whatdotheyknow-mcp 0.1.2__tar.gz

whatdotheyknow_mcp-0.1.2/.github/workflows/release.yml

@@ -0,0 +1,32 @@
+name: Release
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: astral-sh/setup-uv@v5
+      - run: uv build
+      - uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          skip_existing: true
+
+  deploy:
+    name: Deploy to Fly
+    runs-on: ubuntu-latest
+    needs: publish
+    steps:
+      - uses: actions/checkout@v4
+      - uses: superfly/flyctl-actions/setup-flyctl@master
+      - run: flyctl deploy --remote-only --ha=false
+        env:
+          FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
+

whatdotheyknow_mcp-0.1.2/.gitignore

@@ -0,0 +1,15 @@
+# Python-generated files
+__pycache__/
+*.py[oc]
+build/
+dist/
+wheels/
+*.egg-info
+
+# Virtual environments
+.venv
+
+# Scratch files
+introduction-to-model-context-protocol.md
+model-context-protocol-advanced-topics.md
+tests/fleet_token_audit.py

whatdotheyknow_mcp-0.1.2/.python-version

@@ -0,0 +1 @@
+3.13

whatdotheyknow_mcp-0.1.2/AGENTS.md

@@ -0,0 +1,50 @@
+# AGENTS.md — whatdotheyknow-mcp
+
+AI agent instructions for working in this repo. See `/home/bch/dev/ops/OPS.md` for credentials, fleet overview, and release tooling.
+
+## Repo shape
+
+Single `server.py`. Tools for searching FOI requests, authorities, and drafting WhatDoTheyKnow submissions.
+Not on PyPI — deployed to Fly only.
+
+## Deploy
+
+```bash
+fly deploy --ha=false
+```
+
+Single instance, lhr region. App name: `whatdotheyknow-mcp`. Fly.io account: articat1066@gmail.com.
+
+## Version bump
+
+1. Update `version` in `pyproject.toml`
+2. Update version string in the `smithery_server_card` route in `server.py`
+3. Commit and push (no PyPI release needed)
+4. `fly deploy --ha=false`
+5. Cut a new Glama release
+
+## Standard routes (must always be present)
+
+- `/.well-known/mcp/server-card.json` — Smithery metadata
+- `/.well-known/glama.json` — Glama maintainer claim
+- `/health` — Fly health check
+
+Verify after deploy:
+```bash
+curl https://whatdotheyknow-mcp.fly.dev/.well-known/mcp/server-card.json
+curl https://whatdotheyknow-mcp.fly.dev/.well-known/glama.json
+curl https://whatdotheyknow-mcp.fly.dev/health
+```
+
+## README badge order
+
+```
+SafeSkill → Glama card → Smithery
+```
+(No PyPI badge — not published to PyPI)
+
+## Do not
+
+- Do not use `FASTMCP_PORT` — the server reads `PORT` env var only
+- Do not set `internal_port` in fly.toml to anything other than 8080
+- Do not commit API keys — all secrets are in Fly secrets (`fly secrets list`)

whatdotheyknow_mcp-0.1.2/CLAUDE.md

@@ -0,0 +1,39 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project
+
+An MCP server exposing [WhatDoTheyKnow](https://www.whatdotheyknow.com) FOI request data to Claude and other MCP clients. Built with FastMCP on Python 3.13+.
+
+## Commands
+
+This project uses `uv` for dependency management.
+
+```bash
+# Install dependencies
+uv sync
+
+# Run the server (listens on http://127.0.0.1:9000)
+uv run server.py
+
+# Type checking
+uv run mypy server.py
+
+# Add a dependency
+uv add <package>
+```
+
+## Architecture
+
+All logic lives in [server.py](server.py). `main.py` is an unused stub.
+
+**`WDTKClient`** — thin `httpx.AsyncClient` wrapper around `https://www.whatdotheyknow.com`. Write operations require `WDTK_API_KEY` env var and POST via `multipart/form-data`.
+
+**Resources** (`wdtk://...`) — read-only data mapped to WhatDoTheyKnow REST endpoints (authorities, requests, users, feeds, CSV). Exposed as tools via `ResourcesAsTools` transform.
+
+**Tools** — `build_request_url` and `search_request_events` are public. `create_request_record` and `update_request_state` are tagged `"write"` and can be disabled at startup.
+
+**Prompt** — `draft_foi_request` generates a system prompt guiding narrow, specific FOI request drafting.
+
+**Write API toggle** — uncomment `mcp.disable(tags={"write"})` in `server.py` to run in read-only mode.

