@hoststack.dev/mcp 0.1.0

package/dist/index.js

@@ -0,0 +1,1418 @@
+// src/server-factory.ts
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { HostStack } from "@hoststack.dev/sdk";
+
+// src/api-client.ts
+var ApiClient = class {
+  constructor(apiKey, baseUrl) {
+    this.apiKey = apiKey;
+    this.baseUrl = baseUrl;
+  }
+  get headers() {
+    return {
+      Authorization: `Bearer ${this.apiKey}`,
+      "Content-Type": "application/json"
+    };
+  }
+  async get(path, params) {
+    const url = new URL(`${this.baseUrl}${path}`);
+    if (params) {
+      for (const [key, value] of Object.entries(params)) {
+        if (value !== void 0) url.searchParams.set(key, String(value));
+      }
+    }
+    const res = await fetch(url.toString(), { headers: this.headers });
+    return this.handle(res);
+  }
+  async post(path, body) {
+    const init = {
+      method: "POST",
+      headers: this.headers
+    };
+    if (body !== void 0) init.body = JSON.stringify(body);
+    const res = await fetch(`${this.baseUrl}${path}`, init);
+    return this.handle(res);
+  }
+  async patch(path, body) {
+    const res = await fetch(`${this.baseUrl}${path}`, {
+      method: "PATCH",
+      headers: this.headers,
+      body: JSON.stringify(body)
+    });
+    return this.handle(res);
+  }
+  async delete(path) {
+    const res = await fetch(`${this.baseUrl}${path}`, {
+      method: "DELETE",
+      headers: this.headers
+    });
+    return this.handle(res);
+  }
+  async handle(res) {
+    if (!res.ok) {
+      const error = await res.json().catch(() => ({ error: res.statusText }));
+      throw new Error(error.error ?? `API error: ${res.status}`);
+    }
+    if (res.status === 204) {
+      return void 0;
+    }
+    return res.json();
+  }
+};
+
+// src/prompts/registry.ts
+var prompts = [];
+function definePrompt(def) {
+  prompts.push({
+    name: def.name,
+    description: def.description,
+    args: def.args,
+    handler: def.handler
+  });
+}
+function listPromptDefinitions() {
+  return prompts;
+}
+function attachPrompts(server, ctx) {
+  const register = server.prompt.bind(server);
+  for (const def of prompts) {
+    register(def.name, def.description, def.args, (args) => def.handler(args, ctx));
+  }
+}
+function userMessage(text) {
+  return { role: "user", content: { type: "text", text } };
+}
+
+// src/resources/registry.ts
+var resources = [];
+function defineResource(def) {
+  resources.push(def);
+}
+function listResourceDefinitions() {
+  return resources;
+}
+function attachResources(server, ctx) {
+  for (const def of resources) {
+    server.resource(
+      def.name,
+      def.uri,
+      {
+        description: def.description,
+        ...def.mimeType ? { mimeType: def.mimeType } : {}
+      },
+      (uri) => def.read(uri, ctx)
+    );
+  }
+}
+function jsonResource(uri, data) {
+  return {
+    contents: [
+      {
+        uri: uri.toString(),
+        mimeType: "application/json",
+        text: JSON.stringify(data, null, 2)
+      }
+    ]
+  };
+}
+
+// src/registry.ts
+var tools = [];
+function defineTool(def) {
+  tools.push({
+    name: def.name,
+    category: def.category,
+    description: def.description,
+    input: def.input,
+    handler: def.handler
+  });
+}
+function listToolDefinitions() {
+  return tools;
+}
+function attachTools(server, ctx, sink) {
+  const register = server.tool.bind(server);
+  for (const def of tools) {
+    register(def.name, def.description, def.input, async (args) => {
+      const startedAt = /* @__PURE__ */ new Date();
+      const start = performance.now();
+      let ok = true;
+      let errorCode = null;
+      try {
+        const result = await def.handler(args, ctx);
+        if (result.isError) {
+          ok = false;
+          errorCode = "tool_error";
+        }
+        return result;
+      } catch (err) {
+        ok = false;
+        errorCode = err instanceof Error ? (err.name || "Error").slice(0, 64) : "unknown_error";
+        throw err;
+      } finally {
+        if (sink) {
+          const durationMs = Math.round(performance.now() - start);
+          const event = {
+            tool: def.name,
+            durationMs,
+            ok,
+            errorCode,
+            inputHash: hashArgs(args),
+            startedAt
+          };
+          Promise.resolve().then(() => sink(event)).catch(() => void 0);
+        }
+      }
+    });
+  }
+}
+function hashArgs(args) {
+  try {
+    const json = JSON.stringify(args);
+    const bunGlobal = globalThis.Bun;
+    if (bunGlobal?.hash) {
+      return bunGlobal.hash(json).toString(16);
+    }
+    return `len:${json.length}`;
+  } catch {
+    return null;
+  }
+}
+
+// src/prompts/deploy-prompts.ts
+import { z } from "zod";
+definePrompt({
+  name: "diagnose_failed_deploy",
+  description: "Walk the agent through diagnosing a failed deploy: pull the latest deploys for the named service, find the most recent failure, fetch its build/deploy logs, and propose a fix. Stops at suggestion \u2014 does not retrigger automatically.",
+  args: {
+    service_id: z.string().describe("Service publicId (e.g. svc_abc123).")
+  },
+  handler: async ({ service_id }) => {
+    const text = `Goal: diagnose the most recent failed deploy on service ${service_id} and propose a fix.
+
+Plan (use these tools in order):
+1. \`list_deploys({ service_id: "${service_id}" })\` \u2014 pull recent deploys, newest first. Identify the most recent deploy with status \`failed\` (or \`cancelled\` if the user wants to investigate that too). Capture its publicId, branch, and commitSha.
+2. \`get_deploy_logs({ service_id: "${service_id}", deploy_id: "<dpl_\u2026>" })\` \u2014 read the full build output. Scan for: stack traces, "ERROR" / "error:" lines, exit codes, missing env vars, OOM-killed signals, network failures pulling dependencies.
+3. \`get_service({ service_id: "${service_id}" })\` \u2014 confirm the service's runtime, plan, and whether autoDeploy is on. Plan tier matters because OOMs at small tiers point at \`maxMemoryMb\`.
+4. (Optional) \`list_env_vars({ service_id: "${service_id}" })\` \u2014 only if the build error mentions a missing variable. Don't fetch otherwise; values are masked anyway.
+
+Then write a short diagnosis for the user with three sections:
+- **Root cause** \u2014 one sentence pointing at the actual failure line.
+- **Evidence** \u2014 3\u20136 line excerpt from the logs that proves the diagnosis.
+- **Suggested fix** \u2014 concrete next steps, including which tool to call (e.g. "set MISSING_KEY with set_env_var, then trigger_deploy"). Do NOT call trigger_deploy automatically; the user decides.
+
+If the deploy logs are empty or only contain queued/pending markers, surface that \u2014 the build never started, which is its own class of bug (likely a builder-pool or quota issue).`;
+    return { messages: [userMessage(text)] };
+  }
+});
+definePrompt({
+  name: "deploy_status_check",
+  description: "Quick orientation prompt: who am I, what's running, and is anything currently deploying? Useful at the start of a session.",
+  args: {},
+  handler: async () => {
+    const text = `Goal: produce a 30-second status check on this HostStack team.
