@elitedcs/ghl-mcp 3.27.1 → 3.28.0

package/CHANGELOG.md

@@ -1,5 +1,59 @@
 # Changelog
 
+## 3.28.0 — Tool allowlist (issue #1): cut context cost on big installs
+
+Two new optional env vars let you gate which tools register at startup so
+unused schemas never load into context. Closes [issue #1](https://github.com/drjerryrelth/ghl-command-feedback/issues/1).
+
+**New env vars (both optional, both default-empty):**
+
+- `GHL_ENABLED_MODULES` — comma-separated module names to register
+  (e.g. `contacts,conversations,locations,custom-objects`).
+- `GHL_ENABLED_TOOLS` — comma-separated tool names to register
+  (e.g. `search_contacts,get_contact,update_custom_value`).
+
+**Filter precedence:**
+
+- Neither set → every tool registers (backward compatible).
+- Modules only → tools in those modules register.
+- Tools only → those exact tool names register.
+- Both set → UNION (a tool registers if its module is enabled OR its
+  name is explicitly listed).
+
+**Always-on tools** never get filtered out, so setup and recovery still
+work even with a heavily-restricted allowlist:
+`setup_ghl_mcp`, `request_license`, `get_mcp_version`,
+`auto_capture_firebase_script`, `enable_workflow_builder`, `health_check`.
+
+**Validation + logging:**
+
+- Whitespace and commas both work as separators. Matching is case-insensitive.
+- Unrecognized names log a one-line WARNING to stderr and are ignored
+  (startup never aborts).
+- When the allowlist is active, startup logs one summary:
+  `Tool allowlist active: registered N of M tools (modules=[...]; explicit-tools=[...])`.
+- When unset, zero extra noise — existing logs are unchanged.
+
+**Motivation (from the issue):** running 25+ registered locations with
+all 212 tools registered burned tokens on every message in chats that
+didn't need GHL. Now buyers can restrict the surface to the modules
+they actually use.
+
+## 3.27.2 — Fix license metadata: MIT → Proprietary
+
+Metadata-only release. Corrects the npm package's stated license, which
+was wrongly set to MIT and contradicted the paid/proprietary nature of
+the product.
+
+- `package.json` `license` field: `"MIT"` → `"SEE LICENSE IN LICENSE"`
+- `LICENSE` file replaced with the actual proprietary commercial license
+  (Copyright Elite DCs, LLC; usage requires a paid license from
+  elitedcs.com/ghl-mcp-server; no redistribution, no reverse engineering,
+  no license-gate circumvention).
+
+No code changes. Same 212-tool surface as 3.27.1. The runtime license-key
+validation flow is unchanged.
+
 ## 3.27.1 — README: real buyer testimonials + 30-day guarantee
 
 Documentation-only release. Surfaces four real, verbatim buyer replies on the npm package README:

package/LICENSE

@@ -1,21 +1,23 @@
-MIT License
+GHL Command - Proprietary Software License
+Copyright (c) 2026 Elite DCs, LLC. All rights reserved.
 
-Copyright (c) 2026 Elite DCs, LLC
+1. Overview
+GHL Command (the "Software") is commercial, proprietary software owned by Elite DCs, LLC (the "Licensor"). The Software is licensed, not sold. Use of the Software requires a valid paid license obtained from https://elitedcs.com/ghl-mcp-server.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+2. License Grant
+Subject to payment of the applicable fee and ongoing compliance with the Licensor's then-current commercial terms, Licensor grants the purchaser a non-exclusive, non-transferable, revocable license to install and use the Software on the number of machines specified at purchase. No other rights are granted.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+3. Restrictions
+Except as expressly permitted by the commercial terms or by applicable law, you may not: (a) copy, modify, or create derivative works of the Software; (b) distribute, sublicense, sell, rent, lease, or otherwise transfer the Software; (c) reverse engineer, decompile, or disassemble the Software, or attempt to derive its source code; (d) remove or alter any proprietary notices; or (e) circumvent or disable any license-validation or activation mechanism.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+4. Ownership
+The Software and all intellectual property rights therein are and remain the exclusive property of Elite DCs, LLC. This license does not transfer any ownership interest.
+
+5. No Warranty
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
+
+6. Limitation of Liability
+TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL ELITE DCS, LLC BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT, OR OTHERWISE, ARISING FROM, OUT OF, OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+7. Contact
+Elite DCs, LLC - https://elitedcs.com/ghl-mcp-server

