webcake-landing-mcp 1.0.79 → 1.0.81

package/README.md

@@ -172,7 +172,7 @@ server, the `login` browser flow (+ backend contract), and how to grab a JWT by
 |-------|---------------|
 | **[Connect your IDE / claude.ai](docs/connect-mcp.md)** | Step-by-step connection for every client (npx & hosted URL), troubleshooting table. |
 | **[Configuration](docs/configuration.md)** | Env vars, `--env` presets, browser `login`, per-request headers, getting a JWT. |
-| **[Tools reference](docs/tools.md)** | All 21 tools in detail + the step-by-step workflow + model notes. |
+| **[Tools reference](docs/tools.md)** | All 22 tools in detail + the step-by-step workflow + model notes. |
 | **[Usage examples](docs/usage-examples.md)** | Three end-to-end walkthroughs: build from a brief, surgical edit, inspect a type. |
 | **[Manual / advanced install](docs/manual-install.md)** | Shell installers, cloned builds, hand-written per-IDE config. |
 | **[Page-element schema](docs/page-element-schema.md)** | The full element-model reference (+ [every special/event](docs/element-specials-reference.md)). |
@@ -181,13 +181,13 @@ server, the `login` browser flow (+ backend contract), and how to grab a JWT by
 
 ## 🧰 The tools at a glance
 
-21 tools in five groups — full descriptions in **[docs/tools.md](docs/tools.md)**:
+22 tools in five groups — full descriptions in **[docs/tools.md](docs/tools.md)**:
 
 | Group | Tools | Needs |
 |-------|-------|-------|
 | **Reference** | `get_generation_guide` · `list_elements` · `get_element` · `get_page_schema` | nothing |
 | **Generation** | `new_element` · `new_page_skeleton` · `validate_page` | nothing |
-| **Media** | `search_images` (real Pexels stock photos) · `get_icon_svg` (Material Symbols / Font Awesome icon names → inline SVG via Iconify) · `upload_images` (re-host external images, data: URIs, or local file paths from the user's machine) | nothing |
+| **Media** | `search_images` (real Pexels stock photos) · `get_icon_svg` (Material Symbols / Font Awesome icon names → inline SVG via Iconify) · `upload_images` (re-host external images, data: URIs, or local file paths from the user's machine) · `render_preview` (screenshot a page/URL so the model can see + compare it) | nothing |
 | **Ingest** | `ingest_html` · `ingest_url` (recreate an existing page) | nothing |
 | **Persistence** | `list_organizations` · `create_page` · `list_pages` · `find_pages` · `get_page` · `update_page` · `add_section` · `patch_page` · `publish_page` | `WEBCAKE_API_BASE` + `WEBCAKE_JWT` |
 

package/dist/changelog.json

@@ -1,4 +1,18 @@
 [
+  {
+    "v": "1.0.81",
+    "d": "16/06/2026",
+    "type": "Changed",
+    "en": "The Playwright screenshot engine that backs render_preview's GET /api/render/screenshot route now defaults to JPEG output instead of PNG, reducing…",
+    "vi": "Engine chụp màn hình Playwright phục vụ route GET /api/render/screenshot của render_preview nay mặc định xuất ảnh JPEG thay vì PNG, giúp giảm kích…"
+  },
+  {
+    "v": "1.0.80",
+    "d": "16/06/2026",
+    "type": "Added",
+    "en": "New render_preview tool screenshots a page's /preview/<id> or any public URL and returns a PNG the model can see, enabling a…",
+    "vi": "Tool mới render_preview chụp màn hình /preview/<id> của một trang hoặc bất kỳ URL công khai nào và trả về ảnh PNG để model có thể NHÌN THẤY kết quả,…"
+  },
   {
     "v": "1.0.79",
     "d": "15/06/2026",
@@ -26,19 +40,5 @@
     "type": "Added",
     "en": "validate_page now warns when specials.custom_css sets layout or structural CSS properties (position, top, left, right, bottom, inset, width, height,…",
     "vi": "validate_page nay cảnh báo khi specials.custom_css đặt các thuộc tính CSS layout hoặc cấu trúc (position, top, left, right, bottom, inset, width,…"
-  },
-  {
-    "v": "1.0.75",
-    "d": "15/06/2026",
-    "type": "Added",
-    "en": "New get_icon_svg tool resolves Material Symbols (ms:<name>) and Font Awesome (fa:<name>) icon-font references to real inline SVG markup via the…",
-    "vi": "Tool mới get_icon_svg resolve tên icon-font Material Symbols (ms:<name>) và Font Awesome (fa:<name>) thành SVG inline thực sự qua Iconify API công…"
-  },
-  {
-    "v": "1.0.74",
-    "d": "13/06/2026",
-    "type": "Added",
-    "en": "ingest_html and ingest_url now extract Tailwind gradient utilities (bg-gradient-to-*/from-*/via-*/to-*) from the page's class attributes, resolve…",
-    "vi": "ingest_html và ingest_url nay trích xuất các utility gradient Tailwind (bg-gradient-to-*/from-*/via-*/to-*) từ các thuộc tính class của trang,…"
   }
 ]

package/dist/domains/landing/guide.js

@@ -152,6 +152,7 @@ WORKFLOW (recommended)
 4. Assemble { page, popup, settings, options, cartConfigs }.
 5. Call validate_page and fix every error AND every warning — warnings are visible defects (text spilling onto the element below, off-canvas boxes, empty bands at a section's bottom, missing field_name, dead event targets), not advisory polish. Re-validate until the warning list is empty; only a demonstrably false positive may remain (tell the user which and why).
 6. To save: call list_organizations. If the account has EXACTLY ONE organization, create_page will auto-select it — no need to ask. If there are MULTIPLE organizations, show them to the user and ask which to use (highlight is_default as the suggested default); pass the chosen organization_id to create_page. If the user explicitly wants to save without any organization, pass organization_id:"personal". Then create_page (dry_run first, then dry_run:false). Note: create_page itself enforces this — it refuses to guess between multiple orgs and returns the org list asking you to pick.
+7. VISUAL CHECK — do this whenever you built from a reference (clone/adapt) or fidelity matters: after create_page auto-publishes (or after publish_page), actually LOOK at the rendered page and compare it to the reference, then fix what's off. SCREENSHOT IT WITH YOUR OWN CAPABILITY FIRST: if you have a browser/screenshot MCP (e.g. chrome-devtools) or any tool that can capture a URL, screenshot the returned preview_url yourself — it's fresh and unlimited. ONLY if you have no such ability, call render_preview(page_id) (returns a PNG; on a quota/rate-limit it returns ok:false → SKIP the visual check that round, don't fail the build). Put your shot next to the reference and compare section order, colors, spacing, image placement, sizing and text; for EACH mismatch, patch_page the offending element by id, re-publish (publish_page), and screenshot again — loop 2–3 rounds until it matches. The no-domain preview only renders for ~10 min after the last publish, so screenshot promptly and re-publish before re-checking a stale page.
 
