@hayodev/crystallize-mcp 0.1.1

package/build/src/client.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Crystallize API client wrapper.
+ *
+ * Thin layer over @crystallize/js-api-client that adds:
+ * - Deep link generation to the Crystallize UI
+ * - Consistent config from env vars
+ */
+import type { ClientInterface } from '@crystallize/js-api-client';
+import type { CrystallizeConfig } from './types.js';
+export declare class CrystallizeClient {
+    readonly api: ClientInterface;
+    readonly config: CrystallizeConfig;
+    constructor(config: CrystallizeConfig);
+    /** Generate a deep link to an item in the Crystallize UI. */
+    itemLink(itemId: string, type?: string, language?: string): string;
+    /** Generate a deep link to a shape in the Crystallize UI. */
+    shapeLink(shapeIdentifier: string, language?: string): string;
+    /** Generate a deep link to an order in the Crystallize UI. */
+    orderLink(orderId: string, language?: string): string;
+    /**
+     * Build config from env vars, falling back to OS keychain for credentials.
+     * Use this in the server binary. Use fromEnv() in tests.
+     */
+    static fromEnvOrKeychain(): Promise<CrystallizeClient>;
+    /** Build config from environment variables only. */
+    static fromEnv(): CrystallizeClient;
+}
+//# sourceMappingURL=client.d.ts.map

package/build/src/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,4BAA4B,CAAC;AAIlE,OAAO,KAAK,EAAE,iBAAiB,EAAW,MAAM,YAAY,CAAC;AAgB7D,qBAAa,iBAAiB;IAC5B,SAAgB,GAAG,EAAE,eAAe,CAAC;IACrC,SAAgB,MAAM,EAAE,iBAAiB,CAAC;gBAE9B,MAAM,EAAE,iBAAiB;IAWrC,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,SAAa,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM;IAKtE,6DAA6D;IAC7D,SAAS,CAAC,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM;IAK7D,8DAA8D;IAC9D,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM;IAKrD;;;OAGG;WACU,iBAAiB,IAAI,OAAO,CAAC,iBAAiB,CAAC;IA4D5D,oDAAoD;IACpD,MAAM,CAAC,OAAO,IAAI,iBAAiB;CA8BpC"}

