@01.software/cli 0.7.1 → 0.8.0

package/dist/mcp/vercel.js

@@ -1,5 +1,11 @@
 // src/handler.ts
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import {
+  MCP_OAUTH_ISSUER as MCP_OAUTH_ISSUER3,
+  MCP_PROTECTED_RESOURCE_METADATA_PATH,
+  MCP_RESOURCE_AUDIENCE as MCP_RESOURCE_AUDIENCE2,
+  MCP_SCOPES as MCP_SCOPES2
+} from "@01.software/auth-contracts";
 
 // src/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
@@ -10,40 +16,207 @@ import { z } from "zod";
 // src/lib/request-context.ts
 import { AsyncLocalStorage } from "async_hooks";
 var requestContext = new AsyncLocalStorage();
-function headers() {
-  const ctx = requestContext.getStore();
-  if (!ctx) return null;
-  return Object.fromEntries(ctx.headers.entries());
+function tenantAuthContext() {
+  return requestContext.getStore()?.auth ?? null;
+}
+function hasRequestContext() {
+  return requestContext.getStore() !== void 0;
 }
 
 // src/lib/client.ts
-import { createServerClient } from "@01.software/sdk";
-function getClient() {
-  let secretKey;
-  let publishableKey;
-  try {
-    const h = headers();
-    secretKey = h?.["x-api-key"];
-    publishableKey = h?.["x-publishable-key"] ?? h?.["x-client-key"];
-  } catch {
+import {
+  CollectionClient,
+  CommunityClient,
+  ModerationApi,
+  ServerCommerceClient,
+  createServerClient
+} from "@01.software/sdk";
+
+// src/service-auth.ts
+import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
+import {
+  MCP_CONSOLE_SERVICE_AUDIENCE,
+  MCP_CONSOLE_SERVICE_SCOPE,
+  MCP_OAUTH_ISSUER,
+  MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
+  MCP_TENANT_CLAIM,
+  MCP_TENANT_ROLE_CLAIM
+} from "@01.software/auth-contracts";
+var KEYSET_ENV = "MCP_SERVICE_KEYSET";
+function assertProductionKeysetUse(source) {
+  const vercelEnv = process.env.VERCEL_ENV;
+  if (vercelEnv && vercelEnv !== "production") {
+    throw new Error(
+      `${source} is only allowed in production Vercel deployments; non-production MCP service auth needs environment-specific issuer, audience, JWKS URI, and key material`
+    );
   }
-  if (!secretKey) {
-    secretKey = process.env.SOFTWARE_SECRET_KEY;
+}
+function parsePrivateJwk() {
+  const keyset = signingKeyset();
+  const jwk = keyset.current;
+  const source = keyset.source;
+  if (typeof jwk.d !== "string" || jwk.d.length === 0) {
+    throw new Error(`${source} current key must be a private JWK`);
   }
-  if (!publishableKey) {
-    publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
+  if (typeof jwk.kid !== "string" || jwk.kid.length === 0) {
+    throw new Error(`${source} must include kid`);
+  }
+  return jwk;
+}
+function signingKeyset() {
+  const raw = process.env[KEYSET_ENV];
+  const source = KEYSET_ENV;
+  if (raw) assertProductionKeysetUse(source);
+  const parsed = (() => {
+    if (!raw) return null;
+    try {
+      return JSON.parse(raw);
+    } catch {
+      throw new Error(`${KEYSET_ENV} is invalid JSON`);
+    }
+  })();
+  if (!parsed) throw new Error("MCP service JWT signing key is not configured");
+  const keys = Array.isArray(parsed.keys) ? parsed.keys : [parsed];
+  if (keys.length === 0 || keys.length > 2) {
+    throw new Error(
+      `${source} must contain one current key and at most one previous key`
+    );
+  }
+  const currentKid = parsed.current_kid;
+  if (typeof currentKid !== "string" && keys.length > 1) {
+    throw new Error(
+      `${source} must include current_kid when multiple keys are present`
+    );
+  }
+  const current = typeof currentKid === "string" ? keys.find((key) => key.kid === currentKid) : keys[0];
+  if (!current) throw new Error(`${source} current_kid is not in keys`);
+  return { current, keys, source };
+}
+function algForJwk(jwk) {
+  if (jwk.kty === "RSA") return "RS256";
+  if (jwk.kty === "EC" && jwk.crv === "P-256") return "ES256";
+  throw new Error("MCP service JWT signing key must be RSA or P-256 EC");
+}
+function toPublicJwk(jwk) {
+  const {
+    d: _d,
+    p: _p,
+    q: _q,
+    dp: _dp,
+    dq: _dq,
+    qi: _qi,
+    oth: _oth,
+    ...publicJwk
+  } = jwk;
+  return {
+    ...publicJwk,
+    alg: typeof publicJwk.alg === "string" ? publicJwk.alg : algForJwk(jwk),
+    use: "sig"
+  };
+}
+function base64urlJson(value) {
+  return Buffer.from(JSON.stringify(value)).toString("base64url");
+}
+function apiScopesFor(context) {
+  return context.scopes.includes("mcp:write") ? ["read", "write"] : ["read"];
+}
+function mcpServicePublicJwks() {
+  const keyset = signingKeyset();
+  const keys = /* @__PURE__ */ new Map();
+  for (const jwk of keyset.keys.map(toPublicJwk)) {
+    if (typeof jwk.kid === "string" && jwk.kid.length > 0) {
+      keys.set(jwk.kid, jwk);
+    }
+  }
+  return { keys: [...keys.values()] };
+}
+function signMcpServiceToken(context) {
+  if (!context.principalId) {
+    throw new Error("MCP OAuth principal is required for Console service auth");
+  }
+  const jwk = parsePrivateJwk();
+  const alg = algForJwk(jwk);
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: MCP_OAUTH_ISSUER,
+    aud: MCP_CONSOLE_SERVICE_AUDIENCE,
+    iat: now,
+    nbf: now,
+    exp: now + MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
+    jti: randomUUID(),
+    sub: context.principalId,
+    act: {
+      sub: context.principalId,
+      tenant_id: context.tenantId
+    },
+    [MCP_TENANT_CLAIM]: context.tenantId,
+    [MCP_TENANT_ROLE_CLAIM]: context.tenantRole,
+    scope: MCP_CONSOLE_SERVICE_SCOPE,
+    api_scopes: apiScopesFor(context),
+    mcp_scopes: context.scopes
+  };
+  const header = { alg, kid: jwk.kid, typ: "JWT" };
+  const encodedHeader = base64urlJson(header);
+  const encodedPayload = base64urlJson(payload);
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const key = createPrivateKey({ key: jwk, format: "jwk" });
+  const signature = alg === "RS256" ? signBytes("RSA-SHA256", Buffer.from(signingInput), key) : signBytes("SHA256", Buffer.from(signingInput), {
+    key,
+    dsaEncoding: "ieee-p1363"
+  });
+  return `${signingInput}.${signature.toString("base64url")}`;
+}
+
+// src/lib/client.ts
+var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    const serviceToken = signMcpServiceToken(oauthContext);
+    const client = {
+      lastRequestId: null,
+      commerce: void 0,
+      collections: void 0,
+      community: void 0
+    };
+    const onRequestId = (id) => {
+      client.lastRequestId = id;
+    };
+    client.commerce = new ServerCommerceClient({
+      secretKey: serviceToken,
+      onRequestId
+    });
+    client.collections = new CollectionClient(
+      "",
+      serviceToken,
+      void 0,
+      void 0,
+      onRequestId
+    );
+    const community = new CommunityClient({ secretKey: serviceToken });
+    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
+    client.community = Object.assign(community, {
+      moderation: {
+        banCustomer: moderation.banCustomer.bind(moderation),
+        unbanCustomer: moderation.unbanCustomer.bind(moderation)
+      }
+    });
+    return client;
   }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+  const secretKey = process.env.SOFTWARE_SECRET_KEY;
+  const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
   if (!secretKey) {
     throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
   if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
-    throw new Error("Invalid API key format. Expected sk01_ or pat01_ token.");
+    throw new Error("Invalid SOFTWARE_SECRET_KEY format. Expected sk01_ or pat01_ token.");
   }
   if (!publishableKey) {
     throw new Error(
-      "publishableKey is required. Provide X-Publishable-Key header (HTTP) or SOFTWARE_PUBLISHABLE_KEY env var (stdio). It is used for rate limiting and monthly quota enforcement via the edge proxy."
+      "publishableKey is required. Set SOFTWARE_PUBLISHABLE_KEY for stdio transport. It is used for rate limiting and monthly quota enforcement via the edge proxy."
     );
   }
   return createServerClient({
@@ -1087,49 +1260,40 @@ import { COLLECTIONS as COLLECTIONS8 } from "@01.software/sdk";
 import { createHash } from "crypto";
 var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
 var TIMEOUT_MS = 5e3;
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
 function resolveAuthHeaderContext() {
-  let context = {};
-  try {
-    const h = headers();
-    context = {
-      apiKey: h?.["x-api-key"],
-      publishableKey: h?.["x-publishable-key"] ?? h?.["x-client-key"]
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-  } catch {
   }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
   return {
-    apiKey: context.apiKey ?? process.env.SOFTWARE_SECRET_KEY,
-    publishableKey: context.publishableKey ?? process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
   };
 }
 function resolveApiKey() {
   const { apiKey } = resolveAuthHeaderContext();
   if (!apiKey || typeof apiKey !== "string") {
     throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
   return apiKey;
 }
-function hashKey(apiKey) {
-  return createHash("sha256").update(apiKey).digest("hex");
-}
-function resolveAuthCacheKey(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  return hashKey(
-    JSON.stringify({
-      apiKey,
-      publishableKey: publishableKey ?? ""
-    })
-  );
-}
 function buildAuthHeaders(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  const headers2 = {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
     Authorization: `Bearer ${apiKey}`
   };
-  if (publishableKey) headers2["X-Publishable-Key"] = publishableKey;
-  return headers2;
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
+  }
+  return headers;
 }
 function extractErrorMessage(body) {
   if (!body || typeof body !== "object") return void 0;
@@ -1223,37 +1387,18 @@ async function getCollectionSchemaTool({
 import { z as z28 } from "zod";
 
