@wix/mcp 1.0.16 → 1.0.17

package/build/cjs/index.cjs

@@ -3713,9 +3713,9 @@ __export(tslib_es6_exports, {
   __asyncValues: () => __asyncValues,
   __await: () => __await,
   __awaiter: () => __awaiter,
-  __classPrivateFieldGet: () => __classPrivateFieldGet2,
+  __classPrivateFieldGet: () => __classPrivateFieldGet,
   __classPrivateFieldIn: () => __classPrivateFieldIn,
-  __classPrivateFieldSet: () => __classPrivateFieldSet2,
+  __classPrivateFieldSet: () => __classPrivateFieldSet,
   __createBinding: () => __createBinding,
   __decorate: () => __decorate,
   __disposeResources: () => __disposeResources,
@@ -4064,12 +4064,12 @@ function __importStar(mod) {
 function __importDefault(mod) {
   return mod && mod.__esModule ? mod : { default: mod };
 }
-function __classPrivateFieldGet2(receiver, state, kind, f) {
+function __classPrivateFieldGet(receiver, state, kind, f) {
   if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
   if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
   return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 }
-function __classPrivateFieldSet2(receiver, state, value, kind, f) {
+function __classPrivateFieldSet(receiver, state, value, kind, f) {
   if (kind === "m") throw new TypeError("Private method is not writable");
   if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
   if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
@@ -4218,8 +4218,8 @@ var init_tslib_es6 = __esm({
       __makeTemplateObject,
       __importStar,
       __importDefault,
-      __classPrivateFieldGet: __classPrivateFieldGet2,
-      __classPrivateFieldSet: __classPrivateFieldSet2,
+      __classPrivateFieldGet,
+      __classPrivateFieldSet,
       __classPrivateFieldIn,
       __addDisposableResource,
       __disposeResources,
@@ -5492,7 +5492,7 @@ var require_common = __commonJS({
         createDebug.namespaces = namespaces;
         createDebug.names = [];
         createDebug.skips = [];
-        const split = (typeof namespaces === "string" ? namespaces : "").trim().replace(" ", ",").split(",").filter(Boolean);
+        const split = (typeof namespaces === "string" ? namespaces : "").trim().replace(/\s+/g, ",").split(",").filter(Boolean);
         for (const ns of split) {
           if (ns[0] === "-") {
             createDebug.skips.push(ns.slice(1));
@@ -5710,7 +5710,7 @@ var require_browser = __commonJS({
     function load() {
       let r;
       try {
-        r = exports2.storage.getItem("debug");
+        r = exports2.storage.getItem("debug") || exports2.storage.getItem("DEBUG");
       } catch (error) {
       }
       if (!r && typeof process !== "undefined" && "env" in process) {
@@ -5736,15 +5736,16 @@ var require_browser = __commonJS({
   }
 });
 
-// ../../node_modules/has-flag/index.js
+// ../../node_modules/supports-color/node_modules/has-flag/index.js
 var require_has_flag = __commonJS({
-  "../../node_modules/has-flag/index.js"(exports2, module2) {
+  "../../node_modules/supports-color/node_modules/has-flag/index.js"(exports2, module2) {
     "use strict";
-    module2.exports = (flag, argv = process.argv) => {
+    module2.exports = (flag, argv) => {
+      argv = argv || process.argv;
       const prefix = flag.startsWith("-") ? "" : flag.length === 1 ? "-" : "--";
-      const position = argv.indexOf(prefix + flag);
-      const terminatorPosition = argv.indexOf("--");
-      return position !== -1 && (terminatorPosition === -1 || position < terminatorPosition);
+      const pos = argv.indexOf(prefix + flag);
+      const terminatorPos = argv.indexOf("--");
+      return pos !== -1 && (terminatorPos === -1 ? true : pos < terminatorPos);
     };
   }
 });
@@ -5754,23 +5755,16 @@ var require_supports_color = __commonJS({
   "../../node_modules/supports-color/index.js"(exports2, module2) {
     "use strict";
     var os = require("os");
-    var tty = require("tty");
     var hasFlag = require_has_flag();
-    var { env } = process;
+    var env = process.env;
     var forceColor;
-    if (hasFlag("no-color") || hasFlag("no-colors") || hasFlag("color=false") || hasFlag("color=never")) {
-      forceColor = 0;