package/build/src/client.js

@@ -0,0 +1,124 @@
+/**
+ * Crystallize API client wrapper.
+ *
+ * Thin layer over @crystallize/js-api-client that adds:
+ * - Deep link generation to the Crystallize UI
+ * - Consistent config from env vars
+ */
+import { createClient } from '@crystallize/js-api-client';
+import { readCredentials } from './credentials.js';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+function expandPath(p) {
+    return p.startsWith('~/') ? join(homedir(), p.slice(2)) : p;
+}
+function parsePiiMode() {
+    const raw = process.env.CRYSTALLIZE_PII_MODE ?? 'full';
+    if (!['full', 'masked', 'none'].includes(raw)) {
+        throw new Error(`Invalid CRYSTALLIZE_PII_MODE: "${raw}". Must be "full", "masked", or "none".`);
+    }
+    return raw;
+}
+export class CrystallizeClient {
+    api;
+    config;
+    constructor(config) {
+        this.config = { piiMode: 'full', ...config };
+        this.api = createClient({
+            tenantIdentifier: config.tenantIdentifier,
+            tenantId: config.tenantId,
+            accessTokenId: config.accessTokenId,
+            accessTokenSecret: config.accessTokenSecret,
+            staticAuthToken: config.staticAuthToken,
+        });
+    }
+    /** Generate a deep link to an item in the Crystallize UI. */
+    itemLink(itemId, type = 'document', language) {
+        const lang = language ?? this.config.defaultLanguage ?? 'en';
+        return `https://app.crystallize.com/@${this.config.tenantIdentifier}/${lang}/catalogue/${type}/${itemId}`;
+    }
+    /** Generate a deep link to a shape in the Crystallize UI. */
+    shapeLink(shapeIdentifier, language) {
+        const lang = language ?? this.config.defaultLanguage ?? 'en';
+        return `https://app.crystallize.com/@${this.config.tenantIdentifier}/${lang}/settings/shapes/${shapeIdentifier}`;
+    }
+    /** Generate a deep link to an order in the Crystallize UI. */
+    orderLink(orderId, language) {
+        const lang = language ?? this.config.defaultLanguage ?? 'en';
+        return `https://app.crystallize.com/@${this.config.tenantIdentifier}/${lang}/orders/${orderId}`;
+    }
+    /**
+     * Build config from env vars, falling back to OS keychain for credentials.
+     * Use this in the server binary. Use fromEnv() in tests.
+     */
+    static async fromEnvOrKeychain() {
+        const tenantIdentifier = process.env.CRYSTALLIZE_TENANT_IDENTIFIER;
+        if (!tenantIdentifier) {
+            throw new Error('CRYSTALLIZE_TENANT_IDENTIFIER is required.\n' +
+                'Set it in your environment or MCP client config.');
+        }
+        const accessMode = (process.env.CRYSTALLIZE_ACCESS_MODE ??
+            'read');
+        if (!['read', 'write', 'admin'].includes(accessMode)) {
+            throw new Error(`Invalid CRYSTALLIZE_ACCESS_MODE: "${accessMode}". Must be "read", "write", or "admin".`);
+        }
+        // Env vars take priority; fall back to keychain for secrets only
+        let accessTokenId = process.env.CRYSTALLIZE_ACCESS_TOKEN_ID;
+        let accessTokenSecret = process.env.CRYSTALLIZE_ACCESS_TOKEN_SECRET;
+        let staticAuthToken = process.env.CRYSTALLIZE_STATIC_AUTH_TOKEN;
+        if (!accessTokenId && !staticAuthToken) {
+            const stored = await readCredentials();
+            accessTokenId = stored.accessTokenId;
+            accessTokenSecret = stored.accessTokenSecret;
+            staticAuthToken = stored.staticAuthToken;
+        }
+        const client = new CrystallizeClient({
+            tenantIdentifier,
+            tenantId: process.env.CRYSTALLIZE_TENANT_ID,
+            accessTokenId,
+            accessTokenSecret,
+            staticAuthToken,
+            accessMode,
+            piiMode: parsePiiMode(),
+            auditLog: process.env.CRYSTALLIZE_AUDIT_LOG
+                ? expandPath(process.env.CRYSTALLIZE_AUDIT_LOG)
+                : undefined,
+        });
+        // Bootstrap tenant ID and default language from PIM API
+        if (!client.config.tenantId || !client.config.defaultLanguage) {
+            const data = (await client.api.pimApi(`query GetTenantMeta($identifier: String!) {
+          tenant { get(identifier: $identifier) { id defaults { language } } }
+        }`, { identifier: tenantIdentifier }));
+            client.config.tenantId ??= data.tenant.get.id;
+            client.config.defaultLanguage ??=
+                data.tenant.get.defaults?.language ?? 'en';
+        }
+        return client;
+    }
+    /** Build config from environment variables only. */
+    static fromEnv() {
+        const tenantIdentifier = process.env.CRYSTALLIZE_TENANT_IDENTIFIER;
+        if (!tenantIdentifier) {
+            throw new Error('CRYSTALLIZE_TENANT_IDENTIFIER is required.\n' +
+                'Set it in your environment or MCP client config.');
+        }
+        const accessMode = (process.env.CRYSTALLIZE_ACCESS_MODE ??
+            'read');
+        if (!['read', 'write', 'admin'].includes(accessMode)) {
+            throw new Error(`Invalid CRYSTALLIZE_ACCESS_MODE: "${accessMode}". Must be "read", "write", or "admin".`);
+        }
+        return new CrystallizeClient({
+            tenantIdentifier,
+            tenantId: process.env.CRYSTALLIZE_TENANT_ID,
+            accessTokenId: process.env.CRYSTALLIZE_ACCESS_TOKEN_ID,
+            accessTokenSecret: process.env.CRYSTALLIZE_ACCESS_TOKEN_SECRET,
+            staticAuthToken: process.env.CRYSTALLIZE_STATIC_AUTH_TOKEN,
+            accessMode,
+            piiMode: parsePiiMode(),
+            auditLog: process.env.CRYSTALLIZE_AUDIT_LOG
+                ? expandPath(process.env.CRYSTALLIZE_AUDIT_LOG)
+                : undefined,
+        });
+    }
+}
+//# sourceMappingURL=client.js.map