whatdotheyknow_mcp-0.1.2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Paul Boucherat
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

whatdotheyknow_mcp-0.1.2/PKG-INFO

@@ -0,0 +1,96 @@
+Metadata-Version: 2.4
+Name: whatdotheyknow-mcp
+Version: 0.1.2
+Summary: WhatDoTheyKnow MCP server — search and read UK FOI requests, authorities, and responses
+License-File: LICENSE
+Requires-Python: >=3.13
+Requires-Dist: curl-cffi>=0.15.0
+Requires-Dist: fastmcp>=3.2.4
+Requires-Dist: httpx>=0.28.1
+Requires-Dist: prometheus-client==0.24.1
+Requires-Dist: pydantic>=2.13.3
+Description-Content-Type: text/markdown
+
+# whatdotheyknow-mcp
+
+<!-- mcp-name: io.github.paulieb89/whatdotheyknow-mcp -->
+
+[![Glama](https://img.shields.io/badge/Glama-listed-orange?style=flat-square)](https://glama.ai/mcp/servers/paulieb89/whatdotheyknow-mcp)
+[![smithery badge](https://smithery.ai/badge/bouch/whatdotheyknow)](https://smithery.ai/servers/bouch/whatdotheyknow)
+[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fwhatdotheyknow-mcp.fly.dev%2Fmcp%22%7D)
+[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Server-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fwhatdotheyknow-mcp.fly.dev%2Fmcp%22%7D&quality=insiders)
+[![Install in Cursor](https://img.shields.io/badge/Cursor-Install_Server-000000?style=flat-square&logoColor=white)](https://cursor.com/en/install-mcp?name=whatdotheyknow&config=eyJ0eXBlIjoiaHR0cCIsInVybCI6Imh0dHBzOi8vd2hhdGRvdGhleWtub3ctbWNwLmZseS5kZXYvbWNwIn0=)
+[![Install in VS Code (local)](https://img.shields.io/badge/VS_Code-Install_Local-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22command%22%3A%22uvx%22%2C%22args%22%3A%5B%22whatdotheyknow-mcp%22%5D%7D)
+
+A Model Context Protocol server for UK Freedom of Information research. Connects AI assistants to [WhatDoTheyKnow](https://www.whatdotheyknow.com/) — the UK's largest FOI request platform — to search requests, read responses, look up public authorities, and draft new requests.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `search_request_events` | Full-text search of FOI requests and responses via WhatDoTheyKnow's Atom feed. Supports structured expressions (`status:successful`, `body:"Liverpool City Council"`). |
+| `search_authorities` | Search UK public authorities by name. Returns slug for use with other tools. |
+| `get_request_feed_items` | Fetch the event timeline (sent, response, clarification) for a specific FOI request. |
+| `build_request_url` | Build a prefilled WhatDoTheyKnow request URL for a given authority and topic. |
+| `create_request_record` | Create a request via the write API (requires `WDTK_API_KEY`). |
+| `update_request_state` | Update user-assessed state of a request (requires `WDTK_API_KEY`). |
+
+## Resources
+
+| URI template | Returns |
+|---|---|
+| `wdtk://authorities/{authority_slug}` | Authority profile JSON |
+| `wdtk://requests/{request_slug}` | FOI request detail JSON |
+| `wdtk://users/{user_slug}` | User profile JSON |
+| `wdtk://requests/{request_slug}/feed` | Request event Atom feed |
+| `wdtk://users/{user_slug}/feed` | User activity Atom feed |
+| `wdtk://authorities/all.csv` | Full CSV of all UK public authorities |
+
+## Prompts
+
+| Prompt | Description |
+|--------|-------------|
+| `draft_foi_request` | Draft a narrow, specific FOI request for a given authority and topic. |
+
+## Connect
+
+### Hosted (no install)
+
+```json
+{
+  "mcpServers": {
+    "whatdotheyknow": {
+      "type": "http",
+      "url": "https://whatdotheyknow-mcp.fly.dev/mcp"
+    }
+  }
+}
+```
+
+### Local (uvx)
+
+```json
+{
+  "mcpServers": {
+    "whatdotheyknow": {
+      "type": "stdio",
+      "command": "uvx",
+      "args": ["whatdotheyknow-mcp"]
+    }
+  }
+}
+```
+
+## Environment variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `WDTK_API_KEY` | Optional | Enables `create_request_record` and `update_request_state` write tools |
+
+## Upstream API and Licence
+
+| Source | API | Licence | Auth |
+|--------|-----|---------|------|
+| WhatDoTheyKnow | `www.whatdotheyknow.com` | [OGL v3](https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/) | None (read) / API key (write) |
+
+Data is sourced directly from the WhatDoTheyKnow public API. The platform is operated by mySociety.

