@01.software/cli 0.8.0 → 0.10.0

package/dist/mcp/vercel.js

@@ -1,18 +1,23 @@
 // src/handler.ts
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
-import {
-  MCP_OAUTH_ISSUER as MCP_OAUTH_ISSUER3,
-  MCP_PROTECTED_RESOURCE_METADATA_PATH,
-  MCP_RESOURCE_AUDIENCE as MCP_RESOURCE_AUDIENCE2,
-  MCP_SCOPES as MCP_SCOPES2
-} from "@01.software/auth-contracts";
+
+// ../../packages/auth-contracts/dist/index.js
+var MCP_RESOURCE_AUDIENCE = "https://mcp.01.software/mcp";
+var MCP_OAUTH_ISSUER = "https://01.software";
+var MCP_PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource/mcp";
+var MCP_TENANT_CLAIM = "tenant_id";
+var MCP_TENANT_ROLE_CLAIM = "tenant_role";
+var MCP_SCOPES = {
+  read: "mcp:read",
+  write: "mcp:write"
+};
+var MCP_CONSOLE_SERVICE_AUDIENCE = "https://api.01.software/internal/mcp";
+var MCP_CONSOLE_SERVICE_SCOPE = "console:mcp_proxy";
+var MCP_SERVICE_TOKEN_LIFETIME_SECONDS = 60;
 
 // src/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-// src/tools/query-collection.ts
-import { z } from "zod";
-
 // src/lib/request-context.ts
 import { AsyncLocalStorage } from "async_hooks";
 var requestContext = new AsyncLocalStorage();
@@ -23,25 +28,631 @@ function hasRequestContext() {
   return requestContext.getStore() !== void 0;
 }
 
-// src/lib/client.ts
-import {
-  CollectionClient,
-  CommunityClient,
-  ModerationApi,
-  ServerCommerceClient,
-  createServerClient
-} from "@01.software/sdk";
+// src/lib/tool-utils.ts
+function toolSuccess(data) {
+  return JSON.stringify({ success: true, ...data }, null, 2);
+}
+function toolError(error) {
+  const base = { success: false };
+  const isStructured = !!error && typeof error === "object" && ("code" in error || "reason" in error);
+  if (isStructured) {
+    const sdkErr = error;
+    base.error = sdkErr.message || "Unknown error";
+    if (sdkErr.status) base.status = sdkErr.status;
+    if (sdkErr.code) base.code = sdkErr.code;
+    if (sdkErr.reason) base.reason = sdkErr.reason;
+    if (sdkErr.requestId) base.requestId = sdkErr.requestId;
+    if (sdkErr.suggestion) base.suggestion = sdkErr.suggestion;
+    if (sdkErr.details?.errors) base.errors = sdkErr.details.errors;
+  } else {
+    base.error = error instanceof Error ? error.message : "Unknown error";
+  }
+  return JSON.stringify(base, null, 2);
+}
+var MAX_QUERY_DEPTH = 5;
+function checkDepth(obj, depth = 0) {
+  if (depth > MAX_QUERY_DEPTH) return false;
+  if (obj && typeof obj === "object") {
+    for (const val of Object.values(obj)) {
+      if (!checkDepth(val, depth + 1)) return false;
+    }
+  }
+  return true;
+}
+function parseJsonWhere(where) {
+  try {
+    const parsed = JSON.parse(where);
+    if (!checkDepth(parsed)) {
+      return {
+        success: false,
+        error: JSON.stringify(
+          {
+            success: false,
+            error: `Query exceeds maximum nesting depth of ${MAX_QUERY_DEPTH}`
+          },
+          null,
+          2
+        )
+      };
+    }
+    return { success: true, data: parsed };
+  } catch {
+    return {
+      success: false,
+      error: JSON.stringify(
+        {
+          success: false,
+          error: `Invalid JSON in "where" parameter: ${where.length > 100 ? where.substring(0, 100) + "..." : where}`
+        },
+        null,
+        2
+      )
+    };
+  }
+}
+
+// ../../packages/contracts/src/tenant/index.ts
+import { z } from "zod";
+var tenantFieldConfigStateSchema = z.object({
+  hiddenFields: z.array(z.string()),
+  isHidden: z.boolean()
+}).strict();
+var tenantContextQuerySchema = z.object({
+  counts: z.literal("true").optional()
+}).strict();
+var tenantContextToolInputSchema = z.object({
+  includeCounts: z.boolean().optional().default(false).describe(
+    "Include per-collection document counts and config status (bypasses cache, slower)"
+  )
+}).strict();
+var tenantContextResponseSchema = z.object({
+  tenant: z.object({
+    id: z.string(),
+    name: z.string(),
+    plan: z.string(),
+    planSource: z.string().optional(),
+    authoritative: z.boolean().optional(),
+    capabilityVersion: z.string().optional()
+  }).strict(),
+  features: z.array(z.string()),
+  collections: z.object({
+    active: z.array(z.string()),
+    inactive: z.array(z.string())
+  }).strict(),
+  fieldConfigs: z.record(z.string(), tenantFieldConfigStateSchema),
+  counts: z.record(z.string(), z.number()).optional(),
+  config: z.object({
+    webhookConfigured: z.boolean()
+  }).strict().optional()
+}).strict();
+var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
+var collectionSchemaEndpointParamsSchema = z.object({
+  collectionSlug: z.string().min(1, "collectionSlug is required")
+}).strict();
+function createCollectionSchemaToolInputSchema(collections) {
+  return z.object({
+    collection: z.enum(collections).describe("Collection name (required)")
+  }).strict();
+}
+var collectionFieldOptionSchema = z.object({
+  label: z.string(),
+  value: z.string()
+}).strict();
+var collectionFieldSchema = z.lazy(
+  () => z.object({
+    name: z.string(),
+    path: z.string(),
+    type: z.string(),
+    required: z.literal(true).optional(),
+    unique: z.literal(true).optional(),
+    hasMany: z.literal(true).optional(),
+    relationTo: z.union([z.string(), z.array(z.string())]).optional(),
+    options: z.array(collectionFieldOptionSchema).optional(),
+    hidden: z.literal(true).optional(),
+    systemManaged: z.literal(true).optional(),
+    writable: z.boolean().optional(),
+    fields: z.array(collectionFieldSchema).optional()
+  }).strict()
+);
+var collectionSchemaResponseSchema = z.object({
+  contractVersion: z.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
+  mode: z.literal("effective"),
+  collection: z.object({
+    slug: z.string(),
+    timestamps: z.boolean(),
+    alwaysActive: z.boolean(),
+    feature: z.string().nullable(),
+    systemFields: z.array(z.string()),
+    visibility: z.object({
+      collectionHidden: z.boolean(),
+      hiddenFields: z.array(z.string())
+    }).strict(),
+    fields: z.array(collectionFieldSchema)
+  }).strict()
+}).strict();
+
+// ../../packages/contracts/src/ecommerce/index.ts
+import { z as z2 } from "zod";
+var transactionStatusSchema = z2.enum([
+  "pending",
+  "paid",
+  "failed",
+  "canceled"
+]);
+var updateTransactionSchema = z2.object({
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
+  status: transactionStatusSchema.describe(
+    "New transaction status (required)"
+  ),
+  paymentMethod: z2.string().optional().describe("Payment method (optional)"),
+  receiptUrl: z2.string().optional().describe("Receipt URL (optional)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
+  amount: z2.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
+}).strict();
+var UpdateTransactionSchema = updateTransactionSchema;
+var returnReasonSchema = z2.enum([
+  "change_of_mind",
+  "defective",
+  "wrong_delivery",
+  "damaged",
+  "other"
+]);
+var restockActionSchema = z2.enum(["return_to_stock", "discard"]);
+var returnWithRefundItemSchema = z2.object({
+  orderItem: z2.union([z2.string(), z2.number()]).transform(String),
+  quantity: z2.number().int().positive("quantity must be a positive integer"),
+  restockAction: restockActionSchema.default("return_to_stock")
+}).strict();
+var returnWithRefundSchema = z2.object({
+  orderNumber: z2.string().min(1, "orderNumber is required").describe("Order number (required)"),
+  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
+  reasonDetail: z2.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z2.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
+  refundAmount: z2.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified refund"),
+  refundReceiptUrl: z2.string().optional().describe("Refund receipt URL (optional)")
+}).strict();
+var ReturnWithRefundSchema = returnWithRefundSchema;
+
+// ../../packages/contracts/src/mcp/index.ts
+var MCP_TOOL_CONTRACT = {
+  "query-collection": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-by-id": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-order": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "stock-check": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "validate-discount": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "calculate-shipping": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-schema": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "list-configurable-fields": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-tenant-context": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "add-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "clear-cart": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "apply-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  checkout: {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "return-with-refund": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-transaction": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-field-config": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "sdk-get-recipe": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-search-docs": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-auth-setup": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-collection-pattern": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  }
+};
+var MCP_TOOL_NAMES = Object.keys(
+  MCP_TOOL_CONTRACT
+);
+function isMcpToolName(toolName) {
+  return Object.prototype.hasOwnProperty.call(MCP_TOOL_CONTRACT, toolName);
+}
+
+// src/tool-policy.ts
+var READ_ONLY_ANNOTATION = {
+  readOnly: true,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: false,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: false,
+  openWorld: false
+};
+var DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: true,
+  openWorld: false
+};
+var REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE = "Update operations mutate persisted state but converge to the same end state under repeated identical input.";
+var REASON_CART_EPHEMERAL = "Cart is pre-checkout ephemeral state; reversal is possible by reissuing the prior input. Console enforces tenant scope.";
+var TOOL_POLICY_MANIFEST = {
+  // ── Read-only collection / validation (mcp:read, tenant-viewer) ──
+  "query-collection": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-by-id": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-order": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/orders/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "stock-check": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/products/{id}/stock",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "validate-discount": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/discounts/validate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "calculate-shipping": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/shipping/calculate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-schema": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/schema/{collectionSlug}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "list-configurable-fields": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/field-config",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Tenant context (mcp:read, tenant-viewer) ──
+  "get-tenant-context": {
+    category: "read-only-tenant",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/context",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Cart mutations (mcp:write, tenant-editor) ──
+  "add-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/items",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "PATCH /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "clear-cart": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/clear",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "apply-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  // ── Order mutations (mcp:write, tenant-admin) ──
+  "checkout": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/checkout",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "create-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/orders/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Fulfillment mutations (mcp:write, tenant-admin) ──
+  "create-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders/{id}/fulfillments",
+    annotationPolicy: NON_DESTRUCTIVE_MUTATION_ANNOTATION
+  },
+  "update-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/fulfillments/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Return mutations (mcp:write, tenant-admin) ──
+  "create-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/returns/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  "return-with-refund": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns/with-refund",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Transaction mutations (mcp:write, tenant-admin) ──
+  "update-transaction": {
+    category: "mutation-transaction",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/transactions/{id}",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Field-config mutations (mcp:write, tenant-admin) ──
+  "update-field-config": {
+    category: "mutation-field-config",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/tenants/field-config",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── SDK doc tools (mcp:read, tenant-viewer, sdk-static surface) ──
+  "sdk-get-recipe": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-search-docs": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-auth-setup": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-collection-pattern": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  }
+};
+function evaluateToolPolicy(toolName, scopes) {
+  if (!isMcpToolName(toolName)) {
+    return {
+      allowed: false,
+      reason: "tool_policy_missing",
+      message: `No tool-policy entry for ${toolName}`
+    };
+  }
+  const entry = TOOL_POLICY_MANIFEST[toolName];
+  if (!scopes.includes(entry.oauthScope)) {
+    return {
+      allowed: false,
+      reason: "insufficient_scope",
+      message: `Tool ${toolName} requires ${entry.oauthScope}`
+    };
+  }
+  return { allowed: true, entry };
+}
+
+// src/lib/mcp-telemetry.ts
+import { AsyncLocalStorage as AsyncLocalStorage2 } from "async_hooks";
+import { randomUUID as randomUUID2 } from "crypto";
+
+// src/lib/console-api.ts
+import { createHash } from "crypto";
 
