@01.software/cli 0.7.1 → 0.9.0

package/dist/mcp/vercel.js

@@ -1,71 +1,47 @@
 // src/handler.ts
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 
+// ../../packages/auth-contracts/dist/index.js
+var MCP_RESOURCE_AUDIENCE = "https://mcp.01.software/mcp";
+var MCP_OAUTH_ISSUER = "https://01.software";
+var MCP_PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource/mcp";
+var MCP_TENANT_CLAIM = "tenant_id";
+var MCP_TENANT_ROLE_CLAIM = "tenant_role";
+var MCP_SCOPES = {
+  read: "mcp:read",
+  write: "mcp:write"
+};
+var MCP_CONSOLE_SERVICE_AUDIENCE = "https://api.01.software/internal/mcp";
+var MCP_CONSOLE_SERVICE_SCOPE = "console:mcp_proxy";
+var MCP_SERVICE_TOKEN_LIFETIME_SECONDS = 60;
+
 // src/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-// src/tools/query-collection.ts
-import { z } from "zod";
-
 // src/lib/request-context.ts
 import { AsyncLocalStorage } from "async_hooks";
 var requestContext = new AsyncLocalStorage();
-function headers() {
-  const ctx = requestContext.getStore();
-  if (!ctx) return null;
-  return Object.fromEntries(ctx.headers.entries());
+function tenantAuthContext() {
+  return requestContext.getStore()?.auth ?? null;
 }
-
-// src/lib/client.ts
-import { createServerClient } from "@01.software/sdk";
-function getClient() {
-  let secretKey;
-  let publishableKey;
-  try {
-    const h = headers();
-    secretKey = h?.["x-api-key"];
-    publishableKey = h?.["x-publishable-key"] ?? h?.["x-client-key"];
-  } catch {
-  }
-  if (!secretKey) {
-    secretKey = process.env.SOFTWARE_SECRET_KEY;
-  }
-  if (!publishableKey) {
-    publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
-  }
-  if (!secretKey) {
-    throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
-    );
-  }
-  if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
-    throw new Error("Invalid API key format. Expected sk01_ or pat01_ token.");
-  }
-  if (!publishableKey) {
-    throw new Error(
-      "publishableKey is required. Provide X-Publishable-Key header (HTTP) or SOFTWARE_PUBLISHABLE_KEY env var (stdio). It is used for rate limiting and monthly quota enforcement via the edge proxy."
-    );
-  }
-  return createServerClient({
-    publishableKey,
-    secretKey
-  });
+function hasRequestContext() {
+  return requestContext.getStore() !== void 0;
 }
 
-// src/tools/query-collection.ts
-import { COLLECTIONS } from "@01.software/sdk";
-
 // src/lib/tool-utils.ts
 function toolSuccess(data) {
   return JSON.stringify({ success: true, ...data }, null, 2);
 }
 function toolError(error) {
   const base = { success: false };
-  if (error && typeof error === "object" && "code" in error) {
+  const isStructured = !!error && typeof error === "object" && ("code" in error || "reason" in error);
+  if (isStructured) {
     const sdkErr = error;
     base.error = sdkErr.message || "Unknown error";
     if (sdkErr.status) base.status = sdkErr.status;
     if (sdkErr.code) base.code = sdkErr.code;
+    if (sdkErr.reason) base.reason = sdkErr.reason;
+    if (sdkErr.requestId) base.requestId = sdkErr.requestId;
     if (sdkErr.suggestion) base.suggestion = sdkErr.suggestion;
     if (sdkErr.details?.errors) base.errors = sdkErr.details.errors;
   } else {
@@ -115,7 +91,479 @@ function parseJsonWhere(where) {
   }
 }
 
+// src/tool-policy.ts
+var READ_ONLY_ANNOTATION = {
+  readOnly: true,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: false,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: false,
+  openWorld: false
+};
+var DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: true,
+  openWorld: false
+};
+var REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE = "Update operations mutate persisted state but converge to the same end state under repeated identical input.";
+var REASON_CART_EPHEMERAL = "Cart is pre-checkout ephemeral state; reversal is possible by reissuing the prior input. Console enforces tenant scope.";
+var TOOL_POLICY_MANIFEST = {
+  // ── Read-only collection / validation (mcp:read, tenant-viewer) ──
+  "query-collection": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-by-id": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-order": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/orders/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "stock-check": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/products/{id}/stock",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "validate-discount": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/discounts/validate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "calculate-shipping": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/shipping/calculate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-schema": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/schema/{collectionSlug}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "list-configurable-fields": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/field-config",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Tenant context (mcp:read, tenant-viewer) ──
+  "get-tenant-context": {
+    category: "read-only-tenant",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/context",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Cart mutations (mcp:write, tenant-editor) ──
+  "add-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/items",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "PATCH /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "clear-cart": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/clear",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "apply-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  // ── Order mutations (mcp:write, tenant-admin) ──
+  "checkout": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/checkout",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "create-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/orders/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Fulfillment mutations (mcp:write, tenant-admin) ──
+  "create-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders/{id}/fulfillments",
+    annotationPolicy: NON_DESTRUCTIVE_MUTATION_ANNOTATION
+  },
+  "update-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/fulfillments/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Return mutations (mcp:write, tenant-admin) ──
+  "create-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/returns/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  "return-with-refund": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns/with-refund",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Transaction mutations (mcp:write, tenant-admin) ──
+  "update-transaction": {
+    category: "mutation-transaction",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/transactions/{id}",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Field-config mutations (mcp:write, tenant-admin) ──
+  "update-field-config": {
+    category: "mutation-field-config",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/tenants/field-config",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── SDK doc tools (mcp:read, tenant-viewer, sdk-static surface) ──
+  "sdk-get-recipe": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-search-docs": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-auth-setup": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-collection-pattern": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  }
+};
+function evaluateToolPolicy(toolName, scopes) {
+  const entry = TOOL_POLICY_MANIFEST[toolName];
+  if (!entry) {
+    return {
+      allowed: false,
+      reason: "tool_policy_missing",
+      message: `No tool-policy entry for ${toolName}`
+    };
+  }
+  if (!scopes.includes(entry.oauthScope)) {
+    return {
+      allowed: false,
+      reason: "insufficient_scope",
+      message: `Tool ${toolName} requires ${entry.oauthScope}`
+    };
+  }
+  return { allowed: true, entry };
+}
+
+// src/tools/query-collection.ts
+import { z } from "zod";
+
+// src/lib/client.ts
+import {
+  CollectionClient,
+  CommunityClient,
+  ModerationApi,
+  ServerCommerceClient,
+  createServerClient
+} from "@01.software/sdk";
+
+// src/service-auth.ts
+import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
+var KEYSET_ENV = "MCP_SERVICE_KEYSET";
+function assertProductionKeysetUse(source) {
+  const vercelEnv = process.env.VERCEL_ENV;
+  if (vercelEnv && vercelEnv !== "production") {
+    throw new Error(
+      `${source} is only allowed in production Vercel deployments; non-production MCP service auth needs environment-specific issuer, audience, JWKS URI, and key material`
+    );
+  }
+}
+function parsePrivateJwk() {
+  const keyset = signingKeyset();
+  const jwk = keyset.current;
+  const source = keyset.source;
+  if (typeof jwk.d !== "string" || jwk.d.length === 0) {
+    throw new Error(`${source} current key must be a private JWK`);
+  }
+  if (typeof jwk.kid !== "string" || jwk.kid.length === 0) {
+    throw new Error(`${source} must include kid`);
+  }
+  return jwk;
+}
+function signingKeyset() {
+  const raw = process.env[KEYSET_ENV];
+  const source = KEYSET_ENV;
+  if (raw) assertProductionKeysetUse(source);
+  const parsed = (() => {
+    if (!raw) return null;
+    try {
+      return JSON.parse(raw);
+    } catch {
+      throw new Error(`${KEYSET_ENV} is invalid JSON`);
+    }
+  })();
+  if (!parsed) throw new Error("MCP service JWT signing key is not configured");
+  const keys = Array.isArray(parsed.keys) ? parsed.keys : [parsed];
+  if (keys.length === 0 || keys.length > 2) {
+    throw new Error(
+      `${source} must contain one current key and at most one previous key`
+    );
+  }
+  const currentKid = parsed.current_kid;
+  if (typeof currentKid !== "string" && keys.length > 1) {
+    throw new Error(
+      `${source} must include current_kid when multiple keys are present`
+    );
+  }
+  const current = typeof currentKid === "string" ? keys.find((key) => key.kid === currentKid) : keys[0];
+  if (!current) throw new Error(`${source} current_kid is not in keys`);
+  return { current, keys, source };
+}
+function algForJwk(jwk) {
+  if (jwk.kty === "RSA") return "RS256";
+  if (jwk.kty === "EC" && jwk.crv === "P-256") return "ES256";
+  throw new Error("MCP service JWT signing key must be RSA or P-256 EC");
+}
+function toPublicJwk(jwk) {
+  const {
+    d: _d,
+    p: _p,
+    q: _q,
+    dp: _dp,
+    dq: _dq,
+    qi: _qi,
+    oth: _oth,
+    ...publicJwk
+  } = jwk;
+  return {
+    ...publicJwk,
+    alg: typeof publicJwk.alg === "string" ? publicJwk.alg : algForJwk(jwk),
+    use: "sig"
+  };
+}
+function base64urlJson(value) {
+  return Buffer.from(JSON.stringify(value)).toString("base64url");
+}
+function apiScopesFor(context) {
+  return context.scopes.includes("mcp:write") ? ["read", "write"] : ["read"];
+}
+function mcpServicePublicJwks() {
+  const keyset = signingKeyset();
+  const keys = /* @__PURE__ */ new Map();
+  for (const jwk of keyset.keys.map(toPublicJwk)) {
+    if (typeof jwk.kid === "string" && jwk.kid.length > 0) {
+      keys.set(jwk.kid, jwk);
+    }
+  }
+  return { keys: [...keys.values()] };
+}
+function signMcpServiceToken(context) {
+  if (!context.principalId) {
+    throw new Error("MCP OAuth principal is required for Console service auth");
+  }
+  const jwk = parsePrivateJwk();
+  const alg = algForJwk(jwk);
+  const now = Math.floor(Date.now() / 1e3);
+  const payload = {
+    iss: MCP_OAUTH_ISSUER,
+    aud: MCP_CONSOLE_SERVICE_AUDIENCE,
+    iat: now,
+    nbf: now,
+    exp: now + MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
+    jti: randomUUID(),
+    sub: context.principalId,
+    act: {
+      sub: context.principalId,
+      tenant_id: context.tenantId
+    },
+    [MCP_TENANT_CLAIM]: context.tenantId,
+    [MCP_TENANT_ROLE_CLAIM]: context.tenantRole,
+    scope: MCP_CONSOLE_SERVICE_SCOPE,
+    api_scopes: apiScopesFor(context),
+    mcp_scopes: context.scopes
+  };
+  const header = { alg, kid: jwk.kid, typ: "JWT" };
+  const encodedHeader = base64urlJson(header);
+  const encodedPayload = base64urlJson(payload);
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const key = createPrivateKey({ key: jwk, format: "jwk" });
+  const signature = alg === "RS256" ? signBytes("RSA-SHA256", Buffer.from(signingInput), key) : signBytes("SHA256", Buffer.from(signingInput), {
+    key,
+    dsaEncoding: "ieee-p1363"
+  });
+  return `${signingInput}.${signature.toString("base64url")}`;
+}
+
+// src/lib/client.ts
+var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    const serviceToken = signMcpServiceToken(oauthContext);
+    const client = {
+      lastRequestId: null,
+      commerce: void 0,
+      collections: void 0,
+      community: void 0
+    };
+    const onRequestId = (id) => {
+      client.lastRequestId = id;
+    };
+    client.commerce = new ServerCommerceClient({
+      secretKey: serviceToken,
+      onRequestId
+    });
+    client.collections = new CollectionClient(
+      "",
+      serviceToken,
+      void 0,
+      void 0,
+      onRequestId
+    );
+    const community = new CommunityClient({ secretKey: serviceToken });
+    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
+    client.community = Object.assign(community, {
+      moderation: {
+        banCustomer: moderation.banCustomer.bind(moderation),
+        unbanCustomer: moderation.unbanCustomer.bind(moderation)
+      }
+    });
+    return client;
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+  const secretKey = process.env.SOFTWARE_SECRET_KEY;
+  const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
+  if (!secretKey) {
+    throw new Error(
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
+    );
+  }
+  if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
+    throw new Error("Invalid SOFTWARE_SECRET_KEY format. Expected sk01_ or pat01_ token.");
+  }
+  if (!publishableKey) {
+    throw new Error(
+      "publishableKey is required. Set SOFTWARE_PUBLISHABLE_KEY for stdio transport. It is used for rate limiting and monthly quota enforcement via the edge proxy."
+    );
+  }
+  return createServerClient({
+    publishableKey,
+    secretKey
+  });
+}
+
 // src/tools/query-collection.ts
+import { COLLECTIONS } from "@01.software/sdk";
 var schema = {
   collection: z.enum(COLLECTIONS).describe("Collection name (required)"),
   where: z.string().optional().describe(
@@ -206,201 +654,12 @@ async function getCollectionById({
   }
 }
 