package/README.md

@@ -709,9 +709,48 @@ Source repo is private. Contributors need an invitation from `drjerryrelth`. The
 | `GHL_USER_ID` | No* | Your GHL user ID. Required for workflow builder tools. |
 | `GHL_FIREBASE_API_KEY` | No* | Firebase API key from GHL's auth system. Required for workflow builder tools. |
 | `GHL_FIREBASE_REFRESH_TOKEN` | No* | Firebase refresh token. Required for workflow builder tools. May rotate periodically. |
+| `GHL_ENABLED_MODULES` | No | Comma-separated module names to limit which tool groups register at startup (e.g. `contacts,conversations,locations`). Unset = every module registers (default). See "Reducing context / token usage" below. |
+| `GHL_ENABLED_TOOLS` | No | Comma-separated individual tool names to register (e.g. `search_contacts,get_contact,update_custom_value`). Set alongside `GHL_ENABLED_MODULES` to add specific tools on top of whole-module enables. |
 
 *Required only for the workflow builder (internal API) tools. The standard API tools work without these.
 
+### Reducing context / token usage
+
+Every registered MCP tool's schema is shipped to the model on every message. With 212 tools that's a meaningful per-message context cost even in chats that never touch GHL. If you only use a slice of GHL Command, restrict the tool surface with `GHL_ENABLED_MODULES` and/or `GHL_ENABLED_TOOLS`:
+
+```jsonc
+// Claude Desktop config — enable whole modules
+"env": {
+  "GHL_API_KEY": "pit-...",
+  "GHL_LOCATION_ID": "...",
+  "GHL_ENABLED_MODULES": "contacts,conversations,locations,custom-objects"
+}
+```
+
+```jsonc
+// Or pin to individual tools
+"env": {
+  "GHL_API_KEY": "pit-...",
+  "GHL_LOCATION_ID": "...",
+  "GHL_ENABLED_TOOLS": "search_contacts,get_contact,update_custom_value"
+}
+```
+
+Rules of the road:
+
+- **Neither set → every tool registers** (default, backward compatible — your existing config keeps working unchanged).
+- **`GHL_ENABLED_MODULES` only** → register tools in those modules.
+- **`GHL_ENABLED_TOOLS` only** → register only those exact tool names.
+- **Both set** → register the **union**: a tool registers if its module is in `GHL_ENABLED_MODULES` OR its name is in `GHL_ENABLED_TOOLS`. (Whole modules plus a few extra tools.)
+- Whitespace and commas both work as separators. Matching is case-insensitive.
+- Always-on tools register regardless of the allowlist so setup and recovery still work: `setup_ghl_mcp`, `request_license`, `get_mcp_version`, `auto_capture_firebase_script`, `enable_workflow_builder`, `health_check`.
+- Unrecognized module/tool names log a one-line WARNING to stderr and are ignored. Startup never aborts.
+- On startup with the allowlist active, the server logs one summary line: `Tool allowlist active: registered N of M tools (...)`.
+
+**Valid module names** (use these in `GHL_ENABLED_MODULES`):
+
+`contacts`, `conversations`, `opportunities`, `calendars`, `locations`, `workflows`, `funnels`, `forms`, `surveys`, `payments`, `products`, `invoices`, `campaigns`, `users`, `media`, `social-planner`, `courses`, `businesses`, `blogs`, `emails`, `trigger-links`, `custom-objects`, `associations`, `estimates`, `coupons`, `webhooks`, `documents`, `bulk-operations`, `account-export`, `template-deployer`, `workflow-builder`, `funnel-builder`, `form-builder`, `pipeline-builder`, `workflow-cloner`, `smart-lists`, `reputation`, `email-campaigns`, `email-builder`, `memberships`, `validators`, `diagnostics`, `location-switcher`
+
 ---
 
 ## Troubleshooting

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@elitedcs/ghl-mcp",
-      version: "3.27.1",
+      version: "3.28.0",
       mcpName: "io.github.drjerryrelth/ghl-command",
       description: "GoHighLevel MCP Server for Claude. 212 tools \u2014 full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
       main: "dist/index.js",
@@ -71,7 +71,7 @@ var require_package = __commonJS({
         "agency"
       ],
       author: "Elite DCs, LLC",
-      license: "MIT",
+      license: "SEE LICENSE IN LICENSE",
       homepage: "https://elitedcs.com/ghl-mcp-server",
       repository: {
         type: "git",
@@ -1776,6 +1776,89 @@ ${errorBody}`
   }
 };
 