+
+Plan:
+1. \`get_me()\` \u2014 confirm which user + team the API key belongs to.
+2. \`list_services()\` \u2014 every service with current status (running, suspended, building, deploying, failed). Note any service in a non-running state.
+3. For each service whose status is \`building\` or \`deploying\`, call \`list_deploys({ service_id })\` and surface the latest deploy's commitMessage + author.
+4. \`list_activity_log({ per_page: 10 })\` \u2014 last 10 audit events to spot recent changes (deploys triggered, env vars edited, services restarted).
+
+Write a status report shaped like:
+
+> **Team**: <name>
+> **Services**: <n> total \u2014 <breakdown by status>
+> **In flight**: <list of building/deploying services with commit info, or "none">
+> **Recent activity**: <3-5 most relevant events from the audit log, newest first>
+
+Keep it tight (under 200 words). The user can drill in with follow-up tools.`;
+    return { messages: [userMessage(text)] };
+  }
+});
+definePrompt({
+  name: "rotate_secret",
+  description: "Guide the agent through rotating an env-var secret on a service. Lists current vars to confirm the target key exists, asks the user for the new value, sets it, and offers to trigger a deploy.",
+  args: {
+    service_id: z.string().describe("Service publicId."),
+    key: z.string().describe("Env-var key to rotate (e.g. DATABASE_URL).")
+  },
+  handler: async ({ service_id, key }) => {
+    const text = `Goal: rotate the secret \`${key}\` on service ${service_id}.
+
+Plan:
+1. \`list_env_vars({ service_id: "${service_id}" })\` \u2014 confirm \`${key}\` exists. Note its \`isSecret\` flag (it should be true; if not, flag this \u2014 you're about to mark it secret on rotation, which is a behaviour change).
+2. **Ask the user for the new value before calling any write tool.** The agent must NOT invent or generate the secret; it has to come from the user's clipboard / vault. Phrase the ask explicitly: "Paste the new value for ${key} (it will be encrypted at rest and masked everywhere except the running container)."
+3. Once the user provides the value:
+   - \`set_env_var({ service_id: "${service_id}", key: "${key}", value: "<new value>", is_secret: true })\` \u2014 upserts by key.
+4. After the write succeeds, ask the user whether to redeploy (so the new value lands in the running container). If yes:
+   - \`trigger_deploy({ service_id: "${service_id}" })\` \u2014 kicks off a build with the rotated secret.
+   - \`get_deploy({ service_id: "${service_id}", deploy_id: "<dpl_\u2026>" })\` \u2014 poll until status is \`live\` or \`failed\`. On failure, hand off to \`diagnose_failed_deploy\`.
+
+Safety rails:
+- Never echo the new value back in your reply; the user should verify it from their own source of truth, not from your context window.
+- If the user says "generate a new one", suggest \`openssl rand -hex 32\` (or similar) for them to run locally and paste in. Do NOT generate it for them \u2014 secrets that pass through an LLM context are no longer secrets.
+- If \`set_env_var\` returned \`action: "created"\` instead of \`"updated"\`, the key didn't exist before. Pause and confirm with the user \u2014 they may have typo'd the key name.`;
+    return { messages: [userMessage(text)] };
+  }
+});
+
+// src/lib/shape.ts
+var INTERNAL_FIELDS = /* @__PURE__ */ new Set([
+  "teamId",
+  "team_id",
+  "userId",
+  "user_id",
+  "accountId",
+  "account_id",
+  "tenantId",
+  "tenant_id",
+  "createdById",
+  "updatedById"
+]);
+function isObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function dropNullsAndInternals(obj) {
+  const out = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (INTERNAL_FIELDS.has(key)) continue;
+    if (value === null || value === void 0) continue;
+    out[key] = value;
+  }
+  return out;
+}
+function shape(value) {
+  if (Array.isArray(value)) return value.map(shape);
+  if (isObject(value)) return dropNullsAndInternals(value);
+  return value;
+}
+function shapeAll(arr, shaper) {
+  if (!Array.isArray(arr)) return [];
+  return arr.map(shaper);
+}
+function shapeList(response, key, shaper) {
+  if (!isObject(response)) return { items: [] };
+  return { items: shapeAll(response[key], shaper) };
+}
+function shapeProject(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeService(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeDeploy(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeDatabase(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeDomain(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeEnvVar(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeCronExecution(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeActivity(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeUser(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+function shapeTeam(value) {
+  return isObject(value) ? dropNullsAndInternals(value) : {};
+}
+
+// src/resources/hoststack-resources.ts
+defineResource({
+  kind: "static",
+  name: "team",
+  uri: "hoststack://team",
+  description: "Authenticated team identity + a quick orientation snapshot. Includes the team record, the user behind the API key, and counts of projects and services so an agent can decide whether to fan out into list_projects / list_services without an extra round-trip.",
+  mimeType: "application/json",
+  read: async (uri, { hoststack, api, resolveTeamId }) => {
+    const teamId = await resolveTeamId();
+    const [me, projectsResult, servicesResult] = await Promise.all([
+      api.get("/api/auth/me").catch(() => null),
+      hoststack.projects.list(teamId).catch(() => ({ projects: [] })),
+      hoststack.services.list(teamId).catch(() => ({ services: [] }))
+    ]);
+    const projects = projectsResult.projects.slice(0, 10).map(shapeProject);
+    const services = servicesResult.services.slice(0, 10).map(shapeService);
+    return jsonResource(uri, {
+      user: me?.user ? shapeUser(me.user) : null,
+      team: me?.team ? shapeTeam(me.team) : null,
+      project_count: projectsResult.projects.length,
+      service_count: servicesResult.services.length,
+      // First 10 of each so the resource stays small while still useful
+      // for orientation. Use list_projects / list_services for the full set.