+    if (hasFlag("no-color") || hasFlag("no-colors") || hasFlag("color=false")) {
+      forceColor = false;
     } else if (hasFlag("color") || hasFlag("colors") || hasFlag("color=true") || hasFlag("color=always")) {
-      forceColor = 1;
+      forceColor = true;
     }
     if ("FORCE_COLOR" in env) {
-      if (env.FORCE_COLOR === "true") {
-        forceColor = 1;
-      } else if (env.FORCE_COLOR === "false") {
-        forceColor = 0;
-      } else {
-        forceColor = env.FORCE_COLOR.length === 0 ? 1 : Math.min(parseInt(env.FORCE_COLOR, 10), 3);
-      }
+      forceColor = env.FORCE_COLOR.length === 0 || parseInt(env.FORCE_COLOR, 10) !== 0;
     }
     function translateLevel(level) {
       if (level === 0) {
@@ -5783,8 +5777,8 @@ var require_supports_color = __commonJS({
         has16m: level >= 3
       };
     }
-    function supportsColor(haveStream, streamIsTTY) {
-      if (forceColor === 0) {
+    function supportsColor(stream) {
+      if (forceColor === false) {
         return 0;
       }
       if (hasFlag("color=16m") || hasFlag("color=full") || hasFlag("color=truecolor")) {
@@ -5793,22 +5787,19 @@ var require_supports_color = __commonJS({
       if (hasFlag("color=256")) {
         return 2;
       }
-      if (haveStream && !streamIsTTY && forceColor === void 0) {
+      if (stream && !stream.isTTY && forceColor !== true) {
         return 0;
       }
-      const min = forceColor || 0;
-      if (env.TERM === "dumb") {
-        return min;
-      }
+      const min = forceColor ? 1 : 0;
       if (process.platform === "win32") {
         const osRelease = os.release().split(".");
-        if (Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
+        if (Number(process.versions.node.split(".")[0]) >= 8 && Number(osRelease[0]) >= 10 && Number(osRelease[2]) >= 10586) {
           return Number(osRelease[2]) >= 14931 ? 3 : 2;
         }
         return 1;
       }
       if ("CI" in env) {
-        if (["TRAVIS", "CIRCLECI", "APPVEYOR", "GITLAB_CI", "GITHUB_ACTIONS", "BUILDKITE"].some((sign) => sign in env) || env.CI_NAME === "codeship") {
+        if (["TRAVIS", "CIRCLECI", "APPVEYOR", "GITLAB_CI"].some((sign) => sign in env) || env.CI_NAME === "codeship") {
           return 1;
         }
         return min;
@@ -5837,16 +5828,19 @@ var require_supports_color = __commonJS({
       if ("COLORTERM" in env) {
         return 1;
       }
+      if (env.TERM === "dumb") {
+        return min;
+      }
       return min;
     }
     function getSupportLevel(stream) {
-      const level = supportsColor(stream, stream && stream.isTTY);
+      const level = supportsColor(stream);
       return translateLevel(level);
     }
     module2.exports = {
       supportsColor: getSupportLevel,
-      stdout: translateLevel(supportsColor(true, tty.isatty(1))),
-      stderr: translateLevel(supportsColor(true, tty.isatty(2)))
+      stdout: getSupportLevel(process.stdout),
+      stderr: getSupportLevel(process.stderr)
     };
   }
 });
@@ -16762,19 +16756,6 @@ var errorUtil;
 })(errorUtil || (errorUtil = {}));
 
 // ../../node_modules/zod/dist/esm/v3/types.js
-var __classPrivateFieldGet = function(receiver, state, kind, f) {
-  if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
-  if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
-  return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
-};
-var __classPrivateFieldSet = function(receiver, state, value, kind, f) {
-  if (kind === "m") throw new TypeError("Private method is not writable");
-  if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
-  if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
-  return kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value), value;
-};
-var _ZodEnum_cache;
-var _ZodNativeEnum_cache;
 var ParseInputLazyPath = class {
   constructor(parent, value, path2, key) {
     this._cachedPath = [];
@@ -19599,10 +19580,6 @@ function createZodEnum(values, params) {
   });
 }
 var ZodEnum = class _ZodEnum extends ZodType {
-  constructor() {
-    super(...arguments);
-    _ZodEnum_cache.set(this, void 0);
-  }
   _parse(input) {
     if (typeof input.data !== "string") {
       const ctx = this._getOrReturnCtx(input);
