epicmerch-mcp 1.3.20 → 1.3.22

package/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "epicmerch",
   "description": "Run your EpicMerch store from chat — products, orders, analytics, Shopify migration, Stripe setup. Auto-installs the MCP + slash commands + browser OAuth.",
-  "version": "1.0.0",
+  "version": "1.3.22",
   "author": {
     "name": "Aditya Patel",
     "email": "aditya141312@gmail.com",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "epicmerch-mcp",
-  "version": "1.3.20",
+  "version": "1.3.22",
   "description": "MCP server for EpicMerch — integrates e-commerce into Claude and ChatGPT",
   "type": "module",
   "main": "src/index.js",

package/skills/epicmerch.md

@@ -1,239 +1,239 @@
----
-name: epicmerch
-description: EpicMerch umbrella — guided 6-step onboarding wizard for new merchants, driven by a deterministic state machine (merchant_onboarding_state) that re-derives progress from live state and CANNOT report "complete" until a real end-to-end order test (/epicmerch-verify Deep mode) has stamped verification server-side. Also an intent router for merchants who already know what they want (scaffold a storefront, set up payments, add a Buy Now button, manage a store, migrate from Shopify, verify the store). Verification is the non-negotiable, structurally-enforced definition of done.
----
-
-# EpicMerch — the umbrella
-
-The **one entry point** for everything EpicMerch. Merchants don't need to memorise 10+ slash commands; they say what they want (or say nothing) and you figure out the right flow.
-
-## Mode detection
-
-Two modes. Pick one based on what the merchant said:
-
-| What the merchant said when invoking `/epicmerch` | Mode |
-|---|---|
-| Nothing specific. Just `/epicmerch` with no extra words. | **Wizard mode** (Step A below) |
-| "help me start", "I'm new", "set up everything", "what's next", "where do I begin" | **Wizard mode** |
-| "set up Razorpay", "add a Buy Now button", "migrate Shopify", "scaffold a storefront", "show me my products" — anything with a clear specific intent | **Intent mode** (Step B below) |
-
-If ambiguous, ask ONE disambiguating question: *"Want me to walk you through a full setup wizard, or is there one specific thing you want to do?"*
-
----
-
-## DEFINITION OF DONE — read this before you finish (applies to BOTH modes)
-
-**`/epicmerch` is not complete until a live end-to-end test has run and passed.**
-
-This holds no matter how the build happened — the wizard's scaffold step, an intent-mode `/epicmerch-storefront`, OR a fully custom build you designed through brainstorming (e.g. a themed multi-page store). However you got here, the LAST thing you do before telling the merchant "your store is set up" is run **`/epicmerch-verify` (Deep mode)** — the full product→cart→order pipeline; it automatically falls back to Smoke mode if the server's test-login isn't configured.
-
-Common trap: a design-heavy request ("build me a saree store") pulls you into scope/theme/spec brainstorming and a custom build, and the flow ends at "looks good!" without ever testing against the live API. **Don't let that happen.** After the storefront files are written and the `.env` has a real API key, run the e2e/verify gate. A store that was never tested against the live API is not done — that's exactly how the cart-shape / productId / out-of-stock bugs reached real merchants.
-
-If you realize you're wrapping up `/epicmerch` and haven't run the test → run it now.
-
-In **Wizard mode** this is enforced for you: `merchant_onboarding_state` will not return `complete` until `/epicmerch-verify` (Deep mode) has stamped verification server-side, so you structurally can't wrap up early. In **Intent mode** and custom/brainstormed builds there's no such gate — that's where this reminder matters most.
-
----
-
-## Step A — Wizard mode (the harness loop)
-
-Wizard mode is a **deterministic loop driven by the `merchant_onboarding_state` tool** — not prose you interpret. The tool re-derives what's done, what's next, and whether you're complete from **live server state on every call**, and it enforces the gate: you **cannot** reach `complete` until a real `/epicmerch-verify` (Deep mode) run has stamped verification server-side. That is what makes `/epicmerch` un-breakable — the control flow lives in code + a hard gate, so "done but never verified" is structurally unreachable. You bring the creative work (the conversation, the product shape, the styling); the tool owns order, idempotency, and the gate.
-
-Open with one sentence:
-
-> "I'll set up your EpicMerch store. I'll check what's already done, do the next thing, and finish with a live end-to-end test — that test is the only thing that marks the setup complete."
-
-### The loop
-
-Repeat until the tool returns `complete: true`:
-
-1. Check the local project: does `src/lib/epicmerch.js` exist? (`true`/`false` → `storefrontPresent`).
-2. Call `merchant_onboarding_state({ storefrontPresent })`.
-3. If `complete === true` → print the **wrap-up recap** (below) and STOP. You're done.
-4. Else → read `nextStep` and perform **that one step's action** (see *Step actions* below). The `steps[nextStep].action` string is a short reminder; the full expansion is below. Do exactly ONE step, recap it in one line (`✓ <what happened>`), then go back to 1.
