@01.software/cli 0.7.1 → 0.8.0

package/dist/mcp/{chunk-3ZSKJM43.js → chunk-45ZCPS57.js}

@@ -7,40 +7,207 @@ import { z } from "zod";
 // src/lib/request-context.ts
 import { AsyncLocalStorage } from "async_hooks";
 var requestContext = new AsyncLocalStorage();
-function headers() {
-  const ctx = requestContext.getStore();
-  if (!ctx) return null;
-  return Object.fromEntries(ctx.headers.entries());
+function tenantAuthContext() {
+  return requestContext.getStore()?.auth ?? null;
+}
+function hasRequestContext() {
+  return requestContext.getStore() !== void 0;
 }
 
 // src/lib/client.ts
-import { createServerClient } from "@01.software/sdk";
-function getClient() {
-  let secretKey;
-  let publishableKey;
-  try {
-    const h = headers();
-    secretKey = h?.["x-api-key"];
-    publishableKey = h?.["x-publishable-key"] ?? h?.["x-client-key"];
-  } catch {
+import {
+  CollectionClient,
+  CommunityClient,
+  ModerationApi,
+  ServerCommerceClient,
+  createServerClient
+} from "@01.software/sdk";
+
+// src/service-auth.ts
+import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
+import {
+  MCP_CONSOLE_SERVICE_AUDIENCE,
+  MCP_CONSOLE_SERVICE_SCOPE,
+  MCP_OAUTH_ISSUER,
+  MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
+  MCP_TENANT_CLAIM,
+  MCP_TENANT_ROLE_CLAIM
+} from "@01.software/auth-contracts";
+var KEYSET_ENV = "MCP_SERVICE_KEYSET";
+function assertProductionKeysetUse(source) {
+  const vercelEnv = process.env.VERCEL_ENV;
+  if (vercelEnv && vercelEnv !== "production") {
+    throw new Error(
+      `${source} is only allowed in production Vercel deployments; non-production MCP service auth needs environment-specific issuer, audience, JWKS URI, and key material`
+    );
   }
-  if (!secretKey) {
-    secretKey = process.env.SOFTWARE_SECRET_KEY;
+}
+function parsePrivateJwk() {
+  const keyset = signingKeyset();
+  const jwk = keyset.current;
+  const source = keyset.source;
+  if (typeof jwk.d !== "string" || jwk.d.length === 0) {
+    throw new Error(`${source} current key must be a private JWK`);
   }
-  if (!publishableKey) {
-    publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
+  if (typeof jwk.kid !== "string" || jwk.kid.length === 0) {
+    throw new Error(`${source} must include kid`);
+  }
+  return jwk;
+}
+function signingKeyset() {
+  const raw = process.env[KEYSET_ENV];
+  const source = KEYSET_ENV;
+  if (raw) assertProductionKeysetUse(source);
+  const parsed = (() => {
+    if (!raw) return null;
+    try {
+      return JSON.parse(raw);
+    } catch {
+      throw new Error(`${KEYSET_ENV} is invalid JSON`);
+    }
+  })();
+  if (!parsed) throw new Error("MCP service JWT signing key is not configured");
+  const keys = Array.isArray(parsed.keys) ? parsed.keys : [parsed];
+  if (keys.length === 0 || keys.length > 2) {
+    throw new Error(
+      `${source} must contain one current key and at most one previous key`
+    );
+  }
+  const currentKid = parsed.current_kid;
+  if (typeof currentKid !== "string" && keys.length > 1) {
+    throw new Error(
+      `${source} must include current_kid when multiple keys are present`
+    );
+  }
+  const current = typeof currentKid === "string" ? keys.find((key) => key.kid === currentKid) : keys[0];
+  if (!current) throw new Error(`${source} current_kid is not in keys`);
+  return { current, keys, source };
+}
+function algForJwk(jwk) {
+  if (jwk.kty === "RSA") return "RS256";
+  if (jwk.kty === "EC" && jwk.crv === "P-256") return "ES256";
+  throw new Error("MCP service JWT signing key must be RSA or P-256 EC");
+}
+function toPublicJwk(jwk) {
+  const {
+    d: _d,
+    p: _p,
+    q: _q,
+    dp: _dp,
+    dq: _dq,
+    qi: _qi,
+    oth: _oth,
+    ...publicJwk
+  } = jwk;
+  return {
+    ...publicJwk,
+    alg: typeof publicJwk.alg === "string" ? publicJwk.alg : algForJwk(jwk),
+    use: "sig"
+  };
+}
+function base64urlJson(value) {
+  return Buffer.from(JSON.stringify(value)).toString("base64url");
+}
+function apiScopesFor(context) {
+  return context.scopes.includes("mcp:write") ? ["read", "write"] : ["read"];
+}
+function mcpServicePublicJwks() {
+  const keyset = signingKeyset();
+  const keys = /* @__PURE__ */ new Map();
+  for (const jwk of keyset.keys.map(toPublicJwk)) {
+    if (typeof jwk.kid === "string" && jwk.kid.length > 0) {
+      keys.set(jwk.kid, jwk);
+    }
+  }
+  return { keys: [...keys.values()] };
+}
+function signMcpServiceToken(context) {
+  if (!context.principalId) {
+    throw new Error("MCP OAuth principal is required for Console service auth");
+  }
+  const jwk = parsePrivateJwk();
+  const alg = algForJwk(jwk);
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: MCP_OAUTH_ISSUER,
+    aud: MCP_CONSOLE_SERVICE_AUDIENCE,
+    iat: now,