whatdotheyknow_mcp-0.1.2/README.md

@@ -0,0 +1,83 @@
+# whatdotheyknow-mcp
+
+<!-- mcp-name: io.github.paulieb89/whatdotheyknow-mcp -->
+
+[![Glama](https://img.shields.io/badge/Glama-listed-orange?style=flat-square)](https://glama.ai/mcp/servers/paulieb89/whatdotheyknow-mcp)
+[![smithery badge](https://smithery.ai/badge/bouch/whatdotheyknow)](https://smithery.ai/servers/bouch/whatdotheyknow)
+[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install_Server-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fwhatdotheyknow-mcp.fly.dev%2Fmcp%22%7D)
+[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install_Server-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://insiders.vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22type%22%3A%22http%22%2C%22url%22%3A%22https%3A%2F%2Fwhatdotheyknow-mcp.fly.dev%2Fmcp%22%7D&quality=insiders)
+[![Install in Cursor](https://img.shields.io/badge/Cursor-Install_Server-000000?style=flat-square&logoColor=white)](https://cursor.com/en/install-mcp?name=whatdotheyknow&config=eyJ0eXBlIjoiaHR0cCIsInVybCI6Imh0dHBzOi8vd2hhdGRvdGhleWtub3ctbWNwLmZseS5kZXYvbWNwIn0=)
+[![Install in VS Code (local)](https://img.shields.io/badge/VS_Code-Install_Local-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://vscode.dev/redirect/mcp/install?name=whatdotheyknow&config=%7B%22command%22%3A%22uvx%22%2C%22args%22%3A%5B%22whatdotheyknow-mcp%22%5D%7D)
+
+A Model Context Protocol server for UK Freedom of Information research. Connects AI assistants to [WhatDoTheyKnow](https://www.whatdotheyknow.com/) — the UK's largest FOI request platform — to search requests, read responses, look up public authorities, and draft new requests.
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `search_request_events` | Full-text search of FOI requests and responses via WhatDoTheyKnow's Atom feed. Supports structured expressions (`status:successful`, `body:"Liverpool City Council"`). |
+| `search_authorities` | Search UK public authorities by name. Returns slug for use with other tools. |
+| `get_request_feed_items` | Fetch the event timeline (sent, response, clarification) for a specific FOI request. |
+| `build_request_url` | Build a prefilled WhatDoTheyKnow request URL for a given authority and topic. |
+| `create_request_record` | Create a request via the write API (requires `WDTK_API_KEY`). |
+| `update_request_state` | Update user-assessed state of a request (requires `WDTK_API_KEY`). |
+
+## Resources
+
+| URI template | Returns |
+|---|---|
+| `wdtk://authorities/{authority_slug}` | Authority profile JSON |
+| `wdtk://requests/{request_slug}` | FOI request detail JSON |
+| `wdtk://users/{user_slug}` | User profile JSON |
+| `wdtk://requests/{request_slug}/feed` | Request event Atom feed |
+| `wdtk://users/{user_slug}/feed` | User activity Atom feed |
+| `wdtk://authorities/all.csv` | Full CSV of all UK public authorities |
+
+## Prompts
+
+| Prompt | Description |
+|--------|-------------|
+| `draft_foi_request` | Draft a narrow, specific FOI request for a given authority and topic. |
+
+## Connect
+
+### Hosted (no install)
+
+```json
+{
+  "mcpServers": {
+    "whatdotheyknow": {
+      "type": "http",
+      "url": "https://whatdotheyknow-mcp.fly.dev/mcp"
+    }
+  }
+}
+```
+
+### Local (uvx)
+
+```json
+{
+  "mcpServers": {
+    "whatdotheyknow": {
+      "type": "stdio",
+      "command": "uvx",
+      "args": ["whatdotheyknow-mcp"]
+    }
+  }
+}
+```
+
+## Environment variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `WDTK_API_KEY` | Optional | Enables `create_request_record` and `update_request_state` write tools |
+
+## Upstream API and Licence
+
+| Source | API | Licence | Auth |
+|--------|-----|---------|------|
+| WhatDoTheyKnow | `www.whatdotheyknow.com` | [OGL v3](https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/) | None (read) / API key (write) |
+
+Data is sourced directly from the WhatDoTheyKnow public API. The platform is operated by mySociety.