-// src/tools/create-collection.ts
+// src/tools/get-order.ts
 import { z as z3 } from "zod";
-import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
 var schema3 = {
-  collection: z3.enum(COLLECTIONS3).describe("Collection name (required)"),
-  data: z3.record(z3.string(), z3.unknown()).describe(
-    "Data to create (required). Use get-collection-schema first to understand writable fields, hidden fields, and required metadata. Server will validate and reject invalid fields."
-  )
+  orderNumber: z3.string().min(1).describe("Order number to look up (required)")
 };
 var metadata3 = {
-  name: "create-collection",
-  description: "Create a new collection item",
-  annotations: {
-    title: "Create collection item",
-    readOnlyHint: false,
-    destructiveHint: false,
-    idempotentHint: false
-  }
-};
-async function createCollection({
-  collection,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).create(data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-collection.ts
-import { z as z4 } from "zod";
-import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
-var schema4 = {
-  collection: z4.enum(COLLECTIONS4).describe("Collection name (required)"),
-  id: z4.string().min(1).describe("Item ID (required)"),
-  data: z4.record(z4.string(), z4.unknown()).describe(
-    "Data to update (required). Use get-collection-by-id first to check current structure, then get-collection-schema to confirm writable fields and required metadata. Server will validate and reject invalid fields."
-  )
-};
-var metadata4 = {
-  name: "update-collection",
-  description: "Update an existing collection item",
-  annotations: {
-    title: "Update collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function updateCollection({
-  collection,
-  id,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).update(id, data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-collection.ts
-import { z as z5 } from "zod";
-import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
-var schema5 = {
-  collection: z5.enum(COLLECTIONS5).describe("Collection name (required)"),
-  id: z5.string().min(1).describe("Item ID (required)")
-};
-var metadata5 = {
-  name: "delete-collection",
-  description: "Delete a collection item",
-  annotations: {
-    title: "Delete collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteCollection({
-  collection,
-  id
-}) {
-  try {
-    const client = getClient();
-    await client.collections.from(collection).remove(id);
-    return toolSuccess({ message: "Deleted successfully." });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-many-collection.ts
-import { z as z6 } from "zod";
-import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
-var schema6 = {
-  collection: z6.enum(COLLECTIONS6).describe("Collection name (required)"),
-  where: z6.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to delete. Example: '{"status":{"equals":"archived"}}'`
-  )
-};
-var metadata6 = {
-  name: "delete-many-collection",
-  description: "Bulk delete collection items matching a filter. All matching items will be permanently deleted.",
-  annotations: {
-    title: "Bulk delete collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteManyCollection({
-  collection,
-  where
-}) {
-  try {
-    const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk deletes. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).removeMany(parsed.data);
-    return toolSuccess({
-      totalDocs: result.totalDocs,
-      message: `Deleted ${result.totalDocs} item(s).`
-    });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-many-collection.ts
-import { z as z7 } from "zod";
-import { COLLECTIONS as COLLECTIONS7 } from "@01.software/sdk";
-var schema7 = {
-  collection: z7.enum(COLLECTIONS7).describe("Collection name (required)"),
-  where: z7.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to update. Example: '{"status":{"equals":"draft"}}'`
-  ),
-  data: z7.record(z7.string(), z7.unknown()).describe(
-    "Data to update (required). Partial updates supported. Server will validate and reject invalid fields."
-  )
-};
-var metadata7 = {
-  name: "update-many-collection",
-  description: "Bulk update collection items matching a filter. All matching items will be updated with the provided data.",
-  annotations: {
-    title: "Bulk update collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function updateManyCollection({
-  collection,
-  where,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk updates. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).updateMany(parsed.data, data);
-    return toolSuccess({
-      data: result.docs,
-      totalDocs: result.totalDocs,
-      message: `Updated ${result.totalDocs} item(s).`
-    });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/get-order.ts
-import { z as z8 } from "zod";
-var schema8 = {
-  orderNumber: z8.string().min(1).describe("Order number to look up (required)")
-};
-var metadata8 = {
   name: "get-order",
   description: "Get order details by order number. Returns order with related data (depth:1).",
   annotations: {
@@ -428,26 +687,26 @@ async function getOrder({
 }
 
 // src/tools/create-order.ts
-import { z as z9 } from "zod";
-var schema9 = {
-  pgPaymentId: z9.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z9.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z9.object({
-    name: z9.string().optional().describe("Customer name"),
-    email: z9.string().describe("Customer email (required)"),
-    phone: z9.string().optional().describe("Customer phone")
+import { z as z4 } from "zod";
+var schema4 = {
+  pgPaymentId: z4.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z4.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z4.object({
+    name: z4.string().optional().describe("Customer name"),
+    email: z4.string().describe("Customer email (required)"),
+    phone: z4.string().optional().describe("Customer phone")
   }).describe("Customer snapshot at time of order (required)"),
-  shippingAddress: z9.record(z9.string(), z9.unknown()).describe(
+  shippingAddress: z4.record(z4.string(), z4.unknown()).describe(
     "Shipping address object (required). Fields: postalCode, address1, address2, deliveryMessage, recipientName, phone"
   ),
-  orderItems: z9.array(z9.record(z9.string(), z9.unknown())).describe(
+  orderItems: z4.array(z4.record(z4.string(), z4.unknown())).describe(
     "Array of order item objects (required). Each: { product, variant, option, quantity, unitPrice?, totalPrice? }"
   ),
-  totalAmount: z9.number().nonnegative().describe("Total order amount (required, min 0)"),
-  shippingAmount: z9.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
-  discountCode: z9.string().optional().describe("Discount code to apply (optional)")
+  totalAmount: z4.number().nonnegative().describe("Total order amount (required, min 0)"),
+  shippingAmount: z4.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
+  discountCode: z4.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata9 = {
+var metadata4 = {
   name: "create-order",
   description: "Create a new order with products and shipping information. Supports idempotency.",
   annotations: {
@@ -470,10 +729,10 @@ async function createOrder(params) {
 }
 
 // src/tools/update-order.ts
-import { z as z10 } from "zod";
-var schema10 = {
-  orderNumber: z10.string().min(1).describe("Order number (required)"),
-  status: z10.enum([
+import { z as z5 } from "zod";
+var schema5 = {
+  orderNumber: z5.string().min(1).describe("Order number (required)"),
+  status: z5.enum([
     "pending",
     "paid",
     "failed",
@@ -486,7 +745,7 @@ var schema10 = {
     "New order status. Return-related statuses (return_requested, return_processing, returned) must be set via Return endpoints."
   )
 };
-var metadata10 = {
+var metadata5 = {
   name: "update-order",
   description: "Update order status. Automatically adjusts stock on status changes (e.g., canceled restores stock).",
   annotations: {
@@ -510,17 +769,17 @@ async function updateOrder({
 }
 
 // src/tools/checkout.ts
-import { z as z11 } from "zod";
-var schema11 = {
-  cartId: z11.string().min(1).describe("Cart ID to convert to order (required)"),
-  pgPaymentId: z11.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z11.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z11.record(z11.string(), z11.unknown()).describe(
+import { z as z6 } from "zod";
+var schema6 = {
+  cartId: z6.string().min(1).describe("Cart ID to convert to order (required)"),
+  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z6.record(z6.string(), z6.unknown()).describe(
     "Customer snapshot object (required). Fields: { name?, email, phone? }"
   ),
-  discountCode: z11.string().optional().describe("Discount code to apply (optional)")
+  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata11 = {
+var metadata6 = {
   name: "checkout",
   description: "Convert a cart to an order. Validates stock, creates order and transaction, marks cart as completed. Supports idempotency.",
   annotations: {
@@ -543,21 +802,21 @@ async function checkout(params) {
 }
 
 // src/tools/create-fulfillment.ts
-import { z as z12 } from "zod";
-var schema12 = {
-  orderNumber: z12.string().min(1).describe("Order number (required)"),
-  carrier: z12.string().optional().describe("Shipping carrier name (optional)"),
-  trackingNumber: z12.string().optional().describe(
+import { z as z7 } from "zod";
+var schema7 = {
+  orderNumber: z7.string().min(1).describe("Order number (required)"),
+  carrier: z7.string().optional().describe("Shipping carrier name (optional)"),
+  trackingNumber: z7.string().optional().describe(
     'Tracking number (optional). Setting carrier + tracking triggers "shipped" status'
   ),
-  items: z12.array(
-    z12.object({
-      orderItem: z12.string().min(1).describe("Order item ID"),
-      quantity: z12.number().int().positive().describe("Quantity to fulfill")
+  items: z7.array(
+    z7.object({
+      orderItem: z7.string().min(1).describe("Order item ID"),
+      quantity: z7.number().int().positive().describe("Quantity to fulfill")
     })
   ).describe("Array of items to fulfill (required)")
 };
-var metadata12 = {
+var metadata7 = {
   name: "create-fulfillment",
   description: "Create a shipment/fulfillment for order items. Auto-updates order status (paid \u2192 preparing \u2192 shipped).",
   annotations: {
@@ -588,20 +847,20 @@ async function createFulfillment({
 }
 
 // src/tools/update-fulfillment.ts
-import { z as z13 } from "zod";
-var schema13 = {
-  fulfillmentId: z13.string().min(1).describe("Fulfillment ID (required)"),
-  status: z13.enum(["packed", "shipped", "delivered", "failed"]).describe(
+import { z as z8 } from "zod";
+var schema8 = {
+  fulfillmentId: z8.string().min(1).describe("Fulfillment ID (required)"),
+  status: z8.enum(["packed", "shipped", "delivered", "failed"]).describe(
     "New fulfillment status (required). FSM: pending\u2192packed/shipped/failed, packed\u2192shipped/failed, shipped\u2192delivered/failed"
   ),
-  carrier: z13.string().optional().describe(
+  carrier: z8.string().optional().describe(
     "Shipping carrier (optional, changeable only in pending/packed status)"
   ),
-  trackingNumber: z13.string().optional().describe(
+  trackingNumber: z8.string().optional().describe(
     "Tracking number (optional, changeable only in pending/packed status)"
   )
 };
-var metadata13 = {
+var metadata8 = {
   name: "update-fulfillment",
   description: "Update fulfillment status, carrier, and tracking number. Auto-updates order status when all fulfillments are delivered.",
   annotations: {
@@ -631,15 +890,134 @@ async function updateFulfillment({
   }
 }
 
+// ../../packages/contracts/src/tenant/index.ts
+import { z as z9 } from "zod";
+var tenantFieldConfigStateSchema = z9.object({
+  hiddenFields: z9.array(z9.string()),
+  isHidden: z9.boolean()
+}).strict();
+var tenantContextQuerySchema = z9.object({
+  counts: z9.literal("true").optional()
+}).strict();
+var tenantContextToolInputSchema = z9.object({
+  includeCounts: z9.boolean().optional().default(false).describe(
+    "Include per-collection document counts and config status (bypasses cache, slower)"
+  )
+}).strict();
+var tenantContextResponseSchema = z9.object({
+  tenant: z9.object({
+    id: z9.string(),
+    name: z9.string(),
+    plan: z9.string(),
+    planSource: z9.string().optional(),
+    authoritative: z9.boolean().optional(),
+    capabilityVersion: z9.string().optional(),
+    isDevMode: z9.boolean()
+  }).strict(),
+  features: z9.array(z9.string()),
+  collections: z9.object({
+    active: z9.array(z9.string()),
+    inactive: z9.array(z9.string())
+  }).strict(),
+  fieldConfigs: z9.record(z9.string(), tenantFieldConfigStateSchema),
+  counts: z9.record(z9.string(), z9.number()).optional(),
+  config: z9.object({
+    webhookConfigured: z9.boolean()
+  }).strict().optional()
+}).strict();
+var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
+var collectionSchemaEndpointParamsSchema = z9.object({
+  collectionSlug: z9.string().min(1, "collectionSlug is required")
+}).strict();
+function createCollectionSchemaToolInputSchema(collections) {
+  return z9.object({
+    collection: z9.enum(collections).describe("Collection name (required)")
+  }).strict();
+}
+var collectionFieldOptionSchema = z9.object({
+  label: z9.string(),
+  value: z9.string()
+}).strict();
+var collectionFieldSchema = z9.lazy(
+  () => z9.object({
+    name: z9.string(),
+    path: z9.string(),
+    type: z9.string(),
+    required: z9.literal(true).optional(),
+    unique: z9.literal(true).optional(),
+    hasMany: z9.literal(true).optional(),
+    relationTo: z9.union([z9.string(), z9.array(z9.string())]).optional(),
+    options: z9.array(collectionFieldOptionSchema).optional(),
+    hidden: z9.literal(true).optional(),
+    systemManaged: z9.literal(true).optional(),
+    writable: z9.boolean().optional(),
+    fields: z9.array(collectionFieldSchema).optional()
+  }).strict()
+);
+var collectionSchemaResponseSchema = z9.object({
+  contractVersion: z9.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
+  mode: z9.literal("effective"),
+  collection: z9.object({
+    slug: z9.string(),
+    timestamps: z9.boolean(),
+    alwaysActive: z9.boolean(),
+    feature: z9.string().nullable(),
+    systemFields: z9.array(z9.string()),
+    visibility: z9.object({
+      collectionHidden: z9.boolean(),
+      hiddenFields: z9.array(z9.string())
+    }).strict(),
+    fields: z9.array(collectionFieldSchema)
+  }).strict()
+}).strict();
+
+// ../../packages/contracts/src/ecommerce/index.ts
+import { z as z10 } from "zod";
+var transactionStatusSchema = z10.enum([
+  "pending",
+  "paid",
+  "failed",
+  "canceled"
+]);
+var updateTransactionSchema = z10.object({
+  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
+  status: transactionStatusSchema.describe(
+    "New transaction status (required)"
+  ),
+  paymentMethod: z10.string().optional().describe("Payment method (optional)"),
+  receiptUrl: z10.string().optional().describe("Receipt URL (optional)"),
+  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
+  amount: z10.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
+}).strict();
+var UpdateTransactionSchema = updateTransactionSchema;
+var returnReasonSchema = z10.enum([
+  "change_of_mind",
+  "defective",
+  "wrong_delivery",
+  "damaged",
+  "other"
+]);
+var restockActionSchema = z10.enum(["return_to_stock", "discard"]);
+var returnWithRefundItemSchema = z10.object({
+  orderItem: z10.union([z10.string(), z10.number()]).transform(String),
+  quantity: z10.number().int().positive("quantity must be a positive integer"),
+  restockAction: restockActionSchema.default("return_to_stock")
+}).strict();
+var returnWithRefundSchema = z10.object({
+  orderNumber: z10.string().min(1, "orderNumber is required").describe("Order number (required)"),
+  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
+  reasonDetail: z10.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z10.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
+  refundAmount: z10.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
+  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
+  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified refund"),
+  refundReceiptUrl: z10.string().optional().describe("Refund receipt URL (optional)")
+}).strict();
+var ReturnWithRefundSchema = returnWithRefundSchema;
+
 // src/tools/update-transaction.ts
-import { z as z14 } from "zod";
-var schema14 = {
-  pgPaymentId: z14.string().min(1).describe("PG payment ID (required)"),
-  status: z14.enum(["pending", "paid", "failed", "canceled"]).describe("New transaction status (required)"),
-  paymentMethod: z14.string().optional().describe("Payment method (optional)"),
-  receiptUrl: z14.string().optional().describe("Receipt URL (optional)")
-};
-var metadata14 = {
+var schema9 = UpdateTransactionSchema.shape;
+var metadata9 = {
   name: "update-transaction",
   description: "Update transaction status, payment method, and receipt URL.",
   annotations: {
@@ -653,16 +1031,21 @@ async function updateTransaction({
   pgPaymentId,
   status,
   paymentMethod,
-  receiptUrl
+  receiptUrl,
+  paymentKey,
+  amount
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.updateTransaction({
+    const params = {
       pgPaymentId,
       status,
       paymentMethod,
-      receiptUrl
-    });
+      receiptUrl,
+      paymentKey,
+      amount
+    };
+    const result = await client.commerce.orders.updateTransaction(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -670,20 +1053,20 @@ async function updateTransaction({
 }
 
 // src/tools/create-return.ts
-import { z as z15 } from "zod";
-var schema15 = {
-  orderNumber: z15.string().min(1).describe("Order number (required)"),
-  reason: z15.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z15.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z15.array(
-    z15.object({
-      orderItem: z15.string().min(1).describe("Order item ID"),
-      quantity: z15.number().int().positive().describe("Quantity to return")
+import { z as z11 } from "zod";
+var schema10 = {
+  orderNumber: z11.string().min(1).describe("Order number (required)"),
+  reason: z11.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
+  reasonDetail: z11.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z11.array(
+    z11.object({
+      orderItem: z11.string().min(1).describe("Order item ID"),
+      quantity: z11.number().int().positive().describe("Quantity to return")
     })
   ).describe("Array of products to return (required)"),
-  refundAmount: z15.number().nonnegative().describe("Refund amount (required, min 0)")
+  refundAmount: z11.number().nonnegative().describe("Refund amount (required, min 0)")
 };
-var metadata15 = {
+var metadata10 = {
   name: "create-return",
   description: "Create a return request for an order. Only works for delivered/confirmed orders. Updates order status to return_requested.",
   annotations: {
@@ -716,14 +1099,14 @@ async function createReturn({
 }
 