-
-**Rules that keep the harness honest:**
-- Never skip ahead, never decide completion yourself, never print "your store is set up" before the tool returns `complete: true`.
-- The loop is inherently idempotent — every turn re-reads live state, so re-running after a partial setup just resumes where you left off.
-- If you catch yourself about to wrap up without `complete`, call the tool again — it will name the real gap.
-
-### Step actions (the expansion of each `nextStep`)
-
-#### `account` — authenticate
-The tool couldn't read your settings (not connected / 401). Tell the merchant:
-
-> "Your CLI isn't connected. Run `npx epicmerch-mcp setup` (or `npx epicmerch-mcp login` if MCP is already installed), then ask me again."
-
-STOP the loop. Resume (re-call the tool) once they confirm they're connected.
-
-#### `apiKey` — generate a storefront key
-
-> "You don't have an API key yet. I'll generate one called 'Storefront' — that's what the SDK uses to talk to your store."
-
-Call `merchant_generate_api_key({ name: 'Storefront' })`. Recap `✓ API key generated.` and re-loop.
-
-#### `payment` — configure a processor
-Ask **one** question:
-
-> "Where do most of your customers buy from?
-> 1) India (Razorpay — recommended)
-> 2) Outside India (Stripe)"
-
-- "India" / "1" → run `/epicmerch-payments` (it takes the Razorpay path)
-- "outside" / "global" / "2" → run `/epicmerch-payments` (it takes the Stripe path)
-
-`/epicmerch-payments` configures the chosen processor **and** the checkout type — the tool's `payment` step needs both before it counts as done. Re-loop; the tool confirms `payment.done`.
-
-#### `products` — fill the catalog
-The catalog is empty (the tool counts an empty catalog as not-done, so this step keeps surfacing until at least one product exists). Ask:
-
-> "Your catalog is empty. Want me to:
-> 1) Migrate your existing Shopify store
-> 2) Add your first product right now
-> 3) Add a quick sample product so we can finish, and you replace it later"
-
-- "Shopify" / "1" → run `/epicmerch-migrate`
-- "first product" / "2" → walk through it with `merchant_create_product`. **Do NOT just ask for name + price** — products that ship without variants and images break the storefront UX (empty size picker, broken image). Collect the FULL shape in ONE round of questions:
-  - **Name + Category** (`name`, `type`)
-  - **Description** (`description`)
-  - **Pricing** — list price (`price`), plus on-sale fields if applicable (`salePrice`, `discountPercent`). *"If this product is on sale, tell me the sale price and discount %. Otherwise say 'no sale'."*
-  - **Variants** (`variants`) — array of `{ variant: 'S', stock: 5 }` entries. *"What sizes / colors / options does this come in, and how many of each in stock? If just one option, say 'no variants'."* When passed, the server derives total stock from `sum(variant.stock)` and ignores the top-level `stock`.
-  - **Images** (`images`) — array of gallery URLs. Optionally `image` for an explicit primary; if omitted the server uses `images[0]`.
-  Pass everything to `merchant_create_product` in ONE call — never create-then-update.
-- "sample" / "3" → create one reasonable sample product (full shape, a couple of variants, a placeholder image) so the loop can progress. Tell the merchant it's a placeholder they can edit or delete later.
-
-There is no hard "skip" here: `complete` requires a non-empty catalog. If the merchant truly wants to stop, be honest that onboarding stays incomplete until a product exists.
-
-#### `storefront` — scaffold into the project
-`storefrontPresent` is false. First check the project: does `package.json` exist with React / Vite / Next in dependencies?
-
-- **Not a frontend project / no `package.json`**: tell the merchant *"No frontend project detected here. Run `/epicmerch` from inside a React/Vite/Next project to scaffold the storefront."* `storefrontPresent` stays false, so the loop keeps flagging `storefront` — be honest that `complete` needs the storefront scaffolded (they can finish from a project later; a chat-only setup won't reach `complete`).
-- **Project detected, no SDK file**: do the two-part sub-flow:
-
-**4a — Visual style (before scaffolding).** Ask ONE question so the components match their vibe:
-
-> "Quick — what's the vibe of your store?
-> 1) Editorial Funk (bold typography, big imagery, asymmetric layouts)
-> 2) Minimal Mono (clean, monochrome, lots of whitespace)
-> 3) Vibrant Pop (colourful, rounded corners, playful)
-> 4) Skip — functional unstyled scaffolds, I'll polish later"
-
-Remember the answer as `visualStyle`.
-
-**4b — Scaffold + style.** Run `/epicmerch-storefront`. After it finishes:
-- If `visualStyle` ≠ skip, do a quick styling pass: 5-10 well-chosen Tailwind utility classes per component (typography, spacing, colour) matching `visualStyle`. Don't overdo it.
-- Confirm `src/lib/epicmerch.js` contains the **session-restore block** (the `localStorage.getItem('customerInfo') → setCustomerToken` snippet). Without it, OTP login appears to work but doesn't survive a page reload — the #1 silent storefront bug. The 1.3.4+ scaffold includes it by default; add it manually if missing.
