@timelesscms-com/mcp-server 0.1.0

package/AGENTS.md

@@ -0,0 +1,319 @@
+# AGENTS.md — Working on a TimelessCMS site
+
+You are connected to a TimelessCMS site through `@timelesscms-com/mcp-server`.
+This file is your briefing: what the system is, what conventions matter,
+what tools to reach for first.
+
+If anything below conflicts with what you observe in the tools, trust the
+tools — the platform may have moved since this was written.
+
+## What this is
+
+TimelessCMS is a static-site CMS: content lives in a database, the user
+edits it through an in-app editor, and a deploy step compiles everything
+to a fast static site hosted on Cloudflare Pages. The in-app chat handles
+single-page or single-block edits by the editor audience. You — through
+this MCP — handle the work that doesn't fit there: site-wide redesigns,
+bulk content updates, structural migrations, directory imports.
+
+The MCP server is a thin wrapper around the public REST API. Each tool
+maps to one HTTP endpoint; the actual logic runs in the customer's portal
+(SaaS or self-hosted).
+
+## The data model in 90 seconds
+
+- **Pages.** Title, slug, status (`draft | review | unlisted | published`),
+  HTML body (`html_content`), SEO fields. Slug can contain slashes, so
+  `2024/01/foo-bar` is a valid slug → `/2024/01/foo-bar` URL. Encode
+  hierarchy in the slug; the renderer doesn't use `parent` for routing.
+
+- **Partials = global blocks.** Three kinds:
+  - `header` — auto-injected at the top of every page.
+  - `footer` — auto-injected at the bottom of every page.
+  - `free` — reusable HTML you drop into a page with
+    `<x-include name="block-id" />`. Free blocks are how you avoid
+    duplicating HTML across pages.
+
+- **Collections.** Repeatable content types (blog, team, events,
+  products, restaurants for a directory site, etc.). Each has a schema
+  (`fields[]`) and optional **per-item routing** via `route_template`
+  (e.g. `/restaurants/{slug}`). When set, every published item gets its
+  own static URL rendered through `item_template_html`. Set
+  `route_template=""` to opt out and keep the collection listing-only.
+
+- **Settings.** Site name, tagline, logo, favicon, colors, fonts,
+  contact info, social links, SEO suffix. Scripts and custom CSS exist
+  on the settings doc but the API does NOT expose them — the customer
+  edits those manually.
+
+- **Redirects.** `from_path → to_path` with status code 301 / 302.
+  Auto-created when you change a page's slug.
+
+- **Versions / branches.** Copy-on-write. The "main" version is the
+  live one. Create a branch (`create_branch`) for multi-step work;
+  everything you write through `?version=<branch-id>` lives on the
+  branch until you `merge_branch` it back to main. Branches default
+  `robots_blocked: true` so a half-finished redesign can't be indexed,
+  and deploys land at a stable `{branch}.{project}.pages.dev` URL.
+
+- **Deploys.** Customers see live changes only after a deploy. Preview
+  always sees drafts. `trigger_deploy` enqueues; `get_deploy_status`
+  reports `queued → running → succeeded | failed`.
+
+- **Site URLs.** `get_site` returns a `urls` object with:
+    - `production` — the customer's real domain (or null)
+    - `fallback` — the auto `{slug}.timelesscms.app`-style preview URL
+    - `preview_base` — the portal preview origin (for token URLs)
+  Use these in answers to "what's the URL?" — never invent.
+
+## Discovering this site
+
+Don't hardcode assumptions about what's here. Every fact about the site
+goes through the MCP:
+
+1. `get_site` — confirm the key works; learn the site name + URLs.
+2. `read_site_settings` — colors, fonts, contact info, SEO suffix,
+   content language (used by `suggest_alt_text_context`).
+3. `list_pages` — what pages exist, paginated.
+4. `list_partials` — what shared blocks already exist. **Defaults to
+   summary mode** (no html_content, just bytes count) — pass
+   `include_content: true` if you actually need the bodies inline.
+5. `list_collections` — what content types exist + their schemas +
+   `route_template` (so you know if items have URLs).
