@sutraspaces/mcp-server 1.1.1 → 1.2.0

package/src/auth/pkce.js

@@ -0,0 +1,38 @@
+import { randomBytes, createHash } from "node:crypto";
+
+/**
+ * Generate a PKCE code_verifier: 32 random bytes → base64url (43 chars, well
+ * within the 43-128 spec limit).
+ */
+export function generateCodeVerifier() {
+  return base64url(randomBytes(32));
+}
+
+/**
+ * Derive the code_challenge from the verifier: base64url(SHA-256(verifier))
+ * with no padding.
+ */
+export function generateCodeChallenge(verifier) {
+  const hash = createHash("sha256").update(verifier).digest();
+  return base64url(hash);
+}
+
+/**
+ * Generate a random opaque state value for CSRF protection.
+ */
+export function generateState() {
+  return base64url(randomBytes(16));
+}
+
+/**
+ * Base64url encode a Buffer — no padding, + → -, / → _.
+ * @param {Buffer} buf
+ * @returns {string}
+ */
+function base64url(buf) {
+  return buf
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=/g, "");
+}

package/src/auth/store.js

@@ -0,0 +1,84 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+
+/**
+ * Return the path to the credentials file.
+ * Uses SUTRA_CONFIG_DIR env or ~/.sutra.
+ */
+function credentialsPath() {
+  const dir = process.env.SUTRA_CONFIG_DIR
+    ? process.env.SUTRA_CONFIG_DIR
+    : join(homedir(), ".sutra");
+  return { dir, file: join(dir, "credentials.json") };
+}
+
+/**
+ * Read the full credentials store from disk.
+ * Returns {} if missing or invalid.
+ * @returns {Record<string, object>}
+ */
+function readStore() {
+  const { file } = credentialsPath();
+  if (!existsSync(file)) return {};
+  try {
+    return JSON.parse(readFileSync(file, "utf8"));
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * Write the full credentials store to disk.
+ * Creates the directory with mode 0700 if absent.
+ * Writes the file with mode 0600.
+ * @param {Record<string, object>} store
+ */
+function writeStore(store) {
+  const { dir, file } = credentialsPath();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+  writeFileSync(file, JSON.stringify(store, null, 2), { mode: 0o600 });
+  // The `mode` option above is ignored when the file already exists, and is
+  // masked by the process umask even on creation. Enforce 0600/0700
+  // explicitly so the secrets are never left group/world-readable.
+  try {
+    chmodSync(file, 0o600);
+    chmodSync(dir, 0o700);
+  } catch {
+    // Best-effort on platforms without POSIX permissions (e.g. Windows).
+  }
+}
+
+/**
+ * Load cached credentials for the given issuer.
+ * @param {string} issuer
+ * @returns {{ access_token: string, refresh_token?: string, expires_at: number, scope?: string, token_endpoint: string } | null}
+ */
+export function load(issuer) {
+  const store = readStore();
+  return store[issuer] ?? null;
+}
+
+/**
+ * Persist credentials for the given issuer.
+ * @param {string} issuer
+ * @param {{ access_token: string, refresh_token?: string, expires_at: number, scope?: string, token_endpoint: string }} creds
+ */
+export function save(issuer, creds) {
+  const store = readStore();
+  store[issuer] = creds;
+  writeStore(store);
+}
+
+/**
+ * Remove cached credentials for the given issuer.
+ * @param {string} issuer
+ */
+export function clear(issuer) {
+  const store = readStore();
+  if (!Object.prototype.hasOwnProperty.call(store, issuer)) return;
+  delete store[issuer];
+  writeStore(store);
+}

package/src/client.js

@@ -1,12 +1,70 @@
 const BASE_URL = "https://api.sutra.co/api/admin/v1";
 