-- Recap `✓ Storefront scaffolded + styled (<visualStyle>)` (or `unstyled`).
-
-**Optional add-on (not gated):** once the storefront exists, you may offer a 1-click Buy Now button — *"Want a 1-click 'Buy Now' button? Razorpay's Magic Checkout lets customers buy without a cart screen."* → `/epicmerch-magic-checkout` (it verifies Razorpay first). This is optional and does NOT affect `complete`; the merchant can add it anytime by saying *"add a Buy Now button"*. Then re-loop.
-
-#### `verified` — the gate (the ONLY step that flips `complete`)
-This is the un-fakeable half of the harness. Run **`/epicmerch-verify` (Deep mode)** automatically:
-
-> "Last step — a live end-to-end test to confirm everything actually works."
-
-It gets a customer session, creates a throwaway test product, adds it to a cart, creates a real order (exercising stock reservation + Razorpay order creation, no charge), verifies every response shape, then cleans up (cancels the order, deletes the product). This proves the WHOLE pipeline, not just read paths. It gets its customer token via the server's env-gated test phone (`store_auth_send_otp` + `store_auth_verify_otp` against `E2E_TEST_PHONE`), so it needs no SMS and no manual login.
-
-- **On pass:** `/epicmerch-verify` (Deep mode) calls **`merchant_mark_verified`**, which stamps `lastVerifiedAt` server-side. That is the ONLY thing that flips the tool's `verified` step to done. Re-loop — `merchant_onboarding_state` will now return `complete: true`.
-- **On any failure:** do NOT stamp verified. Route to `/epicmerch-debug` automatically — its four-check playbook (OTP not persisting, products not loading, INSUFFICIENT_STOCK on checkout, cart 401) fixes it without further merchant intervention. Then re-run `/epicmerch-verify` (Deep mode).
-- **If the e2e token step fails** because the server lacks `E2E_TEST_PHONE`/`E2E_TEST_OTP` (you'll see a normal SMS channel instead of `e2e-test`, or a 401 on verify), fall back to `/epicmerch-verify` (read-path + payload checks, no token). **Important:** the fallback does NOT stamp `lastVerifiedAt`, so the `verified` step stays not-done and the tool will NOT report `complete`. Be honest: *"Ran the read-path + payload checks. To mark the store verified end-to-end (and finish onboarding), your EpicMerch operator needs to set `E2E_TEST_PHONE`/`E2E_TEST_OTP` on the server so the automated order test can run."*
-
-### Wizard wrap-up
-
-Print this one-block recap **only when `merchant_onboarding_state` has returned `complete: true`** (i.e. the `verified` step is done — never before):
-
-```
-━━━ Your store is set up ━━━
-  ✓ Account connected as <email>
-  ✓ API key: <name>
-  ✓ Payments: <Razorpay/Stripe>
-  ✓ Catalog: <N> products
-  ✓ Storefront: scaffolded into <project>   (or "skipped — no project")
-  ✗ Buy Now button: skipped                  (or ✓ if they added it)
-  ✓ End-to-end test: product → cart → order → cleanup all passed
-       (verified live — lastVerifiedAt stamped server-side)
-
-Next: restart your dev server (`npm run dev`) to pick up `.env`. Your
-store works end-to-end. Ask me about analytics, notifications, or
-abandoned-cart messages whenever you're ready.
-```
-
----
-
-## Step B — Intent mode (router)
-
-The merchant said something specific. Match against the table below, pick the closest, hand off. If multiple match, ask ONE disambiguating question.
-
-| The merchant says … | Route to |
-|---|---|
-| "set up EpicMerch", "scaffold a storefront", "build me a store", "integrate ecommerce" (and the project has no `src/lib/epicmerch.js`) | `/epicmerch-storefront` |
-| "add login / OTP / sign in" | `/epicmerch-storefront` (auth slice) |
-| "add a product catalog", "show products on my site", "product list with search" | `/epicmerch-storefront` (products slice) |
-| "add a cart", "build checkout", "order history page", "multi-product checkout" | `/epicmerch-storefront` (orders slice) |
-| "add Buy Now button", "1-click checkout", "impulse buy", "Razorpay Magic Checkout" | `/epicmerch-magic-checkout` |
-| "set up payments", "accept cards", "configure checkout", "set up Razorpay", "set up Stripe", "India / international payments" | `/epicmerch-payments` |
-| "connect my store to Claude / Cursor / Codex", "log in to EpicMerch", "install the MCP" | `/epicmerch-setup` |
-| "show me my store / products / orders / sales", "manage my store from chat" | `/epicmerch-merchant` |
-| "migrate from Shopify", "import my Shopify catalog" | `/epicmerch-migrate` |
-| "my login isn't sticking", "products aren't loading", "checkout fails", "insufficient stock undefined", "something's broken" | `/epicmerch-debug` |
-| "test everything", "does checkout actually work", "full end-to-end test", "run a real order test" | `/epicmerch-verify` (Deep mode) |
-
-### Hand-off (or inline)
-
-**In Claude Code / Claude Desktop / Cursor / VS Code Claude extension:**
-
-Tell the merchant which slash command you're invoking, then proceed:
-
-> "Sounds like you want X — running `/epicmerch-Y` now."
-
-The slash-command file is loaded from `~/.claude/commands/epicmerch-Y.md`; follow its steps.
-
-**In Codex CLI (or any client without slash commands):**