 // src/tools/update-return.ts
-import { z as z16 } from "zod";
-var schema16 = {
-  returnId: z16.string().min(1).describe("Return ID (required)"),
-  status: z16.enum(["processing", "approved", "rejected", "completed"]).describe(
+import { z as z12 } from "zod";
+var schema11 = {
+  returnId: z12.string().min(1).describe("Return ID (required)"),
+  status: z12.enum(["processing", "approved", "rejected", "completed"]).describe(
     "New return status (required). Valid transitions: requested\u2192processing/rejected, processing\u2192approved/rejected, approved\u2192completed"
   )
 };
-var metadata16 = {
+var metadata11 = {
   name: "update-return",
   description: "Update return status with FSM validation. Restores inventory on completion, reverts order status on rejection.",
   annotations: {
@@ -747,22 +1130,8 @@ async function updateReturn({
 }
 
 // src/tools/return-with-refund.ts
-import { z as z17 } from "zod";
-var schema17 = {
-  orderNumber: z17.string().min(1).describe("Order number (required)"),
-  reason: z17.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z17.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z17.array(
-    z17.object({
-      orderItem: z17.string().min(1).describe("Order item ID"),
-      quantity: z17.number().int().positive().describe("Quantity to return")
-    })
-  ).describe("Array of products to return (required)"),
-  refundAmount: z17.number().nonnegative().describe("Refund amount (required, min 0)"),
-  pgPaymentId: z17.string().min(1).describe("PG payment ID for refund (required)"),
-  refundReceiptUrl: z17.string().optional().describe("Refund receipt URL (optional)")
-};
-var metadata17 = {
+var schema12 = ReturnWithRefundSchema.shape;
+var metadata12 = {
   name: "return-with-refund",
   description: "Combined return + refund operation. Creates return, restores stock, cancels transaction, updates order status.",
   annotations: {
@@ -779,19 +1148,22 @@ async function returnWithRefund({
   returnItems,
   refundAmount,
   pgPaymentId,
+  paymentKey,
   refundReceiptUrl
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.returnWithRefund({
+    const params = {
       orderNumber,
       reason,
       reasonDetail,
       returnItems,
       refundAmount,
       pgPaymentId,
+      paymentKey,
       refundReceiptUrl
-    });
+    };
+    const result = await client.commerce.orders.returnWithRefund(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -799,15 +1171,15 @@ async function returnWithRefund({
 }
 
 // src/tools/add-cart-item.ts
-import { z as z18 } from "zod";
-var schema18 = {
-  cartId: z18.string().min(1).describe("Cart ID (required)"),
-  product: z18.string().min(1).describe("Product ID (required)"),
-  variant: z18.string().min(1).describe("Product variant ID (required)"),
-  option: z18.string().min(1).describe("Product option ID (required)"),
-  quantity: z18.number().int().positive().describe("Quantity to add (required, positive integer)")
+import { z as z13 } from "zod";
+var schema13 = {
+  cartId: z13.string().min(1).describe("Cart ID (required)"),
+  product: z13.string().min(1).describe("Product ID (required)"),
+  variant: z13.string().min(1).describe("Product variant ID (required)"),
+  option: z13.string().min(1).describe("Product option ID (required)"),
+  quantity: z13.number().int().positive().describe("Quantity to add (required, positive integer)")
 };
-var metadata18 = {
+var metadata13 = {
   name: "add-cart-item",
   description: "Add a product to cart. Validates stock, merges quantity if item already exists, recalculates totals.",
   annotations: {
@@ -840,12 +1212,12 @@ async function addCartItem({
 }
 
 // src/tools/update-cart-item.ts
-import { z as z19 } from "zod";
-var schema19 = {
-  cartItemId: z19.string().min(1).describe("Cart item ID (required)"),
-  quantity: z19.number().int().positive().describe("New quantity (required, positive integer)")
+import { z as z14 } from "zod";
+var schema14 = {
+  cartItemId: z14.string().min(1).describe("Cart item ID (required)"),
+  quantity: z14.number().int().positive().describe("New quantity (required, positive integer)")
 };
-var metadata19 = {
+var metadata14 = {
   name: "update-cart-item",
   description: "Update cart item quantity. Validates stock availability, recalculates cart totals.",
   annotations: {
@@ -869,11 +1241,11 @@ async function updateCartItem({
 }
 
 // src/tools/remove-cart-item.ts
-import { z as z20 } from "zod";
-var schema20 = {
-  cartItemId: z20.string().min(1).describe("Cart item ID to remove (required)")
+import { z as z15 } from "zod";
+var schema15 = {
+  cartItemId: z15.string().min(1).describe("Cart item ID to remove (required)")
 };
-var metadata20 = {
+var metadata15 = {
   name: "remove-cart-item",
   description: "Remove an item from cart. Recalculates cart totals after removal.",
   annotations: {
@@ -896,12 +1268,12 @@ async function removeCartItem({
 }
 
 // src/tools/apply-discount.ts
-import { z as z21 } from "zod";
-var schema21 = {
-  cartId: z21.string().min(1).describe("Cart ID (required)"),
-  discountCode: z21.string().describe("Discount code to apply (required)")
+import { z as z16 } from "zod";
+var schema16 = {
+  cartId: z16.string().min(1).describe("Cart ID (required)"),
+  discountCode: z16.string().describe("Discount code to apply (required)")
 };
-var metadata21 = {
+var metadata16 = {
   name: "apply-discount",
   description: "Apply a discount code to a cart. Validates the code, updates cart totals, and sets free shipping if applicable.",
   annotations: {
@@ -925,11 +1297,11 @@ async function applyDiscount({
 }
 
 // src/tools/remove-discount.ts
-import { z as z22 } from "zod";
-var schema22 = {
-  cartId: z22.string().min(1).describe("Cart ID (required)")
+import { z as z17 } from "zod";
+var schema17 = {
+  cartId: z17.string().min(1).describe("Cart ID (required)")
 };
-var metadata22 = {
+var metadata17 = {
   name: "remove-discount",
   description: "Remove the applied discount code from a cart and recalculate totals.",
   annotations: {
@@ -952,11 +1324,11 @@ async function removeDiscount({
 }
 
 // src/tools/clear-cart.ts
-import { z as z23 } from "zod";
-var schema23 = {
-  cartId: z23.string().min(1).describe("Cart ID (required)")
+import { z as z18 } from "zod";
+var schema18 = {
+  cartId: z18.string().min(1).describe("Cart ID (required)")
 };
-var metadata23 = {
+var metadata18 = {
   name: "clear-cart",
   description: "Remove all items from a cart, reset discount and amounts. Shipping fee is preserved.",
   annotations: {
@@ -979,12 +1351,12 @@ async function clearCart({
 }
 
 // src/tools/validate-discount.ts
-import { z as z24 } from "zod";
-var schema24 = {
-  code: z24.string().describe("Discount code to validate (required)"),
-  orderAmount: z24.number().describe("Order amount for validation (required)")
+import { z as z19 } from "zod";
+var schema19 = {
+  code: z19.string().describe("Discount code to validate (required)"),
+  orderAmount: z19.number().describe("Order amount for validation (required)")
 };
-var metadata24 = {
+var metadata19 = {
   name: "validate-discount",
   description: "Validate a discount code. Checks active status, date range, usage limits, minimum order amount, and calculates discount.",
   annotations: {
@@ -1011,13 +1383,13 @@ async function validateDiscount({
 }
 
 // src/tools/calculate-shipping.ts
-import { z as z25 } from "zod";
-var schema25 = {
-  shippingPolicyId: z25.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
-  orderAmount: z25.number().describe("Order amount for fee calculation (required)"),
-  postalCode: z25.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
+import { z as z20 } from "zod";
+var schema20 = {
+  shippingPolicyId: z20.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
+  orderAmount: z20.number().describe("Order amount for fee calculation (required)"),
+  postalCode: z20.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
 };
-var metadata25 = {
+var metadata20 = {
   name: "calculate-shipping",
   description: "Calculate shipping fee based on order amount and postal code. Supports free shipping threshold and Jeju surcharge.",
   annotations: {
@@ -1046,18 +1418,18 @@ async function calculateShipping({
 }
 
 // src/tools/stock-check.ts
-import { z as z26 } from "zod";
-var schema26 = {
-  items: z26.array(
-    z26.object({
-      variantId: z26.string().describe("Product variant ID"),
-      quantity: z26.number().int().positive().describe("Requested quantity")
+import { z as z21 } from "zod";
+var schema21 = {
+  items: z21.array(
+    z21.object({
+      variantId: z21.string().describe("Product variant ID"),
+      quantity: z21.number().int().positive().describe("Requested quantity")
     })
   ).describe(
     "Array of items to check stock for (required, max 100). Each: { variantId, quantity }"
   )
 };
-var metadata26 = {
+var metadata21 = {
   name: "stock-check",
   description: "Batch check product option stock availability. Returns per-item availability and an allAvailable flag.",
   annotations: {
@@ -1080,56 +1452,46 @@ async function stockCheck({
 }
 
 // src/tools/get-collection-schema.ts
-import { z as z27 } from "zod";
-import { COLLECTIONS as COLLECTIONS8 } from "@01.software/sdk";
+import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
 
 // src/lib/console-api.ts
 import { createHash } from "crypto";
 var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
 var TIMEOUT_MS = 5e3;
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
 function resolveAuthHeaderContext() {
-  let context = {};
-  try {
-    const h = headers();
-    context = {
-      apiKey: h?.["x-api-key"],
-      publishableKey: h?.["x-publishable-key"] ?? h?.["x-client-key"]
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-  } catch {
   }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
   return {
-    apiKey: context.apiKey ?? process.env.SOFTWARE_SECRET_KEY,
-    publishableKey: context.publishableKey ?? process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
   };
 }
 function resolveApiKey() {
   const { apiKey } = resolveAuthHeaderContext();
   if (!apiKey || typeof apiKey !== "string") {
     throw new Error(
-      "Authentication required. Provide x-api-key header (HTTP) or SOFTWARE_SECRET_KEY env var (stdio)."
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
   return apiKey;
 }
-function hashKey(apiKey) {
-  return createHash("sha256").update(apiKey).digest("hex");
-}
-function resolveAuthCacheKey(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  return hashKey(
-    JSON.stringify({
-      apiKey,
-      publishableKey: publishableKey ?? ""
-    })
-  );
-}
 function buildAuthHeaders(apiKey) {
-  const { publishableKey } = resolveAuthHeaderContext();
-  const headers2 = {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
     Authorization: `Bearer ${apiKey}`
   };
-  if (publishableKey) headers2["X-Publishable-Key"] = publishableKey;
-  return headers2;
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
+  }
+  return headers;
 }
 function extractErrorMessage(body) {
   if (!body || typeof body !== "object") return void 0;
@@ -1185,17 +1547,16 @@ async function consolePost(path, body, apiKey) {
 // src/lib/collection-schema.ts
 async function getCollectionSchema(collection) {
   const apiKey = resolveApiKey();
-  return consoleGet(
+  const data = await consoleGet(
     `/api/tenants/schema/${encodeURIComponent(collection)}`,
     apiKey
   );
+  return collectionSchemaResponseSchema.parse(data);
 }
 
 // src/tools/get-collection-schema.ts
-var schema27 = {
-  collection: z27.enum(COLLECTIONS8).describe("Collection name (required)")
-};
-var metadata27 = {
+var schema22 = createCollectionSchemaToolInputSchema(COLLECTIONS3).shape;
+var metadata22 = {
   name: "get-collection-schema",
   description: "Get the authoritative tenant-aware collection schema from console. Use this before create/update to understand writable fields, hidden fields, required metadata, and collection-level visibility.",
   annotations: {
@@ -1219,48 +1580,22 @@ async function getCollectionSchemaTool({
   }
 }
 
-// src/tools/get-tenant-context.ts
-import { z as z28 } from "zod";
-
 // src/lib/tenant-context.ts
-var TENANT_CONTEXT_CACHE_TTL_MS = 6e4;
-var cache = /* @__PURE__ */ new Map();
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
 }
-function getCachedTenantContext(cacheKey) {
-  const cached = cache.get(cacheKey);
-  if (!cached || cached.expiry <= Date.now()) return void 0;
-  return cached.data;
-}
 async function getTenantContext(includeCounts = false) {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  if (!includeCounts) {
-    const cached = getCachedTenantContext(cacheKey);
-    if (cached) return cached;
-  }
   const data = await consoleGet(
     getTenantContextPath(includeCounts),
     apiKey
   );
-  if (!includeCounts) {
-    cache.set(cacheKey, {
-      data,
-      expiry: Date.now() + TENANT_CONTEXT_CACHE_TTL_MS
-    });
-  }
-  return data;
-}
-function invalidateTenantContextCache() {
-  cache.clear();
+  return tenantContextResponseSchema.parse(data);
 }
 
 // src/tools/get-tenant-context.ts
-var schema28 = {
-  includeCounts: z28.boolean().optional().default(false).describe("Include per-collection document counts and config status (bypasses cache, slower)")
-};
-var metadata28 = {
+var schema23 = tenantContextToolInputSchema.shape;
+var metadata23 = {
   name: "get-tenant-context",
   description: "Get current tenant features, active collections, and field visibility. Call this at the start of every session. Use includeCounts=true to also get per-collection document counts for setup diagnostics.",
   annotations: {
@@ -1270,7 +1605,9 @@ var metadata28 = {
     idempotentHint: true
   }
 };
-async function handler({ includeCounts }) {
+async function handler({
+  includeCounts
+}) {
   try {
     const ctx = await getTenantContext(includeCounts);
     const lines = [
@@ -1323,11 +1660,10 @@ async function handler({ includeCounts }) {
       }
     }
     if (ctx.config) {
+      lines.push("", "## Config Status");
       lines.push(
-        "",
-        "## Config Status"
+        `- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`
       );
-      lines.push(`- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`);
     }
     return toolSuccess({ context: lines.join("\n") });
   } catch (error) {
@@ -1336,21 +1672,15 @@ async function handler({ includeCounts }) {
 }
 
 // src/tools/list-configurable-fields.ts
-import { z as z29 } from "zod";
+import { z as z22 } from "zod";
 
 // src/lib/field-config.ts
-var cache2 = /* @__PURE__ */ new Map();
-var CACHE_TTL = 6e4;
 async function fetchFieldConfigs() {
   const apiKey = resolveApiKey();
-  const cacheKey = resolveAuthCacheKey(apiKey);
-  const cached = cache2.get(cacheKey);
-  if (cached && cached.expiry > Date.now()) return cached.data;
   const data = await consoleGet(
     "/api/field-configs/list",
     apiKey
   );
-  cache2.set(cacheKey, { data, expiry: Date.now() + CACHE_TTL });
   return data;
 }
 async function saveFieldConfig(body) {
@@ -1362,16 +1692,15 @@ async function saveFieldConfig(body) {
   );
 }
 function invalidateFieldConfigCache() {
-  cache2.clear();
 }
 