 export class SutraAdminClient {
-  constructor(apiToken, baseUrl) {
-    this.apiToken = apiToken;
+  /**
+   * @param {string | { getToken: () => Promise<string>, onUnauthorized?: () => Promise<void> }} tokenOrOptions
+   *   - string: static API token (original behavior, fully preserved)
+   *   - object: { getToken, onUnauthorized? } for OAuth token provider
+   * @param {string} [baseUrl]
+   */
+  constructor(tokenOrOptions, baseUrl) {
     this.baseUrl = (baseUrl || BASE_URL).replace(/\/+$/, "");
+
+    if (typeof tokenOrOptions === "string") {
+      // Original static-token path — unchanged behaviour
+      this.apiToken = tokenOrOptions;
+      this._getToken = null;
+      this._onUnauthorized = null;
+    } else {
+      // Token provider path (OAuth)
+      this.apiToken = null;
+      this._getToken = tokenOrOptions.getToken;
+      this._onUnauthorized = tokenOrOptions.onUnauthorized ?? null;
+    }
+  }
+
+  /**
+   * Resolve the current bearer token.
+   * @returns {Promise<string>}
+   */
+  async _resolveToken() {
+    if (this._getToken) {
+      return this._getToken();
+    }
+    return this.apiToken;
   }
 
   async request(method, path, { params, body, headers: extra } = {}) {
+    const token = await this._resolveToken();
+    const result = await this._doRequest(method, path, { params, body, extra, token });
+
+    // 401 retry — only once, only when a handler is registered
+    if (result.status === 401 && this._onUnauthorized) {
+      await this._onUnauthorized();
+      const retryToken = await this._resolveToken();
+      const retryResult = await this._doRequest(method, path, {
+        params,
+        body,
+        extra,
+        token: retryToken,
+      });
+      if (!retryResult.ok) {
+        throw new Error(`${method} ${path} → ${retryResult.status}: ${retryResult.text}`);
+      }
+      return retryResult.text ? JSON.parse(retryResult.text) : {};
+    }
+
+    if (!result.ok) {
+      throw new Error(`${method} ${path} → ${result.status}: ${result.text}`);
+    }
+    return result.text ? JSON.parse(result.text) : {};
+  }
+
+  /**
+   * Execute a single HTTP request and return raw status + text (no throw).
+   * @private
+   */
+  async _doRequest(method, path, { params, body, extra, token }) {
     const url = new URL(`${this.baseUrl}${path}`);
     if (params) {
       for (const [k, v] of Object.entries(params)) {
@@ -15,7 +73,7 @@ export class SutraAdminClient {
     }
 
     const headers = {
-      Authorization: `Bearer ${this.apiToken}`,
+      Authorization: `Bearer ${token}`,
       Accept: "application/json",
       ...(body ? { "Content-Type": "application/json" } : {}),
       ...extra,
@@ -28,11 +86,7 @@ export class SutraAdminClient {
     });
 
     const text = await res.text();
-    if (!res.ok) {
-      throw new Error(`${method} ${path} → ${res.status}: ${text}`);
-    }
-
-    return text ? JSON.parse(text) : {};
+    return { ok: res.ok, status: res.status, text };
   }
 
   get(path, params) {
@@ -47,6 +101,10 @@ export class SutraAdminClient {
     return this.request("PATCH", path, { body, headers });
   }
 
+  put(path, body, headers) {
+    return this.request("PUT", path, { body, headers });
+  }
+
   delete(path, headers) {
     return this.request("DELETE", path, { headers });
   }

package/src/index.js

@@ -7,6 +7,8 @@ import { SutraAdminClient } from "./client.js";
 import { registerSpaceTools } from "./tools/spaces.js";
 import { registerMemberTools } from "./tools/members.js";
 import { registerContentTools } from "./tools/content.js";
+import { registerDocumentTools } from "./tools/documents.js";
+import { registerMediaTools } from "./tools/media.js";
 import { registerPropertyTools } from "./tools/properties.js";
 import { registerInvitationTools } from "./tools/invitations.js";
 import { registerSurveyTools } from "./tools/surveys.js";
@@ -16,32 +18,117 @@ import { registerBroadcastTools } from "./tools/broadcasts.js";
 import { registerDeepTool } from "./tools/deep.js";
 import { registerAutomationTools } from "./tools/automations.js";
 import { registerHelpCenterTools } from "./tools/help-center.js";
+import { registerBlogTools } from "./tools/blog.js";
+import { registerDesignTools } from "./tools/design.js";
 import { registerAdminApiResources } from "./resources/admin-api.js";
+import { registerDesignResources } from "./resources/design.js";
+import { getValidAccessToken, login, refresh } from "./auth/oauth.js";
+import { clear, load } from "./auth/store.js";
+
+// ---------------------------------------------------------------------------
+// CLI subcommands — must be handled before any MCP server setup so that
+// stdout is never written to (it is the MCP channel).
+// ---------------------------------------------------------------------------
+
+const args = process.argv.slice(2);
+
+if (args.includes("login")) {
+  const issuer = process.env.SUTRA_OAUTH_ISSUER || "https://sutra.co";
+  try {
+    await login({ issuer });
+    process.exit(0);
+  } catch (err) {
+    process.stderr.write(`Login failed: ${err.message}\n`);
+    process.exit(1);
+  }
+}
+
+if (args.includes("logout")) {
+  const issuer = process.env.SUTRA_OAUTH_ISSUER || "https://sutra.co";
+  clear(issuer);
+  process.stderr.write("Logged out — cached credentials removed.\n");
+  process.exit(0);
+}
+
+// ---------------------------------------------------------------------------
+// Auth bootstrap
+// ---------------------------------------------------------------------------
 