package/build/src/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/client.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAE1D,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,YAAY;IACnB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,MAAM,CAAC;IACvD,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,kCAAkC,GAAG,yCAAyC,CAC/E,CAAC;IACJ,CAAC;IACD,OAAO,GAAc,CAAC;AACxB,CAAC;AAED,MAAM,OAAO,iBAAiB;IACZ,GAAG,CAAkB;IACrB,MAAM,CAAoB;IAE1C,YAAY,MAAyB;QACnC,IAAI,CAAC,MAAM,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;QAC7C,IAAI,CAAC,GAAG,GAAG,YAAY,CAAC;YACtB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB;YAC3C,eAAe,EAAE,MAAM,CAAC,eAAe;SACxC,CAAC,CAAC;IACL,CAAC;IAED,6DAA6D;IAC7D,QAAQ,CAAC,MAAc,EAAE,IAAI,GAAG,UAAU,EAAE,QAAiB;QAC3D,MAAM,IAAI,GAAG,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC;QAC7D,OAAO,gCAAgC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,IAAI,cAAc,IAAI,IAAI,MAAM,EAAE,CAAC;IAC5G,CAAC;IAED,6DAA6D;IAC7D,SAAS,CAAC,eAAuB,EAAE,QAAiB;QAClD,MAAM,IAAI,GAAG,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC;QAC7D,OAAO,gCAAgC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,IAAI,oBAAoB,eAAe,EAAE,CAAC;IACnH,CAAC;IAED,8DAA8D;IAC9D,SAAS,CAAC,OAAe,EAAE,QAAiB;QAC1C,MAAM,IAAI,GAAG,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,IAAI,CAAC;QAC7D,OAAO,gCAAgC,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,IAAI,WAAW,OAAO,EAAE,CAAC;IAClG,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,iBAAiB;QAC5B,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QACnE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,8CAA8C;gBAC5C,kDAAkD,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB;YACrD,MAAM,CAAoC,CAAC;QAC7C,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,yCAAyC,CACzF,CAAC;QACJ,CAAC;QAED,iEAAiE;QACjE,IAAI,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;QAC5D,IAAI,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC;QACpE,IAAI,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QAEhE,IAAI,CAAC,aAAa,IAAI,CAAC,eAAe,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,MAAM,eAAe,EAAE,CAAC;YACvC,aAAa,GAAG,MAAM,CAAC,aAAa,CAAC;YACrC,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,CAAC;YAC7C,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC3C,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,iBAAiB,CAAC;YACnC,gBAAgB;YAChB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB;YAC3C,aAAa;YACb,iBAAiB;YACjB,eAAe;YACf,UAAU;YACV,OAAO,EAAE,YAAY,EAAE;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB;gBACzC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;gBAC/C,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;QAEH,wDAAwD;QACxD,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,CAAC,MAAM,MAAM,CAAC,GAAG,CAAC,MAAM,CACnC;;UAEE,EACF,EAAE,UAAU,EAAE,gBAAgB,EAAE,CACjC,CAEA,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9C,MAAM,CAAC,MAAM,CAAC,eAAe;gBAC3B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,IAAI,IAAI,CAAC;QAC/C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,oDAAoD;IACpD,MAAM,CAAC,OAAO;QACZ,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC;QACnE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CACb,8CAA8C;gBAC5C,kDAAkD,CACrD,CAAC;QACJ,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB;YACrD,MAAM,CAAoC,CAAC;QAC7C,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,yCAAyC,CACzF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,iBAAiB,CAAC;YAC3B,gBAAgB;YAChB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB;YAC3C,aAAa,EAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B;YACtD,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,+BAA+B;YAC9D,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,6BAA6B;YAC1D,UAAU;YACV,OAAO,EAAE,YAAY,EAAE;YACvB,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,qBAAqB;gBACzC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;gBAC/C,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;IACL,CAAC;CACF"}

package/build/src/credentials.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Credential storage for crystallize-mcp.
+ *
+ * Provides keychain-backed credential storage via keytar (optional dependency).
+ * Falls back gracefully if keytar is unavailable (no keyring daemon, native
+ * binding mismatch, headless Linux, etc.).
+ *
+ * Storage keys:
+ *   service:  crystallize-mcp
+ *   accounts: access-token-id, access-token-secret, static-auth-token
+ */
+export interface StoredCredentials {
+    accessTokenId?: string;
+    accessTokenSecret?: string;
+    staticAuthToken?: string;
+}
+/** Read stored credentials from the OS keychain. Returns empty object if keytar unavailable. */
+export declare function readCredentials(): Promise<StoredCredentials>;
+/** Store credentials in the OS keychain. Throws if keytar is unavailable. */
+export declare function writeCredentials(creds: StoredCredentials): Promise<void>;
+/** Remove all stored credentials from the OS keychain. */
+export declare function deleteCredentials(): Promise<void>;
+/** True if keytar loaded successfully and can reach the OS keyring. */
+export declare function isKeychainAvailable(): Promise<boolean>;
+//# sourceMappingURL=credentials.d.ts.map

package/build/src/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AA8BD,gGAAgG;AAChG,wBAAsB,eAAe,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAuBlE;AAED,6EAA6E;AAC7E,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,iBAAiB,GACvB,OAAO,CAAC,IAAI,CAAC,CA6Bf;AAED,0DAA0D;AAC1D,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAevD;AAED,uEAAuE;AACvE,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,OAAO,CAAC,CAY5D"}