@@ -19614,10 +19591,10 @@ var ZodEnum = class _ZodEnum extends ZodType {
       });
       return INVALID;
     }
-    if (!__classPrivateFieldGet(this, _ZodEnum_cache, "f")) {
-      __classPrivateFieldSet(this, _ZodEnum_cache, new Set(this._def.values), "f");
+    if (!this._cache) {
+      this._cache = new Set(this._def.values);
     }
-    if (!__classPrivateFieldGet(this, _ZodEnum_cache, "f").has(input.data)) {
+    if (!this._cache.has(input.data)) {
       const ctx = this._getOrReturnCtx(input);
       const expectedValues = this._def.values;
       addIssueToContext(ctx, {
@@ -19666,13 +19643,8 @@ var ZodEnum = class _ZodEnum extends ZodType {
     });
   }
 };
-_ZodEnum_cache = /* @__PURE__ */ new WeakMap();
 ZodEnum.create = createZodEnum;
 var ZodNativeEnum = class extends ZodType {
-  constructor() {
-    super(...arguments);
-    _ZodNativeEnum_cache.set(this, void 0);
-  }
   _parse(input) {
     const nativeEnumValues = util.getValidEnumValues(this._def.values);
     const ctx = this._getOrReturnCtx(input);
@@ -19685,10 +19657,10 @@ var ZodNativeEnum = class extends ZodType {
       });
       return INVALID;
     }
-    if (!__classPrivateFieldGet(this, _ZodNativeEnum_cache, "f")) {
-      __classPrivateFieldSet(this, _ZodNativeEnum_cache, new Set(util.getValidEnumValues(this._def.values)), "f");
+    if (!this._cache) {
+      this._cache = new Set(util.getValidEnumValues(this._def.values));
     }
-    if (!__classPrivateFieldGet(this, _ZodNativeEnum_cache, "f").has(input.data)) {
+    if (!this._cache.has(input.data)) {
       const expectedValues = util.objectValues(nativeEnumValues);
       addIssueToContext(ctx, {
         received: ctx.data,
@@ -19703,7 +19675,6 @@ var ZodNativeEnum = class extends ZodType {
     return this._def.values;
   }
 };
-_ZodNativeEnum_cache = /* @__PURE__ */ new WeakMap();
 ZodNativeEnum.create = (values, params) => {
   return new ZodNativeEnum({
     values,
@@ -19844,7 +19815,7 @@ var ZodEffects = class extends ZodType {
           parent: ctx
         });
         if (!isValid(base))
-          return base;
+          return INVALID;
         const result = effect.transform(base.value, checkCtx);
         if (result instanceof Promise) {
           throw new Error(`Asynchronous transform encountered during synchronous parse operation. Use .parseAsync instead.`);
@@ -19853,7 +19824,7 @@ var ZodEffects = class extends ZodType {
       } else {
         return this._def.schema._parseAsync({ data: ctx.data, path: ctx.path, parent: ctx }).then((base) => {
           if (!isValid(base))
-            return base;
+            return INVALID;
           return Promise.resolve(effect.transform(base.value, checkCtx)).then((result) => ({
             status: status.value,
             value: result
@@ -21266,7 +21237,7 @@ var Protocol = class {
   request(request, resultSchema, options) {
     const { relatedRequestId, resumptionToken, onresumptiontoken } = options !== null && options !== void 0 ? options : {};
     return new Promise((resolve, reject) => {
-      var _a, _b, _c, _d, _e;
+      var _a, _b, _c, _d, _e, _f;
       if (!this._transport) {
         reject(new Error("Not connected"));
         return;
@@ -21285,7 +21256,10 @@ var Protocol = class {
         this._progressHandlers.set(messageId, options.onprogress);
         jsonrpcRequest.params = {
           ...request.params,
-          _meta: { progressToken: messageId }
+          _meta: {
+            ...((_c = request.params) === null || _c === void 0 ? void 0 : _c._meta) || {},
+            progressToken: messageId
+          }
         };
       }
       const cancel = (reason) => {
@@ -21318,13 +21292,13 @@ var Protocol = class {
           reject(error);
         }
       });
-      (_c = options === null || options === void 0 ? void 0 : options.signal) === null || _c === void 0 ? void 0 : _c.addEventListener("abort", () => {
+      (_d = options === null || options === void 0 ? void 0 : options.signal) === null || _d === void 0 ? void 0 : _d.addEventListener("abort", () => {
         var _a2;