 // src/tools/list-configurable-fields.ts
-var schema29 = {
-  collection: z29.string().optional().describe(
+var schema24 = {
+  collection: z22.string().optional().describe(
     "Filter by collection slug (optional \u2014 returns all if omitted). Use this filter to reduce response size when you know which collection to check."
   )
 };
-var metadata29 = {
+var metadata24 = {
   name: "list-configurable-fields",
   description: "List all configurable fields for tenant collections with current visibility state. Shows which fields can be shown/hidden and their current status. Returns all collections including inactive features \u2014 cross-reference with get-tenant-context for active features. Response includes ~300 fields across 47 collections \u2014 use collection filter when possible.",
   annotations: {
@@ -1402,17 +1731,17 @@ async function listConfigurableFields(params) {
 }
 
 // src/tools/update-field-config.ts
-import { z as z30 } from "zod";
-var schema30 = {
-  collection: z30.string().min(1).describe("Collection slug (required)"),
-  hiddenFields: z30.array(z30.string().min(1).max(200)).max(300).describe(
+import { z as z23 } from "zod";
+var schema25 = {
+  collection: z23.string().min(1).describe("Collection slug (required)"),
+  hiddenFields: z23.array(z23.string().min(1).max(200)).max(300).describe(
     "Fields to hide (required). This is a FULL REPLACE \u2014 fields NOT in this list will be shown. Pass [] to show all fields. Use list-configurable-fields first to see available field paths."
   ),
-  isHidden: z30.boolean().optional().describe(
+  isHidden: z23.boolean().optional().describe(
     "Hide the entire collection from Admin Panel (optional). When true, individual hiddenFields are irrelevant."
   )
 };
-var metadata30 = {
+var metadata25 = {
   name: "update-field-config",
   description: "Update field visibility configuration for a tenant collection. Hidden fields are removed from the Admin Panel UI. IMPORTANT: hiddenFields is a full replace, not a merge. Always call list-configurable-fields first to see current state.",
   annotations: {
@@ -1430,7 +1759,6 @@ async function updateFieldConfig(params) {
       isHidden: params.isHidden
     });
     invalidateFieldConfigCache();
-    invalidateTenantContextCache();
     return toolSuccess({
       message: `Field config updated for '${params.collection}'`,
       data: result
@@ -1441,7 +1769,7 @@ async function updateFieldConfig(params) {
 }
 
 // src/tools/sdk-get-recipe.ts
-import { z as z31 } from "zod";
+import { z as z24 } from "zod";
 
 // src/lib/sdk-recipes.ts
 var recipes = {
@@ -1593,7 +1921,7 @@ const result = await client.collections.from('products').create({
         "Returns result.doc (not the document directly)"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "update-item": {
@@ -1622,7 +1950,7 @@ const result = await client.collections.from('products').update('product-id', {
         "Partial updates are supported \u2014 omitted fields retain their current value"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-collection"]
+      relatedTools: ["get-collection-by-id", "get-collection-schema"]
     }
   },
   "delete-item": {
@@ -1646,7 +1974,7 @@ console.log('Deleted:', deleted.title)`,
         "Throws if the item does not exist"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["delete-collection"]
+      relatedTools: ["get-collection-by-id", "query-collection"]
     }
   },
   "infinite-scroll": {
@@ -1760,18 +2088,13 @@ const client = createClient({
 })
 
 // --- Register ---
-const { customer, verificationRequired } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'Jane Doe',
   email: 'jane@example.com',
   password: 'securePassword123',
   phone: '+821012345678', // optional
 })
 
-if (verificationRequired) {
-  // Tenant has requireEmailVerification enabled.
-  // Token delivered via webhook \u2014 prompt user to check email.
-}
-
 // --- Login ---
 const { token, customer: loggedIn } = await client.customer.login({
   email: 'jane@example.com',
@@ -1792,9 +2115,9 @@ await client.customer.forgotPassword('jane@example.com') // sends token via webh
 await client.customer.resetPassword(token, 'newPassword123')`,
       cautions: [
         "customer.register/login/me are only available on Client (not ServerClient)",
-        "verificationRequired means no token is returned \u2014 user must verify email first",
+        "registration creates a local customer account; add app-level verification if your project requires it",
         "updateProfile only accepts name, phone, and marketingConsent \u2014 not email or password",
-        "forgotPassword sends the token via tenant webhook, not directly to the client"
+        "forgotPassword sends the token to configured tenant webhooks; your webhook handler owns email/SMS delivery"
       ],
       relatedResources: ["docs://sdk/customer-auth", "docs://sdk/getting-started"],
       relatedTools: []
@@ -1828,7 +2151,7 @@ const result = await client.collections.from('images').create(formData as unknow
         "Always set alt text for accessibility"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "bulk-operations": {
@@ -1864,7 +2187,7 @@ const removed = await client.collections.from('products').removeMany(
         "Very broad where clauses (or empty) will affect all documents in the collection"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-many-collection", "delete-many-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   }
 };
@@ -1878,8 +2201,8 @@ function getRecipe(goal, runtime = "both") {
 }
 
 // src/tools/sdk-get-recipe.ts
-var schema31 = {
-  goal: z31.enum([
+var schema26 = {
+  goal: z24.enum([
     "fetch-list",
     "fetch-by-id",
     "create-item",
@@ -1891,11 +2214,11 @@ var schema31 = {
     "file-upload",
     "bulk-operations"
   ]).describe("What the user wants to accomplish"),
-  runtime: z31.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
-  collection: z31.string().optional().describe("Specific collection name if applicable"),
-  includeExample: z31.boolean().default(true).describe("Whether to include a full code example")
+  runtime: z24.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
+  collection: z24.string().optional().describe("Specific collection name if applicable"),
+  includeExample: z24.boolean().default(true).describe("Whether to include a full code example")
 };
-var metadata31 = {
+var metadata26 = {
   name: "sdk-get-recipe",
   description: "Get a complete SDK code recipe for a specific task. Returns recommended approach, code example, and related documentation links. Use this FIRST when the user asks how to do something with the SDK.",
   annotations: {
@@ -1938,7 +2261,7 @@ function handler2({
 }
 
 // src/tools/sdk-search-docs.ts
-import { z as z32 } from "zod";
+import { z as z25 } from "zod";
 
 // src/lib/sdk-doc-index.ts
 var docIndex = [
@@ -2040,8 +2363,8 @@ var docIndex = [
   // Customer Auth
   {
     title: "Customer Auth \u2014 Login and Register",
-    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth", "email verification", "verificationRequired"],
-    summary: "client.customer.login({ email, password }) and register({ name, email, password }). If tenant requireEmailVerification is on, register returns verificationRequired: true.",
+    keywords: ["customer", "login", "register", "auth", "authentication", "customer auth"],
+    summary: "client.customer.login({ email, password }) and register({ name, email, password }).",
     resourceUri: "docs://sdk/customer-auth"
   },
   {
@@ -2067,7 +2390,7 @@ var docIndex = [
   {
     title: "Webhooks",
     keywords: ["webhook", "hmac", "signature", "WEBHOOK_SECRET", "server-to-server", "event"],
-    summary: "Tenant webhooks deliver server-to-server events (e.g. email verification token, password reset token). Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
+    summary: "Tenant webhooks deliver server-to-server events such as password reset tokens. Signed with HMAC-SHA256 using PAYLOAD_SECRET.",
     resourceUri: "docs://sdk/webhook"
   },
   // Order API
@@ -2113,11 +2436,11 @@ function searchDocs(query, limit = 5) {
 }
 
 // src/tools/sdk-search-docs.ts
-var schema32 = {
-  query: z32.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
-  limit: z32.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
+var schema27 = {
+  query: z25.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
+  limit: z25.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
 };
-var metadata32 = {
+var metadata27 = {
   name: "sdk-search-docs",
   description: "Search SDK documentation by keyword. Returns matching topics with summaries and resource links. Use when looking for specific SDK features or patterns.",
   annotations: {
@@ -2152,20 +2475,20 @@ function handler3({
 }
 
 // src/tools/sdk-get-auth-setup.ts
-import { z as z33 } from "zod";
-var schema33 = {
-  scenario: z33.enum([
+import { z as z26 } from "zod";
+var schema28 = {
+  scenario: z26.enum([
     "browser-client",
     "server-client",
     "customer-auth",
     "mcp-connection",
-    "api-key-generation",
+    "server-credentials",
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
-var metadata33 = {
+var metadata28 = {
   name: "sdk-get-auth-setup",
-  description: "Get the correct authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
+  description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
     title: "Get Auth Setup",
     readOnlyHint: true,
@@ -2198,15 +2521,14 @@ const { data } = client.query.useQuery({ collection: 'products' })`,
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY! // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
 
 // Full CRUD operations
 const result = await client.collections.from('products').create({ title: 'New Product' })`,
     notes: [
-      "ServerClient has full CRUD access \u2014 never expose the API key in browser",
-      "SOFTWARE_SECRET_KEY stores an opaque bearer token; backend services should prefer tenant API keys (sk01_...)",
-      "Browser-based CLI/init login flows may provision a user-scoped PAT (pat01_...) with a default tenant",
+      "ServerClient has full CRUD access and must run only in trusted server code",
+      "Store server credentials in environment variables and rotate them from the Console",
       "Use in API routes, server actions, or backend services only",
       "React Query hooks available for reads (useQuery, prefetchQuery, etc.) + mutations (useCreate, useUpdate, useRemove)"
     ]
@@ -2238,90 +2560,68 @@ client.customer.isAuthenticated()`,
     notes: [
       "Customer auth uses the browser Client (not ServerClient)",
       "JWT tokens are managed automatically by the SDK",
-      "Tenant may require email verification (requireEmailVerification setting)"
+      "Registration creates a local customer account; add application-level verification if needed"
     ]
   },
   "mcp-connection": {
     title: "MCP Server Connection",
-    envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
+    envVars: [],
     code: `# Claude Code
-claude mcp add --transport http \\
-  --header "x-api-key: $SOFTWARE_SECRET_KEY" \\
-  --header "x-publishable-key: $SOFTWARE_PUBLISHABLE_KEY" \\
-  01software https://mcp.01.software/mcp
+claude mcp add --transport http 01software https://mcp.01.software/mcp
 
-# Codex project-safe .codex/config.toml
+# Codex .codex/config.toml
 [mcp_servers.01software]
 url = "https://mcp.01.software/mcp"
 
-[mcp_servers.01software.env_http_headers]
-x-api-key = "SOFTWARE_SECRET_KEY"
-x-publishable-key = "SOFTWARE_PUBLISHABLE_KEY"
-
-# Or use .mcp.json
+# Or use JSON clients that support OAuth discovery
 {
   "mcpServers": {
     "01software": {
       "type": "http",
-      "url": "https://mcp.01.software/mcp",
-      "headers": {
-        "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-        "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-      }
+      "url": "https://mcp.01.software/mcp"
     }
   }
 }`,
     notes: [
-      "MCP accepts either a tenant API key (sk01_...) or a personal access token (pat01_...) in x-api-key",
-      "HTTP transport also requires x-publishable-key (or legacy x-client-key) for tenant routing, rate limits, and quota enforcement",
-      "Codex project scope is appropriate for repo-safe shared configuration, but keep raw sk01_/pat01_ values out of committed files",
-      "Use tenant API keys for shared service integrations; PATs are useful for user-scoped local workflows",
-      "Never commit raw bearer tokens to repo-local MCP config; prefer environment interpolation, client prompts, OS secret managers, or ignored local files",
-      "Avoid passing real tokens directly on shared-machine command lines because shell history and process listings can expose them",
-      "stdio transport: use `npx @01.software/cli mcp` with SOFTWARE_PUBLISHABLE_KEY and SOFTWARE_SECRET_KEY env vars"
+      "HTTP MCP uses OAuth discovery and Authorization Code + PKCE",
+      "Clients that cannot complete OAuth discovery are unsupported until a smoke test proves compatibility",
+      "stdio transport remains a local CLI path and is separate from HTTP MCP OAuth discovery"
     ]
   },
-  "api-key-generation": {
-    title: "API Key Generation",
+  "server-credentials": {
+    title: "Server Credential Management",
     envVars: ["SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY"],
-    code: `# API keys are generated from the Console, not in code.
-# Go to Console > Settings > API Keys and click "Create API Key".
-# The generated key has the format: sk01_{40hex}
-# Copy the publishable key from the same tenant.
+    code: `# Server credentials are managed from the Console, not in code.
+# Copy both values from the same tenant.
 
-# Use them together for MCP, CLI, and server SDK calls:
-export SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+# Use them together for CLI and server SDK calls.
+export SOFTWARE_PUBLISHABLE_KEY=pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 export SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`,
     notes: [
-      "API keys are sk01_{40hex} opaque bearer tokens",
       "The matching SOFTWARE_PUBLISHABLE_KEY is still required for tenant routing, rate limits, and quota enforcement",
-      "Browser-based CLI/init login may issue pat01_{40hex} personal access tokens for user-scoped workflows",
-      "Used for MCP and REST API authentication via x-api-key header or Authorization: Bearer",
-      "Generate keys from Console > Settings > API Keys \u2014 never derive them in code"
+      "Used for REST/SDK authentication in trusted server contexts",
+      "Manage credentials from the Console and rotate them on exposure"
     ]
   },
   "webhook-verification": {
     title: "Webhook Verification",
     envVars: ["WEBHOOK_SECRET"],
-    code: `import { handleWebhook } from '@01.software/sdk/webhook'
+    code: `import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, { secret: process.env.WEBHOOK_SECRET! })
+  return handleWebhook(request, customerAuthHandler, {
+    secret: process.env.WEBHOOK_SECRET!,
+  })
 }`,
     notes: [
       "handleWebhook() takes (request, handler, options) \u2014 handler receives the parsed event",
       "WEBHOOK_SECRET is set per-tenant in Console > Settings",
-      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler"
+      "handleWebhook() verifies HMAC-SHA256 signature automatically before calling handler",
+      "createCustomerAuthWebhookHandler() is optional; it just routes auth events to your own email/SMS delivery code"
     ]
   }
 };
@@ -2340,14 +2640,14 @@ function handler4({
 }
 
 // src/tools/sdk-get-collection-pattern.ts
-import { z as z34 } from "zod";
-import { COLLECTIONS as COLLECTIONS9 } from "@01.software/sdk";
-var schema34 = {
-  collection: z34.enum(COLLECTIONS9).describe("Collection name"),
-  operation: z34.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
-  surface: z34.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
+import { z as z27 } from "zod";
+import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
+var schema29 = {
+  collection: z27.enum(COLLECTIONS4).describe("Collection name"),
+  operation: z27.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
+  surface: z27.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
 };
-var metadata34 = {
+var metadata29 = {
   name: "sdk-get-collection-pattern",
   description: "Get the recommended CRUD pattern for a specific collection. Returns code examples for the chosen API surface and operation type.",
   annotations: {
@@ -2514,7 +2814,6 @@ function handler5({
       relatedTools: [
         "query-collection",
         "get-collection-by-id",
-        ...operation !== "read" ? ["create-collection", "update-collection", "delete-collection"] : [],
         "get-collection-schema"
       ],
       relatedResources: [
@@ -2528,14 +2827,14 @@ function handler5({
 }
 