package/build/src/credentials.js

@@ -0,0 +1,104 @@
+/**
+ * Credential storage for crystallize-mcp.
+ *
+ * Provides keychain-backed credential storage via keytar (optional dependency).
+ * Falls back gracefully if keytar is unavailable (no keyring daemon, native
+ * binding mismatch, headless Linux, etc.).
+ *
+ * Storage keys:
+ *   service:  crystallize-mcp
+ *   accounts: access-token-id, access-token-secret, static-auth-token
+ */
+const SERVICE = 'crystallize-mcp';
+/** Attempt to load @napi-rs/keyring keytar compat shim. Returns null if unavailable. */
+async function loadKeytar() {
+    try {
+        // Use the keytar-compatible shim — same API, Rust/NAPI-RS backend.
+        // Dynamic import with unknown cast: @napi-rs/keyring is an optional dep,
+        // so TypeScript has no types for it at compile time.
+        const mod = (await import('@napi-rs/keyring/keytar.js'));
+        if (typeof mod.getPassword !== 'function') {
+            return null;
+        }
+        return mod;
+    }
+    catch {
+        return null;
+    }
+}
+/** Read stored credentials from the OS keychain. Returns empty object if keytar unavailable. */
+export async function readCredentials() {
+    const kt = await loadKeytar();
+    if (!kt) {
+        return {};
+    }
+    try {
+        const [accessTokenId, accessTokenSecret, staticAuthToken] = await Promise.all([
+            kt.getPassword(SERVICE, 'access-token-id'),
+            kt.getPassword(SERVICE, 'access-token-secret'),
+            kt.getPassword(SERVICE, 'static-auth-token'),
+        ]);
+        return {
+            accessTokenId: accessTokenId ?? undefined,
+            accessTokenSecret: accessTokenSecret ?? undefined,
+            staticAuthToken: staticAuthToken ?? undefined,
+        };
+    }
+    catch {
+        // Keyring daemon not running, permission denied, etc.
+        return {};
+    }
+}
+/** Store credentials in the OS keychain. Throws if keytar is unavailable. */
+export async function writeCredentials(creds) {
+    const kt = await loadKeytar();
+    if (!kt) {
+        throw new Error('keytar is not available on this system.\n' +
+            'Install it with: npm install -g keytar\n' +
+            'Or set credentials as environment variables instead.');
+    }
+    const writes = [];
+    if (creds.accessTokenId) {
+        writes.push(kt.setPassword(SERVICE, 'access-token-id', creds.accessTokenId));
+    }
+    if (creds.accessTokenSecret) {
+        writes.push(kt.setPassword(SERVICE, 'access-token-secret', creds.accessTokenSecret));
+    }
+    if (creds.staticAuthToken) {
+        writes.push(kt.setPassword(SERVICE, 'static-auth-token', creds.staticAuthToken));
+    }
+    await Promise.all(writes);
+}
+/** Remove all stored credentials from the OS keychain. */
+export async function deleteCredentials() {
+    const kt = await loadKeytar();
+    if (!kt) {
+        return;
+    }
+    try {
+        await Promise.all([
+            kt.deletePassword(SERVICE, 'access-token-id'),
+            kt.deletePassword(SERVICE, 'access-token-secret'),
+            kt.deletePassword(SERVICE, 'static-auth-token'),
+        ]);
+    }
+    catch {
+        // best-effort
+    }
+}
+/** True if keytar loaded successfully and can reach the OS keyring. */
+export async function isKeychainAvailable() {
+    const kt = await loadKeytar();
+    if (!kt) {
+        return false;
+    }
+    try {
+        // Probe with a read — cheap and non-destructive
+        await kt.getPassword(SERVICE, '_probe');
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=credentials.js.map

