On March 21, 2026 I made the first commit for TraceTree. I built it because static analysis is a lie, you can’t trust what a package says it does, you have to watch what it actually does at runtime.
at that time, the industry was just realizing that 96% of mcp vulnerabilities were only catchable at runtime.
because i built tracetree as a general-purpose runtime engine, it was already the solution. today, i’ve officially added first-class mcp support. static scanning is a suggestion, but runtime is the truth.
the industry is finally waking up to runtime vulnarabilities . I just happened to set the alarm slightly early.