ts
+import { Command as Command7 } from "commander";
+import { readFileSync as readFileSync2 } from "fs";
+var createCommand = new Command7("create").description("Create a new knowledge topic from a markdown file").argument("<file>", "Path to markdown file").option("--title <title>", "Override the topic title (default: from H1)").option("--description <desc>", "Topic description").option("--icon <icon>", "Topic icon (emoji)").option("--color <color>", "Topic color").option("--tags <tags>", "Comma-separated tags").action(
+  async (file, options) => {
+    const config = requireConfig();
+    const client = new ApiClient(config);
+    let content;
+    try {
+      content = readFileSync2(file, "utf-8");
+    } catch {
+      console.error(`Cannot read file: ${file}`);
+      process.exit(1);
+    }
+    if (!content.trim()) {
+      console.error("File is empty.");
+      process.exit(1);
+    }
+    try {
+      const result = await client.importMarkdown(content, options.title);
+      console.log(
+        JSON.stringify(
+          {
+            topicId: result.topic.id,
+            title: result.topic.title,
+            itemsCreated: result.itemsCreated
+          },
+          null,
+          2
+        )
+      );
+    } catch (error) {
+      console.error(
+        "Failed to create topic:",
+        error instanceof Error ? error.message : error
+      );
+      process.exit(1);
+    }
+  }
+);
+
+// src/commands/append.ts
+import { Command as Command8 } from "commander";
+import { readFileSync as readFileSync3 } from "fs";
+
+// src/lib/markdown.ts
+function markdownToTree(markdown) {
+  const lines = markdown.split("\n");
+  const root = { content: "", children: [] };
+  const stack = [
+    { node: root, depth: -1 }
+  ];
+  for (const raw of lines) {
+    if (/^#\s+/.test(raw)) continue;
+    const bullet = raw.match(/^(\s*)[-*+]\s+(.*)$/);
+    if (!bullet) continue;
+    const indent = bullet[1].replace(/\t/g, "  ").length;
+    const depth = Math.floor(indent / 2);
+    const content = bullet[2];
+    const node = { content, children: [] };
+    while (stack.length > 1 && stack[stack.length - 1].depth >= depth) {
+      stack.pop();
+    }
+    stack[stack.length - 1].node.children.push(node);
+    stack.push({ node, depth });
+  }
+  return root.children;
+}
+
+// src/commands/append.ts
+var appendCommand = new Command8("append").description("Append outline items to an existing topic").argument("<topicId>", "Topic ID to append to").argument("<file>", "Path to markdown file with bullet items").option("--parent <parentId>", "Attach under a specific outline item").action(
+  async (topicId, file, options) => {
+    const config = requireConfig();
+    const client = new ApiClient(config);
+    let content;
+    try {
+      content = readFileSync3(file, "utf-8");
+    } catch {
+      console.error(`Cannot read file: ${file}`);
+      process.exit(1);
+    }
+    if (!content.trim()) {
+      console.error("File is empty.");
+      process.exit(1);
+    }
+    const tree = markdownToTree(content);
+    if (tree.length === 0) {
+      console.error("No bullet items found in the markdown file.");
+      process.exit(1);
+    }
+    try {
+      const result = await client.bulkCreateOutline(
+        topicId,
+        tree,
+        options.parent
+      );
+      console.log(JSON.stringify(result, null, 2));
+    } catch (error) {
+      console.error(
+        "Failed to append items:",
+        error instanceof Error ? error.message : error
+      );
+      process.exit(1);
+    }
+  }
+);
+
+// src/commands/update.ts
+import { Command as Command9 } from "commander";
+import { readFileSync as readFileSync4 } from "fs";
+var updateCommand = new Command9("update").description("Update a single outline item (content, parent, and/or sortOrder)").argument("<itemId>", "Item ID to update").option("--content <text>", "New text content for the item").option(
+  "--content-file <path>",
+  "Read new content from a file (use this for multi-line text)"
+).option(
+  "--parent <uuid|null>",
+  "Move under a different parent. Pass `null` to move to the topic root."
+).option("--sort <int>", "New sort order among siblings", (v) => parseInt(v, 10)).action(
+  async (itemId, options) => {
+    const config = requireConfig();
+    const client = new ApiClient(config);
+    const payload = {};
+    if (options.content !== void 0 && options.contentFile !== void 0) {
+      console.error("Pass either --content or --content-file, not both.");
+      process.exit(1);
+    }
+    if (options.content !== void 0) {
+      payload.content = options.content;
+    } else if (options.contentFile !== void 0) {
+      try {
+        payload.content = readFileSync4(options.contentFile, "utf-8");
+      } catch {
+        console.error(`Cannot read file: ${options.contentFile}`);
+        process.exit(1);
+      }
+    }
+    if (options.parent !== void 0) {
+      payload.parentId = options.parent === "null" ? null : options.parent;
+    }
+    if (options.sort !== void 0) {
+      if (!Number.isInteger(options.sort)) {
+        console.error("--sort must be an integer.");
+        process.exit(1);
+      }
+      payload.sortOrder = options.sort;
+    }
+    if (Object.keys(payload).length === 0) {
+      console.error(
+        "Provide at least one of --content, --content-file, --parent, or --sort."