 // src/lib/tenant-context.ts
-var TENANT_CONTEXT_CACHE_TTL_MS = 6e4;
-var cache = /* @__PURE__ */ new Map();
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
 }
-function getCachedTenantContext(cacheKey) {
-  const cached = cache.get(cacheKey);
-  if (!cached || cached.expiry <= Date.now()) return void 0;
-  return cached.data;
-}
 async function getTenantContext(includeCounts = false) {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  if (!includeCounts) {
-    const cached = getCachedTenantContext(cacheKey);
-    if (cached) return cached;
-  }
   const data = await consoleGet(
     getTenantContextPath(includeCounts),
     apiKey
   );
-  if (!includeCounts) {
-    cache.set(cacheKey, {
-      data,
-      expiry: Date.now() + TENANT_CONTEXT_CACHE_TTL_MS
-    });
-  }
   return data;
 }
 function invalidateTenantContextCache() {
-  cache.clear();
 }
 
 // src/tools/get-tenant-context.ts
@@ -1339,18 +1484,12 @@ async function handler({ includeCounts }) {
 import { z as z29 } from "zod";
 
 // src/lib/field-config.ts
-var cache2 = /* @__PURE__ */ new Map();
-var CACHE_TTL = 6e4;
 async function fetchFieldConfigs() {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  const cached = cache2.get(cacheKey);
-  if (cached && cached.expiry > Date.now()) return cached.data;
   const data = await consoleGet(
     "/api/field-configs/list",
     apiKey
   );
-  cache2.set(cacheKey, { data, expiry: Date.now() + CACHE_TTL });
   return data;
 }
 async function saveFieldConfig(body) {
@@ -1362,7 +1501,6 @@ async function saveFieldConfig(body) {
   );
 }
 function invalidateFieldConfigCache() {
-  cache2.clear();
 }
 
 // src/tools/list-configurable-fields.ts
@@ -1760,18 +1898,13 @@ const client = createClient({
 })
 
 // --- Register ---
-const { customer, verificationRequired } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'Jane Doe',
   email: 'jane@example.com',
   password: 'securePassword123',
   phone: '+821012345678', // optional
 })
 
-if (verificationRequired) {
-  // Tenant has requireEmailVerification enabled.
-  // Token delivered via webhook \u2014 prompt user to check email.
-}
-
 // --- Login ---
 const { token, customer: loggedIn } = await client.customer.login({
   email: 'jane@example.com',
@@ -1792,9 +1925,9 @@ await client.customer.forgotPassword('jane@example.com') // sends token via webh
 await client.customer.resetPassword(token, 'newPassword123')`,
       cautions: [
         "customer.register/login/me are only available on Client (not ServerClient)",
-        "verificationRequired means no token is returned \u2014 user must verify email first",
+        "registration creates a local customer account; add app-level verification if your project requires it",
         "updateProfile only accepts name, phone, and marketingConsent \u2014 not email or password",
-        "forgotPassword sends the token via tenant webhook, not directly to the client"
+        "forgotPassword sends the token to configured tenant webhooks; your webhook handler owns email/SMS delivery"
       ],
       relatedResources: ["docs://sdk/customer-auth", "docs://sdk/getting-started"],
       relatedTools: []
@@ -2040,8 +2173,8 @@ var docIndex = [
   // Customer Auth
   {
     title: "Customer Auth \u2014 Login and Register",
-    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth", "email verification", "verificationRequired"],
-    summary: "client.customer.login({ email, password }) and register({ name, email, password }). If tenant requireEmailVerification is on, register returns verificationRequired: true.",
+    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth"],
+    summary: "client.customer.login({ email, password }) and register({ name, email, password }).",
     resourceUri: "docs://sdk/customer-auth"
   },
   {
@@ -2067,7 +2200,7 @@ var docIndex = [
   {
     title: "Webhooks",
     keywords: ["webhook", "hmac", "signature", "WEBHOOK_SECRET", "server-to-server", "event"],
-    summary: "Tenant webhooks deliver server-to-server events (e.g. email verification token, password reset token). Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
+    summary: "Tenant webhooks deliver server-to-server events such as password reset tokens. Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
     resourceUri: "docs://sdk/webhook"
   },
   // Order API
@@ -2159,13 +2292,13 @@ var schema33 = {
     "server-client",
     "customer-auth",
     "mcp-connection",
-    "api-key-generation",
+    "server-credentials",
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
 var metadata33 = {
   name: "sdk-get-auth-setup",
-  description: "Get the correct authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
+  description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
     title: "Get Auth Setup",
     readOnlyHint: true,
@@ -2198,15 +2331,14 @@ const { data } = client.query.useQuery({ collection: 'products' })`,
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY! // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
 
