trace-mcp 1.20.1 → 1.22.0

package/LICENSE

@@ -1,137 +1,21 @@
-Elastic License 2.0 + Ethical Use Addendum
-
-Copyright 2026 Nikolai Vysotskyi
-
-URL: https://www.elastic.co/licensing/elastic-license
-
-## Acceptance
-
-By using the software, you agree to all of the terms and conditions below.
-
-## Copyright License
-
-The licensor grants you a non-exclusive, royalty-free, worldwide,
-non-sublicensable, non-transferable license to use, copy, distribute, make
-available, and prepare derivative works of the software, in each case subject
-to the limitations and conditions below.
-
-## Limitations
-
-You may not provide the software to third parties as a hosted or managed
-service, where the service provides users with access to any substantial set
-of the features or functionality of the software.
-
-You may not alter, remove, or obscure any licensing, copyright, or other
-notices of the licensor in the software. Any use of the licensor's trademarks
-is subject to applicable law.
-
-## Ethical Use Restrictions
-
-In addition to the limitations above, you may NOT use, deploy, integrate, or
-incorporate this software (in whole or in part, directly or indirectly) in any
-of the following contexts:
-
-### 1. Military and Warfare
-
-(a) Military operations, including but not limited to combat planning,
-    logistics of armed conflict, targeting, and battlefield management.
-(b) Development, production, testing, maintenance, or deployment of weapons,
-    weapons systems, munitions, or military-grade equipment.
-(c) Military intelligence gathering or military reconnaissance.
-
-### 2. Violence and Harm
-
-(a) Any project, product, or service whose purpose or foreseeable effect is to
-    facilitate, promote, or cause physical violence against individuals or
-    groups.
-(b) Development or operation of autonomous systems designed to cause physical
-    harm to persons.
-
-### 3. Surveillance
-
-(a) Mass surveillance of populations, including but not limited to: collection,
-    aggregation, or analysis of personal data of individuals without their
-    informed, voluntary consent and without lawful authority.
-(b) Social scoring systems that rank, classify, or restrict individuals' rights
-    or access to services based on aggregated behavioral data.
-(c) Facial recognition or biometric identification systems used for tracking
-    individuals without their explicit consent.
-
-### 4. Discrimination and Oppression
-
-(a) Any use that facilitates discrimination, oppression, or persecution of
-    individuals or groups based on race, ethnicity, national origin, religion,
-    gender, sexual orientation, disability, or political opinion.
-(b) Any use in systems designed to suppress freedom of expression, freedom of
-    assembly, or freedom of the press.
-
-## Ethical Restrictions Apply to Derivative Works
-
-Any derivative work based on this software, in whole or in part, must retain
-and be subject to the Ethical Use Restrictions set forth above. You may not
-re-license, sublicense, or otherwise distribute derivative works under terms
-that remove, weaken, or circumvent these restrictions.
-
-## Clarifications
-
-- Use by civilian government agencies for non-military, non-surveillance
-  purposes (e.g., healthcare, education, public infrastructure) is permitted.
-- Use by medical or humanitarian organizations, including those operating in
-  conflict zones for the purpose of saving lives, is permitted.
-- Security research, defensive cybersecurity, and lawful penetration testing
-  are permitted.
-- Standard business analytics and application monitoring that process only
-  aggregated, anonymized data are not considered surveillance.
-- Law enforcement use is permitted only where it does not conflict with the
-  Ethical Use Restrictions above.
-
-## Notices
-
-You must ensure that anyone who gets a copy of any part of the software from
-you also gets a copy of these terms.
-
-If you modify the software, you must include in any modified copies of the
-software prominent notices stating that you have modified the software.
-
-## No Other Rights
-
-These terms do not imply any licenses other than those expressly granted in
-these terms.
-
-## Termination
-
-If you use the software in violation of these terms, such use is not licensed,
-and your licenses will automatically terminate. If the licensor provides you
-with a notice of your violation, and you cease all violation of these terms no
-later than 30 days after you receive that notice, your licenses will be
-reinstated retroactively. However, if you violate these terms after such
-reinstatement, any additional violation of these terms will cause your licenses
-to terminate automatically and permanently.
-
-## No Liability
-
-As far as the law allows, the software comes as is, without any warranty or
-condition, and the licensor will not be liable to you for any damages arising
-out of these terms or the use or nature of the software, under any kind of
-legal claim.
-
-## Definitions
-
-The **licensor** is the entity offering these terms, and the **software** is
-the software the licensor makes available under these terms, including any
-portion of it.
-
-**you** refers to the individual or entity agreeing to these terms, including
-any legal entity, sole proprietorship, or other organization that you work for,
-plus all organizations that have control over, are under the control of, or are
-under common control with that organization. **control** means ownership of
-substantially all the assets of an entity, or the power to direct its
-management and policies by vote, contract, or otherwise. Control can be direct
-or indirect.
-
-**your licenses** are all the licenses granted to you for the software under
-these terms.
-
-**use** means anything you do with the software requiring one of your licenses.
-
-**trademark** means trademarks, service marks, and similar rights.
+MIT License
+
+Copyright (c) 2026 Nikolai Vysotskyi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -4,6 +4,13 @@
 
