@elitedcs/ghl-mcp 3.16.1 → 3.17.0

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 3.17.0 — Multi-tenant bootstrap, internal hardening, test coverage
+
+**No new tools — still 212 across 43 modules. Internal hardening + a multi-tenant fix.**
+
+### Multi-tenant: bootstrap from a client company's Firebase
+
+A multi-tenant-only install (an agency operating purely in clients' accounts, no home Firebase) previously got **none** of the Firebase-gated tools: `WorkflowBuilderClient.fromEnv()` returned null, so every gated module skipped registration even after `register_company_firebase`. Now, when there's no home Firebase, the builder client bootstraps from the first registered company that has both Firebase creds and a registered location (`fromFirstCompany`). `switch_location` still routes to other companies afterward. Token rotation on a bootstrapped install now persists back to that company's `firebaseByCompany` slot instead of being dropped (the same class of bug Don Harris hit with home-token persistence).
+
+### Internal hardening
+
+- **`safeTool()` consistency.** Migrated the Firebase-gated modules (memberships, reputation, email campaigns, email-template/snippet internal tools) from hand-rolled `try/catch` + `jsonResponse` to the `safeTool()` wrapper, matching the public-API tools and the type-safety standard.
+- **Extracted request-body builders** (`buildCoursePayload`, `buildCategoryPayload`, `buildLessonPayload`, `buildOfferPayload`, `buildSnippetPayload`, `buildReviewsQuery`) as pure, exported functions.
+- **+16 unit tests** (101 → 117) locking in the v3.16.0 request shapes and the nested-`filterParams` reviews query, plus the new multi-tenant bootstrap + its rotation persistence.
+- **Doc count drift:** fixed remaining stale "8 / 30 / 168" tool counts in `setup_ghl_mcp`, `health_check`, and the README tool table (now consistently 163 base / 49 Firebase-gated / 212 total).
+
 ## 3.16.1 — Docs: correct enable_workflow_builder tool counts
 
 **No tool changes. Still 212 tools across 43 modules (163 without Firebase, 49 Firebase-gated).**

package/README.md

@@ -451,7 +451,7 @@ To unlock full builder access across multiple clients from one install:
 |---|---|
 | `get_mcp_version` | Check installed version against the latest published to npm. Confirms an upgrade landed after restarting Claude. Available even before GHL credentials are configured. |
 | `health_check` | Run a full health check: npm registry + version status, GHL API key validity, default location reachability, Firebase auth status, token registry presence. Use when something feels broken. |
-| `enable_workflow_builder` | Add Firebase credentials to an existing install to unlock 30 additional tools across 6 modules (workflow builder, funnel builder, form builder, pipeline builder, workflow cloner, validate_workflow). No need to re-enter license / API key / location ID. Run this any time after the basic setup, on the buyer's schedule. |
+| `enable_workflow_builder` | Add Firebase credentials to an existing install to unlock 49 additional Firebase-gated tools (workflow builder, funnel builder, form builder, pipeline builder, workflow cloner, smart lists, reputation, email campaigns, email templates, memberships, validate_workflow). No need to re-enter license / API key / location ID. Run this any time after the basic setup, on the buyer's schedule. |
 
 ### Other Modules
 

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.16.1",
+      version: "3.17.0",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
       bin: {
@@ -514,6 +514,19 @@ var TokenRegistry = class {
       name: token.name
     }));
   }
+  /**
+   * Find the first registered location belonging to a company. Used to
+   * bootstrap the workflow-builder client from a company Firebase entry when
+   * the install has no home Firebase (multi-tenant-only installs).