 // src/prompts/sdk-usage-guide.ts
-import { z as z35 } from "zod";
-var schema35 = {
-  goal: z35.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
-  runtime: z35.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
-  surface: z35.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
-  collection: z35.string().optional().describe("Specific collection if relevant")
+import { z as z28 } from "zod";
+var schema30 = {
+  goal: z28.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
+  runtime: z28.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
+  surface: z28.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
+  collection: z28.string().optional().describe("Specific collection if relevant")
 };
-var metadata35 = {
+var metadata30 = {
   name: "sdk-usage-guide",
   title: "SDK Usage Guide",
   description: "Provides guidance on how to perform a specific task using the 01.software SDK",
@@ -2632,8 +2931,8 @@ await client.collections.from('products').remove('id')
 const { totalDocs } = await client.collections.from('products').count()
 
 // Metadata - generate Next.js Metadata from collection fields
-// Auto-maps per-collection fields (e.g. posts: description\u2192description, thumbnail\u2192image)
-const postMeta = await client.collections.from('posts').findMetadataById(id, { siteName: 'My Blog' })
+// Auto-maps per-collection fields (e.g. articles: description\u2192description, thumbnail\u2192image)
+const articleMeta = await client.collections.from('articles').findMetadataById(id, { siteName: 'My Blog' })
 const productMeta = await client.collections.from('products').findMetadata(
   { where: { slug: { equals: 'my-product' } } },
   { siteName: 'My Store' }
@@ -2672,14 +2971,14 @@ You can perform the "${goal}" task by following the patterns above.`;
 }
 
 // src/prompts/collection-query-help.ts
-import { z as z36 } from "zod";
-import { COLLECTIONS as COLLECTIONS10 } from "@01.software/sdk";
-var schema36 = {
-  collection: z36.enum(COLLECTIONS10).describe("Collection name"),
-  operation: z36.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
-  filters: z36.string().optional().describe("Filter conditions (JSON string, optional)")
+import { z as z29 } from "zod";
+import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
+var schema31 = {
+  collection: z29.enum(COLLECTIONS5).describe("Collection name"),
+  operation: z29.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
+  filters: z29.string().optional().describe("Filter conditions (JSON string, optional)")
 };
-var metadata36 = {
+var metadata31 = {
   name: "collection-query-help",
   title: "Collection Query Help",
   description: "Provides guidance on how to write queries for a specific collection",
@@ -2766,16 +3065,16 @@ ${operation === "find" ? `- Use \`where\` option for filtering (Payload query sy
 }
 
 // src/prompts/order-flow-guide.ts
-import { z as z37 } from "zod";
-var schema37 = {
-  scenario: z37.enum([
+import { z as z30 } from "zod";
+var schema32 = {
+  scenario: z30.enum([
     "simple-order",
     "cart-checkout",
     "return-refund",
     "fulfillment-tracking"
   ]).describe("Order flow scenario")
 };
-var metadata37 = {
+var metadata32 = {
   name: "order-flow-guide",
   title: "Order Flow Guide",
   description: "Provides step-by-step guidance for ecommerce order flows including creation, checkout, returns, and fulfillment.",
@@ -2790,8 +3089,8 @@ var SCENARIOS = {
    - Provide: orderNumber, customerSnapshot (email required), shippingAddress, orderItems, totalAmount
    - Optional: pgPaymentId (omit for free orders), shippingAmount, discountCode
 
-2. **Payment Confirmation** \u2192 \`update-order\` tool
-   - Update status to \`paid\` after payment gateway confirms
+2. **Payment Confirmation** \u2192 \`update-transaction\` tool
+   - Confirm provider payment with pgPaymentId, paymentKey, and amount
    - Stock is automatically adjusted (stock -= qty, reservedStock += qty)
 
 3. **Fulfillment** \u2192 \`create-fulfillment\` tool
@@ -2818,8 +3117,13 @@ const order = await client.commerce.orders.create({
   pgPaymentId: 'pay_xxx' // omit for free orders
 })
 
-// 2. After payment confirmed
-await client.commerce.orders.update({ orderNumber: 'ORD-240101-001', status: 'paid' })
+// 2. After payment confirmed by provider
+await client.commerce.orders.updateTransaction({
+  pgPaymentId: 'pay_xxx',
+  status: 'paid',
+  paymentKey: 'payment_key_xxx',
+  amount: 59800
+})
 
 // 3. Ship items
 await client.commerce.orders.createFulfillment({
@@ -2837,7 +3141,7 @@ await client.commerce.orders.createFulfillment({
 2. **Apply Discount** (optional) \u2192 \`apply-discount\` tool
 3. **Calculate Shipping** \u2192 \`calculate-shipping\` tool
 4. **Checkout** \u2192 \`checkout\` tool (converts cart to order)
-5. **Payment** \u2192 \`update-order\` or \`update-transaction\`
+5. **Payment** \u2192 \`update-transaction\` for provider-verified paid transitions
 
 ### Key Points
 - Cart has a customer linked \u2014 auto-copied to order on checkout
@@ -2874,7 +3178,7 @@ const order = await client.commerce.orders.checkout({
 1. **Return with Refund** \u2192 \`return-with-refund\` tool
    - Handles return + stock restoration + transaction update in one call
    - Return immediately completed (bypasses FSM)
-   - Requires pgPaymentId to identify which transaction to refund
+   - Requires pgPaymentId and paymentKey for provider-verified refund
 
 ### Key Points
 - Full refund: original transaction \u2192 \`canceled\`
@@ -2891,7 +3195,8 @@ await client.commerce.orders.returnWithRefund({
   reasonDetail: 'Product arrived damaged',
   returnItems: [{ orderItem: 'oi-id', quantity: 1 }],
   refundAmount: 29900,
-  pgPaymentId: 'pay_xxx'
+  pgPaymentId: 'pay_xxx',
+  paymentKey: 'payment_key_xxx'
 })
 \`\`\``,
   "fulfillment-tracking": `## Fulfillment & Tracking
@@ -2954,12 +3259,12 @@ ${SCENARIOS[scenario] || "Unknown scenario."}
 }
 
 // src/prompts/feature-setup-guide.ts
-import { z as z38 } from "zod";
-var schema38 = {
-  feature: z38.enum([
+import { z as z31 } from "zod";
+var schema33 = {
+  feature: z31.enum([
     "ecommerce",
     "customers",
-    "posts",
+    "articles",
     "documents",
     "playlists",
     "galleries",
@@ -2971,7 +3276,7 @@ var schema38 = {
     "community"
   ]).describe("Feature to get setup guide for")
 };
-var metadata38 = {
+var metadata33 = {
   name: "feature-setup-guide",
   title: "Feature Setup Guide",
   description: "Setup checklist and remediation guide for a tenant feature. Load before using get-tenant-context to diagnose setup gaps.",
@@ -2984,8 +3289,8 @@ var FEATURES = {
 
 ### Required Collections (count > 0)
 
-1. **products** \u2014 Use \`create-collection\` with \`collection='products'\`
-   - Minimum fields: \`{ title, slug, status: 'active' }\`
+1. **products** \u2014 Create via Console UI or SDK \`client.collections.from('products').create({ ... })\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **product-variants** \u2014 At least 1 sellable variant per product
    - Minimum fields: \`{ product, title, price, stock }\`
@@ -3018,26 +3323,26 @@ customer-addresses
 
 ### Optional Collections
 
-customer-groups \u2014 Use \`create-collection\` with \`collection='customer-groups'\`, \`{ title }\`
+customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('customer-groups').create({ title })\`
 
 ### Config
 
-- \`requireEmailVerification\` can be toggled in tenant settings
+- Customer registration creates a local account; add app-level verification if needed
 - Customer auth uses custom JWT (separate from Payload auth)`,
-  posts: `## Posts Setup Guide
+  articles: `## Articles Setup Guide
 
 ### Required Collections (count > 0)
 
-1. **posts** \u2014 At least 1 post
+1. **articles** \u2014 At least 1 article
    - Minimum fields: \`{ title, slug }\`
 
-2. **post-authors** \u2014 At least 1 author
+2. **article-authors** \u2014 At least 1 author
    - Minimum fields: \`{ title, slug }\`
-   - Link authors to posts via the \`authors\` relationship field
+   - Link authors to articles via the \`authors\` relationship field
 
 ### Optional Collections
 
-post-categories, post-tags`,
+article-categories, article-tags`,
   documents: `## Documents Setup Guide
 
 ### Required Collections (count > 0)
@@ -3057,10 +3362,10 @@ document-categories`,
 ### Required Collections (count > 0)
 
 1. **playlists** \u2014 At least 1 playlist
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **tracks** \u2014 At least 1 track
-   - Minimum fields: \`{ title }\`
+   - Minimum fields: \`{ title, sourceUrl, status: 'published', _status: 'published' }\`
 
 3. **playlists.tracks** \u2014 Link at least 1 track from a playlist
    - Minimum fields: \`{ tracks: [trackId] }\`
@@ -3073,11 +3378,11 @@ playlist-categories, playlist-tags, track-categories, track-tags, track-assets`,
 ### Required Collections (count > 0)
 
 1. **galleries** \u2014 At least 1 gallery
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **gallery-items** \u2014 At least 1 item per gallery
    - References \`images\` collection (non-upload)
-   - Minimum fields: \`{ gallery, image }\`
+   - Minimum fields: \`{ gallery, image, _status: 'published' }\`
 
 ### Optional Collections
 
@@ -3087,7 +3392,7 @@ gallery-categories, gallery-tags`,
 ### Required Collections (count > 0)
 
 1. **links** \u2014 At least 1 link
-   - Minimum fields: \`{ title, slug, url }\`
+   - Minimum fields: \`{ title, slug, url, status: 'published', _status: 'published' }\`
 
 ### Optional Collections
 
@@ -3147,7 +3452,7 @@ form-submissions \u2014 Auto-created when forms are submitted by end users`,
 
 ### Required Collections (count > 0)
 
-1. **threads** \u2014 At least 1 thread
+1. **posts** \u2014 At least 1 post
    - Minimum fields: \`{ title, slug }\`
 
 2. **reaction-types** \u2014 At least 1 reaction type defined
@@ -3159,7 +3464,7 @@ comments, reactions, bookmarks, reports, community-bans
 
 ### Optional Collections
 
-thread-categories`
+post-categories`
 };
 function featureSetupGuide({ feature }) {
   return `# Feature Setup Guide: ${feature}
@@ -3168,12 +3473,12 @@ ${FEATURES[feature] || "Unknown feature."}
 
 ## Related MCP Tools
 - \`get-tenant-context\` \u2014 check current collection counts and feature status
-- \`create-collection\` \u2014 create required collection documents
-- \`query-collection\` \u2014 verify existing documents in a collection`;
+- \`query-collection\` \u2014 verify existing documents in a collection
+- \`get-collection-schema\` \u2014 inspect tenant-aware fields before creating data via SDK or Console UI`;
 }
 
 // src/resources/(config)/app.ts
-var metadata39 = {
+var metadata34 = {
   name: "app-config",
   title: "Application Config",
   description: "01.software SDK and MCP server configuration information"
@@ -3188,35 +3493,20 @@ function handler6() {
 
 ## Authentication
 
-All HTTP requests require a bearer token and publishable key:
+HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 
+\`\`\`toml
+[mcp_servers.01software]
+url = "https://mcp.01.software/mcp"
 \`\`\`
-x-api-key: <sk01_... or pat01_...>
-x-publishable-key: <pk01_...>
-\`\`\`
-
-\`x-client-key\` is accepted as a legacy alias for \`x-publishable-key\`.
 
-### Accepted Token Types
+## Available Tools (29)
 
-- \`sk01_{40hex}\` \u2014 tenant API key from Console > Settings > API Keys
-- \`pat01_{40hex}\` \u2014 personal access token for user-scoped local workflows
+> Generic write tools (create/update/delete/update-many/delete-many) are intentionally absent. Use the dedicated workflow tools below or the SDK (\`client.collections.from(slug).create()\` / \`update()\` / \`remove()\` / \`updateMany()\` / \`removeMany()\`) for stateful mutations.
 
-\`\`\`
-SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-\`\`\`
-
-## Available Tools (34)
-
-### Generic CRUD (7)
+### Generic Read (2)
 - \`query-collection\` - Query collection with filters, pagination, sorting
 - \`get-collection-by-id\` - Get single item by ID
-- \`create-collection\` - Create new item
-- \`update-collection\` - Update existing item
-- \`delete-collection\` - Delete item (destructive)
-- \`update-many-collection\` - Bulk update items matching filter
-- \`delete-many-collection\` - Bulk delete items matching filter (destructive)
 
 ### Orders (7)
 - \`create-order\` - Create a new order with products and shipping
@@ -3274,70 +3564,86 @@ Rate limits depend on your tenant plan:
 }
 
