Merge branch 'pr-125'

# Conflicts: # client/src/api/client.ts # client/src/i18n/translations/ar.ts # client/src/i18n/translations/es.ts # client/src/i18n/translations/fr.ts # client/src/i18n/translations/nl.ts # client/src/i18n/translations/ru.ts # client/src/i18n/translations/zh.ts # client/src/pages/AdminPage.tsx # client/src/pages/SettingsPage.tsx # server/package.json # server/src/db/migrations.ts # server/src/index.ts # server/src/routes/admin.ts
2026-03-30 23:10:34 +02:00
parent ce4b8088ec 3dd15499e6
commit faebc62917
32 changed files with 3504 additions and 55 deletions
--- a/server/src/db/migrations.ts
+++ b/server/src/db/migrations.ts
@@ -394,6 +394,35 @@ function runMigrations(db: Database.Database): void {
        CREATE INDEX IF NOT EXISTS idx_audit_log_created ON audit_log(created_at DESC);
      `);
    },
+    // MCP long-lived API tokens
+    () => db.exec(`
+      CREATE TABLE IF NOT EXISTS mcp_tokens (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        name TEXT NOT NULL,
+        token_hash TEXT NOT NULL,
+        token_prefix TEXT NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        last_used_at DATETIME
+      )
+    `),
+    // MCP addon entry
+    () => {
+      try {
+        db.prepare("INSERT OR IGNORE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?, ?)")
+          .run('mcp', 'MCP', 'Model Context Protocol for AI assistant integration', 'integration', 'Terminal', 0, 12);
+      } catch {}
+    },
+    // Index on mcp_tokens.token_hash
+    () => db.exec(`
+      CREATE UNIQUE INDEX IF NOT EXISTS idx_mcp_tokens_hash ON mcp_tokens(token_hash)
+    `),
+    // Ensure MCP addon type is 'integration'
+    () => {
+      try {
+        db.prepare("UPDATE addons SET type = 'integration' WHERE id = 'mcp'").run();
+      } catch {}
+    },
  ];

  if (currentVersion < migrations.length) {
--- a/server/src/db/seeds.ts
+++ b/server/src/db/seeds.ts
@@ -33,6 +33,7 @@ function seedAddons(db: Database.Database): void {
      { id: 'documents', name: 'Documents', description: 'Store and manage travel documents', type: 'trip', icon: 'FileText', enabled: 1, sort_order: 2 },
      { id: 'vacay', name: 'Vacay', description: 'Personal vacation day planner with calendar view', type: 'global', icon: 'CalendarDays', enabled: 1, sort_order: 10 },
      { id: 'atlas', name: 'Atlas', description: 'World map of your visited countries with travel stats', type: 'global', icon: 'Globe', enabled: 1, sort_order: 11 },
+      { id: 'mcp', name: 'MCP', description: 'Model Context Protocol for AI assistant integration', type: 'integration', icon: 'Terminal', enabled: 0, sort_order: 12 },
      { id: 'collab', name: 'Collab', description: 'Notes, polls, and live chat for trip collaboration', type: 'trip', icon: 'Users', enabled: 1, sort_order: 6 },
    ];
    const insertAddon = db.prepare('INSERT OR IGNORE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?, ?)');
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -197,6 +197,12 @@ app.use('/api/notifications', notificationRoutes);
 import shareRoutes from './routes/share';
 app.use('/api', shareRoutes);

+// MCP endpoint (Streamable HTTP transport, per-user auth)
+import { mcpHandler, closeMcpSessions } from './mcp';
+app.post('/mcp', mcpHandler);
+app.get('/mcp', mcpHandler);
+app.delete('/mcp', mcpHandler);
+
 // Serve static files in production
 if (process.env.NODE_ENV === 'production') {
  const publicPath = path.join(__dirname, '../public');
@@ -242,6 +248,7 @@ const server = app.listen(PORT, () => {
 function shutdown(signal: string): void {
  console.log(`\n${signal} received — shutting down gracefully...`);
  scheduler.stop();
+  closeMcpSessions();
  server.close(() => {
    console.log('HTTP server closed');
    const { closeDb } = require('./db/database');
--- a/server/src/mcp/index.ts
+++ b/server/src/mcp/index.ts
@@ -0,0 +1,189 @@
+import { Request, Response } from 'express';
+import { randomUUID, createHash } from 'crypto';
+import jwt from 'jsonwebtoken';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp';
+import { JWT_SECRET } from '../config';
+import { db } from '../db/database';
+import { User } from '../types';
+import { registerResources } from './resources';
+import { registerTools } from './tools';
+
+interface McpSession {
+  server: McpServer;
+  transport: StreamableHTTPServerTransport;
+  userId: number;
+  lastActivity: number;
+}
+