+6. `list_block_types` — registered block types (often empty today;
+   fills in once the block editor lands).
+
+You usually want at least #1 + #2 + a sampling from #3 before
+proposing any design change, so you mirror the conventions in use.
+
+## Common operations
+
+### "Replace this string across the whole site"
+
+```
+search_pages contains="299 kr"             → matches + excerpts
+bulk_replace_text dry_run=true ...          → sample_diffs
+# show the user, get confirmation
+bulk_replace_text dry_run=false ...         → write
+trigger_deploy                              → ship
+get_deploy_status job_id=…                  → poll until succeeded
+```
+
+Writes go through the normal save pipeline (SEO transform + revision
+snapshot) so changes are reversible from the in-app History tab.
+
+### "Audit / understand the site"
+
+```
+list_pages limit=200                              → inventory
+batch_read_pages page_ids=[…]                     → bulk-load bodies
+list_partials                                     → shared blocks (summary)
+find_pages_using_block partial_id=<id>            → blast radius per block
+list_collections                                  → content types + routing
+list_collection_items collection=<name>           → items (richtext hidden)
+```
+
+`find_pages_using_block` for the header or footer returns the full
+page list (they're auto-injected on every page).
+
+### "Redesign the home page"
+
+```
+get_site + read_site_settings
+read_partial partial_id="header"
+list_pages → batch_read_pages a few existing pages    # learn conventions
+# Propose redesign locally; ask user to confirm.
+create_branch name="Home redesign"                    # ID is, say, "home-redesign"
+update_page page_id=home patch={ html_content: "…" } version=home-redesign
+get_preview_link page_id=home version=home-redesign   # signed clickable URL
+# Iterate. When approved:
+merge_branch version_id=home-redesign
+trigger_deploy
+```
+
+The branch also has its own permanent deploy URL at
+`https://home-redesign.<project>.pages.dev` after `trigger_deploy
+version=home-redesign` — useful for "share with stakeholders without
+showing them my preview token". `read_version version_id=home-redesign`
+returns it as `deploy_url`.
+
+### "Build a reusable block"
+
+If you see the same HTML on 3+ pages, propose a free block instead of
+duplicating it:
+
+```
+create_free_block id="newsletter-cta" html_content="<form>…</form>"
+# Then on each page where it should appear:
+update_page page_id=… patch={ html_content: "<…><x-include name=\"newsletter-cta\" />" }
+```
+
+Edits to the block update every page that includes it. Use
+`find_pages_using_block` before changing it.
+
+### "Build a directory site / import structured data"
+
+```
+create_collection
+  name="restaurants"
+  label_singular="Restaurant" label_plural="Restaurants"
+  fields=[ ...title, slug, address, phone, cuisine, body... ]
+  route_template="/restaurants/{slug}"
+  item_template_html="<article><h1>{{title}}</h1>… {{{body}}}</article>"
+
+# For each row in your source data:
+create_collection_item collection="restaurants" fields={…} status="published"
+
+# Each published item now lives at /restaurants/{slug}, included in
+# sitemap.xml. Preview a specific one:
+get_preview_link collection_name="restaurants" item_id="<id>"
+
+# Optional listing page:
+list_collection_items collection="restaurants" limit=200
+update_page page_id=restaurants patch={ html_content: "<hand-written listing>" }
+```
+
+### "Migrate a content type (e.g. WP custom post type)"
+
+```
+list_collections                                     # what exists today?
+read_collection name=blog                            # what fields are writable?
+batch_read_collection_items …                        # load items (richtext hidden)
+# Transform locally; then:
+update_collection_item …  (or)  create_collection_item …
+```
+
+Fields outside the schema are silently dropped — call `read_collection`
+first if you're unsure what's writable.
+
+### "Add images to a page"
+
+```
+# Image lives on a URL somewhere (Unsplash, customer's existing CDN):
+upload_media_from_url source_url="https://..." alt_text="Hero photo of …"
+  → returns { media_id, cdn_url, … }
+
+# OR image lives in your memory (image-gen output):
+upload_media_inline filename="hero.png" content_type="image/png"
+                    data_base64="iVBORw0KGgo…"
+  → returns the same shape
+
+# OPTIONAL but recommended: produce srcset variants for responsive <img>:
+generate_image_variants media_id=<id>
+  → returns webp + avif variants at 320/640/1024/1920 widths
+    (skips upscales; sub-5s per image)
+
+# Then embed in a page:
+read_page page_id=...