 EDITING an existing page
 - find_pages / list_pages → let the user pick (or take a page_id from a URL).
@@ -165,4 +166,5 @@ REFERENCE INPUT (HTML page to clone or adapt)
 - ingest_html(html, detail:'full') / ingest_url(url, detail:'full') returns a richer AST for clone-quality rebuilds: CSS custom-property palette (design tokens by name), background_images from stylesheets (hero/CTA bg images invisible to a plain img scan), per-section blocks (repeating card/tile/step structures with title/body/image/cta), li lists, gradients, and images as { src, alt } objects. Use detail:'compact' (default) for a quick layout-only reference.
 - SECTION HEIGHTS: every AST section carries size_hint = { height, basis, css? } — the section's desktop height on the 960px canvas (basis:'css' = an explicit height/min-height found in the source, css holds the raw value e.g. "100vh"; basis:'estimate' = content-volume math). Set each rebuilt section's desktop height FROM its size_hint (±15% to fit your actual element placement) instead of the 800px default, so the page's vertical rhythm tracks the source: a 72px header stays a slim bar, a 1200px pricing band stays tall. Mobile is NOT hinted — redo the height per the mobile text math (stacked content is taller).
 - Map AST section roles to Webcake elements: hero → section (background image/overlay) + text-block H1 + text-block subheading + button; features → group per card (icon rectangle + text-block title + text-block body); stats bar → group with text-block per stat; pricing → group with text-block list + button; footer → section (dark bg) + text-block + links. When the ingested page contains a composite widget (phone/device mockup, chat thread, mini dashboard, browser frame) → rebuild it as ONE html-box, NOT as element soup. The full AST hands you the SOURCE for this: section.widgets = [{ hint, html, css? }] — the widget's cleaned outerHTML plus the stylesheet rules that style it. Build the html-box FROM that html verbatim: inline each css rule into the matching elements' style="" attributes (an html-box has no <style> scope), wrap in a root div with width:100%;height:100%;box-sizing:border-box;overflow:hidden, and size the html-box to the widget's box — do NOT re-imagine the widget's markup from the summary fields.
-- Reference images are the user's assets — for BOTH intents (adapt AND clone), carry every real image URL found in the AST (images, background_images, og_image, canvas src/background) straight into the matching slot; the save auto-hosts it to the Webcake CDN (no upload_images needed, no hotlinking), so never replace it with a search_images stock photo or a placeholder. intent='adapt' rewrites TEXT for the user's brand, not the imagery; search_images only fills slots that have no source image.`;
+- Reference images are the user's assets — for BOTH intents (adapt AND clone), carry every real image URL found in the AST (images, background_images, og_image, canvas src/background) straight into the matching slot; the save auto-hosts it to the Webcake CDN (no upload_images needed, no hotlinking), so never replace it with a search_images stock photo or a placeholder. intent='adapt' rewrites TEXT for the user's brand, not the imagery; search_images only fills slots that have no source image.
+- VERIFY THE CLONE VISUALLY (don't trust the build blind): after saving, do the VISUAL CHECK from BUILDING step 7 — screenshot the rendered preview with your own browser/screenshot capability (or render_preview as fallback) and compare it side-by-side with the reference (screenshot the reference URL too if you only have HTML), then patch_page the elements that don't match and re-check. Eyeballing a reference and rebuilding once typically lands ~60% similar; the look-and-patch loop is what closes the gap.`;

package/dist/domains/landing/instructions.js

@@ -41,5 +41,6 @@ MODEL (essentials):
 
 - BEYOND ELEMENT CAPABILITY: when a reference effect can't be expressed with an element's built-in specials (hover scale/lift/zoom & transitions, gradients, glassmorphism/backdrop-blur, custom shadows, gradient/clipped text, keyframe animations outside the 9 entrance types) DON'T drop it — use the escape hatches so the page is as complete as possible: element specials.custom_css (extra DECLARATIONS in #w-<id>{…}; declarations-only) + specials.custom_class (both need specials.customAdvance:true) for per-element styling, and page settings.extra_css (a full raw stylesheet in <head> — where :hover/@keyframes/media-queries live, target #w-<element id>) + settings.extra_script (raw JS) + settings.bhet/bbet (raw HTML blocks at end of <head>/<body> — for webfont <link>s, <meta>/verification, analytics/pixels, chat widgets, third-party embeds). get_generation_guide has the recipes. SAFETY (custom is raw + global → sloppy custom BREAKS the whole UI): SCOPE every extra_css rule to "#w-<id>" or a specials.custom_class — NEVER a bare tag / "*" / a Webcake-internal class (.section-container/.rectangle-css/.text-block-css/.group-*…); keep custom_css to VISUAL props only (no position/top/left/width/height/display/float); close every bhet/bbet tag; don't restructure "#w-…" elements in extra_script. validate_page flags unscoped selectors, layout props in custom_css, unbalanced braces/tags, missing customAdvance, and CSS/JS in the wrong field — fix every such warning.
 - PREVIEW vs PUBLISH: for review share the EDITOR url (the builder renders the raw source). The editor_url SIGNS THE BROWSER IN automatically (it routes through the builder's /transport with the account token), so it works even when the user isn't logged in — but for the same reason it must go to the PAGE OWNER ONLY, never into anything public. create_page AUTO-PUBLISHES on success (builds the rendered app + publish_html), so a fresh page's preview_url renders right away — but the preview host (preview.localhost:5800 local / staging.webcake.me staging / www.webcake.me prod) only serves it for ~10 MINUTES after the last publish, then shows "Preview page is expired". The EDIT routes (update_page/add_section/patch_page) store source only — after finishing a round of edits, run publish_page({ page_id, dry_run:false }) to rebuild the rendered app (else the preview shows the STALE pre-edit build). ONLY a custom_domain (publish_page({ page_id, custom_domain, dry_run:false })) gives a permanent public URL; without one the page has just the ephemeral preview link — say so and suggest attaching a domain the user already points at Webcake.
+- VISUAL CHECK after saving (do it for every clone/reference build, and whenever the look matters): don't trust the build blind — LOOK at the rendered page and fix what's off. SCREENSHOT IT WITH YOUR OWN CAPABILITY FIRST — if you have a browser/screenshot MCP (e.g. chrome-devtools) or any tool that captures a URL, screenshot the returned preview_url yourself (fresh + unlimited); ONLY if you have none, call render_preview(page_id), which returns a PNG (on a quota/429 it returns ok:false → skip the check that round, never fail the build). Compare your shot to the reference (screenshot the reference URL too when you only have HTML) — section order, colors, spacing, image placement, sizing, text — then patch_page each mismatch by id, re-publish (publish_page), and screenshot again; loop 2–3 rounds. Rebuilding once from a glance lands ~60% similar — the look-and-patch loop is what closes the gap. The no-domain preview only renders ~10 min after the last publish, so shoot promptly and re-publish before re-checking.
 
