@cloudgrid-io/mcp 0.2.7 → 0.3.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -43,30 +43,57 @@ It speaks MCP over stdio. Point any MCP client at the `cloudgrid-mcp` command.
 
 ## Tools
 
+### Direct-API tools (both editions)
+
 | Tool | Wraps | Notes |
 |---|---|---|
-| `cloudgrid_drop` | `POST /api/v2/drop/auto` | Artifact drop. Anonymous, or owned if signed in. No CLI. Direct API. |
+| `cloudgrid_drop` | `POST /api/v2/drop/auto` | Artifact drop. Anonymous, or owned if signed in. Direct API. |
 | `cloudgrid_claim` | `POST /api/v2/anon-claim` | Claim an anonymous drop into the signed-in account. Direct API. |
-| `cloudgrid_login` | `GET /auth/login` | Start a CLI-free sign-in; returns a URL to open. Calls the API directly. |
+| `cloudgrid_login` | `GET /auth/login` | Start a CLI-free sign-in; returns a URL to open. Direct API. |
 | `cloudgrid_login_status` | `GET /auth/status` | Finish the sign-in; saves the token to the shared CLI credentials. |
 | `cloudgrid_visibility` | `PATCH /api/v2/inspirations/<id>` | Change who can see a drop (private, space, authenticated, org, link). Needs sign-in. Direct API; also in the web edition. |
-| `cloudgrid_init` | `cloudgrid init` | Register an app or agent; optionally seed a web service. |
-| `cloudgrid_plug` | `cloudgrid plug` | Deploy a directory or URL. |
-| `cloudgrid_logs` | `cloudgrid logs` | Snapshot of recent logs. Does not stream. |
-| `cloudgrid_share` | `cloudgrid visibility set` | Set visibility, default link. |
-| `cloudgrid_feedback` | `cloudgrid feedback list` | Read the org feedback feed. |
-| `cloudgrid_brain` | `cloudgrid brain refresh` | Re-run the Grid Brain hooks. |
 
 `cloudgrid_drop`, `cloudgrid_claim`, `cloudgrid_visibility`, and the two
-`cloudgrid_login` tools do not wrap the CLI — they call the API directly, so they
+`cloudgrid_login` tools do not wrap the CLI -- they call the API directly, so they
 also work in the web edition where no CLI exists. `cloudgrid_login` writes the same
 `~/.cloudgrid/credentials` the CLI uses, so the two share one identity.
 
+### CLI-wrapping tools (local edition only)
+
+| Tool | Wraps | Notes |
+|---|---|---|
+| `cloudgrid_init` | `cloudgrid init` | Register an app or agent; optionally seed a web service. |
+| `cloudgrid_plug` | `cloudgrid plug` | Deploy a directory or URL. |
+| `cloudgrid_logs` | `cloudgrid logs` | Snapshot of recent logs. Does not stream. Read-only. |
+| `cloudgrid_share` | `cloudgrid visibility set` | Set visibility, default link. |
+| `cloudgrid_feedback` | `cloudgrid feedback list` | Read the org feedback feed. Read-only. |
+| `cloudgrid_brain` | `cloudgrid brain refresh` | Re-run the Grid Brain hooks. |
+| `cloudgrid_whoami` | `cloudgrid whoami` | Show the signed-in user and active org. Read-only. |
+| `cloudgrid_use` | `cloudgrid use` | Switch the active org. |
+| `cloudgrid_logout` | `cloudgrid logout` | Sign out and clear local credentials. Destructive. |
+| `cloudgrid_status` | `cloudgrid status` | Org dashboard or entity detail. Read-only. |
+| `cloudgrid_info` | `cloudgrid info` | Entity metadata. Read-only. |
+| `cloudgrid_builds` | `cloudgrid builds` | Recent builds and deploys. Read-only. |
+| `cloudgrid_grid` | `cloudgrid grid` | List entities on the hub. Read-only. |
+| `cloudgrid_rename` | `cloudgrid rename` | Rename an entity. |
+| `cloudgrid_unplug` | `cloudgrid unplug` | Take an entity off the grid. Destructive; requires confirm. |
+| `cloudgrid_delete` | `cloudgrid delete` | Archive and delete an entity. Destructive; requires confirm. |
+| `cloudgrid_rollback` | `cloudgrid rollback` | Rollback to a previous version. |
+| `cloudgrid_versions` | `cloudgrid versions` | List published versions. Read-only. |
+| `cloudgrid_env` | `cloudgrid env` | Get, set, or list environment variables. |
+| `cloudgrid_secrets` | `cloudgrid secrets` | Set or list secret names. Never returns secret values. |
+| `cloudgrid_scaffold` | `cloudgrid scaffold` | Generate starter files. |
+| `cloudgrid_doctor` | `cloudgrid doctor` | Run local diagnostics. Read-only. |
+| `cloudgrid_open` | `cloudgrid open` | Return the public URL. Does not open a browser. Read-only. |
+
 `cloudgrid_share` and `cloudgrid_visibility` overlap on purpose: `cloudgrid_share`
 wraps the CLI and defaults to `link`; `cloudgrid_visibility` is direct API, takes an
-explicit scope, and defaults its target to the session's last drop — it is the one
+explicit scope, and defaults its target to the session's last drop -- it is the one
 the web edition gets.
 
