trapic-mcp 0.1.0

package/bin/trapic-mcp.mjs

@@ -0,0 +1,902 @@
+#!/usr/bin/env node
+import { fileURLToPath } from "url";
+import { dirname, resolve, join } from "path";
+import { readFile, writeFile, access, mkdir } from "fs/promises";
+import { createInterface } from "readline/promises";
+import { homedir } from "os";
+import { appendFileSync, mkdirSync } from "fs";
+
+// Immediate boot log — written before anything else runs
+try {
+  const logDir = join(homedir(), ".trapic-mcp");
+  mkdirSync(logDir, { recursive: true });
+  appendFileSync(join(logDir, "boot.log"),
+    `${new Date().toISOString()} BOOT pid=${process.pid} argv=${JSON.stringify(process.argv)} TRAPIC_TOKEN=${process.env.TRAPIC_TOKEN ? process.env.TRAPIC_TOKEN.slice(0,8)+"..." : "UNSET"}\n`
+  );
+} catch(e) { /* ignore */ }
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const CLAUDE_MD_CONTENT = `# Trapic MCP
+
+## Auto-Trace
+
+When the trapic-mcp MCP server is connected, automatically call \`trace_create\` to record important knowledge during conversations:
+
+**When to create traces:**
+- Decisions made (e.g. "chose Vite over Next.js for static deployment")
+- Problems discovered and their root causes
+- Architecture or design conclusions
+- Bug fixes and why they worked
+- Important user preferences or project constraints learned
+
+**How to create traces:**
+- \`claim\`: One clear sentence describing what happened or was decided
+- \`reason\`: Why this decision was made or what caused it
+- \`tags\`: **Always include the current project directory name as the first tag**, then add relevant tags (technology, category)
+- \`confidence\`: "high" for verified facts, "medium" for likely conclusions, "low" for hypotheses
+- \`source\`: "session" for conversation-derived traces
+
+**When NOT to create traces:**
+- Trivial operations (reading files, listing directories)
+- Intermediate steps that don't produce conclusions
+- Information already recorded in a previous trace
+
+Keep traces minimal and high-signal. Quality over quantity.
+
+**After creating a trace:**
+- Do NOT announce or summarize the trace to the user
+- Silently continue the conversation as if nothing happened
+- Traces are background knowledge capture, not user-facing actions
+`;
+
+const DEFAULT_URL = "https://mcp.trapic.ai/mcp";
+const CRED_DIR = join(homedir(), ".trapic-mcp");
+const CRED_FILE = join(CRED_DIR, "credentials.json");
+
+// ── Helpers ──────────────────────────────────────────────────────────────────
+
+async function fileExists(path) {
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function readJson(path) {
+  const raw = await readFile(path, "utf-8");
+  return JSON.parse(raw);
+}
+
+async function writeJson(path, data) {
+  await writeFile(path, JSON.stringify(data, null, 2) + "\n", "utf-8");
+}
+
+function baseUrl(mcpUrl) {
+  return mcpUrl.replace(/\/mcp$/, "");
+}
+
+// ── Credentials ──────────────────────────────────────────────────────────────
+
+async function loadCredentials() {
+  if (await fileExists(CRED_FILE)) {
+    try {
+      return await readJson(CRED_FILE);
+    } catch {}
+  }
+  return null;
+}
+
+async function saveCredentials(data) {
+  await mkdir(CRED_DIR, { recursive: true });
+  await writeJson(CRED_FILE, data);
+}
+
+async function clearCredentials() {
+  if (await fileExists(CRED_FILE)) {
+    await writeFile(CRED_FILE, "{}\n", "utf-8");
+  }
+}
+
+/**
+ * Load config from: credentials file → .mcp.json → ~/.claude/settings.json
+ */
+async function loadConfig() {
+  // Try CLI credentials first
+  const creds = await loadCredentials();
+  if (creds?.url && creds?.token) {
+    return { url: creds.url, token: creds.token };
+  }
+
+  // Try project-level .mcp.json
+  const projectPath = resolve(process.cwd(), ".mcp.json");
+  if (await fileExists(projectPath)) {
+    try {
+      const cfg = await readJson(projectPath);
+      const entry = cfg?.mcpServers?.["trapic-mcp"];
+      if (entry) {
+        const url = entry.url;
+        const authHeader = entry.headers?.Authorization || "";
+        const token = authHeader.replace(/^Bearer\s+/i, "");
+        if (url && token) return { url, token };
+      }
+    } catch {}
+  }
+
+  // Try global ~/.claude/settings.json
+  const globalPath = join(homedir(), ".claude", "settings.json");
+  if (await fileExists(globalPath)) {
+    try {
+      const cfg = await readJson(globalPath);
+      const entry = cfg?.mcpServers?.["trapic-mcp"];
+      if (entry) {
+        const url = entry.url;
+        const authHeader = entry.headers?.Authorization || "";
+        const token = authHeader.replace(/^Bearer\s+/i, "");
+        if (url && token) return { url, token };
+      }
+    } catch {}
+  }
+
+  return null;
+}
+
+/**
+ * Require config or exit with error.