whatdotheyknow_mcp-0.1.2/TODO.md

@@ -0,0 +1,22 @@
+# WhatDoTheyKnow MCP — Audit TODO
+
+Tracked from canonical-fitness audit 2026-04-23.
+
+## Fixes
+
+- [x] Add `destructiveHint=True` to `create_request_record` and `update_request_state`
+- [x] Improve `all_authorities_csv` description (warn LLM of size, suggest alternatives)
+- [x] Improve `get_request_feed_items` docstring (explain why it exists alongside raw feed resource)
+- [x] Add next-step hint to `search_request_events` docstring
+- [x] Add `search_authorities(query, limit)` tool — bounded authority lookup
+
+## Deferred
+
+- [ ] Add `ResponseCachingMiddleware` for read-only tools and resources
+
+## Will Not Fix
+
+- `CurrentContext()` injection — docs confirm both `ctx: Context` and
+  `ctx: Context = CurrentContext()` are valid; explicit form is intentional here.
+- `-> str` + `json.dumps()` in resources — correct pattern per fastmcp docs;
+  anti-pattern only applies to tools (all tools already return Pydantic/dict).

whatdotheyknow_mcp-0.1.2/main.py

@@ -0,0 +1,6 @@
+def main():
+    print("Hello from whatdotheyknow-mcp!")
+
+
+if __name__ == "__main__":
+    main()

whatdotheyknow_mcp-0.1.2/pyproject.toml

@@ -0,0 +1,26 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "whatdotheyknow-mcp"
+version = "0.1.2"
+description = "WhatDoTheyKnow MCP server — search and read UK FOI requests, authorities, and responses"
+readme = "README.md"
+requires-python = ">=3.13"
+dependencies = [
+    "curl-cffi>=0.15.0",
+    "fastmcp>=3.2.4",
+    "httpx>=0.28.1",
+    "pydantic>=2.13.3",
+    "prometheus-client==0.24.1",
+]
+
+[project.scripts]
+whatdotheyknow-mcp = "server:main"
+
+[tool.hatch.build.targets.wheel]
+only-include = ["server.py", "main.py"]
+
+[tool.hatch.build.targets.sdist]
+exclude = ["fly.toml", "Dockerfile", "server.json", ".mcp.json", "dist/", "tests/", "uv.lock"]