+    nbf: now,
+    exp: now + MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
+    jti: randomUUID(),
+    sub: context.principalId,
+    act: {
+      sub: context.principalId,
+      tenant_id: context.tenantId
+    },
+    [MCP_TENANT_CLAIM]: context.tenantId,
+    [MCP_TENANT_ROLE_CLAIM]: context.tenantRole,
+    scope: MCP_CONSOLE_SERVICE_SCOPE,
+    api_scopes: apiScopesFor(context),
+    mcp_scopes: context.scopes
+  };
+  const header = { alg, kid: jwk.kid, typ: "JWT" };
+  const encodedHeader = base64urlJson(header);
+  const encodedPayload = base64urlJson(payload);
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const key = createPrivateKey({ key: jwk, format: "jwk" });
+  const signature = alg === "RS256" ? signBytes("RSA-SHA256", Buffer.from(signingInput), key) : signBytes("SHA256", Buffer.from(signingInput), {
+    key,
+    dsaEncoding: "ieee-p1363"
+  });
+  return `${signingInput}.${signature.toString("base64url")}`;
+}
+
+// src/lib/client.ts
+var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    const serviceToken = signMcpServiceToken(oauthContext);
+    const client = {
+      lastRequestId: null,
+      commerce: void 0,
+      collections: void 0,
+      community: void 0
+    };
+    const onRequestId = (id) => {
+      client.lastRequestId = id;
+    };
+    client.commerce = new ServerCommerceClient({
+      secretKey: serviceToken,
+      onRequestId
+    });
+    client.collections = new CollectionClient(
+      "",
+      serviceToken,
+      void 0,
+      void 0,
+      onRequestId
+    );
+    const community = new CommunityClient({ secretKey: serviceToken });
+    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
+    client.community = Object.assign(community, {
+      moderation: {
+        banCustomer: moderation.banCustomer.bind(moderation),
+        unbanCustomer: moderation.unbanCustomer.bind(moderation)
+      }
+    });
+    return client;
   }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+  const secretKey = process.env.SOFTWARE_SECRET_KEY;
+  const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
   if (!secretKey) {
     throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
   if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
-    throw new Error("Invalid API key format. Expected sk01_ or pat01_ token.");
+    throw new Error("Invalid SOFTWARE_SECRET_KEY format. Expected sk01_ or pat01_ token.");
   }
   if (!publishableKey) {
     throw new Error(
-      "publishableKey is required. Provide X-Publishable-Key header (HTTP) or SOFTWARE_PUBLISHABLE_KEY env var (stdio). It is used for rate limiting and monthly quota enforcement via the edge proxy."
+      "publishableKey is required. Set SOFTWARE_PUBLISHABLE_KEY for stdio transport. It is used for rate limiting and monthly quota enforcement via the edge proxy."
     );
   }
   return createServerClient({
@@ -1084,49 +1251,40 @@ import { COLLECTIONS as COLLECTIONS8 } from "@01.software/sdk";
 import { createHash } from "crypto";
 var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
 var TIMEOUT_MS = 5e3;
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
 function resolveAuthHeaderContext() {
-  let context = {};
-  try {
-    const h = headers();
-    context = {
-      apiKey: h?.["x-api-key"],
-      publishableKey: h?.["x-publishable-key"] ?? h?.["x-client-key"]
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-  } catch {
   }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
   return {
-    apiKey: context.apiKey ?? process.env.SOFTWARE_SECRET_KEY,
-    publishableKey: context.publishableKey ?? process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
   };
 }
 function resolveApiKey() {
   const { apiKey } = resolveAuthHeaderContext();
   if (!apiKey || typeof apiKey !== "string") {
     throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
   return apiKey;
 }
-function hashKey(apiKey) {
-  return createHash("sha256").update(apiKey).digest("hex");
-}
-function resolveAuthCacheKey(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  return hashKey(
-    JSON.stringify({
-      apiKey,
-      publishableKey: publishableKey ?? ""
-    })
-  );
-}
 function buildAuthHeaders(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  const headers2 = {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
     Authorization: `Bearer ${apiKey}`
   };
-  if (publishableKey) headers2["X-Publishable-Key"] = publishableKey;
-  return headers2;
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
+  }
+  return headers;
 }
 function extractErrorMessage(body) {
   if (!body || typeof body !== "object") return void 0;
@@ -1220,37 +1378,18 @@ async function getCollectionSchemaTool({
 import { z as z28 } from "zod";
 