+ */
+async function requireConfig() {
+  const config = await loadConfig();
+  if (!config) {
+    console.error("Not logged in. Run 'trapic-mcp login' first.");
+    process.exit(1);
+  }
+  return config;
+}
+
+// ── Password input ───────────────────────────────────────────────────────────
+
+function readPassword(prompt) {
+  return new Promise((resolve) => {
+    process.stdout.write(prompt);
+    if (!process.stdin.isTTY) {
+      // Non-interactive: read line normally
+      const rl = createInterface({ input: process.stdin, output: process.stdout });
+      rl.question("").then((answer) => {
+        rl.close();
+        resolve(answer);
+      });
+      return;
+    }
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf-8");
+    let password = "";
+    const onData = (char) => {
+      if (char === "\n" || char === "\r" || char === "\u0004") {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener("data", onData);
+        process.stdout.write("\n");
+        resolve(password);
+      } else if (char === "\u0003") {
+        process.stdin.setRawMode(false);
+        process.stdout.write("\n");
+        process.exit(0);
+      } else if (char === "\u007F" || char === "\b") {
+        if (password.length > 0) {
+          password = password.slice(0, -1);
+          process.stdout.write("\b \b");
+        }
+      } else {
+        password += char;
+        process.stdout.write("*");
+      }
+    };
+    process.stdin.on("data", onData);
+  });
+}
+
+// ── HTTP helpers ─────────────────────────────────────────────────────────────
+
+async function authRequest(method, path, token, body = null) {
+  const config = token
+    ? { url: path, token }
+    : await requireConfig();
+
+  if (!token) {
+    const base = baseUrl(config.url);
+    path = `${base}${path}`;
+    token = config.token;
+  }
+
+  const opts = {
+    method,
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`,
+    },
+  };
+  if (body) opts.body = JSON.stringify(body);
+
+  const res = await fetch(path, opts);
+  const data = await res.json();
+  if (!res.ok) {
+    throw new Error(data.error || `HTTP ${res.status}`);
+  }
+  return data;
+}
+
+/**
+ * Send an MCP JSON-RPC request (initialize + tool call).