-
-Fetch the matching skill from the API and follow it:
-
-```
-Fetch https://api.epicmerch.in/api/skills/epicmerch-<slug>.md and execute every step against the current project, using the MCP tools available in this session.
-```
-
-If the fetch fails, fall back to the high-level intent using the MCP tools you have (e.g. for Razorpay: `merchant_configure_razorpay({keyId, keySecret})` + `merchant_set_checkout_type({type:'epicmerch'})`).
-
-### After the sub-flow
-
-Briefly recap and ask if anything else is needed. One short sentence, not three follow-ups.
-
-**If the sub-flow built or changed the storefront** (`/epicmerch-storefront`, `/epicmerch-magic-checkout`, or a custom build), run the **Definition of Done** gate above before recapping — `/epicmerch-verify` (Deep mode). Don't say "done" on anything that touched checkout without testing it live. (Pure config sub-flows like payment setup don't need the storefront verify, but a quick `merchant_diagnose` confirms they took.)
-
-Examples:
-
-> "Razorpay is now live on your store. Want a Buy Now button too?" *(routes to `/epicmerch-magic-checkout`)*
-
-> "Storefront scaffolded and end-to-end tested (product → cart → order all pass). Restart your dev server (`npm run dev`) to load `.env`. Need anything else — payments, Shopify migration, analytics?"
-
----
-
-## Step C — Tool fallback (no skill match)
-
-If the intent doesn't match any row in the table AND it's not a "start me up" wizard cue, fall through to MCP tools directly:
-
-- "How many products do I have?" → `merchant_list_products`
-- "What's missing from my setup?" → `merchant_diagnose`
-- "Generate a new API key called X" → `merchant_generate_api_key`
-- "Send a notification to all customers" → `merchant_send_notification`
-
-Only escalate to a sub-skill if a multi-step recipe is needed (scaffolding files, configuring payment processors, multi-stage migrations).
-
----
-
-## Style
-
-- **One question at a time.** Never stack three.
-- **Read intent from context.** React + no `src/lib/epicmerch.js` → don't ask, just say "I'll scaffold the storefront" and start.
-- **Confirm destructive operations.** Anything that deletes data or sends bulk notifications needs a yes-or-no first.
-- **Skill files are guidance, not gospel.** If a step fails (server error, etc.), surface the actual error and ask the merchant rather than blindly retrying.
-- **Lead with numbers.** "You have 42 products and ₹5,231 revenue this week" beats "let me tell you about your store."
-
-## What this skill does NOT do
-
-- Does not collect email/password in chat. Auth always goes through the browser OAuth flow via `/epicmerch-setup` (which runs `npx epicmerch-mcp login`).
-- Does not bypass per-skill safety checks. E.g. `/epicmerch-magic-checkout` won't scaffold a Buy Now button before verifying Razorpay is configured — the umbrella respects that and the wizard's step 2 ensures payments are configured before step 5 even asks.
+---
+name: epicmerch
+description: EpicMerch umbrella — guided 6-step onboarding wizard for new merchants, driven by a deterministic state machine (merchant_onboarding_state) that re-derives progress from live state and CANNOT report "complete" until a real end-to-end order test (/epicmerch-verify Deep mode) has stamped verification server-side. Also an intent router for merchants who already know what they want (scaffold a storefront, set up payments, add a Buy Now button, manage a store, migrate from Shopify, verify the store). Verification is the non-negotiable, structurally-enforced definition of done.
+---
+
+# EpicMerch — the umbrella
+
+The **one entry point** for everything EpicMerch. Merchants don't need to memorise 10+ slash commands; they say what they want (or say nothing) and you figure out the right flow.
+
+## Mode detection
+
+Two modes. Pick one based on what the merchant said:
+
+| What the merchant said when invoking `/epicmerch` | Mode |
+|---|---|
+| Nothing specific. Just `/epicmerch` with no extra words. | **Wizard mode** (Step A below) |
+| "help me start", "I'm new", "set up everything", "what's next", "where do I begin" | **Wizard mode** |
+| "set up Razorpay", "add a Buy Now button", "migrate Shopify", "scaffold a storefront", "show me my products" — anything with a clear specific intent | **Intent mode** (Step B below) |
+
+If ambiguous, ask ONE disambiguating question: *"Want me to walk you through a full setup wizard, or is there one specific thing you want to do?"*
+
+---
+
+## DEFINITION OF DONE — read this before you finish (applies to BOTH modes)
+
+**`/epicmerch` is not complete until a live end-to-end test has run and passed.**
+
+This holds no matter how the build happened — the wizard's scaffold step, an intent-mode `/epicmerch-storefront`, OR a fully custom build you designed through brainstorming (e.g. a themed multi-page store). However you got here, the LAST thing you do before telling the merchant "your store is set up" is run **`/epicmerch-verify` (Deep mode)** — the full product→cart→order pipeline; it automatically falls back to Smoke mode if the server's test-login isn't configured.
+