-Start by calling get_generation_guide. Tools: get_generation_guide, list_elements, get_element, new_element, new_page_skeleton, get_page_schema, validate_page, search_images, get_icon_svg, upload_images, ingest_html, ingest_url, list_organizations, create_page, list_pages, find_pages, get_page, update_page, add_section, patch_page, publish_page.`;
+Start by calling get_generation_guide. Tools: get_generation_guide, list_elements, get_element, new_element, new_page_skeleton, get_page_schema, validate_page, search_images, get_icon_svg, upload_images, render_preview, ingest_html, ingest_url, list_organizations, create_page, list_pages, find_pages, get_page, update_page, add_section, patch_page, publish_page.`;

package/dist/http.js

@@ -21,11 +21,13 @@ import { ICON_SVG, ICON_MIME } from "./branding.js";
 import { guideHtml, ogImageSvg, normalizeLang } from "./web-guide.js";
 import { privacyHtml, termsHtml } from "./legal.js";
 import { searchPexels, resolvePexelsKey } from "./persistence/pexels-client.js";
+import { captureWithPlaywright, isAllowedScreenshotUrl } from "./persistence/screenshot-playwright.js";
 import { resolveEnv, ENVIRONMENTS, stripTrailingSlash } from "./persistence/config.js";
 import { buildConnectUrl } from "./auth/login.js";
 import { registerClient, startAuthorize, completeAuthorize, exchangeToken, resolveAccessToken, revokeToken, authServerMetadata, protectedResourceMetadata, } from "./auth/oauth-server.js";
 const MCP_PATH = "/mcp";
 const IMAGES_PATH = "/api/images/search";
+const RENDER_SCREENSHOT_PATH = "/api/render/screenshot";
 // OAuth 2.1 endpoints (the embedded thin Authorization Server — see auth/oauth-server.ts).
 const WELL_KNOWN_PR = "/.well-known/oauth-protected-resource";
 const WELL_KNOWN_AS = "/.well-known/oauth-authorization-server";
@@ -322,6 +324,40 @@ async function handleImageSearch(req, res) {
     const result = await searchPexels(key, params);
     return sendImgJson(result.ok ? 200 : result.status || 502, result);
 }
+/**
+ * Self-hosted screenshot route: GET /api/render/screenshot?url=…&full_page=…&width=…
+ * Renders the target URL with Playwright (this VPS's own headless Chromium) and
+ * returns the PNG bytes — the UNLIMITED engine `render_preview` falls over to when
+ * Microlink's free quota is hit (point RENDER_SCREENSHOT_BASE at this host). Returns
+ * 503 when Playwright isn't installed here. Blocks private/loopback targets (SSRF).
+ */
+async function handleRenderScreenshot(req, res) {
+    const cors = { "access-control-allow-origin": "*", "access-control-allow-headers": "*" };
+    if (req.method === "OPTIONS") {
+        res.writeHead(204, cors);
+        return res.end();
+    }
+    const sendErr = (status, body) => {
+        res.writeHead(status, { "content-type": "application/json", ...cors });
+        res.end(JSON.stringify(body));
+    };
+    const sp = new URL(req.url ?? "/", "http://x").searchParams;
+    const target = sp.get("url")?.trim();
+    if (!target)
+        return sendErr(400, { ok: false, error: "Pass ?url=<public http(s) URL>." });
+    const allow = isAllowedScreenshotUrl(target);
+    if (!allow.ok)
+        return sendErr(400, { ok: false, error: allow.error });
+    const fullPage = sp.get("full_page") !== "false";
+    const width = sp.get("width") ? Number(sp.get("width")) : undefined;
+    const r = await captureWithPlaywright(target, { fullPage, width });
+    if (!r.ok) {
+        // 503 when the engine is absent (caller should fall back / skip), 502 otherwise.
+        return sendErr(r.reason === "not_installed" ? 503 : 502, { ok: false, error: r.error });
+    }
+    res.writeHead(200, { "content-type": r.mimeType, "cache-control": "no-store", ...cors });
+    return res.end(r.data);
+}
 export async function startHttpServer(port) {
     // mcp-session-id -> live transport (each bound to its own McpServer instance).
     const transports = new Map();
@@ -382,6 +418,9 @@ export async function startHttpServer(port) {
         // Shared image proxy (for `npx` clients without their own Pexels key).
         if (path === IMAGES_PATH)
             return handleImageSearch(req, res);
+        // Self-hosted screenshot engine (Playwright) — the unlimited fallback for render_preview.
+        if (path === RENDER_SCREENSHOT_PATH)
+            return handleRenderScreenshot(req, res);
         // OAuth 2.1 endpoints (always served; see handleOAuth). Returns true if handled.
         if (await handleOAuth(req, res, path))
             return;

package/dist/legal.js

@@ -48,6 +48,10 @@ what categories of data the connector handles, why, who receives it, and how lon
   <li><strong>Images.</strong> External image URLs in a page are re-hosted to the Webcake CDN on save. Optional
   stock-photo search uses the Pexels API and icon lookup uses the Iconify API. <em>Purpose:</em> to supply the
   visuals for your page.</li>
+  <li><strong>Page preview screenshots.</strong> When you ask the assistant to visually check a page, the page's
+  <em>public</em> preview URL is sent to a screenshot service (by default Microlink; optionally a self-hosted
+  renderer) which returns a picture of the page. <em>Purpose:</em> so the assistant can see the rendered result and
+  compare it to your reference. Only the public URL is sent — never your access token or page-source JSON.</li>
 </ul>
 