 // src/lib/tenant-context.ts
-var TENANT_CONTEXT_CACHE_TTL_MS = 6e4;
-var cache = /* @__PURE__ */ new Map();
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
 }
-function getCachedTenantContext(cacheKey) {
-  const cached = cache.get(cacheKey);
-  if (!cached || cached.expiry <= Date.now()) return void 0;
-  return cached.data;
-}
 async function getTenantContext(includeCounts = false) {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  if (!includeCounts) {
-    const cached = getCachedTenantContext(cacheKey);
-    if (cached) return cached;
-  }
   const data = await consoleGet(
     getTenantContextPath(includeCounts),
     apiKey
   );
-  if (!includeCounts) {
-    cache.set(cacheKey, {
-      data,
-      expiry: Date.now() + TENANT_CONTEXT_CACHE_TTL_MS
-    });
-  }
   return data;
 }
 function invalidateTenantContextCache() {
-  cache.clear();
 }
 
 // src/tools/get-tenant-context.ts
@@ -1336,18 +1475,12 @@ async function handler({ includeCounts }) {
 import { z as z29 } from "zod";
 
 // src/lib/field-config.ts
-var cache2 = /* @__PURE__ */ new Map();
-var CACHE_TTL = 6e4;
 async function fetchFieldConfigs() {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  const cached = cache2.get(cacheKey);
-  if (cached && cached.expiry > Date.now()) return cached.data;
   const data = await consoleGet(
     "/api/field-configs/list",
     apiKey
   );
-  cache2.set(cacheKey, { data, expiry: Date.now() + CACHE_TTL });
   return data;
 }
 async function saveFieldConfig(body) {
@@ -1359,7 +1492,6 @@ async function saveFieldConfig(body) {
   );
 }
 function invalidateFieldConfigCache() {
-  cache2.clear();
 }
 
 // src/tools/list-configurable-fields.ts
@@ -1757,18 +1889,13 @@ const client = createClient({
 })
 
 // --- Register ---
-const { customer, verificationRequired } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'Jane Doe',
   email: 'jane@example.com',
   password: 'securePassword123',
   phone: '+821012345678', // optional
 })
 
-if (verificationRequired) {
-  // Tenant has requireEmailVerification enabled.
-  // Token delivered via webhook \u2014 prompt user to check email.
-}
-
 // --- Login ---
 const { token, customer: loggedIn } = await client.customer.login({
   email: 'jane@example.com',
@@ -1789,9 +1916,9 @@ await client.customer.forgotPassword('jane@example.com') // sends token via webh
 await client.customer.resetPassword(token, 'newPassword123')`,
       cautions: [
         "customer.register/login/me are only available on Client (not ServerClient)",
-        "verificationRequired means no token is returned \u2014 user must verify email first",
+        "registration creates a local customer account; add app-level verification if your project requires it",
         "updateProfile only accepts name, phone, and marketingConsent \u2014 not email or password",
-        "forgotPassword sends the token via tenant webhook, not directly to the client"
+        "forgotPassword sends the token to configured tenant webhooks; your webhook handler owns email/SMS delivery"
       ],
       relatedResources: ["docs://sdk/customer-auth", "docs://sdk/getting-started"],
       relatedTools: []
@@ -2037,8 +2164,8 @@ var docIndex = [
   // Customer Auth
   {
     title: "Customer Auth \u2014 Login and Register",
-    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth", "email verification", "verificationRequired"],
-    summary: "client.customer.login({ email, password }) and register({ name, email, password }). If tenant requireEmailVerification is on, register returns verificationRequired: true.",
+    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth"],
+    summary: "client.customer.login({ email, password }) and register({ name, email, password }).",
     resourceUri: "docs://sdk/customer-auth"
   },
   {
@@ -2064,7 +2191,7 @@ var docIndex = [
   {
     title: "Webhooks",
     keywords: ["webhook", "hmac", "signature", "WEBHOOK_SECRET", "server-to-server", "event"],
-    summary: "Tenant webhooks deliver server-to-server events (e.g. email verification token, password reset token). Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
+    summary: "Tenant webhooks deliver server-to-server events such as password reset tokens. Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
     resourceUri: "docs://sdk/webhook"
   },
   // Order API
@@ -2156,13 +2283,13 @@ var schema33 = {
     "server-client",
     "customer-auth",
     "mcp-connection",
-    "api-key-generation",
+    "server-credentials",
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
 var metadata33 = {
   name: "sdk-get-auth-setup",
-  description: "Get the correct authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
+  description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
     title: "Get Auth Setup",
     readOnlyHint: true,
@@ -2195,15 +2322,14 @@ const { data } = client.query.useQuery({ collection: 'products' })`,
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY! // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
 