+Common trap: a design-heavy request ("build me a saree store") pulls you into scope/theme/spec brainstorming and a custom build, and the flow ends at "looks good!" without ever testing against the live API. **Don't let that happen.** After the storefront files are written and the `.env` has a real API key, run the e2e/verify gate. A store that was never tested against the live API is not done — that's exactly how the cart-shape / productId / out-of-stock bugs reached real merchants.
+
+If you realize you're wrapping up `/epicmerch` and haven't run the test → run it now.
+
+In **Wizard mode** this is enforced for you: `merchant_onboarding_state` will not return `complete` until `/epicmerch-verify` (Deep mode) has stamped verification server-side, so you structurally can't wrap up early. In **Intent mode** and custom/brainstormed builds there's no such gate — that's where this reminder matters most.
+
+---
+
+## Step A — Wizard mode (the harness loop)
+
+Wizard mode is a **deterministic loop driven by the `merchant_onboarding_state` tool** — not prose you interpret. The tool re-derives what's done, what's next, and whether you're complete from **live server state on every call**, and it enforces the gate: you **cannot** reach `complete` until a real `/epicmerch-verify` (Deep mode) run has stamped verification server-side. That is what makes `/epicmerch` un-breakable — the control flow lives in code + a hard gate, so "done but never verified" is structurally unreachable. You bring the creative work (the conversation, the product shape, the styling); the tool owns order, idempotency, and the gate.
+
+Open with one sentence:
+
+> "I'll set up your EpicMerch store. I'll check what's already done, do the next thing, and finish with a live end-to-end test — that test is the only thing that marks the setup complete."
+
+### The loop
+
+Repeat until the tool returns `complete: true`:
+
+1. Check the local project: does `src/lib/epicmerch.js` exist? (`true`/`false` → `storefrontPresent`).
+2. Call `merchant_onboarding_state({ storefrontPresent })`.
+3. If `complete === true` → print the **wrap-up recap** (below) and STOP. You're done.
+4. Else → read `nextStep` and perform **that one step's action** (see *Step actions* below). The `steps[nextStep].action` string is a short reminder; the full expansion is below. Do exactly ONE step, recap it in one line (`✓ <what happened>`), then go back to 1.
+
+**Rules that keep the harness honest:**
+- Never skip ahead, never decide completion yourself, never print "your store is set up" before the tool returns `complete: true`.
+- The loop is inherently idempotent — every turn re-reads live state, so re-running after a partial setup just resumes where you left off.
+- If you catch yourself about to wrap up without `complete`, call the tool again — it will name the real gap.
+
+### Step actions (the expansion of each `nextStep`)
+
+#### `account` — authenticate
+The tool couldn't read your settings (not connected / 401). Tell the merchant:
+
+> "Your CLI isn't connected. Run `npx epicmerch-mcp setup` (or `npx epicmerch-mcp login` if MCP is already installed), then ask me again."
+
+STOP the loop. Resume (re-call the tool) once they confirm they're connected.
+
+#### `apiKey` — generate a storefront key
+
+> "You don't have an API key yet. I'll generate one called 'Storefront' — that's what the SDK uses to talk to your store."
+
+Call `merchant_generate_api_key({ name: 'Storefront' })`. Recap `✓ API key generated.` and re-loop.
+
+#### `payment` — configure a processor
+Ask **one** question:
+
+> "Where do most of your customers buy from?
+> 1) India (Razorpay — recommended)
+> 2) Outside India (Stripe)"
+
+- "India" / "1" → run `/epicmerch-payments` (it takes the Razorpay path)
+- "outside" / "global" / "2" → run `/epicmerch-payments` (it takes the Stripe path)
+
+`/epicmerch-payments` configures the chosen processor **and** the checkout type — the tool's `payment` step needs both before it counts as done. Re-loop; the tool confirms `payment.done`.
+
+#### `products` — fill the catalog
+The catalog is empty (the tool counts an empty catalog as not-done, so this step keeps surfacing until at least one product exists). Ask:
+
+> "Your catalog is empty. Want me to:
+> 1) Migrate your existing Shopify store
+> 2) Add your first product right now
+> 3) Add a quick sample product so we can finish, and you replace it later"
+
+- "Shopify" / "1" → run `/epicmerch-migrate`
+- "first product" / "2" → walk through it with `merchant_create_product`. **Do NOT just ask for name + price** — products that ship without variants and images break the storefront UX (empty size picker, broken image). Collect the FULL shape in ONE round of questions:
+  - **Name + Category** (`name`, `type`)
+  - **Description** (`description`)
+  - **Pricing** — list price (`price`), plus on-sale fields if applicable (`salePrice`, `discountPercent`). *"If this product is on sale, tell me the sale price and discount %. Otherwise say 'no sale'."*
+  - **Variants** (`variants`) — array of `{ variant: 'S', stock: 5 }` entries. *"What sizes / colors / options does this come in, and how many of each in stock? If just one option, say 'no variants'."* When passed, the server derives total stock from `sum(variant.stock)` and ignores the top-level `stock`.