+   */
+  firstLocationForCompany(companyId) {
+    for (const [locationId2, token] of Object.entries(this.data.tokens)) {
+      if (token.companyId === companyId) {
+        return { locationId: locationId2, apiKey: token.apiKey };
+      }
+    }
+    return void 0;
+  }
   /**
    * Update the home Firebase refresh token (called on rotation)
    */
@@ -1226,6 +1239,37 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
       registry: registry2
     });
   }
+  /**
+   * Bootstrap from a registered CLIENT company's Firebase when there is no home
+   * Firebase (multi-tenant-only install — e.g. an agency operating purely in
+   * clients' accounts). Without this, fromEnv() returns null and every
+   * Firebase-gated tool fails to register even after register_company_firebase.
+   *
+   * Picks the first company that has both Firebase creds and a registered
+   * location, and makes that company the active (and "home") slot. switch_location
+   * can still route to other companies afterward. Returns null if no such pair
+   * exists. The chosen company is treated as home, so token rotation persists
+   * back to its firebaseByCompany slot (see persistRotatedToken).
+   */
+  static fromFirstCompany(registry2) {
+    if (!registry2) return null;
+    for (const { companyId } of registry2.listCompanyFirebases()) {
+      const fb = registry2.getCompanyFirebase(companyId);
+      const loc = registry2.firstLocationForCompany(companyId);
+      if (fb && loc) {
+        return new _WorkflowBuilderClient({
+          firebaseApiKey: fb.apiKey,
+          refreshToken: fb.refreshToken,
+          apiKey: loc.apiKey,
+          locationId: loc.locationId,
+          userId: fb.userId,
+          companyId,
+          registry: registry2
+        });
+      }
+    }
+    return null;
+  }
   /**
    * Get a fresh Firebase ID token using the refresh token.
    * Uses a promise lock to prevent concurrent refresh races.
@@ -1278,9 +1322,12 @@ var WorkflowBuilderClient = class _WorkflowBuilderClient {
    */
   persistRotatedToken(newToken) {
     const company = this.currentCompanyId;
-    const isClientCompany = company !== void 0 && company !== this.homeCompanyId && this.registry?.getCompanyFirebase(company) !== void 0;
-    if (isClientCompany) {
+    const hasCompanySlot = company !== void 0 && this.registry?.getCompanyFirebase(company) !== void 0;
+    if (hasCompanySlot) {
       this.registry?.updateCompanyFirebaseRefreshToken(company, newToken);
+      if (company === this.homeCompanyId) {
+        this.homeRefreshToken = newToken;
+      }
       return;
     }
     if (company === void 0 || company === this.homeCompanyId) {
@@ -3972,7 +4019,8 @@ ${text2}`);
     const text = await response.text();
     return text ? JSON.parse(text) : { ok: true };
   }
-  server2.tool(
+  safeTool(
+    server2,
     "delete_email_template",
     "Permanently delete an email template ('builder') by id. This is a HARD delete \u2014 the template is removed, not archived (use archive_email_template if you want a reversible remove). Requires Firebase auth; the public bearer API can't do this. Get the templateId from list_email_templates. WARNING: irreversible. If the template is referenced by a workflow email action or a draft campaign, deleting it will break that reference.",
     {
@@ -3980,16 +4028,12 @@ ${text2}`);
       locationId: import_zod25.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ templateId, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await builderRequest("DELETE", `/data/${templateId}?locationId=${loc}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return builderRequest("DELETE", `/data/${templateId}?locationId=${loc}`);
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "rename_email_template",
     "Rename an existing email template ('builder'). Updates the display title only; the HTML content and sender settings are left untouched. Requires Firebase auth; the public bearer API can't do this. Get the templateId from list_email_templates.",
     {
@@ -3998,16 +4042,12 @@ ${text2}`);
       locationId: import_zod25.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ templateId, name, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await builderRequest("PATCH", `/${templateId}`, { locationId: loc, name });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return builderRequest("PATCH", `/${templateId}`, { locationId: loc, name });
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "archive_email_template",
     "Archive (or unarchive) an email template ('builder'). Archiving removes it from the active templates list without deleting it \u2014 a reversible alternative to delete_email_template. Requires Firebase auth. Get the templateId from list_email_templates.",
     {
@@ -4016,16 +4056,12 @@ ${text2}`);
       locationId: import_zod25.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ templateId, archived, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await builderRequest("PATCH", `/${templateId}`, { locationId: loc, archived: archived ?? true });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return builderRequest("PATCH", `/${templateId}`, { locationId: loc, archived: archived ?? true });