 // src/resources/(collections)/schema.ts
-import { COLLECTIONS as COLLECTIONS11 } from "@01.software/sdk";
-var metadata40 = {
+import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
+var metadata35 = {
   name: "collections-schema",
   title: "Collection Schema Info",
   description: "Available collections and their schema information"
 };
+var COLLECTIONS_BY_CATEGORY = {
+  "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
+  Products: [
+    "products",
+    "product-variants",
+    "product-options",
+    "product-option-values",
+    "product-categories",
+    "product-tags",
+    "product-collections"
+  ],
+  Brands: ["brands", "brand-logos"],
+  "Orders & Fulfillment": [
+    "orders",
+    "order-items",
+    "transactions",
+    "fulfillments",
+    "fulfillment-items"
+  ],
+  "Shipping & Returns": ["returns", "return-items", "shipping-policies"],
+  Customers: [
+    "customers",
+    "customer-profiles",
+    "customer-addresses",
+    "customer-groups"
+  ],
+  Carts: ["carts", "cart-items"],
+  "Discounts & Promotions": ["discounts", "promotions"],
+  Documents: ["documents", "document-categories", "document-types"],
+  Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+  Community: [
+    "posts",
+    "comments",
+    "reactions",
+    "reaction-types",
+    "bookmarks",
+    "post-categories",
+    "reports",
+    "community-bans"
+  ],
+  Playlists: [
+    "playlists",
+    "tracks",
+    "playlist-categories",
+    "playlist-tags",
+    "track-categories",
+    "track-tags"
+  ],
+  Galleries: ["galleries", "gallery-items", "gallery-categories", "gallery-tags"],
+  Links: ["links", "link-categories", "link-tags"],
+  Canvas: [
+    "canvases",
+    "canvas-node-types",
+    "canvas-edge-types",
+    "canvas-categories",
+    "canvas-tags",
+    "canvas-nodes",
+    "canvas-edges"
+  ],
+  Videos: ["videos", "video-categories", "video-tags"],
+  "Live Streams": ["live-streams"],
+  Images: ["images"],
+  Forms: ["forms", "form-submissions"],
+  Events: [
+    "event-calendars",
+    "events",
+    "event-categories",
+    "event-occurrences",
+    "event-tags"
+  ]
+};
 function handler7() {
-  const collectionsByCategory = {
-    "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
-    Products: [
-      "products",
-      "product-variants",
-      "product-options",
-      "product-categories",
-      "product-tags",
-      "product-collections"
-    ],
-    Brands: ["brands", "brand-logos"],
-    "Orders & Fulfillment": [
-      "orders",
-      "order-items",
-      "transactions",
-      "fulfillments",
-      "fulfillment-items"
-    ],
-    "Shipping & Returns": [
-      "returns",
-      "return-items",
-      "shipping-policies"
-    ],
-    Customers: ["customers", "customer-addresses", "customer-groups"],
-    Carts: ["carts", "cart-items"],
-    Discounts: ["discounts"],
-    Documents: ["documents", "document-categories", "document-types"],
-    "Posts (Blog)": ["posts", "post-categories", "post-tags"],
-    Playlists: [
-      "playlists",
-      "tracks",
-      "track-assets",
-      "playlist-categories",
-      "playlist-tags",
-      "track-categories",
-      "track-tags"
-    ],
-    Galleries: [
-      "galleries",
-      "gallery-items",
-      "gallery-categories",
-      "gallery-tags"
-    ],
-    Canvas: [
-      "canvases",
-      "canvas-node-types",
-      "canvas-edge-types",
-      "canvas-categories",
-      "canvas-tags"
-    ],
-    Videos: ["videos", "video-categories", "video-tags"],
-    "Live Streams": ["live-streams"],
-    Images: ["images"],
-    Forms: ["forms", "form-submissions"]
-  };
-  const categoryDocs = Object.entries(collectionsByCategory).map(([category, collections]) => {
-    const collectionList = collections.filter((c) => COLLECTIONS11.includes(c)).map((c) => `- **${c}**`).join("\n");
+  const categoryDocs = Object.entries(COLLECTIONS_BY_CATEGORY).map(([category, collections]) => {
+    const collectionList = collections.filter((c) => COLLECTIONS6.includes(c)).map((c) => `- **${c}**`).join("\n");
     return `## ${category}
 ${collectionList}`;
   }).join("\n\n");
@@ -3358,6 +3664,9 @@ Each collection supports the following operations:
 - \`updateMany(where, data)\` - Bulk update items matching filter
 - \`removeMany(where)\` - Bulk delete items matching filter
 
+Draft-enabled public collections expose only \`_status: 'published'\` rows to
+publishable-key reads unless server-side access explicitly includes drafts.
+
 ## Query Examples
 
 ### Filtering
@@ -3379,11 +3688,11 @@ Each collection supports the following operations:
 }
 \`\`\`
 
-Total available collections: ${COLLECTIONS11.length}`;
+Total available collections: ${COLLECTIONS6.length}`;
 }
 
 // src/resources/(docs)/getting-started.ts
-var metadata41 = {
+var metadata36 = {
   name: "docs-getting-started",
   title: "Getting Started",
   description: "01.software SDK getting started guide"
@@ -3428,7 +3737,7 @@ const result = await client.collections.from('products').find({
 }
 
 // src/resources/(docs)/guides.ts
-var metadata42 = {
+var metadata37 = {
   name: "docs-guides",
   title: "Guides",
   description: "01.software SDK usage guides"
@@ -3639,7 +3948,7 @@ For more detailed guides, see the [Guides page](/docs/guides).`;
 }
 
 // src/resources/(docs)/api.ts
-var metadata43 = {
+var metadata38 = {
   name: "docs-api",
   title: "API Reference",
   description: "01.software SDK API reference documentation"
@@ -3859,7 +4168,7 @@ Customer authentication and profile management. Available on \`Client\` only (\`
 ### Authentication
 \`\`\`typescript
 // Register
-const { customer, verificationRequired? } = await client.customer.register({
+const { customer } = await client.customer.register({
   name: 'John',
   email: 'john@example.com',
   password: 'password123',
@@ -3894,7 +4203,7 @@ const updated = await client.customer.updateProfile({
 
 ### Password
 \`\`\`typescript
-// Forgot password (sends reset token via webhook)
+// Forgot password (sends reset token to configured tenant webhooks)
 await client.customer.forgotPassword(email)
 
 // Reset password with token
@@ -3904,11 +4213,6 @@ await client.customer.resetPassword(token, newPassword)
 await client.customer.changePassword(currentPassword, newPassword)
 \`\`\`
 
-### Email Verification
-\`\`\`typescript
-await client.customer.verifyEmail(token)
-\`\`\`
-
 ### Orders
 \`\`\`typescript
 const orders = await client.commerce.orders.listMine({
@@ -3930,7 +4234,7 @@ For more details, see the [full API documentation](/docs/api).`;
 }
 
 // src/resources/(docs)/query-builder.ts
-var metadata44 = {
+var metadata39 = {
   name: "docs-query-builder",
   title: "Query Builder",
   description: "01.software SDK Query Builder API reference (client.collections.from)"
@@ -4087,7 +4391,7 @@ if (page1.hasNextPage) {
 
 \`\`\`typescript
 // Descending (newest first)
-const result = await client.collections.from('posts').find({ sort: '-createdAt' })
+const result = await client.collections.from('articles').find({ sort: '-createdAt' })
 
 // Ascending
 const result2 = await client.collections.from('products').find({ sort: 'price' })
@@ -4124,7 +4428,7 @@ console.log(result.hasNextPage) // true
 }
 
 // src/resources/(docs)/react-query.ts
-var metadata45 = {
+var metadata40 = {
   name: "docs-react-query",
   title: "React Query Hooks",
   description: "01.software SDK React Query hooks reference (client.query)"
@@ -4372,7 +4676,7 @@ export function ProductList() {
 }
 
 // src/resources/(docs)/server-api.ts
-var metadata46 = {
+var metadata41 = {
   name: "docs-server-api",
   title: "Server-side API",
   description: "01.software SDK server-side API reference (client.commerce) for orders, fulfillments, returns, carts, and validation"
@@ -4382,19 +4686,19 @@ function handler13() {
 
 Server-side operations are available via \`client.commerce\` on \`ServerClient\`. Use \`createServerClient\` with both \`publishableKey\` and \`secretKey\`.
 
-For backend services, prefer a tenant API key (\`sk01_...\`) in \`SOFTWARE_SECRET_KEY\`.
-Browser-based CLI/init login flows may instead provision a user-scoped PAT (\`pat01_...\`) with a default tenant.
-
 \`\`\`typescript
 import { createServerClient } from '@01.software/sdk'
 
 const client = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
-  secretKey: process.env.SOFTWARE_SECRET_KEY!, // usually sk01_..., sometimes pat01_...
+  secretKey: process.env.SOFTWARE_SECRET_KEY!,
 })
 \`\`\`
 
-> Never expose \`SOFTWARE_SECRET_KEY\` in browser code. Use server components, API routes, or server actions only.
+Use server components, API routes, or server actions only. Never expose
+\`SOFTWARE_SECRET_KEY\` to browser code, client bundles, logs, or public
+repositories. If a secret key leaks, rotate it from the Console before deploying
+again.
 
 ## Order API
 
@@ -4513,7 +4817,7 @@ const ret = await client.commerce.orders.updateReturn({
 \`\`\`
 
 ### returnWithRefund()
-Create a return and process refund in one atomic operation.
+Create a return and process a provider-verified refund in one atomic operation.
 
 \`\`\`typescript
 const result = await client.commerce.orders.returnWithRefund({
@@ -4525,6 +4829,7 @@ const result = await client.commerce.orders.returnWithRefund({
   ],
   refundAmount: 29900,
   pgPaymentId: 'toss-payment-id',  // required
+  paymentKey: 'toss-payment-key',  // required for provider refund
   refundReceiptUrl?: 'https://...',
 })
 \`\`\`
@@ -4532,12 +4837,15 @@ const result = await client.commerce.orders.returnWithRefund({
 ## Transaction API
 
 ### updateTransaction()
-Update a transaction status (after PG callback).
+Confirm or annotate a transaction. Paid transitions require provider
+verification; non-financial annotations can still update pending transactions.
 
 \`\`\`typescript
 const tx = await client.commerce.orders.updateTransaction({
   pgPaymentId: 'toss-payment-id',
-  status: 'paid',  // paid | failed | canceled
+  status: 'paid',  // pending | paid | failed | canceled
+  paymentKey: 'toss-payment-key',  // required when status is paid
+  amount: 29900,  // required when status is paid
 })
 \`\`\`
 
@@ -4630,7 +4938,7 @@ const result = await client.commerce.shipping.calculate({
 }
 
 // src/resources/(docs)/customer-auth.ts
-var metadata47 = {
+var metadata42 = {
   name: "docs-customer-auth",
   title: "Customer Auth API",
   description: "01.software SDK Customer Auth API reference (client.customer)"
@@ -4663,11 +4971,9 @@ const result = await client.customer.register({
   phone?: '+821012345678',
 })
 // result.customer          - created customer object
-// result.token?            - JWT token (set if email verification not required)
-// result.verificationRequired? - true if tenant requires email verification
 \`\`\`
 
-When \`verificationRequired\` is true, no token is returned. The tenant's webhook receives a \`verificationToken\` to send to the customer.
+Registration creates a local customer account. Projects that need additional email verification should enforce it in application code.
 
 ### login()
 Authenticate with email and password.
@@ -4721,12 +5027,12 @@ const updated = await client.customer.updateProfile({
 ## Password
 
 ### forgotPassword()
-Request a password reset. Sends reset token via tenant webhook.
+Request a password reset. Sends the reset token to configured tenant webhooks; your webhook handler owns delivery.
 
 \`\`\`typescript
 await client.customer.forgotPassword('john@example.com')
 // Rate limited: 5 requests/min per tenant+email
-// Webhook receives: { resetPasswordToken, resetPasswordExpiry }
+// Webhook receives: { resetPasswordToken, resetPasswordExpiresAt }
 \`\`\`
 
 ### resetPassword()
@@ -4743,15 +5049,6 @@ Change password while authenticated (requires current password).
 await client.customer.changePassword('currentPassword', 'newPassword123')
 \`\`\`
 
-## Email Verification
-
-### verifyEmail()
-Verify email address using the token received via webhook.
-
-\`\`\`typescript
-await client.customer.verifyEmail('verification-token')
-\`\`\`
-
 ## Orders
 
 ### listMine()
@@ -4797,12 +5094,7 @@ const client = createClient({
 async function handleRegister(email: string, password: string, name: string) {
   const result = await client.customer.register({ email, password, name })
 
-  if (result.verificationRequired) {
-    // Redirect to "check your email" page
-    return { status: 'verify-email' }
-  }
-
-  // Token is automatically stored; customer is now logged in
+  // Customer is created as a local account.
   return { status: 'success', customer: result.customer }
 }
 
@@ -4824,7 +5116,7 @@ async function loadProfile() {
 }
 
 // src/resources/(docs)/browser-vs-server.ts
-var metadata48 = {
+var metadata43 = {
   name: "docs-browser-vs-server",
   title: "Client vs ServerClient",
   description: "When to use Client (createClient) vs ServerClient (createServerClient) in the 01.software SDK"
@@ -4904,7 +5196,11 @@ await client.commerce.orders.checkout({ ... })
 
 **Environment variables**:
 - \`SOFTWARE_PUBLISHABLE_KEY\` \u2014 publishable key (no NEXT_PUBLIC prefix, server-only)
-- \`SOFTWARE_SECRET_KEY\` \u2014 opaque bearer token (server-only, never expose to browser). Backend services usually use \`sk01_...\`; browser-based CLI/init login can provision \`pat01_...\` with a default tenant.
+- \`SOFTWARE_SECRET_KEY\` \u2014 server credential
+
+Never expose \`SOFTWARE_SECRET_KEY\` in browser code, client bundles, logs, or
+public repositories. If a secret key leaks, rotate it from the Console before
+deploying again.
 
 ## Decision Matrix
 
@@ -4970,15 +5266,16 @@ export function ProductList() {
 
 ## Security Rules
 
-- Never import \`SOFTWARE_SECRET_KEY\` or \`SOFTWARE_PUBLISHABLE_KEY\` in files without a \`'use server'\` directive or that could be bundled for the browser.
+- Keep server credentials in server-only modules.
 - Only \`NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY\` is safe to use in client components.
-- If you accidentally expose \`SOFTWARE_SECRET_KEY\` in a browser bundle, rotate the key immediately in the 01.software console.
+- Never import a module that reads \`SOFTWARE_SECRET_KEY\` from a client component.
+- Rotate any exposed secret key immediately from the Console.
 
 > Ecommerce note: product card pricing lives on \`products.listing.*\`, but authoritative sellable pricing still lives on \`product-variants.price\`.`;
 }
 
 // src/resources/(docs)/file-upload.ts
-var metadata49 = {
+var metadata44 = {
   name: "docs-file-upload",
   title: "File Upload",
   description: "01.software SDK file upload patterns using the images collection"
@@ -5129,7 +5426,7 @@ The platform stores files in Cloudflare R2 and serves via CDN (\`cdn.01.software
 }
 
 // src/resources/(docs)/webhook.ts
-var metadata50 = {
+var metadata45 = {
   name: "docs-webhook",
   title: "Webhooks",
   description: "01.software SDK webhook verification and event handling"
@@ -5137,27 +5434,23 @@ var metadata50 = {
 function handler17() {
   return `# Webhooks
 
-The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs for async operations (email verification, password reset, etc.).
+The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs. Tenant developers own routing inside their webhook handler.
 
 ## Webhook Handling
 
-Use the SDK \`handleWebhook\` helper to verify signatures and route events.
+Use the SDK \`handleWebhook\` helper to verify signatures. For customer auth events, use \`createCustomerAuthWebhookHandler\` to wire delivery behavior in your app.
 