         cancel((_a2 = options === null || options === void 0 ? void 0 : options.signal) === null || _a2 === void 0 ? void 0 : _a2.reason);
       });
-      const timeout = (_d = options === null || options === void 0 ? void 0 : options.timeout) !== null && _d !== void 0 ? _d : DEFAULT_REQUEST_TIMEOUT_MSEC;
+      const timeout = (_e = options === null || options === void 0 ? void 0 : options.timeout) !== null && _e !== void 0 ? _e : DEFAULT_REQUEST_TIMEOUT_MSEC;
       const timeoutHandler = () => cancel(new McpError(ErrorCode.RequestTimeout, "Request timed out", { timeout }));
-      this._setupTimeout(messageId, timeout, options === null || options === void 0 ? void 0 : options.maxTotalTimeout, timeoutHandler, (_e = options === null || options === void 0 ? void 0 : options.resetTimeoutOnProgress) !== null && _e !== void 0 ? _e : false);
+      this._setupTimeout(messageId, timeout, options === null || options === void 0 ? void 0 : options.maxTotalTimeout, timeoutHandler, (_f = options === null || options === void 0 ? void 0 : options.resetTimeoutOnProgress) !== null && _f !== void 0 ? _f : false);
       this._transport.send(jsonrpcRequest, { relatedRequestId, resumptionToken, onresumptiontoken }).catch((error) => {
         this._cleanupTimeout(messageId);
         reject(error);
@@ -22981,6 +22955,9 @@ var McpServer = class {
       return;
     }
     this.server.assertCanSetRequestHandler(CompleteRequestSchema.shape.method.value);
+    this.server.registerCapabilities({
+      completions: {}
+    });
     this.server.setRequestHandler(CompleteRequestSchema, async (request) => {
       switch (request.params.ref.type) {
         case "ref/prompt":
@@ -23053,8 +23030,9 @@ var McpServer = class {
         const result = await template.resourceTemplate.listCallback(extra);
         for (const resource of result.resources) {
           templateResources.push({
-            ...resource,
-            ...template.metadata
+            ...template.metadata,
+            // the defined resource metadata should override the template metadata if present
+            ...resource
           });
         }
       }
@@ -23413,6 +23391,7 @@ var createPanoramaClient = (opts) => {
     },
     data: {
       environment: opts.environment,
+      serverInfo: opts.serverInfo,
       runtime: {
         packageVersion: packageJson.version,
         versions: process.versions,
@@ -23473,12 +23452,9 @@ var logger2 = createNullLogger();
 
 // src/wix-mcp-server.ts
 var WixMcpServer = class extends McpServer {
-  biLogger;
-  nodeEnv;
-  sessionId;
-  getUserId;
   constructor(serverInfo, options, nodeEnv) {
     super(serverInfo, options);
+    this.serverInfo = serverInfo;
     this.sessionId = v4_default();
     this.nodeEnv = getEnvironment(nodeEnv);
     this.biLogger = createBiLogger({
@@ -23486,9 +23462,17 @@ var WixMcpServer = class extends McpServer {
     });
     logger2.log(`WixMcpServer created with sessionId: ${this.sessionId}`);
   }
+  biLogger;
+  nodeEnv;
+  sessionId;
+  getUserId;
+  getClientName;
   setUserIdGetter(getUserId) {
     this.getUserId = getUserId;
   }
+  setClientNameGetter(getClientName) {
+    this.getClientName = getClientName;
+  }
   tool(...args) {
     const cbIndex = args.findIndex((arg) => typeof arg === "function");
     if (cbIndex !== -1) {
@@ -23503,7 +23487,8 @@ var WixMcpServer = class extends McpServer {
           environment: this.nodeEnv,
           sessionId: this.sessionId,
           componentId: toolName,
-          uuid: this.getUserId?.()
+          uuid: this.getUserId?.(),
+          serverInfo: this.serverInfo
         });
         const toolInvocationId = v4_default();
         const httpClient = new import_http_client.HttpClient({
@@ -23562,7 +23547,7 @@ var WixMcpServer = class extends McpServer {
             }
             this.biLogger.report(
               (0, import_v2.wixMcpRequestSrc39Evid1607)({
-                clientName,
+                clientName: this.getClientName?.() || clientName,
                 duration,
                 errorBody,
                 toolInvocationId,
@@ -23728,6 +23713,18 @@ async function fetchArticleContentFromDigor(httpClient, articleUrl, mode, stripH
 }