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "create_sms_template",
     "Create an SMS/text template (a 'snippet') for quick-insert into the conversations composer and SMS workflow actions. The body can include merge fields like {{contact.first_name}}. Set type to 'email' to create an HTML email snippet instead. Returns the created snippet including its id. Requires Firebase auth \u2014 the public bearer key returns 401 on this endpoint.",
     {
@@ -4035,35 +4071,34 @@ ${text2}`);
       locationId: import_zod25.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ name, body, type, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const headers = await client.buildHeaders();
-        const response = await fetch(`${SNIPPETS_BASE}/${loc}`, {
-          method: "POST",
-          headers,
-          body: JSON.stringify({
-            name,
-            template: { body, attachments: [] },
-            useForLiveChat: false,
-            urlAttachments: [],
-            type: type ?? "sms",
-            isFolder: false,
-            parentId: ""
-          })
-        });
-        if (!response.ok) {
-          const text2 = await response.text();
-          throw new Error(`Snippets API Error ${response.status}: POST /snippets/${loc}
+      const loc = locationId2 ?? client.locationId;
+      const headers = await client.buildHeaders();
+      const response = await fetch(`${SNIPPETS_BASE}/${loc}`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(buildSnippetPayload({ name, body, type }))
+      });
+      if (!response.ok) {
+        const text2 = await response.text();
+        throw new Error(`Snippets API Error ${response.status}: POST /snippets/${loc}
 ${text2}`);
-        }
-        const text = await response.text();
-        return jsonResponse(text ? JSON.parse(text) : { ok: true });
-      } catch (error) {
-        return errorResponse(error);
       }
+      const text = await response.text();
+      return text ? JSON.parse(text) : { ok: true };
     }
   );
 }
+function buildSnippetPayload(o) {
+  return {
+    name: o.name,
+    template: { body: o.body, attachments: [] },
+    useForLiveChat: false,
+    urlAttachments: [],
+    type: o.type ?? "sms",
+    isFolder: false,
+    parentId: ""
+  };
+}
 
 // src/tools/trigger-links.ts
 var import_zod26 = require("zod");
@@ -5827,7 +5862,7 @@ Note: Firebase credentials rejected (${fb.error}). Saved without Workflow Builde
       });
       const toolCount = workflowBuilderEnabled ? "212" : "163";
       const wfLine = workflowBuilderEnabled ? "Workflow Builder: enabled." : "Workflow Builder: not configured (optional).";
-      const wfTip = workflowBuilderEnabled ? "" : "\nTo enable Workflow Builder later (8 extra tools): run enable_workflow_builder with your three Firebase values. No need to re-enter license/API key/location ID.";
+      const wfTip = workflowBuilderEnabled ? "" : "\nTo enable Workflow Builder later (49 extra Firebase-gated tools): run enable_workflow_builder with your three Firebase values. No need to re-enter license/API key/location ID.";
       return {
         content: [{
           type: "text",
@@ -6934,23 +6969,20 @@ ${text2}`);
     if (!text) return {};
     return JSON.parse(text);
   }
-  server2.tool(
+  safeTool(
+    server2,
     "get_review_link_list",
-    "List the review-link destinations configured for a location \u2014 the platforms (Google, Facebook, etc.) where review requests send contacts. Each entry has a label and the public review URL. Useful for: building review-request workflows (the workflow goal condition `review_request_clicked` references these review-link ids), and auditing which review platforms a sub-account has connected. NOTE: listing the actual reviews that come BACK (and responding to them) is not yet available \u2014 that endpoint needs a DevTools capture against a live account with connected review platforms.",
+    "List the review-link destinations configured for a location \u2014 the platforms (Google, Facebook, etc.) where review requests send contacts. Each entry has a label and the public review URL. Useful for: building review-request workflows (the workflow goal condition `review_request_clicked` references these review-link ids), and auditing which review platforms a sub-account has connected.",
     {
       locationId: import_zod43.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await reputationRequest("GET", `/integrations/review-link-list?locationId=${loc}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return reputationRequest("GET", `/integrations/review-link-list?locationId=${loc}`);
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "list_reviews",
     "List the reviews a location has received (Google, Facebook, etc.) with rating, author, text, reply status, and source. Supports paging and an optional rating filter. NOTE: location is resolved through nested filter params internally \u2014 a flat locationId is what caused the long-standing 'No Location Found' error, now fixed. Responding to a review is not yet available via API. Requires Firebase auth.",
     {
@@ -6961,33 +6993,31 @@ ${text2}`);
       includeDeleted: import_zod43.z.boolean().optional().describe("Include deleted reviews. Defaults to false.")