 \`\`\`typescript
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const handler = createCustomerAuthWebhookHandler({
+  passwordReset: async (data) => {
+    await sendPasswordResetEmail(data)
+  },
+})
 
 export async function POST(request: Request) {
-  return handleWebhook(request, async (event) => {
-    // event.collection, event.operation, event.data
-    switch (event.operation) {
-      case 'verification':
-        await sendVerificationEmail(event.data)
-        break
-      case 'password-reset':
-        await sendPasswordResetEmail(event.data)
-        break
-    }
-  }, {
+  return handleWebhook(request, handler, {
     secret: process.env.WEBHOOK_SECRET!,
   })
 }
@@ -5169,19 +5462,17 @@ export async function POST(request: Request) {
 
 \`\`\`typescript
 // app/api/webhooks/route.ts
-import { handleWebhook } from '@01.software/sdk/webhook'
+import { handleWebhook, createCustomerAuthWebhookHandler } from '@01.software/sdk/webhook'
+
+const customerAuthHandler = createCustomerAuthWebhookHandler({
+  passwordReset: sendPasswordResetEmail,
+})
 
 export async function POST(request: Request) {
   return handleWebhook(request, async (event) => {
     console.log('Webhook received:', event.collection, event.operation)
 
-    if (event.collection === 'customers') {
-      if (event.operation === 'verification') {
-        await sendVerificationEmail(event.data)
-      } else if (event.operation === 'password-reset') {
-        await sendPasswordResetEmail(event.data)
-      }
-    }
+    await customerAuthHandler(event)
   }, {
     secret: process.env.WEBHOOK_SECRET!,
   })
@@ -5195,49 +5486,13 @@ All webhook events share this envelope:
 \`\`\`typescript
 {
   collection: string,    // e.g. 'customers'
-  operation: string,     // e.g. 'verification' | 'password-reset'
+  operation: string,     // e.g. 'password-reset'
   data: object,          // event-specific payload
 }
 \`\`\`
 
 ## Event Types
 
-### Customer Email Verification
-
-Dispatched when a customer registers on a tenant with \`requireEmailVerification: true\`.
-
-\`\`\`typescript
-{
-  collection: 'customers',
-  operation: 'verification',
-  data: {
-    customerId: string,
-    email: string,
-    name: string,
-    verificationToken: string,  // raw token to include in verification link
-  }
-}
-\`\`\`
-
-**Usage**: Send the \`verificationToken\` to the customer's email. The customer calls \`client.customer.verifyEmail(token)\` to complete verification.
-
-\`\`\`typescript
-// Example: send verification email
-async function sendVerificationEmail(data: {
-  customerId: string
-  email: string
-  name: string
-  verificationToken: string
-}) {
-  const verifyUrl = \`https://yourstore.com/verify-email?token=\${data.verificationToken}\`
-  await emailService.send({
-    to: data.email,
-    subject: 'Verify your email',
-    body: \`Click here to verify: \${verifyUrl}\`,
-  })
-}
-\`\`\`
-
 ### Customer Password Reset
 
 Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
@@ -5251,7 +5506,7 @@ Dispatched when a customer calls \`client.customer.forgotPassword(email)\`.
     email: string,
     name: string,
     resetPasswordToken: string,   // raw token to include in reset link
-    resetPasswordExpiry: string,  // ISO 8601 expiry (1 hour from dispatch)
+    resetPasswordExpiresAt: string,  // ISO 8601 expiry (1 hour from dispatch)
   }
 }
 \`\`\`
@@ -5264,13 +5519,13 @@ async function sendPasswordResetEmail(data: {
   email: string
   name: string
   resetPasswordToken: string
-  resetPasswordExpiry: string
+  resetPasswordExpiresAt: string
 }) {
   const resetUrl = \`https://yourstore.com/reset-password?token=\${data.resetPasswordToken}\`
   await emailService.send({
     to: data.email,
     subject: 'Reset your password',
-    body: \`Reset link (expires \${data.resetPasswordExpiry}): \${resetUrl}\`,
+    body: \`Reset link (expires \${data.resetPasswordExpiresAt}): \${resetUrl}\`,
   })
 }
 \`\`\`
@@ -5285,28 +5540,54 @@ Configure webhook URLs in the 01.software console under Tenant Settings > Webhoo
 }
 
 // src/server.ts
-function registerTool(server, schema39, meta, handler19) {
+var REGISTERED_TOOLS_BY_SERVER = /* @__PURE__ */ new WeakMap();
+function registerTool(server, schema34, meta, handler19) {
+  let registered = REGISTERED_TOOLS_BY_SERVER.get(server);
+  if (!registered) {
+    registered = /* @__PURE__ */ new Set();
+    REGISTERED_TOOLS_BY_SERVER.set(server, registered);
+  }
+  registered.add(meta.name);
   server.registerTool(
     meta.name,
     {
       description: meta.description,
-      inputSchema: schema39,
+      inputSchema: schema34,
       annotations: meta.annotations
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async (params) => {
+      const ctx = tenantAuthContext();
+      if (ctx) {
+        const decision = evaluateToolPolicy(meta.name, ctx.scopes);
+        if (!decision.allowed) {
+          const status = decision.reason === "insufficient_scope" ? 403 : 500;
+          return {
+            content: [
+              {
+                type: "text",
+                text: toolError({
+                  status,
+                  reason: decision.reason,
+                  message: decision.message
+                })
+              }
+            ]
+          };
+        }
+      }
       const result = await handler19(params);
       return { content: [{ type: "text", text: result }] };
     }
   );
 }
-function registerPrompt(server, schema39, meta, handler19) {
+function registerPrompt(server, schema34, meta, handler19) {
   server.registerPrompt(
     meta.name,
     {
       title: meta.title,
       description: meta.description,
-      argsSchema: schema39
+      argsSchema: schema34
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (params) => ({
@@ -5333,80 +5614,248 @@ function registerStaticResource(server, uri, meta, handler19) {
     })
   );
 }
-function createServer() {
+function createServer(options = {}) {
+  const toolSurface = options.toolSurface ?? "full";
   const server = new McpServer({
     name: "01.software MCP Server",
     version: "0.1.0"
   });
-  registerTool(server, schema, metadata, queryCollection);
-  registerTool(server, schema2, metadata2, getCollectionById);
-  registerTool(server, schema3, metadata3, createCollection);
-  registerTool(server, schema4, metadata4, updateCollection);
-  registerTool(server, schema5, metadata5, deleteCollection);
-  registerTool(server, schema6, metadata6, deleteManyCollection);
-  registerTool(server, schema7, metadata7, updateManyCollection);
-  registerTool(server, schema8, metadata8, getOrder);
-  registerTool(server, schema9, metadata9, createOrder);
-  registerTool(server, schema10, metadata10, updateOrder);
-  registerTool(server, schema11, metadata11, checkout);
-  registerTool(server, schema12, metadata12, createFulfillment);
-  registerTool(server, schema13, metadata13, updateFulfillment);
-  registerTool(server, schema14, metadata14, updateTransaction);
-  registerTool(server, schema15, metadata15, createReturn);
-  registerTool(server, schema16, metadata16, updateReturn);
-  registerTool(server, schema17, metadata17, returnWithRefund);
-  registerTool(server, schema18, metadata18, addCartItem);
-  registerTool(server, schema19, metadata19, updateCartItem);
-  registerTool(server, schema20, metadata20, removeCartItem);
-  registerTool(server, schema21, metadata21, applyDiscount);
-  registerTool(server, schema22, metadata22, removeDiscount);
-  registerTool(server, schema23, metadata23, clearCart);
-  registerTool(server, schema24, metadata24, validateDiscount);
-  registerTool(server, schema25, metadata25, calculateShipping);
-  registerTool(server, schema26, metadata26, stockCheck);
-  registerTool(server, schema27, metadata27, getCollectionSchemaTool);
-  registerTool(server, schema28, metadata28, handler);
-  registerTool(server, schema29, metadata29, listConfigurableFields);
-  registerTool(server, schema30, metadata30, updateFieldConfig);
-  registerTool(server, schema31, metadata31, handler2);
-  registerTool(server, schema32, metadata32, handler3);
-  registerTool(server, schema33, metadata33, handler4);
-  registerTool(server, schema34, metadata34, handler5);
-  registerPrompt(server, schema35, metadata35, sdkUsageGuide);
-  registerPrompt(server, schema36, metadata36, collectionQueryHelp);
-  registerPrompt(server, schema37, metadata37, orderFlowGuide);
-  registerPrompt(server, schema38, metadata38, featureSetupGuide);
-  registerStaticResource(server, "config://app", metadata39, handler6);
-  registerStaticResource(server, "collections://schema", metadata40, handler7);
-  registerStaticResource(server, "docs://sdk/getting-started", metadata41, handler8);
-  registerStaticResource(server, "docs://sdk/guides", metadata42, handler9);
-  registerStaticResource(server, "docs://sdk/api", metadata43, handler10);
-  registerStaticResource(server, "docs://sdk/query-builder", metadata44, handler11);
-  registerStaticResource(server, "docs://sdk/react-query", metadata45, handler12);
-  registerStaticResource(server, "docs://sdk/server-api", metadata46, handler13);
-  registerStaticResource(server, "docs://sdk/customer-auth", metadata47, handler14);
-  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata48, handler15);
-  registerStaticResource(server, "docs://sdk/file-upload", metadata49, handler16);
-  registerStaticResource(server, "docs://sdk/webhook", metadata50, handler17);
+  if (toolSurface === "full") {
+    registerTool(server, schema, metadata, queryCollection);
+    registerTool(server, schema2, metadata2, getCollectionById);
+    registerTool(server, schema3, metadata3, getOrder);
+    registerTool(server, schema4, metadata4, createOrder);
+    registerTool(server, schema5, metadata5, updateOrder);
+    registerTool(server, schema6, metadata6, checkout);
+    registerTool(server, schema7, metadata7, createFulfillment);
+    registerTool(server, schema8, metadata8, updateFulfillment);
+    registerTool(server, schema9, metadata9, updateTransaction);
+    registerTool(server, schema10, metadata10, createReturn);
+    registerTool(server, schema11, metadata11, updateReturn);
+    registerTool(server, schema12, metadata12, returnWithRefund);
+    registerTool(server, schema13, metadata13, addCartItem);
+    registerTool(server, schema14, metadata14, updateCartItem);
+    registerTool(server, schema15, metadata15, removeCartItem);
+    registerTool(server, schema16, metadata16, applyDiscount);
+    registerTool(server, schema17, metadata17, removeDiscount);
+    registerTool(server, schema18, metadata18, clearCart);
+    registerTool(server, schema19, metadata19, validateDiscount);
+    registerTool(server, schema20, metadata20, calculateShipping);
+    registerTool(server, schema21, metadata21, stockCheck);
+  }
+  registerTool(server, schema22, metadata22, getCollectionSchemaTool);
+  registerTool(server, schema23, metadata23, handler);
+  registerTool(server, schema24, metadata24, listConfigurableFields);
+  registerTool(server, schema25, metadata25, updateFieldConfig);
+  registerTool(server, schema26, metadata26, handler2);
+  registerTool(server, schema27, metadata27, handler3);
+  registerTool(server, schema28, metadata28, handler4);
+  registerTool(server, schema29, metadata29, handler5);
+  registerPrompt(server, schema30, metadata30, sdkUsageGuide);
+  registerPrompt(server, schema31, metadata31, collectionQueryHelp);
+  registerPrompt(server, schema32, metadata32, orderFlowGuide);
+  registerPrompt(server, schema33, metadata33, featureSetupGuide);
+  registerStaticResource(server, "config://app", metadata34, handler6);
+  registerStaticResource(server, "collections://schema", metadata35, handler7);
+  registerStaticResource(server, "docs://sdk/getting-started", metadata36, handler8);
+  registerStaticResource(server, "docs://sdk/guides", metadata37, handler9);
+  registerStaticResource(server, "docs://sdk/api", metadata38, handler10);
+  registerStaticResource(server, "docs://sdk/query-builder", metadata39, handler11);
+  registerStaticResource(server, "docs://sdk/react-query", metadata40, handler12);
+  registerStaticResource(server, "docs://sdk/server-api", metadata41, handler13);
+  registerStaticResource(server, "docs://sdk/customer-auth", metadata42, handler14);
+  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata43, handler15);
+  registerStaticResource(server, "docs://sdk/file-upload", metadata44, handler16);
+  registerStaticResource(server, "docs://sdk/webhook", metadata45, handler17);
   return server;
 }
 