 // src/service-auth.ts
 import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
-import {
-  MCP_CONSOLE_SERVICE_AUDIENCE,
-  MCP_CONSOLE_SERVICE_SCOPE,
-  MCP_OAUTH_ISSUER,
-  MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
-  MCP_TENANT_CLAIM,
-  MCP_TENANT_ROLE_CLAIM
-} from "@01.software/auth-contracts";
 var KEYSET_ENV = "MCP_SERVICE_KEYSET";
 function assertProductionKeysetUse(source) {
   const vercelEnv = process.env.VERCEL_ENV;
@@ -167,136 +778,243 @@ function signMcpServiceToken(context) {
   return `${signingInput}.${signature.toString("base64url")}`;
 }
 
-// src/lib/client.ts
+// src/lib/console-api.ts
+var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
+var TIMEOUT_MS = 5e3;
 var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function getClient() {
+function resolveAuthHeaderContext() {
   const oauthContext = tenantAuthContext();
   if (oauthContext) {
-    const serviceToken = signMcpServiceToken(oauthContext);
-    const client = {
-      lastRequestId: null,
-      commerce: void 0,
-      collections: void 0,
-      community: void 0
-    };
-    const onRequestId = (id) => {
-      client.lastRequestId = id;
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-    client.commerce = new ServerCommerceClient({
-      secretKey: serviceToken,
-      onRequestId
-    });
-    client.collections = new CollectionClient(
-      "",
-      serviceToken,
-      void 0,
-      void 0,
-      onRequestId
-    );
-    const community = new CommunityClient({ secretKey: serviceToken });
-    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
-    client.community = Object.assign(community, {
-      moderation: {
-        banCustomer: moderation.banCustomer.bind(moderation),
-        unbanCustomer: moderation.unbanCustomer.bind(moderation)
-      }
-    });
-    return client;
   }
   if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
-  const secretKey = process.env.SOFTWARE_SECRET_KEY;
-  const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
-  if (!secretKey) {
+  return {
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+  };
+}
+function resolveApiKey() {
+  const { apiKey } = resolveAuthHeaderContext();
+  if (!apiKey || typeof apiKey !== "string") {
     throw new Error(
       "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
   }
-  if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
-    throw new Error("Invalid SOFTWARE_SECRET_KEY format. Expected sk01_ or pat01_ token.");
-  }
-  if (!publishableKey) {
-    throw new Error(
-      "publishableKey is required. Set SOFTWARE_PUBLISHABLE_KEY for stdio transport. It is used for rate limiting and monthly quota enforcement via the edge proxy."
-    );
+  return apiKey;
+}
+function buildAuthHeaders(apiKey) {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
+    Authorization: `Bearer ${apiKey}`
+  };
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
   }
-  return createServerClient({
-    publishableKey,
-    secretKey
-  });
+  return headers;
 }
-
-// src/tools/query-collection.ts
-import { COLLECTIONS } from "@01.software/sdk";
-
-// src/lib/tool-utils.ts
-function toolSuccess(data) {
-  return JSON.stringify({ success: true, ...data }, null, 2);
+function extractErrorMessage(body) {
+  if (!body || typeof body !== "object") return void 0;
+  const b = body;
+  if (typeof b.error === "string") return b.error;
+  if (Array.isArray(b.errors) && b.errors[0]?.message) {
+    return String(b.errors[0].message);
+  }
+  if (typeof b.message === "string") return b.message;
+  return void 0;
 }
-function toolError(error) {
-  const base = { success: false };
-  if (error && typeof error === "object" && "code" in error) {
-    const sdkErr = error;
-    base.error = sdkErr.message || "Unknown error";
-    if (sdkErr.status) base.status = sdkErr.status;
-    if (sdkErr.code) base.code = sdkErr.code;
-    if (sdkErr.suggestion) base.suggestion = sdkErr.suggestion;
-    if (sdkErr.details?.errors) base.errors = sdkErr.details.errors;
-  } else {
-    base.error = error instanceof Error ? error.message : "Unknown error";
+async function consoleGet(path, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      headers: authHeaders,
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(body);
+      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
   }
-  return JSON.stringify(base, null, 2);
 }
-var MAX_QUERY_DEPTH = 5;
-function checkDepth(obj, depth = 0) {
-  if (depth > MAX_QUERY_DEPTH) return false;
-  if (obj && typeof obj === "object") {
-    for (const val of Object.values(obj)) {
-      if (!checkDepth(val, depth + 1)) return false;
+async function consolePost(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
     }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
   }
-  return true;
 }
-function parseJsonWhere(where) {
+async function consolePostTelemetry(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
   try {
-    const parsed = JSON.parse(where);
-    if (!checkDepth(parsed)) {
-      return {
-        success: false,
-        error: JSON.stringify(
-          {
-            success: false,
-            error: `Query exceeds maximum nesting depth of ${MAX_QUERY_DEPTH}`
-          },
-          null,
-          2
-        )
-      };
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
     }
-    return { success: true, data: parsed };
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+// src/lib/mcp-telemetry.ts
+var TELEMETRY_ENDPOINT = "/api/tenants/mcp-telemetry";
+var FLUSH_TIMEOUT_MS = 1500;
+var telemetryContext = new AsyncLocalStorage2();
+function createMcpTelemetrySummary(transport) {
+  return {
+    sessionId: randomUUID2(),
+    startedAtMs: Date.now(),
+    successfulWriteCount: 0,
+    toolCallCount: 0,
+    toolCounts: /* @__PURE__ */ new Map(),
+    transport
+  };
+}
+function currentMcpTelemetrySummary() {
+  return telemetryContext.getStore();
+}
+function runWithMcpTelemetry(summary, fn) {
+  return telemetryContext.run(summary, fn);
+}
+function recordMcpToolResult(params) {
+  if (!isMcpToolName(params.toolName)) return;
+  const toolName = params.toolName;
+  params.summary.toolCallCount += 1;
+  params.summary.toolCounts.set(
+    toolName,
+    (params.summary.toolCounts.get(toolName) ?? 0) + 1
+  );
+  if (!MCP_TOOL_CONTRACT[toolName].readOnly && toolResultSucceeded(params.resultText)) {
+    params.summary.successfulWriteCount += 1;
+  }
+}
+function toMcpTelemetryBody(summary) {
+  if (summary.toolCallCount <= 0) return null;
+  const durationMs = summary.transport === "http" ? Math.max(0, summary.durationMs ?? Date.now() - summary.startedAtMs) : void 0;
+  return {
+    converted: summary.successfulWriteCount > 0,
+    ...durationMs !== void 0 ? { durationMs } : {},
+    sessionId: summary.sessionId,
+    successfulWriteCount: summary.successfulWriteCount,
+    toolCallCount: summary.toolCallCount,
+    toolCounts: Object.fromEntries(summary.toolCounts),
+    transport: summary.transport
+  };
+}
+async function flushMcpTelemetrySummary(summary) {
+  const body = toMcpTelemetryBody(summary);
+  if (!body) return;
+  await swallow(
+    withTimeout(async () => {
+      const apiKey = resolveApiKey();
+      await consolePostTelemetry(TELEMETRY_ENDPOINT, body, apiKey);
+    }, FLUSH_TIMEOUT_MS)
+  );
+}
+function toolResultSucceeded(resultText) {
+  if (!resultText) return false;
+  try {
+    const parsed = JSON.parse(resultText);
+    return parsed.success === true;
+  } catch {
+    return false;
+  }
+}
+async function withTimeout(fn, timeoutMs) {
+  let timer;
+  await Promise.race([
+    fn(),
+    new Promise((resolve) => {
+      timer = setTimeout(resolve, timeoutMs);
+    })
+  ]);
+  if (timer) clearTimeout(timer);
+}
+async function swallow(promise) {
+  try {
+    await promise;
   } catch {
-    return {
-      success: false,
-      error: JSON.stringify(
-        {
-          success: false,
-          error: `Invalid JSON in "where" parameter: ${where.length > 100 ? where.substring(0, 100) + "..." : where}`
-        },
-        null,
-        2
-      )
-    };
   }
 }
 
 // src/tools/query-collection.ts
+import { z as z3 } from "zod";
+
+// src/lib/client.ts
+import { createServerClient } from "@01.software/sdk";
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+var HTTP_OAUTH_SDK_CLIENT_ERROR = "MCP HTTP OAuth requests cannot use SDK-backed tools. Use reviewed Console service endpoints for OAuth transport.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    throw new Error(HTTP_OAUTH_SDK_CLIENT_ERROR);
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
+  const secretKey = process.env.SOFTWARE_SECRET_KEY;
+  const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
+  if (!secretKey) {
+    throw new Error(
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
+    );
+  }
+  if (!secretKey.startsWith("sk01_") && !secretKey.startsWith("pat01_")) {
+    throw new Error("Invalid SOFTWARE_SECRET_KEY format. Expected sk01_ or pat01_ token.");
+  }
+  if (!publishableKey) {
+    throw new Error(
+      "publishableKey is required. Set SOFTWARE_PUBLISHABLE_KEY for stdio transport. It is used for rate limiting and monthly quota enforcement via the edge proxy."
+    );
+  }
+  return createServerClient({
+    publishableKey,
+    secretKey
+  });
+}
+
+// src/tools/query-collection.ts
+import { SERVER_COLLECTIONS } from "@01.software/sdk";
 var schema = {
-  collection: z.enum(COLLECTIONS).describe("Collection name (required)"),
-  where: z.string().optional().describe(
+  collection: z3.enum(SERVER_COLLECTIONS).describe("Collection name (required)"),
+  where: z3.string().optional().describe(
     `Filter conditions (JSON string, optional). Pass the Payload query condition object as a JSON string. Example: '{"title":{"equals":"Product name"}}'`
   ),
-  limit: z.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
-  page: z.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
-  sort: z.string().regex(/^-?[a-zA-Z0-9_.]+$/, 'Sort must be a field name, optionally prefixed with "-" for descending').optional().describe(
+  limit: z3.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
+  page: z3.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
+  sort: z3.string().regex(
+    /^-?[a-zA-Z0-9_.]+$/,
+    'Sort must be a field name, optionally prefixed with "-" for descending'
+  ).optional().describe(
     'Sort field (optional). Use "fieldName" for ascending or "-fieldName" for descending. Example: "createdAt" or "-createdAt"'
   )
 };
@@ -350,11 +1068,11 @@ async function queryCollection({
 }
 
 // src/tools/get-collection-by-id.ts
-import { z as z2 } from "zod";
-import { COLLECTIONS as COLLECTIONS2 } from "@01.software/sdk";
+import { z as z4 } from "zod";
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS2 } from "@01.software/sdk";
 var schema2 = {
-  collection: z2.enum(COLLECTIONS2).describe("Collection name (required)"),
-  id: z2.string().min(1).describe("Item ID (required)")
+  collection: z4.enum(SERVER_COLLECTIONS2).describe("Collection name (required)"),
+  id: z4.string().min(1).describe("Item ID (required)")
 };
 var metadata2 = {
   name: "get-collection-by-id",
@@ -379,201 +1097,12 @@ async function getCollectionById({
   }
 }
 