package/build/src/credentials.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../src/credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,MAAM,OAAO,GAAG,iBAAiB,CAAC;AAkBlC,wFAAwF;AACxF,KAAK,UAAU,UAAU;IACvB,IAAI,CAAC;QACH,mEAAmE;QACnE,yEAAyE;QACzE,qDAAqD;QACrD,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CACvB,4BAAsC,CACvC,CAA4B,CAAC;QAC9B,IAAI,OAAO,GAAG,CAAC,WAAW,KAAK,UAAU,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,gGAAgG;AAChG,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,EAAE,GAAG,MAAM,UAAU,EAAE,CAAC;IAC9B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,aAAa,EAAE,iBAAiB,EAAE,eAAe,CAAC,GACvD,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,iBAAiB,CAAC;YAC1C,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,qBAAqB,CAAC;YAC9C,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,mBAAmB,CAAC;SAC7C,CAAC,CAAC;QAEL,OAAO;YACL,aAAa,EAAE,aAAa,IAAI,SAAS;YACzC,iBAAiB,EAAE,iBAAiB,IAAI,SAAS;YACjD,eAAe,EAAE,eAAe,IAAI,SAAS;SAC9C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,6EAA6E;AAC7E,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAwB;IAExB,MAAM,EAAE,GAAG,MAAM,UAAU,EAAE,CAAC;IAC9B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,KAAK,CACb,2CAA2C;YACzC,0CAA0C;YAC1C,sDAAsD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAC;IAEnC,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CACT,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,iBAAiB,EAAE,KAAK,CAAC,aAAa,CAAC,CAChE,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,qBAAqB,EAAE,KAAK,CAAC,iBAAiB,CAAC,CACxE,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CACT,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,mBAAmB,EAAE,KAAK,CAAC,eAAe,CAAC,CACpE,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAC5B,CAAC;AAED,0DAA0D;AAC1D,MAAM,CAAC,KAAK,UAAU,iBAAiB;IACrC,MAAM,EAAE,GAAG,MAAM,UAAU,EAAE,CAAC;IAC9B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO;IACT,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,iBAAiB,CAAC;YAC7C,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,qBAAqB,CAAC;YACjD,EAAE,CAAC,cAAc,CAAC,OAAO,EAAE,mBAAmB,CAAC;SAChD,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,EAAE,GAAG,MAAM,UAAU,EAAE,CAAC;IAC9B,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,CAAC;QACH,gDAAgD;QAChD,MAAM,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/build/src/errors.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Categorized error handling for actionable error messages.
+ */
+import type { ErrorCategory } from './types.js';
+export declare class CrystallizeToolError extends Error {
+    readonly category: ErrorCategory;
+    readonly hint?: string | undefined;
+    constructor(message: string, category: ErrorCategory, hint?: string | undefined);
+}
+/** Format an error into a user-friendly message with actionable hints. */
+export declare function formatError(error: unknown): string;
+//# sourceMappingURL=errors.d.ts.map

package/build/src/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,qBAAa,oBAAqB,SAAQ,KAAK;aAG3B,QAAQ,EAAE,aAAa;aACvB,IAAI,CAAC,EAAE,MAAM;gBAF7B,OAAO,EAAE,MAAM,EACC,QAAQ,EAAE,aAAa,EACvB,IAAI,CAAC,EAAE,MAAM,YAAA;CAKhC;AAED,0EAA0E;AAC1E,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CA0DlD"}

package/build/src/errors.js

@@ -0,0 +1,66 @@
+/**
+ * Categorized error handling for actionable error messages.
+ */
+export class CrystallizeToolError extends Error {
+    category;
+    hint;
+    constructor(message, category, hint) {
+        super(message);
+        this.category = category;
+        this.hint = hint;
+        this.name = 'CrystallizeToolError';
+    }
+}
+/** Format an error into a user-friendly message with actionable hints. */
+export function formatError(error) {
+    if (error instanceof CrystallizeToolError) {
+        const parts = [`Error: ${error.message}`];
+        if (error.hint) {
+            parts.push(`Hint: ${error.hint}`);
+        }
+        return parts.join('\n');
+    }
+    let message;
+    if (error instanceof Error) {
+        message = error.message;
+    }
+    else if (typeof error === 'object' && error !== null) {
+        const obj = error;
+        // GraphQL errors array: { errors: [{ message: "..." }] }
+        if (Array.isArray(obj.errors) &&
+            obj.errors.length > 0 &&
+            typeof obj.errors[0].message === 'string') {
+            message = obj.errors
+                .map(e => e.message)
+                .join('; ');
+        }
+        else if ('message' in obj) {
+            message = String(obj.message);
+        }
+        else {
+            message = JSON.stringify(error);
+        }
+    }
+    else {
+        message = String(error);
+    }
+    // Detect common API error patterns and add hints
+    if (message.includes('401') ||
+        message.includes('Unauthorized') ||
+        message.includes('authentication')) {
+        return `Error: Authentication failed.\nHint: Check CRYSTALLIZE_ACCESS_TOKEN_ID and CRYSTALLIZE_ACCESS_TOKEN_SECRET env vars.`;
+    }
+    if (message.includes('403') || message.includes('Forbidden')) {
+        return `Error: Access denied.\nHint: Your token may lack the required permissions, or set CRYSTALLIZE_ACCESS_MODE=write for write operations.`;
+    }
+    if (message.includes('429') || message.includes('rate limit')) {
+        return `Error: API rate limited.\nHint: Wait a moment and retry.`;
+    }
+    if (message.includes('404') ||
+        message.includes('not found') ||
+        message.includes('Not Found')) {
+        return `Error: ${message}\nHint: Check the path or identifier — use browse_catalogue or list_shapes to explore what's available.`;
+    }
+    return `Error: ${message}`;
+}
+//# sourceMappingURL=errors.js.map

