nxtrace
diff --git a/‎AGENTS.md‎
Lines changed: 45 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 78 additions & 6 deletions b/‎README.md‎
Lines changed: 78 additions & 6 deletions
diff --git a/‎README_zh_CN.md‎
Lines changed: 80 additions & 6 deletions b/‎README_zh_CN.md‎
Lines changed: 80 additions & 6 deletions
@@ -263,6 +263,47 @@
 - `server/trace_handler.go`：traceroute handler
 - `server/cache_handler.go`：缓存
 
+## Deploy WebUI / MCP / Agent Skill（2026-04 追加）
+
+- MCP 只属于完整版 `nexttrace`，`nexttrace-tiny` / `ntr` 不注册 WebUI/MCP flags。
+- `--mcp` 只能与 `--deploy` 同用；单独传 `--mcp` 必须报错。
+- `--deploy --mcp` 不提供 stdio MCP，只通过 deploy 网络服务在 `/mcp` 暴露 Streamable HTTP，使用官方 `github.com/modelcontextprotocol/go-sdk`。
+- `server.RunWithOptions(options, onReady)` 是 deploy 新入口；`server.Options` 包含 `ListenAddr`、`EnableMCP`、`AuthEnabled`、`DeployToken`。
+- deploy 鉴权规则：
+  - 监听 `127.0.0.1`、`::1`、`localhost` 默认免 token。
+  - 监听 `0.0.0.0`、`::`、非 loopback IP/host 时默认启用 token。
+  - 外网监听且用户未提供 token 时启动生成随机 token 并输出到 stdout。
+  - `--deploy-token` 优先于 `NEXTTRACE_DEPLOY_TOKEN`；手动 token 不回显。
+  - `AuthEnabled=true` 但 token 为空时必须 fail closed。
+  - WebUI 走 `/auth/login`，成功后写 HttpOnly cookie。
+  - API/MCP/WS 支持 `Authorization: Bearer <token>`、`X-NextTrace-Token` 和 cookie。
+  - 不支持 URL query token，尤其 WebSocket 不允许 query token。
+- auth middleware 覆盖 `/`、`/assets/*`、`/api/*`、`/ws/trace`、`/mcp`。
+- `/mcp` 不要用 `router.Any("/mcp")`，会与 Gin 的静态资源 wildcard `/*path` 冲突；当前只注册 `GET`、`POST`、`DELETE`。
+- MCP 与 Web 共用 `internal/service`，不要在 MCP tool 中拼 CLI 参数再反调 CLI。
+- MCP tool 输出以 `structuredContent` 为主；schema 要把参数状态分成 `supported`、`not_applicable`、`not_yet_supported`。
+- 当前 MCP tools：
+  - `nexttrace_capabilities`
+  - `nexttrace_traceroute`
+  - `nexttrace_mtr_report`
+  - `nexttrace_mtr_raw`
+  - `nexttrace_mtu_trace`
+  - `nexttrace_speed_test`
+  - `nexttrace_annotate_ips`
+  - `nexttrace_geo_lookup`
+  - `nexttrace_globalping_trace`
+  - `nexttrace_globalping_limits`
+  - `nexttrace_globalping_get_measurement`
+- Globalping MCP 使用 service 专用模型，不复用 CLI `--from` 的单结果输出模型；`nexttrace_globalping_trace` 应返回 `measurement_id`、`status`、`probes_count` 和按 probe 展开的 `results[]`。
+- Globalping MCP 当前支持 `target`、`locations[]`、`limit`、`protocol`、`port`、`packets`、`ip_version`；不支持本地 `source/dev/dot_server/packet_size/tos/ttl_interval`。
+- Repo Skill 位于 `skills/nexttrace/`，入口是 `skills/nexttrace/SKILL.md`；更新 MCP tool 或参数时必须同步 skill references。
+- deploy/MCP 相关回归建议至少覆盖：
+  - `go test ./...`
+  - `node --test server/web/assets/*.test.cjs`
+  - `go test -tags flavor_tiny ./cmd ./server`
+  - `go test -tags flavor_ntr ./cmd ./server`
+  - 本地 MCP smoke，traceroute 在 macOS 可显式传 `source_device`（例如 `en8`）。
+
 ## DoT 与 Geo DNS
 