+      projects_preview: projects,
+      services_preview: services
+    });
+  }
+});
+
+// src/tools/activity-log.ts
+import { z as z2 } from "zod";
+
+// src/lib/respond.ts
+var SUMMARY_MAX_LEN = 500;
+function respond({ summary, data }) {
+  const trimmed = summary.trim();
+  if (trimmed.length === 0) {
+    throw new Error("respond(): summary must be non-empty");
+  }
+  if (trimmed.length > SUMMARY_MAX_LEN) {
+    throw new Error(`respond(): summary too long (${trimmed.length} > ${SUMMARY_MAX_LEN})`);
+  }
+  const blocks = [{ type: "text", text: trimmed }];
+  if (data !== void 0) {
+    blocks.push({
+      type: "text",
+      text: "```json\n" + JSON.stringify(data, null, 2) + "\n```"
+    });
+  }
+  const result = { content: blocks };
+  if (data !== void 0) {
+    result.structuredContent = toStructuredContent(data);
+  }
+  return result;
+}
+function respondError(message, data) {
+  const blocks = [{ type: "text", text: `Error: ${message}` }];
+  if (data !== void 0) {
+    blocks.push({
+      type: "text",
+      text: "```json\n" + JSON.stringify(data, null, 2) + "\n```"
+    });
+  }
+  const result = { content: blocks, isError: true };
+  if (data !== void 0) {
+    result.structuredContent = toStructuredContent(data);
+  }
+  return result;
+}
+function toStructuredContent(data) {
+  if (data !== null && typeof data === "object" && !Array.isArray(data)) {
+    return data;
+  }
+  return { result: data };
+}
+
+// src/tools/activity-log.ts
+defineTool({
+  name: "list_activity_log",
+  category: "activity-log",
+  description: [
+    "List the team activity audit log: who did what, when. Backed by /api/activity-log/:teamId.",
+    "",
+    'When to use: investigate why a service was changed unexpectedly ("who deleted that env var?"), correlate a deploy with a user, or pull recent admin events for a status update.',
+    "",
+    "Inputs (all optional):",
+    "  - page: 1-based page index (default 1).",
+    "  - per_page: items per page (default 25, hard cap 100).",
+    '  - action: filter to a specific action (e.g. "service.created", "deploy.triggered").',
+    '  - resource_type: filter by resource type (e.g. "service", "deploy", "domain").',
+    "  - user_id: filter by acting user numeric ID.",
+    "",
+    "Returns: { items: ActivityLogEntry[], meta? } \u2014 each entry has id, action, resourceType, resourceId, actorEmail, ipAddress, createdAt, and a context payload.",
+    "",
+    'Example: list_activity_log({ resource_type: "deploy", per_page: 10 }) \u2192 { items: [{ action: "deploy.triggered", actorEmail: "ada@\u2026", \u2026 }], meta: { total: 47, page: 1 } }'
+  ].join("\n"),
+  input: {
+    page: z2.number().int().positive().optional().describe("Page index, 1-based."),
+    per_page: z2.number().int().positive().max(100).optional().describe("Items per page, hard cap 100."),
+    action: z2.string().optional().describe('Action filter, e.g. "service.created".'),
+    resource_type: z2.string().optional().describe("Resource type filter."),
+    user_id: z2.number().int().positive().optional().describe("Numeric acting-user filter.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const params = {};
+    if (args.page !== void 0) params["page"] = String(args.page);
+    if (args.per_page !== void 0) params["perPage"] = String(args.per_page);
+    if (args.action !== void 0) params["action"] = args.action;
+    if (args.resource_type !== void 0) params["resourceType"] = args.resource_type;
+    if (args.user_id !== void 0) params["userId"] = String(args.user_id);
+    const response = await ctx.api.get(
+      `/api/activity-log/${teamId}`,
+      params
+    );
+    const items = Array.isArray(response.data) ? response.data.map(shapeActivity) : [];
+    const data = { items };
+    if (response.meta !== void 0) data.meta = shape(response.meta);
+    return respond({
+      summary: items.length === 0 ? "No activity log entries match the given filters." : `Returned ${items.length} activity log entr${items.length === 1 ? "y" : "ies"}.`,
+      data
+    });
+  }
+});
+
+// src/tools/cron.ts
+import { z as z3 } from "zod";
+defineTool({
+  name: "list_cron_executions",
+  category: "cron",
+  description: [
+    "List recent execution records for a cron service (newest first).",
+    "",
+    'When to use: investigating whether a scheduled job ran on time, finding the most recent failure, or auditing cron run-times. Only works on services of type "cron"; for web services this returns an error.',
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the cron service.",
+    "  - limit (optional): how many executions to fetch (default 50, max enforced server-side).",
+    "",
+    "Returns: { items: CronExecution[] } \u2014 id, publicId, status (succeeded|failed|running|queued), startedAt, finishedAt, exitCode, triggeredBy.",
+    "",
+    'Example: list_cron_executions({ service_id: "svc_cron" }) \u2192 { items: [{ status: "succeeded", exitCode: 0, \u2026 }, \u2026] }'
+  ].join("\n"),
+  input: {
+    service_id: z3.string().describe("Cron service publicId."),
+    limit: z3.number().int().positive().max(200).optional().describe("Max executions to return (default 50).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const opts = args.limit !== void 0 ? { limit: args.limit } : void 0;
+    const response = await ctx.hoststack.cron.list(teamId, args.service_id, opts);
+    const data = shapeList(response, "executions", shapeCronExecution);
+    const summary = data.items.length === 0 ? `No cron executions yet for ${args.service_id}.` : `Found ${data.items.length} cron execution${data.items.length === 1 ? "" : "s"} for ${args.service_id}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "get_cron_execution",
+  category: "cron",
+  description: [
+    "Fetch a single cron execution record. Includes status, exit code, and timing.",
+    "",
+    "When to use: drilling into a specific run after list_cron_executions surfaced a failure, or correlating an execution timestamp with logs.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the cron service.",
+    "  - execution_id: publicId of the execution record.",
+    "",
+    "Returns: { execution: CronExecution }.",
+    "",
+    'Example: get_cron_execution({ service_id: "svc_cron", execution_id: "exe_xyz" }) \u2192 { execution: { status: "failed", exitCode: 1, \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z3.string().describe("Cron service publicId."),
+    execution_id: z3.string().describe("Execution publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.cron.get(teamId, args.service_id, args.execution_id);
+    const data = { execution: shapeCronExecution(response.execution) };
+    const status = data.execution && "status" in data.execution ? data.execution.status : "unknown";
+    return respond({ summary: `Execution ${args.execution_id} ${status}.`, data });
+  }
+});
+
+// src/tools/databases.ts
+import { z as z4 } from "zod";
+defineTool({
+  name: "list_databases",
+  category: "databases",
+  description: [
+    "List managed databases (Postgres, Redis, MySQL, MariaDB, MongoDB, Meilisearch, NATS) inside a project.",
+    "",
+    "When to use: an agent needs to know what data stores exist in a project before connecting a service or running a migration. Pair with list_projects to discover project IDs.",
+    "",
+    "Inputs:",
+    "  - project_id: numeric project ID (from list_projects).",
+    "",
+    "Returns: { items: Database[] } \u2014 id, publicId, name, type, status, version, projectId, createdAt.",
+    "",
+    'Example: list_databases({ project_id: 12 }) \u2192 { items: [{ publicId: "db_\u2026", type: "postgres", status: "running", \u2026 }] }'
+  ].join("\n"),
+  input: {
+    project_id: z4.number().int().positive().describe("Numeric project ID (from list_projects).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.databases.list(teamId, args.project_id);
+    const data = shapeList(response, "databases", shapeDatabase);
+    const summary = data.items.length === 0 ? `No databases in project ${args.project_id}.` : `Found ${data.items.length} database${data.items.length === 1 ? "" : "s"} in project ${args.project_id}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "get_database",
+  category: "databases",
+  description: [