 const SUTRA_API_TOKEN = process.env.SUTRA_API_TOKEN;
 const SUTRA_BASE_URL = process.env.SUTRA_BASE_URL;
+const SUTRA_OAUTH_ISSUER = process.env.SUTRA_OAUTH_ISSUER || "https://sutra.co";
 
-if (!SUTRA_API_TOKEN) {
-  console.error(
-    "SUTRA_API_TOKEN is required.\n\n" +
-    "Set it to your Sutra Admin API token (sutra_live_sk_...).\n" +
-    "Get one from your Sutra account settings or contact support@sutra.co.\n"
-  );
-  process.exit(1);
+let client;
+
+if (SUTRA_API_TOKEN) {
+  // Static token path — original behaviour, unchanged
+  client = new SutraAdminClient(SUTRA_API_TOKEN, SUTRA_BASE_URL);
+} else {
+  // OAuth path — obtain (or reuse/refresh) a token before connecting
+  process.stderr.write("No SUTRA_API_TOKEN set — using OAuth login.\n");
+
+  let cachedToken;
+  try {
+    cachedToken = await getValidAccessToken({ issuer: SUTRA_OAUTH_ISSUER });
+  } catch (err) {
+    process.stderr.write(
+      `Authentication failed: ${err.message}\n\n` +
+      "Run `npx -y @sutraspaces/mcp-server login` to authenticate, or set the\n" +
+      "SUTRA_API_TOKEN environment variable to a Sutra Admin API token.\n"
+    );
+    process.exit(1);
+  }
+
+  // Token provider: always return the in-memory cached token (fast path).
+  // The onUnauthorized handler refreshes it or triggers a new login.
+  const getToken = () => Promise.resolve(cachedToken);
+
+  // On a mid-session 401, only attempt a silent refresh. We deliberately do
+  // NOT trigger a full interactive browser login here: this runs inside a
+  // long-lived stdio server with no TTY, where spawning a browser and blocking
+  // a tool call for up to 5 minutes would be surprising and disruptive. If the
+  // refresh token is gone or rejected, surface a clear "re-run login" message.
+  const onUnauthorized = async () => {
+    process.stderr.write("Received 401 — attempting silent token refresh...\n");
+    try {
+      const stored = load(SUTRA_OAUTH_ISSUER);
+      if (!stored || !stored.refresh_token) {
+        process.stderr.write(
+          "No refresh token available. Run `npx -y @sutraspaces/mcp-server login` to re-authenticate.\n"
+        );
+        return;
+      }
+      const updated = await refresh({ issuer: SUTRA_OAUTH_ISSUER, creds: stored });
+      cachedToken = updated.access_token;
+      process.stderr.write("Token refreshed.\n");
+    } catch (err) {
+      process.stderr.write(
+        `Token refresh failed: ${err.message}\n` +
+        "Run `npx -y @sutraspaces/mcp-server login` to re-authenticate.\n"
+      );
+      // cachedToken unchanged; the retry will fail and surface a clear error.
+    }
+  };
+
+  client = new SutraAdminClient({ getToken, onUnauthorized }, SUTRA_BASE_URL);
 }
 
+// ---------------------------------------------------------------------------
+// MCP server setup
+// ---------------------------------------------------------------------------
+
 const server = new McpServer({
   name: "sutra",
-  version: "1.1.0",
+  version: "1.2.0",
   description:
     "Sutra Admin API — manage spaces, members, contacts, content, discussions, surveys, plans, broadcasts, and more.",
 });
 