+# Build <picture> or <img srcset="..."> using variants[*].cdn_url
+update_page page_id=... patch={ html_content: "<...><img src='{cdn_url}' .../>" }
+```
+
+### "Fill missing alt-text across the media library"
+
+```
+list_media                                 → find items where alt_text is empty
+suggest_alt_text_context media_id=<id>     → returns image_url + tuned prompt
+                                             + language + nearest-heading context
+# Pass image_url + the returned suggested_prompt to YOUR OWN vision
+# capability. The platform does NOT run vision for you.
+update_media media_id=<id> alt_text="<what vision returned>"
+```
+
+The prompt is tuned for SEO-grade output: 5-15 words, written in
+`settings.language`, skips "image of" filler, decorative images return
+empty string.
+
+### "Change a page's URL safely"
+
+```
+update_page page_id=about patch={ slug: "om-oss" }
+  → response includes:
+     auto_redirects: [{ from_path: "/about", to_path: "/om-oss",
+                        status_code: 301 }]
+     sanitization_warnings: []
+```
+
+The 301 fires automatically — you don't have to remember.
+
+## Safety boundaries
+
+- **HTML is sanitized at save.** No `<script>`, no `onclick`, no
+  `javascript:` URLs in page or partial bodies. Write responses include
+  a `sanitization_warnings: []` array listing what got stripped, so you
+  see when an input was modified.
+- **scripts_head, scripts_body_end, custom_css** are read-stripped on
+  `read_site_settings` and silently dropped on `update_site_settings`.
+- **The API key is site-scoped.** Cross-site reach is impossible — a
+  key on the wrong site returns 401, indistinguishable from "bad token".
+- **Audit log.** Every state-changing call (POST / PATCH / PUT /
+  DELETE) is logged. Reads aren't. The customer sees "Acme agency key
+  wrote to /pages/home at 14:32" in the portal.
+- **Rate limits.** 600 reads/min, 60 writes/min per key. On 429 the
+  response carries `Retry-After`.
+
+## Preview-driven workflow
+
+After any non-trivial change, call `get_preview_link` and ask the user
+(or your own browser tool) to confirm the result before moving on. One
+HTTP call vs. shipping a broken redesign — always worth it.
+
+Preview shows DB state (drafts included). Live (`get_site → urls.production`)
+shows the most recent deploy. Branch deploys live at
+`get_version → deploy_url` (`{branch}.{project}.pages.dev`).
+
+## Branches
+
+For multi-step work, create a branch:
+
+```
+create_branch name="Pricing refresh"
+```
+
+The response includes `id` — pass that as `version=<id>` on every
+subsequent call. The branch is independent of main; writes don't affect
+the live site until you `merge_branch`.
+
+Branches default `robots_blocked: true`. Deploys to a branch land at a
+stable, share-able URL (`{branch}.{project}.pages.dev`); use that for
+stakeholder review.
+
+## When in doubt
+
+- **Read before you write.** A `read_page` round-trip is cheap and
+  stops you overwriting unrelated changes.
+- **Dry-run bulk operations.** `bulk_replace_text` accepts `dry_run:
+  true` and returns 3 sample diffs. Show them to the user before the
+  real run.
+- **Watch the sanitization_warnings array.** If it's non-empty, the
+  stored HTML differs from what you sent. Read it back to confirm.
+- **One small confirmation > one large undo.** The audit log makes it
+  obvious who did what, but a clean revert across many pages is still
+  more work than asking "ok to proceed?" first.
+- **Match the site's design.** Read a partial or two before designing
+  new components. CSS variables (`var(--color-primary)`) are common
+  but not universal — mirror what's already in use.