 // Full CRUD operations
 const result = await client.collections.from('products').create({ title: 'New Product' })`,
     notes: [
-      "ServerClient has full CRUD access \u2014 never expose the API key in browser",
-      "SOFTWARE_SECRET_KEY stores an opaque bearer token; backend services should prefer tenant API keys (sk01_...)",
-      "Browser-based CLI/init login flows may provision a user-scoped PAT (pat01_...) with a default tenant",
+      "ServerClient has full CRUD access and must run only in trusted server code",
+      "Store server credentials in environment variables and rotate them from the Console",
       "Use in API routes, server actions, or backend services only",
       "React Query hooks available for reads (useQuery, prefetchQuery, etc.) + mutations (useCreate, useUpdate, useRemove)"
     ]
@@ -2235,90 +2361,68 @@ client.customer.isAuthenticated()`,
     notes: [
       "Customer auth uses the browser Client (not ServerClient)",
       "JWT tokens are managed automatically by the SDK",
-      "Tenant may require email verification (requireEmailVerification setting)"
+      "Registration creates a local customer account; add application-level verification if needed"
     ]
   },
   "mcp-connection": {
     title: "MCP Server Connection",
-    envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
+    envVars: [],
     code: `# Claude Code
-claude mcp add --transport http \\
-  --header "x-api-key: $SOFTWARE_SECRET_KEY" \\
-  --header "x-publishable-key: $SOFTWARE_PUBLISHABLE_KEY" \\
-  01software https://mcp.01.software/mcp
+claude mcp add --transport http 01software https://mcp.01.software/mcp
 
-# Codex project-safe .codex/config.toml
+# Codex .codex/config.toml
 [mcp_servers.01software]
 url = "https://mcp.01.software/mcp"
 
-[mcp_servers.01software.env_http_headers]
-x-api-key = "SOFTWARE_SECRET_KEY"
-x-publishable-key = "SOFTWARE_PUBLISHABLE_KEY"
-
-# Or use .mcp.json
+# Or use JSON clients that support OAuth discovery
 {
   "mcpServers": {
     "01software": {
       "type": "http",
-      "url": "https://mcp.01.software/mcp",
-      "headers": {
-        "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-        "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-      }
+      "url": "https://mcp.01.software/mcp"
     }
   }
 }`,
     notes: [
-      "MCP accepts either a tenant API key (sk01_...) or a personal access token (pat01_...) in x-api-key",
-      "HTTP transport also requires x-publishable-key (or legacy x-client-key) for tenant routing, rate limits, and quota enforcement",
-      "Codex project scope is appropriate for repo-safe shared configuration, but keep raw sk01_/pat01_ values out of committed files",
-      "Use tenant API keys for shared service integrations; PATs are useful for user-scoped local workflows",
-      "Never commit raw bearer tokens to repo-local MCP config; prefer environment interpolation, client prompts, OS secret managers, or ignored local files",
-      "Avoid passing real tokens directly on shared-machine command lines because shell history and process listings can expose them",
-      "stdio transport: use `npx @01.software/cli mcp` with SOFTWARE_PUBLISHABLE_KEY and SOFTWARE_SECRET_KEY env vars"
+      "HTTP MCP uses OAuth discovery and Authorization Code + PKCE",
+      "Clients that cannot complete OAuth discovery are unsupported until a smoke test proves compatibility",
+      "stdio transport remains a local CLI path and is separate from HTTP MCP OAuth discovery"
     ]
   },
-  "api-key-generation": {
-    title: "API Key Generation",
+  "server-credentials": {
+    title: "Server Credential Management",
     envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
-    code: `# API keys are generated from the Console, not in code.
-# Go to Console > Settings > API Keys and click "Create API Key".
-# The generated key has the format: sk01_{40hex}
-# Copy the publishable key from the same tenant.
+    code: `# Server credentials are managed from the Console, not in code.
+# Copy both values from the same tenant.
 