 async function fetchArticleContent(httpClient, articleUrl, mode, stripHeader = false) {
   if (mode === "raw") {
+    let parsedUrl;
+    try {
+      parsedUrl = new URL(articleUrl);
+    } catch {
+      throw new Error(`Invalid URL format: ${articleUrl}`);
+    }
+    const hostname = parsedUrl.hostname.replace("www.", "");
+    if (hostname !== "dev.wix.com") {
+      throw new Error(
+        `Unsupported URL domain: ${hostname}. Article URL must be from dev.wix.com`
+      );
+    }
     const { data: doc } = await httpClient.get(articleUrl);
     return doc;
   }
@@ -24219,7 +24216,7 @@ var addDocsTools = (server, allowedTools = [
       getToKnowWixEnabled ? WixREADME_DEPENDENT_DESCRIPTION : ""
     ].join("\n"),
     {
-      articleUrl: external_exports.string().describe(
+      articleUrl: external_exports.string().url().startsWith("https://dev.wix.com/").describe(
         "The URL of the docs article or method article to fetch. Should be something like https://dev.wix.com/docs/.../.../..."
       )
     },
@@ -24256,7 +24253,7 @@ var addDocsTools = (server, allowedTools = [
           content: [
             {
               type: "text",
-              text: "Could not fetch article content, you should try completing the task without it."
+              text: `Could not fetch article content: "${error.message}". You should try completing the task without it.`
             }
           ]
         };
@@ -24270,7 +24267,7 @@ var addDocsTools = (server, allowedTools = [
       "This will give you the entire request/response schema with all the fields and their descriptions."
     ].join("\n"),
     {
-      articleUrl: external_exports.string().describe(
+      articleUrl: external_exports.string().url().startsWith("https://dev.wix.com/").describe(
         "The URL of the documentation to fetch. Should be something like https://dev.wix.com/docs/.../.../..."
       )
     },
@@ -24300,7 +24297,7 @@ var addDocsTools = (server, allowedTools = [
           content: [
             {
               type: "text",
-              text: "Could not fetch method schema, you should try completing the task without it."
+              text: `Could not fetch method schema: "${error.message}". You should try completing the task without it.`
             }
           ]
         };
@@ -24347,164 +24344,227 @@ var handleWixAPIResponse = async (response) => {
   return responseData;
 };
 
+// src/api-call/validation.ts
+function isApiUrlAllowed(url) {
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    return {
+      isAllowed: false,
+      error: `Invalid URL format: ${url}`
+    };
+  }
+  const ALLOWED_HOSTNAMES = [
+    "wix.com",
+    "dev.wix.com",
+    "manage.wix.com",
+    "editor.wix.com",
+    "wixapis.com"
+  ];
+  const hostname = parsedUrl.hostname.replace("www.", "");
+  const isAllowedHostname = ALLOWED_HOSTNAMES.some(
+    (domain) => hostname === domain
+  );
+  if (!isAllowedHostname) {
+    return {
+      isAllowed: false,
+      error: `Unsupported URL domain: ${hostname}. URL must be from one of the allowed domains: ${ALLOWED_HOSTNAMES.join(", ")}`
+    };
+  }
+  return {
+    isAllowed: true
+  };
+}
+
 // src/api-call/index.ts
-function addApiCallTool(server, strategy) {
-  server.tool(
-    "CallWixSiteAPI",
-    [
-      "Call Wix apis on a business or site. Use this to create, read, update, and delete data and other Wix entities in your Wix site,",
-      `You should ALWAYS check the rest docs - "SearchWixRESTDocumentation" for the specific API you want to call, don't just call it without knowing what it does, CHECK THE DOCS`,
-      "Error Handling:",
-      'If the error is related to missing installed app or "WDE0110: Wix Code not enabled", you should install the missing app by using ReadFullDocsArticle tool to fetch the article - https://dev.wix.com/docs/kb-only/MCP_REST_RECIPES_KB_ID/TRAIN_wix.devcenter.apps.installer.v1.AppsInstallerService.InstallApp',
-      "**Note:** there is no need to check if an app is installed/ Wix Code enabled in advance, just call the API and handle the error if it occurs, the API error message will state it clearly.",