+All tools carry MCP annotations (`readOnlyHint`, `destructiveHint`,
+`openWorldHint`) for clients that support them.
+
 ## Test
 
 A smoke test spawns the server with a real MCP client, lists the tools, and calls

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgrid-io/mcp",
-  "version": "0.2.7",
+  "version": "0.3.0",
   "description": "MCP server for CloudGrid. Two editions: a local stdio server (full toolset) and a hosted web server (light, CLI-free toolset) over MCP Streamable HTTP.",
   "type": "module",
   "bin": {
@@ -22,7 +22,6 @@
     "smoke:web": "node test/smoke-web.mjs",
     "smoke:redrop": "node test/smoke-redrop.mjs",
     "smoke:oauth": "node test/smoke-oauth.mjs",
-    "lint:cloudbuild": "npx -y yaml-lint cloudbuild.yaml",
     "test:auth": "node test/auth.test.mjs"
   },
   "dependencies": {
@@ -31,10 +30,9 @@
     "zod": "^3.23.0"
   },
   "license": "Apache-2.0",
-  "homepage": "https://github.com/cloudgrid-io/skills/tree/main/mcp-server",
+  "homepage": "https://github.com/cloudgrid-io/mcp",
   "repository": {
     "type": "git",
-    "url": "https://github.com/cloudgrid-io/skills.git",
-    "directory": "mcp-server"
+    "url": "https://github.com/cloudgrid-io/mcp.git"
   }
 }

package/src/tools.js

@@ -120,10 +120,8 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org, fr
     }
   }
 
-  // Anonymous path on a hosted server: present the trusted-server credential so the
-  // platform keys the anon-drop cap on the per-user id instead of the shared cluster
-  // egress IP. A missing/bad secret silently falls back to the IP cap server-side, so
-  // this is safe to send whenever configured. Only the web edition sets ctx.trustedServer.
+  // Hosted server: attach the trusted-server credential when available.
+  // Falls back gracefully server-side if absent. Only the web edition sets ctx.trustedServer.
   if (!headers["Authorization"] && ctx.trustedServer?.secret && ctx.trustedServer?.endUserId) {
     headers["X-CloudGrid-Trusted-Server-Auth"] = ctx.trustedServer.secret;
     headers["X-CloudGrid-Trusted-Server-End-User"] = ctx.trustedServer.endUserId;
@@ -138,11 +136,9 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org, fr
   }
 