package/build/src/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,oBAAqB,SAAQ,KAAK;IAG3B;IACA;IAHlB,YACE,OAAe,EACC,QAAuB,EACvB,IAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,aAAQ,GAAR,QAAQ,CAAe;QACvB,SAAI,GAAJ,IAAI,CAAS;QAG7B,IAAI,CAAC,IAAI,GAAG,sBAAsB,CAAC;IACrC,CAAC;CACF;AAED,0EAA0E;AAC1E,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,IAAI,KAAK,YAAY,oBAAoB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,CAAC,UAAU,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACpC,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,GAAG,GAAG,KAAgC,CAAC;QAC7C,yDAAyD;QACzD,IACE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC;YACzB,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YACrB,OAAQ,GAAG,CAAC,MAAM,CAAC,CAAC,CAA6B,CAAC,OAAO,KAAK,QAAQ,EACtE,CAAC;YACD,OAAO,GAAI,GAAG,CAAC,MAAgC;iBAC5C,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;iBACnB,IAAI,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC;aAAM,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;YAC5B,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,iDAAiD;IACjD,IACE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QACvB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;QAChC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAClC,CAAC;QACD,OAAO,sHAAsH,CAAC;IAChI,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7D,OAAO,uIAAuI,CAAC;IACjJ,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9D,OAAO,0DAA0D,CAAC;IACpE,CAAC;IAED,IACE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;QACvB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC7B,CAAC;QACD,OAAO,UAAU,OAAO,yGAAyG,CAAC;IACpI,CAAC;IAED,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC"}

package/build/src/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Crystallize MCP Server.
+ *
+ * Provides headless commerce tools for AI agents via the Model Context Protocol.
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { CrystallizeClient } from './client.js';
+export declare function createCrystallizeMcpServer(client?: CrystallizeClient): {
+    server: McpServer;
+    client: CrystallizeClient;
+};
+//# sourceMappingURL=index.d.ts.map

package/build/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAuBhD,wBAAgB,0BAA0B,CAAC,MAAM,CAAC,EAAE,iBAAiB,GAAG;IACtE,MAAM,EAAE,SAAS,CAAC;IAClB,MAAM,EAAE,iBAAiB,CAAC;CAC3B,CAsEA"}

package/build/src/index.js

@@ -0,0 +1,83 @@
+/**
+ * Crystallize MCP Server.
+ *
+ * Provides headless commerce tools for AI agents via the Model Context Protocol.
+ */
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { CrystallizeClient } from './client.js';
+import { formatError } from './errors.js';
+import { AuditLogger, summariseResult } from './audit.js';
+// Tool groups
+import { catalogueTools } from './tools/catalogue.js';
+import { shapeTools } from './tools/shapes.js';
+import { discoveryTools } from './tools/discovery.js';
+import { orderTools } from './tools/orders.js';
+import { customerTools } from './tools/customers.js';
+/** Access mode hierarchy: read < write < admin. */
+const ACCESS_LEVELS = {
+    read: 0,
+    write: 1,
+    admin: 2,
+};
+function hasAccess(required, current) {
+    return ACCESS_LEVELS[current] >= ACCESS_LEVELS[required];
+}
+export function createCrystallizeMcpServer(client) {
+    const crystallize = client ?? CrystallizeClient.fromEnv();
+    const server = new McpServer({
+        name: 'crystallize-mcp',
+        version: '0.1.0',
+    }, {
+        capabilities: {
+            tools: {},
+        },
+    });
+    // Collect all tool definitions
+    const allTools = [
+        ...catalogueTools(crystallize),
+        ...shapeTools(crystallize),
+        ...discoveryTools(crystallize),
+        ...orderTools(crystallize),
+        ...customerTools(crystallize),
+    ];
+    // Audit logger — only active if CRYSTALLIZE_AUDIT_LOG is set
+    const audit = crystallize.config.auditLog
+        ? new AuditLogger(crystallize.config.auditLog)
+        : null;
+    // Register tools that match the current access mode
+    for (const tool of allTools) {
+        const requiredMode = tool.mode ?? 'read';
+        if (!hasAccess(requiredMode, crystallize.config.accessMode)) {
+            continue;
+        }
+        server.tool(tool.name, tool.description, tool.schema, async (params) => {
+            try {
+                const result = await tool.handler(params);
+                audit?.log({
+                    ts: new Date().toISOString(),
+                    tool: tool.name,
+                    params,
+                    result: summariseResult(result),
+                    tenant: crystallize.config.tenantIdentifier,
+                });
+                return result;
+            }
+            catch (error) {
+                const errorResult = {
+                    content: [{ type: 'text', text: formatError(error) }],
+                    isError: true,
+                };
+                audit?.log({
+                    ts: new Date().toISOString(),
+                    tool: tool.name,
+                    params,
+                    result: 'error',
+                    tenant: crystallize.config.tenantIdentifier,
+                });
+                return errorResult;
+            }
+        });
+    }
+    return { server, client: crystallize };
+}
+//# sourceMappingURL=index.js.map