-      "For any other error, use your default error handling mechanism"
-    ].join("\n"),
-    {
-      siteId: external_exports.string().describe("The id of the site selected using site selection tool"),
-      url: external_exports.string().describe(
-        "The url of the api to call - ALWAYS get the information from the Wix REST docs or from the conversation context, the URL MUST BE ABSOLUTE URL"
-      ),
-      method: external_exports.string().describe(
-        "The HTTP method to use for the API call (e.g. GET, POST, PUT, DELETE)"
-      ),
-      body: external_exports.string().optional().describe(
-        "A string representing of a valid JSON object to describe the body of the request"
-      )
-    },
-    async ({ url, body, method, siteId }, { httpClient }) => {
-      logger2.log(
-        `Calling Wix Site API: ${siteId} ${url}, body: ${JSON.stringify(body)}`
-      );
-      try {
-        const response = await httpClient.request({
-          url,
-          method,
-          headers: {
-            ...await strategy.getSiteAuthHeaders(siteId),
-            ...body ? { "Content-Type": "application/json" } : {}
-          },
-          data: method === "GET" ? void 0 : body
-        });
-        const responseData = await handleWixAPIResponse(response);
-        return {
-          content: [
-            {
-              type: "text",
-              text: `Wix Site API call successful: ${JSON.stringify(responseData)}`
-            }
-          ]
-        };
-      } catch (error) {
-        logger2.error(`Failed to call Wix Site API: ${error}`);
-        const response = error.response;
-        if (!response) {
-          throw new Error(`Failed to call Wix Site API: ${error}`);
+function addApiCallTool(server, strategy, allowedTools = ["CallWixSiteAPI", "ListWixSites", "ManageWixSite"]) {
+  if (allowedTools.includes("CallWixSiteAPI")) {
+    server.tool(
+      "CallWixSiteAPI",
+      [
+        "Call Wix apis on a business or site. Use this to create, read, update, and delete data and other Wix entities in your Wix site,",
+        `You should ALWAYS check the rest docs - "SearchWixRESTDocumentation" for the specific API you want to call, don't just call it without knowing what it does, CHECK THE DOCS`,
+        "Error Handling:",
+        'If the error is related to missing installed app or "WDE0110: Wix Code not enabled", you should install the missing app by using ReadFullDocsArticle tool to fetch the article - https://dev.wix.com/docs/kb-only/MCP_REST_RECIPES_KB_ID/TRAIN_wix.devcenter.apps.installer.v1.AppsInstallerService.InstallApp',
+        "**Note:** there is no need to check if an app is installed/ Wix Code enabled in advance, just call the API and handle the error if it occurs, the API error message will state it clearly.",
+        "For any other error, use your default error handling mechanism"
+      ].join("\n"),
+      {
+        siteId: external_exports.string().describe("The id of the site selected using site selection tool"),
+        url: external_exports.string().url().describe(
+          "The url of the api to call - ALWAYS get the information from the Wix REST docs or from the conversation context, the URL MUST BE ABSOLUTE URL"
+        ),
+        method: external_exports.string().describe(
+          "The HTTP method to use for the API call (e.g. GET, POST, PUT, DELETE)"
+        ),
+        body: external_exports.string().optional().describe(
+          "A string representing of a valid JSON object to describe the body of the request"
+        )
+      },
+      async ({ url, body, method, siteId }, { httpClient }) => {
+        logger2.log(
+          `Calling Wix Site API: ${siteId} ${url}, body: ${JSON.stringify(body)}`
+        );
+        const { isAllowed, error: urlError } = isApiUrlAllowed(url);
+        if (!isAllowed) {
+          return {
+            content: [
+              {
+                isError: true,
+                type: "text",
+                text: `Error validating URL: ${urlError}`
+              }
+            ]
+          };
         }
-        return handleWixAPIResponse(response);
-      }
-    }
-  );
-  server.tool(