   const form = new FormData();
-  // Redrop (anon-redrop spec §6): a re-drop in the same session updates the previous
-  // drop in place — same URL, new version. `fresh: true` forces a new drop. Sent for
-  // BOTH anonymous and authed callers: the platform validates ownership and silently
-  // falls back to create, so this never hard-fails (authed in-place lands when the
-  // platform extends the gate; until then the fallback equals today's behavior).
+  // Redrop: a re-drop in the same session updates the previous drop in place (same URL,
+  // new version). `fresh: true` forces a new drop. The platform validates ownership and
+  // falls back to create if the caller does not own the previous drop.
   // Field appended before the artifact so streaming parsers see it.
   if (fresh !== true && ctx.state.lastDrop?.entity_id) {
     form.append("previous_id", ctx.state.lastDrop.entity_id);
@@ -320,6 +316,8 @@ async function runVisibility(ctx, { target, visibility, org }) {
 // Registers the tools onto `server`. ctx.edition decides whether the CLI-wrapping
 // tools are included (they need a local machine).
 export function registerTools(server, ctx) {
+  // ── Direct-API tools (both editions) ──────────────────────────────────────
+
   // Drop — both editions.
   server.tool(
     "cloudgrid_drop",
@@ -335,6 +333,7 @@ export function registerTools(server, ctx) {
         .optional()
         .describe("Force a new drop even if you already dropped in this session (default: update in place)."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     async (input) => {
       try {
         return ok(await runDrop(ctx, input || {}));
@@ -352,6 +351,7 @@ export function registerTools(server, ctx) {
       claim_token: z.string().optional().describe("The claim token from an anonymous drop."),
       claim_url: z.string().optional().describe("The claim_url from an anonymous drop; the token is read from it."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     async (input) => {
       try {
         return ok(await runClaim(ctx, input || {}));
@@ -367,6 +367,7 @@ export function registerTools(server, ctx) {
     "cloudgrid_login",
     "Start a CLI-free CloudGrid sign-in. Use when the user wants to log in, sign in, or authenticate, or to claim an anonymous drop. Returns a URL to open in the browser; then call cloudgrid_login_status to finish. Uses CloudGrid's existing OAuth.",
     {},
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     async () => {
       const code = newLoginCode();
       ctx.state.pendingLoginCode = code;
@@ -385,6 +386,7 @@ export function registerTools(server, ctx) {
     {
       code: z.string().optional().describe("The sign-in code. Defaults to the most recent cloudgrid_login."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     async (input) => {
       const code = input?.code || ctx.state.pendingLoginCode;
       if (!code) return fail("No sign-in is in progress. Run cloudgrid_login first.");
@@ -423,6 +425,7 @@ export function registerTools(server, ctx) {
       target: z.string().optional().describe("Entity id. Defaults to this session's last drop."),
       org: z.string().optional().describe("Org of the entity. Defaults to the active org."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     async (input) => {
       try {
         return ok(await runVisibility(ctx, input || {}));
@@ -434,7 +437,8 @@ export function registerTools(server, ctx) {
 
   if (ctx.edition !== "local") return; // web edition stops here — no CLI tools
 
-  // ── CLI-wrapping tools (local edition only) ──
+  // ── CLI-wrapping tools (local edition only) ───────────────────────────────
+
   server.tool(
     "cloudgrid_init",
     "Register a new CloudGrid app or agent, optionally seeding a web service. Wraps `cloudgrid init`.",
@@ -446,6 +450,7 @@ export function registerTools(server, ctx) {
       dir: z.string().optional().describe("Target directory. Defaults to ./<name>."),
       org: z.string().optional().describe("Override the active org for this init."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     cliTool(({ kind, name, type, description, dir, org }) => {
       const args = ["init", kind, name];
       if (type) args.push("--type", type);
@@ -464,6 +469,7 @@ export function registerTools(server, ctx) {
       org: z.string().optional().describe("Pick or override the org."),
       no_deploy: z.boolean().optional().describe("Register the entity but do not build or deploy."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     cliTool(({ target, org, no_deploy }) => {
       const args = ["plug"];
       if (target) args.push(target);
@@ -482,6 +488,7 @@ export function registerTools(server, ctx) {
       tail: z.number().int().positive().optional().describe("Number of recent lines. Default 100."),
       since: z.string().optional().describe("Only logs newer than this, e.g. 5m, 1h, 2d."),
     },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
     cliTool(({ name, tail, since }) => {
       const args = ["logs"];
       if (name) args.push(name);
@@ -498,6 +505,7 @@ export function registerTools(server, ctx) {
       name: z.string().describe("Entity slug."),
       mode: z.enum(["link", "private", "authenticated", "org", "space"]).optional().describe("Visibility mode. Default link."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     cliTool(({ name, mode }) => ["visibility", "set", name, mode ?? "link"]),
   );
 