 <h2>What we store and for how long</h2>
@@ -70,6 +74,8 @@ what categories of data the connector handles, why, who receives it, and how lon
   and serves your pages; governed by Webcake's own terms.</li>
   <li><strong>Pexels</strong> (pexels.com) — stock-photo search, only when you request images.</li>
   <li><strong>Iconify</strong> (iconify.design) — resolves icon names to SVG, only when a page uses icons.</li>
+  <li><strong>Microlink</strong> (api.microlink.io) — renders a page's public preview URL to a screenshot, only when
+  you request a visual check. A self-hosted renderer can be configured instead; only the public URL is sent.</li>
 </ul>
 
 <h2>Data we do NOT collect</h2>

package/dist/mcp/response.js

@@ -6,6 +6,18 @@ export function text(value) {
     const body = typeof value === "string" ? value : JSON.stringify(value, null, 2);
     return { content: [{ type: "text", text: body }] };
 }
+/**
+ * Wrap a base64 image as an MCP image content block, optionally followed by a
+ * text block (notes/metadata the model should read). Used by render_preview so a
+ * multimodal model can SEE the rendered page and compare it to the reference.
+ */
+export function image(dataBase64, mimeType = "image/png", note) {
+    const content = [{ type: "image", data: dataBase64, mimeType }];
+    if (note !== undefined) {
+        content.push({ type: "text", text: typeof note === "string" ? note : JSON.stringify(note, null, 2) });
+    }
+    return { content };
+}
 /**
  * Directive shipped alongside every non-empty validation-warnings list.
  * Warnings are design defects the customer WILL see (text overlapping the

package/dist/persistence/screenshot-client.js

@@ -0,0 +1,162 @@
+/**
+ * Thin screenshot client for the clone-fidelity loop: render a public URL (a
+ * page's /preview/<id>, or a reference page being cloned) to a PNG the model can
+ * SEE and compare against the reference.
+ *
+ * CAPABILITY LADDER (decided by the caller, NOT this file):
+ *   1. If the AGENT can screenshot itself (a shell + headless browser, e.g. Claude
+ *      Code local), it should do that — fresh every time, no quota. The MCP
+ *      `render_preview` tool is the FALLBACK for agents WITHOUT that ability
+ *      (e.g. the claude.ai remote connector).
+ *   2. This client's default engine is Microlink ZERO-CONFIG (no key) — but its
+ *      free tier is rate-limited PER IP (~50/day). That's fine for a local stdio
+ *      user (their own IP) but a SHARED quota behind the serve-host proxy, so for
+ *      remote/multi-user the host should point RENDER_SCREENSHOT_BASE at a KEYED
+ *      engine (a proxy route that holds a ScreenshotOne/ApiFlash/Microlink-Pro key).
+ *   3. On quota/429 or any failure the caller SKIPS gracefully (never throws).
+ *
+ * Mirrors the Pexels client's direct-vs-proxy shape (see pexels-client.ts). The
+ * secret (if any) is resolved like the JWT — env or per-request header, never
+ * hard-coded (the repo is public). Requires global fetch (Node 18+).
+ */
+/** Microlink's free screenshot endpoint. `embed=screenshot.url` returns the PNG bytes directly. */
+const MICROLINK_ENDPOINT = "https://api.microlink.io/";
+/** Path of the keyed proxy's screenshot route (served by a host that holds a paid key). */
+export const SCREENSHOT_PROXY_PATH = "/api/render/screenshot";
+/** Fetch timeout — screenshots can be slow (full-page + webfont settle). */
+const SCREENSHOT_TIMEOUT_MS = (() => {
+    const v = parseInt(process.env.WEBCAKE_HTTP_TIMEOUT_MS ?? "", 10);
+    return Number.isFinite(v) && v > 0 ? v : 60_000;
+})();
+/** Resolve the keyed-proxy base (host route that holds a paid screenshot key), if configured. */
+export function resolveScreenshotProxyBase(override) {
+    const base = override ?? process.env.RENDER_SCREENSHOT_BASE;
+    return base && base.trim() !== "" ? base.replace(/\/+$/, "") : undefined;
+}
+/** Pull the per-request proxy base header (remote mode), if present. */
+export function screenshotProxyBaseFromHeaders(headers) {
+    const v = headers?.["x-render-screenshot-base"];
+    const raw = Array.isArray(v) ? v[0] : v;
+    return raw && raw.trim() !== "" ? raw.trim() : undefined;
+}
+/** Which engine to try FIRST: "microlink" (free, default) or "proxy" (the keyed/self-hosted route). */
+export function resolveScreenshotPrimary(override) {
+    const v = (override ?? process.env.RENDER_SCREENSHOT_PRIMARY ?? "").toLowerCase();
+    return v === "proxy" ? "proxy" : "microlink";
+}
+/** Optional Microlink Pro key (raises the free per-IP quota) — env or x-microlink-key header. */
+export function resolveMicrolinkKey(override) {
+    const key = override ?? process.env.MICROLINK_API_KEY;
+    return key && key.trim() !== "" ? key.trim() : undefined;
+}
+export function microlinkKeyFromHeaders(headers) {
+    const v = headers?.["x-microlink-key"];
+    const raw = Array.isArray(v) ? v[0] : v;
+    return raw && raw.trim() !== "" ? raw.trim() : undefined;
+}
+/**
+ * Build the Microlink request URL. We force a cache bypass (`force=true` AND a
+ * nonce on the target URL) because the preview URL is stable across patch rounds
+ * — without it Microlink serves a STALE shot of the pre-patch page. Pure so the
+ * smoke test can assert the query shape without a network call.