+const sessions = new Map<string, McpSession>();
+
+const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
+const MAX_SESSIONS_PER_USER = 5;
+const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
+const RATE_LIMIT_MAX = 60; // requests per minute per user
+
+interface RateLimitEntry {
+  count: number;
+  windowStart: number;
+}
+const rateLimitMap = new Map<number, RateLimitEntry>();
+
+function isRateLimited(userId: number): boolean {
+  const now = Date.now();
+  const entry = rateLimitMap.get(userId);
+  if (!entry || now - entry.windowStart > RATE_LIMIT_WINDOW_MS) {
+    rateLimitMap.set(userId, { count: 1, windowStart: now });
+    return false;
+  }
+  entry.count += 1;
+  return entry.count > RATE_LIMIT_MAX;
+}
+
+function countSessionsForUser(userId: number): number {
+  const cutoff = Date.now() - SESSION_TTL_MS;
+  let count = 0;
+  for (const session of sessions.values()) {
+    if (session.userId === userId && session.lastActivity >= cutoff) count++;
+  }
+  return count;
+}
+
+const sessionSweepInterval = setInterval(() => {
+  const cutoff = Date.now() - SESSION_TTL_MS;
+  for (const [sid, session] of sessions) {
+    if (session.lastActivity < cutoff) {
+      try { session.server.close(); } catch { /* ignore */ }
+      try { session.transport.close(); } catch { /* ignore */ }
+      sessions.delete(sid);
+    }
+  }
+  const rateCutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
+  for (const [uid, entry] of rateLimitMap) {
+    if (entry.windowStart < rateCutoff) rateLimitMap.delete(uid);
+  }
+}, 10 * 60 * 1000); // sweep every 10 minutes
+
+// Prevent the interval from keeping the process alive if nothing else is running
+sessionSweepInterval.unref();
+
+function verifyToken(authHeader: string | undefined): User | null {
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) return null;
+
+  // Long-lived MCP API token (trek_...)
+  if (token.startsWith('trek_')) {
+    const hash = createHash('sha256').update(token).digest('hex');
+    const row = db.prepare(`
+      SELECT u.id, u.username, u.email, u.role
+      FROM mcp_tokens mt
+      JOIN users u ON mt.user_id = u.id
+      WHERE mt.token_hash = ?
+    `).get(hash) as User | undefined;
+    if (row) {
+      // Update last_used_at (fire-and-forget, non-blocking)
+      db.prepare('UPDATE mcp_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE token_hash = ?').run(hash);
+      return row;
+    }
+    return null;
+  }
+
+  // Short-lived JWT
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const user = db.prepare(
+      'SELECT id, username, email, role FROM users WHERE id = ?'
+    ).get(decoded.id) as User | undefined;
+    return user || null;
+  } catch {
+    return null;
+  }
+}
+
+export async function mcpHandler(req: Request, res: Response): Promise<void> {
+  const mcpAddon = db.prepare("SELECT enabled FROM addons WHERE id = 'mcp'").get() as { enabled: number } | undefined;
+  if (!mcpAddon || !mcpAddon.enabled) {
+    res.status(403).json({ error: 'MCP is not enabled' });
+    return;
+  }
+
+  const user = verifyToken(req.headers['authorization']);
+  if (!user) {
+    res.status(401).json({ error: 'Access token required' });
+    return;
+  }
+
+  if (isRateLimited(user.id)) {
+    res.status(429).json({ error: 'Too many requests. Please slow down.' });
+    return;
+  }
+
+  const sessionId = req.headers['mcp-session-id'] as string | undefined;
+
+  // Resume an existing session
+  if (sessionId) {
+    const session = sessions.get(sessionId);
+    if (!session) {
+      res.status(404).json({ error: 'Session not found' });
+      return;
+    }
+    if (session.userId !== user.id) {
+      res.status(403).json({ error: 'Session belongs to a different user' });
+      return;
+    }
+    session.lastActivity = Date.now();
+    await session.transport.handleRequest(req, res, req.body);
+    return;
+  }
+
+  // Only POST can initialize a new session
+  if (req.method !== 'POST') {
+    res.status(400).json({ error: 'Missing mcp-session-id header' });
+    return;
+  }
+
+  if (countSessionsForUser(user.id) >= MAX_SESSIONS_PER_USER) {
+    res.status(429).json({ error: 'Session limit reached. Close an existing session before opening a new one.' });
+    return;
+  }
+
+  // Create a new per-user MCP server and session
+  const server = new McpServer({ name: 'trek', version: '1.0.0' });
+  registerResources(server, user.id);
+  registerTools(server, user.id);
+