+
+## Reference: tool families
+
+| Family       | Tools |
+|---|---|
+| **Discovery** | `get_site`, `update_site`, `list_versions`, `read_site_settings` |
+| **Pages — reads** | `list_pages`, `read_page`, `batch_read_pages` |
+| **Pages — writes** | `create_page`, `update_page`, `replace_page`, `batch_update_pages`, `delete_page`, `clone_page` |
+| **Pages — meta** | `get_page_blocks`, `get_page_preview` |
+| **Global blocks** | `list_partials` (summary by default), `read_partial`, `create_free_block`, `update_partial`, `replace_partial`, `delete_partial`, `find_pages_using_block`, `list_blocks_with_usage` |
+| **Block types** | `list_block_types`, `read_block_type`, `find_pages_using_block_type` |
+| **Collections** | `create_collection`, `update_collection_schema`, `delete_collection`, `list_collections`, `read_collection`, `list_collection_items` (richtext hidden by default), `read_collection_item`, `batch_read_collection_items`, `create_collection_item`, `update_collection_item`, `delete_collection_item`, `regenerate_collection_listing` |
+| **Media** | `list_media`, `read_media`, `create_upload_url`, `upload_media_from_url`, `upload_media_inline`, `update_media`, `delete_media`, `generate_image_variants`, `suggest_alt_text_context` |
+| **Redirects** | `list_redirects`, `create_redirect`, `delete_redirect` |
+| **Forms** | `list_forms`, `read_form`, `create_form`, `update_form`, `delete_form`, `list_form_submissions` |
+| **Settings** | `update_site_settings` (whitelist) |
+| **Search + bulk** | `search_pages`, `bulk_replace_text` |
+| **Branches** | `create_branch`, `read_version`, `delete_branch`, `merge_branch` |
+| **Deploy** | `trigger_deploy`, `list_deploys`, `get_deploy_status` |
+| **Preview** | `get_preview_link`, `get_page_preview` |
+
+Every tool's input is validated server-side; the MCP server only does
+auth + shape. If a tool returns `isError: true`, the body carries
+`{ error, status, body }` from the underlying HTTP response.

package/README.md

@@ -0,0 +1,135 @@
+# @timelesscms-com/mcp-server
+
+Model Context Protocol server for the [TimelessCMS](https://timelesscms.com)
+public API. Lets Claude Code (or any MCP-compatible client) manage a
+TimelessCMS site through the same tool surface a human agency would use:
+read and write pages, partials, collections, media, redirects, versions;
+trigger deploys; mint preview links.
+
+The server is a **thin transport adapter** — every tool wraps one HTTP
+endpoint of the TimelessCMS REST API. Auth happens at the API layer with
+a site-scoped key; the MCP just carries the bearer through.
+
+## Quick start
+
+1. **Create an API key** in your TimelessCMS portal at
+   `/app/sites/{siteId}/settings/api-keys`. The key is shown once at
+   creation — copy it somewhere safe.
+
+2. **Add the server to Claude Code.** Drop this into `~/.claude.json`
+   (or your local `.claude/config.json`):
+
+   ```json
+   {
+     "mcpServers": {
+       "timelesscms": {
+         "command": "npx",
+         "args": ["-y", "@timelesscms-com/mcp-server"],
+         "env": {
+           "TCMS_API_URL": "https://app.timelesscms.com",
+           "TCMS_API_KEY": "tcms_live_REPLACE_WITH_YOUR_KEY"
+         }
+       }
+     }
+   }
+   ```
+
+   For a self-hosted portal, point `TCMS_API_URL` at it (e.g.
+   `https://cms.example.com`).
+
+3. **Tell the agent what kind of work you want.** A good first message:
+
+   > "Connect to TimelessCMS and tell me what you find — site name,
+   > number of pages, what global blocks exist, what collections are
+   > defined. Then I'll give you a task."
+
+   Claude will call `get_site`, `list_pages`, `list_partials`,
+   `list_collections` in sequence and report back.
