MCP as a Control Surface

Operating Squilla from Claude Code via MCP.

If you've connected Squilla to Claude Code via MCP, here's what an actual session looks like — not a marketing demo, but the kind of thing you do on a Tuesday afternoon when content needs to ship.

The starting move: core.guide

Always start with core.guide. One call returns the goal→tool decision tree (“I want to publish a page with an image → here are the four tool calls”) plus a live snapshot of the CMS — the active theme, the registered node types, the recent nodes, the convention list. It replaces what would otherwise be ten discovery calls and primes the agent with what already exists before it mutates anything.

Adding a node type

The agent calls core.nodetype.create with a slug, label, and field schema. The CMS doesn't create a new SQL table — fields live in JSONB with a GIN index. Adding a node type is a metadata-only operation and is reversible via core.nodetype.delete.

Seeding content

The agent calls core.node.create for each entry. It passes blocks_data as an array of {type, fields} objects, typed against the available block schemas. Field shapes are predictable: image is {url, alt, width, height}, never a bare string. link is {label, url, target}. The agent doesn't have to guess.

Verifying before declaring done

This is where most agent workflows fall down. Squilla ships core.render.node_preview(id) which renders the node exactly as the public site would — layout, blocks, theme CSS — with no events fired and no view counts incremented. Side-effect-free verification. Always end a content session with this call before telling the user the work is shipped.

What the agent doesn't have

  • No filesystem access. It can't write a file outside what the CoreAPI allows.
  • No shell. There's no core.exec.
  • No raw network egress. core.http.fetch exists, but it is gated behind the http:fetch capability and is SSRF-conscious.
  • No user-write surface via MCP. core.user.query and core.user.get are read-only; password resets and account creation go through dedicated admin flows.

That set of constraints is what makes the agent safe to run unattended. The capability scopes you grant are the entire trust budget.
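
One way to check a finished session against the rules above, as an added example that is not Squilla's own code: it audits a recorded list of tool calls for the core.guide opening move, for created nodes that were never previewed, and for tools outside the granted scope. The record shape ({"tool", "args", "result"}), the "id" result field and the sample session are assumptions constructed for illustration, and checking every created node for a preview goes slightly beyond the "end with node_preview" rule in the text.

```python
# Added example: audit a recorded MCP session against the workflow rules above.
# The record shape ({"tool", "args", "result"}) and the "id" result field are
# assumptions for illustration, not Squilla's actual wire format.

READ_ONLY = {"core.guide", "core.user.query", "core.user.get",
             "core.render.node_preview"}
MUTATING = {"core.nodetype.create", "core.nodetype.delete", "core.node.create"}
GATED = {"core.http.fetch": "http:fetch"}  # tool -> capability it requires


def audit_session(calls, granted_caps):
    """Return a list of findings; an empty list means the session is clean."""
    findings = []
    if not calls or calls[0]["tool"] != "core.guide":
        findings.append("session did not start with core.guide")
    unverified = set()  # node ids created but not yet previewed
    for i, call in enumerate(calls):
        tool = call["tool"]
        if tool in GATED:
            if GATED[tool] not in granted_caps:
                findings.append(f"call {i}: {tool} used without {GATED[tool]}")
        elif tool not in READ_ONLY | MUTATING:
            findings.append(f"call {i}: {tool} is outside the expected tool set")
        if tool == "core.node.create":
            unverified.add(call["result"]["id"])
        elif tool == "core.render.node_preview":
            unverified.discard(call["args"]["id"])
    for node_id in sorted(unverified):
        findings.append(f"node {node_id} was never previewed")
    return findings


# Constructed sample session: node 42 is verified, node 43 is not, and the
# log contains a tool the page says does not exist (core.exec).
SAMPLE = [
    {"tool": "core.guide", "args": {}, "result": {}},
    {"tool": "core.node.create", "args": {"blocks_data": []}, "result": {"id": 42}},
    {"tool": "core.node.create", "args": {"blocks_data": []}, "result": {"id": 43}},
    {"tool": "core.http.fetch", "args": {"url": "https://example.com/"}, "result": {}},
    {"tool": "core.exec", "args": {}, "result": {}},
    {"tool": "core.render.node_preview", "args": {"id": 42}, "result": {}},
]

if __name__ == "__main__":
    for finding in audit_session(SAMPLE, granted_caps=set()):
        print(finding)
```

Run it over whatever call log your MCP client keeps; any finding is a reason to review the session before treating the work as shipped.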