 - `--dot-server` 不仅影响目标域名解析，也影响 GeoIP API / LeoMoe FastIP 的域名解析链路。
@@ -321,6 +362,10 @@
 - MTR TUI 颜色：`printer/mtr_tui_color.go`
 - WS handler：`server/ws_handler.go`（~449 行）
 - 前端：`server/web/assets/app.js`
+- deploy auth：`server/auth.go`
+- deploy MCP：`server/mcp.go`
+- Web/MCP 共享服务层：`internal/service/`
+- Repo Agent Skill：`skills/nexttrace/`
 - Geo DoT 解析：`util/dns_resolver.go`
 - Geo HTTP 客户端：`util/http_client_geo.go`
 - FastIP：`util/latency.go`
 
@@ -186,7 +186,7 @@ Starting from this release, NextTrace is published in **three flavors** under th
 | MTR wide (`-w`)       |         ✅         |        —         |      ✅      |
 | MTR raw (`--raw`)     |         ✅         |        —         |      ✅      |
 | Globalping (`--from`) |         ✅         |        —         |      —       |
-| WebUI (`--deploy`)    |         ✅         |        —         |      —       |
+| WebUI (`--deploy`) / MCP (`--deploy --mcp`) |        ✅         |        —         |      —       |
 | Fast Trace (`-F`)     |         ✅         |        ✅        |      —       |
 | Default mode          |     traceroute     |    traceroute    |   MTR TUI    |
 | Binary name           |    `nexttrace`     | `nexttrace-tiny` |    `ntr`     |
@@ -195,9 +195,9 @@ Starting from this release, NextTrace is published in **three flavors** under th
 
 ### Feature Matrix
 
-- **`nexttrace`** — Full-featured build. Includes traceroute, standalone MTU, CDN speed test, IP annotation, MTR, Globalping, Fast Trace, and WebUI.
-- **`nexttrace-tiny`** — Lightweight build. Keeps normal traceroute, standalone MTU, and Fast Trace. No CDN speed test / IP annotation / MTR / Globalping / WebUI. Suitable for embedded or minimal environments.
-- **`ntr`** — MTR-focused build. Runs MTR TUI by default. No normal traceroute mode, standalone `--mtu`, CDN speed test, IP annotation, Globalping, Fast Trace, or WebUI.
+- **`nexttrace`** — Full-featured build. Includes traceroute, standalone MTU, CDN speed test, IP annotation, MTR, Globalping, Fast Trace, WebUI, and deploy MCP.
+- **`nexttrace-tiny`** — Lightweight build. Keeps normal traceroute, standalone MTU, and Fast Trace. No CDN speed test / IP annotation / MTR / Globalping / WebUI / MCP. Suitable for embedded or minimal environments.
+- **`ntr`** — MTR-focused build. Runs MTR TUI by default. No normal traceroute mode, standalone `--mtu`, CDN speed test, IP annotation, Globalping, Fast Trace, WebUI, or MCP.
 
 ### Manual Build
 
@@ -701,6 +701,7 @@ NextTrace currently reads the following environment variables. For boolean switc
 | `NEXTTRACE_TOKEN` | unset | Pre-supplied LeoMoeAPI bearer token; when present, token fetching via PoW is skipped. |
 | `NEXTTRACE_POWPROVIDER` | `api.nxtrace.org` | Select the PoW provider. The built-in non-default alias is `sakura`. |
 | `NEXTTRACE_DEPLOY_ADDR` | unset | Default listen address for `--deploy` when `--listen` is not provided. |
+| `NEXTTRACE_DEPLOY_TOKEN` | unset | Token for `--deploy` WebUI/API/WebSocket/MCP access. CLI `--deploy-token` takes precedence. |
 | `NEXTTRACE_ALLOW_CROSS_ORIGIN` | `0` | Only for `--deploy`: allow cross-origin browser access to the Web UI / API. Disabled by default for safety. |
 