 <h1 align="center">trace-mcp</h1>
 
+<p align="center">
+  <a href="https://glama.ai/mcp/servers/nikolai-vysotskyi/trace-mcp"><img src="https://glama.ai/mcp/servers/nikolai-vysotskyi/trace-mcp/badges/score.svg" alt="Glama score" /></a>
+  <a href="https://www.npmjs.com/package/trace-mcp"><img src="https://img.shields.io/npm/v/trace-mcp" alt="npm version" /></a>
+  <img src="https://img.shields.io/node/v/trace-mcp" alt="Node.js version" />
+  <a href="LICENSE"><img src="https://img.shields.io/badge/license-MIT-blue" alt="License" /></a>
+</p>
+
 <p align="center">
   <strong>Framework-aware code intelligence MCP server — 14 frameworks, 7 ORMs, 12 UI libraries, 20+ other integrations (53 total) across 68 languages. Up to 99% token reduction.</strong>
 </p>
@@ -23,7 +30,7 @@
 | "What did we discuss about GraphQL last month?" | Verbatim conversation fragments with file references | `search_sessions` — FTS5 search across all past session content |
 | "Show me the request flow from URL to rendered page" | Route → Middleware → Controller → Service → View with prop mapping | `get_request_flow` — framework-aware edge traversal |
 | "Find all untested code in this module" | Symbols classified as "unreached" or "imported but never called in tests" | `get_untested_symbols` — test-to-source mapping |
-| "What's the impact of this API change on other services?" | Cross-federation client calls with confidence scores | `get_federation_impact` — topology graph traversal |
+| "What's the impact of this API change on other services?" | Cross-subproject client calls with confidence scores | `get_subproject_impact` — topology graph traversal |
 | "Orient me — I just opened this project" | Project identity + active decisions + memory stats in ~300 tokens | `get_wake_up` — layered context assembly |
 
 **Three things no other tool does:**
@@ -79,7 +86,7 @@ Tools that help AI agents read code with fewer tokens — AST parsing, outlines,
 | Call graph | ✅ bidirectional, graph-based | ❌ | ❌ | ❌ | ✅ AST-based, bidirectional | ✅ trace_call_path | ✅ refs/importers |
 | Refactoring tools | ✅ rename, extract, dead code, codemod | ❌ | ❌ | ❌ | ❌ (dead code detect only) | ❌ | ❌ |
 | Security scanning | ✅ OWASP Top-10, taint | ✅ Secretlint | ❌ | ❌ | ❌ | ❌ | ❌ |
-| Multi-repo federation | ✅ cross-repo API linking | ✅ remote repos | ❌ | ❌ | ✅ GitHub repos | ❌ | ❌ |
+| Multi-repo subprojects | ✅ cross-repo API linking | ✅ remote repos | ❌ | ❌ | ✅ GitHub repos | ❌ | ❌ |
 | Session memory | ✅ built-in | ❌ | ✅ SQLite journal | ❌ | ✅ index persistence | ✅ persistent graph | ❌ |
 | Written in | TypeScript | TypeScript | TypeScript | Python | Python | C | Go |
 