-# Use them together for MCP, CLI, and server SDK calls:
-export SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# Use them together for CLI and server SDK calls.
+export SOFTWARE_PUBLISHABLE_KEY=pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 export SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`,
     notes: [
-      "API keys are sk01_{40hex} opaque bearer tokens",
       "The matching SOFTWARE_PUBLISHABLE_KEY is still required for tenant routing, rate limits, and quota enforcement",
-      "Browser-based CLI/init login may issue pat01_{40hex} personal access tokens for user-scoped workflows",
-      "Used for MCP and REST API authentication via x-api-key header or Authorization: Bearer",
-      "Generate keys from Console > Settings > API Keys \u2014 never derive them in code"
+      "Used for REST/SDK authentication in trusted server contexts",
+      "Manage credentials from the Console and rotate them on exposure"
     ]
   },
   "webhook-verification": {
     title: "Webhook Verification",
     envVars: ["WEBHOOK_SECRET"],
-    code: `import { handleWebhook } from '@01.software/sdk/webhook'
+    code: `import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, { secret: process.env.WEBHOOK_SECRET! })
+  return handleWebhook(request, customerAuthHandler, {
+    secret: process.env.WEBHOOK_SECRET!,
+  })
 }`,
     notes: [
       "handleWebhook() takes (request, handler, options) \u2014 handler receives the parsed event",
       "WEBHOOK_SECRET is set per-tenant in Console > Settings",
-      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler"
+      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler",
+      "createCustomerAuthWebhookHandler() is optional; it just routes auth events to your own email/SMS delivery code"
     ]
   }
 };
@@ -2629,8 +2733,8 @@ await client.collections.from('products').remove('id')
 const { totalDocs } = await client.collections.from('products').count()
 
 // Metadata - generate Next.js Metadata from collection fields
-// Auto-maps per-collection fields (e.g. posts: description\u2192description, thumbnail\u2192image)
-const postMeta = await client.collections.from('posts').findMetadataById(id, { siteName: 'My Blog' })
+// Auto-maps per-collection fields (e.g. articles: description\u2192description, thumbnail\u2192image)
+const articleMeta = await client.collections.from('articles').findMetadataById(id, { siteName: 'My Blog' })
 const productMeta = await client.collections.from('products').findMetadata(
   { where: { slug: { equals: 'my-product' } } },
   { siteName: 'My Store' }
@@ -2956,7 +3060,7 @@ var schema38 = {
   feature: z38.enum([
     "ecommerce",
     "customers",
-    "posts",
+    "articles",
     "documents",
     "playlists",
     "galleries",
@@ -3019,22 +3123,22 @@ customer-groups \u2014 Use \`create-collection\` with \`collection='customer-gro
 
 ### Config
 
-- \`requireEmailVerification\` can be toggled in tenant settings
+- Customer registration creates a local account; add app-level verification if needed
 - Customer auth uses custom JWT (separate from Payload auth)`,
-  posts: `## Posts Setup Guide
+  articles: `## Articles Setup Guide
 
 ### Required Collections (count > 0)
 
-1. **posts** \u2014 At least 1 post
+1. **articles** \u2014 At least 1 article
    - Minimum fields: \`{ title, slug }\`
 
-2. **post-authors** \u2014 At least 1 author
+2. **article-authors** \u2014 At least 1 author
    - Minimum fields: \`{ title, slug }\`
-   - Link authors to posts via the \`authors\` relationship field
+   - Link authors to articles via the \`authors\` relationship field
 
 ### Optional Collections
 
-post-categories, post-tags`,
+article-categories, article-tags`,
   documents: `## Documents Setup Guide
 
 ### Required Collections (count > 0)
@@ -3144,7 +3248,7 @@ form-submissions \u2014 Auto-created when forms are submitted by end users`,
 
 ### Required Collections (count > 0)
 
-1. **threads** \u2014 At least 1 thread
+1. **posts** \u2014 At least 1 post
    - Minimum fields: \`{ title, slug }\`
 
 2. **reaction-types** \u2014 At least 1 reaction type defined
@@ -3156,7 +3260,7 @@ comments, reactions, bookmarks, reports, community-bans
 
 ### Optional Collections
 
-thread-categories`
+post-categories`
 };
 function featureSetupGuide({ feature }) {
   return `# Feature Setup Guide: ${feature}
@@ -3185,23 +3289,11 @@ function handler6() {
 
 ## Authentication
 
-All HTTP requests require a bearer token and publishable key:
-
-\`\`\`
-x-api-key: <sk01_... or pat01_...>
-x-publishable-key: <pk01_...>
-\`\`\`
-
-\`x-client-key\` is accepted as a legacy alias for \`x-publishable-key\`.
+HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 
-### Accepted Token Types
-
-- \`sk01_{40hex}\` \u2014 tenant API key from Console > Settings > API Keys
-- \`pat01_{40hex}\` \u2014 personal access token for user-scoped local workflows
-
-\`\`\`
-SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+\`\`\`toml
+[mcp_servers.01software]
+url = "https://mcp.01.software/mcp"
 \`\`\`
 