whatdotheyknow_mcp-0.1.2/server.py

@@ -0,0 +1,506 @@
+from __future__ import annotations
+
+import functools
+import json
+import os
+import time
+from typing import Any
+from urllib.parse import quote, urlencode
+from xml.etree import ElementTree as ET
+
+import httpx
+from curl_cffi.requests import AsyncSession
+from prometheus_client import CONTENT_TYPE_LATEST, Counter as PromCounter, Histogram, generate_latest
+from pydantic import BaseModel, Field, HttpUrl
+from starlette.responses import JSONResponse, Response
+
+from fastmcp import FastMCP
+from fastmcp.dependencies import CurrentContext
+from fastmcp.server.context import Context
+from fastmcp.server.transforms import PromptsAsTools
+from mcp.types import ToolAnnotations
+
+
+BASE_URL = "https://www.whatdotheyknow.com"
+
+TRANSPORT = os.getenv("FASTMCP_TRANSPORT", "http")
+REGION = os.getenv("FLY_REGION", "local")
+
+tool_calls_total = PromCounter(
+    "whatdotheyknow_tool_calls_total",
+    "Count of MCP tool invocations.",
+    labelnames=["tool", "transport", "region", "status"],
+)
+tool_duration_seconds = Histogram(
+    "whatdotheyknow_tool_duration_seconds",
+    "Tool invocation latency in seconds.",
+    labelnames=["tool", "transport", "region"],
+    buckets=(0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0),
+)
+
+
+def _timed_tool(fn):
+    tool_name = fn.__name__
+
+    @functools.wraps(fn)
+    async def wrapped(*args, **kwargs):
+        t0 = time.perf_counter()
+        try:
+            result = await fn(*args, **kwargs)
+            tool_calls_total.labels(tool_name, TRANSPORT, REGION, "ok").inc()
+            return result
+        except BaseException:
+            tool_calls_total.labels(tool_name, TRANSPORT, REGION, "error").inc()
+            raise
+        finally:
+            tool_duration_seconds.labels(tool_name, TRANSPORT, REGION).observe(
+                time.perf_counter() - t0
+            )
+
+    return wrapped
+
+
+class NewRequestLink(BaseModel):
+    authority_slug: str
+    url: HttpUrl
+
+
+class AtomEntry(BaseModel):
+    id: str | None = None
+    title: str | None = None
+    link: str | None = None
+    updated: str | None = None
+    summary: str | None = None
+
+
+class CreateRequestPayload(BaseModel):
+    title: str
+    body: str
+    external_user_name: str
+    external_url: HttpUrl
+
+
+class AddCorrespondencePayload(BaseModel):
+    direction: str = Field(pattern="^(request|response)$")
+    body: str
+    sent_at: str
+    state: str | None = Field(
+        default=None,
+        pattern="^(waiting_response|rejected|successful|partially_successful)$",
+    )
+
+
+class UpdateRequestStatePayload(BaseModel):
+    state: str = Field(pattern="^(waiting_response|rejected|successful|partially_successful)$")
+
+
+class AuthorityResult(BaseModel):
+    name: str
+    short_name: str
+    slug: str
+    tags: str | None = None
+
+
+class WDTKClient:
+    def __init__(self, base_url: str = BASE_URL, timeout: float = 20.0) -> None:
+        self.base_url = base_url.rstrip("/")
+        self.timeout = timeout
+
+    async def get_json(self, path: str) -> dict[str, Any]:
+        async with AsyncSession(impersonate="safari17_0") as client:
+            response = await client.get(
+                f"{self.base_url}{path}",
+                headers={"Accept": "application/json"},
+                timeout=self.timeout,
+            )
+            response.raise_for_status()
+            return response.json()
+
+    async def get_text(self, path: str, accept: str | None = None) -> str:
+        async with AsyncSession(impersonate="safari17_0") as client:
+            headers = {"Accept": accept} if accept else {}
+            response = await client.get(
+                f"{self.base_url}{path}",
+                headers=headers,
+                timeout=self.timeout,
+            )
+            response.raise_for_status()
+            return response.text
+
+    async def post_form_json(
+        self,
+        path: str,
+        *,
+        api_key: str,
+        json_payload: dict[str, Any],
+        files: list[tuple[str, tuple[str, bytes, str]]] | None = None,
+    ) -> dict[str, Any]:
+        data = {"json": json.dumps(json_payload)}
+        params = {"k": api_key}