-// src/tools/create-collection.ts
-import { z as z3 } from "zod";
-import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
+// src/tools/get-order.ts
+import { z as z5 } from "zod";
 var schema3 = {
-  collection: z3.enum(COLLECTIONS3).describe("Collection name (required)"),
-  data: z3.record(z3.string(), z3.unknown()).describe(
-    "Data to create (required). Use get-collection-schema first to understand writable fields, hidden fields, and required metadata. Server will validate and reject invalid fields."
-  )
+  orderNumber: z5.string().min(1).describe("Order number to look up (required)")
 };
 var metadata3 = {
-  name: "create-collection",
-  description: "Create a new collection item",
-  annotations: {
-    title: "Create collection item",
-    readOnlyHint: false,
-    destructiveHint: false,
-    idempotentHint: false
-  }
-};
-async function createCollection({
-  collection,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).create(data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-collection.ts
-import { z as z4 } from "zod";
-import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
-var schema4 = {
-  collection: z4.enum(COLLECTIONS4).describe("Collection name (required)"),
-  id: z4.string().min(1).describe("Item ID (required)"),
-  data: z4.record(z4.string(), z4.unknown()).describe(
-    "Data to update (required). Use get-collection-by-id first to check current structure, then get-collection-schema to confirm writable fields and required metadata. Server will validate and reject invalid fields."
-  )
-};
-var metadata4 = {
-  name: "update-collection",
-  description: "Update an existing collection item",
-  annotations: {
-    title: "Update collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function updateCollection({
-  collection,
-  id,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).update(id, data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-collection.ts
-import { z as z5 } from "zod";
-import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
-var schema5 = {
-  collection: z5.enum(COLLECTIONS5).describe("Collection name (required)"),
-  id: z5.string().min(1).describe("Item ID (required)")
-};
-var metadata5 = {
-  name: "delete-collection",
-  description: "Delete a collection item",
-  annotations: {
-    title: "Delete collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteCollection({
-  collection,
-  id
-}) {
-  try {
-    const client = getClient();
-    await client.collections.from(collection).remove(id);
-    return toolSuccess({ message: "Deleted successfully." });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-many-collection.ts
-import { z as z6 } from "zod";
-import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
-var schema6 = {
-  collection: z6.enum(COLLECTIONS6).describe("Collection name (required)"),
-  where: z6.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to delete. Example: '{"status":{"equals":"archived"}}'`
-  )
-};
-var metadata6 = {
-  name: "delete-many-collection",
-  description: "Bulk delete collection items matching a filter. All matching items will be permanently deleted.",
-  annotations: {
-    title: "Bulk delete collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteManyCollection({
-  collection,
-  where
-}) {
-  try {
-    const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk deletes. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).removeMany(parsed.data);
-    return toolSuccess({
-      totalDocs: result.totalDocs,
-      message: `Deleted ${result.totalDocs} item(s).`
-    });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-many-collection.ts
-import { z as z7 } from "zod";
-import { COLLECTIONS as COLLECTIONS7 } from "@01.software/sdk";
-var schema7 = {
-  collection: z7.enum(COLLECTIONS7).describe("Collection name (required)"),
-  where: z7.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to update. Example: '{"status":{"equals":"draft"}}'`
-  ),
-  data: z7.record(z7.string(), z7.unknown()).describe(
-    "Data to update (required). Partial updates supported. Server will validate and reject invalid fields."
-  )
-};
-var metadata7 = {
-  name: "update-many-collection",
-  description: "Bulk update collection items matching a filter. All matching items will be updated with the provided data.",
-  annotations: {
-    title: "Bulk update collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function updateManyCollection({
-  collection,
-  where,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk updates. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).updateMany(parsed.data, data);
-    return toolSuccess({
-      data: result.docs,
-      totalDocs: result.totalDocs,
-      message: `Updated ${result.totalDocs} item(s).`
-    });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/get-order.ts
-import { z as z8 } from "zod";
-var schema8 = {
-  orderNumber: z8.string().min(1).describe("Order number to look up (required)")
-};
-var metadata8 = {
   name: "get-order",
   description: "Get order details by order number. Returns order with related data (depth:1).",
   annotations: {
@@ -601,26 +1130,26 @@ async function getOrder({
 }
 
 // src/tools/create-order.ts
-import { z as z9 } from "zod";
-var schema9 = {
-  pgPaymentId: z9.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z9.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z9.object({
-    name: z9.string().optional().describe("Customer name"),
-    email: z9.string().describe("Customer email (required)"),
-    phone: z9.string().optional().describe("Customer phone")
+import { z as z6 } from "zod";
+var schema4 = {
+  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z6.object({
+    name: z6.string().optional().describe("Customer name"),
+    email: z6.string().describe("Customer email (required)"),
+    phone: z6.string().optional().describe("Customer phone")
   }).describe("Customer snapshot at time of order (required)"),
-  shippingAddress: z9.record(z9.string(), z9.unknown()).describe(
+  shippingAddress: z6.record(z6.string(), z6.unknown()).describe(
     "Shipping address object (required). Fields: postalCode, address1, address2, deliveryMessage, recipientName, phone"
   ),
-  orderItems: z9.array(z9.record(z9.string(), z9.unknown())).describe(
+  orderItems: z6.array(z6.record(z6.string(), z6.unknown())).describe(
     "Array of order item objects (required). Each: { product, variant, option, quantity, unitPrice?, totalPrice? }"
   ),
-  totalAmount: z9.number().nonnegative().describe("Total order amount (required, min 0)"),
-  shippingAmount: z9.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
-  discountCode: z9.string().optional().describe("Discount code to apply (optional)")
+  totalAmount: z6.number().nonnegative().describe("Total order amount (required, min 0)"),
+  shippingAmount: z6.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
+  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata9 = {
+var metadata4 = {
   name: "create-order",
   description: "Create a new order with products and shipping information. Supports idempotency.",
   annotations: {
@@ -643,10 +1172,10 @@ async function createOrder(params) {
 }
 
 // src/tools/update-order.ts
-import { z as z10 } from "zod";
-var schema10 = {
-  orderNumber: z10.string().min(1).describe("Order number (required)"),
-  status: z10.enum([
+import { z as z7 } from "zod";
+var schema5 = {
+  orderNumber: z7.string().min(1).describe("Order number (required)"),
+  status: z7.enum([
     "pending",
     "paid",
     "failed",
@@ -659,7 +1188,7 @@ var schema10 = {
     "New order status. Return-related statuses (return_requested, return_processing, returned) must be set via Return endpoints."
   )
 };
-var metadata10 = {
+var metadata5 = {
   name: "update-order",
   description: "Update order status. Automatically adjusts stock on status changes (e.g., canceled restores stock).",
   annotations: {
@@ -683,17 +1212,17 @@ async function updateOrder({
 }
 
 // src/tools/checkout.ts
-import { z as z11 } from "zod";
-var schema11 = {
-  cartId: z11.string().min(1).describe("Cart ID to convert to order (required)"),
-  pgPaymentId: z11.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z11.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z11.record(z11.string(), z11.unknown()).describe(
+import { z as z8 } from "zod";
+var schema6 = {
+  cartId: z8.string().min(1).describe("Cart ID to convert to order (required)"),
+  pgPaymentId: z8.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z8.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z8.record(z8.string(), z8.unknown()).describe(
     "Customer snapshot object (required). Fields: { name?, email, phone? }"
   ),
-  discountCode: z11.string().optional().describe("Discount code to apply (optional)")
+  discountCode: z8.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata11 = {
+var metadata6 = {
   name: "checkout",
   description: "Convert a cart to an order. Validates stock, creates order and transaction, marks cart as completed. Supports idempotency.",
   annotations: {
@@ -716,21 +1245,21 @@ async function checkout(params) {
 }
 
 // src/tools/create-fulfillment.ts
-import { z as z12 } from "zod";
-var schema12 = {
-  orderNumber: z12.string().min(1).describe("Order number (required)"),
-  carrier: z12.string().optional().describe("Shipping carrier name (optional)"),
-  trackingNumber: z12.string().optional().describe(
+import { z as z9 } from "zod";
+var schema7 = {
+  orderNumber: z9.string().min(1).describe("Order number (required)"),
+  carrier: z9.string().optional().describe("Shipping carrier name (optional)"),
+  trackingNumber: z9.string().optional().describe(
     'Tracking number (optional). Setting carrier + tracking triggers "shipped" status'
   ),
-  items: z12.array(
-    z12.object({
-      orderItem: z12.string().min(1).describe("Order item ID"),
-      quantity: z12.number().int().positive().describe("Quantity to fulfill")
+  items: z9.array(
+    z9.object({
+      orderItem: z9.string().min(1).describe("Order item ID"),
+      quantity: z9.number().int().positive().describe("Quantity to fulfill")
     })
   ).describe("Array of items to fulfill (required)")
 };
-var metadata12 = {
+var metadata7 = {
   name: "create-fulfillment",
   description: "Create a shipment/fulfillment for order items. Auto-updates order status (paid \u2192 preparing \u2192 shipped).",
   annotations: {
@@ -761,20 +1290,20 @@ async function createFulfillment({
 }
 
 // src/tools/update-fulfillment.ts
-import { z as z13 } from "zod";
-var schema13 = {
-  fulfillmentId: z13.string().min(1).describe("Fulfillment ID (required)"),
-  status: z13.enum(["packed", "shipped", "delivered", "failed"]).describe(
+import { z as z10 } from "zod";
+var schema8 = {
+  fulfillmentId: z10.string().min(1).describe("Fulfillment ID (required)"),
+  status: z10.enum(["packed", "shipped", "delivered", "failed"]).describe(
     "New fulfillment status (required). FSM: pending\u2192packed/shipped/failed, packed\u2192shipped/failed, shipped\u2192delivered/failed"
   ),
-  carrier: z13.string().optional().describe(
+  carrier: z10.string().optional().describe(
     "Shipping carrier (optional, changeable only in pending/packed status)"
   ),
-  trackingNumber: z13.string().optional().describe(
+  trackingNumber: z10.string().optional().describe(
     "Tracking number (optional, changeable only in pending/packed status)"
   )
 };
-var metadata13 = {
+var metadata8 = {
   name: "update-fulfillment",
   description: "Update fulfillment status, carrier, and tracking number. Auto-updates order status when all fulfillments are delivered.",
   annotations: {
@@ -805,14 +1334,8 @@ async function updateFulfillment({
 }
 
 // src/tools/update-transaction.ts
-import { z as z14 } from "zod";
-var schema14 = {
-  pgPaymentId: z14.string().min(1).describe("PG payment ID (required)"),
-  status: z14.enum(["pending", "paid", "failed", "canceled"]).describe("New transaction status (required)"),
-  paymentMethod: z14.string().optional().describe("Payment method (optional)"),
-  receiptUrl: z14.string().optional().describe("Receipt URL (optional)")
-};
-var metadata14 = {
+var schema9 = UpdateTransactionSchema.shape;
+var metadata9 = {
   name: "update-transaction",
   description: "Update transaction status, payment method, and receipt URL.",
   annotations: {
@@ -826,16 +1349,21 @@ async function updateTransaction({
   pgPaymentId,
   status,
   paymentMethod,
-  receiptUrl
+  receiptUrl,
+  paymentKey,
+  amount
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.updateTransaction({
+    const params = {
       pgPaymentId,
       status,
       paymentMethod,
-      receiptUrl
-    });
+      receiptUrl,
+      paymentKey,
+      amount
+    };
+    const result = await client.commerce.orders.updateTransaction(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -843,20 +1371,20 @@ async function updateTransaction({
 }
 
 // src/tools/create-return.ts
-import { z as z15 } from "zod";
-var schema15 = {
-  orderNumber: z15.string().min(1).describe("Order number (required)"),
-  reason: z15.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z15.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z15.array(
-    z15.object({
-      orderItem: z15.string().min(1).describe("Order item ID"),
-      quantity: z15.number().int().positive().describe("Quantity to return")
+import { z as z11 } from "zod";
+var schema10 = {
+  orderNumber: z11.string().min(1).describe("Order number (required)"),
+  reason: z11.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
+  reasonDetail: z11.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z11.array(
+    z11.object({
+      orderItem: z11.string().min(1).describe("Order item ID"),
+      quantity: z11.number().int().positive().describe("Quantity to return")
     })
   ).describe("Array of products to return (required)"),
-  refundAmount: z15.number().nonnegative().describe("Refund amount (required, min 0)")
+  refundAmount: z11.number().nonnegative().describe("Refund amount (required, min 0)")
 };
-var metadata15 = {
+var metadata10 = {
   name: "create-return",
   description: "Create a return request for an order. Only works for delivered/confirmed orders. Updates order status to return_requested.",
   annotations: {
@@ -889,14 +1417,14 @@ async function createReturn({
 }
 
 // src/tools/update-return.ts
-import { z as z16 } from "zod";
-var schema16 = {
-  returnId: z16.string().min(1).describe("Return ID (required)"),
-  status: z16.enum(["processing", "approved", "rejected", "completed"]).describe(
+import { z as z12 } from "zod";
+var schema11 = {
+  returnId: z12.string().min(1).describe("Return ID (required)"),
+  status: z12.enum(["processing", "approved", "rejected", "completed"]).describe(
     "New return status (required). Valid transitions: requested\u2192processing/rejected, processing\u2192approved/rejected, approved\u2192completed"
   )
 };
-var metadata16 = {
+var metadata11 = {
   name: "update-return",
   description: "Update return status with FSM validation. Restores inventory on completion, reverts order status on rejection.",
   annotations: {
@@ -920,22 +1448,8 @@ async function updateReturn({
 }
 