-    "ListWixSites",
-    "List Wix sites for the current user, by default it will return all sites, but you can filter by name",
-    {
-      nameSearch: external_exports.string().optional().describe(
-        "optional filer by name, if not provided all sites will be returned"
-      ),
-      // Hack for Cursor ignoring tools with no params (when nameSearch is optional)
-      alwaysTrue: external_exports.boolean().describe("Always pass true to this parameter")
-    },
-    async ({ nameSearch }, { httpClient }) => {
-      const sitesRes = await httpClient.post(
-        "https://www.wixapis.com/site-list/v2/sites/query",
-        {
-          query: {
-            cursorPaging: { limit: 21 },
-            filter: {
-              ...nameSearch ? {
-                name: nameSearch
-              } : {},
-              namespace: {
-                $in: ["WIX", "DASHBOARD_FIRST", "ANYWHERE", "HEADLESS"]
+        try {
+          const response = await httpClient.request({
+            url,
+            method,
+            headers: {
+              ...await strategy.getSiteAuthHeaders(siteId),
+              ...body ? { "Content-Type": "application/json" } : {}
+            },
+            data: method === "GET" ? void 0 : body
+          });
+          const responseData = await handleWixAPIResponse(response);
+          return {
+            content: [
+              {
+                type: "text",
+                text: `Wix Site API call successful: ${JSON.stringify(responseData)}`
               }
-            }
-          }
-        },
-        {
-          headers: {
-            ...await strategy.getAccountAuthHeaders(),
-            "Content-Type": "application/json",
-            Accept: "application/json, text/plain, */*"
+            ]
+          };
+        } catch (error) {
+          logger2.error(`Failed to call Wix Site API: ${error}`);
+          const response = error.response;
+          if (!response) {
+            throw new Error(`Failed to call Wix Site API: ${error}`);
           }
+          return handleWixAPIResponse(response);
         }
-      );
-      const result = sitesRes.data.sites?.map(({ id, displayName }) => ({
-        id,
-        name: displayName
-      })) ?? [];
-      return {
-        content: [
+      }
+    );
+  }
+  if (allowedTools.includes("ListWixSites")) {
+    server.tool(
+      "ListWixSites",
+      "List Wix sites for the current user, by default it will return all sites, but you can filter by name",
+      {
+        nameSearch: external_exports.string().optional().describe(
+          "optional filer by name, if not provided all sites will be returned"
+        ),
+        // Hack for Cursor ignoring tools with no params (when nameSearch is optional)
+        alwaysTrue: external_exports.boolean().describe("Always pass true to this parameter")
+      },
+      async ({ nameSearch }, { httpClient }) => {
+        const sitesRes = await httpClient.post(
+          "https://www.wixapis.com/site-list/v2/sites/query",
           {
-            type: "text",
-            text: JSON.stringify(result)
+            query: {
+              cursorPaging: { limit: 21 },
+              filter: {
+                ...nameSearch ? {
+                  name: nameSearch
+                } : {},
+                namespace: {
+                  $in: ["WIX", "DASHBOARD_FIRST", "ANYWHERE", "HEADLESS"]
+                }
+              }
+            }
           },
           {
-            type: "text",
-            text: "if there is more than one site returned, the user should pick one from a list, list the sites (only name) for the user and ask them to pick one,If more than 20 are found you should list all 20 and suggest to search by the name of the site they are looking for"
+            headers: {
+              ...await strategy.getAccountAuthHeaders(),
+              "Content-Type": "application/json",
+              Accept: "application/json, text/plain, */*"
+            }
           }
-        ]
-      };
-    }
-  );
-  server.tool(
-    "ManageWixSite",
-    `Use account level API in order to create a site, update a site and publish site.