+ */
+async function mcpToolCall(toolName, toolArgs = {}) {
+  const config = await requireConfig();
+  const { url, token } = config;
+
+  const rpc = (method, params, id) =>
+    fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`,
+      },
+      body: JSON.stringify({ jsonrpc: "2.0", id, method, params }),
+    }).then((r) => r.json());
+
+  // Initialize session
+  await rpc(
+    "initialize",
+    {
+      protocolVersion: "2025-03-26",
+      capabilities: {},
+      clientInfo: { name: "trapic-mcp-cli", version: "1.0.0" },
+    },
+    1
+  );
+
+  // Call tool
+  const result = await rpc(
+    "tools/call",
+    { name: toolName, arguments: toolArgs },
+    2
+  );
+
+  const content = result?.result?.content;
+  if (!content?.length) return null;
+
+  const textBlock = content.find((c) => c.type === "text");
+  if (!textBlock) return null;
+
+  try {
+    return JSON.parse(textBlock.text);
+  } catch {
+    return textBlock.text;
+  }
+}
+
+// ── Formatting helpers ───────────────────────────────────────────────────────
+
+function fmtDate(iso) {
+  if (!iso) return "—";
+  return new Date(iso).toLocaleDateString("en-CA"); // YYYY-MM-DD
+}
+
+function fmtRelative(iso) {
+  if (!iso) return "never";
+  const diff = Date.now() - new Date(iso).getTime();
+  const mins = Math.floor(diff / 60000);
+  if (mins < 1) return "just now";
+  if (mins < 60) return `${mins}m ago`;
+  const hours = Math.floor(mins / 60);
+  if (hours < 24) return `${hours}h ago`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ago`;
+}
+
+function truncate(str, max = 60) {
+  if (!str || str.length <= max) return str || "";
+  return str.slice(0, max - 1) + "…";
+}
+
+// ── Commands ─────────────────────────────────────────────────────────────────
+
+async function cmdServe() {
+  // Debug log file
+  const debugLog = join(homedir(), ".trapic-mcp", "debug.log");
+  await mkdir(dirname(debugLog), { recursive: true }).catch(() => {});
+  const logMsg = (msg) => {
+    const ts = new Date().toISOString();
+    writeFile(debugLog, `${ts} ${msg}\n`, { flag: "a" }).catch(() => {});
+    process.stderr.write(`[trapic-mcp] ${msg}\n`);
+  };
+
+  // Load token from env or credentials file
+  const token = process.env.TRAPIC_TOKEN || (await loadConfig())?.token;
+  const url = process.env.TRAPIC_URL || (await loadConfig())?.url || DEFAULT_URL;
+
+  logMsg(`serve mode starting, url=${url}, token=${token ? token.slice(0, 8) + "..." : "NONE"}`);
+  logMsg(`TRAPIC_TOKEN env: ${process.env.TRAPIC_TOKEN ? process.env.TRAPIC_TOKEN.slice(0, 8) + "..." : "UNSET"}`);
+
+  if (!token) {
+    process.stderr.write(
+      "Error: No auth token found.\n" +
+      "Set TRAPIC_TOKEN env var or run 'npx trapic-mcp login' first.\n"
+    );
+    process.exit(1);
+  }
+
+  // Stdio proxy: read JSON-RPC from stdin, forward to remote server, write to stdout
+  const rl = createInterface({ input: process.stdin });
+  let sessionId = null;
+
+  rl.on("line", async (line) => {
+    if (!line.trim()) return;
+    try {
+      const message = JSON.parse(line);
+      logMsg(`→ ${message.method || "response"} (id=${message.id})`);
+      const headers = {
+        "Content-Type": "application/json",
+        "Accept": "application/json, text/event-stream",
+        "Authorization": `Bearer ${token}`,
+      };
+      if (sessionId) headers["mcp-session-id"] = sessionId;
+
+      logMsg(`→ sending to ${url} with auth=${token.slice(0,8)}...`);
+      const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(message),
+      });
+
+      const newSessionId = res.headers.get("mcp-session-id");
+      if (newSessionId) sessionId = newSessionId;
+
+      logMsg(`← status=${res.status} content-type=${res.headers.get("content-type")}`);
+      const contentType = res.headers.get("content-type") || "";
+      if (contentType.includes("text/event-stream")) {
+        const text = await res.text();
+        logMsg(`← SSE body: ${text.slice(0, 300)}`);
+        for (const chunk of text.split("\n")) {
+          if (chunk.startsWith("data: ") && chunk.slice(6).trim()) {
+            process.stdout.write(chunk.slice(6) + "\n");
+          }
+        }
+      } else {
+        const json = await res.json();
+        logMsg(`← JSON response: ${JSON.stringify(json).slice(0, 300)}`);
+        process.stdout.write(JSON.stringify(json) + "\n");
+      }