+  const transport = new StreamableHTTPServerTransport({
+    sessionIdGenerator: () => randomUUID(),
+    onsessioninitialized: (sid) => {
+      sessions.set(sid, { server, transport, userId: user.id, lastActivity: Date.now() });
+    },
+    onsessionclosed: (sid) => {
+      sessions.delete(sid);
+    },
+  });
+
+  await server.connect(transport);
+  await transport.handleRequest(req, res, req.body);
+}
+
+/** Terminate all active MCP sessions for a specific user (e.g. on token revocation). */
+export function revokeUserSessions(userId: number): void {
+  for (const [sid, session] of sessions) {
+    if (session.userId === userId) {
+      try { session.server.close(); } catch { /* ignore */ }
+      try { session.transport.close(); } catch { /* ignore */ }
+      sessions.delete(sid);
+    }
+  }
+}
+
+/** Close all active MCP sessions (call during graceful shutdown). */
+export function closeMcpSessions(): void {
+  clearInterval(sessionSweepInterval);
+  for (const [, session] of sessions) {
+    try { session.server.close(); } catch { /* ignore */ }
+    try { session.transport.close(); } catch { /* ignore */ }
+  }
+  sessions.clear();
+  rateLimitMap.clear();
+}
--- a/server/src/mcp/resources.ts
+++ b/server/src/mcp/resources.ts
@@ -0,0 +1,304 @@
+import { McpServer, ResourceTemplate } from '@modelcontextprotocol/sdk/server/mcp';
+import { db, canAccessTrip } from '../db/database';
+
+const TRIP_SELECT = `
+  SELECT t.*,
+    (SELECT COUNT(*) FROM days d WHERE d.trip_id = t.id) as day_count,
+    (SELECT COUNT(*) FROM places p WHERE p.trip_id = t.id) as place_count,
+    CASE WHEN t.user_id = :userId THEN 1 ELSE 0 END as is_owner,
+    u.username as owner_username,
+    (SELECT COUNT(*) FROM trip_members tm WHERE tm.trip_id = t.id) as shared_count
+  FROM trips t
+  JOIN users u ON u.id = t.user_id
+`;
+
+function parseId(value: string | string[]): number | null {
+  const n = Number(Array.isArray(value) ? value[0] : value);
+  return Number.isInteger(n) && n > 0 ? n : null;
+}
+
+function accessDenied(uri: string) {
+  return {
+    contents: [{
+      uri,
+      mimeType: 'application/json',
+      text: JSON.stringify({ error: 'Trip not found or access denied' }),
+    }],
+  };
+}
+
+function jsonContent(uri: string, data: unknown) {
+  return {
+    contents: [{
+      uri,
+      mimeType: 'application/json',
+      text: JSON.stringify(data, null, 2),
+    }],
+  };
+}
+
+export function registerResources(server: McpServer, userId: number): void {
+  // List all accessible trips
+  server.registerResource(
+    'trips',
+    'trek://trips',
+    { description: 'All trips the user owns or is a member of' },
+    async (uri) => {
+      const trips = db.prepare(`
+        ${TRIP_SELECT}
+        LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
+        WHERE (t.user_id = :userId OR m.user_id IS NOT NULL) AND t.is_archived = 0
+        ORDER BY t.created_at DESC
+      `).all({ userId });
+      return jsonContent(uri.href, trips);
+    }
+  );
+
+  // Single trip detail
+  server.registerResource(
+    'trip',
+    new ResourceTemplate('trek://trips/{tripId}', { list: undefined }),
+    { description: 'A single trip with metadata and member count' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const trip = db.prepare(`
+        ${TRIP_SELECT}
+        LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
+        WHERE t.id = :tripId AND (t.user_id = :userId OR m.user_id IS NOT NULL)
+      `).get({ userId, tripId: id });
+      return jsonContent(uri.href, trip);
+    }
+  );
+
+  // Days with assigned places
+  server.registerResource(
+    'trip-days',
+    new ResourceTemplate('trek://trips/{tripId}/days', { list: undefined }),
+    { description: 'Days of a trip with their assigned places' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+
+      const days = db.prepare(
+        'SELECT * FROM days WHERE trip_id = ? ORDER BY day_number ASC'
+      ).all(id) as { id: number; day_number: number; date: string | null; title: string | null; notes: string | null }[];
+
+      const dayIds = days.map(d => d.id);
+      const assignmentsByDay: Record<number, unknown[]> = {};
+
+      if (dayIds.length > 0) {
+        const placeholders = dayIds.map(() => '?').join(',');
+        const assignments = db.prepare(`
+          SELECT da.id, da.day_id, da.order_index, da.notes as assignment_notes,
+            p.id as place_id, p.name, p.address, p.lat, p.lng, p.category_id,