 // src/tools/return-with-refund.ts
-import { z as z17 } from "zod";
-var schema17 = {
-  orderNumber: z17.string().min(1).describe("Order number (required)"),
-  reason: z17.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z17.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z17.array(
-    z17.object({
-      orderItem: z17.string().min(1).describe("Order item ID"),
-      quantity: z17.number().int().positive().describe("Quantity to return")
-    })
-  ).describe("Array of products to return (required)"),
-  refundAmount: z17.number().nonnegative().describe("Refund amount (required, min 0)"),
-  pgPaymentId: z17.string().min(1).describe("PG payment ID for refund (required)"),
-  refundReceiptUrl: z17.string().optional().describe("Refund receipt URL (optional)")
-};
-var metadata17 = {
+var schema12 = ReturnWithRefundSchema.shape;
+var metadata12 = {
   name: "return-with-refund",
   description: "Combined return + refund operation. Creates return, restores stock, cancels transaction, updates order status.",
   annotations: {
@@ -952,19 +1466,22 @@ async function returnWithRefund({
   returnItems,
   refundAmount,
   pgPaymentId,
+  paymentKey,
   refundReceiptUrl
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.returnWithRefund({
+    const params = {
       orderNumber,
       reason,
       reasonDetail,
       returnItems,
       refundAmount,
       pgPaymentId,
+      paymentKey,
       refundReceiptUrl
-    });
+    };
+    const result = await client.commerce.orders.returnWithRefund(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -972,15 +1489,15 @@ async function returnWithRefund({
 }
 
 // src/tools/add-cart-item.ts
-import { z as z18 } from "zod";
-var schema18 = {
-  cartId: z18.string().min(1).describe("Cart ID (required)"),
-  product: z18.string().min(1).describe("Product ID (required)"),
-  variant: z18.string().min(1).describe("Product variant ID (required)"),
-  option: z18.string().min(1).describe("Product option ID (required)"),
-  quantity: z18.number().int().positive().describe("Quantity to add (required, positive integer)")
+import { z as z13 } from "zod";
+var schema13 = {
+  cartId: z13.string().min(1).describe("Cart ID (required)"),
+  product: z13.string().min(1).describe("Product ID (required)"),
+  variant: z13.string().min(1).describe("Product variant ID (required)"),
+  option: z13.string().min(1).describe("Product option ID (required)"),
+  quantity: z13.number().int().positive().describe("Quantity to add (required, positive integer)")
 };
-var metadata18 = {
+var metadata13 = {
   name: "add-cart-item",
   description: "Add a product to cart. Validates stock, merges quantity if item already exists, recalculates totals.",
   annotations: {
@@ -1013,12 +1530,12 @@ async function addCartItem({
 }
 
 // src/tools/update-cart-item.ts
-import { z as z19 } from "zod";
-var schema19 = {
-  cartItemId: z19.string().min(1).describe("Cart item ID (required)"),
-  quantity: z19.number().int().positive().describe("New quantity (required, positive integer)")
+import { z as z14 } from "zod";
+var schema14 = {
+  cartItemId: z14.string().min(1).describe("Cart item ID (required)"),
+  quantity: z14.number().int().positive().describe("New quantity (required, positive integer)")
 };
-var metadata19 = {
+var metadata14 = {
   name: "update-cart-item",
   description: "Update cart item quantity. Validates stock availability, recalculates cart totals.",
   annotations: {
@@ -1042,11 +1559,11 @@ async function updateCartItem({
 }
 
 // src/tools/remove-cart-item.ts
-import { z as z20 } from "zod";
-var schema20 = {
-  cartItemId: z20.string().min(1).describe("Cart item ID to remove (required)")
+import { z as z15 } from "zod";
+var schema15 = {
+  cartItemId: z15.string().min(1).describe("Cart item ID to remove (required)")
 };
-var metadata20 = {
+var metadata15 = {
   name: "remove-cart-item",
   description: "Remove an item from cart. Recalculates cart totals after removal.",
   annotations: {
@@ -1069,12 +1586,12 @@ async function removeCartItem({
 }
 
 // src/tools/apply-discount.ts
-import { z as z21 } from "zod";
-var schema21 = {
-  cartId: z21.string().min(1).describe("Cart ID (required)"),
-  discountCode: z21.string().describe("Discount code to apply (required)")
+import { z as z16 } from "zod";
+var schema16 = {
+  cartId: z16.string().min(1).describe("Cart ID (required)"),
+  discountCode: z16.string().describe("Discount code to apply (required)")
 };
-var metadata21 = {
+var metadata16 = {
   name: "apply-discount",
   description: "Apply a discount code to a cart. Validates the code, updates cart totals, and sets free shipping if applicable.",
   annotations: {
@@ -1098,11 +1615,11 @@ async function applyDiscount({
 }
 
 // src/tools/remove-discount.ts
-import { z as z22 } from "zod";
-var schema22 = {
-  cartId: z22.string().min(1).describe("Cart ID (required)")
+import { z as z17 } from "zod";
+var schema17 = {
+  cartId: z17.string().min(1).describe("Cart ID (required)")
 };
-var metadata22 = {
+var metadata17 = {
   name: "remove-discount",
   description: "Remove the applied discount code from a cart and recalculate totals.",
   annotations: {
@@ -1125,11 +1642,11 @@ async function removeDiscount({
 }
 
 // src/tools/clear-cart.ts
-import { z as z23 } from "zod";
-var schema23 = {
-  cartId: z23.string().min(1).describe("Cart ID (required)")
+import { z as z18 } from "zod";
+var schema18 = {
+  cartId: z18.string().min(1).describe("Cart ID (required)")
 };
-var metadata23 = {
+var metadata18 = {
   name: "clear-cart",
   description: "Remove all items from a cart, reset discount and amounts. Shipping fee is preserved.",
   annotations: {
@@ -1152,12 +1669,12 @@ async function clearCart({
 }
 
 // src/tools/validate-discount.ts
-import { z as z24 } from "zod";
-var schema24 = {
-  code: z24.string().describe("Discount code to validate (required)"),
-  orderAmount: z24.number().describe("Order amount for validation (required)")
+import { z as z19 } from "zod";
+var schema19 = {
+  code: z19.string().describe("Discount code to validate (required)"),
+  orderAmount: z19.number().describe("Order amount for validation (required)")
 };
-var metadata24 = {
+var metadata19 = {
   name: "validate-discount",
   description: "Validate a discount code. Checks active status, date range, usage limits, minimum order amount, and calculates discount.",
   annotations: {
@@ -1184,13 +1701,13 @@ async function validateDiscount({
 }
 
 // src/tools/calculate-shipping.ts
-import { z as z25 } from "zod";
-var schema25 = {
-  shippingPolicyId: z25.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
-  orderAmount: z25.number().describe("Order amount for fee calculation (required)"),
-  postalCode: z25.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
+import { z as z20 } from "zod";
+var schema20 = {
+  shippingPolicyId: z20.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
+  orderAmount: z20.number().describe("Order amount for fee calculation (required)"),
+  postalCode: z20.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
 };
-var metadata25 = {
+var metadata20 = {
   name: "calculate-shipping",
   description: "Calculate shipping fee based on order amount and postal code. Supports free shipping threshold and Jeju surcharge.",
   annotations: {
@@ -1219,18 +1736,18 @@ async function calculateShipping({
 }
 
 // src/tools/stock-check.ts
-import { z as z26 } from "zod";
-var schema26 = {
-  items: z26.array(
-    z26.object({
-      variantId: z26.string().describe("Product variant ID"),
-      quantity: z26.number().int().positive().describe("Requested quantity")
+import { z as z21 } from "zod";
+var schema21 = {
+  items: z21.array(
+    z21.object({
+      variantId: z21.string().describe("Product variant ID"),
+      quantity: z21.number().int().positive().describe("Requested quantity")
     })
   ).describe(
     "Array of items to check stock for (required, max 100). Each: { variantId, quantity }"
   )
 };
-var metadata26 = {
+var metadata21 = {
   name: "stock-check",
   description: "Batch check product option stock availability. Returns per-item availability and an allAvailable flag.",
   annotations: {
@@ -1253,113 +1770,21 @@ async function stockCheck({
 }
 
 // src/tools/get-collection-schema.ts
-import { z as z27 } from "zod";
-import { COLLECTIONS as COLLECTIONS8 } from "@01.software/sdk";
-
-// src/lib/console-api.ts
-import { createHash } from "crypto";
-var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
-var TIMEOUT_MS = 5e3;
-var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function resolveAuthHeaderContext() {
-  const oauthContext = tenantAuthContext();
-  if (oauthContext) {
-    return {
-      apiKey: signMcpServiceToken(oauthContext),
-      mode: "oauth"
-    };
-  }
-  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
-  return {
-    apiKey: process.env.SOFTWARE_SECRET_KEY,
-    mode: "stdio",
-    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
-  };
-}
-function resolveApiKey() {
-  const { apiKey } = resolveAuthHeaderContext();
-  if (!apiKey || typeof apiKey !== "string") {
-    throw new Error(
-      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
-    );
-  }
-  return apiKey;
-}
-function buildAuthHeaders(apiKey) {
-  const { mode, publishableKey } = resolveAuthHeaderContext();
-  const headers = {
-    Authorization: `Bearer ${apiKey}`
-  };
-  if (mode === "stdio" && publishableKey) {
-    headers["X-Publishable-Key"] = publishableKey;
-  }
-  return headers;
-}
-function extractErrorMessage(body) {
-  if (!body || typeof body !== "object") return void 0;
-  const b = body;
-  if (typeof b.error === "string") return b.error;
-  if (Array.isArray(b.errors) && b.errors[0]?.message) {
-    return String(b.errors[0].message);
-  }
-  if (typeof b.message === "string") return b.message;
-  return void 0;
-}
-async function consoleGet(path, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
-  try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      headers: authHeaders,
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const body = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(body);
-      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function consolePost(path, body, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
-  try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      method: "POST",
-      headers: { ...authHeaders, "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const errBody = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(errBody);
-      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS3 } from "@01.software/sdk";
 
 // src/lib/collection-schema.ts
 async function getCollectionSchema(collection) {
   const apiKey = resolveApiKey();
-  return consoleGet(
+  const data = await consoleGet(
     `/api/tenants/schema/${encodeURIComponent(collection)}`,
     apiKey
   );
+  return collectionSchemaResponseSchema.parse(data);
 }
 
 // src/tools/get-collection-schema.ts
-var schema27 = {
-  collection: z27.enum(COLLECTIONS8).describe("Collection name (required)")
-};
-var metadata27 = {
+var schema22 = createCollectionSchemaToolInputSchema(SERVER_COLLECTIONS3).shape;
+var metadata22 = {
   name: "get-collection-schema",
   description: "Get the authoritative tenant-aware collection schema from console. Use this before create/update to understand writable fields, hidden fields, required metadata, and collection-level visibility.",
   annotations: {
@@ -1383,9 +1808,6 @@ async function getCollectionSchemaTool({
   }
 }
 
-// src/tools/get-tenant-context.ts
-import { z as z28 } from "zod";
-
 // src/lib/tenant-context.ts
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
@@ -1396,16 +1818,12 @@ async function getTenantContext(includeCounts = false) {
     getTenantContextPath(includeCounts),
     apiKey
   );
-  return data;
-}
-function invalidateTenantContextCache() {
+  return tenantContextResponseSchema.parse(data);
 }
 
 // src/tools/get-tenant-context.ts
-var schema28 = {
-  includeCounts: z28.boolean().optional().default(false).describe("Include per-collection document counts and config status (bypasses cache, slower)")
-};
-var metadata28 = {
+var schema23 = tenantContextToolInputSchema.shape;
+var metadata23 = {
   name: "get-tenant-context",
   description: "Get current tenant features, active collections, and field visibility. Call this at the start of every session. Use includeCounts=true to also get per-collection document counts for setup diagnostics.",
   annotations: {
@@ -1415,7 +1833,9 @@ var metadata28 = {
     idempotentHint: true
   }
 };
-async function handler({ includeCounts }) {
+async function handler({
+  includeCounts
+}) {
   try {
     const ctx = await getTenantContext(includeCounts);
     const lines = [
@@ -1468,11 +1888,10 @@ async function handler({ includeCounts }) {
       }
     }
     if (ctx.config) {
+      lines.push("", "## Config Status");
       lines.push(
-        "",
-        "## Config Status"
+        `- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`
       );
-      lines.push(`- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`);
     }
     return toolSuccess({ context: lines.join("\n") });
   } catch (error) {
@@ -1481,7 +1900,7 @@ async function handler({ includeCounts }) {
 }
 