+      );
+      process.exit(1);
+    }
+    try {
+      const result = await client.updateOutlineItem(itemId, payload);
+      console.log(result.message);
+    } catch (error) {
+      console.error(
+        "Failed to update item:",
+        error instanceof Error ? error.message : error
+      );
+      process.exit(1);
+    }
+  }
+);
+
+// src/commands/delete.ts
+import { Command as Command10 } from "commander";
+import { createInterface as createInterface3 } from "readline";
+function confirm(question) {
+  const rl = createInterface3({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(`${question} [y/N] `, (answer) => {
+      rl.close();
+      resolve(/^y(es)?$/i.test(answer.trim()));
+    });
+  });
+}
+var deleteCommand = new Command10("delete").description(
+  "Delete a single outline item. Direct children are reparented to the deleted item's grandparent."
+).argument("<itemId>", "Item ID to delete").option("--yes", "Skip the interactive confirmation prompt").action(async (itemId, options) => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  if (!options.yes) {
+    const ok = await confirm(`Delete outline item ${itemId}?`);
+    if (!ok) {
+      console.log("Cancelled.");
+      return;
+    }
+  }
+  try {
+    const result = await client.deleteOutlineItem(itemId);
+    console.log(result.message);
+  } catch (error) {
+    console.error(
+      "Failed to delete item:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+});
+
+// src/commands/move.ts
+import { Command as Command11 } from "commander";
+var moveCommand = new Command11("move").description(
+  "Move an outline item to a different parent and/or sortOrder (alias for `update --parent/--sort`)"
+).argument("<itemId>", "Item ID to move").option(
+  "--parent <uuid|null>",
+  "New parent UUID, or `null` to move to the topic root"
+).option("--sort <int>", "New sort order among siblings", (v) => parseInt(v, 10)).action(
+  async (itemId, options) => {
+    const config = requireConfig();
+    const client = new ApiClient(config);
+    const payload = {};
+    if (options.parent !== void 0) {
+      payload.parentId = options.parent === "null" ? null : options.parent;
+    }
+    if (options.sort !== void 0) {
+      if (!Number.isInteger(options.sort)) {
+        console.error("--sort must be an integer.");
+        process.exit(1);
+      }
+      payload.sortOrder = options.sort;
+    }
+    if (Object.keys(payload).length === 0) {
+      console.error("Provide --parent and/or --sort.");
+      process.exit(1);
+    }
+    try {
+      const result = await client.updateOutlineItem(itemId, payload);
+      console.log(result.message);
+    } catch (error) {
+      console.error(
+        "Failed to move item:",
+        error instanceof Error ? error.message : error
+      );
+      process.exit(1);
+    }
+  }
+);
+
+// src/commands/bulk-update.ts
+import { Command as Command12 } from "commander";
+import { readFileSync as readFileSync5 } from "fs";
+var bulkUpdateCommand = new Command12("bulk-update").description(
+  "Atomically apply multiple updates to outline items in a single topic. The file should be JSON: an array of {id, content?, parentId?, sortOrder?} entries or an object {updates: [...]}."
+).argument("<topicId>", "Topic ID containing the items").argument("<file>", "JSON file with the update entries").action(async (topicId, file) => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  let raw;
+  try {
+    raw = readFileSync5(file, "utf-8");
+  } catch {
+    console.error(`Cannot read file: ${file}`);
+    process.exit(1);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (error) {
+    console.error(
+      "Invalid JSON in file:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+  let updates;
+  if (Array.isArray(parsed)) {
+    updates = parsed;
+  } else if (parsed && typeof parsed === "object" && Array.isArray(parsed.updates)) {
+    updates = parsed.updates;
+  } else {
+    console.error(
+      'File must contain a JSON array or an object with an "updates" array.'