@@ -509,6 +517,7 @@ export function registerTools(server, ctx) {
       limit: z.number().int().positive().max(200).optional().describe("Number of events. Default 50, max 200."),
       org: z.string().optional().describe("Read another org's feed where you have access."),
     },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
     cliTool(({ since, limit, org }) => {
       const args = ["feedback", "list"];
       if (since) args.push("--since", since);
@@ -526,6 +535,7 @@ export function registerTools(server, ctx) {
       wait: z.boolean().optional().describe("Wait for the refresh to finish. Default true."),
       org: z.string().optional().describe("Target an entity in another org."),
     },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
     cliTool(({ name, wait, org }) => {
       const args = ["brain", "refresh", name];
       if (wait !== false) args.push("--wait");
@@ -533,6 +543,214 @@ export function registerTools(server, ctx) {
       return args;
     }),
   );
+
+  // ── New CLI-wrapping tools (local edition only) ───────────────────────────
+
+  server.tool(
+    "cloudgrid_whoami",
+    "Show the signed-in user and active org. Wraps `cloudgrid whoami`.",
+    {},
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(() => ["whoami"]),
+  );
+
+  server.tool(
+    "cloudgrid_use",
+    "Switch the active org. Wraps `cloudgrid use`.",
+    { org: z.string().describe("Org slug to switch to.") },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ org }) => ["use", org]),
+  );
+
+  server.tool(
+    "cloudgrid_logout",
+    "Sign out and clear local credentials. Wraps `cloudgrid logout`.",
+    {},
+    { readOnlyHint: false, destructiveHint: true, openWorldHint: true },
+    cliTool(() => ["logout"]),
+  );
+
+  server.tool(
+    "cloudgrid_status",
+    "Org dashboard, entity detail, or deploy snapshot. Wraps `cloudgrid status`.",
+    { name: z.string().optional().describe("Entity name or trace id. Omit for the org dashboard.") },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name }) => (name ? ["status", name] : ["status"])),
+  );
+
+  server.tool(
+    "cloudgrid_info",
+    "Show metadata for a CloudGrid entity. Wraps `cloudgrid info`.",
+    { name: z.string().optional().describe("Entity name. Omit for the entity linked to the current directory.") },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name }) => {
+      const args = ["info"];
+      if (name) args.push(name);
+      return args;
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_builds",
+    "List recent builds and deploys for an entity. Wraps `cloudgrid builds`.",
+    {
+      name: z.string().optional().describe("Entity name. Omit for the entity linked to the current directory."),
+      limit: z.number().int().positive().optional().describe("Number of builds to show."),
+    },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name, limit }) => {
+      const args = ["builds"];
+      if (name) args.push(name);
+      if (limit) args.push("--limit", String(limit));
+      return args;
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_grid",
+    "List entities on the hub or org. Wraps `cloudgrid grid`.",
+    { org: z.string().optional().describe("Org slug. Omit for the active org.") },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ org }) => (org ? ["grid", "--org", org] : ["grid"])),
+  );
+
+  server.tool(
+    "cloudgrid_rename",
+    "Rename a CloudGrid entity. Wraps `cloudgrid rename`.",
+    {
+      name: z.string().describe("Current entity slug."),
+      new_name: z.string().describe("New slug."),
+    },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name, new_name }) => ["rename", name, new_name]),
+  );
+
+  server.tool(
+    "cloudgrid_unplug",
+    "Take an entity off the grid. Destructive. Wraps `cloudgrid unplug`.",
+    {
+      name: z.string().describe("Entity slug to take down (required)."),
+      confirm: z.literal(true).describe("Must be true to proceed."),
+    },
+    { readOnlyHint: false, destructiveHint: true, openWorldHint: true },
+    cliTool(({ name }) => ["unplug", name]),
+  );
+
+  server.tool(
+    "cloudgrid_delete",