     },
     async ({ locationId: locationId2, pageNumber, pageSize, rating, includeDeleted }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const q = [
-          `filterParams[locationId][0][value]=${encodeURIComponent(loc)}`,
-          `filterParams[locationId][0][condition]=eq`,
-          `filterParams[deleted][0][value]=${includeDeleted ? "true" : "false"}`,
-          `filterParams[deleted][0][condition]=eq`
-        ];
-        if (rating !== void 0) {
-          q.push(`filterParams[rating][0][value]=${rating}`);
-          q.push(`filterParams[rating][0][condition]=eq`);
-        }
-        q.push(`sortParams[dateAdded]=-1`);
-        q.push(`pageNumber=${pageNumber ?? 1}`);
-        q.push(`pageSize=${pageSize ?? 10}`);
-        const query = q.map((p) => {
-          const i = p.indexOf("=");
-          return `${encodeURIComponent(p.slice(0, i))}=${p.slice(i + 1)}`;
-        }).join("&");
-        const result = await reputationRequest("GET", `/reviews?${query}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return reputationRequest("GET", buildReviewsQuery(loc, { pageNumber, pageSize, rating, includeDeleted }));
     }
   );
 }
+function buildReviewsQuery(locationId2, opts = {}) {
+  const q = [
+    `filterParams[locationId][0][value]=${locationId2}`,
+    `filterParams[locationId][0][condition]=eq`,
+    `filterParams[deleted][0][value]=${opts.includeDeleted ? "true" : "false"}`,
+    `filterParams[deleted][0][condition]=eq`
+  ];
+  if (opts.rating !== void 0) {
+    q.push(`filterParams[rating][0][value]=${opts.rating}`);
+    q.push(`filterParams[rating][0][condition]=eq`);
+  }
+  q.push(`sortParams[dateAdded]=-1`);
+  q.push(`pageNumber=${opts.pageNumber ?? 1}`);
+  q.push(`pageSize=${opts.pageSize ?? 10}`);
+  const query = q.map((p) => {
+    const i = p.indexOf("=");
+    return `${encodeURIComponent(p.slice(0, i))}=${encodeURIComponent(p.slice(i + 1))}`;
+  }).join("&");
+  return `/reviews?${query}`;
+}
 
 // src/tools/email-campaigns.ts
 var import_zod44 = require("zod");
@@ -6995,7 +7025,8 @@ var SVC_BASE = "https://services.leadconnectorhq.com";
 function registerEmailCampaignTools(server2, builderClient) {
   const client = builderClient;
   if (!client) return;
-  server2.tool(
+  safeTool(
+    server2,
     "create_email_campaign",
     "Create an email campaign / broadcast DRAFT from an existing email template. Requires a templateId (create one first with create_email_template). The campaign is created as a draft \u2014 to actually SEND or schedule it, finish in the GHL UI: the send/schedule endpoint isn't available through the API yet. There's also no API delete for campaigns, so drafts created here are removed via the GHL UI. Despite those limits, this gets the campaign 90% built \u2014 template, subject, sender, name all set programmatically.",
     {
@@ -7010,36 +7041,32 @@ function registerEmailCampaignTools(server2, builderClient) {