+ */
+export function buildMicrolinkUrl(targetUrl, opts = {}, nonce = 0) {
+    // Nonce-bust the TARGET url itself (defends against any URL-keyed cache even if
+    // `force` is restricted on the free tier).
+    const bustTarget = targetUrl + (targetUrl.includes("?") ? "&" : "?") + "_=" + nonce;
+    const q = new URLSearchParams();
+    q.set("url", bustTarget);
+    q.set("screenshot", "true");
+    q.set("fullPage", String(opts.fullPage !== false));
+    q.set("meta", "false");
+    q.set("force", "true");
+    q.set("embed", "screenshot.url"); // respond with the PNG bytes, not JSON
+    if (opts.width && Number.isFinite(opts.width))
+        q.set("viewport.width", String(Math.round(opts.width)));
+    return `${MICROLINK_ENDPOINT}?${q.toString()}`;
+}
+/** Read a fetch Response into a ScreenshotResult, classifying quota/errors. */
+async function readImageResponse(res, via) {
+    const ct = (res.headers.get("content-type") ?? "").toLowerCase();
+    if (res.ok && ct.startsWith("image/")) {
+        const buf = Buffer.from(await res.arrayBuffer());
+        return { ok: true, status: res.status, dataBase64: buf.toString("base64"), mimeType: ct.split(";")[0].trim(), bytes: buf.length, via };
+    }
+    // Non-image → an error (JSON or text). 429 == rate limit / quota.
+    const body = (await res.text()).slice(0, 300);
+    const quota = res.status === 429;
+    return {
+        ok: false,
+        status: res.status,
+        via,
+        quota_exhausted: quota,
+        error: quota
+            ? `screenshot quota/rate-limit hit (HTTP 429) via ${via} — skip the visual check this round or configure a keyed engine`
+            : `${via} returned HTTP ${res.status}${body ? `: ${body}` : ""}`,
+    };
+}
+/** Capture via Microlink directly (zero-config; per-IP free quota). */
+export async function captureViaMicrolink(targetUrl, opts, key, nonce = 0) {
+    const url = buildMicrolinkUrl(targetUrl, opts, nonce);
+    try {
+        const res = await fetch(url, {
+            method: "GET",
+            headers: key ? { "x-api-key": key } : undefined,
+            signal: AbortSignal.timeout(SCREENSHOT_TIMEOUT_MS),
+        });
+        return await readImageResponse(res, "microlink");
+    }
+    catch (e) {
+        if (e?.name === "TimeoutError" || e?.name === "AbortError") {
+            return { ok: false, status: 0, via: "microlink", error: `screenshot timed out after ${SCREENSHOT_TIMEOUT_MS}ms` };
+        }
+        return { ok: false, status: 0, via: "microlink", error: `network error calling Microlink: ${e?.message ?? e}` };
+    }
+}
+/** Capture via a keyed proxy route the host operates: GET <base>/api/render/screenshot?url=…&full_page=…&width=… */
+export async function captureViaProxy(base, targetUrl, opts, nonce = 0) {
+    const q = new URLSearchParams();
+    q.set("url", targetUrl + (targetUrl.includes("?") ? "&" : "?") + "_=" + nonce);
+    q.set("full_page", String(opts.fullPage !== false));
+    if (opts.width && Number.isFinite(opts.width))
+        q.set("width", String(Math.round(opts.width)));
+    const url = `${base}${SCREENSHOT_PROXY_PATH}?${q.toString()}`;
+    try {
+        const res = await fetch(url, { method: "GET", signal: AbortSignal.timeout(SCREENSHOT_TIMEOUT_MS) });
+        return await readImageResponse(res, "proxy");
+    }
+    catch (e) {
+        if (e?.name === "TimeoutError" || e?.name === "AbortError") {
+            return { ok: false, status: 0, via: "proxy", error: `screenshot timed out after ${SCREENSHOT_TIMEOUT_MS}ms calling proxy ${base}` };
+        }
+        return { ok: false, status: 0, via: "proxy", error: `network error calling screenshot proxy ${base}: ${e?.message ?? e}` };
+    }
+}
+/**
+ * Capture a screenshot with AUTOMATIC FALLOVER between the two engines:
+ *   - Microlink direct (free, zero-config) and
+ *   - the proxy route (a keyed API or the VPS's self-hosted Playwright engine).
+ * Tries `primary` first; if it fails — especially Microlink hitting its per-IP
+ * quota (HTTP 429) — it retries the other engine. So a free quota is used up
+ * first, then traffic auto-switches to the unlimited self-hosted route. With no
+ * proxyBase configured it's Microlink only. Never throws; on total failure
+ * returns the most informative error (quota_exhausted set when that was the cause).
+ */
+export async function captureScreenshot(targetUrl, opts = {}, resolved = {}, nonce = 0) {
+    const primary = resolved.primary ?? resolveScreenshotPrimary();
+    const micro = () => captureViaMicrolink(targetUrl, opts, resolved.microlinkKey, nonce);
+    const proxy = () => (resolved.proxyBase ? captureViaProxy(resolved.proxyBase, targetUrl, opts, nonce) : null);
+    // No fallback engine available → single attempt.
+    if (!resolved.proxyBase)
+        return micro();
+    const first = primary === "proxy" ? proxy() : micro();
+    const r1 = await first;
+    if (r1.ok)
+        return r1;
+    // Primary failed (quota or error) → fall over to the other engine.
+    const r2 = await (primary === "proxy" ? micro() : proxy());
+    if (r2.ok)
+        return r2;
+    // Both failed → prefer the non-quota error (more actionable); else the quota one.
+    return r1.quota_exhausted && !r2.quota_exhausted ? r2 : r1;
+}