+    } catch (err) {
+      logMsg(`Proxy error: ${err.message}\n${err.stack}`);
+    }
+  });
+}
+
+async function cmdServeDev() {
+  await import(resolve(__dirname, "../dist/index.js"));
+}
+
+async function cmdLogin() {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+
+  try {
+    const serverUrl =
+      (await rl.question(`Server URL [${DEFAULT_URL}]: `)).trim() || DEFAULT_URL;
+    const email = (await rl.question("Email: ")).trim();
+
+    if (!email) {
+      console.error("Error: Email is required.");
+      process.exit(1);
+    }
+
+    // Close readline before raw-mode password input
+    rl.close();
+    const password = await readPassword("Password: ");
+
+    if (!password) {
+      console.error("Error: Password is required.");
+      process.exit(1);
+    }
+
+    const base = baseUrl(serverUrl);
+    console.log("\nLogging in...");
+
+    const res = await fetch(`${base}/auth/login`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email, password }),
+    });
+
+    const data = await res.json();
+    if (!res.ok) {
+      console.error(`Login failed: ${data.error}`);
+      process.exit(1);
+    }
+
+    // Save CLI credentials
+    const mcpUrl = serverUrl.endsWith("/mcp") ? serverUrl : `${serverUrl}/mcp`;
+    await saveCredentials({ url: mcpUrl, token: data.token, email: data.user.email });
+    console.log(`Logged in as ${data.user.email}`);
+    console.log(`Credentials saved to ${CRED_FILE}`);
+
+    // Configure Claude Code integration
+    const rl2 = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+      const setupClaude = (
+        await rl2.question("\nConfigure for Claude Code? [Y/n]: ")
+      ).trim().toLowerCase();
+
+      if (setupClaude !== "n" && setupClaude !== "no") {
+        const scope = (
+          await rl2.question("Scope — global or project? [global]: ")
+        ).trim().toLowerCase();
+
+        const mcpEntry = {
+          command: "npx",
+          args: ["-y", "trapic-mcp"],
+          env: { TRAPIC_TOKEN: data.token },
+        };
+
+        if (scope === "project") {
+          const mcpJsonPath = resolve(process.cwd(), ".mcp.json");
+          let config = {};
+          if (await fileExists(mcpJsonPath)) {
+            try { config = await readJson(mcpJsonPath); } catch {}
+          }
+          if (!config.mcpServers) config.mcpServers = {};
+          config.mcpServers["trapic"] = mcpEntry;
+          await writeJson(mcpJsonPath, config);
+          console.log(`Wrote to ${mcpJsonPath}`);
+        } else {
+          const claudeDir = join(homedir(), ".claude");
+          await mkdir(claudeDir, { recursive: true });
+          const mcpJsonPath = join(claudeDir, "mcp.json");
+          let mcpConfig = {};
+          if (await fileExists(mcpJsonPath)) {
+            try { mcpConfig = await readJson(mcpJsonPath); } catch {}
+          }
+          if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+          mcpConfig.mcpServers["trapic"] = mcpEntry;
+          await writeJson(mcpJsonPath, mcpConfig);
+          console.log(`Wrote to ${mcpJsonPath}`);
+        }
+
+        // Generate CLAUDE.md if missing
+        const claudeMdPath = resolve(process.cwd(), "CLAUDE.md");
+        if (!(await fileExists(claudeMdPath))) {
+          await writeFile(claudeMdPath, CLAUDE_MD_CONTENT, "utf-8");
+          console.log(`Generated ${claudeMdPath}`);
+        }
+      }
+    } finally {
+      rl2.close();
+    }
+
+    console.log("\nDone! Run 'trapic-mcp whoami' to verify.");
+  } catch (err) {
+    if (err.code !== "ERR_USE_AFTER_CLOSE") {
+      console.error(`Error: ${err.message}`);
+      process.exit(1);
+    }
+  }
+}
+
+async function cmdLogout() {
+  const config = await loadConfig();
+  if (!config) {
+    console.log("Not logged in.");
+    return;
+  }
+
+  try {
+    const base = baseUrl(config.url);
+    await fetch(`${base}/auth/logout`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${config.token}`,
+      },
+    });
+    console.log("Token revoked on server.");
+  } catch (err) {
+    console.error(`Warning: Could not revoke token on server: ${err.message}`);
+  }
+
+  // Clear local credentials
+  await clearCredentials();
+
+  // Clean up .mcp.json
+  const mcpJsonPath = resolve(process.cwd(), ".mcp.json");
+  if (await fileExists(mcpJsonPath)) {
+    try {
+      const cfg = await readJson(mcpJsonPath);