 // src/auth.ts
-function validateApiKey(apiKey) {
-  if (!apiKey || apiKey.length === 0) {
-    return { valid: false, error: "x-api-key header is required" };
+import { createPublicKey, verify as verifySignature } from "crypto";
+var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["RS256", "ES256"]);
+var DEFAULT_CLOCK_SKEW_SECONDS = 30;
+var DEFAULT_JWKS_URI = `${MCP_OAUTH_ISSUER}/.well-known/jwks.json`;
+var MAX_ACCESS_TOKEN_LIFETIME_SECONDS = 300;
+function invalid(errorDescription) {
+  return { valid: false, error: "invalid_token", errorDescription };
+}
+function isProduction() {
+  return process.env.NODE_ENV === "production";
+}
+function insufficientScope(errorDescription) {
+  return { valid: false, error: "insufficient_scope", errorDescription };
+}
+function decodeBase64UrlJson(value) {
+  try {
+    return JSON.parse(Buffer.from(value, "base64url").toString("utf8"));
+  } catch {
+    return null;
   }
-  if (!apiKey.startsWith("sk01_") && !apiKey.startsWith("pat01_")) {
-    return {
-      valid: false,
-      error: "Invalid API key format. Expected sk01_ or pat01_ token."
-    };
+}
+function parseScopes(payload) {
+  const rawScopes = typeof payload.scope === "string" ? payload.scope.split(/\s+/).filter(Boolean) : Array.isArray(payload.scp) ? payload.scp : [];
+  return rawScopes.filter(
+    (scope) => scope === MCP_SCOPES.read || scope === MCP_SCOPES.write
+  );
+}
+function audienceMatches(aud, expected) {
+  if (typeof aud === "string") return aud === expected;
+  return Array.isArray(aud) && aud.includes(expected);
+}
+function verifyJwtSignature(alg, jwk, signingInput, signature) {
+  const key = createPublicKey({ key: jwk, format: "jwk" });
+  const input = Buffer.from(signingInput);
+  if (alg === "RS256") {
+    return verifySignature("RSA-SHA256", input, key, signature);
+  }
+  if (alg === "ES256") {
+    return verifySignature("SHA256", input, { key, dsaEncoding: "ieee-p1363" }, signature);
+  }
+  return false;
+}
+var cachedRemoteJwks = null;
+function jwksUriFor(options) {
+  const raw = isProduction() ? DEFAULT_JWKS_URI : options.jwksUri ?? DEFAULT_JWKS_URI;
+  let url;
+  try {
+    url = new URL(raw);
+  } catch {
+    return null;
+  }
+  if (url.protocol !== "https:" || url.username || url.password || url.search || url.hash) {
+    return null;
+  }
+  return url.toString();
+}
+async function remoteJwks(options = {}, forceRefresh = false) {
+  const uri = jwksUriFor(options);
+  if (!uri) return null;
+  const now = Date.now();
+  if (!forceRefresh && cachedRemoteJwks && cachedRemoteJwks.uri === uri && cachedRemoteJwks.expiresAt > now) {
+    return cachedRemoteJwks.jwks;
+  }
+  const fetchImpl = options.fetchImpl ?? fetch;
+  let response;
+  try {
+    response = await fetchImpl(uri, {
+      headers: { Accept: "application/json" }
+    });
+  } catch {
+    return null;
+  }
+  if (!response.ok) return null;
+  const parsed = await response.json().catch(() => null);
+  if (!parsed || !Array.isArray(parsed.keys)) return null;
+  cachedRemoteJwks = {
+    expiresAt: now + 3e5,
+    jwks: parsed,
+    uri
+  };
+  return parsed;
+}
+function validateAccessToken(token, options = {}) {
+  const parts = token.split(".");
+  if (parts.length !== 3 || parts.some((part) => part.length === 0)) {
+    return invalid("Bearer token must be a compact JWT");
+  }
+  const [encodedHeader, encodedPayload, encodedSignature] = parts;
+  const header = decodeBase64UrlJson(encodedHeader);
+  const payload = decodeBase64UrlJson(encodedPayload);
+  if (!header || !payload) return invalid("Bearer token contains invalid JSON");
+  if (typeof header.alg !== "string" || !ALLOWED_ALGORITHMS.has(header.alg)) {
+    return invalid("Bearer token uses an unsupported signing algorithm");
+  }
+  if (typeof header.kid !== "string" || header.kid.length === 0) {
+    return invalid("Bearer token is missing kid");
+  }
+  const jwks = options.jwks;
+  if (!jwks) return invalid("JWKS is not configured");
+  const jwk = jwks.keys.find((key) => key.kid === header.kid);
+  if (!jwk) return invalid("Bearer token kid is unknown");
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signature = Buffer.from(encodedSignature, "base64url");
+  if (!verifyJwtSignature(header.alg, jwk, signingInput, signature)) {
+    return invalid("Bearer token signature is invalid");
+  }
+  const issuer = options.issuer ?? MCP_OAUTH_ISSUER;
+  if (payload.iss !== issuer) return invalid("Bearer token issuer is invalid");
+  const audience = options.audience ?? MCP_RESOURCE_AUDIENCE;
+  if (!audienceMatches(payload.aud, audience)) {
+    return invalid("Bearer token audience is invalid");
+  }
+  if (typeof payload.iat !== "number") return invalid("Bearer token is missing iat");
+  if (typeof payload.exp !== "number") return invalid("Bearer token is missing exp");
+  if (payload.exp <= payload.iat) {
+    return invalid("Bearer token lifetime is invalid");
+  }
+  if (payload.exp - payload.iat > MAX_ACCESS_TOKEN_LIFETIME_SECONDS) {
+    return invalid("Bearer token lifetime exceeds 300 seconds");
+  }
+  const nowSeconds = Math.floor((options.now ?? /* @__PURE__ */ new Date()).getTime() / 1e3);
+  const leeway = options.clockSkewSeconds ?? DEFAULT_CLOCK_SKEW_SECONDS;
+  if (payload.iat > nowSeconds + leeway) {
+    return invalid("Bearer token iat is too far in the future");
+  }
+  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds + leeway) {
+    return invalid("Bearer token is not yet valid");
   }
-  return { valid: true };
+  if (payload.exp < nowSeconds - leeway) return invalid("Bearer token is expired");
+  const tenantId = payload[MCP_TENANT_CLAIM];
+  if (typeof tenantId !== "string" || tenantId.length === 0) {
+    return invalid("Bearer token tenant_id claim is invalid");
+  }
+  const tenantRole = payload[MCP_TENANT_ROLE_CLAIM];
+  if (tenantRole !== "tenant-admin" && tenantRole !== "tenant-editor" && tenantRole !== "tenant-viewer") {
+    return invalid("Bearer token tenant_role claim is invalid");
+  }
+  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
+    return invalid("Bearer token subject claim is invalid");
+  }
+  const scopes = parseScopes(payload);
+  const requiredScopes = options.requiredScopes ?? [MCP_SCOPES.read];
+  const missingScope = requiredScopes.find((scope) => !scopes.includes(scope));
+  if (missingScope) return insufficientScope(`Bearer token is missing ${missingScope}`);
+  return {
+    valid: true,
+    context: {
+      tenantId,
+      principalId: payload.sub,
+      scopes,
+      tenantRole,
+      authMode: "oauth"
+    }
+  };
+}
+function shouldRefreshRemoteJwks(result) {
+  return !result.valid && (result.errorDescription === "Bearer token kid is unknown" || result.errorDescription === "Bearer token signature is invalid");
+}
+async function validateBearerAuthorizationHeaderAsync(authorization, options) {
+  if (!authorization) return invalid("Authorization Bearer token is required");
+  const match = authorization.match(/^Bearer\s+(.+)$/i);
+  if (!match) return invalid("Authorization header must use Bearer");
+  if (options?.jwks) {
+    return validateAccessToken(match[1], options);
+  }
+  const jwks = await remoteJwks(options);
+  const result = validateAccessToken(match[1], {
+    ...options,
+    jwks: jwks ?? void 0
+  });
+  if (shouldRefreshRemoteJwks(result)) {
+    const refreshedJwks = await remoteJwks(options, true);
+    if (refreshedJwks) {
+      return validateAccessToken(match[1], {
+        ...options,
+        jwks: refreshedJwks
+      });
+    }
+  }
+  return result;
 }
 
 // src/handler.ts
 var MAX_REQUEST_BODY_BYTES = 1024 * 1024;
+var MCP_ALLOWED_BROWSER_ORIGIN = "https://01.software";
 var METHOD_NOT_ALLOWED = JSON.stringify({
   jsonrpc: "2.0",
   error: {
@@ -5416,16 +5865,16 @@ var METHOD_NOT_ALLOWED = JSON.stringify({
   id: null
 });
 function setCors(res) {
-  res.setHeader("Access-Control-Allow-Origin", "*");
+  res.setHeader("Access-Control-Allow-Origin", MCP_ALLOWED_BROWSER_ORIGIN);
   res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
   res.setHeader(
     "Access-Control-Allow-Headers",
-    "Content-Type, x-api-key, x-publishable-key, x-client-key, mcp-session-id"
+    "Authorization, Content-Type, mcp-session-id"
   );
   res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id, Mcp-Protocol-Version");
 }
-function getHeaderValue(headers2, name) {
-  const value = headers2[name.toLowerCase()];
+function getHeaderValue(headers, name) {
+  const value = headers[name.toLowerCase()];
   if (Array.isArray(value)) return value[0];
   return value;
 }
@@ -5450,143 +5899,69 @@ var HOME_PAGE = `01.software MCP Server
 ======================
 
 MCP server for AI agents to interact with the 01.software API.
-Manage content, products, orders, and more.
+Connect over HTTP with OAuth, or use the local CLI stdio transport for full
+server-key operations.
 
 
 Authentication
 --------------
 
-All requests require both:
-  x-api-key          opaque bearer token
-  x-publishable-key publishable key for routing, rate limits, and quota enforcement
-
-Use x-client-key as a legacy alias for x-publishable-key.
-
-Accepted formats:
-  sk01_{40hex}   tenant API key (Console > Settings > API Keys)
-  pat01_{40hex}  personal access token (user-scoped local workflow)
-  pk01_{...}     publishable key
-
-  export SOFTWARE_PUBLISHABLE_KEY=pk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  export SOFTWARE_SECRET_KEY=sk01_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-
+HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
+Clients should connect to:
 
 Connect
 -------
 
 Claude Code:
 
-  claude mcp add --transport http \\
-    --header "x-api-key: $SOFTWARE_SECRET_KEY" \\
-    --header "x-publishable-key: $SOFTWARE_PUBLISHABLE_KEY" \\
-    01software https://mcp.01.software/mcp
+  claude mcp add --transport http 01software https://mcp.01.software/mcp
 
-Codex (.codex/config.toml, project-safe when using env vars):
+Codex (.codex/config.toml):
 
   [mcp_servers.01software]
   url = "https://mcp.01.software/mcp"
 
-  [mcp_servers.01software.env_http_headers]
-  x-api-key = "SOFTWARE_SECRET_KEY"
-  x-publishable-key = "SOFTWARE_PUBLISHABLE_KEY"
+Cursor / Claude Desktop / other JSON clients:
 
-  // or .mcp.json
   {
     "mcpServers": {
       "01software": {
         "type": "http",
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
+        "url": "https://mcp.01.software/mcp"
       }
     }
   }
 
-Cursor (.cursor/mcp.json):
+Windsurf (~/.codeium/windsurf/mcp_config.json):
 
   {
     "mcpServers": {
       "01software": {
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
+        "serverUrl": "https://mcp.01.software/mcp"
       }
     }
   }
 
-Windsurf (~/.codeium/windsurf/mcp_config.json):
+CLI (stdio):
 
-  {
-    "mcpServers": {
-      "01software": {
-        "serverUrl": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
-      }
-    }
-  }
+  npx @01.software/cli mcp
 
-VS Code (.vscode/mcp.json):
 
-  {
-    "servers": {
-      "01software": {
-        "type": "http",
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${input:01software-api-key}",
-          "x-publishable-key": "\${input:01software-publishable-key}"
-        }
-      }
-    }
-  }
+HTTP OAuth Tools
+----------------
 
-Claude Desktop (claude_desktop_config.json):
+Schema       get-collection-schema
+Context      get-tenant-context
+Field Config list-configurable-fields, update-field-config
+Guidance     sdk-get-recipe, sdk-search-docs, sdk-get-auth-setup, sdk-get-collection-pattern
 
-  {
-    "mcpServers": {
-      "01software": {
-        "url": "https://mcp.01.software/mcp",
-        "headers": {
-          "x-api-key": "\${env:SOFTWARE_SECRET_KEY}",
-          "x-publishable-key": "\${env:SOFTWARE_PUBLISHABLE_KEY}"
-        }
-      }
-    }
-  }
+Full Tool Surface
+-----------------
 
-CLI (stdio):
+The local CLI stdio transport exposes CRUD, commerce, cart, validation, product,
+schema, context, field-config, and guidance tools:
 
   npx @01.software/cli mcp
-  # Reads SOFTWARE_SECRET_KEY=sk01_... or pat01_...
-  # Also reads SOFTWARE_PUBLISHABLE_KEY for CDN routing, rate limits, and quota enforcement
-
-Security: never commit raw sk01_... or pat01_... tokens to repo-local MCP
-config files. Prefer client secret prompts, environment interpolation, OS secret
-managers, or ignored local files. Avoid passing real tokens directly on
-shared-machine command lines because shell history and process listings can
-expose them.
-
-
-Tools (34)
-----------
-
-CRUD        query, get, create, update, delete, delete-many, update-many
-Orders      create-order, checkout, get-order, update-order, create-fulfillment, update-fulfillment, update-transaction
-Returns     create-return, update-return, return-with-refund
-Cart        add-cart-item, update-cart-item, remove-cart-item, clear-cart, apply-discount, remove-discount
-Validation  validate-discount, calculate-shipping
-Products    stock-check
-Schema      get-collection-schema
-Context     get-tenant-context
-Field Config list-configurable-fields, update-field-config
-Guidance    sdk-get-recipe, sdk-search-docs, sdk-get-auth-setup, sdk-get-collection-pattern
 
 Prompts (4): sdk-usage-guide, collection-query-help, order-flow-guide, feature-setup-guide
 Resources (12): config, collections-schema, getting-started, guides, api, query-builder, react-query, server-api, customer-auth, browser-vs-server, file-upload, webhook
@@ -5600,6 +5975,19 @@ SDK             https://01.software/docs/sdk/client
 API Reference   https://01.software/docs/api/rest-api
 Console         https://console.01.software
 `;
+var PROTECTED_RESOURCE_METADATA = JSON.stringify({
+  resource: MCP_RESOURCE_AUDIENCE,
+  authorization_servers: [MCP_OAUTH_ISSUER],
+  scopes_supported: [MCP_SCOPES.read, MCP_SCOPES.write]
+});
+var SERVICE_JWKS_PATH = "/.well-known/service-jwks.json";
+function writeOAuthError(res, status, error, description) {
+  res.writeHead(status, {
+    "Content-Type": "application/json",
+    "WWW-Authenticate": `Bearer resource_metadata="${MCP_PROTECTED_RESOURCE_METADATA_PATH}", error="${error}", error_description="${description}"`
+  });
+  res.end(JSON.stringify({ error, error_description: description }));
+}
 async function handler18(req, res) {
   setCors(res);
   if (req.method === "OPTIONS") {
@@ -5608,6 +5996,30 @@ async function handler18(req, res) {
     return;
   }
   if (req.method === "GET") {
+    const pathname = new URL(req.url ?? "/", MCP_RESOURCE_AUDIENCE).pathname;
+    if (pathname === MCP_PROTECTED_RESOURCE_METADATA_PATH) {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(PROTECTED_RESOURCE_METADATA);
+      return;
+    }
+    if (pathname === SERVICE_JWKS_PATH) {
+      res.setHeader("Access-Control-Allow-Origin", "*");
+      try {
+        res.writeHead(200, {
+          "Cache-Control": "public, max-age=60",
+          "Content-Type": "application/json"
+        });
+        res.end(JSON.stringify(mcpServicePublicJwks()));
+      } catch {
+        res.writeHead(503, {
+          "Cache-Control": "no-store",
+          "Content-Type": "application/json"
+        });
+        res.end(JSON.stringify({ keys: [] }));
+      }
+      return;
+    }
     res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
     res.end(HOME_PAGE);
     return;
@@ -5617,20 +6029,14 @@ async function handler18(req, res) {
     res.end(METHOD_NOT_ALLOWED);
     return;
   }
-  const apiKey = getHeaderValue(req.headers, "x-api-key");
-  const auth = validateApiKey(apiKey);
+  const auth = await validateBearerAuthorizationHeaderAsync(
+    getHeaderValue(req.headers, "authorization")
+  );
   if (!auth.valid) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: auth.error }));
-    return;
-  }
-  const publishableKey = getHeaderValue(req.headers, "x-publishable-key") ?? getHeaderValue(req.headers, "x-client-key");
-  if (!publishableKey) {
-    res.writeHead(401, { "Content-Type": "application/json" });
-    res.end(JSON.stringify({ error: "x-publishable-key header is required" }));
+    writeOAuthError(res, auth.error === "insufficient_scope" ? 403 : 401, auth.error, auth.errorDescription);
     return;
   }
-  const server = createServer();
+  const server = createServer({ toolSurface: "oauth" });
   const transport = new StreamableHTTPServerTransport({
     sessionIdGenerator: void 0
   });
@@ -5645,25 +6051,37 @@ async function handler18(req, res) {
     void close();
   });
   await server.connect(transport);
-  const headers2 = new Headers();
+  const headers = new Headers();
   for (const [key, value] of Object.entries(req.headers)) {
-    if (typeof value === "string") headers2.set(key, value);
-    else if (Array.isArray(value)) headers2.set(key, value.join(", "));
+    if (typeof value === "string") headers.set(key, value);
+    else if (Array.isArray(value)) headers.set(key, value.join(", "));
   }
-  await requestContext.run({ headers: headers2 }, async () => {
+  await requestContext.run({ headers, auth: auth.context }, async () => {
     try {
       const body = req.body ?? JSON.parse(await readBody(req));
       await transport.handleRequest(req, res, body);
-    } catch {
-      if (!res.headersSent) {
-        res.writeHead(500, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Internal server error" }));
-      }
+    } catch (err) {
+      writeRequestError(res, err);
     } finally {
       await close();
     }
   });
 }
+function writeRequestError(res, err) {
+  if (res.headersSent) return;
+  if (err instanceof SyntaxError) {
+    res.writeHead(400, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Invalid JSON body" }));
+    return;
+  }
+  if (err instanceof Error && err.message === "Request body too large") {
+    res.writeHead(413, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Request body too large" }));
+    return;
+  }
+  res.writeHead(500, { "Content-Type": "application/json" });
+  res.end(JSON.stringify({ error: "Internal server error" }));
+}
 export {
   handler18 as default
 };