+
+        async with httpx.AsyncClient(base_url=self.base_url, timeout=self.timeout) as client:
+            response = await client.post(path, params=params, data=data, files=files)
+            response.raise_for_status()
+            return response.json()
+
+
+def parse_atom(xml_text: str) -> list[AtomEntry]:
+    ns = {"atom": "http://www.w3.org/2005/Atom"}
+    root = ET.fromstring(xml_text)
+    entries: list[AtomEntry] = []
+
+    for entry in root.findall("atom:entry", ns):
+        link_el = entry.find("atom:link", ns)
+        summary_el = entry.find("atom:summary", ns)
+        entries.append(
+            AtomEntry(
+                id=(entry.findtext("atom:id", default=None, namespaces=ns)),
+                title=(entry.findtext("atom:title", default=None, namespaces=ns)),
+                link=(link_el.get("href") if link_el is not None else None),
+                updated=(entry.findtext("atom:updated", default=None, namespaces=ns)),
+                summary=("".join(summary_el.itertext()).strip() if summary_el is not None else None),
+            )
+        )
+
+    return entries
+
+
+wdtk = WDTKClient()
+
+mcp = FastMCP(
+    name="WhatDoTheyKnow MCP",
+    instructions=(
+        "Read WhatDoTheyKnow public JSON, Atom feeds, and CSV exports. "
+        "Optionally call the experimental write API if configured."
+    ),
+    mask_error_details=True,
+)
+
+
+# -------------------------
+# Resources: read-only data
+# -------------------------
+
+@mcp.resource("wdtk://authorities/{authority_slug}", mime_type="application/json")
+async def authority_json(authority_slug: str, ctx: Context = CurrentContext()) -> str:
+    """Read a public authority as JSON."""
+    await ctx.info(f"Fetching authority JSON: {authority_slug}")
+    payload = await wdtk.get_json(f"/body/{authority_slug}.json")
+    return json.dumps(payload, ensure_ascii=False, indent=2)
+
+
+@mcp.resource("wdtk://requests/{request_slug}", mime_type="application/json")
+async def request_json(request_slug: str, ctx: Context = CurrentContext()) -> str:
+    """Read a request as JSON."""
+    await ctx.info(f"Fetching request JSON: {request_slug}")
+    payload = await wdtk.get_json(f"/request/{request_slug}.json")
+    return json.dumps(payload, ensure_ascii=False, indent=2)
+
+
+@mcp.resource("wdtk://users/{user_slug}", mime_type="application/json")
+async def user_json(user_slug: str, ctx: Context = CurrentContext()) -> str:
+    """Read a user as JSON."""
+    await ctx.info(f"Fetching user JSON: {user_slug}")
+    payload = await wdtk.get_json(f"/user/{user_slug}.json")
+    return json.dumps(payload, ensure_ascii=False, indent=2)
+
+
+@mcp.resource("wdtk://requests/{request_slug}/feed", mime_type="application/atom+xml")
+async def request_feed_xml(request_slug: str, ctx: Context = CurrentContext()) -> str:
+    """Read a request Atom feed as raw XML."""
+    await ctx.info(f"Fetching request feed: {request_slug}")
+    return await wdtk.get_text(
+        f"/request/{request_slug}/feed",
+        accept="application/atom+xml, application/xml;q=0.9, */*;q=0.1",
+    )
+
+
+@mcp.resource("wdtk://users/{user_slug}/feed", mime_type="application/atom+xml")
+async def user_feed_xml(user_slug: str, ctx: Context = CurrentContext()) -> str:
+    """Read a user Atom feed as raw XML."""
+    await ctx.info(f"Fetching user feed: {user_slug}")
+    return await wdtk.get_text(
+        f"/feed/user/{user_slug}",
+        accept="application/atom+xml, application/xml;q=0.9, */*;q=0.1",
+    )
+
+
+@mcp.resource("wdtk://authorities/all.csv", mime_type="text/csv")
+async def all_authorities_csv(ctx: Context = CurrentContext()) -> str:
+    """Download the complete CSV of every WhatDoTheyKnow public authority.
+    WARNING: this is a large payload — use search_authorities(query) for targeted
+    lookups, or authority_json for a specific body. Only call this when you need
+    the full dataset (e.g. bulk analysis or seeding a list)."""
+    await ctx.info("Fetching all-authorities CSV")
+    return await wdtk.get_text("/body/all-authorities.csv", accept="text/csv, */*;q=0.1")
+
+
+# -------------------------
+# Tools: operations/helpers
+# -------------------------
+
+@mcp.tool(