+      const key = cfg?.mcpServers?.["trapic"] ? "trapic" : "trapic-mcp";
+      if (cfg?.mcpServers?.[key]) {
+        delete cfg.mcpServers[key];
+        await writeJson(mcpJsonPath, cfg);
+        console.log(`Removed ${key} from ${mcpJsonPath}`);
+      }
+    } catch {}
+  }
+
+  // Clean up ~/.claude/mcp.json
+  const claudeMcpPath = join(homedir(), ".claude", "mcp.json");
+  if (await fileExists(claudeMcpPath)) {
+    try {
+      const cfg = await readJson(claudeMcpPath);
+      const key = cfg?.mcpServers?.["trapic"] ? "trapic" : "trapic-mcp";
+      if (cfg?.mcpServers?.[key]) {
+        delete cfg.mcpServers[key];
+        await writeJson(claudeMcpPath, cfg);
+        console.log(`Removed ${key} from ${claudeMcpPath}`);
+      }
+    } catch {}
+  }
+
+  console.log("Logged out.");
+}
+
+async function cmdWhoami() {
+  const config = await requireConfig();
+  const base = baseUrl(config.url);
+
+  try {
+    const data = await authRequest("GET", `${base}/auth/whoami`, config.token);
+
+    console.log(`User:    ${data.user.email}`);
+    console.log(`ID:      ${data.user.id}`);
+    console.log(`Joined:  ${fmtDate(data.user.created_at)}`);
+    console.log();
+    if (data.token) {
+      console.log(`Token:   ${data.token.token_prefix}*** (${data.token.name})`);
+      console.log(`Created: ${fmtDate(data.token.created_at)}`);
+      console.log(`Used:    ${fmtRelative(data.token.last_used_at)}`);
+    }
+    if (data.stats) {
+      console.log();
+      console.log(`Active traces: ${data.stats.active_traces}`);
+    }
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+async function cmdInit() {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+
+  try {
+    const url = (await rl.question(`MCP server URL [${DEFAULT_URL}]: `)).trim() || DEFAULT_URL;
+    const token = (await rl.question("API token (tr_xxx): ")).trim();
+
+    if (!token) {
+      console.error("Error: API token is required.");
+      process.exit(1);
+    }
+
+    const scopeFlags = process.argv.slice(3);
+    let scope = "project";
+    if (scopeFlags.includes("--global")) scope = "global";
+    if (scopeFlags.includes("--project")) scope = "project";
+
+    if (!scopeFlags.includes("--global") && !scopeFlags.includes("--project")) {
+      const answer = (
+        await rl.question(
+          "Scope — global (~/.claude/settings.json) or project (.mcp.json)? [project]: "
+        )
+      ).trim().toLowerCase();
+      if (answer === "global") scope = "global";
+    }
+
+    const mcpEntry = {
+      command: "npx",
+      args: ["-y", "trapic-mcp"],
+      env: { TRAPIC_TOKEN: token },
+    };
+
+    if (scope === "global") {
+      const claudeDir = join(homedir(), ".claude");
+      await mkdir(claudeDir, { recursive: true });
+      const mcpJsonPath = join(claudeDir, "mcp.json");
+      let mcpConfig = {};
+      if (await fileExists(mcpJsonPath)) {
+        try { mcpConfig = await readJson(mcpJsonPath); } catch {}
+      }
+      if (!mcpConfig.mcpServers) mcpConfig.mcpServers = {};
+      mcpConfig.mcpServers["trapic"] = mcpEntry;
+      await writeJson(mcpJsonPath, mcpConfig);
+      console.log(`\nWrote trapic config to ${mcpJsonPath}`);
+    } else {
+      const mcpJsonPath = resolve(process.cwd(), ".mcp.json");
+      let config = {};
+      if (await fileExists(mcpJsonPath)) {
+        try { config = await readJson(mcpJsonPath); } catch {}
+      }
+      if (!config.mcpServers) config.mcpServers = {};
+      config.mcpServers["trapic"] = mcpEntry;
+      await writeJson(mcpJsonPath, config);
+      console.log(`\nWrote trapic config to ${mcpJsonPath}`);
+    }
+
+    const claudeMdPath = resolve(process.cwd(), "CLAUDE.md");
+    if (!(await fileExists(claudeMdPath))) {
+      await writeFile(claudeMdPath, CLAUDE_MD_CONTENT, "utf-8");
+      console.log(`Generated ${claudeMdPath} with auto-trace instructions.`);
+    } else {
+      console.log(`CLAUDE.md already exists — skipped generation.`);
+    }
+
+    // Also save to CLI credentials
+    const mcpUrl = url.endsWith("/mcp") ? url : `${url}/mcp`;
+    await saveCredentials({ url: mcpUrl, token });
+
+    console.log(`
+Setup complete! Next steps:
+  1. Start a Claude Code session in this project
+  2. The trapic-mcp server will connect automatically
+  3. Traces will be created as you work
+
+Run "trapic-mcp whoami" to verify the connection.