+    "Fetch a single managed database by ID. Includes status, type, version, and project link.",
+    "",
+    "When to use: confirming the version of a database before generating connection strings, or checking the status of a recently created database. To retrieve the actual connection credentials, use the dashboard \u2014 credentials are intentionally not exposed via this MCP tool.",
+    "",
+    "Inputs:",
+    '  - database_id: publicId of the database (e.g. "db_\u2026").',
+    "",
+    "Returns: { database: Database }.",
+    "",
+    'Example: get_database({ database_id: "db_xyz" }) \u2192 { database: { type: "postgres", version: "16", status: "running", \u2026 } }'
+  ].join("\n"),
+  input: {
+    database_id: z4.string().describe("Database publicId (e.g. db_xyz).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.databases.get(teamId, args.database_id);
+    const data = { database: shapeDatabase(response.database) };
+    const type = data.database && "type" in data.database ? data.database.type : "unknown";
+    const status = data.database && "status" in data.database ? data.database.status : "unknown";
+    return respond({ summary: `Database ${args.database_id} (${type}) is ${status}.`, data });
+  }
+});
+
+// src/tools/deploys.ts
+import { z as z5 } from "zod";
+defineTool({
+  name: "list_deploys",
+  category: "deploys",
+  description: [
+    "List deploys for a service in reverse-chronological order (newest first).",
+    "",
+    "When to use: investigating a recent deploy outcome, finding the last successful deploy ID, comparing run-times, or just checking deploy history before triggering a new one.",
+    "",
+    "Inputs:",
+    '  - service_id: publicId of the service (e.g. "svc_abc123"). Use list_services to find it.',
+    "",
+    "Returns: { items: Deploy[] } \u2014 each deploy includes id, publicId, status (pending|building|deploying|live|failed|cancelled), commitSha, commitMessage, branch, triggeredBy, startedAt, finishedAt, durationMs.",
+    "",
+    'Example: list_deploys({ service_id: "svc_abc" }) \u2192 { items: [{ publicId: "dpl_\u2026", status: "live", commitMessage: "Fix login", \u2026 }, \u2026] }'
+  ].join("\n"),
+  input: {
+    service_id: z5.string().describe("Service publicId (e.g. svc_abc123).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.deploys.list(teamId, args.service_id);
+    const data = shapeList(response, "deploys", shapeDeploy);
+    const summary = data.items.length === 0 ? `No deploys yet for service ${args.service_id}.` : `Found ${data.items.length} deploy${data.items.length === 1 ? "" : "s"} for service ${args.service_id}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "get_deploy",
+  category: "deploys",
+  description: [
+    "Fetch a single deploy by ID, including its current status, commit metadata, and timestamps.",
+    "",
+    "When to use: drilling into the details of a specific deploy after list_deploys, polling a build's status, or grabbing the commit SHA so you can correlate logs with code.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    '  - deploy_id: publicId of the deploy (e.g. "dpl_\u2026").',
+    "",
+    "Returns: { deploy: Deploy } \u2014 full deploy record (status, commitSha, commitMessage, branch, durationMs, finishedAt, etc).",
+    "",
+    'Example: get_deploy({ service_id: "svc_abc", deploy_id: "dpl_xyz" }) \u2192 { deploy: { status: "live", \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z5.string().describe("Service publicId."),
+    deploy_id: z5.string().describe("Deploy publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.deploys.get(teamId, args.service_id, args.deploy_id);
+    const data = { deploy: shapeDeploy(response.deploy) };
+    const status = data.deploy && typeof data.deploy === "object" && "status" in data.deploy ? data.deploy.status : "unknown";
+    return respond({ summary: `Deploy ${args.deploy_id} is ${status}.`, data });
+  }
+});
+defineTool({
+  name: "trigger_deploy",
+  category: "deploys",
+  description: [
+    "Kick off a new deploy from the latest commit on the service branch. Optionally clear the build cache for a clean rebuild.",
+    "",
+    'When to use: the user explicitly asks to deploy ("ship it", "redeploy", "kick off a new build"). For services with auto-deploy enabled, a fresh git push already triggers a deploy automatically \u2014 only call this for manual triggers, cache-clearing, or after a config change.',
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - clear_cache (optional): boolean \u2014 discard the cached build layers. Default false.",
+    "",
+    'Returns: { deploy: Deploy } \u2014 the new deploy record. Status will start as "pending" then transition through "building" \u2192 "deploying" \u2192 "live" or "failed".',
+    "",
+    'Example: trigger_deploy({ service_id: "svc_abc" }) \u2192 { deploy: { publicId: "dpl_\u2026", status: "pending", \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z5.string().describe("Service publicId."),
+    clear_cache: z5.boolean().optional().describe("Clear the build cache (default false).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const input = {};
+    if (args.clear_cache !== void 0) input.clearCache = args.clear_cache;
+    const response = await ctx.hoststack.deploys.trigger(teamId, args.service_id, input);
+    const data = { deploy: shapeDeploy(response.deploy) };
+    const publicId = data.deploy && "publicId" in data.deploy ? data.deploy.publicId : "unknown";
+    return respond({
+      summary: `Triggered deploy ${publicId} on service ${args.service_id}.`,
+      data
+    });
+  }
+});
+defineTool({
+  name: "cancel_deploy",
+  category: "deploys",
+  description: [
+    "Cancel a running deploy. Stops the build/deploy pipeline mid-flight; the previously live revision keeps serving traffic.",
+    "",
+    "When to use: the user notices a bad commit was pushed and wants to abort before it lands, or a build is hanging. Has no effect on already-finished deploys.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - deploy_id: publicId of the deploy to cancel.",
+    "",
+    "Returns: { ok: true }.",
+    "",
+    'Example: cancel_deploy({ service_id: "svc_abc", deploy_id: "dpl_xyz" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    service_id: z5.string().describe("Service publicId."),
+    deploy_id: z5.string().describe("Deploy publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    await ctx.hoststack.deploys.cancel(teamId, args.service_id, args.deploy_id);
+    return respond({
+      summary: `Cancelled deploy ${args.deploy_id} on service ${args.service_id}.`,
+      data: { ok: true }
+    });
+  }
+});
+defineTool({
+  name: "get_deploy_logs",
+  category: "deploys",
+  description: [
+    "Fetch the build/deploy logs for a single deploy. Returns the entire log buffer the agent can the search for errors.",
+    "",
+    "When to use: a deploy failed and you need to read the build output to diagnose. Pair with get_deploy to find a failed deploy_id, then call this. For runtime (post-deploy) logs of the running container, use get_service_logs instead.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - deploy_id: publicId of the deploy.",
+    "",
+    "Returns: { logs: string } \u2014 full build output as a single string. May be truncated by the API if the deploy is still in progress.",
+    "",
+    'Example: get_deploy_logs({ service_id: "svc_abc", deploy_id: "dpl_xyz" }) \u2192 { logs: "Building\u2026\\nStep 1/8\u2026\\n\u2026" }'
+  ].join("\n"),
+  input: {
+    service_id: z5.string().describe("Service publicId."),
+    deploy_id: z5.string().describe("Deploy publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.deploys.getLogs(teamId, args.service_id, args.deploy_id);
+    const logs = typeof response.logs === "string" ? response.logs : "";
+    const lines = logs ? logs.split("\n").length : 0;
+    return respond({
+      summary: `Fetched ${lines} log line${lines === 1 ? "" : "s"} for deploy ${args.deploy_id}.`,
+      data: { logs }
+    });
+  }
+});
+
+// src/tools/domains.ts
+import { z as z6 } from "zod";
+defineTool({
+  name: "list_domains",
+  category: "domains",
+  description: [
+    "List every custom domain attached to the team's services.",
+    "",
+    "When to use: enumerate live domains, audit DNS verification status, or find which service a hostname resolves to before troubleshooting routing.",