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        idempotentHint=True,
+        openWorldHint=True,
+    ),
+    tags={"public", "compose"},
+)
+def build_request_url(
+    authority_slug: str,
+    title: str | None = None,
+    default_letter: str | None = None,
+    body: str | None = None,
+    tags: list[str] | None = None,
+) -> NewRequestLink:
+    """Build a prefilled WhatDoTheyKnow request URL."""
+    params: dict[str, str] = {}
+    if title:
+        params["title"] = title
+    if default_letter:
+        params["default_letter"] = default_letter
+    if body:
+        params["body"] = body
+    if tags:
+        params["tags"] = " ".join(tags)
+
+    query = urlencode(params, doseq=False)
+    url = f"{BASE_URL}/new/{authority_slug}"
+    if query:
+        url = f"{url}?{query}"
+
+    return NewRequestLink(authority_slug=authority_slug, url=url)
+
+
+@mcp.tool(
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        idempotentHint=True,
+        openWorldHint=True,
+    ),
+    tags={"public", "feed"},
+)
+@_timed_tool
+async def get_request_feed_items(
+    request_slug: str,
+    limit: int = 20,
+    ctx: Context = CurrentContext(),
+) -> list[AtomEntry]:
+    """Return parsed Atom feed entries for a specific FOI request as structured objects.
+
+    Use this instead of reading the raw wdtk://requests/{slug}/feed resource when you
+    want structured AtomEntry objects rather than raw XML. Each entry's `link` field
+    contains the request URL; use the slug from that URL with request_json or
+    authority_json for full detail."""
+    await ctx.info(f"Parsing request feed for: {request_slug}")
+    xml_text = await wdtk.get_text(
+        f"/request/{request_slug}/feed",
+        accept="application/atom+xml, application/xml;q=0.9, */*;q=0.1",
+    )
+    items = parse_atom(xml_text)
+    return items[:limit]
+
+
+@mcp.tool(
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        idempotentHint=True,
+        openWorldHint=True,
+    ),
+    tags={"public", "search"},
+)
+@_timed_tool
+async def search_request_events(
+    search_expression: str,
+    limit: int = 20,
+    ctx: Context = CurrentContext(),
+) -> list[AtomEntry]:
+    """Search WhatDoTheyKnow's feed-based event index and return structured results.
+
+    Call this to find FOI requests matching a query expression. Returns up to `limit`
+    AtomEntry objects. Use the `link` field of each result as the next navigation
+    step — extract the request slug and call the wdtk://requests/{slug} resource or
+    get_request_feed_items for full detail.
+
+    Example expressions:
+      status:successful
+      body:"Liverpool City Council"
+      (variety:sent OR variety:response) status:successful
+    """
+    await ctx.info(f"Searching WDTK feed with expression: {search_expression}")
+    encoded = quote(search_expression, safe="")
+    xml_text = await wdtk.get_text(
+        f"/feed/search/{encoded}",
+        accept="application/atom+xml, application/xml;q=0.9, */*;q=0.1",
+    )
+    items = parse_atom(xml_text)
+    return items[:limit]
+
+
+@mcp.tool(
+    annotations=ToolAnnotations(
+        readOnlyHint=True,
+        idempotentHint=True,
+        openWorldHint=True,
+    ),
+    tags={"public", "search"},
+)
+@_timed_tool
+async def search_authorities(
+    query: str,
+    limit: int = 20,
+    ctx: Context = CurrentContext(),
+) -> list[AuthorityResult]:
+    """Search WhatDoTheyKnow public authorities by name.
+
+    Returns up to `limit` authorities whose name or short_name contains `query`
+    (case-insensitive). Use the `slug` field with authority_json or
+    build_request_url as the next step.
+
+    Example: search_authorities("Liverpool") → slug "liverpool_city_council"
+    Then: authority_json with that slug, or build_request_url with it."""
+    import csv
+    import io
+
+    await ctx.info(f"Searching authorities for: {query}")
+    csv_text = await wdtk.get_text("/body/all-authorities.csv", accept="text/csv, */*;q=0.1")
+    reader = csv.DictReader(io.StringIO(csv_text))
+    q = query.lower()
+    results: list[AuthorityResult] = []
+    for row in reader:
+        if q in row.get("Name", "").lower() or q in row.get("Short name", "").lower():