+`);
+  } finally {
+    rl.close();
+  }
+}
+
+async function cmdStatus() {
+  const config = await requireConfig();
+  console.log(`Server: ${config.url}\n`);
+
+  try {
+    const data = await mcpToolCall("trace_get_active", { limit: 5 });
+    if (!data) {
+      console.log("No active traces found.");
+      return;
+    }
+
+    const traceList = Array.isArray(data) ? data : data?.traces || data?.data || [];
+    const total = data?.total ?? data?.count ?? traceList.length;
+
+    console.log(`Active traces: ${total}`);
+    console.log("─".repeat(50));
+
+    if (traceList.length === 0) {
+      console.log("(no traces to display)");
+      return;
+    }
+
+    console.log("\nMost recent:");
+    for (const t of traceList.slice(0, 5)) {
+      console.log(`  ${fmtDate(t.created_at)}  ${truncate(t.claim || t.title || "(no claim)", 70)}`);
+    }
+    console.log();
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+async function cmdSearch(query) {
+  if (!query) {
+    console.error("Usage: trapic-mcp search <query>");
+    process.exit(1);
+  }
+
+  console.log(`Searching: "${query}"\n`);
+
+  try {
+    const data = await mcpToolCall("trace_search", { query, limit: 20 });
+    if (!data) {
+      console.log("No results found.");
+      return;
+    }
+
+    const traces = Array.isArray(data) ? data : data?.traces || data?.data || [];
+    if (traces.length === 0) {
+      console.log("No results found.");
+      return;
+    }
+
+    console.log(`Found ${traces.length} result(s):\n`);
+    for (const t of traces) {
+      const sim = t.similarity != null ? `[${t.similarity.toFixed(2)}]` : "";
+      const tags = t.tags?.length ? `[${t.tags.join(", ")}]` : "";
+      const conf = t.confidence || "";
+
+      console.log(`  ${sim.padEnd(7)} ${truncate(t.claim || "(no claim)", 65)}`);
+      console.log(`          ${tags} ${conf} | ${fmtDate(t.created_at)}`);
+      if (t.reason) {
+        console.log(`          ${truncate(t.reason, 70)}`);
+      }
+      console.log();
+    }
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+async function cmdList() {
+  const tagFlag = args.find((a) => a.startsWith("--tag="));
+  const tag = tagFlag ? tagFlag.split("=")[1] : undefined;
+  const limitFlag = args.find((a) => a.startsWith("--limit="));
+  const limit = limitFlag ? parseInt(limitFlag.split("=")[1]) : 20;
+
+  try {
+    const toolArgs = { limit };
+    if (tag) toolArgs.tags = [tag];
+
+    const data = await mcpToolCall("trace_get_active", toolArgs);
+    if (!data) {
+      console.log("No active traces.");
+      return;
+    }
+
+    const traces = Array.isArray(data) ? data : data?.traces || data?.data || [];
+    const total = data?.total ?? data?.count ?? traces.length;
+
+    console.log(`Active traces: ${total}${tag ? ` (tag: ${tag})` : ""}\n`);
+
+    if (traces.length === 0) {
+      console.log("(none)");
+      return;
+    }
+
+    for (const t of traces) {
+      const tags = t.tags?.length ? `[${t.tags.join(", ")}]` : "";
+      const conf = t.confidence ? t.confidence : "";
+      console.log(`  ${fmtDate(t.created_at)}  ${truncate(t.claim || "(no claim)", 60)}`);
+      console.log(`             ${tags} ${conf}`);
+      if (t.reason) {
+        console.log(`             ${truncate(t.reason, 65)}`);
+      }
+      console.log();
+    }
+  } catch (err) {
+    console.error(`Error: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+async function cmdToken(subcommand) {
+  const config = await requireConfig();
+  const base = baseUrl(config.url);
+
+  switch (subcommand) {
+    case "list":
+    case "ls":
+    case undefined: {
+      const data = await authRequest("GET", `${base}/auth/tokens`, config.token);
+      const tokens = data.tokens || [];