       locationId: import_zod44.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ templateId, name, subject, fromName, fromEmail, isPlainText, enableResendToUnopened, hasUtmTracking, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const body = { locationId: loc, templateId };
-        if (name !== void 0) body.name = name;
-        if (subject !== void 0) body.subject = subject;
-        if (fromName !== void 0) body.fromName = fromName;
-        if (fromEmail !== void 0) body.fromEmail = fromEmail;
-        if (isPlainText !== void 0) body.isPlainText = isPlainText;
-        if (enableResendToUnopened !== void 0) body.enableResendToUnopened = enableResendToUnopened;
-        if (hasUtmTracking !== void 0) body.hasUtmTracking = hasUtmTracking;
-        const headers = await client.buildHeaders();
-        const response = await fetch(`${SVC_BASE}/emails/schedule`, {
-          method: "POST",
-          headers,
-          body: JSON.stringify(body)
-        });
-        if (!response.ok) {
-          const text2 = await response.text();
-          throw new Error(`Email Campaign API Error ${response.status}: POST /emails/schedule
+      const loc = locationId2 ?? client.locationId;
+      const body = { locationId: loc, templateId };
+      if (name !== void 0) body.name = name;
+      if (subject !== void 0) body.subject = subject;
+      if (fromName !== void 0) body.fromName = fromName;
+      if (fromEmail !== void 0) body.fromEmail = fromEmail;
+      if (isPlainText !== void 0) body.isPlainText = isPlainText;
+      if (enableResendToUnopened !== void 0) body.enableResendToUnopened = enableResendToUnopened;
+      if (hasUtmTracking !== void 0) body.hasUtmTracking = hasUtmTracking;
+      const headers = await client.buildHeaders();
+      const response = await fetch(`${SVC_BASE}/emails/schedule`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body)
+      });
+      if (!response.ok) {
+        const text2 = await response.text();
+        throw new Error(`Email Campaign API Error ${response.status}: POST /emails/schedule
 ${text2}`);
-        }
-        const text = await response.text();
-        const result = text ? JSON.parse(text) : {};
-        return jsonResponse({
-          ...result,
-          _note: "Campaign created as a DRAFT. To send or schedule it, open it in the GHL UI (Marketing \u2192 Emails) \u2014 the send endpoint isn't available via API. To delete a draft, use the GHL UI."
-        });
-      } catch (error) {
-        return errorResponse(error);
       }
+      const text = await response.text();
+      const result = text ? JSON.parse(text) : {};
+      return {
+        ...result,
+        _note: "Campaign created as a DRAFT. To send or schedule it, open it in the GHL UI (Marketing \u2192 Emails) \u2014 the send endpoint isn't available via API. To delete a draft, use the GHL UI."