-const client = new SutraAdminClient(SUTRA_API_TOKEN, SUTRA_BASE_URL);
-
 registerSpaceTools(server, client);
 registerMemberTools(server, client);
 registerContentTools(server, client);
+registerDocumentTools(server, client);
+registerMediaTools(server, client);
 registerPropertyTools(server, client);
 registerInvitationTools(server, client);
 registerSurveyTools(server, client);
@@ -50,16 +137,19 @@ registerCouponTools(server, client);
 registerBroadcastTools(server, client);
 registerDeepTool(server, client);
 registerAutomationTools(server, client);
+registerDesignTools(server, client);
 registerHelpCenterTools(server);
+registerBlogTools(server);
 registerAdminApiResources(server);
+registerDesignResources(server, client);
 
 async function main() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
-  console.error("Sutra MCP server running on stdio");
+  process.stderr.write("Sutra MCP server running on stdio\n");
 }
 
 main().catch((err) => {
-  console.error("Fatal:", err);
+  process.stderr.write(`Fatal: ${err}\n`);
   process.exit(1);
 });

package/src/resources/design.js

@@ -0,0 +1,77 @@
+const BUNDLED_CAPABILITIES_MARKDOWN = `# Sutra Design Capabilities
+
+Read this before designing Sutra pages.
+
+- Use get_design_capabilities for the live manifest whenever possible.
+- Read get_space_design before changing a page and keep its content_digest as base_digest.
+- Validate nodes before creating or publishing a draft.
+- Use create_or_update_design_draft and publish_design_draft instead of raw content writes.
+- If publish returns 409 conflict, re-read the design and rebase instead of retrying blindly.
+- Do not emit image_keywords; direct design writes require real image URLs.
+- Use actionCallbackValue and actionCallbackTarget for action buttons.
+- Use 12-unit grid dist arrays such as [6,6], [8,4], or [4,4,4].
+- Use only font families returned by get_design_capabilities fonts.available; other fonts fall back at render time.
+`;
+
+export function registerDesignResources(server, client) {
+  server.registerResource(
+    "sutra-design-capabilities",
+    "sutra://design/capabilities",
+    {
+      title: "Sutra Design Capabilities",
+      description: "Renderer-aware Sutra design rules and supported fonts for page-generation tools.",
+      mimeType: "text/markdown",
+    },
+    async () => {
+      let text = BUNDLED_CAPABILITIES_MARKDOWN;
+      try {
+        const live = await client.get("/design/capabilities");
+        text = manifestToMarkdown(live.data || live);
+      } catch (_err) {
+        text += "\n\nLive capabilities could not be fetched; this bundled guidance may be stale.\n";
+      }
+
+      return {
+        contents: [
+          {
+            uri: "sutra://design/capabilities",
+            mimeType: "text/markdown",
+            text,
+          },
+        ],
+      };
+    }
+  );
+}
+
+function manifestToMarkdown(manifest) {
+  const lines = [
+    "# Sutra Design Capabilities",
+    "",
+    `Version: ${manifest.version || "unknown"}`,
+    "",
+    "## Rules",
+  ];
+
+  for (const rule of Object.values(manifest.rules || {})) lines.push(`- ${rule}`);
+  lines.push("", "## Node Types");
+  for (const [type, spec] of Object.entries(manifest.nodes || {})) {
+    lines.push(`- \`${type}\` attrs: ${(spec.attrs || []).map((attr) => `\`${attr}\``).join(", ")}`);
+  }
+  lines.push("", "## Marks");
+  for (const [type, spec] of Object.entries(manifest.marks || {})) {
+    lines.push(`- \`${type}\` attrs: ${(spec.attrs || []).map((attr) => `\`${attr}\``).join(", ")}`);
+  }
+  const fonts = manifest.fonts || {};
+  const availableFonts = fonts.available || [];
+  lines.push("", "## Fonts");
+  if (availableFonts.length > 0) {
+    for (const font of availableFonts) lines.push(`- ${font}`);
+  } else {
+    lines.push("- No font list returned by the live manifest.");
+  }
+  if (fonts.note) lines.push(`- ${fonts.note}`);
+  lines.push("", "## Anti-patterns");
+  for (const rule of manifest.anti_patterns || []) lines.push(`- ${rule}`);
+  return lines.join("\n");
+}