+            COALESCE(da.assignment_time, p.place_time) as place_time,
+            c.name as category_name, c.color as category_color, c.icon as category_icon
+          FROM day_assignments da
+          JOIN places p ON da.place_id = p.id
+          LEFT JOIN categories c ON p.category_id = c.id
+          WHERE da.day_id IN (${placeholders})
+          ORDER BY da.order_index ASC, da.created_at ASC
+        `).all(...dayIds) as (Record<string, unknown> & { day_id: number })[];
+
+        for (const a of assignments) {
+          if (!assignmentsByDay[a.day_id]) assignmentsByDay[a.day_id] = [];
+          assignmentsByDay[a.day_id].push(a);
+        }
+      }
+
+      const result = days.map(d => ({ ...d, assignments: assignmentsByDay[d.id] || [] }));
+      return jsonContent(uri.href, result);
+    }
+  );
+
+  // Places in a trip
+  server.registerResource(
+    'trip-places',
+    new ResourceTemplate('trek://trips/{tripId}/places', { list: undefined }),
+    { description: 'All places/POIs saved in a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const places = db.prepare(`
+        SELECT p.*, c.name as category_name, c.color as category_color, c.icon as category_icon
+        FROM places p
+        LEFT JOIN categories c ON p.category_id = c.id
+        WHERE p.trip_id = ?
+        ORDER BY p.created_at DESC
+      `).all(id);
+      return jsonContent(uri.href, places);
+    }
+  );
+
+  // Budget items
+  server.registerResource(
+    'trip-budget',
+    new ResourceTemplate('trek://trips/{tripId}/budget', { list: undefined }),
+    { description: 'Budget and expense items for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const items = db.prepare(
+        'SELECT * FROM budget_items WHERE trip_id = ? ORDER BY category ASC, created_at ASC'
+      ).all(id);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // Packing checklist
+  server.registerResource(
+    'trip-packing',
+    new ResourceTemplate('trek://trips/{tripId}/packing', { list: undefined }),
+    { description: 'Packing checklist for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const items = db.prepare(
+        'SELECT * FROM packing_items WHERE trip_id = ? ORDER BY sort_order ASC, created_at ASC'
+      ).all(id);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // Reservations (flights, hotels, restaurants)
+  server.registerResource(
+    'trip-reservations',
+    new ResourceTemplate('trek://trips/{tripId}/reservations', { list: undefined }),
+    { description: 'Reservations (flights, hotels, restaurants) for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const reservations = db.prepare(`
+        SELECT r.*, d.day_number, p.name as place_name
+        FROM reservations r
+        LEFT JOIN days d ON r.day_id = d.id
+        LEFT JOIN places p ON r.place_id = p.id
+        WHERE r.trip_id = ?
+        ORDER BY r.reservation_time ASC, r.created_at ASC
+      `).all(id);
+      return jsonContent(uri.href, reservations);
+    }
+  );
+
+  // Day notes
+  server.registerResource(
+    'day-notes',
+    new ResourceTemplate('trek://trips/{tripId}/days/{dayId}/notes', { list: undefined }),
+    { description: 'Notes for a specific day in a trip' },
+    async (uri, { tripId, dayId }) => {
+      const tId = parseId(tripId);
+      const dId = parseId(dayId);
+      if (tId === null || dId === null || !canAccessTrip(tId, userId)) return accessDenied(uri.href);
+      const notes = db.prepare(
+        'SELECT * FROM day_notes WHERE day_id = ? AND trip_id = ? ORDER BY sort_order ASC, created_at ASC'
+      ).all(dId, tId);
+      return jsonContent(uri.href, notes);
+    }
+  );
+
+  // Accommodations (hotels, rentals) per trip
+  server.registerResource(
+    'trip-accommodations',
+    new ResourceTemplate('trek://trips/{tripId}/accommodations', { list: undefined }),
+    { description: 'Accommodations (hotels, rentals) for a trip with check-in/out details' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const accommodations = db.prepare(`
+        SELECT da.*, p.name as place_name, p.address as place_address, p.lat, p.lng,
+          ds.day_number as start_day_number, de.day_number as end_day_number
+        FROM day_accommodations da
+        JOIN places p ON da.place_id = p.id
+        LEFT JOIN days ds ON da.start_day_id = ds.id
+        LEFT JOIN days de ON da.end_day_id = de.id
+        WHERE da.trip_id = ?