 ## Available Tools (34)
@@ -3305,7 +3397,17 @@ function handler7() {
     Carts: ["carts", "cart-items"],
     Discounts: ["discounts"],
     Documents: ["documents", "document-categories", "document-types"],
-    "Posts (Blog)": ["posts", "post-categories", "post-tags"],
+    Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+    Community: [
+      "posts",
+      "comments",
+      "reactions",
+      "reaction-types",
+      "bookmarks",
+      "post-categories",
+      "reports",
+      "community-bans"
+    ],
     Playlists: [
       "playlists",
       "tracks",
@@ -3856,7 +3958,7 @@ Customer authentication and profile management. Available on \`Client\` only (\`
 ### Authentication
 \`\`\`typescript
 // Register
-const { customer, verificationRequired? } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'John',
   email: 'john@example.com',
   password: 'password123',
@@ -3891,7 +3993,7 @@ const updated = await client.customer.updateProfile({
 
 ### Password
 \`\`\`typescript
-// Forgot password (sends reset token via webhook)
+// Forgot password (sends reset token to configured tenant webhooks)
 await client.customer.forgotPassword(email)
 
 // Reset password with token
@@ -3901,11 +4003,6 @@ await client.customer.resetPassword(token, newPassword)
 await client.customer.changePassword(currentPassword, newPassword)
 \`\`\`
 
-### Email Verification
-\`\`\`typescript
-await client.customer.verifyEmail(token)
-\`\`\`
-
 ### Orders
 \`\`\`typescript
 const orders = await client.commerce.orders.listMine({
@@ -4084,7 +4181,7 @@ if (page1.hasNextPage) {
 
 \`\`\`typescript
 // Descending (newest first)
-const result = await client.collections.from('posts').find({ sort: '-createdAt' })
+const result = await client.collections.from('articles').find({ sort: '-createdAt' })
 
 // Ascending
 const result2 = await client.collections.from('products').find({ sort: 'price' })
@@ -4379,19 +4476,19 @@ function handler13() {
 
 Server-side operations are available via \`client.commerce\` on \`ServerClient\`. Use \`createServerClient\` with both \`publishableKey\` and \`secretKey\`.
 
-For backend services, prefer a tenant API key (\`sk01_...\`) in \`SOFTWARE_SECRET_KEY\`.
-Browser-based CLI/init login flows may instead provision a user-scoped PAT (\`pat01_...\`) with a default tenant.
-
 \`\`\`typescript
 import { createServerClient } from '@01.software/sdk'
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY!, // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!,
 })
 \`\`\`
 
-> Never expose \`SOFTWARE_SECRET_KEY\` in browser code. Use server components, API routes, or server actions only.
+Use server components, API routes, or server actions only. Never expose
+\`SOFTWARE_SECRET_KEY\` to browser code, client bundles, logs, or public
+repositories. If a secret key leaks, rotate it from the Console before deploying
+again.
 
 ## Order API
 
@@ -4660,11 +4757,9 @@ const result = await client.customer.register({
   phone?: '+821012345678',
 })
 // result.customer          - created customer object
-// result.token?            - JWT token (set if email verification not required)
-// result.verificationRequired? - true if tenant requires email verification
 \`\`\`
 
-When \`verificationRequired\` is true, no token is returned. The tenant's webhook receives a \`verificationToken\` to send to the customer.
+Registration creates a local customer account. Projects that need additional email verification should enforce it in application code.
 
 ### login()
 Authenticate with email and password.
@@ -4718,12 +4813,12 @@ const updated = await client.customer.updateProfile({
 ## Password
 
 ### forgotPassword()
-Request a password reset. Sends reset token via tenant webhook.
+Request a password reset. Sends the reset token to configured tenant webhooks; your webhook handler owns delivery.
 
 \`\`\`typescript
 await client.customer.forgotPassword('john@example.com')
 // Rate limited: 5 requests/min per tenant+email
-// Webhook receives: { resetPasswordToken, resetPasswordExpiry }
+// Webhook receives: { resetPasswordToken, resetPasswordExpiresAt }
 \`\`\`
 
 ### resetPassword()
@@ -4740,15 +4835,6 @@ Change password while authenticated (requires current password).
 await client.customer.changePassword('currentPassword', 'newPassword123')
 \`\`\`
 
-## Email Verification
-
-### verifyEmail()
-Verify email address using the token received via webhook.
-
-\`\`\`typescript
-await client.customer.verifyEmail('verification-token')
-\`\`\`
-
 ## Orders
 
 ### listMine()
@@ -4794,12 +4880,7 @@ const client = createClient({
 async function handleRegister(email: string, password: string, name: string) {
   const result = await client.customer.register({ email, password, name })
 
-  if (result.verificationRequired) {
-    // Redirect to "check your email" page
-    return { status: 'verify-email' }
-  }
-
-  // Token is automatically stored; customer is now logged in
+  // Customer is created as a local account.
   return { status: 'success', customer: result.customer }
 }
 
@@ -4901,7 +4982,11 @@ await client.commerce.orders.checkout({ ... })
 
 **Environment variables**:
 - \`SOFTWARE_PUBLISHABLE_KEY\` \u2014 publishable key (no NEXT_PUBLIC prefix, server-only)
-- \`SOFTWARE_SECRET_KEY\` \u2014 opaque bearer token (server-only, never expose to browser). Backend services usually use \`sk01_...\`; browser-based CLI/init login can provision \`pat01_...\` with a default tenant.
+- \`SOFTWARE_SECRET_KEY\` \u2014 server credential
+
+Never expose \`SOFTWARE_SECRET_KEY\` in browser code, client bundles, logs, or
+public repositories. If a secret key leaks, rotate it from the Console before
+deploying again.
 