+    "",
+    "Returns: { items: Domain[] } \u2014 id, publicId, hostname, serviceId, verified, dnsTargets, sslStatus, createdAt.",
+    "",
+    'Example: list_domains() \u2192 { items: [{ hostname: "api.example.com", verified: true, sslStatus: "active", \u2026 }] }'
+  ].join("\n"),
+  input: {},
+  handler: async (_args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.domains.list(teamId);
+    const data = shapeList(response, "domains", shapeDomain);
+    const summary = data.items.length === 0 ? "No custom domains configured." : `Found ${data.items.length} custom domain${data.items.length === 1 ? "" : "s"}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "add_domain",
+  category: "domains",
+  description: [
+    "Attach a custom hostname to the team \u2014 optionally pinned to a specific service. After adding, point your DNS at the targets returned and call verify_domain.",
+    "",
+    "When to use: the user wants to put a custom domain in front of a HostStack service (e.g. point api.example.com at svc_abc). The hostname must be unique across the team.",
+    "",
+    "Inputs:",
+    '  - hostname: the domain to add (e.g. "api.example.com").',
+    "  - service_id (optional): publicId of the service to bind to. If omitted, the domain is added unbound and you can attach it later with update_domain.",
+    "",
+    "Returns: { domain: Domain } \u2014 includes dnsTargets you must configure (CNAME / A records).",
+    "",
+    'Example: add_domain({ hostname: "api.example.com", service_id: "svc_abc" }) \u2192 { domain: { hostname: "api.example.com", dnsTargets: [...], verified: false, \u2026 } }'
+  ].join("\n"),
+  input: {
+    hostname: z6.string().min(3).max(253).describe("Fully-qualified hostname (e.g. api.example.com)."),
+    service_id: z6.string().optional().describe("Optional service publicId to bind to.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const input = { domain: args.hostname };
+    if (args.service_id !== void 0) input.serviceId = args.service_id;
+    const response = await ctx.hoststack.domains.add(teamId, input);
+    const data = { domain: shapeDomain(response.domain) };
+    return respond({
+      summary: `Added domain ${args.hostname}. Configure DNS, then call verify_domain.`,
+      data
+    });
+  }
+});
+defineTool({
+  name: "verify_domain",
+  category: "domains",
+  description: [
+    "Trigger DNS verification for a previously-added domain. HostStack checks that the dnsTargets returned by add_domain are configured at the registrar.",
+    "",
+    "When to use: the user has set up DNS records and is ready to flip the domain live. Returns success when verification passes; the domain stays in pending state if DNS is still propagating.",
+    "",
+    "Inputs:",
+    "  - domain_id: publicId of the domain (from list_domains or add_domain).",
+    "",
+    "Returns: { ok: true }. Re-call list_domains to inspect the updated verified flag and SSL status.",
+    "",
+    'Example: verify_domain({ domain_id: "dom_xyz" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    domain_id: z6.string().describe("Domain publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    await ctx.hoststack.domains.verify(teamId, args.domain_id);
+    return respond({ summary: `Triggered DNS verification for ${args.domain_id}.`, data: { ok: true } });
+  }
+});
+defineTool({
+  name: "remove_domain",
+  category: "domains",
+  description: [
+    "Detach a custom hostname from the team. DESTRUCTIVE: the domain stops routing immediately and any pinned service must fall back to its default hostname.",
+    "",
+    "When to use: the user wants to retire a custom domain. Confirm with the user first \u2014 the change is immediate and cannot be undone except by re-adding the domain and re-verifying DNS.",
+    "",
+    "Inputs:",
+    "  - domain_id: publicId of the domain to remove.",
+    "",
+    "Returns: { ok: true }.",
+    "",
+    'Example: remove_domain({ domain_id: "dom_xyz" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    domain_id: z6.string().describe("Domain publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    await ctx.hoststack.domains.remove(teamId, args.domain_id);
+    return respond({ summary: `Removed domain ${args.domain_id}.`, data: { ok: true } });
+  }
+});
+
+// src/tools/env-vars.ts
+import { z as z7 } from "zod";
+defineTool({
+  name: "list_env_vars",
+  category: "env-vars",
+  description: [
+    'List environment variables for a service. Secret values are masked server-side ("\u2022\u2022\u2022\u2022\u2022\u2022"); only non-secret values come through in the clear.',
+    "",
+    "When to use: auditing what configuration a service has, finding the key for a value the user mentions by name, or confirming a variable was set after a write. Never assume the value field is plaintext for secret rows \u2014 it is masked.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "",
+    "Returns: { items: EnvVar[] } \u2014 id, publicId, key, value (masked if isSecret), isSecret, target, linkedDatabaseId, createdAt.",
+    "",
+    'Example: list_env_vars({ service_id: "svc_abc" }) \u2192 { items: [{ key: "DATABASE_URL", value: "\u2022\u2022\u2022\u2022\u2022\u2022", isSecret: true }, { key: "PORT", value: "3000", isSecret: false }] }'
+  ].join("\n"),
+  input: {
+    service_id: z7.string().describe("Service publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.envVars.list(teamId, args.service_id);
+    const data = shapeList(response, "envVars", shapeEnvVar);
+    const summary = data.items.length === 0 ? `No env vars set on service ${args.service_id}.` : `Found ${data.items.length} env var${data.items.length === 1 ? "" : "s"} on service ${args.service_id}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "set_env_var",
+  category: "env-vars",
+  description: [
+    "Upsert a single environment variable on a service: creates the key if missing, updates the value if it already exists. Match is by key (case-sensitive).",
+    "",
+    "When to use: rotate a secret, add a new config knob, or change a value the user dictated. The MCP layer looks up the existing var by key first; you do not need to know the env-var ID.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    '  - key: env-var name (e.g. "DATABASE_URL").',
+    "  - value: new value (will be encrypted at rest if is_secret=true).",
+    "  - is_secret (optional): true marks the value as secret (masked on read). Default true for safety; pass false for boring config like PORT or NODE_ENV.",
+    "",
+    'Returns: { envVar: EnvVar, action: "created" | "updated" }.',
+    "",
+    'Example: set_env_var({ service_id: "svc_abc", key: "DATABASE_URL", value: "postgres://\u2026", is_secret: true }) \u2192 { envVar: { key: "DATABASE_URL", value: "\u2022\u2022\u2022\u2022\u2022\u2022", \u2026 }, action: "updated" }'
+  ].join("\n"),
+  input: {
+    service_id: z7.string().describe("Service publicId."),
+    key: z7.string().min(1).max(128).describe("Env-var key."),
+    value: z7.string().describe("New value."),
+    is_secret: z7.boolean().optional().describe("Mark as secret (encrypted, masked on read). Default true.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const isSecret = args.is_secret ?? true;
+    const existing = await ctx.hoststack.envVars.list(teamId, args.service_id);
+    const match = existing.envVars.find((v) => v.key === args.key);
+    if (match) {
+      const response2 = await ctx.hoststack.envVars.update(teamId, args.service_id, String(match.id), {
+        value: args.value,
+        isSecret
+      });
+      const data2 = {
+        envVar: shapeEnvVar(response2.envVar),
+        action: "updated"
+      };
+      return respond({ summary: `Updated ${args.key} on service ${args.service_id}.`, data: data2 });
+    }
+    const response = await ctx.hoststack.envVars.create(teamId, args.service_id, {
+      key: args.key,
+      value: args.value,
+      isSecret
+    });
+    const data = {
+      envVar: shapeEnvVar(response.envVar),
+      action: "created"
+    };
+    return respond({ summary: `Created ${args.key} on service ${args.service_id}.`, data });
+  }
+});
+defineTool({
+  name: "delete_env_var",
+  category: "env-vars",
+  description: [