 // Full CRUD operations
 const result = await client.collections.from('products').create({ title: 'New Product' })`,
     notes: [
-      "ServerClient has full CRUD access \u2014 never expose the API key in browser",
-      "SOFTWARE_SECRET_KEY stores an opaque bearer token; backend services should prefer tenant API keys (sk01_...)",
-      "Browser-based CLI/init login flows may provision a user-scoped PAT (pat01_...) with a default tenant",
+      "ServerClient has full CRUD access and must run only in trusted server code",
+      "Store server credentials in environment variables and rotate them from the Console",
       "Use in API routes, server actions, or backend services only",
       "React Query hooks available for reads (useQuery, prefetchQuery, etc.) + mutations (useCreate, useUpdate, useRemove)"
     ]
@@ -2238,90 +2370,68 @@ client.customer.isAuthenticated()`,
     notes: [
       "Customer auth uses the browser Client (not ServerClient)",
       "JWT tokens are managed automatically by the SDK",
-      "Tenant may require email verification (requireEmailVerification setting)"
+      "Registration creates a local customer account; add application-level verification if needed"
     ]
   },
   "mcp-connection": {
     title: "MCP Server Connection",
-    envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
+    envVars: [],
     code: `# Claude Code
-claude mcp add --transport http \\
-  --header "x-api-key: $SOFTWARE_SECRET_KEY" \\
-  --header "x-publishable-key: $SOFTWARE_PUBLISHABLE_KEY" \\
-  01software https://mcp.01.software/mcp
+claude mcp add --transport http 01software https://mcp.01.software/mcp
 
-# Codex project-safe .codex/config.toml
+# Codex .codex/config.toml
 [mcp_servers.01software]
 url = "https://mcp.01.software/mcp"
 
-[mcp_servers.01software.env_http_headers]
-x-api-key = "SOFTWARE_SECRET_KEY"
-x-publishable-key = "SOFTWARE_PUBLISHABLE_KEY"
-
-# Or use .mcp.json
+# Or use JSON clients that support OAuth discovery
 {
   "mcpServers": {
     "01software": {
       "type": "http",
-      "url": "https://mcp.01.software/mcp",
-      "headers": {
-        "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-        "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-      }
+      "url": "https://mcp.01.software/mcp"
     }
   }
 }`,
     notes: [
-      "MCP accepts either a tenant API key (sk01_...) or a personal access token (pat01_...) in x-api-key",
-      "HTTP transport also requires x-publishable-key (or legacy x-client-key) for tenant routing, rate limits, and quota enforcement",
-      "Codex project scope is appropriate for repo-safe shared configuration, but keep raw sk01_/pat01_ values out of committed files",
-      "Use tenant API keys for shared service integrations; PATs are useful for user-scoped local workflows",
-      "Never commit raw bearer tokens to repo-local MCP config; prefer environment interpolation, client prompts, OS secret managers, or ignored local files",
-      "Avoid passing real tokens directly on shared-machine command lines because shell history and process listings can expose them",
-      "stdio transport: use `npx @01.software/cli mcp` with SOFTWARE_PUBLISHABLE_KEY and SOFTWARE_SECRET_KEY env vars"
+      "HTTP MCP uses OAuth discovery and Authorization Code + PKCE",
+      "Clients that cannot complete OAuth discovery are unsupported until a smoke test proves compatibility",
+      "stdio transport remains a local CLI path and is separate from HTTP MCP OAuth discovery"
     ]
   },
-  "api-key-generation": {
-    title: "API Key Generation",
+  "server-credentials": {
+    title: "Server Credential Management",
     envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
-    code: `# API keys are generated from the Console, not in code.
-# Go to Console > Settings > API Keys and click "Create API Key".
-# The generated key has the format: sk01_{40hex}
-# Copy the publishable key from the same tenant.
+    code: `# Server credentials are managed from the Console, not in code.
+# Copy both values from the same tenant.
 
-# Use them together for MCP, CLI, and server SDK calls:
-export SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# Use them together for CLI and server SDK calls.
+export SOFTWARE_PUBLISHABLE_KEY=pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 export SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`,
     notes: [
-      "API keys are sk01_{40hex} opaque bearer tokens",
       "The matching SOFTWARE_PUBLISHABLE_KEY is still required for tenant routing, rate limits, and quota enforcement",
-      "Browser-based CLI/init login may issue pat01_{40hex} personal access tokens for user-scoped workflows",
-      "Used for MCP and REST API authentication via x-api-key header or Authorization: Bearer",
-      "Generate keys from Console > Settings > API Keys \u2014 never derive them in code"
+      "Used for REST/SDK authentication in trusted server contexts",
+      "Manage credentials from the Console and rotate them on exposure"
     ]
   },
   "webhook-verification": {
     title: "Webhook Verification",
     envVars: ["WEBHOOK_SECRET"],
-    code: `import { handleWebhook } from '@01.software/sdk/webhook'
+    code: `import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, { secret: process.env.WEBHOOK_SECRET! })
+  return handleWebhook(request, customerAuthHandler, {
+    secret: process.env.WEBHOOK_SECRET!,
+  })
 }`,
     notes: [
       "handleWebhook() takes (request, handler, options) \u2014 handler receives the parsed event",
       "WEBHOOK_SECRET is set per-tenant in Console > Settings",
-      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler"
+      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler",
+      "createCustomerAuthWebhookHandler() is optional; it just routes auth events to your own email/SMS delivery code"
     ]
   }
 };
@@ -2632,8 +2742,8 @@ await client.collections.from('products').remove('id')
 const { totalDocs } = await client.collections.from('products').count()
 
 // Metadata - generate Next.js Metadata from collection fields
-// Auto-maps per-collection fields (e.g. posts: description\u2192description, thumbnail\u2192image)
-const postMeta = await client.collections.from('posts').findMetadataById(id, { siteName: 'My Blog' })
+// Auto-maps per-collection fields (e.g. articles: description\u2192description, thumbnail\u2192image)
+const articleMeta = await client.collections.from('articles').findMetadataById(id, { siteName: 'My Blog' })
 const productMeta = await client.collections.from('products').findMetadata(
   { where: { slug: { equals: 'my-product' } } },
   { siteName: 'My Store' }
@@ -2959,7 +3069,7 @@ var schema38 = {
   feature: z38.enum([
     "ecommerce",
     "customers",
-    "posts",
+    "articles",
     "documents",
     "playlists",
     "galleries",
@@ -3022,22 +3132,22 @@ customer-groups \u2014 Use \`create-collection\` with \`collection='customer-gro
 