package/dist/persistence/screenshot-playwright.js

@@ -0,0 +1,182 @@
+/**
+ * Self-hosted screenshot engine (Playwright) for the serve-host's
+ * GET /api/render/screenshot route — the UNLIMITED fallback the `render_preview`
+ * tool falls over to when Microlink's free per-IP quota is exhausted.
+ *
+ * Playwright is NOT a package dependency (keeps `npx webcake-landing-mcp` light —
+ * no Chromium download for stdio users). It is loaded LAZILY at runtime; absent →
+ * captureWithPlaywright returns ok:false and the route replies 503. Install it
+ * ONLY on the VPS that runs `serve`:
+ *
+ *   npm i playwright && npx playwright install --with-deps chromium
+ *   # or, to reuse an already-installed Chrome/Chromium without the download:
+ *   npm i playwright-core   and set CHROME_BIN=/path/to/chrome
+ *
+ * Launch uses CHROME_BIN / PLAYWRIGHT_CHROMIUM_PATH as executablePath when set
+ * (so playwright-core can drive a system browser); otherwise Playwright's own
+ * bundled Chromium. One browser is launched and reused; a fresh context per shot.
+ */
+let pwModule = null;
+let triedLoad = false;
+let browserPromise = null;
+/** Lazy-load `playwright` (then `playwright-core`); cache the result (incl. the not-installed case). */
+async function loadPlaywright() {
+    if (triedLoad)
+        return pwModule;
+    triedLoad = true;
+    // Variable specifier so tsc treats import() as `any` and does NOT require the
+    // module to be installed at build time.
+    for (const spec of ["playwright", "playwright-core"]) {
+        try {
+            pwModule = await import(spec);
+            break;
+        }
+        catch {
+            /* not installed — try next */
+        }
+    }
+    return pwModule;
+}
+/** True when a Playwright package is importable on this host. */
+export async function playwrightInstalled() {
+    return !!(await loadPlaywright());
+}
+/** Launch (once) and reuse a headless Chromium. Returns null when unavailable. */
+async function getBrowser() {
+    const pw = await loadPlaywright();
+    if (!pw)
+        return null;
+    if (!browserPromise) {
+        const launchOpts = { headless: true, args: ["--no-sandbox", "--disable-dev-shm-usage"] };
+        const exe = process.env.PLAYWRIGHT_CHROMIUM_PATH || process.env.CHROME_BIN;
+        if (exe)
+            launchOpts.executablePath = exe;
+        browserPromise = pw.chromium.launch(launchOpts).catch((e) => {
+            browserPromise = null; // allow a later retry
+            throw e;
+        });
+    }
+    try {
+        return await browserPromise;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Output tuning (env-controlled, so the VPS operator picks the size/quality
+ * tradeoff). Default JPEG — a full-page landing screenshot is ~5–10× smaller as
+ * JPEG than PNG with no loss that matters for a layout/colour comparison, which
+ * shrinks the base64 the model receives. `scale` (deviceScaleFactor) renders at a
+ * lower pixel density to cut dimensions too; 1 = crisp, 0.5 = quarter the pixels.
+ */
+function outputOpts() {
+    const fmt = (process.env.RENDER_SCREENSHOT_FORMAT ?? "jpeg").toLowerCase();
+    const type = fmt === "png" ? "png" : "jpeg";
+    const q = parseInt(process.env.RENDER_SCREENSHOT_QUALITY ?? "", 10);
+    const quality = type === "jpeg" ? (Number.isFinite(q) && q >= 1 && q <= 100 ? q : 72) : undefined;
+    const s = parseFloat(process.env.RENDER_SCREENSHOT_SCALE ?? "");
+    const scale = Number.isFinite(s) && s > 0 && s <= 2 ? s : 1;
+    return { type, quality, scale };
+}
+/** Screenshot a URL with Playwright. Never throws. */
+export async function captureWithPlaywright(url, opts = {}) {
+    const pw = await loadPlaywright();
+    if (!pw) {
+        return {
+            ok: false,
+            reason: "not_installed",
+            error: "playwright is not installed on this host (run: npm i playwright && npx playwright install chromium)",
+        };
+    }
+    // One shot, with a single self-heal retry: if the cached browser died (crash,
+    // or a system Chrome that closed), drop it and relaunch once.
+    for (let attempt = 0; attempt < 2; attempt++) {
+        let browser = await getBrowser();
+        if (!browser)
+            return { ok: false, error: "failed to launch headless chromium (check CHROME_BIN / playwright install)" };
+        // If the cached handle is already disconnected, force a relaunch.
+        if (typeof browser.isConnected === "function" && !browser.isConnected()) {
+            browserPromise = null;
+            browser = await getBrowser();
+            if (!browser)
+                return { ok: false, error: "failed to relaunch headless chromium" };
+        }
+        let ctx;
+        try {
+            const out = outputOpts();
+            ctx = await browser.newContext({
+                viewport: { width: opts.width && Number.isFinite(opts.width) ? Math.round(opts.width) : 1280, height: 900 },
+                deviceScaleFactor: out.scale,
+            });
+            const page = await ctx.newPage();
+            await page.goto(url, { waitUntil: "load", timeout: 30_000 });
+            await page.waitForTimeout(1200); // let webfonts/lazy images settle
+            const shot = await page.screenshot({
+                fullPage: opts.fullPage !== false,
+                type: out.type,
+                ...(out.type === "jpeg" ? { quality: out.quality } : {}),
+            });
+            return { ok: true, data: Buffer.from(shot), mimeType: out.type === "png" ? "image/png" : "image/jpeg" };
+        }
+        catch (e) {
+            const msg = String(e?.message ?? e);
+            // Browser-died errors → reset and retry once; other errors → fail now.
+            const dead = /closed|disconnected|crash|Target page, context or browser/i.test(msg);
+            if (dead && attempt === 0) {
+                browserPromise = null;
+                continue;
+            }
+            return { ok: false, error: `playwright capture failed: ${msg}` };
+        }
+        finally {
+            if (ctx)
+                await ctx.close().catch(() => { });
+        }
+    }
+    return { ok: false, error: "playwright capture failed after retry" };
+}
+// ---------------------------------------------------------------------------
+// SSRF guard — this route fetches an arbitrary `url`, so block private/loopback
+// targets (someone could otherwise screenshot internal services). Pure + exported
+// for smoke coverage. Opt out with RENDER_ALLOW_PRIVATE=1 (e.g. local dev).
+// ---------------------------------------------------------------------------
+/** True when `hostname` resolves to a loopback / link-local / RFC-1918 private host. */
+export function isPrivateHost(hostname) {
+    const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // strip IPv6 brackets
+    if (h === "localhost" || h.endsWith(".localhost") || h === "::1" || h === "0.0.0.0")
+        return true;
+    if (/^127\./.test(h))
+        return true; // loopback
+    if (/^10\./.test(h))
+        return true; // private A
+    if (/^192\.168\./.test(h))
+        return true; // private C
+    if (/^172\.(1[6-9]|2\d|3[01])\./.test(h))
+        return true; // private B
+    if (/^169\.254\./.test(h))
+        return true; // link-local
+    if (/^0\./.test(h))
+        return true; // "this" network
+    if (h.startsWith("fc") || h.startsWith("fd"))
+        return true; // IPv6 ULA
+    if (h.startsWith("fe80"))
+        return true; // IPv6 link-local
+    return false;
+}
+/** Validate a screenshot target URL: http(s) only, no private host (unless RENDER_ALLOW_PRIVATE). */
+export function isAllowedScreenshotUrl(raw) {
+    let u;
+    try {
+        u = new URL(raw);
+    }
+    catch {
+        return { ok: false, error: "invalid url" };
+    }
+    if (u.protocol !== "http:" && u.protocol !== "https:")
+        return { ok: false, error: "only http(s) urls are allowed" };
+    if (!process.env.RENDER_ALLOW_PRIVATE && isPrivateHost(u.hostname)) {
+        return { ok: false, error: "private/loopback hosts are blocked (set RENDER_ALLOW_PRIVATE=1 to allow)" };
+    }
+    return { ok: true };
+}