package/build/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAG1D,cAAc;AACd,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,mDAAmD;AACnD,MAAM,aAAa,GAA+B;IAChD,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,SAAS,CAAC,QAAoB,EAAE,OAAmB;IAC1D,OAAO,aAAa,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;AAC3D,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,MAA0B;IAInE,MAAM,WAAW,GAAG,MAAM,IAAI,iBAAiB,CAAC,OAAO,EAAE,CAAC;IAE1D,MAAM,MAAM,GAAG,IAAI,SAAS,CAC1B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,OAAO;KACjB,EACD;QACE,YAAY,EAAE;YACZ,KAAK,EAAE,EAAE;SACV;KACF,CACF,CAAC;IAEF,+BAA+B;IAC/B,MAAM,QAAQ,GAAqB;QACjC,GAAG,cAAc,CAAC,WAAW,CAAC;QAC9B,GAAG,UAAU,CAAC,WAAW,CAAC;QAC1B,GAAG,cAAc,CAAC,WAAW,CAAC;QAC9B,GAAG,UAAU,CAAC,WAAW,CAAC;QAC1B,GAAG,aAAa,CAAC,WAAW,CAAC;KAC9B,CAAC;IAEF,6DAA6D;IAC7D,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ;QACvC,CAAC,CAAC,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC;IAET,oDAAoD;IACpD,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,IAAI,MAAM,CAAC;QACzC,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,WAAW,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAC5D,SAAS;QACX,CAAC;QAED,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAA6C,EAClD,KAAK,EAAE,MAA+B,EAAE,EAAE;YACxC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC1C,KAAK,EAAE,GAAG,CAAC;oBACT,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM;oBACN,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC;oBAC/B,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,gBAAgB;iBAC5C,CAAC,CAAC;gBACH,OAAO,MAAM,CAAC;YAChB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,WAAW,GAAG;oBAClB,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC9D,OAAO,EAAE,IAAI;iBACd,CAAC;gBACF,KAAK,EAAE,GAAG,CAAC;oBACT,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBAC5B,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM;oBACN,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,gBAAgB;iBAC5C,CAAC,CAAC;gBACH,OAAO,WAAW,CAAC;YACrB,CAAC;QACH,CAAC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AACzC,CAAC"}

package/build/src/pii.d.ts

@@ -0,0 +1,20 @@
+/**
+ * PII masking utilities.
+ *
+ * Masks personal data in customer and order responses based on the
+ * configured CRYSTALLIZE_PII_MODE.
+ */
+import type { PiiMode } from './types.js';
+export type { PiiMode };
+/** Mask an email: `hani@example.com` → `h***@example.com` */
+export declare function maskEmail(email: string): string;
+/** Mask a phone number: keeps only last 4 digits → `***-1264` */
+export declare function maskPhone(phone: string): string;
+/** Strip an address down to city + country only. */
+export declare function maskAddress<T>(addr: T): T;
+/**
+ * Apply PII masking to a flat object with known field names.
+ * Always returns a new object — never mutates the original.
+ */
+export declare function maskFields<T extends Record<string, unknown>>(obj: T, mode: PiiMode): T;
+//# sourceMappingURL=pii.d.ts.map

package/build/src/pii.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii.d.ts","sourceRoot":"","sources":["../../src/pii.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAC1C,YAAY,EAAE,OAAO,EAAE,CAAC;AAExB,6DAA6D;AAC7D,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAM/C;AAED,iEAAiE;AACjE,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAM/C;AAED,oDAAoD;AACpD,wBAAgB,WAAW,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAgBzC;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1D,GAAG,EAAE,CAAC,EACN,IAAI,EAAE,OAAO,GACZ,CAAC,CA6CH"}