+// src/tools/tool-filter.ts
+var ALWAYS_ON_TOOL_NAMES = /* @__PURE__ */ new Set([
+  "setup_ghl_mcp",
+  "request_license",
+  "get_mcp_version",
+  "auto_capture_firebase_script",
+  "enable_workflow_builder",
+  "health_check"
+]);
+function parseList(raw) {
+  if (raw === void 0) return null;
+  const items = raw.split(/[,\s]+/).map((x) => x.trim().toLowerCase()).filter((x) => x.length > 0);
+  return items.length > 0 ? items : null;
+}
+function parseAllowlist(env) {
+  const moduleList = parseList(env.GHL_ENABLED_MODULES);
+  const toolList = parseList(env.GHL_ENABLED_TOOLS);
+  return {
+    enabledModules: moduleList ? new Set(moduleList) : null,
+    enabledTools: toolList ? new Set(toolList) : null,
+    rawModuleInput: moduleList,
+    rawToolInput: toolList
+  };
+}
+function isAllowlistActive(config3) {
+  return config3.enabledModules !== null || config3.enabledTools !== null;
+}
+function shouldRegister(toolName, moduleName, config3) {
+  if (ALWAYS_ON_TOOL_NAMES.has(toolName)) return true;
+  if (!isAllowlistActive(config3)) return true;
+  const toolLower = toolName.toLowerCase();
+  const moduleLower = moduleName.toLowerCase();
+  const moduleEnabled = config3.enabledModules?.has(moduleLower) ?? false;
+  const toolEnabled = config3.enabledTools?.has(toolLower) ?? false;
+  return moduleEnabled || toolEnabled;
+}
+function wrapServerForModule(realServer, moduleName, config3, attemptedTools, registeredTools) {
+  return new Proxy(realServer, {
+    get(target, prop, receiver) {
+      if (prop === "tool") {
+        return (name, ...rest) => {
+          attemptedTools.add(name);
+          if (!shouldRegister(name, moduleName, config3)) {
+            return void 0;
+          }
+          registeredTools.add(name);
+          return target.tool(name, ...rest);
+        };
+      }
+      return Reflect.get(target, prop, receiver);
+    }
+  });
+}
+function validateAndLog(config3, knownModules, attemptedTools, registeredTools, log = (m) => process.stderr.write(m)) {
+  if (!isAllowlistActive(config3)) return;
+  if (config3.rawModuleInput) {
+    const knownLower = new Set([...knownModules].map((m) => m.toLowerCase()));
+    const unknown = config3.rawModuleInput.filter((m) => !knownLower.has(m));
+    if (unknown.length > 0) {
+      log(
+        `[ghl-mcp] WARNING: GHL_ENABLED_MODULES has unrecognized name(s): ${unknown.join(", ")}. Known modules: ${[...knownModules].sort().join(", ")}.
+`
+      );
+    }
+  }
+  if (config3.rawToolInput) {
+    const attemptedLower = new Set([...attemptedTools].map((t) => t.toLowerCase()));
+    const unknown = config3.rawToolInput.filter((t) => !attemptedLower.has(t));
+    if (unknown.length > 0) {
+      log(
+        `[ghl-mcp] WARNING: GHL_ENABLED_TOOLS has unrecognized name(s): ${unknown.join(", ")}.
+`
+      );
+    }
+  }
+  const moduleSummary = config3.enabledModules && config3.enabledModules.size > 0 ? `modules=[${[...config3.enabledModules].sort().join(",")}]` : "modules=(none)";
+  const toolSummary = config3.enabledTools && config3.enabledTools.size > 0 ? `explicit-tools=[${[...config3.enabledTools].sort().join(",")}]` : "explicit-tools=(none)";
+  log(
+    `[ghl-mcp] Tool allowlist active: registered ${registeredTools.size} of ${attemptedTools.size} tools (${moduleSummary}; ${toolSummary}).
+`
+  );
+}
+
 // src/tools/contacts.ts
 var import_zod6 = require("zod");
 