@@ -97,7 +104,7 @@ Tools that persist context across AI agent sessions — activity logs, knowledge
 | Auto-extraction from sessions | ✅ pattern-based (0 LLM calls) | ✅ via hooks | ✅ AI-compressed | ❌ | ❌ | ❌ |
 | Wake-up context | ✅ ~300 tok (code-linked decisions) | ✅ ~170 tok (AAAK) | ❌ | ❌ | ❌ | ❌ |
 | Decision enrichment in tools | ✅ impact/plan_turn/resume | ❌ standalone | ❌ | ❌ | ❌ | ❌ |
-| Service/federation scoping | ✅ decisions per service | ✅ wings per project | ❌ | ❌ | ❌ | ❌ |
+| Service/subproject scoping | ✅ decisions per service | ✅ wings per project | ❌ | ❌ | ❌ | ❌ |
 | Token usage analytics | ✅ per-tool cost breakdown | ❌ | partial | ❌ | ❌ | ❌ |
 | Code intelligence included | ✅ 130+ tools | ❌ | ❌ | ❌ | ❌ | ❌ |
 | Works as standalone memory | ❌ code-focused | ✅ general-purpose | ❌ Claude-specific | ✅ agent-agnostic | ✅ agent-agnostic | ✅ project-scoped |
@@ -137,7 +144,7 @@ _¹ mcp-local-rag and knowledge-rag are document RAG tools (PDF, DOCX, Markdown)
 | MCP tools | 120+ | ~35 | ~15 | ~20 | ~25 | 90 | 139 |
 | Session memory | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ |
 | CI/PR reports | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
-| Multi-repo federation | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
+| Multi-repo subprojects | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
 | Security scanning | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ |
 | Refactoring tools | ✅ | ✅ rename, symbol editing | ❌ | ❌ | ❌ | ❌ | ❌ |
 | Architecture governance | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ |
@@ -221,7 +228,8 @@ trace-mcp benchmark /path/to/project
 - **Call graph & DI tree** — bidirectional call graphs with 4-tier resolution confidence, optional LSP enrichment for compiler-grade accuracy, NestJS dependency injection
 - **ORM model context** — relationships, schema, metadata for 7 ORMs
 - **Dead code & test gap detection** — find untested exports/symbols (with "unreached" vs "imported_not_called" classification), dead code, per-symbol test reach in impact analysis
-- **Multi-service federation** — link graphs across services via API contracts; cross-service impact analysis; service-scoped decisions
+- **Security scanning & MCP server analysis** — OWASP Top-10 pattern scanning, taint analysis (source→sink data flow), MCP security context export for [skill-scan](https://github.com/kkdub/skill-scan) enrichment (tool annotations verification, capability classification, sensitive data flows)
+- **Multi-service subprojects** — link graphs across services via API contracts; cross-service impact analysis; service-scoped decisions
 - **AI-powered analysis** — semantic search with zero-config local ONNX embeddings (no API keys needed), plus optional LLM summarization via Ollama/OpenAI
 
 ### Supported stack
@@ -329,7 +337,7 @@ All trace-mcp state is centralized:
 ~/.trace-mcp/
   .config.json              # global config + per-project settings
   registry.json             # registered projects
-  topology.db               # cross-service topology + federation graph
+  topology.db               # cross-service topology + subproject graph
   decisions.db              # decision memory + session content (cross-session knowledge graph)
   index/
     my-app-a1b2c3d4e5f6.db  # per-project databases (named by project + hash)
@@ -552,7 +560,7 @@ query_decisions(include_invalidated=true)       → full history
 
 ### Service scoping
 
-In projects with multiple services (federations), decisions can be scoped:
+In projects with multiple services (subprojects), decisions can be scoped:
 
 ```
 add_decision(title="Use JWT", service_name="auth-api")
@@ -564,67 +572,69 @@ query_decisions()                              → all project decisions
 
 ---
 
-## Federation
+## Subprojects
+
+A **subproject** is any working repository that is part of your project's ecosystem: microservices, frontends, backends, shared libraries, CLI tools, etc.
 
-A **federation** (= service) is an individual microservice or service root within a project — frontend, backend, parser, etc. Each directory with its own root marker (`package.json`, `composer.json`, `go.mod`, etc.) is a federation. A project contains one or more federations; the project itself is not a federation.
+Each directory with its own root marker (`package.json`, `composer.json`, `go.mod`, etc.) is a subproject. A project contains one or more subprojects; the project itself is not a subproject.
 
-trace-mcp **links dependency graphs across federations** — if federation A calls an API endpoint in federation B, trace-mcp knows that changing that endpoint in B breaks clients in A. Federations can live inside the project directory or be added from outside.
+trace-mcp **links dependency graphs across subprojects** — if subproject A calls an API endpoint in subproject B, trace-mcp knows that changing that endpoint in B breaks clients in A. Subprojects can live inside the project directory or be added from outside.
 
 ### How it works
 
-Federation is **automatic by default**. Every time a project is indexed (`serve`, `serve-http`, or `index`), trace-mcp:
+Subproject discovery is **automatic by default**. Every time a project is indexed (`serve`, `serve-http`, or `index`), trace-mcp:
 
-1. **Detects federations** within the project root:
+1. **Detects subprojects** within the project root:
    - **Docker Compose** — parses `docker-compose.yml` / `compose.yml`
    - **Flat workspace** — first-level subdirs with root markers (e.g. `project/frontend/` + `project/backend/`)
    - **Grouped workspace** — two-level structure (e.g. `project/org/service-a/`)
-   - **Monolith fallback** — treats root as a single federation
-2. **Registers** each federation bound to the project in `~/.trace-mcp/topology.db`
+   - **Monolith fallback** — treats root as a single subproject
+2. **Registers** each subproject bound to the project in `~/.trace-mcp/topology.db`
 3. **Parses** API contracts — OpenAPI/Swagger, GraphQL SDL, Protobuf/gRPC
 4. **Scans** code for HTTP client calls (fetch, axios, Http::, requests, http.Get, gRPC stubs, GraphQL operations)
-5. **Links** discovered calls to known endpoints from other federations
-6. **Creates** cross-federation dependency edges
+5. **Links** discovered calls to known endpoints from other subprojects
+6. **Creates** cross-subproject dependency edges
 
 ### Example
 