+      };
     }
   );
 }
@@ -7066,23 +7093,20 @@ ${text2}`);
     if (!text) return {};
     return JSON.parse(text);
   }
-  server2.tool(
+  safeTool(
+    server2,
     "list_membership_offers",
-    "List a location's membership offers and products in one call. Returns { products: [...], offers: [...] }. Products are courses/communities; offers are the access grants (what a contact gets enrolled in). Use the returned ids with membership trigger conditions like offer_access_granted / product_completed. READ-ONLY \u2014 creating offers/products happens in the GHL Memberships UI.",
+    "List a location's membership offers and products in one call. Returns { products: [...], offers: [...] }. Products are courses/communities; offers are the access grants (what a contact gets enrolled in). Use the returned ids with membership trigger conditions like offer_access_granted / product_completed.",
     {
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/smart-list/offers-products/${loc}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/smart-list/offers-products/${loc}`);
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "list_membership_categories",
     "List all membership/course categories in a location. Categories group lessons inside a course/product. Use the returned ids with the category_completed / category_started trigger conditions. READ-ONLY.",
     {
@@ -7090,16 +7114,12 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ limit, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/smart-list/location/${loc}/workflow?type=category&limit=${limit ?? 1e5}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/smart-list/location/${loc}/workflow?type=category&limit=${limit ?? 1e5}`);
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "list_membership_lessons",
     "List all membership/course lessons in a location. Use the returned ids with the lesson_completed / lesson_started trigger conditions. READ-ONLY.",
     {
@@ -7107,16 +7127,12 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ limit, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/smart-list/location/${loc}/workflow?type=lesson&limit=${limit ?? 1e5}`);
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/smart-list/location/${loc}/workflow?type=lesson&limit=${limit ?? 1e5}`);
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "create_course",
     "Create a membership course (a 'product') in a location. Creates the course shell with a title and description; add categories (create_membership_category) and lessons (create_membership_lesson) into it, and an offer (create_membership_offer) to grant access. Returns the new product, including its id. Requires Firebase auth.",
     {
@@ -7125,19 +7141,12 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ title, description, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/locations/${loc}/products`, "POST", {
-          title,
-          description: description ?? ""
-        });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/locations/${loc}/products`, "POST", buildCoursePayload({ title, description }));
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "create_membership_category",
     "Create a category (module/section) inside a membership course. Categories group lessons. Needs the productId of the course (from create_course or list_membership_offers). Returns the new category, including its id (use it as categoryId when creating lessons). Requires Firebase auth.",
     {
@@ -7150,29 +7159,12 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ title, productId, description, visibility, sequenceNo, dripDays, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/locations/${loc}/categories`, "POST", {
-          title,
-          productId,
-          visibility: visibility ?? "published",
-          sequenceNo: sequenceNo ?? 0,
-          dripDays: dripDays ?? 0,
-          description: description ?? "",
-          parentCategory: null,
-          posterImage: "",
-          lockedBy: null,
-          lockedByCategory: null,
-          commentPermission: null,
-          metadata: null
-        });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/locations/${loc}/categories`, "POST", buildCategoryPayload({ title, productId, description, visibility, sequenceNo, dripDays }));
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "create_membership_lesson",
     "Create a lesson (a 'post') inside a membership course category. Needs both the categoryId (from create_membership_category) and the productId of the course. Description is the lesson body as HTML. Returns the new lesson, including its id. Requires Firebase auth.",
     {
@@ -7186,32 +7178,12 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ title, categoryId, productId, description, contentType, visibility, sequenceNo, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/locations/${loc}/posts`, "POST", {
-          title,
-          description: description ?? "",
-          categoryId,
-          productId,
-          visibility: visibility ?? "published",
-          sequenceNo: sequenceNo ?? 0,
-          posterImage: null,
-          commentStatus: "visible",
-          contentType: contentType ?? "video",
-          commentPermission: "enabled",
-          lockedByPost: null,
-          lockedByCategory: null,
-          certificateTemplateId: null,
-          metaData: null,
-          contentId: null
-        });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/locations/${loc}/posts`, "POST", buildLessonPayload({ title, categoryId, productId, description, contentType, visibility, sequenceNo }));
     }
   );
-  server2.tool(
+  safeTool(
+    server2,
     "create_membership_offer",
     "Create a membership offer \u2014 the access grant that enrolls contacts into one or more courses/products. Link it to course product ids. Defaults to a free offer; for paid, set type to 'recurring' or 'one_time' with an amount. Returns the new offer, including its id (referenced by the offer_access_granted trigger). Requires Firebase auth.",
     {
@@ -7223,24 +7195,60 @@ ${text2}`);
       locationId: import_zod45.z.string().optional().describe("Location ID. Falls back to the active builder client's location.")