package/src/tools/blog.js

@@ -0,0 +1,204 @@
+import { z } from "zod";
+
+// MCP tools for the Sutra Blog (public surface at /resources). Mirrors
+// help-center.js, blog-shaped: category is optional, tags are supported, and
+// the support-only fields (product_area, intent_type, applies_to_plan, …) are
+// dropped. Calls the admin API under /api/v4/lotus/blog.
+const BLOG_BASE_URL = process.env.SUTRA_BLOG_BASE_URL || "https://api.sutra.co/api/v4/lotus/blog";
+
+export function registerBlogTools(server) {
+  const token = process.env.SUTRA_BLOG_TOKEN || process.env.SUTRA_HELP_CENTER_TOKEN;
+  if (!token) return;
+
+  async function request(method, path, { params, body } = {}) {
+    const url = new URL(`${BLOG_BASE_URL}${path}`);
+    if (params) {
+      for (const [k, v] of Object.entries(params)) {
+        if (v !== undefined && v !== null) url.searchParams.set(k, String(v));
+      }
+    }
+    const headers = {
+      Authorization: `Bearer ${token}`,
+      Accept: "application/json",
+      ...(body ? { "Content-Type": "application/json" } : {}),
+    };
+    const res = await fetch(url.toString(), {
+      method,
+      headers,
+      body: body ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    if (!res.ok) throw new Error(`${method} ${path} → ${res.status}: ${text}`);
+    return text ? JSON.parse(text) : {};
+  }
+
+  // Shared optional post fields (used by create / propose / update).
+  const postFields = {
+    title: z.string().optional().describe("Post title"),
+    slug: z.string().optional().describe("URL slug (auto-generated from title if omitted; cannot equal a category slug)"),
+    subtitle: z.string().optional().describe("Subtitle / deck"),
+    excerpt: z.string().optional().describe("Short summary shown on cards"),
+    blog_category_id: z.number().optional().describe("Category ID — OPTIONAL (posts can be uncategorized)"),
+    hero_image_url: z.string().optional().describe("Hero / cover image URL"),
+    og_image_url: z.string().optional().describe("Open Graph image URL"),
+    meta_title: z.string().optional().describe("SEO meta title"),
+    meta_description: z.string().optional().describe("SEO meta description"),
+    featured: z.boolean().optional().describe("Feature on the landing page"),
+    position: z.number().optional().describe("Sort position"),
+    search_keywords: z.array(z.string()).optional().describe("Extra search keywords for recall"),
+    tags: z.array(z.string()).optional().describe("Tag slugs (created if missing)"),
+  };
+
+  // --- Posts ---
+
+  server.tool(
+    "blog_list_posts",
+    "List blog posts (the public Resources surface, served at /resources) with optional filters. Returns post summaries and stats.",
+    {
+      status: z.enum(["draft", "published", "archived"]).optional().describe("Filter by status"),
+      review_status: z.string().optional().describe("Filter by review status"),
+      category_id: z.number().optional().describe("Filter by category ID"),
+      featured: z.boolean().optional().describe("Filter by featured flag"),
+      q: z.string().optional().describe("Search title and excerpt"),
+    },
+    async (params) => json(await request("GET", "/posts.json", { params }))
+  );
+
+  server.tool(
+    "blog_get_post",
+    "Get a blog post with full content, metadata, and version history.",
+    { id: z.number().describe("Post ID") },
+    async ({ id }) => json(await request("GET", `/posts/${id}.json`))
+  );
+
+  server.tool(
+    "blog_create_post",
+    "Create a new blog post. Returns the post and its first version.",
+    {
+      ...postFields,
+      title: z.string().describe("Post title"),
+      status: z.enum(["draft", "published", "archived"]).optional().describe("Initial status (default: draft)"),
+      content: z.any().optional().describe("Tiptap JSON content"),
+      commit_message: z.string().optional().describe("Version commit message"),
+      publish: z.boolean().optional().describe("Publish immediately after creation"),
+    },
+    async ({ publish, ...post }) => json(await request("POST", "/posts.json", { body: { post, publish } }))
+  );
+
+  server.tool(
+    "blog_propose_post",
+    "Submit an AI-authored blog post draft for human review. Creates an ai_cobolt version and marks the post as AI changes pending (not published).",
+    {
+      ...postFields,
+      title: z.string().describe("Post title"),
+      content: z.any().describe("Tiptap JSON content"),
+      commit_message: z.string().optional().describe("Version commit message"),
+      ai_agent_id: z.string().optional().describe("Identifier for the AI agent submitting the draft"),