+    );
+    process.exit(1);
+  }
+  if (updates.length === 0) {
+    console.error("No updates to apply.");
+    process.exit(1);
+  }
+  try {
+    const result = await client.bulkUpdateOutlineItems(topicId, updates);
+    console.log(result.message);
+  } catch (error) {
+    console.error(
+      "Failed to apply updates:",
+      error instanceof Error ? error.message : error
+    );
+    process.exit(1);
+  }
+});
+
+// src/commands/mcp.ts
+import { Command as Command13 } from "commander";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+
+// src/lib/tool-definitions.generated.ts
+var MCP_TOOLS = [
+  {
+    name: "list_topics",
+    description: "List all knowledge topics for the authenticated user. Returns id, title, description, tags, and updatedAt for each topic. Use this to discover existing topics before creating new ones or appending items.",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      additionalProperties: false
+    }
+  },
+  {
+    name: "get_topic",
+    description: "Retrieve a knowledge topic and its full outline as markdown. Use this to read the contents of a topic for human review or to give the user context. If you need stable item IDs (for example to target a deep parent in `append_to_topic`, or to call `update_item`/`delete_item`), call `get_outline` instead \u2014 it returns a structured JSON tree with UUIDs.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        topicId: {
+          type: "string",
+          description: "UUID of the topic to fetch."
+        }
+      },
+      required: ["topicId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "get_outline",
+    description: "Retrieve a knowledge topic's outline as a structured JSON tree, including each item's stable UUID. Use this when you need to target a specific node \u2014 e.g. as `parentId` for `append_to_topic`, or as `itemId` for `update_item`/`delete_item`. The response is JSON: `{ topicId, title, items: [{ id, content, sortOrder, children: [...] }] }`.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        topicId: {
+          type: "string",
+          description: "UUID of the topic to fetch."
+        }
+      },
+      required: ["topicId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "create_topic",
+    description: "Create a new knowledge topic. Pass plain metadata (title, description, etc.) to make an empty topic, or pass markdown content to create a topic populated with an outline. The markdown should use a single H1 heading for the title (optional if `title` is provided) and bullet lists (`-`, `*`, `+`) with two-space indentation for hierarchy.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        title: {
+          type: "string",
+          description: "Title of the topic. Required when `markdown` is omitted; otherwise overrides the H1 in the markdown."
+        },
+        description: {
+          type: "string",
+          description: "Optional description of the topic."
+        },
+        icon: {
+          type: "string",
+          description: "Optional emoji icon (max 8 chars)."
+        },
+        color: {
+          type: "string",
+          description: "Optional theme color token (max 32 chars)."
+        },
+        tags: {
+          type: "array",
+          items: { type: "string" },
+          description: "Optional list of tag strings."
+        },
+        markdown: {
+          type: "string",
+          description: "Optional markdown body. When provided, the topic is created with an outline parsed from the bullets."
+        }
+      },
+      additionalProperties: false
+    }
+  },
+  {
+    name: "append_to_topic",
+    description: "Append outline items to an existing knowledge topic. Items are passed as a bullet-list markdown string (use `-`, `*`, or `+` with two-space indentation for nesting). Optionally attach the new items beneath an existing outline item via `parentId` \u2014 call `get_outline` first if you need to discover the UUID of a deep parent.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        topicId: {
+          type: "string",
+          description: "UUID of the topic to append to."
+        },
+        markdown: {
+          type: "string",
+          description: "Markdown bullet list. Each top-level bullet becomes a new outline item; nested bullets (indented by two spaces) become child items."
+        },
+        parentId: {
+          type: "string",
+          description: "Optional outline item UUID. When provided, the new items are nested under this item instead of at the topic root."
+        }
+      },
+      required: ["topicId", "markdown"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "update_item",
+    description: "Update a single outline item in place. Pass any subset of `content`, `parentId`, `sortOrder` \u2014 only the provided fields change. To move an item, pass `parentId` and/or `sortOrder`. Discover the item's UUID via `get_outline`.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        itemId: {
+          type: "string",
+          description: "UUID of the outline item to update."
+        },
+        content: {
+          type: "string",
+          description: "New text content for the item."
+        },
+        parentId: {
+          type: ["string", "null"],
+          description: "New parent item UUID, or `null` to move the item to the topic root. Must be in the same topic; cycles are rejected."
+        },
+        sortOrder: {
+          type: "integer",
+          description: "New sort order among siblings."
+        }
+      },
+      required: ["itemId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "delete_item",
+    description: "Delete a single outline item. Any direct children of the deleted item are reparented to its grandparent (so they aren't orphaned). Discover the item's UUID via `get_outline`.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        itemId: {
+          type: "string",
+          description: "UUID of the outline item to delete."
+        }
+      },
+      required: ["itemId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "bulk_update_items",
+    description: "Atomically update many outline items at once. Each entry can change `content`, `parentId`, and/or `sortOrder`. All updates run in a single transaction \u2014 if any item is rejected (e.g. cycle, foreign topic), nothing is applied.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        topicId: {
+          type: "string",
+          description: "UUID of the topic that contains every item being updated."