 ### Config
 
-- \`requireEmailVerification\` can be toggled in tenant settings
+- Customer registration creates a local account; add app-level verification if needed
 - Customer auth uses custom JWT (separate from Payload auth)`,
-  posts: `## Posts Setup Guide
+  articles: `## Articles Setup Guide
 
 ### Required Collections (count > 0)
 
-1. **posts** \u2014 At least 1 post
+1. **articles** \u2014 At least 1 article
    - Minimum fields: \`{ title, slug }\`
 
-2. **post-authors** \u2014 At least 1 author
+2. **article-authors** \u2014 At least 1 author
    - Minimum fields: \`{ title, slug }\`
-   - Link authors to posts via the \`authors\` relationship field
+   - Link authors to articles via the \`authors\` relationship field
 
 ### Optional Collections
 
-post-categories, post-tags`,
+article-categories, article-tags`,
   documents: `## Documents Setup Guide
 
 ### Required Collections (count > 0)
@@ -3147,7 +3257,7 @@ form-submissions \u2014 Auto-created when forms are submitted by end users`,
 
 ### Required Collections (count > 0)
 
-1. **threads** \u2014 At least 1 thread
+1. **posts** \u2014 At least 1 post
    - Minimum fields: \`{ title, slug }\`
 
 2. **reaction-types** \u2014 At least 1 reaction type defined
@@ -3159,7 +3269,7 @@ comments, reactions, bookmarks, reports, community-bans
 
 ### Optional Collections
 
-thread-categories`
+post-categories`
 };
 function featureSetupGuide({ feature }) {
   return `# Feature Setup Guide: ${feature}
@@ -3188,23 +3298,11 @@ function handler6() {
 
 ## Authentication
 
-All HTTP requests require a bearer token and publishable key:
-
-\`\`\`
-x-api-key: <sk01_... or pat01_...>
-x-publishable-key: <pk01_...>
-\`\`\`
-
-\`x-client-key\` is accepted as a legacy alias for \`x-publishable-key\`.
+HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 
-### Accepted Token Types
-
-- \`sk01_{40hex}\` \u2014 tenant API key from Console > Settings > API Keys
-- \`pat01_{40hex}\` \u2014 personal access token for user-scoped local workflows
-
-\`\`\`
-SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+\`\`\`toml
+[mcp_servers.01software]
+url = "https://mcp.01.software/mcp"
 \`\`\`
 
 ## Available Tools (34)
@@ -3308,7 +3406,17 @@ function handler7() {
     Carts: ["carts", "cart-items"],
     Discounts: ["discounts"],
     Documents: ["documents", "document-categories", "document-types"],
-    "Posts (Blog)": ["posts", "post-categories", "post-tags"],
+    Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+    Community: [
+      "posts",
+      "comments",
+      "reactions",
+      "reaction-types",
+      "bookmarks",
+      "post-categories",
+      "reports",
+      "community-bans"
+    ],
     Playlists: [
       "playlists",
       "tracks",
@@ -3859,7 +3967,7 @@ Customer authentication and profile management. Available on \`Client\` only (\`
 ### Authentication
 \`\`\`typescript
 // Register
-const { customer, verificationRequired? } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'John',
   email: 'john@example.com',
   password: 'password123',
@@ -3894,7 +4002,7 @@ const updated = await client.customer.updateProfile({
 
 ### Password
 \`\`\`typescript
-// Forgot password (sends reset token via webhook)
+// Forgot password (sends reset token to configured tenant webhooks)
 await client.customer.forgotPassword(email)
 
 // Reset password with token
@@ -3904,11 +4012,6 @@ await client.customer.resetPassword(token, newPassword)
 await client.customer.changePassword(currentPassword, newPassword)
 \`\`\`
 
-### Email Verification
-\`\`\`typescript
-await client.customer.verifyEmail(token)
-\`\`\`
-
 ### Orders
 \`\`\`typescript
 const orders = await client.commerce.orders.listMine({
@@ -4087,7 +4190,7 @@ if (page1.hasNextPage) {
 
 \`\`\`typescript
 // Descending (newest first)
-const result = await client.collections.from('posts').find({ sort: '-createdAt' })
+const result = await client.collections.from('articles').find({ sort: '-createdAt' })
 
 // Ascending
 const result2 = await client.collections.from('products').find({ sort: 'price' })
@@ -4382,19 +4485,19 @@ function handler13() {
 
 Server-side operations are available via \`client.commerce\` on \`ServerClient\`. Use \`createServerClient\` with both \`publishableKey\` and \`secretKey\`.
 
-For backend services, prefer a tenant API key (\`sk01_...\`) in \`SOFTWARE_SECRET_KEY\`.
-Browser-based CLI/init login flows may instead provision a user-scoped PAT (\`pat01_...\`) with a default tenant.
-
 \`\`\`typescript
 import { createServerClient } from '@01.software/sdk'
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY!, // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!,
 })
 \`\`\`
 
-> Never expose \`SOFTWARE_SECRET_KEY\` in browser code. Use server components, API routes, or server actions only.
+Use server components, API routes, or server actions only. Never expose
+\`SOFTWARE_SECRET_KEY\` to browser code, client bundles, logs, or public
+repositories. If a secret key leaks, rotate it from the Console before deploying
+again.
 
 ## Order API
 
@@ -4663,11 +4766,9 @@ const result = await client.customer.register({
   phone?: '+821012345678',
 })
 // result.customer          - created customer object
-// result.token?            - JWT token (set if email verification not required)
-// result.verificationRequired? - true if tenant requires email verification
 \`\`\`
 
-When \`verificationRequired\` is true, no token is returned. The tenant's webhook receives a \`verificationToken\` to send to the customer.
+Registration creates a local customer account. Projects that need additional email verification should enforce it in application code.
 
 ### login()
 Authenticate with email and password.
@@ -4721,12 +4822,12 @@ const updated = await client.customer.updateProfile({
 ## Password
 
 ### forgotPassword()
-Request a password reset. Sends reset token via tenant webhook.
+Request a password reset. Sends the reset token to configured tenant webhooks; your webhook handler owns delivery.
 