package/build/src/pii.js

@@ -0,0 +1,85 @@
+/**
+ * PII masking utilities.
+ *
+ * Masks personal data in customer and order responses based on the
+ * configured CRYSTALLIZE_PII_MODE.
+ */
+/** Mask an email: `hani@example.com` → `h***@example.com` */
+export function maskEmail(email) {
+    const [local, domain] = email.split('@');
+    if (!local || !domain) {
+        return '***';
+    }
+    return `${local[0]}***@${domain}`;
+}
+/** Mask a phone number: keeps only last 4 digits → `***-1264` */
+export function maskPhone(phone) {
+    const digits = phone.replace(/\D/g, '');
+    if (digits.length < 4) {
+        return '***';
+    }
+    return `***-${digits.slice(-4)}`;
+}
+/** Strip an address down to city + country only. */
+export function maskAddress(addr) {
+    const masked = { ...addr };
+    for (const key of [
+        'street',
+        'street2',
+        'streetNumber',
+        'postalCode',
+        'state',
+        'email',
+        'phone',
+        'firstName',
+        'lastName',
+    ]) {
+        delete masked[key];
+    }
+    return masked;
+}
+/**
+ * Apply PII masking to a flat object with known field names.
+ * Always returns a new object — never mutates the original.
+ */
+export function maskFields(obj, mode) {
+    if (mode === 'full') {
+        return { ...obj };
+    }
+    const result = { ...obj };
+    if (mode === 'none') {
+        for (const key of [
+            'email',
+            'phone',
+            'companyName',
+            'taxNumber',
+            'birthDate',
+        ]) {
+            if (key in result) {
+                delete result[key];
+            }
+        }
+        if ('addresses' in result) {
+            delete result.addresses;
+        }
+        if ('firstName' in result) {
+            delete result.firstName;
+        }
+        if ('lastName' in result) {
+            delete result.lastName;
+        }
+        return result;
+    }
+    // mode === 'masked'
+    if (typeof result.email === 'string') {
+        result.email = maskEmail(result.email);
+    }
+    if (typeof result.phone === 'string') {
+        result.phone = maskPhone(result.phone);
+    }
+    if (Array.isArray(result.addresses)) {
+        result.addresses = result.addresses.map((addr) => maskAddress(addr));
+    }
+    return result;
+}
+//# sourceMappingURL=pii.js.map

package/build/src/pii.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii.js","sourceRoot":"","sources":["../../src/pii.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,6DAA6D;AAC7D,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,OAAO,MAAM,EAAE,CAAC;AACpC,CAAC;AAED,iEAAiE;AACjE,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACxC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACnC,CAAC;AAED,oDAAoD;AACpD,MAAM,UAAU,WAAW,CAAI,IAAO;IACpC,MAAM,MAAM,GAAG,EAAE,GAAG,IAAI,EAA6B,CAAC;IACtD,KAAK,MAAM,GAAG,IAAI;QAChB,QAAQ;QACR,SAAS;QACT,cAAc;QACd,YAAY;QACZ,OAAO;QACP,OAAO;QACP,OAAO;QACP,WAAW;QACX,UAAU;KACX,EAAE,CAAC;QACF,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IACD,OAAO,MAAW,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CACxB,GAAM,EACN,IAAa;IAEb,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,OAAO,EAAE,GAAG,GAAG,EAAE,CAAC;IACpB,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,GAAG,GAAG,EAAE,CAAC;IAE1B,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpB,KAAK,MAAM,GAAG,IAAI;YAChB,OAAO;YACP,OAAO;YACP,aAAa;YACb,WAAW;YACX,WAAW;SACH,EAAE,CAAC;YACX,IAAI,GAAG,IAAI,MAAM,EAAE,CAAC;gBAClB,OAAQ,MAAkC,CAAC,GAAG,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,IAAI,WAAW,IAAI,MAAM,EAAE,CAAC;YAC1B,OAAQ,MAAkC,CAAC,SAAS,CAAC;QACvD,CAAC;QACD,IAAI,WAAW,IAAI,MAAM,EAAE,CAAC;YAC1B,OAAQ,MAAkC,CAAC,SAAS,CAAC;QACvD,CAAC;QACD,IAAI,UAAU,IAAI,MAAM,EAAE,CAAC;YACzB,OAAQ,MAAkC,CAAC,QAAQ,CAAC;QACtD,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,oBAAoB;IACpB,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAkC,CAAC,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAkC,CAAC,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,MAAkC,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAClE,CAAC,IAA6B,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,CACrD,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/build/src/tools/catalogue.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Catalogue tools — browse, get items, search, and product variants.
+ */
+import type { CrystallizeClient } from '../client.js';
+import type { ToolDefinition } from '../types.js';
+export declare function catalogueTools(client: CrystallizeClient): ToolDefinition[];
+//# sourceMappingURL=catalogue.d.ts.map

package/build/src/tools/catalogue.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalogue.d.ts","sourceRoot":"","sources":["../../../src/tools/catalogue.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,wBAAgB,cAAc,CAAC,MAAM,EAAE,iBAAiB,GAAG,cAAc,EAAE,CAiT1E"}