 ## Decision Matrix
 
@@ -4967,9 +5052,10 @@ export function ProductList() {
 
 ## Security Rules
 
-- Never import \`SOFTWARE_SECRET_KEY\` or \`SOFTWARE_PUBLISHABLE_KEY\` in files without a \`'use server'\` directive or that could be bundled for the browser.
+- Keep server credentials in server-only modules.
 - Only \`NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY\` is safe to use in client components.
-- If you accidentally expose \`SOFTWARE_SECRET_KEY\` in a browser bundle, rotate the key immediately in the 01.software console.
+- Never import a module that reads \`SOFTWARE_SECRET_KEY\` from a client component.
+- Rotate any exposed secret key immediately from the Console.
 
 > Ecommerce note: product card pricing lives on \`products.listing.*\`, but authoritative sellable pricing still lives on \`product-variants.price\`.`;
 }
@@ -5134,27 +5220,23 @@ var metadata50 = {
 function handler17() {
   return `# Webhooks
 
-The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs for async operations (email verification, password reset, etc.).
+The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs. Tenant developers own routing inside their webhook handler.
 
 ## Webhook Handling
 
-Use the SDK \`handleWebhook\` helper to verify signatures and route events.
+Use the SDK \`handleWebhook\` helper to verify signatures. For customer auth events, use \`createCustomerAuthWebhookHandler\` to wire delivery behavior in your app.
 
 \`\`\`typescript
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const handler = createCustomerAuthWebhookHandler({
+  passwordReset: async (data) => {
+    await sendPasswordResetEmail(data)
+  },
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, {
+  return handleWebhook(request, handler, {
     secret: process.env.WEBHOOK_SECRET!,
   })
 }
@@ -5166,19 +5248,17 @@ export async function POST(request: Request) {
 
 \`\`\`typescript
 // app/api/webhooks/route.ts
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
   return handleWebhook(request, async (event) => {
     console.log('Webhook received:', event.collection, event.operation)
 
-    if (event.collection === 'customers') {
-      if (event.operation === 'verification') {
-        await sendVerificationEmail(event.data)
-      } else if (event.operation === 'password-reset') {
-        await sendPasswordResetEmail(event.data)
-      }
-    }
+    await customerAuthHandler(event)
   }, {
     secret: process.env.WEBHOOK_SECRET!,
   })
@@ -5192,49 +5272,13 @@ All webhook events share this envelope:
 \`\`\`typescript
 {
   collection: string,    // e.g. 'customers'
-  operation: string,     // e.g. 'verification' | 'password-reset'
+  operation: string,     // e.g. 'password-reset'
   data: object,          // event-specific payload
 }
 \`\`\`
 
 ## Event Types
 
-### Customer Email Verification
-
-Dispatched when a customer registers on a tenant with \`requireEmailVerification: true\`.
-
-\`\`\`typescript
-{
-  collection: 'customers',
-  operation: 'verification',
-  data: {
-    customerId: string,
-    email: string,
-    name: string,
-    verificationToken: string,  // raw token to include in verification link
-  }
-}
-\`\`\`
-
-**Usage**: Send the \`verificationToken\` to the customer's email. The customer calls \`client.customer.verifyEmail(token)\` to complete verification.
-
-\`\`\`typescript
-// Example: send verification email
-async function sendVerificationEmail(data: {
-  customerId: string
-  email: string
-  name: string
-  verificationToken: string
-}) {
-  const verifyUrl = \`https://yourstore.com/verify-email?token=\${data.verificationToken}\`
-  await emailService.send({
-    to: data.email,
-    subject: 'Verify your email',
-    body: \`Click here to verify: \${verifyUrl}\`,
-  })
-}
-\`\`\`
-
 ### Customer Password Reset
 
 Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
@@ -5248,7 +5292,7 @@ Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
     email: string,
     name: string,
     resetPasswordToken: string,   // raw token to include in reset link
-    resetPasswordExpiry: string,  // ISO 8601 expiry (1 hour from dispatch)
+    resetPasswordExpiresAt: string,  // ISO 8601 expiry (1 hour from dispatch)
   }
 }
 \`\`\`
@@ -5261,13 +5305,13 @@ async function sendPasswordResetEmail(data: {
   email: string
   name: string
   resetPasswordToken: string
-  resetPasswordExpiry: string
+  resetPasswordExpiresAt: string
 }) {
   const resetUrl = \`https://yourstore.com/reset-password?token=\${data.resetPasswordToken}\`
   await emailService.send({
     to: data.email,
     subject: 'Reset your password',
-    body: \`Reset link (expires \${data.resetPasswordExpiry}): \${resetUrl}\`,
+    body: \`Reset link (expires \${data.resetPasswordExpiresAt}): \${resetUrl}\`,
   })
 }
 \`\`\`
@@ -5330,37 +5374,40 @@ function registerStaticResource(server, uri, meta, handler18) {
     })
   );
 }
-function createServer() {
+function createServer(options = {}) {
+  const toolSurface = options.toolSurface ?? "full";
   const server = new McpServer({
     name: "01.software MCP Server",
     version: "0.1.0"
   });
-  registerTool(server, schema, metadata, queryCollection);
-  registerTool(server, schema2, metadata2, getCollectionById);
-  registerTool(server, schema3, metadata3, createCollection);
-  registerTool(server, schema4, metadata4, updateCollection);
-  registerTool(server, schema5, metadata5, deleteCollection);
-  registerTool(server, schema6, metadata6, deleteManyCollection);
-  registerTool(server, schema7, metadata7, updateManyCollection);
-  registerTool(server, schema8, metadata8, getOrder);
-  registerTool(server, schema9, metadata9, createOrder);
-  registerTool(server, schema10, metadata10, updateOrder);
-  registerTool(server, schema11, metadata11, checkout);
-  registerTool(server, schema12, metadata12, createFulfillment);
-  registerTool(server, schema13, metadata13, updateFulfillment);
-  registerTool(server, schema14, metadata14, updateTransaction);
-  registerTool(server, schema15, metadata15, createReturn);
-  registerTool(server, schema16, metadata16, updateReturn);
-  registerTool(server, schema17, metadata17, returnWithRefund);
-  registerTool(server, schema18, metadata18, addCartItem);
-  registerTool(server, schema19, metadata19, updateCartItem);
-  registerTool(server, schema20, metadata20, removeCartItem);
-  registerTool(server, schema21, metadata21, applyDiscount);
-  registerTool(server, schema22, metadata22, removeDiscount);
-  registerTool(server, schema23, metadata23, clearCart);
-  registerTool(server, schema24, metadata24, validateDiscount);
-  registerTool(server, schema25, metadata25, calculateShipping);
-  registerTool(server, schema26, metadata26, stockCheck);
+  if (toolSurface === "full") {
+    registerTool(server, schema, metadata, queryCollection);
+    registerTool(server, schema2, metadata2, getCollectionById);
+    registerTool(server, schema3, metadata3, createCollection);
+    registerTool(server, schema4, metadata4, updateCollection);
+    registerTool(server, schema5, metadata5, deleteCollection);
+    registerTool(server, schema6, metadata6, deleteManyCollection);
+    registerTool(server, schema7, metadata7, updateManyCollection);
+    registerTool(server, schema8, metadata8, getOrder);
+    registerTool(server, schema9, metadata9, createOrder);
+    registerTool(server, schema10, metadata10, updateOrder);
+    registerTool(server, schema11, metadata11, checkout);
+    registerTool(server, schema12, metadata12, createFulfillment);
+    registerTool(server, schema13, metadata13, updateFulfillment);
+    registerTool(server, schema14, metadata14, updateTransaction);
+    registerTool(server, schema15, metadata15, createReturn);
+    registerTool(server, schema16, metadata16, updateReturn);
+    registerTool(server, schema17, metadata17, returnWithRefund);
+    registerTool(server, schema18, metadata18, addCartItem);
+    registerTool(server, schema19, metadata19, updateCartItem);
+    registerTool(server, schema20, metadata20, removeCartItem);
+    registerTool(server, schema21, metadata21, applyDiscount);
+    registerTool(server, schema22, metadata22, removeDiscount);
+    registerTool(server, schema23, metadata23, clearCart);
+    registerTool(server, schema24, metadata24, validateDiscount);
+    registerTool(server, schema25, metadata25, calculateShipping);
+    registerTool(server, schema26, metadata26, stockCheck);
+  }
   registerTool(server, schema27, metadata27, getCollectionSchemaTool);
   registerTool(server, schema28, metadata28, handler);
   registerTool(server, schema29, metadata29, listConfigurableFields);
@@ -5390,6 +5437,7 @@ function createServer() {
 
 export {
   requestContext,
+  mcpServicePublicJwks,
   createServer
 };
-//# sourceMappingURL=chunk-3ZSKJM43.js.map
+//# sourceMappingURL=chunk-45ZCPS57.js.map