+
+## Environment variables
+
+| Var             | Required | Description |
+|-----------------|----------|-------------|
+| `TCMS_API_URL`  | yes      | Base URL of your TimelessCMS portal. |
+| `TCMS_API_KEY`  | yes      | A `tcms_live_…` bearer token from the API keys page. |
+| `TCMS_SITE_ID`  | no       | Pin the server to a specific site. Defaults to autodetect (calls `GET /v1/sites` — per-site keys return exactly one). |
+
+## What the agent should read first
+
+The package ships [AGENTS.md](./AGENTS.md), a self-contained briefing
+that explains TimelessCMS conventions, common operations, and the safety
+boundaries an agent needs to respect. Point Claude at it (or include it
+in your project's `CLAUDE.md` / `AGENTS.md`) so it knows when to use
+which tool.
+
+## Tool surface
+
+Around 50 tools across these families. See [AGENTS.md](./AGENTS.md) for
+the full reference + concrete operation recipes.
+
+- **Discovery** — `get_site`, `update_site` (name/slug/domain), `list_versions`,
+  `read_site_settings`, `update_site_settings`.
+- **Pages** — list, read, batch-read, create, update (PATCH), replace
+  (PUT), batch-update, delete, clone, get-blocks, get-preview.
+- **Global blocks (partials)** — list (summary mode by default), read,
+  create free block, update, replace, delete, find-pages-using-block.
+- **Block types** — list, read, find-pages-using-block-type. Surface
+  for the future block editor.
+- **Collections + items** — create/update/delete the collection schema
+  itself (incl. `route_template` for per-item URLs); list/read/batch-
+  read/create/update/delete items.
+- **Media** — list, read, signed upload URLs, `upload_media_from_url`,
+  `upload_media_inline`, patch metadata, delete, `generate_image_variants`
+  (build-time srcset pipeline), `suggest_alt_text_context` (returns a
+  tuned prompt for your own vision model).
+- **Redirects** — list, create, delete. Plus automatic 301 on slug change.
+- **Forms** — list, read, create, update, delete, list submissions.
+- **Settings** — read + patch (scripts and custom CSS not exposed).
+- **Search** — `search_pages` with substring or regex.
+- **Bulk** — `bulk_replace_text` with dry-run.
+- **Branches** — create, read, delete, merge. Branch deploys get their
+  own URL at `{branch}.{project}.pages.dev`.
+- **Deploy** — trigger, list, get status.
+- **Preview** — `get_preview_link` (signed URL for browser navigation;
+  supports `page_id`, `slug`, or `collection_name + item_id`).
+
+## Direct REST API access
+
+If you don't want the MCP wrapper, the same surface is reachable directly
+with curl:
+
+```bash
+curl -H "Authorization: Bearer tcms_live_..." \
+  https://app.timelesscms.com/api/v1/sites/<siteId>/pages
+```
+
+The MCP server is purely an ergonomics layer on top of that.
+
+## Security model
+
+- API keys are **site-scoped**. A key cannot read or write another site
+  in the same organization — server-side authoritative.
+- All write calls (`POST`, `PUT`, `PATCH`, `DELETE`) are **audit-logged**
+  with the key prefix, IP, method, path, and status. Reads are not
+  logged (cost vs. value).
+- **Rate limits**: 600 reads/min, 60 writes/min per key. 429 responses
+  carry `Retry-After` headers.
+- **HTML sanitization** happens at save time on the server — `<script>`,
+  event handlers, and `javascript:` URLs are stripped. The customer's
+  `scripts_*` and `custom_css` settings are read-stripped and write-dropped
+  by the API.
+- Keys can be **revoked** at any time from the portal. Revocation takes
+  effect on the next request (no in-flight requests get cancelled, but
+  the next one returns 401).
+
+## More
+
+- Full end-to-end production setup recipe with troubleshooting:
+  [docs/claude-code-mcp-setup.md](../../docs/claude-code-mcp-setup.md)
+- Agent operations briefing: [AGENTS.md](./AGENTS.md)
+- Boilerplate skills (migration, content, images, directory, redesign):
+  [skills/](./skills/)
+
+## License
+
+MIT — see [LICENSE](../../LICENSE).

package/dist/client.js

@@ -0,0 +1,103 @@
+// Thin fetch client for the TimelessCMS REST API. The MCP server is just a
+// transport adapter — every tool delegates to one of these methods.