 // src/tools/list-configurable-fields.ts
-import { z as z29 } from "zod";
+import { z as z22 } from "zod";
 
 // src/lib/field-config.ts
 async function fetchFieldConfigs() {
@@ -1504,12 +1923,12 @@ function invalidateFieldConfigCache() {
 }
 
 // src/tools/list-configurable-fields.ts
-var schema29 = {
-  collection: z29.string().optional().describe(
+var schema24 = {
+  collection: z22.string().optional().describe(
     "Filter by collection slug (optional \u2014 returns all if omitted). Use this filter to reduce response size when you know which collection to check."
   )
 };
-var metadata29 = {
+var metadata24 = {
   name: "list-configurable-fields",
   description: "List all configurable fields for tenant collections with current visibility state. Shows which fields can be shown/hidden and their current status. Returns all collections including inactive features \u2014 cross-reference with get-tenant-context for active features. Response includes ~300 fields across 47 collections \u2014 use collection filter when possible.",
   annotations: {
@@ -1540,17 +1959,17 @@ async function listConfigurableFields(params) {
 }
 
 // src/tools/update-field-config.ts
-import { z as z30 } from "zod";
-var schema30 = {
-  collection: z30.string().min(1).describe("Collection slug (required)"),
-  hiddenFields: z30.array(z30.string().min(1).max(200)).max(300).describe(
+import { z as z23 } from "zod";
+var schema25 = {
+  collection: z23.string().min(1).describe("Collection slug (required)"),
+  hiddenFields: z23.array(z23.string().min(1).max(200)).max(300).describe(
     "Fields to hide (required). This is a FULL REPLACE \u2014 fields NOT in this list will be shown. Pass [] to show all fields. Use list-configurable-fields first to see available field paths."
   ),
-  isHidden: z30.boolean().optional().describe(
+  isHidden: z23.boolean().optional().describe(
     "Hide the entire collection from Admin Panel (optional). When true, individual hiddenFields are irrelevant."
   )
 };
-var metadata30 = {
+var metadata25 = {
   name: "update-field-config",
   description: "Update field visibility configuration for a tenant collection. Hidden fields are removed from the Admin Panel UI. IMPORTANT: hiddenFields is a full replace, not a merge. Always call list-configurable-fields first to see current state.",
   annotations: {
@@ -1568,7 +1987,6 @@ async function updateFieldConfig(params) {
       isHidden: params.isHidden
     });
     invalidateFieldConfigCache();
-    invalidateTenantContextCache();
     return toolSuccess({
       message: `Field config updated for '${params.collection}'`,
       data: result
@@ -1579,7 +1997,7 @@ async function updateFieldConfig(params) {
 }
 
 // src/tools/sdk-get-recipe.ts
-import { z as z31 } from "zod";
+import { z as z24 } from "zod";
 
 // src/lib/sdk-recipes.ts
 var recipes = {
@@ -1731,7 +2149,7 @@ const result = await client.collections.from('products').create({
         "Returns result.doc (not the document directly)"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "update-item": {
@@ -1760,7 +2178,7 @@ const result = await client.collections.from('products').update('product-id', {
         "Partial updates are supported \u2014 omitted fields retain their current value"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-collection"]
+      relatedTools: ["get-collection-by-id", "get-collection-schema"]
     }
   },
   "delete-item": {
@@ -1784,7 +2202,7 @@ console.log('Deleted:', deleted.title)`,
         "Throws if the item does not exist"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["delete-collection"]
+      relatedTools: ["get-collection-by-id", "query-collection"]
     }
   },
   "infinite-scroll": {
@@ -1961,7 +2379,7 @@ const result = await client.collections.from('images').create(formData as unknow
         "Always set alt text for accessibility"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "bulk-operations": {
@@ -1997,7 +2415,7 @@ const removed = await client.collections.from('products').removeMany(
         "Very broad where clauses (or empty) will affect all documents in the collection"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-many-collection", "delete-many-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   }
 };
@@ -2011,8 +2429,8 @@ function getRecipe(goal, runtime = "both") {
 }
 
 // src/tools/sdk-get-recipe.ts
-var schema31 = {
-  goal: z31.enum([
+var schema26 = {
+  goal: z24.enum([
     "fetch-list",
     "fetch-by-id",
     "create-item",
@@ -2024,11 +2442,11 @@ var schema31 = {
     "file-upload",
     "bulk-operations"
   ]).describe("What the user wants to accomplish"),
-  runtime: z31.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
-  collection: z31.string().optional().describe("Specific collection name if applicable"),
-  includeExample: z31.boolean().default(true).describe("Whether to include a full code example")
+  runtime: z24.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
+  collection: z24.string().optional().describe("Specific collection name if applicable"),
+  includeExample: z24.boolean().default(true).describe("Whether to include a full code example")
 };
-var metadata31 = {
+var metadata26 = {
   name: "sdk-get-recipe",
   description: "Get a complete SDK code recipe for a specific task. Returns recommended approach, code example, and related documentation links. Use this FIRST when the user asks how to do something with the SDK.",
   annotations: {
@@ -2071,7 +2489,7 @@ function handler2({
 }
 
 // src/tools/sdk-search-docs.ts
-import { z as z32 } from "zod";
+import { z as z25 } from "zod";
 
 // src/lib/sdk-doc-index.ts
 var docIndex = [
@@ -2085,7 +2503,7 @@ var docIndex = [
   {
     title: "Browser Client vs Server Client",
     keywords: ["browser", "server", "publishable key", "secret key", "createClient", "createServerClient", "NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY", "pk01_", "sk01_", "pat01_", "read-only", "full crud"],
-    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in browser-auth-scoped flows). Never expose SECRET_KEY to the browser.",
+    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with matching SOFTWARE_PUBLISHABLE_KEY + SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in scoped flows). Never expose SECRET_KEY to the browser.",
     resourceUri: "docs://sdk/getting-started"
   },
   // Query Builder
@@ -2246,11 +2664,11 @@ function searchDocs(query, limit = 5) {
 }
 
 // src/tools/sdk-search-docs.ts
-var schema32 = {
-  query: z32.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
-  limit: z32.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
+var schema27 = {
+  query: z25.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
+  limit: z25.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
 };
-var metadata32 = {
+var metadata27 = {
   name: "sdk-search-docs",
   description: "Search SDK documentation by keyword. Returns matching topics with summaries and resource links. Use when looking for specific SDK features or patterns.",
   annotations: {
@@ -2285,9 +2703,9 @@ function handler3({
 }
 
 // src/tools/sdk-get-auth-setup.ts
-import { z as z33 } from "zod";
-var schema33 = {
-  scenario: z33.enum([
+import { z as z26 } from "zod";
+var schema28 = {
+  scenario: z26.enum([
     "browser-client",
     "server-client",
     "customer-auth",
@@ -2296,7 +2714,7 @@ var schema33 = {
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
-var metadata33 = {
+var metadata28 = {
   name: "sdk-get-auth-setup",
   description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
@@ -2450,14 +2868,14 @@ function handler4({
 }
 
 // src/tools/sdk-get-collection-pattern.ts
-import { z as z34 } from "zod";
-import { COLLECTIONS as COLLECTIONS9 } from "@01.software/sdk";
-var schema34 = {
-  collection: z34.enum(COLLECTIONS9).describe("Collection name"),
-  operation: z34.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
-  surface: z34.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
+import { z as z27 } from "zod";
+import { COLLECTIONS, SERVER_COLLECTIONS as SERVER_COLLECTIONS4 } from "@01.software/sdk";
+var schema29 = {
+  collection: z27.enum(SERVER_COLLECTIONS4).describe("Collection name"),
+  operation: z27.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
+  surface: z27.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
 };
-var metadata34 = {
+var metadata29 = {
   name: "sdk-get-collection-pattern",
   description: "Get the recommended CRUD pattern for a specific collection. Returns code examples for the chosen API surface and operation type.",
   annotations: {
@@ -2468,7 +2886,15 @@ var metadata34 = {
   }
 };
 function generatePattern(collection, operation, surface) {
+  const isPublicCollection = COLLECTIONS.includes(
+    collection
+  );
   if (surface === "react-query") {
+    if (!isPublicCollection) {
+      throw new Error(
+        `${collection} is server-only. Use surface="server-api" with createServerClient().`
+      );
+    }
     const parts2 = [];
     if (operation === "read") {
       parts2.push(
@@ -2580,17 +3006,29 @@ function generatePattern(collection, operation, surface) {
   }
   const parts = [];
   if (operation === "read" || operation === "full-crud") {
-    parts.push(
-      `// Read with any client (Client or ServerClient)`,
-      `const result = await client.collections.from('${collection}').find({`,
-      `  where: { status: { equals: 'published' } },`,
-      `  limit: 10,`,
-      `  sort: '-createdAt'`,
-      `})`,
-      ``,
-      `const item = await client.collections.from('${collection}').findById(id)`,
-      `const { totalDocs } = await client.collections.from('${collection}').count()`
-    );
+    if (isPublicCollection) {
+      parts.push(
+        `// Read with any client (Client or ServerClient)`,
+        `const result = await client.collections.from('${collection}').find({`,
+        `  where: { status: { equals: 'published' } },`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await client.collections.from('${collection}').findById(id)`,
+        `const { totalDocs } = await client.collections.from('${collection}').count()`
+      );
+    } else {
+      parts.push(
+        `// Server-only collection: use ServerClient`,
+        `const result = await serverClient.collections.from('${collection}').find({`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await serverClient.collections.from('${collection}').findById(id)`
+      );
+    }
   }
   if (operation === "write" || operation === "full-crud") {
     parts.push(
@@ -2605,6 +3043,7 @@ function generatePattern(collection, operation, surface) {
     code: parts.join("\n"),
     notes: [
       "Query Builder works with both Client and ServerClient for reads",
+      !isPublicCollection ? "This collection is server-only" : "",
       operation !== "read" ? "Write operations require ServerClient" : ""
     ].filter(Boolean)
   };
@@ -2624,7 +3063,6 @@ function handler5({
       relatedTools: [
         "query-collection",
         "get-collection-by-id",
-        ...operation !== "read" ? ["create-collection", "update-collection", "delete-collection"] : [],
         "get-collection-schema"
       ],
       relatedResources: [
@@ -2638,14 +3076,14 @@ function handler5({
 }
 
 // src/prompts/sdk-usage-guide.ts
-import { z as z35 } from "zod";
-var schema35 = {
-  goal: z35.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
-  runtime: z35.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
-  surface: z35.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
-  collection: z35.string().optional().describe("Specific collection if relevant")
+import { z as z28 } from "zod";
+var schema30 = {
+  goal: z28.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
+  runtime: z28.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
+  surface: z28.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
+  collection: z28.string().optional().describe("Specific collection if relevant")
 };
-var metadata35 = {
+var metadata30 = {
   name: "sdk-usage-guide",
   title: "SDK Usage Guide",
   description: "Provides guidance on how to perform a specific task using the 01.software SDK",
@@ -2782,14 +3220,14 @@ You can perform the "${goal}" task by following the patterns above.`;
 }
 
 // src/prompts/collection-query-help.ts
-import { z as z36 } from "zod";
-import { COLLECTIONS as COLLECTIONS10 } from "@01.software/sdk";
-var schema36 = {
-  collection: z36.enum(COLLECTIONS10).describe("Collection name"),
-  operation: z36.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
-  filters: z36.string().optional().describe("Filter conditions (JSON string, optional)")
+import { z as z29 } from "zod";
+import { COLLECTIONS as COLLECTIONS2, SERVER_COLLECTIONS as SERVER_COLLECTIONS5 } from "@01.software/sdk";
+var schema31 = {
+  collection: z29.enum(SERVER_COLLECTIONS5).describe("Collection name"),
+  operation: z29.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
+  filters: z29.string().optional().describe("Filter conditions (JSON string, optional)")
 };
-var metadata36 = {
+var metadata31 = {
   name: "collection-query-help",
   title: "Collection Query Help",
   description: "Provides guidance on how to write queries for a specific collection",
@@ -2806,6 +3244,11 @@ Filter conditions:
 \`\`\`json
 ${filters}
 \`\`\`` : "";
+  const isPublicCollection = COLLECTIONS2.includes(
+    collection
+  );
+  const readClientName = isPublicCollection ? "client" : "serverClient";
+  const readClientNote = isPublicCollection ? "Client or ServerClient" : "ServerClient only";
   return `How to perform "${operation}" operation on "${collection}" collection:${filterExample}
 
 ## Collection: ${collection}
@@ -2816,26 +3259,26 @@ ${filters}
 \`\`\`typescript
 import { createClient, createServerClient } from '@01.software/sdk'
 
-// Client (read-only)
+// Client (read-only public collections)
 const client = createClient({
   publishableKey: process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY!
 })
 
-// Server client (full CRUD)
+// Server client (server/public collections, full CRUD)
 const serverClient = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
   secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
 
-${operation === "find" ? `// Query ${collection} collection with Query Builder
+${operation === "find" ? `// Query ${collection} collection with Query Builder (${readClientNote})
 // find() returns PayloadFindResponse with docs array and pagination
-const result = await client.collections.from('${collection}').find(${filters ? `{
+const result = await ${readClientName}.collections.from('${collection}').find(${filters ? `{
   where: ${filters}
 }` : ""})
 // result.docs - array of items
 // result.totalDocs, result.page, result.totalPages, result.hasNextPage, ...
 