 #### IP Database / Third-Party Providers
@@ -738,8 +739,9 @@ Usage: nexttrace [-h|--help] [--init] [-4|--ipv4] [-6|--ipv6] [-T|--tcp]
                  [-j|--json] [-c|--classic] [-f|--first <integer>] [-M|--map]
                  [-e|--disable-mpls] [-V|--version]
                  [-s|--source "<value>"] [--source-port <integer>] [-D|--dev
-                 "<value>"] [--listen "<value>"] [--deploy] [-z|--send-time
-                 <integer>] [-i|--ttl-time <integer>] [--timeout <integer>]
+                 "<value>"] [--listen "<value>"] [--deploy-token "<value>"]
+                 [--mcp] [--deploy] [-z|--send-time <integer>]
+                 [-i|--ttl-time <integer>] [--timeout <integer>]
                  [--psize <integer>] [--dot-server
                  (dnssb|aliyun|dnspod|google|cloudflare)] [-g|--language
                  (en|cn)] [-C|--no-color] [--from "<value>"] [-t|--mtr]
@@ -822,6 +824,10 @@ Arguments:
                                      interface
       --listen                       Set listen address for web console (e.g.
                                      127.0.0.1:30080)
+      --deploy-token                 Set bearer token for --deploy
+                                     WebUI/API/WebSocket/MCP access
+      --mcp                          Enable MCP endpoint under --deploy at
+                                     /mcp
       --deploy                       Start the Gin powered web console
   -z  --send-time                    Advanced: per-packet gap [ms] inside the
                                      same TTL group. Lower is faster; raise to
@@ -895,6 +901,72 @@ For WebSocket continuous tracing, MTR now streams per-event payloads with `type:
 
 [https://github.com/nxtrace/nexttracewebapi](https://github.com/nxtrace/nexttracewebapi)
 
+## Deploy WebUI and MCP
+
+The full `nexttrace` binary can expose the local WebUI/API/WebSocket server:
+
+```bash
+nexttrace --deploy
+```
+
+MCP is a deploy submode and is exposed over the same network stack at `/mcp`:
+
+```bash
+nexttrace --deploy --mcp
+nexttrace --deploy --mcp --listen 0.0.0.0:1080 --deploy-token "$TOKEN"
+```
+
+Loopback listen addresses (`127.0.0.1`, `::1`, `localhost`) are tokenless by default. External listen addresses require a token; if none is set with `--deploy-token` or `NEXTTRACE_DEPLOY_TOKEN`, NextTrace generates one and prints it to stdout. API, WebSocket, and MCP clients may use `Authorization: Bearer <token>` or `X-NextTrace-Token`; browser WebUI users can sign in at `/auth/login`.
+
+### Register MCP in Agent clients
+
+Start NextTrace first. The MCP endpoint is Streamable HTTP, not stdio:
+
+```text
+http://127.0.0.1:1080/mcp
+```
+
+For external listeners or manually configured tokens, pass the token in an HTTP header. Do not put deploy tokens in URL query strings.
+
+Generic MCP client config:
+
+```json
+{
+  "mcp": {
+    "servers": {
+      "nexttrace": {
+        "url": "http://127.0.0.1:1080/mcp",
+        "transport": "streamable-http",
+        "headers": {
+          "Authorization": "Bearer <token>"
+        }
+      }
+    }
+  }
+}
+```
+
+OpenClaw can save the same server definition with [`openclaw mcp set`](https://docs.openclaw.ai/cli/mcp):
+
+```bash
+openclaw mcp set nexttrace '{
+  "url": "http://127.0.0.1:1080/mcp",
+  "transport": "streamable-http",
+  "headers": {
+    "Authorization": "Bearer <token>"
+  }
+}'
+```
+
+`openclaw mcp set` only saves the MCP server definition. It does not start NextTrace or verify that the endpoint is reachable, so run `nexttrace --deploy --mcp` first.
+
+Useful first tool calls for Agents:
+
+- `nexttrace_capabilities`
+- `nexttrace_traceroute`
+- `nexttrace_globalping_trace`
+- `nexttrace_globalping_limits`
+
 ## NextTraceroute
 
 `NextTraceroute` is a root-free Android route tracing application that defaults to using the `NextTrace API`, developed by @surfaceocean.  
 