package/dist/smoke.js

@@ -15,6 +15,8 @@ import { normalizePhoto, resolvePexelsKey, pexelsKeyFromHeaders, resolvePexelsPr
 import { putDraft, getDraft, updateDraft, deleteDraft } from "./persistence/draft-cache.js";
 import { buildConnectUrl, parseCallback } from "./auth/login.js";
 import { isLocalPath, resolveLocalPath, sniffMime, localContentType } from "./tools/media.js";
+import { buildMicrolinkUrl } from "./persistence/screenshot-client.js";
+import { isPrivateHost, isAllowedScreenshotUrl } from "./persistence/screenshot-playwright.js";
 import { iconifyCandidates } from "./persistence/icon-client.js";
 import { collectExternalImageUrls, rewriteImageUrls, isRehostableImageUrl } from "./persistence/rehost.js";
 let failures = 0;
@@ -1799,5 +1801,40 @@ console.log("== upload_images: localContentType (ext + magic, pure offline) ==")
     // both unknown → undefined
     check("localContentType: unknown magic + unknown ext → undefined", localContentType("xyz", unknownBuf) === undefined);
 }
+// == render_preview: buildMicrolinkUrl (pure offline) ==
+{
+    console.log("\n== render_preview: buildMicrolinkUrl (pure offline) ==");
+    const u = buildMicrolinkUrl("https://www.webcake.me/preview/abc", { fullPage: true, width: 1280 }, 999);
+    const sp = new URL(u).searchParams;
+    check("buildMicrolinkUrl: hits api.microlink.io", u.startsWith("https://api.microlink.io/?"));
+    check("buildMicrolinkUrl: screenshot=true", sp.get("screenshot") === "true");
+    check("buildMicrolinkUrl: fullPage=true by default", sp.get("fullPage") === "true");
+    check("buildMicrolinkUrl: force=true (cache bypass)", sp.get("force") === "true");
+    check("buildMicrolinkUrl: embed returns PNG bytes", sp.get("embed") === "screenshot.url");
+    check("buildMicrolinkUrl: nonce busts the target url", (sp.get("url") ?? "").includes("_=999"));
+    check("buildMicrolinkUrl: viewport.width passed through", sp.get("viewport.width") === "1280");
+    const noFull = new URL(buildMicrolinkUrl("https://x.test", { fullPage: false }, 1)).searchParams;
+    check("buildMicrolinkUrl: fullPage=false honored", noFull.get("fullPage") === "false");
+    check("buildMicrolinkUrl: width omitted → no viewport.width", noFull.get("viewport.width") === null);
+}
+// == /api/render/screenshot: SSRF url guard (pure offline) ==
+{
+    console.log("\n== render screenshot route: SSRF url guard (pure offline) ==");
+    // private / loopback / link-local hosts are blocked
+    check("isPrivateHost: localhost", isPrivateHost("localhost"));
+    check("isPrivateHost: 127.0.0.1", isPrivateHost("127.0.0.1"));
+    check("isPrivateHost: 10.x", isPrivateHost("10.1.2.3"));
+    check("isPrivateHost: 192.168.x", isPrivateHost("192.168.0.5"));
+    check("isPrivateHost: 172.16-31.x", isPrivateHost("172.20.0.1") && isPrivateHost("172.16.0.1") && isPrivateHost("172.31.255.255"));
+    check("isPrivateHost: 172.15/172.32 are PUBLIC", !isPrivateHost("172.15.0.1") && !isPrivateHost("172.32.0.1"));
+    check("isPrivateHost: 169.254 link-local", isPrivateHost("169.254.1.1"));
+    check("isPrivateHost: IPv6 ::1 / ULA", isPrivateHost("::1") && isPrivateHost("fd00::1"));
+    check("isPrivateHost: public host", !isPrivateHost("www.webcake.me") && !isPrivateHost("8.8.8.8"));
+    // url validation (RENDER_ALLOW_PRIVATE not set in smoke)
+    check("isAllowedScreenshotUrl: public https ok", isAllowedScreenshotUrl("https://www.webcake.me/preview/abc").ok);
+    check("isAllowedScreenshotUrl: ftp rejected", !isAllowedScreenshotUrl("ftp://x.test/a").ok);
+    check("isAllowedScreenshotUrl: localhost rejected", !isAllowedScreenshotUrl("http://localhost:5800/preview/1").ok);
+    check("isAllowedScreenshotUrl: garbage rejected", !isAllowedScreenshotUrl("not a url").ok);
+}
 console.log(`\n${failures === 0 ? "ALL GOOD" : failures + " FAILURE(S)"}`);
 process.exit(failures === 0 ? 0 : 1);