 \`\`\`typescript
 await client.customer.forgotPassword('john@example.com')
 // Rate limited: 5 requests/min per tenant+email
-// Webhook receives: { resetPasswordToken, resetPasswordExpiry }
+// Webhook receives: { resetPasswordToken, resetPasswordExpiresAt }
 \`\`\`
 
 ### resetPassword()
@@ -4743,15 +4844,6 @@ Change password while authenticated (requires current password).
 await client.customer.changePassword('currentPassword', 'newPassword123')
 \`\`\`
 
-## Email Verification
-
-### verifyEmail()
-Verify email address using the token received via webhook.
-
-\`\`\`typescript
-await client.customer.verifyEmail('verification-token')
-\`\`\`
-
 ## Orders
 
 ### listMine()
@@ -4797,12 +4889,7 @@ const client = createClient({
 async function handleRegister(email: string, password: string, name: string) {
   const result = await client.customer.register({ email, password, name })
 
-  if (result.verificationRequired) {
-    // Redirect to "check your email" page
-    return { status: 'verify-email' }
-  }
-
-  // Token is automatically stored; customer is now logged in
+  // Customer is created as a local account.
   return { status: 'success', customer: result.customer }
 }
 
@@ -4904,7 +4991,11 @@ await client.commerce.orders.checkout({ ... })
 
 **Environment variables**:
 - \`SOFTWARE_PUBLISHABLE_KEY\` \u2014 publishable key (no NEXT_PUBLIC prefix, server-only)
-- \`SOFTWARE_SECRET_KEY\` \u2014 opaque bearer token (server-only, never expose to browser). Backend services usually use \`sk01_...\`; browser-based CLI/init login can provision \`pat01_...\` with a default tenant.
+- \`SOFTWARE_SECRET_KEY\` \u2014 server credential
+
+Never expose \`SOFTWARE_SECRET_KEY\` in browser code, client bundles, logs, or
+public repositories. If a secret key leaks, rotate it from the Console before
+deploying again.
 
 ## Decision Matrix
 
@@ -4970,9 +5061,10 @@ export function ProductList() {
 
 ## Security Rules
 
-- Never import \`SOFTWARE_SECRET_KEY\` or \`SOFTWARE_PUBLISHABLE_KEY\` in files without a \`'use server'\` directive or that could be bundled for the browser.
+- Keep server credentials in server-only modules.
 - Only \`NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY\` is safe to use in client components.
-- If you accidentally expose \`SOFTWARE_SECRET_KEY\` in a browser bundle, rotate the key immediately in the 01.software console.
+- Never import a module that reads \`SOFTWARE_SECRET_KEY\` from a client component.
+- Rotate any exposed secret key immediately from the Console.
 
 > Ecommerce note: product card pricing lives on \`products.listing.*\`, but authoritative sellable pricing still lives on \`product-variants.price\`.`;
 }
@@ -5137,27 +5229,23 @@ var metadata50 = {
 function handler17() {
   return `# Webhooks
 
-The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs for async operations (email verification, password reset, etc.).
+The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs. Tenant developers own routing inside their webhook handler.
 
 ## Webhook Handling
 
-Use the SDK \`handleWebhook\` helper to verify signatures and route events.
+Use the SDK \`handleWebhook\` helper to verify signatures. For customer auth events, use \`createCustomerAuthWebhookHandler\` to wire delivery behavior in your app.
 
 \`\`\`typescript
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const handler = createCustomerAuthWebhookHandler({
+  passwordReset: async (data) => {
+    await sendPasswordResetEmail(data)
+  },
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, {
+  return handleWebhook(request, handler, {
     secret: process.env.WEBHOOK_SECRET!,
   })
 }
@@ -5169,19 +5257,17 @@ export async function POST(request: Request) {
 
 \`\`\`typescript
 // app/api/webhooks/route.ts
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
   return handleWebhook(request, async (event) => {
     console.log('Webhook received:', event.collection, event.operation)
 
-    if (event.collection === 'customers') {
-      if (event.operation === 'verification') {
-        await sendVerificationEmail(event.data)
-      } else if (event.operation === 'password-reset') {
-        await sendPasswordResetEmail(event.data)
-      }
-    }
+    await customerAuthHandler(event)
   }, {
     secret: process.env.WEBHOOK_SECRET!,
   })
@@ -5195,49 +5281,13 @@ All webhook events share this envelope:
 \`\`\`typescript
 {
   collection: string,    // e.g. 'customers'
-  operation: string,     // e.g. 'verification' | 'password-reset'
+  operation: string,     // e.g. 'password-reset'
   data: object,          // event-specific payload
 }
 \`\`\`
 
 ## Event Types
 
-### Customer Email Verification
-
-Dispatched when a customer registers on a tenant with \`requireEmailVerification: true\`.
-
-\`\`\`typescript
-{
-  collection: 'customers',
-  operation: 'verification',
-  data: {
-    customerId: string,
-    email: string,
-    name: string,
-    verificationToken: string,  // raw token to include in verification link
-  }
-}
-\`\`\`
-
-**Usage**: Send the \`verificationToken\` to the customer's email. The customer calls \`client.customer.verifyEmail(token)\` to complete verification.
-
-\`\`\`typescript
-// Example: send verification email
-async function sendVerificationEmail(data: {
-  customerId: string
-  email: string
-  name: string
-  verificationToken: string
-}) {
-  const verifyUrl = \`https://yourstore.com/verify-email?token=\${data.verificationToken}\`
-  await emailService.send({
-    to: data.email,
-    subject: 'Verify your email',
-    body: \`Click here to verify: \${verifyUrl}\`,
-  })
-}
-\`\`\`
-
 ### Customer Password Reset
 
 Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
@@ -5251,7 +5301,7 @@ Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
     email: string,
     name: string,
     resetPasswordToken: string,   // raw token to include in reset link
-    resetPasswordExpiry: string,  // ISO 8601 expiry (1 hour from dispatch)
+    resetPasswordExpiresAt: string,  // ISO 8601 expiry (1 hour from dispatch)
   }
 }
 \`\`\`
@@ -5264,13 +5314,13 @@ async function sendPasswordResetEmail(data: {
   email: string
   name: string
   resetPasswordToken: string
-  resetPasswordExpiry: string
+  resetPasswordExpiresAt: string
 }) {
   const resetUrl = \`https://yourstore.com/reset-password?token=\${data.resetPasswordToken}\`
   await emailService.send({
     to: data.email,
     subject: 'Reset your password',
-    body: \`Reset link (expires \${data.resetPasswordExpiry}): \${resetUrl}\`,
+    body: \`Reset link (expires \${data.resetPasswordExpiresAt}): \${resetUrl}\`,
   })
 }
 \`\`\`
@@ -5333,37 +5383,40 @@ function registerStaticResource(server, uri, meta, handler19) {
     })
   );
 }
-function createServer() {
+function createServer(options = {}) {
+  const toolSurface = options.toolSurface ?? "full";
   const server = new McpServer({
     name: "01.software MCP Server",
     version: "0.1.0"
   });
-  registerTool(server, schema, metadata, queryCollection);
-  registerTool(server, schema2, metadata2, getCollectionById);
-  registerTool(server, schema3, metadata3, createCollection);
-  registerTool(server, schema4, metadata4, updateCollection);
-  registerTool(server, schema5, metadata5, deleteCollection);
-  registerTool(server, schema6, metadata6, deleteManyCollection);
-  registerTool(server, schema7, metadata7, updateManyCollection);
-  registerTool(server, schema8, metadata8, getOrder);
-  registerTool(server, schema9, metadata9, createOrder);
-  registerTool(server, schema10, metadata10, updateOrder);
-  registerTool(server, schema11, metadata11, checkout);
-  registerTool(server, schema12, metadata12, createFulfillment);
-  registerTool(server, schema13, metadata13, updateFulfillment);
-  registerTool(server, schema14, metadata14, updateTransaction);
-  registerTool(server, schema15, metadata15, createReturn);
-  registerTool(server, schema16, metadata16, updateReturn);
-  registerTool(server, schema17, metadata17, returnWithRefund);
-  registerTool(server, schema18, metadata18, addCartItem);
-  registerTool(server, schema19, metadata19, updateCartItem);
-  registerTool(server, schema20, metadata20, removeCartItem);
-  registerTool(server, schema21, metadata21, applyDiscount);
-  registerTool(server, schema22, metadata22, removeDiscount);
-  registerTool(server, schema23, metadata23, clearCart);
-  registerTool(server, schema24, metadata24, validateDiscount);
-  registerTool(server, schema25, metadata25, calculateShipping);
-  registerTool(server, schema26, metadata26, stockCheck);
+  if (toolSurface === "full") {
+    registerTool(server, schema, metadata, queryCollection);
+    registerTool(server, schema2, metadata2, getCollectionById);
+    registerTool(server, schema3, metadata3, createCollection);
+    registerTool(server, schema4, metadata4, updateCollection);
+    registerTool(server, schema5, metadata5, deleteCollection);
+    registerTool(server, schema6, metadata6, deleteManyCollection);
+    registerTool(server, schema7, metadata7, updateManyCollection);
+    registerTool(server, schema8, metadata8, getOrder);
+    registerTool(server, schema9, metadata9, createOrder);
+    registerTool(server, schema10, metadata10, updateOrder);
+    registerTool(server, schema11, metadata11, checkout);
+    registerTool(server, schema12, metadata12, createFulfillment);
+    registerTool(server, schema13, metadata13, updateFulfillment);
+    registerTool(server, schema14, metadata14, updateTransaction);
+    registerTool(server, schema15, metadata15, createReturn);
+    registerTool(server, schema16, metadata16, updateReturn);
+    registerTool(server, schema17, metadata17, returnWithRefund);
+    registerTool(server, schema18, metadata18, addCartItem);
+    registerTool(server, schema19, metadata19, updateCartItem);
+    registerTool(server, schema20, metadata20, removeCartItem);
+    registerTool(server, schema21, metadata21, applyDiscount);
+    registerTool(server, schema22, metadata22, removeDiscount);
+    registerTool(server, schema23, metadata23, clearCart);
+    registerTool(server, schema24, metadata24, validateDiscount);
+    registerTool(server, schema25, metadata25, calculateShipping);
+    registerTool(server, schema26, metadata26, stockCheck);
+  }
   registerTool(server, schema27, metadata27, getCollectionSchemaTool);
   registerTool(server, schema28, metadata28, handler);
   registerTool(server, schema29, metadata29, listConfigurableFields);
@@ -5392,21 +5445,198 @@ function createServer() {
 }
 
