MCP tools

Cartwright exposes 36 tools across 12 domains. Every tool can be called by an external AI agent (MCP at /api/mcp), a REST client (/api/v1/tools), the storefront chat assistant, or the admin AI — all funneled through the same lib/tools/registry.ts.

This page is a reference catalogue. For the validation pipeline and audit-log behaviour see Architecture: tool registry.

Authentication

All MCP and REST calls require a bearer token from an API key created in /admin/api-keys. Each key carries an explicit list of scopes; tools verify scope before executing.

curl https://my-shop.com/api/mcp \
  -H "Authorization: Bearer sb_live_..." \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/list"}'

For the strict input/output JSON Schema for each tool, hit GET /api/v1/tools (it serializes Zod schemas via zodToJsonSchema).

Scopes catalogue

Scopes are defined in lib/scopes.ts. 19 scopes total across the read/write split:

products:read, products:write
categories:read, categories:write
pages:read, pages:write
discounts:read, discounts:write
orders:read, orders:write
settings:read, settings:write
audit:read, audit:revert
analytics:read
marketing:write
catalog:read   ← read-only catalog access for storefront chat
cart:write     ← cart mutations for storefront chat
customer:read  ← customer lookup for cart/account context

* exists as a wildcard for admin UI keys. Never grant it to a storefront chat session.

Tool catalogue

Example: invoke from an external agent

curl https://my-shop.com/api/mcp \
  -H "Authorization: Bearer sb_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "method": "tools/call",
    "params": {
      "name": "products.search",
      "arguments": { "q": "aviator", "limit": 5 }
    }
  }'

For the exact response envelope and JSON Schema of each tool's inputSchema, query GET /api/v1/tools against your shop.