@@ -187,7 +187,7 @@ Document Language: [English](README.md) | 简体中文
 | MTR 宽报告（`-w`）      |          ✅           |        —         |     ✅     |
 | MTR 原始输出（`--raw`） |          ✅           |        —         |     ✅     |
 | Globalping（`--from`）  |          ✅           |        —         |     —      |
-| WebUI（`--deploy`）     |          ✅           |        —         |     —      |
+| WebUI（`--deploy`）/ MCP（`--deploy --mcp`） |          ✅           |        —         |     —      |
 | 快速跟踪（`-F`）        |          ✅           |        ✅        |     —      |
 | 默认运行模式            |      traceroute       |    traceroute    |  MTR TUI   |
 | 二进制名                |      `nexttrace`      | `nexttrace-tiny` |   `ntr`    |
@@ -196,9 +196,9 @@ Document Language: [English](README.md) | 简体中文
 
 ### 功能对比
 
-- **`nexttrace`** — 完整版。包含 traceroute、独立 MTU、CDN 测速、IP 文本标注、MTR、Globalping、Fast Trace 与 WebUI。
-- **`nexttrace-tiny`** — 精简版。保留常规 traceroute、独立 MTU 和 Fast Trace；不含 CDN 测速 / IP 文本标注 / MTR / Globalping / WebUI。适合嵌入式或极简环境。
-- **`ntr`** — MTR 专用版。默认启动 MTR TUI。不含常规 traceroute、独立 `--mtu`、CDN 测速、IP 文本标注、Globalping、Fast Trace 与 WebUI。
+- **`nexttrace`** — 完整版。包含 traceroute、独立 MTU、CDN 测速、IP 文本标注、MTR、Globalping、Fast Trace、WebUI（`--deploy`）与 MCP（`--deploy --mcp`）。
+- **`nexttrace-tiny`** — 精简版。保留常规 traceroute、独立 MTU 和 Fast Trace；不含 CDN 测速 / IP 文本标注 / MTR / Globalping / WebUI / MCP。适合嵌入式或极简环境。
+- **`ntr`** — MTR 专用版。默认启动 MTR TUI。不含常规 traceroute、独立 `--mtu`、CDN 测速、IP 文本标注、Globalping、Fast Trace、WebUI 或 MCP。
 
 ### 手动编译
 
@@ -677,6 +677,7 @@ NextTrace 当前会读取下列环境变量。对于布尔开关，只识别 `1`
 | `NEXTTRACE_TOKEN` | 未设置 | 预置 LeoMoeAPI Bearer Token；设置后将跳过 PoW 取 token 流程。 |
 | `NEXTTRACE_POWPROVIDER` | `api.nxtrace.org` | 指定 PoW 服务提供方；当前内置的非默认别名为 `sakura`。 |
 | `NEXTTRACE_DEPLOY_ADDR` | 未设置 | `--deploy` 模式下，当未传 `--listen` 时使用的默认监听地址。 |
+| `NEXTTRACE_DEPLOY_TOKEN` | 未设置 | `--deploy` WebUI/API/WebSocket/MCP 访问 token。CLI `--deploy-token` 优先级更高。 |
 | `NEXTTRACE_ALLOW_CROSS_ORIGIN` | `0` | 仅对 `--deploy` 生效：是否允许跨站浏览器访问 Web UI / API。默认关闭以保证安全。 |
 
 #### IP 数据库 / 第三方服务
@@ -714,8 +715,9 @@ Usage: nexttrace [-h|--help] [--init] [-4|--ipv4] [-6|--ipv6] [-T|--tcp]
                  [-j|--json] [-c|--classic] [-f|--first <integer>] [-M|--map]
                  [-e|--disable-mpls] [-V|--version]
                  [-s|--source "<value>"] [--source-port <integer>] [-D|--dev
-                 "<value>"] [--listen "<value>"] [--deploy] [-z|--send-time
-                 <integer>] [-i|--ttl-time <integer>] [--timeout <integer>]
+                 "<value>"] [--listen "<value>"] [--deploy-token "<value>"]
+                 [--mcp] [--deploy] [-z|--send-time <integer>]
+                 [-i|--ttl-time <integer>] [--timeout <integer>]
                  [--psize <integer>] [--dot-server
                  (dnssb|aliyun|dnspod|google|cloudflare)] [-g|--language
                  (en|cn)] [-C|--no-color] [--from "<value>"] [-t|--mtr]
@@ -798,6 +800,10 @@ Arguments:
                                      interface
       --listen                       Set listen address for web console (e.g.
                                      127.0.0.1:30080)
+      --deploy-token                 Set bearer token for --deploy
+                                     WebUI/API/WebSocket/MCP access
+      --mcp                          Enable MCP endpoint under --deploy at
+                                     /mcp
       --deploy                       Start the Gin powered web console
   -z  --send-time                    Advanced: per-packet gap [ms] inside the
                                      same TTL group. Lower is faster; raise to
@@ -895,6 +901,74 @@ nexttrace --pow-provider sakura
 