@@ -8602,24 +8685,58 @@ var publicApiTools = [
   [registerAccountExportTools, "account-export"],
   [registerTemplateDeployerTools, "template-deployer"]
 ];
-function registerAllTools(server2, client, registry2, mcpVersion) {
-  for (const [register] of publicApiTools) {
-    register(server2, client);
+var internalApiTools = [
+  [registerWorkflowBuilderTools, "workflow-builder"],
+  [registerFunnelBuilderTools, "funnel-builder"],
+  [registerFormBuilderTools, "form-builder"],
+  [registerPipelineBuilderTools, "pipeline-builder"],
+  [registerWorkflowClonerTools, "workflow-cloner"],
+  [registerSmartListTools, "smart-lists"],
+  [registerReputationTools, "reputation"],
+  [registerEmailCampaignTools, "email-campaigns"],
+  [registerEmailBuilderInternalTools, "email-builder"],
+  [registerMembershipTools, "memberships"]
+];
+var VALIDATORS_MODULE = "validators";
+var DIAGNOSTICS_MODULE = "diagnostics";
+var LOCATION_SWITCHER_MODULE = "location-switcher";
+var KNOWN_MODULES = /* @__PURE__ */ new Set([
+  ...publicApiTools.map(([, label]) => label),
+  ...internalApiTools.map(([, label]) => label),
+  VALIDATORS_MODULE,
+  DIAGNOSTICS_MODULE,
+  LOCATION_SWITCHER_MODULE
+]);
+function registerAllTools(server2, client, registry2, mcpVersion, env = process.env) {
+  const config3 = parseAllowlist(env);
+  const attemptedTools = /* @__PURE__ */ new Set();
+  const registeredTools = /* @__PURE__ */ new Set();
+  const wrap = (moduleName) => wrapServerForModule(server2, moduleName, config3, attemptedTools, registeredTools);
+  for (const [register, moduleName] of publicApiTools) {
+    register(wrap(moduleName), client);
   }
   const builderClient = WorkflowBuilderClient.fromEnv(registry2) ?? WorkflowBuilderClient.fromFirstCompany(registry2);
-  registerWorkflowBuilderTools(server2, builderClient);
-  registerFunnelBuilderTools(server2, builderClient);
-  registerFormBuilderTools(server2, builderClient);
-  registerPipelineBuilderTools(server2, builderClient);
-  registerWorkflowClonerTools(server2, builderClient);
-  registerSmartListTools(server2, builderClient);
-  registerReputationTools(server2, builderClient);
-  registerEmailCampaignTools(server2, builderClient);
-  registerEmailBuilderInternalTools(server2, builderClient);
-  registerMembershipTools(server2, builderClient);
-  registerValidatorTools(server2, client, builderClient);
-  registerDiagnosticTools(server2, mcpVersion ?? "unknown", client, builderClient, registry2 ?? null);
-  registerLocationSwitcherTools(server2, client, builderClient, registry2, mcpVersion);
+  for (const [register, moduleName] of internalApiTools) {
+    register(wrap(moduleName), builderClient);
+  }
+  registerValidatorTools(wrap(VALIDATORS_MODULE), client, builderClient);
+  registerDiagnosticTools(
+    wrap(DIAGNOSTICS_MODULE),
+    mcpVersion ?? "unknown",
+    client,
+    builderClient,
+    registry2 ?? null
+  );
+  registerLocationSwitcherTools(
+    wrap(LOCATION_SWITCHER_MODULE),
+    client,
+    builderClient,
+    registry2,
+    mcpVersion
+  );
+  if (isAllowlistActive(config3)) {
+    validateAndLog(config3, KNOWN_MODULES, attemptedTools, registeredTools);
+  }
 }
 
 // src/attestation.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elitedcs/ghl-mcp",
-  "version": "3.27.1",
+  "version": "3.28.0",
   "mcpName": "io.github.drjerryrelth/ghl-command",
   "description": "GoHighLevel MCP Server for Claude. 212 tools — full CRM, automation, marketing control, and the only programmatic GHL workflow builder, now multi-tenant across client accounts.",
   "main": "dist/index.js",
@@ -40,7 +40,7 @@
     "agency"
   ],
   "author": "Elite DCs, LLC",
-  "license": "MIT",
+  "license": "SEE LICENSE IN LICENSE",
   "homepage": "https://elitedcs.com/ghl-mcp-server",
   "repository": {
     "type": "git",