+    "Remove an environment variable from a service by key (case-sensitive).",
+    "",
+    "When to use: cleaning up unused config, or rotating away from a leaked secret. The MCP looks up the env-var ID from the key automatically.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - key: env-var name to delete.",
+    "",
+    "Returns: { ok: true } on success. Returns an error if the key was not found.",
+    "",
+    'Example: delete_env_var({ service_id: "svc_abc", key: "OLD_FLAG" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    service_id: z7.string().describe("Service publicId."),
+    key: z7.string().min(1).max(128).describe("Env-var key to delete.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const existing = await ctx.hoststack.envVars.list(teamId, args.service_id);
+    const match = existing.envVars.find((v) => v.key === args.key);
+    if (!match) {
+      return respondError(
+        `Env var "${args.key}" not found on service ${args.service_id}.`,
+        { key: args.key, service_id: args.service_id }
+      );
+    }
+    await ctx.hoststack.envVars.delete(teamId, args.service_id, String(match.id));
+    return respond({
+      summary: `Deleted ${args.key} from service ${args.service_id}.`,
+      data: { ok: true }
+    });
+  }
+});
+defineTool({
+  name: "bulk_set_env_vars",
+  category: "env-vars",
+  description: [
+    "Replace the entire env-var set on a service with the given list. Equivalent to deleting all current vars and creating the supplied ones \u2014 use with care.",
+    "",
+    "When to use: importing a .env file, mirroring config from a sibling service, or doing a clean reset. For incremental changes, use set_env_var per key \u2014 bulk_set is destructive for any key not in the supplied list.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - env_vars: array of { key, value, is_secret? }. is_secret defaults to true per row.",
+    "",
+    "Returns: { ok: true }. Re-list with list_env_vars to confirm the new state.",
+    "",
+    'Example: bulk_set_env_vars({ service_id: "svc_abc", env_vars: [{ key: "PORT", value: "3000", is_secret: false }, { key: "DATABASE_URL", value: "\u2026", is_secret: true }] }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    service_id: z7.string().describe("Service publicId."),
+    env_vars: z7.array(
+      z7.object({
+        key: z7.string().min(1).max(128),
+        value: z7.string(),
+        is_secret: z7.boolean().optional()
+      })
+    ).max(500).describe("Array of env-var rows. Hard cap 500.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const payload = {
+      envVars: args.env_vars.map((v) => {
+        const row = {
+          key: v.key,
+          value: v.value
+        };
+        if (v.is_secret !== void 0) row.isSecret = v.is_secret;
+        return row;
+      })
+    };
+    await ctx.hoststack.envVars.bulkSet(teamId, args.service_id, payload);
+    return respond({
+      summary: `Replaced env-var set on service ${args.service_id} with ${args.env_vars.length} entr${args.env_vars.length === 1 ? "y" : "ies"}.`,
+      data: { ok: true, count: args.env_vars.length }
+    });
+  }
+});
+
+// src/tools/meta.ts
+defineTool({
+  name: "get_me",
+  category: "meta",
+  description: [
+    "Return the user and team identity bound to the current API key. Useful at the start of a conversation to confirm which account the agent is operating on, especially when a user has multiple HostStack environments.",
+    "",
+    "When to use: orient yourself at the start of a session, confirm which team the API key targets, or surface the email/team-name in a reply to the user.",
+    "",
+    "Returns: { user: { id, email, name, ... }, team?: { id, publicId, name, plan, ... } }.",
+    "",
+    'Example: get_me() \u2192 { user: { id: 1, email: "ada@\u2026", \u2026 }, team: { id: 7, name: "acme", plan: "pro" } }'
+  ].join("\n"),
+  input: {},
+  handler: async (_args, ctx) => {
+    const me = await ctx.api.get("/api/auth/me");
+    const data = {
+      user: shapeUser(me.user)
+    };
+    if (me.team) data.team = shapeTeam(me.team);
+    const teamLabel = me.team && typeof me.team === "object" && "name" in me.team ? ` on team ${me.team.name}` : "";
+    const userEmail = me.user && typeof me.user === "object" && "email" in me.user ? me.user.email : "unknown";
+    return respond({ summary: `Authenticated as ${userEmail}${teamLabel}.`, data });
+  }
+});
+
+// src/tools/projects.ts
+import { z as z8 } from "zod";
+defineTool({
+  name: "list_projects",
+  category: "projects",
+  description: [
+    "List every project in the active HostStack team.",
+    "",
+    "When to use: the agent needs an overview of what projects exist before drilling into services, deploys, or databases. Use this as the first step when the user mentions a project by name and you need to resolve its ID.",
+    "",
+    "Returns: { items: Project[] } \u2014 each project includes id, publicId, name, description, createdAt.",
+    "",
+    'Example: list_projects() \u2192 { items: [{ id: 12, publicId: "prj_\u2026", name: "billing-api", \u2026 }] }'
+  ].join("\n"),
+  input: {},
+  handler: async (_args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.projects.list(teamId);
+    const data = shapeList(response, "projects", shapeProject);
+    const summary = data.items.length === 0 ? "No projects yet \u2014 create one in the dashboard or via create_project." : `Found ${data.items.length} project${data.items.length === 1 ? "" : "s"}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "create_project",
+  category: "projects",
+  description: [
+    "Create a new project (logical grouping of services + databases).",
+    "",
+    "When to use: the user wants to set up a new app or environment in HostStack. Projects are a free organisational layer \u2014 they don't cost anything until you add services or databases inside them.",
+    "",
+    "Inputs:",
+    "  - name: human-readable project name (1\u201360 chars).",
+    "  - description (optional): short blurb shown in the dashboard.",
+    '  - region (optional): "fsn1" (Falkenstein) | "nbg1" (Nuremberg) | "hel1" (Helsinki). Default depends on team plan.',
+    "",
+    "Returns: { project: Project } \u2014 includes the new id and publicId.",
+    "",
+    'Example: create_project({ name: "billing-api", description: "Stripe webhooks", region: "fsn1" }) \u2192 { project: { id: 12, publicId: "prj_\u2026", \u2026 } }'
+  ].join("\n"),
+  input: {
+    name: z8.string().min(1).max(60).describe("Project name (1\u201360 chars)."),
+    description: z8.string().max(500).optional().describe("Short description (\u2264500 chars)."),
+    region: z8.enum(["fsn1", "nbg1", "hel1"]).optional().describe("Hetzner region: fsn1 | nbg1 | hel1.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const input = { name: args.name };
+    if (args.description !== void 0) input.description = args.description;
+    if (args.region !== void 0) input.region = args.region;
+    const response = await ctx.hoststack.projects.create(teamId, input);
+    const data = { project: shapeProject(response.project) };
+    const publicId = data.project && "publicId" in data.project ? data.project.publicId : "unknown";
+    return respond({ summary: `Created project "${args.name}" (${publicId}).`, data });
+  }
+});
+defineTool({
+  name: "update_project",
+  category: "projects",
+  description: [
+    "Rename a project or update its description.",
+    "",
+    "When to use: the user wants to fix a typo in a project name, attach a clearer description, or align the dashboard label with their internal naming.",
+    "",
+    "Inputs (all optional, at least one required):",
+    "  - project_id: publicId of the project (required).",
+    "  - name: new name (1\u201360 chars).",
+    "  - description: new description (\u2264500 chars).",
+    "",
+    "Returns: { project: Project } \u2014 the updated record.",
+    "",
+    'Example: update_project({ project_id: "prj_abc", name: "billing-prod" }) \u2192 { project: { name: "billing-prod", \u2026 } }'
+  ].join("\n"),
+  input: {
+    project_id: z8.string().describe("Project publicId."),
+    name: z8.string().min(1).max(60).optional().describe("New name (1\u201360 chars)."),
+    description: z8.string().max(500).optional().describe("New description (\u2264500 chars).")