+            results.append(
+                AuthorityResult(
+                    name=row.get("Name", ""),
+                    short_name=row.get("Short name", ""),
+                    slug=row.get("URL name", ""),
+                    tags=row.get("Tags") or None,
+                )
+            )
+            if len(results) >= limit:
+                break
+    return results
+
+
+@mcp.tool(
+    annotations=ToolAnnotations(destructiveHint=True, openWorldHint=True),
+    tags={"write", "admin"},
+)
+@_timed_tool
+async def create_request_record(
+    title: str,
+    body: str,
+    external_user_name: str,
+    external_url: str,
+    ctx: Context = CurrentContext(),
+) -> dict[str, Any]:
+    """
+    Create a request through the experimental write API.
+
+    Requires WDTK_API_KEY in the server environment.
+    """
+    api_key = os.getenv("WDTK_API_KEY")
+    if not api_key:
+        return {"error": "Write API unavailable: WDTK_API_KEY not configured. Requires an authority-level key from the WhatDoTheyKnow admin interface."}
+    payload = CreateRequestPayload(
+        title=title,
+        body=body,
+        external_user_name=external_user_name,
+        external_url=external_url,
+    )
+    await ctx.info(f"Creating request record for {external_user_name}")
+    return await wdtk.post_form_json(
+        "/api/v2/request",
+        api_key=api_key,
+        json_payload=payload.model_dump(mode="json"),
+    )
+
+
+@mcp.tool(
+    annotations=ToolAnnotations(destructiveHint=True, openWorldHint=True),
+    tags={"write", "admin"},
+)
+@_timed_tool
+async def update_request_state(
+    request_id: int,
+    state: str,
+    ctx: Context = CurrentContext(),
+) -> dict[str, Any]:
+    """
+    Update the user-assessed state of a request through the experimental write API.
+
+    Requires WDTK_API_KEY in the server environment.
+    """
+    api_key = os.getenv("WDTK_API_KEY")
+    if not api_key:
+        return {"error": "Write API unavailable: WDTK_API_KEY not configured. Requires an authority-level key from the WhatDoTheyKnow admin interface."}
+    payload = UpdateRequestStatePayload(state=state)
+    await ctx.info(f"Updating request {request_id} to state={state}")
+    return await wdtk.post_form_json(
+        f"/api/v2/request/{request_id}/update.json",
+        api_key=api_key,
+        json_payload=payload.model_dump(mode="json"),
+    )
+
+
+# -------------------------
+# Prompt: optional workflow
+# -------------------------
+
+@mcp.prompt
+def draft_foi_request(
+    authority_slug: str,
+    topic: str,
+    facts: str | None = None,
+) -> str:
+    """Draft a narrow, specific FOI request suitable for WhatDoTheyKnow."""
+    extra = f"\nRelevant facts:\n{facts}\n" if facts else ""
+    return (
+        f"Draft a concise UK FOI request for authority '{authority_slug}' about '{topic}'.\n"
+        "Requirements:\n"
+        "- narrow scope\n"
+        "- precise date range if useful\n"
+        "- request existing recorded information only\n"
+        "- avoid arguments/opinions\n"
+        "- suitable for publication on WhatDoTheyKnow\n"
+        f"{extra}"
+    )
+
+
+mcp.add_transform(PromptsAsTools(mcp))
+
+# Optional: keep admin/write tools hidden on the public server.
+# mcp.disable(tags={"write"})
+
+
+@mcp.custom_route("/.well-known/mcp/server-card.json", methods=["GET"])
+async def smithery_server_card(request):
+    return JSONResponse({"serverInfo": {"name": "whatdotheyknow-mcp", "version": "0.1.1"}})
+
+
+@mcp.custom_route("/.well-known/glama.json", methods=["GET"])
+async def glama_claim(request):
+    return JSONResponse({
+        "$schema": "https://glama.ai/mcp/schemas/connector.json",
+        "maintainers": [{"email": "paul@bouch.dev"}],
+    })
+
+
+@mcp.custom_route("/health", methods=["GET"])
+async def health_check(request):
+    return JSONResponse({"status": "healthy"})
+
+
+@mcp.custom_route("/metrics", methods=["GET"])
+async def metrics_endpoint(request):
+    return Response(generate_latest(), media_type=CONTENT_TYPE_LATEST)
+
+
+def main() -> None:
+    port = int(os.environ.get("PORT", "9000"))
+    mcp.run(transport="streamable-http", host="0.0.0.0", port=port, stateless_http=True)
+
+
+if __name__ == "__main__":
+    main()