+  - **Images** (`images`) — array of gallery URLs. Optionally `image` for an explicit primary; if omitted the server uses `images[0]`.
+  Pass everything to `merchant_create_product` in ONE call — never create-then-update.
+- "sample" / "3" → create one reasonable sample product (full shape, a couple of variants, a placeholder image) so the loop can progress. Tell the merchant it's a placeholder they can edit or delete later.
+
+There is no hard "skip" here: `complete` requires a non-empty catalog. If the merchant truly wants to stop, be honest that onboarding stays incomplete until a product exists.
+
+#### `storefront` — scaffold into the project
+`storefrontPresent` is false. First check the project: does `package.json` exist with React / Vite / Next in dependencies?
+
+- **Not a frontend project / no `package.json`**: tell the merchant *"No frontend project detected here. Run `/epicmerch` from inside a React/Vite/Next project to scaffold the storefront."* `storefrontPresent` stays false, so the loop keeps flagging `storefront` — be honest that `complete` needs the storefront scaffolded (they can finish from a project later; a chat-only setup won't reach `complete`).
+- **Project detected, no SDK file**: do the two-part sub-flow:
+
+**4a — Visual style (before scaffolding).** Ask ONE question so the components match their vibe:
+
+> "Quick — what's the vibe of your store?
+> 1) Editorial Funk (bold typography, big imagery, asymmetric layouts)
+> 2) Minimal Mono (clean, monochrome, lots of whitespace)
+> 3) Vibrant Pop (colourful, rounded corners, playful)
+> 4) Skip — functional unstyled scaffolds, I'll polish later"
+
+Remember the answer as `visualStyle`.
+
+**4b — Scaffold + style.** Run `/epicmerch-storefront`. After it finishes:
+- If `visualStyle` ≠ skip, do a quick styling pass: 5-10 well-chosen Tailwind utility classes per component (typography, spacing, colour) matching `visualStyle`. Don't overdo it.
+- Confirm `src/lib/epicmerch.js` contains the **session-restore block** (the `localStorage.getItem('customerInfo') → setCustomerToken` snippet). Without it, OTP login appears to work but doesn't survive a page reload — the #1 silent storefront bug. The 1.3.4+ scaffold includes it by default; add it manually if missing.
+- Recap `✓ Storefront scaffolded + styled (<visualStyle>)` (or `unstyled`).
+
+**Optional add-on (not gated):** once the storefront exists, you may offer a 1-click Buy Now button — *"Want a 1-click 'Buy Now' button? Razorpay's Magic Checkout lets customers buy without a cart screen."* → `/epicmerch-magic-checkout` (it verifies Razorpay first). This is optional and does NOT affect `complete`; the merchant can add it anytime by saying *"add a Buy Now button"*. Then re-loop.
+
+#### `verified` — the gate (the ONLY step that flips `complete`)
+This is the un-fakeable half of the harness. Run **`/epicmerch-verify` (Deep mode)** automatically:
+
+> "Last step — a live end-to-end test to confirm everything actually works."
+
+It gets a customer session, creates a throwaway test product, adds it to a cart, creates a real order (exercising stock reservation + Razorpay order creation, no charge), verifies every response shape, then cleans up (cancels the order, deletes the product). This proves the WHOLE pipeline, not just read paths. It gets its customer token via the server's env-gated test phone (`store_auth_send_otp` + `store_auth_verify_otp` against `E2E_TEST_PHONE`), so it needs no SMS and no manual login.
+
+- **On pass:** `/epicmerch-verify` (Deep mode) calls **`merchant_mark_verified`**, which stamps `lastVerifiedAt` server-side. That is the ONLY thing that flips the tool's `verified` step to done. Re-loop — `merchant_onboarding_state` will now return `complete: true`.
+- **On any failure:** do NOT stamp verified. Route to `/epicmerch-debug` automatically — its four-check playbook (OTP not persisting, products not loading, INSUFFICIENT_STOCK on checkout, cart 401) fixes it without further merchant intervention. Then re-run `/epicmerch-verify` (Deep mode).
+- **If the e2e token step fails** because the server lacks `E2E_TEST_PHONE`/`E2E_TEST_OTP` (you'll see a normal SMS channel instead of `e2e-test`, or a 401 on verify), fall back to `/epicmerch-verify` (read-path + payload checks, no token). **Important:** the fallback does NOT stamp `lastVerifiedAt`, so the `verified` step stays not-done and the tool will NOT report `complete`. Be honest: *"Ran the read-path + payload checks. To mark the store verified end-to-end (and finish onboarding), your EpicMerch operator needs to set `E2E_TEST_PHONE`/`E2E_TEST_OTP` on the server so the automated order test can run."*
+
+### Wizard wrap-up
+
+Print this one-block recap **only when `merchant_onboarding_state` has returned `complete: true`** (i.e. the `verified` step is done — never before):
+
+```
+━━━ Your store is set up ━━━
+  ✓ Account connected as <email>
+  ✓ API key: <name>
+  ✓ Payments: <Razorpay/Stripe>
+  ✓ Catalog: <N> products
+  ✓ Storefront: scaffolded into <project>   (or "skipped — no project")
+  ✗ Buy Now button: skipped                  (or ✓ if they added it)
+  ✓ End-to-end test: product → cart → order → cleanup all passed