 [https://github.com/nxtrace/nexttracewebapi](https://github.com/nxtrace/nexttracewebapi)
 
+## Deploy WebUI 与 MCP
+
+完整版 `nexttrace` 可以启动本机 WebUI/API/WebSocket 服务：
+
+```bash
+nexttrace --deploy
+```
+
+MCP 是 deploy 的子模式，复用同一套网络服务栈并暴露在 `/mcp`：
+
+```bash
+nexttrace --deploy --mcp
+nexttrace --deploy --mcp --listen 0.0.0.0:1080 --deploy-token "$TOKEN"
+```
+
+监听 loopback 地址（`127.0.0.1`、`::1`、`localhost`）时默认免 token。监听外网地址时必须启用 token；如果没有通过 `--deploy-token` 或 `NEXTTRACE_DEPLOY_TOKEN` 设置，NextTrace 会启动时随机生成 token 并输出到 stdout。若 stdout 会被日志系统、CI 控制台或平台采集，建议通过 `--deploy-token` 或 `NEXTTRACE_DEPLOY_TOKEN` 显式提供 token，避免泄漏。API、WebSocket 与 MCP 客户端可使用 `Authorization: Bearer <token>` 或 `X-NextTrace-Token`；浏览器 WebUI 用户可访问 `/auth/login` 登录。
+
+### 在 Agent 客户端注册 MCP
+
+先启动 NextTrace。MCP endpoint 是 Streamable HTTP，不是 stdio：
+
+```text
+http://127.0.0.1:1080/mcp
+```
+
+监听外网地址或手动配置 token 时，把 token 放在 HTTP header 中。不要把 deploy token 放进 URL query。
+
+通用 MCP 客户端配置示例：
+
+```json
+{
+  "mcp": {
+    "servers": {
+      "nexttrace": {
+        "url": "http://127.0.0.1:1080/mcp",
+        "transport": "streamable-http",
+        "headers": {
+          "Authorization": "Bearer <token>"
+        }
+      }
+    }
+  }
+}
+```
+
+也可以把 `headers` 改为使用 `X-NextTrace-Token: <token>`，与 `Authorization: Bearer <token>` 等价。
+
+OpenClaw 可通过 [`openclaw mcp set`](https://docs.openclaw.ai/zh-CN/cli/mcp) 保存同样的 server 定义：
+
+```bash
+openclaw mcp set nexttrace '{
+  "url": "http://127.0.0.1:1080/mcp",
+  "transport": "streamable-http",
+  "headers": {
+    "Authorization": "Bearer <token>"
+  }
+}'
+```
+
+`openclaw mcp set` 只保存 MCP server 定义；它不会启动 NextTrace，也不会验证 endpoint 是否可达，所以需要先运行 `nexttrace --deploy --mcp`。
+
+下面列出的项为 MCP 协议中 `tools[].name` 的工具名/ID，客户端在 MCP Tool Calling 中引用这些 ID，而不是把它们当作 HTTP path。Agent 接入后可先调用：
+
+- `nexttrace_capabilities`
+- `nexttrace_traceroute`
+- `nexttrace_globalping_trace`
+- `nexttrace_globalping_limits`
+
 ## NextTraceroute
 
 `NextTraceroute`，一款默认使用`NextTrace API`的免`root`安卓版路由跟踪应用，由 @surfaceocean 开发。