+        ORDER BY ds.day_number ASC
+      `).all(id);
+      return jsonContent(uri.href, accommodations);
+    }
+  );
+
+  // Trip members (owner + collaborators)
+  server.registerResource(
+    'trip-members',
+    new ResourceTemplate('trek://trips/{tripId}/members', { list: undefined }),
+    { description: 'Owner and collaborators of a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const trip = db.prepare('SELECT user_id FROM trips WHERE id = ?').get(id) as { user_id: number } | undefined;
+      if (!trip) return accessDenied(uri.href);
+      const owner = db.prepare('SELECT id, username, avatar FROM users WHERE id = ?').get(trip.user_id) as Record<string, unknown> | undefined;
+      const members = db.prepare(`
+        SELECT u.id, u.username, u.avatar, tm.added_at
+        FROM trip_members tm
+        JOIN users u ON tm.user_id = u.id
+        WHERE tm.trip_id = ?
+        ORDER BY tm.added_at ASC
+      `).all(id);
+      return jsonContent(uri.href, {
+        owner: owner ? { ...owner, role: 'owner' } : null,
+        members,
+      });
+    }
+  );
+
+  // Collab notes for a trip
+  server.registerResource(
+    'trip-collab-notes',
+    new ResourceTemplate('trek://trips/{tripId}/collab-notes', { list: undefined }),
+    { description: 'Shared collaborative notes for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const notes = db.prepare(`
+        SELECT cn.*, u.username
+        FROM collab_notes cn
+        JOIN users u ON cn.user_id = u.id
+        WHERE cn.trip_id = ?
+        ORDER BY cn.pinned DESC, cn.updated_at DESC
+      `).all(id);
+      return jsonContent(uri.href, notes);
+    }
+  );
+
+  // All place categories (global, no trip filter)
+  server.registerResource(
+    'categories',
+    'trek://categories',
+    { description: 'All available place categories (id, name, color, icon) for use when creating places' },
+    async (uri) => {
+      const categories = db.prepare(
+        'SELECT id, name, color, icon FROM categories ORDER BY name ASC'
+      ).all();
+      return jsonContent(uri.href, categories);
+    }
+  );
+
+  // User's bucket list
+  server.registerResource(
+    'bucket-list',
+    'trek://bucket-list',
+    { description: 'Your personal travel bucket list' },
+    async (uri) => {
+      const items = db.prepare(
+        'SELECT * FROM bucket_list WHERE user_id = ? ORDER BY created_at DESC'
+      ).all(userId);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // User's visited countries
+  server.registerResource(
+    'visited-countries',
+    'trek://visited-countries',
+    { description: 'Countries you have marked as visited in Atlas' },
+    async (uri) => {
+      const countries = db.prepare(
+        'SELECT country_code, created_at FROM visited_countries WHERE user_id = ? ORDER BY created_at DESC'
+      ).all(userId);
+      return jsonContent(uri.href, countries);
+    }
+  );
+}
--- a/server/src/mcp/tools.ts
+++ b/server/src/mcp/tools.ts
--- a/server/src/routes/admin.ts
+++ b/server/src/routes/admin.ts
@@ -8,6 +8,7 @@ import { db } from '../db/database';
 import { authenticate, adminOnly } from '../middleware/auth';
 import { AuthRequest, User, Addon } from '../types';
 import { writeAudit, getClientIp } from '../services/auditLog';
+import { revokeUserSessions } from '../mcp';

 const router = express.Router();

@@ -547,4 +548,22 @@ router.put('/addons/:id', (req: Request, res: Response) => {
  res.json({ addon: { ...updated, enabled: !!updated.enabled, config: JSON.parse(updated.config || '{}') } });
 });

+router.get('/mcp-tokens', (req: Request, res: Response) => {
+  const tokens = db.prepare(`
+    SELECT t.id, t.name, t.token_prefix, t.created_at, t.last_used_at, t.user_id, u.username
+    FROM mcp_tokens t
+    JOIN users u ON u.id = t.user_id
+    ORDER BY t.created_at DESC
+  `).all();