-// Using React Hook
+${isPublicCollection ? `// Using React Hook
 const { data, isLoading, error } = client.query.useQuery({
   collection: '${collection}',
   options: { limit: 10 }
@@ -2845,19 +3288,19 @@ const { data, isLoading, error } = client.query.useQuery({
 const { data } = client.query.useSuspenseQuery({
   collection: '${collection}',
   options: { limit: 10 }
-})` : operation === "create" ? `// Create ${collection} item (ServerClient only)
+})` : `// React hooks are browser/public only and do not support '${collection}'.`}` : operation === "create" ? `// Create ${collection} item (ServerClient only)
 // create() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').create({
+const result = await serverClient.collections.from('${collection}').create({
   // Enter fields
 })
 // result.doc - created item, result.message` : operation === "update" ? `// Update ${collection} item (ServerClient only)
 // update() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').update(id, {
+const result = await serverClient.collections.from('${collection}').update(id, {
   // Fields to update
 })
 // result.doc - updated item, result.message` : `// Delete ${collection} item (ServerClient only)
 // remove() returns the deleted document directly
-await serverClient.from('${collection}').remove(id)`}
+await serverClient.collections.from('${collection}').remove(id)`}
 \`\`\`
 
 ### Useful Tips
@@ -2865,7 +3308,7 @@ await serverClient.from('${collection}').remove(id)`}
 ${operation === "find" ? `- Use \`where\` option for filtering (Payload query syntax)
 - Use \`limit\` and \`page\` for pagination
 - Use \`sort\` for sorting (prefix with "-" for descending)
-- React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery
+- ${isPublicCollection ? "React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery" : "React Query hooks are browser/public only; use ServerClient for this collection"}
 - Cache utilities: invalidateQueries, prefetchQuery, getQueryData, setQueryData` : operation === "create" ? `- Requires ServerClient with secretKey
 - Check required fields
 - TypeScript recommended for type safety` : operation === "update" ? `- Requires ServerClient with secretKey
@@ -2876,16 +3319,16 @@ ${operation === "find" ? `- Use \`where\` option for filtering (Payload query sy
 }
 
 // src/prompts/order-flow-guide.ts
-import { z as z37 } from "zod";
-var schema37 = {
-  scenario: z37.enum([
+import { z as z30 } from "zod";
+var schema32 = {
+  scenario: z30.enum([
     "simple-order",
     "cart-checkout",
     "return-refund",
     "fulfillment-tracking"
   ]).describe("Order flow scenario")
 };
-var metadata37 = {
+var metadata32 = {
   name: "order-flow-guide",
   title: "Order Flow Guide",
   description: "Provides step-by-step guidance for ecommerce order flows including creation, checkout, returns, and fulfillment.",
@@ -2900,8 +3343,8 @@ var SCENARIOS = {
    - Provide: orderNumber, customerSnapshot (email required), shippingAddress, orderItems, totalAmount
    - Optional: pgPaymentId (omit for free orders), shippingAmount, discountCode
 
-2. **Payment Confirmation** \u2192 \`update-order\` tool
-   - Update status to \`paid\` after payment gateway confirms
+2. **Payment Confirmation** \u2192 \`update-transaction\` tool
+   - Confirm provider payment with pgPaymentId, paymentKey, and amount
    - Stock is automatically adjusted (stock -= qty, reservedStock += qty)
 
 3. **Fulfillment** \u2192 \`create-fulfillment\` tool
@@ -2928,8 +3371,13 @@ const order = await client.commerce.orders.create({
   pgPaymentId: 'pay_xxx' // omit for free orders
 })
 
-// 2. After payment confirmed
-await client.commerce.orders.update({ orderNumber: 'ORD-240101-001', status: 'paid' })
+// 2. After payment confirmed by provider
+await client.commerce.orders.updateTransaction({
+  pgPaymentId: 'pay_xxx',
+  status: 'paid',
+  paymentKey: 'payment_key_xxx',
+  amount: 59800
+})
 
 // 3. Ship items
 await client.commerce.orders.createFulfillment({
@@ -2947,7 +3395,7 @@ await client.commerce.orders.createFulfillment({
 2. **Apply Discount** (optional) \u2192 \`apply-discount\` tool
 3. **Calculate Shipping** \u2192 \`calculate-shipping\` tool
 4. **Checkout** \u2192 \`checkout\` tool (converts cart to order)
-5. **Payment** \u2192 \`update-order\` or \`update-transaction\`
+5. **Payment** \u2192 \`update-transaction\` for provider-verified paid transitions
 
 ### Key Points
 - Cart has a customer linked \u2014 auto-copied to order on checkout
@@ -2984,7 +3432,7 @@ const order = await client.commerce.orders.checkout({
 1. **Return with Refund** \u2192 \`return-with-refund\` tool
    - Handles return + stock restoration + transaction update in one call
    - Return immediately completed (bypasses FSM)
-   - Requires pgPaymentId to identify which transaction to refund
+   - Requires pgPaymentId and paymentKey for provider-verified refund
 
 ### Key Points
 - Full refund: original transaction \u2192 \`canceled\`
@@ -3001,7 +3449,8 @@ await client.commerce.orders.returnWithRefund({
   reasonDetail: 'Product arrived damaged',
   returnItems: [{ orderItem: 'oi-id', quantity: 1 }],
   refundAmount: 29900,
-  pgPaymentId: 'pay_xxx'
+  pgPaymentId: 'pay_xxx',
+  paymentKey: 'payment_key_xxx'
 })
 \`\`\``,
   "fulfillment-tracking": `## Fulfillment & Tracking
@@ -3064,9 +3513,9 @@ ${SCENARIOS[scenario] || "Unknown scenario."}
 }
 
 // src/prompts/feature-setup-guide.ts
-import { z as z38 } from "zod";
-var schema38 = {
-  feature: z38.enum([
+import { z as z31 } from "zod";
+var schema33 = {
+  feature: z31.enum([
     "ecommerce",
     "customers",
     "articles",
@@ -3081,7 +3530,7 @@ var schema38 = {
     "community"
   ]).describe("Feature to get setup guide for")
 };
-var metadata38 = {
+var metadata33 = {
   name: "feature-setup-guide",
   title: "Feature Setup Guide",
   description: "Setup checklist and remediation guide for a tenant feature. Load before using get-tenant-context to diagnose setup gaps.",
@@ -3094,8 +3543,8 @@ var FEATURES = {
 
 ### Required Collections (count > 0)
 
-1. **products** \u2014 Use \`create-collection\` with \`collection='products'\`
-   - Minimum fields: \`{ title, slug, status: 'active' }\`
+1. **products** \u2014 Create via Console UI or SDK \`client.collections.from('products').create({ ... })\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **product-variants** \u2014 At least 1 sellable variant per product
    - Minimum fields: \`{ product, title, price, stock }\`
@@ -3128,7 +3577,8 @@ customer-addresses
 
 ### Optional Collections
 
-customer-groups \u2014 Use \`create-collection\` with \`collection='customer-groups'\`, \`{ title }\`
+- customer-groups \u2014 Console/server-scoped segmentation for VIP coupons and campaigns. Use \`createServerClient().collections.from('customer-groups')\`.
+- customer-profile-lists \u2014 Public profile display/ranking lists for storefronts. Browser reads may use \`client.collections.from('customer-profile-lists')\`.
 
 ### Config
 
@@ -3139,10 +3589,10 @@ customer-groups \u2014 Use \`create-collection\` with \`collection='customer-gro
 ### Required Collections (count > 0)
 
 1. **articles** \u2014 At least 1 article
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **article-authors** \u2014 At least 1 author
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
    - Link authors to articles via the \`authors\` relationship field
 
 ### Optional Collections
@@ -3157,7 +3607,7 @@ article-categories, article-tags`,
 
 2. **document-types** \u2014 At least 1 type
    - Minimum fields: \`{ title, slug }\`
-   - Link document type via \`documentType\` relationship field
+   - Link document type via \`type\` relationship field
 
 ### Optional Collections
 
@@ -3167,10 +3617,10 @@ document-categories`,
 ### Required Collections (count > 0)
 
 1. **playlists** \u2014 At least 1 playlist
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **tracks** \u2014 At least 1 track
-   - Minimum fields: \`{ title }\`
+   - Minimum fields: \`{ title, sourceUrl, status: 'published' }\`
 
 3. **playlists.tracks** \u2014 Link at least 1 track from a playlist
    - Minimum fields: \`{ tracks: [trackId] }\`
@@ -3183,11 +3633,11 @@ playlist-categories, playlist-tags, track-categories, track-tags, track-assets`,
 ### Required Collections (count > 0)
 
 1. **galleries** \u2014 At least 1 gallery
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **gallery-items** \u2014 At least 1 item per gallery
    - References \`images\` collection (non-upload)
-   - Minimum fields: \`{ gallery, image }\`
+   - Minimum fields: \`{ gallery, image, status: 'published' }\`
 
 ### Optional Collections
 
@@ -3197,7 +3647,7 @@ gallery-categories, gallery-tags`,
 ### Required Collections (count > 0)
 
 1. **links** \u2014 At least 1 link
-   - Minimum fields: \`{ title, slug, url }\`
+   - Minimum fields: \`{ title, slug, url, status: 'published' }\`
 
 ### Optional Collections
 
@@ -3269,21 +3719,23 @@ comments, reactions, bookmarks, reports, community-bans
 
 ### Optional Collections
 
-post-categories`
+post-categories, customer-profile-lists`
 };
-function featureSetupGuide({ feature }) {
+function featureSetupGuide({
+  feature
+}) {
   return `# Feature Setup Guide: ${feature}
 
 ${FEATURES[feature] || "Unknown feature."}
 
 ## Related MCP Tools
 - \`get-tenant-context\` \u2014 check current collection counts and feature status
-- \`create-collection\` \u2014 create required collection documents
-- \`query-collection\` \u2014 verify existing documents in a collection`;
+- \`query-collection\` \u2014 verify existing documents in a collection
+- \`get-collection-schema\` \u2014 inspect tenant-aware fields before creating data via SDK or Console UI`;
 }
 
 // src/resources/(config)/app.ts
-var metadata39 = {
+var metadata34 = {
   name: "app-config",
   title: "Application Config",
   description: "01.software SDK and MCP server configuration information"
@@ -3294,7 +3746,8 @@ function handler6() {
 ## Server Info
 - **Name**: 01.software MCP Server
 - **Version**: 0.1.0
-- **Transport**: HTTP (Streamable)
+- **Hosted transport**: HTTP (Streamable)
+- **Local transport**: stdio through \`npx @01.software/cli mcp\`
 
 ## Authentication
 
@@ -3305,45 +3758,9 @@ HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 url = "https://mcp.01.software/mcp"
 \`\`\`
 