+    "Archive and delete a CloudGrid entity. Destructive. Wraps `cloudgrid delete`.",
+    {
+      name: z.string().describe("Entity slug to delete (required)."),
+      confirm: z.literal(true).describe("Must be true to proceed."),
+    },
+    { readOnlyHint: false, destructiveHint: true, openWorldHint: true },
+    cliTool(({ name }) => ["delete", name]),
+  );
+
+  server.tool(
+    "cloudgrid_rollback",
+    "Rollback an entity to a previous version. Wraps `cloudgrid rollback`.",
+    {
+      name: z.string().describe("Entity slug."),
+      to: z.string().optional().describe("Target version tag or id. Omit to roll back one version."),
+    },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name, to }) => {
+      const args = ["rollback", name];
+      if (to) args.push("--to", to);
+      return args;
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_versions",
+    "List published versions for an entity. Wraps `cloudgrid versions`.",
+    { name: z.string().optional().describe("Entity name. Omit for the entity linked to the current directory.") },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name }) => {
+      const args = ["versions"];
+      if (name) args.push(name);
+      return args;
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_env",
+    "Manage environment variables for an entity. Wraps `cloudgrid env`.",
+    {
+      action: z.enum(["get", "set", "list"]).describe("get, set, or list."),
+      name: z.string().describe("Entity slug."),
+      key: z.string().optional().describe("Variable name. Required for get and set."),
+      value: z.string().optional().describe("Variable value. Required for set."),
+    },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ action, name, key, value }) => {
+      if (action === "set") {
+        if (!key || value === undefined) throw new Error("key and value are required for set");
+        return ["env", "set", name, key, value];
+      }
+      if (action === "get") {
+        if (!key) throw new Error("key is required for get");
+        return ["env", "get", name, key];
+      }
+      return ["env", "list", name];
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_secrets",
+    "Set or list secret names for an entity. Never returns secret values. Wraps `cloudgrid secrets`.",
+    {
+      action: z.enum(["set", "list"]).describe("set or list (names only)."),
+      name: z.string().describe("Entity slug."),
+      key: z.string().optional().describe("Secret name. Required for set."),
+      value: z.string().optional().describe("Secret value. Required for set."),
+    },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ action, name, key, value }) => {
+      if (action === "set") {
+        if (!key || value === undefined) throw new Error("key and value are required for set");
+        return ["secrets", "set", name, key, value];
+      }
+      return ["secrets", "list", name];
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_scaffold",
+    "Generate starter files for a CloudGrid entity. Wraps `cloudgrid scaffold`.",
+    {
+      template: z.string().optional().describe("Template name."),
+      dir: z.string().optional().describe("Target directory."),
+    },
+    { readOnlyHint: false, destructiveHint: false, openWorldHint: true },
+    cliTool(({ template, dir }) => {
+      const args = ["scaffold"];
+      if (template) args.push(template);
+      if (dir) args.push("--dir", dir);
+      return args;
+    }),
+  );
+
+  server.tool(
+    "cloudgrid_doctor",
+    "Run CloudGrid diagnostics on the local environment. Wraps `cloudgrid doctor`.",
+    {},
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(() => ["doctor"]),
+  );
+
+  server.tool(
+    "cloudgrid_open",
+    "Return the public URL for an entity. Does not open a browser. Wraps `cloudgrid open --url`.",
+    { name: z.string().optional().describe("Entity name. Omit for the entity linked to the current directory.") },
+    { readOnlyHint: true, destructiveHint: false, openWorldHint: true },
+    cliTool(({ name }) => {
+      const args = ["open", "--url"];
+      if (name) args.push(name);
+      return args;
+    }),
+  );
 }
 
 export { decodeJwt };