+  res.json({ tokens });
+});
+
+router.delete('/mcp-tokens/:id', (req: Request, res: Response) => {
+  const token = db.prepare('SELECT id, user_id FROM mcp_tokens WHERE id = ?').get(req.params.id) as { id: number; user_id: number } | undefined;
+  if (!token) return res.status(404).json({ error: 'Token not found' });
+  db.prepare('DELETE FROM mcp_tokens WHERE id = ?').run(req.params.id);
+  revokeUserSessions(token.user_id);
+  res.json({ success: true });
+});
+
 export default router;
--- a/server/src/routes/auth.ts
+++ b/server/src/routes/auth.ts
@@ -12,6 +12,8 @@ import { db } from '../db/database';
 import { authenticate, demoUploadBlock } from '../middleware/auth';
 import { JWT_SECRET } from '../config';
 import { encryptMfaSecret, decryptMfaSecret } from '../services/mfaCrypto';
+import { randomBytes, createHash } from 'crypto';
+import { revokeUserSessions } from '../mcp';
 import { AuthRequest, User } from '../types';
 import { writeAudit, getClientIp } from '../services/auditLog';

@@ -742,4 +744,48 @@ router.post('/mfa/disable', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (re
  res.json({ success: true, mfa_enabled: false });
 });

+// --- MCP Token Management ---
+
+router.get('/mcp-tokens', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const tokens = db.prepare(
+    'SELECT id, name, token_prefix, created_at, last_used_at FROM mcp_tokens WHERE user_id = ? ORDER BY created_at DESC'
+  ).all(authReq.user.id);
+  res.json({ tokens });
+});
+
+router.post('/mcp-tokens', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { name } = req.body;
+  if (!name?.trim()) return res.status(400).json({ error: 'Token name is required' });
+  if (name.trim().length > 100) return res.status(400).json({ error: 'Token name must be 100 characters or less' });
+
+  const tokenCount = (db.prepare('SELECT COUNT(*) as count FROM mcp_tokens WHERE user_id = ?').get(authReq.user.id) as { count: number }).count;
+  if (tokenCount >= 10) return res.status(400).json({ error: 'Maximum of 10 tokens per user reached' });
+
+  const rawToken = 'trek_' + randomBytes(24).toString('hex');
+  const tokenHash = createHash('sha256').update(rawToken).digest('hex');
+  const tokenPrefix = rawToken.slice(0, 13); // "trek_" + 8 hex chars
+
+  const result = db.prepare(
+    'INSERT INTO mcp_tokens (user_id, name, token_hash, token_prefix) VALUES (?, ?, ?, ?)'
+  ).run(authReq.user.id, name.trim(), tokenHash, tokenPrefix);
+
+  const token = db.prepare(
+    'SELECT id, name, token_prefix, created_at, last_used_at FROM mcp_tokens WHERE id = ?'
+  ).get(result.lastInsertRowid);
+
+  res.status(201).json({ token: { ...(token as object), raw_token: rawToken } });
+});
+
+router.delete('/mcp-tokens/:id', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { id } = req.params;
+  const token = db.prepare('SELECT id FROM mcp_tokens WHERE id = ? AND user_id = ?').get(id, authReq.user.id);
+  if (!token) return res.status(404).json({ error: 'Token not found' });
+  db.prepare('DELETE FROM mcp_tokens WHERE id = ?').run(id);
+  revokeUserSessions(authReq.user.id);
+  res.json({ success: true });
+});
+
 export default router;
--- a/server/src/routes/files.ts
+++ b/server/src/routes/files.ts
@@ -85,7 +85,7 @@ router.get('/', authenticate, (req: Request, res: Response) => {

  // Get all file_links for this trip's files
  const fileIds = files.map(f => f.id);
-  let linksMap: Record<number, number[]> = {};
+  let linksMap: Record<number, { file_id: number; reservation_id: number | null; place_id: number | null }[]> = {};
  if (fileIds.length > 0) {
    const placeholders = fileIds.map(() => '?').join(',');
    const links = db.prepare(`SELECT file_id, reservation_id, place_id FROM file_links WHERE file_id IN (${placeholders})`).all(...fileIds) as { file_id: number; reservation_id: number | null; place_id: number | null }[];