-## Available Tools (34)
-
-### Generic CRUD (7)
-- \`query-collection\` - Query collection with filters, pagination, sorting
-- \`get-collection-by-id\` - Get single item by ID
-- \`create-collection\` - Create new item
-- \`update-collection\` - Update existing item
-- \`delete-collection\` - Delete item (destructive)
-- \`update-many-collection\` - Bulk update items matching filter
-- \`delete-many-collection\` - Bulk delete items matching filter (destructive)
-
-### Orders (7)
-- \`create-order\` - Create a new order with products and shipping
-- \`get-order\` - Get order details by order number
-- \`update-order\` - Update order status
-- \`checkout\` - Convert cart to order
-- \`create-fulfillment\` - Create fulfillment for order items
-- \`update-fulfillment\` - Update fulfillment status, carrier, and tracking
-- \`update-transaction\` - Update transaction status
-
-### Returns (3)
-- \`create-return\` - Create a return request
-- \`update-return\` - Update return status
-- \`return-with-refund\` - Process return with refund atomically
-
-### Cart (6)
-- \`add-cart-item\` - Add item to cart
-- \`update-cart-item\` - Update cart item quantity
-- \`remove-cart-item\` - Remove item from cart
-- \`apply-discount\` - Apply discount code to cart
-- \`remove-discount\` - Remove discount from cart
-- \`clear-cart\` - Remove all items from cart
-
-### Validation (2)
-- \`validate-discount\` - Validate discount code
-- \`calculate-shipping\` - Calculate shipping fee
-
-### Product (1)
-- \`stock-check\` - Check product option stock availability
+## Hosted HTTP OAuth Tools (8)
+
+The hosted HTTP MCP endpoint at https://mcp.01.software/mcp exposes only these OAuth-safe tools:
 
 ### Schema (1)
 - \`get-collection-schema\` - Get authoritative tenant-aware collection schema
@@ -3361,6 +3778,16 @@ url = "https://mcp.01.software/mcp"
 - \`sdk-get-auth-setup\` - Get framework-specific auth setup guidance
 - \`sdk-get-collection-pattern\` - Get collection-specific usage patterns
 
+## Local CLI Stdio Surface (29)
+
+For trusted local server-key workflows, start the stdio server:
+
+\`\`\`bash
+npx @01.software/cli mcp
+\`\`\`
+
+Local stdio can expose generic read, order, return, cart, validation, stock, schema, tenant context, field config, and guidance tools. Generic collection write tools (create/update/delete/update-many/delete-many) are intentionally absent on every transport; use the SDK server client for generic writes.
+
 ## Rate Limits
 
 Rate limits depend on your tenant plan:
@@ -3372,80 +3799,96 @@ Rate limits depend on your tenant plan:
 }
 
 // src/resources/(collections)/schema.ts
-import { COLLECTIONS as COLLECTIONS11 } from "@01.software/sdk";
-var metadata40 = {
+import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
+var metadata35 = {
   name: "collections-schema",
   title: "Collection Schema Info",
   description: "Available collections and their schema information"
 };
+var COLLECTIONS_BY_CATEGORY = {
+  "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
+  Products: [
+    "products",
+    "product-variants",
+    "product-options",
+    "product-option-values",
+    "product-categories",
+    "product-tags",
+    "product-collections"
+  ],
+  Brands: ["brands", "brand-logos"],
+  "Orders & Fulfillment": [
+    "orders",
+    "order-items",
+    "transactions",
+    "fulfillments",
+    "fulfillment-items"
+  ],
+  "Shipping & Returns": ["returns", "return-items", "shipping-policies"],
+  Customers: [
+    "customers",
+    "customer-profiles",
+    "customer-profile-lists",
+    "customer-addresses"
+  ],
+  Carts: ["carts", "cart-items"],
+  "Discounts & Promotions": ["discounts", "promotions"],
+  Documents: ["documents", "document-categories", "document-types"],
+  Articles: [
+    "articles",
+    "article-authors",
+    "article-categories",
+    "article-tags"
+  ],
+  Community: [
+    "posts",
+    "comments",
+    "reactions",
+    "reaction-types",
+    "bookmarks",
+    "post-categories",
+    "reports",
+    "community-bans"
+  ],
+  Playlists: [
+    "playlists",
+    "tracks",
+    "playlist-categories",
+    "playlist-tags",
+    "track-categories",
+    "track-tags"
+  ],
+  Galleries: [
+    "galleries",
+    "gallery-items",
+    "gallery-categories",
+    "gallery-tags"
+  ],
+  Links: ["links", "link-categories", "link-tags"],
+  Canvas: [
+    "canvases",
+    "canvas-node-types",
+    "canvas-edge-types",
+    "canvas-categories",
+    "canvas-tags",
+    "canvas-nodes",
+    "canvas-edges"
+  ],
+  Videos: ["videos", "video-categories", "video-tags"],
+  "Live Streams": ["live-streams"],
+  Images: ["images"],
+  Forms: ["forms", "form-submissions"],
+  Events: [
+    "event-calendars",
+    "events",
+    "event-categories",
+    "event-occurrences",
+    "event-tags"
+  ]
+};
 function handler7() {
-  const collectionsByCategory = {
-    "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
-    Products: [
-      "products",
-      "product-variants",
-      "product-options",
-      "product-categories",
-      "product-tags",
-      "product-collections"
-    ],
-    Brands: ["brands", "brand-logos"],
-    "Orders & Fulfillment": [
-      "orders",
-      "order-items",
-      "transactions",
-      "fulfillments",
-      "fulfillment-items"
-    ],
-    "Shipping & Returns": [
-      "returns",
-      "return-items",
-      "shipping-policies"
-    ],
-    Customers: ["customers", "customer-addresses", "customer-groups"],
-    Carts: ["carts", "cart-items"],
-    Discounts: ["discounts"],
-    Documents: ["documents", "document-categories", "document-types"],
-    Articles: ["articles", "article-authors", "article-categories", "article-tags"],
-    Community: [
-      "posts",
-      "comments",
-      "reactions",
-      "reaction-types",
-      "bookmarks",
-      "post-categories",
-      "reports",
-      "community-bans"
-    ],
-    Playlists: [
-      "playlists",
-      "tracks",
-      "track-assets",
-      "playlist-categories",
-      "playlist-tags",
-      "track-categories",
-      "track-tags"
-    ],
-    Galleries: [
-      "galleries",
-      "gallery-items",
-      "gallery-categories",
-      "gallery-tags"
-    ],
-    Canvas: [
-      "canvases",
-      "canvas-node-types",
-      "canvas-edge-types",
-      "canvas-categories",
-      "canvas-tags"
-    ],
-    Videos: ["videos", "video-categories", "video-tags"],
-    "Live Streams": ["live-streams"],
-    Images: ["images"],
-    Forms: ["forms", "form-submissions"]
-  };
-  const categoryDocs = Object.entries(collectionsByCategory).map(([category, collections]) => {
-    const collectionList = collections.filter((c) => COLLECTIONS11.includes(c)).map((c) => `- **${c}**`).join("\n");
+  const categoryDocs = Object.entries(COLLECTIONS_BY_CATEGORY).map(([category, collections]) => {
+    const collectionList = collections.filter((c) => COLLECTIONS3.includes(c)).map((c) => `- **${c}**`).join("\n");
     return `## ${category}
 ${collectionList}`;
   }).join("\n\n");
@@ -3466,6 +3909,10 @@ Each collection supports the following operations:
 - \`updateMany(where, data)\` - Bulk update items matching filter
 - \`removeMany(where)\` - Bulk delete items matching filter
 
+Status-managed public collections expose only \`status: 'published'\` rows to
+publishable-key reads unless server-side access explicitly includes
+unpublished statuses.
+
 ## Query Examples
 
 ### Filtering
@@ -3487,11 +3934,11 @@ Each collection supports the following operations:
 }
 \`\`\`
 
-Total available collections: ${COLLECTIONS11.length}`;
+Total available collections: ${COLLECTIONS3.length}`;
 }
 
 // src/resources/(docs)/getting-started.ts
-var metadata41 = {
+var metadata36 = {
   name: "docs-getting-started",
   title: "Getting Started",
   description: "01.software SDK getting started guide"
@@ -3536,7 +3983,7 @@ const result = await client.collections.from('products').find({
 }
 
 // src/resources/(docs)/guides.ts
-var metadata42 = {
+var metadata37 = {
   name: "docs-guides",
   title: "Guides",
   description: "01.software SDK usage guides"
@@ -3747,7 +4194,7 @@ For more detailed guides, see the [Guides page](/docs/guides).`;
 }
 
 // src/resources/(docs)/api.ts
-var metadata43 = {
+var metadata38 = {
   name: "docs-api",
   title: "API Reference",
   description: "01.software SDK API reference documentation"
@@ -4033,7 +4480,7 @@ For more details, see the [full API documentation](/docs/api).`;
 }
 
 // src/resources/(docs)/query-builder.ts
-var metadata44 = {
+var metadata39 = {
   name: "docs-query-builder",
   title: "Query Builder",
   description: "01.software SDK Query Builder API reference (client.collections.from)"
@@ -4227,7 +4674,7 @@ console.log(result.hasNextPage) // true
 }
 
 // src/resources/(docs)/react-query.ts
-var metadata45 = {
+var metadata40 = {
   name: "docs-react-query",
   title: "React Query Hooks",
   description: "01.software SDK React Query hooks reference (client.query)"
@@ -4475,7 +4922,7 @@ export function ProductList() {
 }
 
 // src/resources/(docs)/server-api.ts
-var metadata46 = {
+var metadata41 = {
   name: "docs-server-api",
   title: "Server-side API",
   description: "01.software SDK server-side API reference (client.commerce) for orders, fulfillments, returns, carts, and validation"
@@ -4616,7 +5063,7 @@ const ret = await client.commerce.orders.updateReturn({
 \`\`\`
 
 ### returnWithRefund()
-Create a return and process refund in one atomic operation.
+Create a return and process a provider-verified refund in one atomic operation.
 
 \`\`\`typescript
 const result = await client.commerce.orders.returnWithRefund({
@@ -4628,6 +5075,7 @@ const result = await client.commerce.orders.returnWithRefund({
   ],
   refundAmount: 29900,
   pgPaymentId: 'toss-payment-id',  // required
+  paymentKey: 'toss-payment-key',  // required for provider refund
   refundReceiptUrl?: 'https://...',
 })
 \`\`\`
@@ -4635,12 +5083,15 @@ const result = await client.commerce.orders.returnWithRefund({
 ## Transaction API
 
 ### updateTransaction()
-Update a transaction status (after PG callback).
+Confirm or annotate a transaction. Paid transitions require provider
+verification; non-financial annotations can still update pending transactions.
 