 ```bash
-# Index a project — federations are auto-detected
+# Index a project — subprojects are auto-detected
 cd ~/projects/my-app && trace-mcp add
 # → auto-detects: my-app/user-service (has openapi.yaml)
 # →               my-app/order-service (has axios.get('/api/users/{id}'))
 # → links order-service → user-service via /api/users/{id}
 
-# Or add an external federation manually
-trace-mcp federation add --repo=~/projects/external-auth --project=~/projects/my-app
+# Or add an external subproject manually
+trace-mcp subproject add --repo=~/projects/external-auth --project=~/projects/my-app
 
-# Check cross-federation impact
-trace-mcp federation impact --endpoint=/api/users
-# → "GET /api/users/{id} is called by 2 client(s) in 1 federation(s)"
+# Check cross-subproject impact
+trace-mcp subproject impact --endpoint=/api/users
+# → "GET /api/users/{id} is called by 2 client(s) in 1 subproject(s)"
 #   [order-service] src/services/user-client.ts:42 (axios, confidence: 85%)
 ```
 
-### Federation CLI
+### Subproject CLI
 
 ```bash
-# Add a federation (inside or outside project dir)
-trace-mcp federation add --repo=../service-b --project=. [--contract=openapi.yaml] [--name=my-service]
-trace-mcp federation remove <name-or-path>
-trace-mcp federation list [--project=.] [--json]
-trace-mcp federation sync           # re-scan all federations
-trace-mcp federation impact --endpoint=/api/users [--method=GET] [--service=user-svc]
+# Add a subproject (inside or outside project dir)
+trace-mcp subproject add --repo=../service-b --project=. [--contract=openapi.yaml] [--name=my-service]
+trace-mcp subproject remove <name-or-path>
+trace-mcp subproject list [--project=.] [--json]
+trace-mcp subproject sync           # re-scan all subprojects
+trace-mcp subproject impact --endpoint=/api/users [--method=GET] [--service=user-svc]
 ```
 
 ### MCP tools
 
 | Tool | What it does |
 |---|---|
-| `get_federation_graph` | All federations, their connections, and stats |
-| `get_federation_impact` | Cross-federation impact: what breaks if endpoint X changes (resolves to symbol level) |
-| `get_federation_clients` | Find all client calls across federations that call a specific endpoint |
-| `federation_add_repo` | Add a federation via MCP (bound to current project, or specify `project`) |
-| `federation_sync` | Re-scan all federations |
+| `get_subproject_graph` | All subprojects, their connections, and stats |
+| `get_subproject_impact` | Cross-subproject impact: what breaks if endpoint X changes (resolves to symbol level) |
+| `get_subproject_clients` | Find all client calls across subprojects that call a specific endpoint |
+| `subproject_add_repo` | Add a subproject via MCP (bound to current project, or specify `project`) |
+| `subproject_sync` | Re-scan all subprojects |
 
-> Federation builds on top of the topology system. See [Configuration](docs/configuration.md#topology--federation) for options.
+> Subproject management builds on top of the topology system. See [Configuration](docs/configuration.md#topology--subprojects) for options.
 
 ---
 
@@ -702,7 +712,7 @@ The full workflow is in [`.github/workflows/ci.yml`](.github/workflows/ci.yml)
 
 ## License
 
-[Elastic License 2.0 + Ethical Use Addendum](LICENSE) — free for personal and internal use. See LICENSE for full terms.
+[MIT](LICENSE)
 
 ---