+      source_signal: z.record(z.any()).optional().describe("Evidence or trigger that led to this draft"),
+    },
+    async ({ ai_agent_id, source_signal, ...post }) =>
+      json(await request("POST", "/posts/propose.json", { body: { post, ai_agent_id, source_signal } }))
+  );
+
+  server.tool(
+    "blog_update_post",
+    "Update an existing blog post and create a new version.",
+    {
+      id: z.number().describe("Post ID"),
+      ...postFields,
+      status: z.string().optional().describe("Status (draft/published/archived)"),
+      content: z.any().optional().describe("Tiptap JSON content"),
+      commit_message: z.string().optional().describe("Version commit message"),
+      publish: z.boolean().optional().describe("Publish this version immediately"),
+    },
+    async ({ id, publish, ...post }) => json(await request("PUT", `/posts/${id}.json`, { body: { post, publish } }))
+  );
+
+  server.tool(
+    "blog_propose_post_update",
+    "Submit AI-authored changes to an existing blog post for human review. Creates an ai_cobolt pending version without publishing.",
+    {
+      id: z.number().describe("Post ID"),
+      ...postFields,
+      content: z.any().optional().describe("Proposed Tiptap content; omit for metadata-only proposals"),
+      commit_message: z.string().optional().describe("Version commit message"),
+      ai_agent_id: z.string().optional().describe("Identifier for the AI agent submitting the proposal"),
+      source_signal: z.record(z.any()).optional().describe("Evidence or trigger that led to this update"),
+    },
+    async ({ id, ai_agent_id, source_signal, ...post }) =>
+      json(await request("POST", `/posts/${id}/propose_update.json`, { body: { post, ai_agent_id, source_signal } }))
+  );
+
+  server.tool(
+    "blog_publish_post",
+    "Publish a blog post version. Publishes the latest version if no version_id is given.",
+    {
+      id: z.number().describe("Post ID"),
+      version_id: z.number().optional().describe("Specific version ID to publish (defaults to latest)"),
+    },
+    async ({ id, version_id }) =>
+      json(await request("POST", `/posts/${id}/publish.json`, { body: version_id ? { version_id } : {} }))
+  );
+
+  server.tool(
+    "blog_review_post",
+    "Approve or reject a pending blog post version.",
+    {
+      id: z.number().describe("Post ID"),
+      version_id: z.number().describe("Version ID to review"),
+      decision: z.enum(["approve", "reject"]).describe("Review decision"),
+      comment: z.string().optional().describe("Review comment"),
+    },
+    async ({ id, ...body }) => json(await request("POST", `/posts/${id}/review.json`, { body }))
+  );
+
+  // --- Categories ---
+
+  server.tool("blog_list_categories", "List all blog categories.", {}, async () =>
+    json(await request("GET", "/categories.json")));
+
+  server.tool(
+    "blog_create_category",
+    "Create a new blog category.",
+    {
+      name: z.string().describe("Category name"),
+      slug: z.string().optional().describe("URL slug"),
+      description: z.string().optional().describe("Category description"),
+      icon_library: z.string().optional().describe("Icon library name"),
+      icon_name: z.string().optional().describe("Icon name"),
+      icon_color: z.string().optional().describe("Icon color hex"),
+      position: z.number().optional().describe("Sort position"),
+      published: z.boolean().optional().describe("Whether the category is published"),
+    },
+    async (category) => json(await request("POST", "/categories.json", { body: { category } }))
+  );
+
+  server.tool(
+    "blog_update_category",
+    "Update a blog category.",
+    {
+      id: z.number().describe("Category ID"),
+      name: z.string().optional(),
+      slug: z.string().optional(),
+      description: z.string().optional(),
+      icon_library: z.string().optional(),
+      icon_name: z.string().optional(),
+      icon_color: z.string().optional(),
+      position: z.number().optional(),
+      published: z.boolean().optional(),
+    },
+    async ({ id, ...category }) => json(await request("PUT", `/categories/${id}.json`, { body: { category } }))
+  );
+
+  server.tool("blog_delete_category", "Delete a blog category.", { id: z.number().describe("Category ID") },
+    async ({ id }) => json(await request("DELETE", `/categories/${id}.json`)));
+
+  // --- Tags ---
+
+  server.tool("blog_list_tags", "List all blog tags.", {}, async () =>
+    json(await request("GET", "/tags.json")));
+}
+
+function json(data) {
+  return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+}