 // src/auth.ts
-function validateApiKey(apiKey) {
-  if (!apiKey || apiKey.length === 0) {
-    return { valid: false, error: "x-api-key header is required" };
+import { createPublicKey, verify as verifySignature } from "crypto";
+import {
+  MCP_OAUTH_ISSUER as MCP_OAUTH_ISSUER2,
+  MCP_RESOURCE_AUDIENCE,
+  MCP_SCOPES,
+  MCP_TENANT_CLAIM as MCP_TENANT_CLAIM2,
+  MCP_TENANT_ROLE_CLAIM as MCP_TENANT_ROLE_CLAIM2
+} from "@01.software/auth-contracts";
+var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["RS256", "ES256"]);
+var DEFAULT_CLOCK_SKEW_SECONDS = 30;
+var DEFAULT_JWKS_URI = `${MCP_OAUTH_ISSUER2}/.well-known/jwks.json`;
+var MAX_ACCESS_TOKEN_LIFETIME_SECONDS = 300;
+function invalid(errorDescription) {
+  return { valid: false, error: "invalid_token", errorDescription };
+}
+function isProduction() {
+  return process.env.NODE_ENV === "production";
+}
+function insufficientScope(errorDescription) {
+  return { valid: false, error: "insufficient_scope", errorDescription };
+}
+function decodeBase64UrlJson(value) {
+  try {
+    return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
+  } catch {
+    return null;
   }
-  if (!apiKey.startsWith("sk01_") && !apiKey.startsWith("pat01_")) {
-    return {
-      valid: false,
-      error: "Invalid API key format. Expected sk01_ or pat01_ token."
-    };
+}
+function parseScopes(payload) {
+  const rawScopes = typeof payload.scope === "string" ? payload.scope.split(/\s+/).filter(Boolean) : Array.isArray(payload.scp) ? payload.scp : [];
+  return rawScopes.filter(
+    (scope) => scope === MCP_SCOPES.read || scope === MCP_SCOPES.write
+  );
+}
+function audienceMatches(aud, expected) {
+  if (typeof aud === "string") return aud === expected;
+  return Array.isArray(aud) && aud.includes(expected);
+}
+function verifyJwtSignature(alg, jwk, signingInput, signature) {
+  const key = createPublicKey({ key: jwk, format: "jwk" });
+  const input = Buffer.from(signingInput);
+  if (alg === "RS256") {
+    return verifySignature("RSA-SHA256", input, key, signature);
+  }
+  if (alg === "ES256") {
+    return verifySignature("SHA256", input, { key, dsaEncoding: "ieee-p1363" }, signature);
+  }
+  return false;
+}
+var cachedRemoteJwks = null;
+function jwksUriFor(options) {
+  const raw = isProduction() ? DEFAULT_JWKS_URI : options.jwksUri ?? DEFAULT_JWKS_URI;
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    return null;
+  }
+  if (url.protocol !== "https:" || url.username || url.password || url.search || url.hash) {
+    return null;
+  }
+  return url.toString();
+}
+async function remoteJwks(options = {}, forceRefresh = false) {
+  const uri = jwksUriFor(options);
+  if (!uri) return null;
+  const now = Date.now();
+  if (!forceRefresh && cachedRemoteJwks && cachedRemoteJwks.uri === uri && cachedRemoteJwks.expiresAt > now) {
+    return cachedRemoteJwks.jwks;
+  }
+  const fetchImpl = options.fetchImpl ?? fetch;
+  let response;
+  try {
+    response = await fetchImpl(uri, {
+      headers: { Accept: "application/json" }
+    });
+  } catch {
+    return null;
+  }
+  if (!response.ok) return null;
+  const parsed = await response.json().catch(() => null);
+  if (!parsed || !Array.isArray(parsed.keys)) return null;
+  cachedRemoteJwks = {
+    expiresAt: now + 3e5,
+    jwks: parsed,
+    uri
+  };
+  return parsed;
+}
+function validateAccessToken(token, options = {}) {
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
+    return invalid("Bearer token must be a compact JWT");
+  }
+  const [encodedHeader, encodedPayload, encodedSignature] = parts;
+  const header = decodeBase64UrlJson(encodedHeader);
+  const payload = decodeBase64UrlJson(encodedPayload);
+  if (!header || !payload) return invalid("Bearer token contains invalid JSON");
+  if (typeof header.alg !== "string" || !ALLOWED_ALGORITHMS.has(header.alg)) {
+    return invalid("Bearer token uses an unsupported signing algorithm");
+  }
+  if (typeof header.kid !== "string" || header.kid.length === 0) {
+    return invalid("Bearer token is missing kid");
+  }
+  const jwks = options.jwks;
+  if (!jwks) return invalid("JWKS is not configured");
+  const jwk = jwks.keys.find((key) => key.kid === header.kid);
+  if (!jwk) return invalid("Bearer token kid is unknown");
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signature = Buffer.from(encodedSignature, "base64url");
+  if (!verifyJwtSignature(header.alg, jwk, signingInput, signature)) {
+    return invalid("Bearer token signature is invalid");
+  }
+  const issuer = options.issuer ?? MCP_OAUTH_ISSUER2;
+  if (payload.iss !== issuer) return invalid("Bearer token issuer is invalid");
+  const audience = options.audience ?? MCP_RESOURCE_AUDIENCE;
+  if (!audienceMatches(payload.aud, audience)) {
+    return invalid("Bearer token audience is invalid");
+  }
+  if (typeof payload.iat !== "number") return invalid("Bearer token is missing iat");
+  if (typeof payload.exp !== "number") return invalid("Bearer token is missing exp");
+  if (payload.exp <= payload.iat) {
+    return invalid("Bearer token lifetime is invalid");
+  }
+  if (payload.exp - payload.iat > MAX_ACCESS_TOKEN_LIFETIME_SECONDS) {
+    return invalid("Bearer token lifetime exceeds 300 seconds");
+  }
+  const nowSeconds = Math.floor((options.now ?? /* @__PURE__ */ new Date()).getTime() / 1e3);
+  const leeway = options.clockSkewSeconds ?? DEFAULT_CLOCK_SKEW_SECONDS;
+  if (payload.iat > nowSeconds + leeway) {
+    return invalid("Bearer token iat is too far in the future");
+  }
+  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds + leeway) {
+    return invalid("Bearer token is not yet valid");
+  }
+  if (payload.exp < nowSeconds - leeway) return invalid("Bearer token is expired");
+  const tenantId = payload[MCP_TENANT_CLAIM2];
+  if (typeof tenantId !== "string" || tenantId.length === 0) {
+    return invalid("Bearer token tenant_id claim is invalid");
   }
-  return { valid: true };
+  const tenantRole = payload[MCP_TENANT_ROLE_CLAIM2];
+  if (tenantRole !== "tenant-admin" && tenantRole !== "tenant-editor" && tenantRole !== "tenant-viewer") {
+    return invalid("Bearer token tenant_role claim is invalid");
+  }
+  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
+    return invalid("Bearer token subject claim is invalid");
+  }
+  const scopes = parseScopes(payload);
+  const requiredScopes = options.requiredScopes ?? [MCP_SCOPES.read];
+  const missingScope = requiredScopes.find((scope) => !scopes.includes(scope));
+  if (missingScope) return insufficientScope(`Bearer token is missing ${missingScope}`);
+  return {
+    valid: true,
+    context: {
+      tenantId,
+      principalId: payload.sub,
+      scopes,
+      tenantRole,
+      authMode: "oauth"
+    }
+  };
+}
+function shouldRefreshRemoteJwks(result) {
+  return !result.valid && (result.errorDescription === "Bearer token kid is unknown" || result.errorDescription === "Bearer token signature is invalid");
+}
+async function validateBearerAuthorizationHeaderAsync(authorization, options) {
+  if (!authorization) return invalid("Authorization Bearer token is required");
+  const match = authorization.match(/^Bearer\s+(.+)$/i);
+  if (!match) return invalid("Authorization header must use Bearer");
+  if (options?.jwks) {
+    return validateAccessToken(match[1], options);
+  }
+  const jwks = await remoteJwks(options);
+  const result = validateAccessToken(match[1], {
+    ...options,
+    jwks: jwks ?? void 0
+  });
+  if (shouldRefreshRemoteJwks(result)) {
+    const refreshedJwks = await remoteJwks(options, true);
+    if (refreshedJwks) {
+      return validateAccessToken(match[1], {
+        ...options,
+        jwks: refreshedJwks
+      });
+    }
+  }
+  return result;
 }
 
 // src/handler.ts
 var MAX_REQUEST_BODY_BYTES = 1024 * 1024;
+var MCP_ALLOWED_BROWSER_ORIGIN = "https://01.software";
 var METHOD_NOT_ALLOWED = JSON.stringify({
   jsonrpc: "2.0",
   error: {
@@ -5416,16 +5646,16 @@ var METHOD_NOT_ALLOWED = JSON.stringify({
   id: null
 });
 function setCors(res) {
-  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Origin", MCP_ALLOWED_BROWSER_ORIGIN);
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
   res.setHeader(
     "Access-Control-Allow-Headers",
-    "Content-Type, x-api-key, x-publishable-key, x-client-key, mcp-session-id"
+    "Authorization, Content-Type, mcp-session-id"
   );
   res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id, Mcp-Protocol-Version");
 }
-function getHeaderValue(headers2, name) {
-  const value = headers2[name.toLowerCase()];
+function getHeaderValue(headers, name) {
+  const value = headers[name.toLowerCase()];
   if (Array.isArray(value)) return value[0];
   return value;
 }
@@ -5450,143 +5680,69 @@ var HOME_PAGE = `01.software MCP Server
 ======================
 
 MCP server for AI agents to interact with the 01.software API.
-Manage content, products, orders, and more.
+Connect over HTTP with OAuth, or use the local CLI stdio transport for full
+server-key operations.
 
 
 Authentication
 --------------
 
-All requests require both:
-  x-api-key          opaque bearer token
-  x-publishable-key publishable key for routing, rate limits, and quota enforcement
-
-Use x-client-key as a legacy alias for x-publishable-key.
-
-Accepted formats:
-  sk01_{40hex}   tenant API key (Console > Settings > API Keys)
-  pat01_{40hex}  personal access token (user-scoped local workflow)
-  pk01_{...}     publishable key
-
-  export SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  export SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-
+HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
+Clients should connect to:
 
 Connect
 -------
 
 Claude Code:
 
-  claude mcp add --transport http \\
-    --header "x-api-key: $SOFTWARE_SECRET_KEY" \\
-    --header "x-publishable-key: $SOFTWARE_PUBLISHABLE_KEY" \\
-    01software https://mcp.01.software/mcp
+  claude mcp add --transport http 01software https://mcp.01.software/mcp
 
-Codex (.codex/config.toml, project-safe when using env vars):
+Codex (.codex/config.toml):
 
   [mcp_servers.01software]
   url = "https://mcp.01.software/mcp"
 
