Farther ShoreDocs
Go to Farther Shore
What is FartherShore
Install the CLI
Quickstart
Core concepts
The @Product class
Meters & resources
Features & routes
Capabilities & entitlements
Plans & pricing
The Manifest IR
Bring your own backend
Transport modes
Metering & verification
Runtime tokens
Frontend SDK
Root & data components
Auth & sessions
Entitlement gates
Connect Stripe
Subscriptions & usage
Plan changes & grandfathering
Billing strategies
Apply & deploy
Environments
Migrations
Docs versions & archive
Operate with an agent
Operation classes
MCP server
Projected from one registryThe toolsWhat is CLI-only on purposeCalling a toolReach for the CLI when you can
End-to-end via CLI/MCP
CLI reference
@farthershore/product
@farthershore/backend
@farthershore/farthershore-js
Environment variables
Response & deny codes
Add a metered capability
Gate a feature
Change a price
Prepaid credits
Meter AI tokens
Operate via an agent
Prepare for launch
Status
Docs/Automate with agents/MCP server

MCP server

The farthershore-mcp tools, how they project from the same operation registry as the CLI, and the CLI ⊇ MCP parity guarantee.

PreviousOperation classesNextEnd-to-end via CLI/MCP

farthershore-mcp is an MCP stdio server that exposes the agent-writable slice of the platform as fs_* tools. It ships inside @farthershore/cli, so no separate install is needed:

FARTHERSHORE_TOKEN=mk_xxx npx -p @farthershore/cli farthershore-mcp

Point your agent's MCP client at that command. Auth is the same maker token the CLI uses, passed via FARTHERSHORE_TOKEN. Every tool returns the same AgentEnvelope the CLI emits, so an agent parses one shape across both surfaces.

{ "schema_version": 1, "ok": true, "op": "product.publish", "data": { … } }

Projected from one registry

The CLI and MCP are not two codebases. Both project from a single list of OperationDefs (apps/cli/src/operations/registry.ts). Each operation carries a shared core (opKey, operationClass, scope, sideEffect) plus a per-surface projection — a cli block and an optional mcp block:

export interface OperationDef {
  opKey: string;
  operationClass: OperationClass;
  scope: string[];
  sideEffect: ToolSideEffect;          // "read" | "write"
  cli: CliProjection;                  // every op has one — the CLI is the superset
  mcp: McpProjection | null;           // null = CLI-only (e.g. contract-class writes)
}

ALL_TOOLS is derived (OPERATIONS.filter(o => o.mcp).map(toMcpTool)), and the parity map MCP_TOOL_TO_CLI_COMMAND is derived too. An "MCP tool with no CLI command" is therefore unrepresentable, and the parity is enforced by apps/cli/src/operations/mcp-cli-parity.test.ts.

The surfaces diverge by design: the CLI is the rich human/agent tool (env-name resolution, more flags, friendly errors); the MCP is the lean machine surface (raw ids, fewer fields). Same capability, different ergonomics.

The tools

These are the fs_* tools the registry projects today. Every one is a read or an operate/dual write — never a contract write, per the operation-class invariant.

ToolClassSibling CLI command
fs_product_listoperateproduct list
fs_product_statusoperateproduct status
fs_product_publishdualproduct publish
fs_brand_updateoperateproduct update
fs_env_listdualenv list
fs_env_createdualenv create
fs_plan_listcontract*plan list
fs_plan_migrateoperateplan migrate
fs_frontend_statusoperatefrontend status
fs_frontend_deployoperatefrontend deploy
fs_frontend_rollbackoperatefrontend rollback
fs_backend_listoperatebackend list
fs_backend_createoperatebackend create
fs_backend_deleteoperatebackend delete
fs_runtime_token_listoperatebackend tokens list
fs_runtime_token_mintoperatebackend tokens create
fs_runtime_token_rotateoperatebackend tokens rotate
fs_runtime_token_revokeoperatebackend tokens revoke
fs_persona_bootstrapoperatepersona bootstrap
fs_persona_listoperatepersona list
fs_persona_revokeoperatepersona revoke
fs_usage_readoperateusage summary
fs_maker_token_listoperatetoken list

*fs_plan_list is a contract read — reads are always allowed. There is no fs_plan_create/update/delete tool because those are contract writes, managed as code. The CLI keeps plan create (CLI-only) for the DRAFT seed-window; on a published product it returns MANAGED_BY_CODE.

What is CLI-only on purpose

CLI ⊇ MCP means some operations have mcp: null. They fall into three buckets:

  • contract-class writes — plan create/update/delete, and every other manifest-owned change. The correct path is to edit product/product.config.ts and push.
  • Richer reads with no projected tool — product show (the full product read, including repo-linked fields) has no fs_product_show; over MCP an agent uses fs_product_list and fs_product_status instead.
  • Operations that need a workstation — product create (it provisions a GitHub repo and the frontend/ starter), init, and build (which executes the decorated @Product class locally). These run in the agent's shell, not over a remote tool call.

If your agent only has MCP, route those through the CLI sibling listed above — that is exactly what the parity map guarantees exists.

Calling a tool

fs_product_publish (a dual write — an agent may publish its own product):

{
  "name": "fs_product_publish",
  "arguments": { "productId": "prod_abc123" }
}

fs_runtime_token_mint is flagged returnsOneTimeSecret — the server skips its usual redaction so the agent receives the plaintext fsrt_ token once (deploy it as FS_RUNTIME_TOKEN):

{ "name": "fs_runtime_token_mint", "arguments": { "productId": "prod_abc123", "backendId": "be_…" } }

Reach for the CLI when you can

The MCP surface is the right fit for a hosted agent with no shell. But the design intent is that agents primarily drive the CLI plus skills — it is the superset, it has friendlier errors and env-name resolution, and it is the only way to run the local build that turns your decorated @Product class into a manifest. Use MCP for the operate/dual calls; use the CLI for the whole lifecycle, including the contract edits MCP intentionally withholds. The end-to-end walkthrough shows the full run.