+//
+// Surface kept deliberately tiny so it's easy to reason about: get/post/
+// patch/put/del + a path helper. Errors come back as a structured
+// ApiError with the status and the parsed body so the caller can shape
+// useful tool-result messages.
+export class ApiError extends Error {
+    status;
+    body;
+    constructor(status, body, message) {
+        super(message ?? `API request failed (${status})`);
+        this.status = status;
+        this.body = body;
+        this.name = 'ApiError';
+    }
+}
+export class TcmsClient {
+    baseUrl;
+    apiKey;
+    fetchImpl;
+    constructor(config) {
+        if (!config.baseUrl)
+            throw new Error('baseUrl is required');
+        if (!config.apiKey)
+            throw new Error('apiKey is required');
+        this.baseUrl = config.baseUrl.replace(/\/+$/, '');
+        this.apiKey = config.apiKey;
+        this.fetchImpl = config.fetchImpl ?? globalThis.fetch.bind(globalThis);
+    }
+    /** Build the full URL for a path (relative to /api/v1/sites/{siteId}/...) */
+    url(siteId, path, query) {
+        const cleanPath = path.replace(/^\/+/, '');
+        const url = new URL(`${this.baseUrl}/api/v1/sites/${encodeURIComponent(siteId)}/${cleanPath}`);
+        if (query) {
+            for (const [k, v] of Object.entries(query)) {
+                if (v !== undefined && v !== null)
+                    url.searchParams.set(k, String(v));
+            }
+        }
+        return url.toString();
+    }
+    /** Top-level URL (no siteId prefix) — used by GET /v1/sites only. */
+    rootUrl(path, query) {
+        const cleanPath = path.replace(/^\/+/, '');
+        const url = new URL(`${this.baseUrl}/api/v1/${cleanPath}`);
+        if (query) {
+            for (const [k, v] of Object.entries(query)) {
+                if (v !== undefined && v !== null)
+                    url.searchParams.set(k, String(v));
+            }
+        }
+        return url.toString();
+    }
+    async request(method, url, body) {
+        const headers = {
+            authorization: `Bearer ${this.apiKey}`,
+            accept: 'application/json',
+        };
+        if (body !== undefined)
+            headers['content-type'] = 'application/json';
+        const res = await this.fetchImpl(url, {
+            method,
+            headers,
+            body: body !== undefined ? JSON.stringify(body) : undefined,
+        });
+        const text = await res.text();
+        let parsed = undefined;
+        if (text) {
+            try {
+                parsed = JSON.parse(text);
+            }
+            catch {
+                parsed = text;
+            }
+        }
+        if (!res.ok) {
+            const message = parsed?.error ?? `HTTP ${res.status}`;
+            throw new ApiError(res.status, parsed, message);
+        }
+        return parsed;
+    }
+    // ── Site-scoped helpers ────────────────────────────────────────────────
+    get(siteId, path, query) {
+        return this.request('GET', this.url(siteId, path, query));
+    }
+    post(siteId, path, body, query) {
+        return this.request('POST', this.url(siteId, path, query), body);
+    }
+    patch(siteId, path, body, query) {
+        return this.request('PATCH', this.url(siteId, path, query), body);
+    }
+    put(siteId, path, body, query) {
+        return this.request('PUT', this.url(siteId, path, query), body);
+    }
+    del(siteId, path, query) {
+        return this.request('DELETE', this.url(siteId, path, query));
+    }
+    // ── Root helpers ───────────────────────────────────────────────────────
+    rootGet(path) {
+        return this.request('GET', this.rootUrl(path));
+    }
+}

package/dist/index.js

@@ -0,0 +1,112 @@
+#!/usr/bin/env node
+// TimelessCMS MCP server — stdio entry point.
+//
+// Reads two env vars at startup:
+//   TCMS_API_URL  — base URL of the portal (e.g. https://app.timelesscms.com)
+//   TCMS_API_KEY  — a tcms_live_... bearer token from /app/sites/{id}/settings/api-keys
+//
+// Optionally:
+//   TCMS_SITE_ID  — pre-set the site id. If omitted we discover it by
+//                   calling GET /v1/sites at startup (the v1 keys are
+//                   per-site so that endpoint always returns exactly one).