+       (verified live — lastVerifiedAt stamped server-side)
+
+Next: restart your dev server (`npm run dev`) to pick up `.env`. Your
+store works end-to-end. Ask me about analytics, notifications, or
+abandoned-cart messages whenever you're ready.
+```
+
+---
+
+## Step B — Intent mode (router)
+
+The merchant said something specific. Match against the table below, pick the closest, hand off. If multiple match, ask ONE disambiguating question.
+
+| The merchant says … | Route to |
+|---|---|
+| "set up EpicMerch", "scaffold a storefront", "build me a store", "integrate ecommerce" (and the project has no `src/lib/epicmerch.js`) | `/epicmerch-storefront` |
+| "add login / OTP / sign in" | `/epicmerch-storefront` (auth slice) |
+| "add a product catalog", "show products on my site", "product list with search" | `/epicmerch-storefront` (products slice) |
+| "add a cart", "build checkout", "order history page", "multi-product checkout" | `/epicmerch-storefront` (orders slice) |
+| "add Buy Now button", "1-click checkout", "impulse buy", "Razorpay Magic Checkout" | `/epicmerch-magic-checkout` |
+| "set up payments", "accept cards", "configure checkout", "set up Razorpay", "set up Stripe", "India / international payments" | `/epicmerch-payments` |
+| "connect my store to Claude / Cursor / Codex", "log in to EpicMerch", "install the MCP" | `/epicmerch-setup` |
+| "show me my store / products / orders / sales", "manage my store from chat" | `/epicmerch-merchant` |
+| "migrate from Shopify", "import my Shopify catalog" | `/epicmerch-migrate` |
+| "my login isn't sticking", "products aren't loading", "checkout fails", "insufficient stock undefined", "something's broken" | `/epicmerch-debug` |
+| "test everything", "does checkout actually work", "full end-to-end test", "run a real order test" | `/epicmerch-verify` (Deep mode) |
+
+### Hand-off (or inline)
+
+**In Claude Code / Claude Desktop / Cursor / VS Code Claude extension:**
+
+Tell the merchant which slash command you're invoking, then proceed:
+
+> "Sounds like you want X — running `/epicmerch-Y` now."
+
+The slash-command file is loaded from `~/.claude/commands/epicmerch-Y.md`; follow its steps.
+
+**In Codex CLI (or any client without slash commands):**
+
+Fetch the matching skill from the API and follow it:
+
+```
+Fetch https://api.epicmerch.in/api/skills/epicmerch-<slug>.md and execute every step against the current project, using the MCP tools available in this session.
+```
+
+If the fetch fails, fall back to the high-level intent using the MCP tools you have (e.g. for Razorpay: `merchant_configure_razorpay({keyId, keySecret})` + `merchant_set_checkout_type({type:'epicmerch'})`).
+
+### After the sub-flow
+
+Briefly recap and ask if anything else is needed. One short sentence, not three follow-ups.
+
+**If the sub-flow built or changed the storefront** (`/epicmerch-storefront`, `/epicmerch-magic-checkout`, or a custom build), run the **Definition of Done** gate above before recapping — `/epicmerch-verify` (Deep mode). Don't say "done" on anything that touched checkout without testing it live. (Pure config sub-flows like payment setup don't need the storefront verify, but a quick `merchant_diagnose` confirms they took.)
+
+Examples:
+
+> "Razorpay is now live on your store. Want a Buy Now button too?" *(routes to `/epicmerch-magic-checkout`)*
+
+> "Storefront scaffolded and end-to-end tested (product → cart → order all pass). Restart your dev server (`npm run dev`) to load `.env`. Need anything else — payments, Shopify migration, analytics?"
+
+---
+
+## Step C — Tool fallback (no skill match)
+
+If the intent doesn't match any row in the table AND it's not a "start me up" wizard cue, fall through to MCP tools directly:
+
+- "How many products do I have?" → `merchant_list_products`
+- "What's missing from my setup?" → `merchant_diagnose`
+- "Generate a new API key called X" → `merchant_generate_api_key`
+- "Send a notification to all customers" → `merchant_send_notification`
+
+Only escalate to a sub-skill if a multi-step recipe is needed (scaffolding files, configuring payment processors, multi-stage migrations).
+
+---
+
+## Style
+
+- **One question at a time.** Never stack three.
+- **Read intent from context.** React + no `src/lib/epicmerch.js` → don't ask, just say "I'll scaffold the storefront" and start.
+- **Confirm destructive operations.** Anything that deletes data or sends bulk notifications needs a yes-or-no first.
+- **Skill files are guidance, not gospel.** If a step fails (server error, etc.), surface the actual error and ask the merchant rather than blindly retrying.
+- **Lead with numbers.** "You have 42 products and ₹5,231 revenue this week" beats "let me tell you about your store."
+
+## What this skill does NOT do
+
+- Does not collect email/password in chat. Auth always goes through the browser OAuth flow via `/epicmerch-setup` (which runs `npx epicmerch-mcp login`).
+- Does not bypass per-skill safety checks. E.g. `/epicmerch-magic-checkout` won't scaffold a Buy Now button before verifying Razorpay is configured — the umbrella respects that and the wizard's step 2 ensures payments are configured before step 5 even asks.