package/dist/tools/media.js

@@ -26,8 +26,9 @@ import { z } from "zod";
 import { promises as fs } from "node:fs";
 import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
-import { text } from "../mcp/response.js";
+import { text, image } from "../mcp/response.js";
 import { searchPexels, searchImagesViaProxy, resolvePexelsKey, resolvePexelsProxyBase, pexelsKeyFromHeaders, } from "../persistence/pexels-client.js";
+import { captureScreenshot, resolveScreenshotProxyBase, screenshotProxyBaseFromHeaders, resolveMicrolinkKey, microlinkKeyFromHeaders, } from "../persistence/screenshot-client.js";
 import { uploadImageMultipart } from "../persistence/webcake-client.js";
 import { resolveIconSvg } from "../persistence/icon-client.js";
 import { configFromHeaders, ENVIRONMENTS, stripTrailingSlash } from "../persistence/config.js";
@@ -47,6 +48,21 @@ function resolveApiBase(headers) {
     // Default to prod.
     return ENVIRONMENTS.prod.apiBase;
 }
+/** Resolve the public preview base (for building /preview/<id> URLs) from headers → env → WEBCAKE_ENV preset → prod default. No JWT needed. */
+function resolvePreviewBase(headers) {
+    const overrides = configFromHeaders(headers);
+    if (overrides.previewBase)
+        return stripTrailingSlash(overrides.previewBase);
+    if (process.env.WEBCAKE_PREVIEW_BASE)
+        return stripTrailingSlash(process.env.WEBCAKE_PREVIEW_BASE);
+    const envName = overrides.env ?? process.env.WEBCAKE_ENV;
+    if (envName && envName in ENVIRONMENTS) {
+        const p = ENVIRONMENTS[envName].previewBase;
+        if (p)
+            return stripTrailingSlash(p);
+    }
+    return ENVIRONMENTS.prod.previewBase;
+}
 const UPLOAD_FETCH_TIMEOUT_MS = 60_000; // 60 s — large bodies can be slow to transfer
 const UPLOAD_MAX_BYTES = 200_000_000; // 200 MB — mirrors the backend multipart Plug.Parsers limit
 /** Map a content_type to its canonical file extension. */
@@ -252,6 +268,41 @@ export function registerMediaTools(server, allowLocalFiles = true) {
             usage: "For each icons[<ref>].svg, make a rectangle in that card's icon slot: copy the svg into BOTH responsive.desktop.config.svgMask AND responsive.mobile.config.svgMask, set styles.background to the icon color, and keep the box SQUARE (width === height) — without styles.background the masked icon is invisible, and a non-square box stretches it. For any ok:false ref, fall back to an emoji inline or skip — never leave a feature card iconless.",
         });
     });
+    // 13c) Render a page/URL to a screenshot the model can SEE --------------------
+    server.tool("render_preview", "Renders a PUBLIC URL to a PNG and returns it as an image so the model can SEE the result and compare it visually to the reference — the fidelity-check step of the clone loop (build → see → patch_page → re-check). Pass `page_id` to shoot a created page's preview (/preview/<id>) or `url` for any public page (e.g. the reference you're cloning). full_page defaults to true (whole scrollable page). AGENT-FIRST: if YOU already have a screenshot/browser capability (a shell + headless browser, or a screenshot tool), screenshot the preview URL YOURSELF instead — it's fresh and unlimited; use this tool only when you cannot. ENGINE: zero-config via Microlink's free tier (rate-limited ~50/day PER IP, so heavy looping can hit HTTP 429 — then this returns ok:false and you should SKIP the visual check that round, not fail); a host can set RENDER_SCREENSHOT_BASE (or the x-render-screenshot-base header) to a keyed proxy, or MICROLINK_API_KEY / x-microlink-key for a higher quota. NOTE: a no-domain preview only renders for ~10 minutes after the last publish — call this promptly after create_page/publish_page, and re-publish before re-checking a stale page.", {
+        page_id: z.string().optional().describe("A created page's id — screenshots its /preview/<id> URL (built from the preview base). Provide page_id OR url."),
+        url: z.string().optional().describe("Any public http(s) URL to screenshot (e.g. the reference page being cloned). Wins over page_id."),
+        full_page: z.boolean().optional().describe("Capture the whole scrollable page (default true) vs just the viewport."),
+        width: z.number().int().min(320).max(2560).optional().describe("Viewport width in px (default 1280; use ~960/1200 to match the page canvas, ~420 for mobile)."),
+    }, { title: "Render Preview Screenshot", readOnlyHint: true, openWorldHint: true }, async ({ page_id, url, full_page, width }, extra) => {
+        const headers = extra?.requestInfo?.headers;
+        let target = url?.trim();
+        if (!target && page_id) {
+            target = `${resolvePreviewBase(headers)}/preview/${encodeURIComponent(page_id)}`;
+        }
+        if (!target) {
+            return text({ ok: false, error: "Pass `page_id` (to shoot its /preview/<id>) or `url`." });
+        }
+        const resolved = {
+            proxyBase: resolveScreenshotProxyBase(screenshotProxyBaseFromHeaders(headers)),
+            microlinkKey: resolveMicrolinkKey(microlinkKeyFromHeaders(headers)),
+        };
+        const r = await captureScreenshot(target, { fullPage: full_page !== false, width }, resolved, Date.now());
+        if (!r.ok) {
+            return text({
+                ok: false,
+                url: target,
+                status: r.status,
+                via: r.via,
+                quota_exhausted: r.quota_exhausted ?? false,
+                error: r.error,
+                hint: r.quota_exhausted
+                    ? "Screenshot quota/rate-limit reached — SKIP the visual check this round (do not block the build), or set a keyed engine (RENDER_SCREENSHOT_BASE / MICROLINK_API_KEY) and retry."
+                    : "Couldn't capture the screenshot. If you have your own browser/screenshot ability, shoot the URL yourself; otherwise skip the visual check. Note the /preview/<id> link expires ~10 min after the last publish — re-publish if stale.",
+            });
+        }
+        return image(r.dataBase64, r.mimeType ?? "image/png", `Rendered ${target} (${r.bytes} bytes, via ${r.via}). Compare this to the reference: check section order, colors, spacing, image placement, and text. For each mismatch, patch_page the offending element by id, re-publish, then render_preview again until it matches.`);
+    });
     // 14) Upload images to Webcake -----------------------------------------------
     server.tool("upload_images", "Converts external image URLs (typically collected from ingest_html/ingest_url results), data: URIs, or LOCAL FILE PATHS from the user's computer into Webcake-hosted URLs (statics.pancake.vn) by reading/downloading each image and re-uploading it to the Webcake backend via multipart upload (200 MB backend limit). Use this whenever the page is built from a reference HTML/URL (BOTH intents — adapt AND clone), the user supplies their own image URLs, OR the user provides local image files from their machine — pass the path directly in `urls`; NEVER upload a user's local file to a third-party host (catbox, imgur, transfer.sh…) to obtain a URL first. The returned URLs go directly into specials.src — same as search_images results. Processes up to 20 entries per call in parallel, with a 200 MB per-image cap. No Webcake credentials required (the upload endpoint is public). UPLOADS BY DEFAULT (dry_run defaults to FALSE — unlike the page-persistence tools, this touches no account data, so the default is the real upload): the call downloads/reads each entry, uploads it, and returns the images map (original URL → hosted URL); WAIT for that map before assembling the page and never fall back to a placeholder for a slot whose upload succeeded. Pass dry_run:true only to preview what would be processed without any network/filesystem activity. Use search_images instead when you need stock photos. Local file paths are only permitted when the MCP server runs locally (stdio mode); on the remote HTTP transport they are rejected per-entry.", {
         urls: z

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "webcake-landing-mcp",
-  "version": "1.0.79",
+  "version": "1.0.81",
   "description": "MCP server exposing Webcake landing-page element schemas + AI usage hints, and persisting LLM-generated page sources to a Webcake backend.",
   "mcpName": "io.github.vuluu2k/webcake-landing-mcp",
   "type": "module",
@@ -31,6 +31,7 @@
     "dev:guide": "node scripts/preview-guide.mjs",
     "smoke": "node dist/smoke.js",
     "inspect": "npm run build && npx -y @modelcontextprotocol/inspector node dist/index.js",
+    "pack:mcpb": "node scripts/pack-mcpb.mjs",
     "prepare": "npm run build",
     "prepublishOnly": "npm run build && npm run smoke",
     "release": "node scripts/release.js",