+
+      if (tokens.length === 0) {
+        console.log("No tokens.");
+        return;
+      }
+
+      console.log("API Tokens:\n");
+      for (const t of tokens) {
+        const current = t.is_current ? " ← current" : "";
+        const revoked = t.revoked_at ? " [revoked]" : "";
+        const used = t.last_used_at ? fmtRelative(t.last_used_at) : "never";
+
+        console.log(
+          `  ${t.token_prefix}***  ${(t.name || "").padEnd(12)} Created: ${fmtDate(t.created_at)}  Used: ${used}${current}${revoked}`
+        );
+      }
+      console.log();
+      break;
+    }
+
+    case "create": {
+      const name = args[2] || "default";
+      try {
+        const data = await authRequest(
+          "POST",
+          `${base}/auth/tokens/create`,
+          config.token,
+          { name }
+        );
+        console.log(`Token created: ${data.token}`);
+        console.log(`Name: ${data.name}`);
+        console.log(`\nSave this token — it won't be shown again.`);
+      } catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+      }
+      break;
+    }
+
+    case "revoke": {
+      const tokenId = args[2];
+      if (!tokenId) {
+        console.error("Usage: trapic-mcp token revoke <token-id>");
+        console.error("Run 'trapic-mcp token list' to see token IDs.");
+        process.exit(1);
+      }
+
+      try {
+        await authRequest("POST", `${base}/auth/tokens/revoke`, config.token, {
+          token_id: tokenId,
+        });
+        console.log(`Token ${tokenId} revoked.`);
+      } catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+      }
+      break;
+    }
+
+    default:
+      console.error(`Unknown token subcommand: ${subcommand}`);
+      console.error("Available: list, create [name], revoke <id>");
+      process.exit(1);
+  }
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────────
+
+const args = process.argv.slice(2);
+const command = args[0] || "serve";
+
+switch (command) {
+  case "serve":
+    await cmdServe();
+    break;
+  case "serve:dev":
+    await cmdServeDev();
+    break;
+  case "login":
+    await cmdLogin();
+    break;
+  case "logout":
+    await cmdLogout();
+    break;
+  case "whoami":
+    await cmdWhoami();
+    break;
+  case "init":
+    await cmdInit();
+    break;
+  case "status":
+    await cmdStatus();
+    break;
+  case "search":
+    await cmdSearch(args.slice(1).join(" "));
+    break;
+  case "list":
+  case "ls":
+    await cmdList();
+    break;
+  case "token":
+    await cmdToken(args[1]);
+    break;
+  default:
+    console.log(`trapic-mcp — CLI & MCP proxy for Trapic
+
+Usage:
+  trapic-mcp                     Start stdio proxy (for Claude Code)
+  trapic-mcp login               Login with email/password
+  trapic-mcp logout              Revoke token and clear credentials
+  trapic-mcp whoami              Show current user and token info
+  trapic-mcp init                Manual setup with token (--global | --project)
+  trapic-mcp status              Quick overview of active traces
+  trapic-mcp search <query>      Semantic search traces
+  trapic-mcp list [--tag=x]      List active traces (--limit=N)
+  trapic-mcp token list          List API tokens
+  trapic-mcp token create [name] Create new API token
+  trapic-mcp token revoke <id>   Revoke an API token
+  trapic-mcp serve:dev           Start local dev MCP server
+
+Environment:
+  TRAPIC_TOKEN                   API token (overrides credentials file)
+  TRAPIC_URL                     Server URL (default: ${DEFAULT_URL})
+`);
+    if (command !== "help" && command !== "--help" && command !== "-h") {
+      console.error(`Unknown command: ${command}`);
+      process.exit(1);
+    }
+    break;
+}