package/src/adapters/mcp.js

@@ -11,6 +11,7 @@ import { developerTools, developerToolDefs } from '../tools/developer.js';
 import { scaffoldTools, scaffoldToolDefs } from '../tools/scaffold.js';
 import { merchantTools, merchantToolDefs } from '../tools/merchant.js';
 import { prompts } from '../prompts/index.js';
+import { VERSION } from '../version.js';
 
 const __dir = dirname(fileURLToPath(import.meta.url));
 const readResource = (rel) => readFileSync(join(__dir, '../resources', rel), 'utf-8');
@@ -27,7 +28,7 @@ function buildZodSchema(schemaDef) {
 }
 
 export async function startMcpAdapter(session, client) {
-  const server = new McpServer({ name: 'epicmerch', version: '1.0.0' });
+  const server = new McpServer({ name: 'epicmerch', version: VERSION });
 
   const allToolDefs = [...sessionToolDefs, ...developerToolDefs, ...scaffoldToolDefs, ...merchantToolDefs];
   const allHandlers = {

package/src/adapters/openapi.js

@@ -6,6 +6,7 @@ import { sessionTools, sessionToolDefs } from '../tools/session.js';
 import { developerTools, developerToolDefs } from '../tools/developer.js';
 import { scaffoldTools, scaffoldToolDefs } from '../tools/scaffold.js';
 import { merchantTools, merchantToolDefs } from '../tools/merchant.js';
+import { VERSION } from '../version.js';
 
 const ALL_TOOL_DEFS = [...sessionToolDefs, ...developerToolDefs, ...scaffoldToolDefs, ...merchantToolDefs];
 
@@ -46,7 +47,7 @@ function buildOpenApiSpec(serverUrl) {
 
   return {
     openapi: '3.1.0',
-    info: { title: 'EpicMerch MCP Tools', version: '1.0.0', description: 'EpicMerch tools for Claude and ChatGPT' },
+    info: { title: 'EpicMerch MCP Tools', version: VERSION, description: 'EpicMerch tools for Claude and ChatGPT' },
     servers: [{ url: serverUrl || 'https://mcp.epicmerch.in' }],
     paths,
     components: {

package/src/version.js

@@ -0,0 +1,13 @@
+// src/version.js
+// Single source of the package version, read from package.json at runtime — so
+// the MCP serverInfo handshake, the OpenAPI spec, etc. always match the published
+// version instead of drifting from a hardcoded literal. Works in local dev, the
+// npm tarball, and the staged .dxt (package.json sits at ../ from src/ in all three).
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dir = dirname(fileURLToPath(import.meta.url));
+export const VERSION = JSON.parse(
+  readFileSync(join(__dir, '..', 'package.json'), 'utf-8')
+).version;