-  [mcp_servers.01software.env_http_headers]
-  x-api-key = "SOFTWARE_SECRET_KEY"
-  x-publishable-key = "SOFTWARE_PUBLISHABLE_KEY"
+Cursor / Claude Desktop / other JSON clients:
 
-  // or .mcp.json
   {
     "mcpServers": {
       "01software": {
         "type": "http",
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
+        "url": "https://mcp.01.software/mcp"
       }
     }
   }
 
-Cursor (.cursor/mcp.json):
+Windsurf (~/.codeium/windsurf/mcp_config.json):
 
   {
     "mcpServers": {
       "01software": {
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
+        "serverUrl": "https://mcp.01.software/mcp"
       }
     }
   }
 
-Windsurf (~/.codeium/windsurf/mcp_config.json):
+CLI (stdio):
 
-  {
-    "mcpServers": {
-      "01software": {
-        "serverUrl": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
-      }
-    }
-  }
+  npx @01.software/cli mcp
 
-VS Code (.vscode/mcp.json):
 
-  {
-    "servers": {
-      "01software": {
-        "type": "http",
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${input:01software-api-key}",
-          "x-publishable-key": "\${input:01software-publishable-key}"
-        }
-      }
-    }
-  }
+HTTP OAuth Tools
+----------------
 
-Claude Desktop (claude_desktop_config.json):
+Schema       get-collection-schema
+Context      get-tenant-context
+Field Config list-configurable-fields, update-field-config
+Guidance     sdk-get-recipe, sdk-search-docs, sdk-get-auth-setup, sdk-get-collection-pattern
 
-  {
-    "mcpServers": {
-      "01software": {
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
-      }
-    }
-  }
+Full Tool Surface
+-----------------
 
-CLI (stdio):
+The local CLI stdio transport exposes CRUD, commerce, cart, validation, product,
+schema, context, field-config, and guidance tools:
 
   npx @01.software/cli mcp
-  # Reads SOFTWARE_SECRET_KEY=sk01_... or pat01_...
-  # Also reads SOFTWARE_PUBLISHABLE_KEY for CDN routing, rate limits, and quota enforcement
-
-Security: never commit raw sk01_... or pat01_... tokens to repo-local MCP
-config files. Prefer client secret prompts, environment interpolation, OS secret
-managers, or ignored local files. Avoid passing real tokens directly on
-shared-machine command lines because shell history and process listings can
-expose them.
-
-
-Tools (34)
-----------
-
-CRUD        query, get, create, update, delete, delete-many, update-many
-Orders      create-order, checkout, get-order, update-order, create-fulfillment, update-fulfillment, update-transaction
-Returns     create-return, update-return, return-with-refund
-Cart        add-cart-item, update-cart-item, remove-cart-item, clear-cart, apply-discount, remove-discount
-Validation  validate-discount, calculate-shipping
-Products    stock-check
-Schema      get-collection-schema
-Context     get-tenant-context
-Field Config list-configurable-fields, update-field-config
-Guidance    sdk-get-recipe, sdk-search-docs, sdk-get-auth-setup, sdk-get-collection-pattern
 
 Prompts (4): sdk-usage-guide, collection-query-help, order-flow-guide, feature-setup-guide
 Resources (12): config, collections-schema, getting-started, guides, api, query-builder, react-query, server-api, customer-auth, browser-vs-server, file-upload, webhook
@@ -5600,6 +5756,19 @@ SDK             https://01.software/docs/sdk/client
 API Reference   https://01.software/docs/api/rest-api
 Console         https://console.01.software
 `;
+var PROTECTED_RESOURCE_METADATA = JSON.stringify({
+  resource: MCP_RESOURCE_AUDIENCE2,
+  authorization_servers: [MCP_OAUTH_ISSUER3],
+  scopes_supported: [MCP_SCOPES2.read, MCP_SCOPES2.write]
+});
+var SERVICE_JWKS_PATH = "/.well-known/service-jwks.json";
+function writeOAuthError(res, status, error, description) {
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "WWW-Authenticate": `Bearer resource_metadata="${MCP_PROTECTED_RESOURCE_METADATA_PATH}", error="${error}", error_description="${description}"`
+  });
+  res.end(JSON.stringify({ error, error_description: description }));
+}
 async function handler18(req, res) {
   setCors(res);
   if (req.method === "OPTIONS") {
@@ -5608,6 +5777,30 @@ async function handler18(req, res) {
     return;
   }
   if (req.method === "GET") {
+    const pathname = new URL(req.url ?? "/", MCP_RESOURCE_AUDIENCE2).pathname;
+    if (pathname === MCP_PROTECTED_RESOURCE_METADATA_PATH) {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(PROTECTED_RESOURCE_METADATA);
+      return;
+    }
+    if (pathname === SERVICE_JWKS_PATH) {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      try {
+        res.writeHead(200, {
+          "Cache-Control": "public, max-age=60",
+          "Content-Type": "application/json"
+        });
+        res.end(JSON.stringify(mcpServicePublicJwks()));
+      } catch {
+        res.writeHead(503, {
+          "Cache-Control": "no-store",
+          "Content-Type": "application/json"
+        });
+        res.end(JSON.stringify({ keys: [] }));
+      }
+      return;
+    }
     res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
     res.end(HOME_PAGE);
     return;
@@ -5617,20 +5810,14 @@ async function handler18(req, res) {
     res.end(METHOD_NOT_ALLOWED);
     return;
   }
-  const apiKey = getHeaderValue(req.headers, "x-api-key");
-  const auth = validateApiKey(apiKey);
+  const auth = await validateBearerAuthorizationHeaderAsync(
+    getHeaderValue(req.headers, "authorization")
+  );
   if (!auth.valid) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: auth.error }));
-    return;
-  }
-  const publishableKey = getHeaderValue(req.headers, "x-publishable-key") ?? getHeaderValue(req.headers, "x-client-key");
-  if (!publishableKey) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "x-publishable-key header is required" }));
+    writeOAuthError(res, auth.error === "insufficient_scope" ? 403 : 401, auth.error, auth.errorDescription);
     return;
   }
-  const server = createServer();
+  const server = createServer({ toolSurface: "oauth" });
   const transport = new StreamableHTTPServerTransport({
     sessionIdGenerator: void 0
   });
@@ -5645,12 +5832,12 @@ async function handler18(req, res) {
     void close();
   });
   await server.connect(transport);
-  const headers2 = new Headers();
+  const headers = new Headers();
   for (const [key, value] of Object.entries(req.headers)) {
-    if (typeof value === "string") headers2.set(key, value);
-    else if (Array.isArray(value)) headers2.set(key, value.join(", "));
+    if (typeof value === "string") headers.set(key, value);
+    else if (Array.isArray(value)) headers.set(key, value.join(", "));
   }
-  await requestContext.run({ headers: headers2 }, async () => {
+  await requestContext.run({ headers, auth: auth.context }, async () => {
     try {
       const body = req.body ?? JSON.parse(await readBody(req));
       await transport.handleRequest(req, res, body);