+  },
+  handler: async (args, ctx) => {
+    if (args.name === void 0 && args.description === void 0) {
+      return respond({
+        summary: "No fields to update \u2014 pass `name` and/or `description`.",
+        data: {}
+      });
+    }
+    const teamId = await ctx.resolveTeamId();
+    const input = {};
+    if (args.name !== void 0) input.name = args.name;
+    if (args.description !== void 0) input.description = args.description;
+    const response = await ctx.hoststack.projects.update(teamId, args.project_id, input);
+    const data = { project: shapeProject(response.project) };
+    return respond({ summary: `Updated project ${args.project_id}.`, data });
+  }
+});
+defineTool({
+  name: "get_project",
+  category: "projects",
+  description: [
+    "Fetch a single project by ID. Includes name, description, and timestamps.",
+    "",
+    "When to use: confirming a project exists before creating resources inside it, or pulling the canonical name/description for a reply to the user.",
+    "",
+    "Inputs:",
+    '  - project_id: publicId of the project (e.g. "prj_abc123").',
+    "",
+    "Returns: { project: Project }.",
+    "",
+    'Example: get_project({ project_id: "prj_abc" }) \u2192 { project: { id: 12, name: "billing", \u2026 } }'
+  ].join("\n"),
+  input: {
+    project_id: z8.string().describe("Project publicId (e.g. prj_abc123).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.projects.get(teamId, args.project_id);
+    const data = { project: shapeProject(response.project) };
+    const name = data.project && "name" in data.project ? data.project.name : args.project_id;
+    return respond({ summary: `Project "${name}".`, data });
+  }
+});
+
+// src/tools/services.ts
+import { z as z9 } from "zod";
+defineTool({
+  name: "list_services",
+  category: "services",
+  description: [
+    "List every service (web, worker, cron, private) in the active HostStack team.",
+    "",
+    "When to use: the agent needs to find a service by name, check what is deployed, or pick a target for a follow-up tool (logs, deploys, env vars). This is the canonical way to resolve a publicId from a human-friendly name.",
+    "",
+    "Returns: { items: Service[] } \u2014 each service includes id, publicId, name, type, status, projectId, repoUrl, branch, runtime, createdAt.",
+    "",
+    'Example: list_services() \u2192 { items: [{ id: 31, publicId: "svc_\u2026", name: "api", type: "web", status: "running", \u2026 }] }'
+  ].join("\n"),
+  input: {},
+  handler: async (_args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.services.list(teamId);
+    const data = shapeList(response, "services", shapeService);
+    const summary = data.items.length === 0 ? "No services yet \u2014 create one with create_service or via the dashboard." : `Found ${data.items.length} service${data.items.length === 1 ? "" : "s"}.`;
+    return respond({ summary, data });
+  }
+});
+defineTool({
+  name: "get_service",
+  category: "services",
+  description: [
+    "Fetch a single service by ID, including its current status and configuration summary.",
+    "",
+    "When to use: drilling into a service after list_services, checking deploy/runtime status, or grabbing the repo+branch before triggering a deploy.",
+    "",
+    "Inputs:",
+    '  - service_id: publicId of the service (e.g. "svc_abc123").',
+    "",
+    "Returns: { service: Service } \u2014 type, status, runtime, repoUrl, branch, autoDeploy, region, plan, createdAt, updatedAt.",
+    "",
+    'Example: get_service({ service_id: "svc_abc" }) \u2192 { service: { type: "web", status: "running", \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId (e.g. svc_abc123).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.services.get(teamId, args.service_id);
+    const data = { service: shapeService(response.service) };
+    const status = data.service && "status" in data.service ? data.service.status : "unknown";
+    return respond({ summary: `Service ${args.service_id} is ${status}.`, data });
+  }
+});
+defineTool({
+  name: "get_service_metrics",
+  category: "services",
+  description: [
+    "Fetch the latest CPU, memory, network, and request-rate metrics for a service.",
+    "",
+    "When to use: a service is reportedly slow, you suspect resource pressure, or you want a quick health snapshot before scaling. Returns a single point-in-time sample, not a time series.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "",
+    "Returns: { metrics: { cpu, memory, network, requests } } \u2014 values are normalised utilisation/throughput numbers.",
+    "",
+    'Example: get_service_metrics({ service_id: "svc_abc" }) \u2192 { metrics: { cpu: 0.42, memory: 0.71, \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.services.getMetrics(teamId, args.service_id);
+    const data = { metrics: shape(response.metrics) };
+    return respond({ summary: `Metrics snapshot for service ${args.service_id}.`, data });
+  }
+});
+defineTool({
+  name: "update_service",
+  category: "services",
+  description: [
+    "Rename a service. Only the human-readable name changes \u2014 the publicId is permanent.",
+    "",
+    "When to use: the user wants to relabel a service in the dashboard. For deeper config edits (build command, branch, scale, plan), use update_service_config.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - name: new name (1\u201360 chars).",
+    "",
+    "Returns: { service: Service }.",
+    "",
+    'Example: update_service({ service_id: "svc_abc", name: "api-prod" }) \u2192 { service: { name: "api-prod", \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId."),
+    name: z9.string().min(1).max(60).describe("New service name (1\u201360 chars).")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const response = await ctx.hoststack.services.update(teamId, args.service_id, {
+      name: args.name
+    });
+    const data = { service: shapeService(response.service) };
+    return respond({ summary: `Renamed service ${args.service_id} to "${args.name}".`, data });
+  }
+});
+defineTool({
+  name: "update_service_config",
+  category: "services",
+  description: [
+    "Update build/runtime configuration for a service: build command, start command, branch, root directory, dockerfile path, auto-deploy flag, instance count, plan tier. All fields optional \u2014 pass only what you want to change.",
+    "",
+    "When to use: the user wants to tweak how a service builds or runs without redeploying manually. Updating any field marked dispatch-eligible (branch, build/start command, plan, root, dockerfile) typically triggers a follow-up deploy automatically; instance count scales without redeploying.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - build_command, start_command (optional): shell commands.",
+    "  - branch (optional): git branch to track.",
+    "  - root_directory, dockerfile_path (optional): build context overrides.",
+    "  - auto_deploy (optional): boolean \u2014 auto-deploy on git push.",
+    "  - instance_count (optional): integer \u22651 \u2014 manual scale.",