+        },
+        updates: {
+          type: "array",
+          minItems: 1,
+          maxItems: 500,
+          description: "1 to 500 update entries.",
+          items: {
+            type: "object",
+            properties: {
+              id: { type: "string", description: "UUID of the item to update." },
+              content: { type: "string" },
+              parentId: { type: ["string", "null"] },
+              sortOrder: { type: "integer" }
+            },
+            required: ["id"],
+            additionalProperties: false
+          }
+        }
+      },
+      required: ["topicId", "updates"],
+      additionalProperties: false
+    }
+  }
+];
+
+// src/commands/mcp.ts
+var mcpCommand = new Command13("mcp").description(
+  "Run a Model Context Protocol server (stdio) so Claude can read and write your knowledge base"
+).action(async () => {
+  const config = requireConfig();
+  const client = new ApiClient(config);
+  const server = new Server(
+    { name: "nemonicon", version: "0.1.0" },
+    { capabilities: { tools: {} } }
+  );
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: MCP_TOOLS.map((t) => ({ ...t }))
+  }));
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const { name, arguments: args } = req.params;
+    const input = args ?? {};
+    try {
+      switch (name) {
+        case "list_topics": {
+          const topics = await client.listTopics();
+          return {
+            content: [
+              {
+                type: "text",
+                text: topics.length === 0 ? "No topics yet." : topics.map(
+                  (t) => `- ${t.title} (id: ${t.id})${t.description ? ` \u2014 ${t.description}` : ""}`
+                ).join("\n")
+              }
+            ]
+          };
+        }
+        case "get_topic": {
+          const topicId = String(input.topicId ?? "");
+          if (!topicId) throw new Error("topicId is required");
+          const md = await client.exportTopic(topicId, "md");
+          return {
+            content: [{ type: "text", text: md || "(empty topic)" }]
+          };
+        }
+        case "create_topic": {
+          const title = typeof input.title === "string" ? input.title : void 0;
+          const markdown = typeof input.markdown === "string" ? input.markdown : void 0;
+          if (markdown && markdown.trim().length > 0) {
+            const result = await client.importMarkdown(markdown, title);
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: `Created topic "${result.topic.title}" (id: ${result.topic.id}) with ${result.itemsCreated} item(s).`
+                }
+              ]
+            };
+          }
+          if (!title) {
+            throw new Error("Either `title` or `markdown` must be provided.");
+          }
+          const created = await client.createTopic({
+            title,
+            description: typeof input.description === "string" ? input.description : void 0,
+            icon: typeof input.icon === "string" ? input.icon : void 0,
+            color: typeof input.color === "string" ? input.color : void 0,
+            tags: Array.isArray(input.tags) ? input.tags.filter((t) => typeof t === "string") : void 0
+          });
+          return {
+            content: [
+              {
+                type: "text",
+                text: `Created topic "${created.title}" (id: ${created.id}).`
+              }
+            ]
+          };
+        }
+        case "append_to_topic": {
+          const topicId = String(input.topicId ?? "");
+          const markdown = String(input.markdown ?? "");
+          if (!topicId) throw new Error("topicId is required");
+          if (!markdown.trim()) throw new Error("markdown is required");
+          const tree = markdownToTree(markdown);
+          if (tree.length === 0) {
+            throw new Error(
+              "No bullet items found. Use `-`, `*`, or `+` for list items, with two-space indentation for nesting."
+            );
+          }
+          const parentId = typeof input.parentId === "string" && input.parentId ? input.parentId : void 0;
+          const result = await client.bulkCreateOutline(
+            topicId,
+            tree,
+            parentId
+          );
+          return {
+            content: [
+              {
+                type: "text",
+                text: `Appended ${result.itemsCreated} item(s) to topic ${topicId}${parentId ? ` under item ${parentId}` : ""}.`
+              }
+            ]
+          };
+        }
+        // The new tools (get_outline, update_item, delete_item,
+        // bulk_update_items) live only on the HTTP MCP server. The stdio
+        // server proxies them via JSON-RPC so semantics stay identical
+        // between transports.
+        case "get_outline":
+        case "update_item":
+        case "delete_item":
+        case "bulk_update_items": {
+          const res = await client.callTool(name, input);
+          return {
+            isError: res.isError,
+            content: [{ type: "text", text: res.text }]
+          };
+        }
+        default:
+          throw new Error(`Unknown tool: ${name}`);
+      }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return {
+        isError: true,
+        content: [{ type: "text", text: message }]
+      };
+    }
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+});
+
+// src/index.ts
+var program = new Command14();
+program.name("nemonicon").description("CLI tool for Nemonicon knowledge management").version("0.1.0");
+program.addCommand(loginCommand);
+program.addCommand(logoutCommand);
+program.addCommand(authCommand);
+program.addCommand(listCommand);
+program.addCommand(showCommand);
+program.addCommand(outlineCommand);
+program.addCommand(createCommand);
+program.addCommand(appendCommand);
+program.addCommand(updateCommand);
+program.addCommand(deleteCommand);
+program.addCommand(moveCommand);
+program.addCommand(bulkUpdateCommand);
+program.addCommand(mcpCommand);
+program.parse();