-    ALWAYS use "SearchWixRESTDocumentation" to search for the API you should invoke, NEVER GUESS THE SITE API URL
-    You should ALWAYS check the rest docs - "SearchWixRESTDocumentation" for the specific API you want to call, don't just call it without knowing what it does, CHECK THE DOCS`,
-    {
-      url: external_exports.string().describe(
-        "The url of the api to call - ALWAYS get the information from the Wix REST docs DONT GUESS IT, the URL MUST BE ABSOLUTE URL"
-      ),
-      method: external_exports.string().describe(
-        "The HTTP method to use for the API call (e.g. GET, POST, PUT, DELETE)"
-      ),
-      body: external_exports.string().optional().describe(
-        "A string representing of a valid JSON object to describe the body of the request"
-      )
-    },
-    async ({ url, body, method }, { httpClient }) => {
-      logger2.log(
-        `Calling Wix Account level API: ${url}, body: ${JSON.stringify(body)}`
-      );
-      try {
-        const response = await httpClient.request({
-          url,
-          method,
-          headers: {
-            ...await strategy.getAccountAuthHeaders(),
-            ...body ? { "Content-Type": "application/json" } : {}
-          },
-          data: method === "GET" ? void 0 : body
-        });
-        const responseData = await handleWixAPIResponse(response);
+        );
+        const result = sitesRes.data.sites?.map(({ id, displayName }) => ({
+          id,
+          name: displayName
+        })) ?? [];
         return {
           content: [
             {
               type: "text",
-              text: `Wix Account API call successful: ${JSON.stringify(responseData)}`
+              text: JSON.stringify(result)
+            },
+            {
+              type: "text",
+              text: "if there is more than one site returned, the user should pick one from a list, list the sites (only name) for the user and ask them to pick one,If more than 20 are found you should list all 20 and suggest to search by the name of the site they are looking for"
             }
           ]
         };
-      } catch (error) {
-        logger2.error(`Failed to call Wix Account API: ${error}`);
-        const response = error.response;
-        if (!response) {
-          throw new Error(`Failed to call Wix Account API: ${error}`);
+      }
+    );
+  }
+  if (allowedTools.includes("ManageWixSite")) {
+    server.tool(
+      "ManageWixSite",
+      `Use account level API in order to create a site, update a site and publish site.
+    ALWAYS use "SearchWixRESTDocumentation" to search for the API you should invoke, NEVER GUESS THE SITE API URL
+    You should ALWAYS check the rest docs - "SearchWixRESTDocumentation" for the specific API you want to call, don't just call it without knowing what it does, CHECK THE DOCS`,
+      {
+        url: external_exports.string().url().describe(
+          "The url of the api to call - ALWAYS get the information from the Wix REST docs DONT GUESS IT, the URL MUST BE ABSOLUTE URL"
+        ),
+        method: external_exports.string().describe(
+          "The HTTP method to use for the API call (e.g. GET, POST, PUT, DELETE)"
+        ),
+        body: external_exports.string().optional().describe(
+          "A string representing of a valid JSON object to describe the body of the request"
+        )
+      },
+      async ({ url, body, method }, { httpClient }) => {
+        logger2.log(
+          `Calling Wix Account level API: ${url}, body: ${JSON.stringify(body)}`
+        );
+        const { isAllowed, error: urlError } = isApiUrlAllowed(url);
+        if (!isAllowed) {
+          return {
+            content: [
+              {
+                isError: true,
+                type: "text",
+                text: `Error validating URL: ${urlError}`
+              }
+            ]
+          };
+        }
+        try {
+          const response = await httpClient.request({
+            url,
+            method,
+            headers: {
+              ...await strategy.getAccountAuthHeaders(),
+              ...body ? { "Content-Type": "application/json" } : {}
+            },
+            data: method === "GET" ? void 0 : body
+          });
+          const responseData = await handleWixAPIResponse(response);
+          return {
+            content: [
+              {
+                type: "text",
+                text: `Wix Account API call successful: ${JSON.stringify(responseData)}`
+              }
+            ]
+          };
+        } catch (error) {
+          logger2.error(`Failed to call Wix Account API: ${error}`);
+          const response = error.response;
+          if (!response) {
+            throw new Error(`Failed to call Wix Account API: ${error}`);
+          }
+          return handleWixAPIResponse(response);
         }
-        return handleWixAPIResponse(response);
       }
-    }
-  );
+    );
+  }
 }
 
 // src/resources/docs.ts