     },
     async ({ title, productIds, type, amount, currency, locationId: locationId2 }) => {
-      try {
-        const loc = locationId2 ?? client.locationId;
-        const result = await membershipRequest(`/locations/${loc}/offers`, "POST", {
-          title,
-          type: type ?? "free",
-          isLivePaymentMode: true,
-          locationId: loc,
-          productIds,
-          amount: amount ?? 0,
-          currency: currency ?? "USD"
-        });
-        return jsonResponse(result);
-      } catch (error) {
-        return errorResponse(error);
-      }
+      const loc = locationId2 ?? client.locationId;
+      return membershipRequest(`/locations/${loc}/offers`, "POST", buildOfferPayload({ title, productIds, type, amount, currency, locationId: loc }));
     }
   );
 }
+function buildCoursePayload(o) {
+  return { title: o.title, description: o.description ?? "" };
+}
+function buildCategoryPayload(o) {
+  return {
+    title: o.title,
+    productId: o.productId,
+    visibility: o.visibility ?? "published",
+    sequenceNo: o.sequenceNo ?? 0,
+    dripDays: o.dripDays ?? 0,
+    description: o.description ?? "",
+    parentCategory: null,
+    posterImage: "",
+    lockedBy: null,
+    lockedByCategory: null,
+    commentPermission: null,
+    metadata: null
+  };
+}
+function buildLessonPayload(o) {
+  return {
+    title: o.title,
+    description: o.description ?? "",
+    categoryId: o.categoryId,
+    productId: o.productId,
+    visibility: o.visibility ?? "published",
+    sequenceNo: o.sequenceNo ?? 0,
+    posterImage: null,
+    commentStatus: "visible",
+    contentType: o.contentType ?? "video",
+    commentPermission: "enabled",
+    lockedByPost: null,
+    lockedByCategory: null,
+    certificateTemplateId: null,
+    metaData: null,
+    contentId: null
+  };
+}
+function buildOfferPayload(o) {
+  return {
+    title: o.title,
+    type: o.type ?? "free",
+    isLivePaymentMode: true,
+    locationId: o.locationId,
+    productIds: o.productIds,
+    amount: o.amount ?? 0,
+    currency: o.currency ?? "USD"
+  };
+}
 
 // src/tools/template-deployer.ts
 var import_zod46 = require("zod");
@@ -8033,7 +8041,7 @@ function registerDiagnosticTools(server2, installedVersion, client, builderClien
       })();
       const firebasePromise = (async () => {
         if (!builderClient) {
-          return { name: "Firebase auth (workflow builder)", status: "skip", detail: "Not configured. The 8 workflow builder tools need Firebase credentials. The other 168 tools work fine without. To add it: run enable_workflow_builder with the three Firebase values from your GHL browser session (see elitedcs.com/ghl-mcp-firebase for DevTools steps)." };
+          return { name: "Firebase auth (workflow builder)", status: "skip", detail: "Not configured. The 49 Firebase-gated tools need Firebase credentials. The other 163 tools work fine without. To add it: run enable_workflow_builder with the three Firebase values from your GHL browser session (see elitedcs.com/ghl-mcp-firebase for DevTools steps)." };
         }
         const result = await builderClient.checkAuth();
         const activeCompany = builderClient.getCurrentCompanyId();
@@ -8131,7 +8139,7 @@ function registerAllTools(server2, client, registry2, mcpVersion) {
   for (const [register] of publicApiTools) {
     register(server2, client);
   }
-  const builderClient = WorkflowBuilderClient.fromEnv(registry2);
+  const builderClient = WorkflowBuilderClient.fromEnv(registry2) ?? WorkflowBuilderClient.fromFirstCompany(registry2);
   registerWorkflowBuilderTools(server2, builderClient);
   registerFunnelBuilderTools(server2, builderClient);
   registerFormBuilderTools(server2, builderClient);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.16.1",
+  "version": "3.17.0",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",
   "bin": {