+//
+// Each tool wraps a single REST endpoint. The MCP server itself does no
+// business logic — that all lives in the portal. This keeps the package
+// boring to maintain and lets the customer's self-hosted portal serve the
+// same MCP without needing two implementations to stay in sync.
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { TcmsClient } from './client.js';
+import { pageTools } from './tools/pages.js';
+import { partialTools } from './tools/partials.js';
+import { collectionTools } from './tools/collections.js';
+import { mediaTools } from './tools/media.js';
+import { redirectTools } from './tools/redirects.js';
+import { formTools } from './tools/forms.js';
+import { searchTools } from './tools/search.js';
+import { bulkTools } from './tools/bulk.js';
+import { versionTools } from './tools/versions.js';
+import { deployTools } from './tools/deploy.js';
+import { previewTools } from './tools/preview.js';
+import { blockTypeTools } from './tools/block-types.js';
+import { settingsTools } from './tools/settings.js';
+import { siteTools } from './tools/sites.js';
+const VERSION = '0.1.0';
+async function resolveSiteId(client) {
+    const fromEnv = process.env.TCMS_SITE_ID?.trim();
+    if (fromEnv)
+        return fromEnv;
+    // Per-site keys → exactly one site. We fetch it so the agent doesn't
+    // have to know its own site id ahead of time.
+    const res = await client.rootGet('sites');
+    if (!res.sites || res.sites.length === 0) {
+        throw new Error('No sites returned for this API key. Check the key is valid.');
+    }
+    if (res.sites.length > 1) {
+        throw new Error(`This key authorises ${res.sites.length} sites; set TCMS_SITE_ID to pick one.`);
+    }
+    return res.sites[0].id;
+}
+function bail(message) {
+    console.error(`timelesscms-mcp: ${message}`);
+    process.exit(1);
+}
+async function main() {
+    const apiUrl = process.env.TCMS_API_URL?.trim();
+    const apiKey = process.env.TCMS_API_KEY?.trim();
+    if (!apiUrl)
+        bail('TCMS_API_URL is not set. Point it at your TimelessCMS portal (e.g. https://app.timelesscms.com).');
+    if (!apiKey)
+        bail('TCMS_API_KEY is not set. Create a key in /app/sites/{siteId}/settings/api-keys and copy it once.');
+    if (!apiKey.startsWith('tcms_live_')) {
+        bail('TCMS_API_KEY does not look like a TimelessCMS key (expected tcms_live_... prefix).');
+    }
+    const client = new TcmsClient({ baseUrl: apiUrl, apiKey });
+    let siteId;
+    try {
+        siteId = await resolveSiteId(client);
+    }
+    catch (e) {
+        bail(`Failed to discover site: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    const deps = { client, siteId };
+    const server = new McpServer({ name: 'timelesscms', version: VERSION }, { capabilities: { tools: {} } });
+    const allTools = [
+        ...siteTools,
+        ...pageTools,
+        ...partialTools,
+        ...blockTypeTools,
+        ...collectionTools,
+        ...mediaTools,
+        ...redirectTools,
+        ...formTools,
+        ...settingsTools,
+        ...searchTools,
+        ...bulkTools,
+        ...versionTools,
+        ...deployTools,
+        ...previewTools,
+    ];
+    // The SDK's registerTool signature has very deep generic constraints
+    // (ZodRawShape × AnySchema × annotations) that TypeScript can't unify
+    // when we iterate heterogeneous tools at runtime. We cast the bag once
+    // here and rely on our own ToolDef contract for type safety.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const register = server.registerTool.bind(server);
+    for (const tool of allTools) {
+        register(tool.name, {
+            description: tool.description,
+            ...(tool.inputSchema ? { inputSchema: tool.inputSchema } : {}),
+        }, 
+        // The SDK's callback gets the args object (when inputSchema is set) or
+        // no args (when it isn't). Both are valid for our handler signature.
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        async (args) => tool.handler(args ?? {}, deps));
+    }
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((err) => {
+    console.error('timelesscms-mcp fatal:', err);
+    process.exit(1);
+});