+    '  - plan (optional): plan tier slug (e.g. "starter", "standard", "pro").',
+    "",
+    "Returns: { config: ServiceConfig } \u2014 the updated config record.",
+    "",
+    'Example: update_service_config({ service_id: "svc_abc", instance_count: 3 }) \u2192 { config: { instanceCount: 3, \u2026 } }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId."),
+    build_command: z9.string().optional().describe("Build shell command."),
+    start_command: z9.string().optional().describe("Start shell command."),
+    branch: z9.string().optional().describe("Git branch to track."),
+    root_directory: z9.string().optional().describe("Build context root."),
+    dockerfile_path: z9.string().optional().describe("Path to Dockerfile relative to root."),
+    auto_deploy: z9.boolean().optional().describe("Auto-deploy on push."),
+    instance_count: z9.number().int().positive().optional().describe("Manual scale (\u22651)."),
+    plan: z9.string().optional().describe("Plan tier slug.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const input = {};
+    if (args.build_command !== void 0) input["buildCommand"] = args.build_command;
+    if (args.start_command !== void 0) input["startCommand"] = args.start_command;
+    if (args.branch !== void 0) input["branch"] = args.branch;
+    if (args.root_directory !== void 0) input["rootDirectory"] = args.root_directory;
+    if (args.dockerfile_path !== void 0) input["dockerfilePath"] = args.dockerfile_path;
+    if (args.auto_deploy !== void 0) input["autoDeploy"] = args.auto_deploy;
+    if (args.instance_count !== void 0) input["instanceCount"] = args.instance_count;
+    if (args.plan !== void 0) input["plan"] = args.plan;
+    if (Object.keys(input).length === 0) {
+      return respond({ summary: "No fields to update.", data: {} });
+    }
+    const response = await ctx.hoststack.services.updateConfig(teamId, args.service_id, input);
+    const data = { config: shape(response.config) };
+    const fields = Object.keys(input).join(", ");
+    return respond({ summary: `Updated ${fields} on service ${args.service_id}.`, data });
+  }
+});
+defineTool({
+  name: "suspend_service",
+  category: "services",
+  description: [
+    "Suspend a service: stop all running instances and pause auto-deploys. The service stays configured and can be resumed later with resume_service.",
+    "",
+    "When to use: the user wants to temporarily stop traffic and billing without deleting the service (for example: dev environment overnight, debugging).",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "",
+    "Returns: { ok: true }.",
+    "",
+    'Example: suspend_service({ service_id: "svc_dev" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    await ctx.hoststack.services.suspend(teamId, args.service_id);
+    return respond({ summary: `Suspended service ${args.service_id}.`, data: { ok: true } });
+  }
+});
+defineTool({
+  name: "resume_service",
+  category: "services",
+  description: [
+    "Resume a previously suspended service: start instances back up and re-enable auto-deploys.",
+    "",
+    "When to use: the user wants to bring a suspended service back online. Pair with suspend_service.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "",
+    "Returns: { ok: true }.",
+    "",
+    'Example: resume_service({ service_id: "svc_dev" }) \u2192 { ok: true }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    await ctx.hoststack.services.resume(teamId, args.service_id);
+    return respond({ summary: `Resumed service ${args.service_id}.`, data: { ok: true } });
+  }
+});
+defineTool({
+  name: "get_service_logs",
+  category: "logs",
+  description: [
+    "Fetch a snapshot of the running container's recent runtime logs (stdout/stderr). For *deploy* logs (build output), use get_deploy_logs instead.",
+    "",
+    "When to use: a service is misbehaving in production and you need to read what it is currently logging. The tool returns a snapshot \u2014 there is no streaming over MCP. Re-call to get newer entries.",
+    "",
+    "Inputs:",
+    "  - service_id: publicId of the service.",
+    "  - lines (optional): tail size (default 200, max 1000).",
+    "  - since (optional): ISO-8601 timestamp; only return entries newer than this.",
+    '  - stream (optional): "stdout" | "stderr". Omit to combine.',
+    "",
+    "Returns: { logs: LogEntry[] | string } \u2014 each entry has { timestamp, level?, stream?, message }. Older HostStack agents return a single string blob.",
+    "",
+    'Example: get_service_logs({ service_id: "svc_abc", lines: 100 }) \u2192 { logs: [{ timestamp: "2026-04-25T\u2026", message: "GET /health 200" }, \u2026] }'
+  ].join("\n"),
+  input: {
+    service_id: z9.string().describe("Service publicId."),
+    lines: z9.number().int().positive().max(1e3).optional().describe("Tail size; default 200, hard cap 1000."),
+    since: z9.string().datetime().optional().describe("ISO-8601 timestamp lower bound."),
+    stream: z9.enum(["stdout", "stderr"]).optional().describe("Restrict to one stream.")
+  },
+  handler: async (args, ctx) => {
+    const teamId = await ctx.resolveTeamId();
+    const opts = {
+      lines: args.lines ?? 200
+    };
+    if (args.since) opts.since = args.since;
+    if (args.stream) opts.stream = args.stream;
+    const response = await ctx.hoststack.services.getRuntimeLogs(teamId, args.service_id, opts);
+    const count = Array.isArray(response.logs) ? response.logs.length : typeof response.logs === "string" ? response.logs.split("\n").length : 0;
+    return respond({
+      summary: `Fetched ${count} log line${count === 1 ? "" : "s"} for service ${args.service_id}.`,
+      data: { logs: response.logs }
+    });
+  }
+});
+
+// src/server-factory.ts
+var PACKAGE_NAME = "hoststack";
+var PACKAGE_VERSION = "0.1.0";
+function createMcpServer(options) {
+  const baseUrl = (options.baseUrl ?? "https://api.hoststack.dev").replace(/\/$/, "");
+  const hoststack = new HostStack({ apiKey: options.apiKey, baseUrl });
+  const api = new ApiClient(options.apiKey, baseUrl);
+  const server = new McpServer({
+    name: options.serverInfo?.name ?? PACKAGE_NAME,
+    version: options.serverInfo?.version ?? PACKAGE_VERSION
+  });
+  let teamIdPromise = null;
+  const resolveTeamId = () => {
+    if (!teamIdPromise) {
+      teamIdPromise = api.get("/api/auth/me").then((me) => {
+        if (!me.team?.id) {
+          throw new Error(
+            "No team bound to API key. Generate a team-scoped key in the dashboard."
+          );
+        }
+        return me.team.id;
+      });
+      teamIdPromise.catch(() => {
+        teamIdPromise = null;
+      });
+    }
+    return teamIdPromise;
+  };
+  const ctx = { hoststack, api, resolveTeamId };
+  attachTools(server, ctx, options.onToolCall);
+  attachPrompts(server, ctx);
+  attachResources(server, ctx);
+  return server;
+}
+export {
+  PACKAGE_NAME,
+  PACKAGE_VERSION,
+  createMcpServer,
+  listPromptDefinitions,
+  listResourceDefinitions,
+  listToolDefinitions
+};
+//# sourceMappingURL=index.js.map