 \`\`\`typescript
 const tx = await client.commerce.orders.updateTransaction({
   pgPaymentId: 'toss-payment-id',
-  status: 'paid',  // paid | failed | canceled
+  status: 'paid',  // pending | paid | failed | canceled
+  paymentKey: 'toss-payment-key',  // required when status is paid
+  amount: 29900,  // required when status is paid
 })
 \`\`\`
 
@@ -4733,7 +5184,7 @@ const result = await client.commerce.shipping.calculate({
 }
 
 // src/resources/(docs)/customer-auth.ts
-var metadata47 = {
+var metadata42 = {
   name: "docs-customer-auth",
   title: "Customer Auth API",
   description: "01.software SDK Customer Auth API reference (client.customer)"
@@ -4911,7 +5362,7 @@ async function loadProfile() {
 }
 
 // src/resources/(docs)/browser-vs-server.ts
-var metadata48 = {
+var metadata43 = {
   name: "docs-browser-vs-server",
   title: "Client vs ServerClient",
   description: "When to use Client (createClient) vs ServerClient (createServerClient) in the 01.software SDK"
@@ -5070,7 +5521,7 @@ export function ProductList() {
 }
 
 // src/resources/(docs)/file-upload.ts
-var metadata49 = {
+var metadata44 = {
   name: "docs-file-upload",
   title: "File Upload",
   description: "01.software SDK file upload patterns using the images collection"
@@ -5221,7 +5672,7 @@ The platform stores files in Cloudflare R2 and serves via CDN (\`cdn.01.software
 }
 
 // src/resources/(docs)/webhook.ts
-var metadata50 = {
+var metadata45 = {
   name: "docs-webhook",
   title: "Webhooks",
   description: "01.software SDK webhook verification and event handling"
@@ -5335,28 +5786,71 @@ Configure webhook URLs in the 01.software console under Tenant Settings > Webhoo
 }
 
 // src/server.ts
-function registerTool(server, schema39, meta, handler19) {
+var REGISTERED_TOOLS_BY_SERVER = /* @__PURE__ */ new WeakMap();
+function registerTool(server, schema34, meta, handler19) {
+  let registered = REGISTERED_TOOLS_BY_SERVER.get(server);
+  if (!registered) {
+    registered = /* @__PURE__ */ new Set();
+    REGISTERED_TOOLS_BY_SERVER.set(server, registered);
+  }
+  registered.add(meta.name);
   server.registerTool(
     meta.name,
     {
       description: meta.description,
-      inputSchema: schema39,
+      inputSchema: schema34,
       annotations: meta.annotations
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async (params) => {
-      const result = await handler19(params);
-      return { content: [{ type: "text", text: result }] };
+      const ctx = tenantAuthContext();
+      if (ctx) {
+        const decision = evaluateToolPolicy(meta.name, ctx.scopes);
+        if (!decision.allowed) {
+          const status = decision.reason === "insufficient_scope" ? 403 : 500;
+          return {
+            content: [
+              {
+                type: "text",
+                text: toolError({
+                  status,
+                  reason: decision.reason,
+                  message: decision.message
+                })
+              }
+            ]
+          };
+        }
+      }
+      const activeSummary = currentMcpTelemetrySummary();
+      const ownSummary = activeSummary || hasRequestContext() ? null : createMcpTelemetrySummary("stdio");
+      const summary = activeSummary ?? ownSummary;
+      let result = null;
+      try {
+        result = await handler19(params);
+        return { content: [{ type: "text", text: result }] };
+      } finally {
+        if (summary) {
+          recordMcpToolResult({
+            resultText: result,
+            summary,
+            toolName: meta.name
+          });
+        }
+        if (ownSummary) {
+          void flushMcpTelemetrySummary(ownSummary);
+        }
+      }
     }
   );
 }
-function registerPrompt(server, schema39, meta, handler19) {
+function registerPrompt(server, schema34, meta, handler19) {
   server.registerPrompt(
     meta.name,
     {
       title: meta.title,
       description: meta.description,
-      argsSchema: schema39
+      argsSchema: schema34
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (params) => ({
@@ -5392,70 +5886,58 @@ function createServer(options = {}) {
   if (toolSurface === "full") {
     registerTool(server, schema, metadata, queryCollection);
     registerTool(server, schema2, metadata2, getCollectionById);
-    registerTool(server, schema3, metadata3, createCollection);
-    registerTool(server, schema4, metadata4, updateCollection);
-    registerTool(server, schema5, metadata5, deleteCollection);
-    registerTool(server, schema6, metadata6, deleteManyCollection);
-    registerTool(server, schema7, metadata7, updateManyCollection);
-    registerTool(server, schema8, metadata8, getOrder);
-    registerTool(server, schema9, metadata9, createOrder);
-    registerTool(server, schema10, metadata10, updateOrder);
-    registerTool(server, schema11, metadata11, checkout);
-    registerTool(server, schema12, metadata12, createFulfillment);
-    registerTool(server, schema13, metadata13, updateFulfillment);
-    registerTool(server, schema14, metadata14, updateTransaction);
-    registerTool(server, schema15, metadata15, createReturn);
-    registerTool(server, schema16, metadata16, updateReturn);
-    registerTool(server, schema17, metadata17, returnWithRefund);
-    registerTool(server, schema18, metadata18, addCartItem);
-    registerTool(server, schema19, metadata19, updateCartItem);
-    registerTool(server, schema20, metadata20, removeCartItem);
-    registerTool(server, schema21, metadata21, applyDiscount);
-    registerTool(server, schema22, metadata22, removeDiscount);
-    registerTool(server, schema23, metadata23, clearCart);
-    registerTool(server, schema24, metadata24, validateDiscount);
-    registerTool(server, schema25, metadata25, calculateShipping);
-    registerTool(server, schema26, metadata26, stockCheck);
-  }
-  registerTool(server, schema27, metadata27, getCollectionSchemaTool);
-  registerTool(server, schema28, metadata28, handler);
-  registerTool(server, schema29, metadata29, listConfigurableFields);
-  registerTool(server, schema30, metadata30, updateFieldConfig);
-  registerTool(server, schema31, metadata31, handler2);
-  registerTool(server, schema32, metadata32, handler3);
-  registerTool(server, schema33, metadata33, handler4);
-  registerTool(server, schema34, metadata34, handler5);
-  registerPrompt(server, schema35, metadata35, sdkUsageGuide);
-  registerPrompt(server, schema36, metadata36, collectionQueryHelp);
-  registerPrompt(server, schema37, metadata37, orderFlowGuide);
-  registerPrompt(server, schema38, metadata38, featureSetupGuide);
-  registerStaticResource(server, "config://app", metadata39, handler6);
-  registerStaticResource(server, "collections://schema", metadata40, handler7);
-  registerStaticResource(server, "docs://sdk/getting-started", metadata41, handler8);
-  registerStaticResource(server, "docs://sdk/guides", metadata42, handler9);
-  registerStaticResource(server, "docs://sdk/api", metadata43, handler10);
-  registerStaticResource(server, "docs://sdk/query-builder", metadata44, handler11);
-  registerStaticResource(server, "docs://sdk/react-query", metadata45, handler12);
-  registerStaticResource(server, "docs://sdk/server-api", metadata46, handler13);
-  registerStaticResource(server, "docs://sdk/customer-auth", metadata47, handler14);
-  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata48, handler15);
-  registerStaticResource(server, "docs://sdk/file-upload", metadata49, handler16);
-  registerStaticResource(server, "docs://sdk/webhook", metadata50, handler17);
+    registerTool(server, schema3, metadata3, getOrder);
+    registerTool(server, schema4, metadata4, createOrder);
+    registerTool(server, schema5, metadata5, updateOrder);
+    registerTool(server, schema6, metadata6, checkout);
+    registerTool(server, schema7, metadata7, createFulfillment);
+    registerTool(server, schema8, metadata8, updateFulfillment);
+    registerTool(server, schema9, metadata9, updateTransaction);
+    registerTool(server, schema10, metadata10, createReturn);
+    registerTool(server, schema11, metadata11, updateReturn);
+    registerTool(server, schema12, metadata12, returnWithRefund);
+    registerTool(server, schema13, metadata13, addCartItem);
+    registerTool(server, schema14, metadata14, updateCartItem);
+    registerTool(server, schema15, metadata15, removeCartItem);
+    registerTool(server, schema16, metadata16, applyDiscount);
+    registerTool(server, schema17, metadata17, removeDiscount);
+    registerTool(server, schema18, metadata18, clearCart);
+    registerTool(server, schema19, metadata19, validateDiscount);
+    registerTool(server, schema20, metadata20, calculateShipping);
+    registerTool(server, schema21, metadata21, stockCheck);
+  }
+  registerTool(server, schema22, metadata22, getCollectionSchemaTool);
+  registerTool(server, schema23, metadata23, handler);
+  registerTool(server, schema24, metadata24, listConfigurableFields);
+  registerTool(server, schema25, metadata25, updateFieldConfig);
+  registerTool(server, schema26, metadata26, handler2);
+  registerTool(server, schema27, metadata27, handler3);
+  registerTool(server, schema28, metadata28, handler4);
+  registerTool(server, schema29, metadata29, handler5);
+  registerPrompt(server, schema30, metadata30, sdkUsageGuide);
+  registerPrompt(server, schema31, metadata31, collectionQueryHelp);
+  registerPrompt(server, schema32, metadata32, orderFlowGuide);
+  registerPrompt(server, schema33, metadata33, featureSetupGuide);
+  registerStaticResource(server, "config://app", metadata34, handler6);
+  registerStaticResource(server, "collections://schema", metadata35, handler7);
+  registerStaticResource(server, "docs://sdk/getting-started", metadata36, handler8);
+  registerStaticResource(server, "docs://sdk/guides", metadata37, handler9);
+  registerStaticResource(server, "docs://sdk/api", metadata38, handler10);
+  registerStaticResource(server, "docs://sdk/query-builder", metadata39, handler11);
+  registerStaticResource(server, "docs://sdk/react-query", metadata40, handler12);
+  registerStaticResource(server, "docs://sdk/server-api", metadata41, handler13);
+  registerStaticResource(server, "docs://sdk/customer-auth", metadata42, handler14);
+  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata43, handler15);
+  registerStaticResource(server, "docs://sdk/file-upload", metadata44, handler16);
+  registerStaticResource(server, "docs://sdk/webhook", metadata45, handler17);
   return server;
 }
 
 // src/auth.ts
 import { createPublicKey, verify as verifySignature } from "crypto";
-import {
-  MCP_OAUTH_ISSUER as MCP_OAUTH_ISSUER2,
-  MCP_RESOURCE_AUDIENCE,
-  MCP_SCOPES,
-  MCP_TENANT_CLAIM as MCP_TENANT_CLAIM2,
-  MCP_TENANT_ROLE_CLAIM as MCP_TENANT_ROLE_CLAIM2
-} from "@01.software/auth-contracts";
 var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["RS256", "ES256"]);
 var DEFAULT_CLOCK_SKEW_SECONDS = 30;
-var DEFAULT_JWKS_URI = `${MCP_OAUTH_ISSUER2}/.well-known/jwks.json`;
+var DEFAULT_JWKS_URI = `${MCP_OAUTH_ISSUER}/.well-known/jwks.json`;
 var MAX_ACCESS_TOKEN_LIFETIME_SECONDS = 300;
 function invalid(errorDescription) {
   return { valid: false, error: "invalid_token", errorDescription };
@@ -5558,7 +6040,7 @@ function validateAccessToken(token, options = {}) {
   if (!verifyJwtSignature(header.alg, jwk, signingInput, signature)) {
     return invalid("Bearer token signature is invalid");
   }
-  const issuer = options.issuer ?? MCP_OAUTH_ISSUER2;
+  const issuer = options.issuer ?? MCP_OAUTH_ISSUER;
   if (payload.iss !== issuer) return invalid("Bearer token issuer is invalid");
   const audience = options.audience ?? MCP_RESOURCE_AUDIENCE;
   if (!audienceMatches(payload.aud, audience)) {
@@ -5581,11 +6063,11 @@ function validateAccessToken(token, options = {}) {
     return invalid("Bearer token is not yet valid");
   }
   if (payload.exp < nowSeconds - leeway) return invalid("Bearer token is expired");
-  const tenantId = payload[MCP_TENANT_CLAIM2];
+  const tenantId = payload[MCP_TENANT_CLAIM];
   if (typeof tenantId !== "string" || tenantId.length === 0) {
     return invalid("Bearer token tenant_id claim is invalid");
   }
-  const tenantRole = payload[MCP_TENANT_ROLE_CLAIM2];
+  const tenantRole = payload[MCP_TENANT_ROLE_CLAIM];
   if (tenantRole !== "tenant-admin" && tenantRole !== "tenant-editor" && tenantRole !== "tenant-viewer") {
     return invalid("Bearer token tenant_role claim is invalid");
   }
@@ -5751,24 +6233,33 @@ Resources (12): config, collections-schema, getting-started, guides, api, query-
 Links
 -----
 
-Docs            https://01.software/docs/integrations/mcp
-SDK             https://01.software/docs/sdk/client
-API Reference   https://01.software/docs/api/rest-api
+Docs            https://docs.01.software/docs/developers/integrations/mcp
+SDK             https://docs.01.software/docs/developers/sdk/client
+API Reference   https://docs.01.software/docs/developers/api/rest-api
 Console         https://console.01.software
 `;
 var PROTECTED_RESOURCE_METADATA = JSON.stringify({
-  resource: MCP_RESOURCE_AUDIENCE2,
-  authorization_servers: [MCP_OAUTH_ISSUER3],
-  scopes_supported: [MCP_SCOPES2.read, MCP_SCOPES2.write]
+  resource: MCP_RESOURCE_AUDIENCE,
+  authorization_servers: [MCP_OAUTH_ISSUER],
+  scopes_supported: [MCP_SCOPES.read, MCP_SCOPES.write]
 });
+var PROTECTED_RESOURCE_METADATA_URL = new URL(
+  MCP_PROTECTED_RESOURCE_METADATA_PATH,
+  MCP_RESOURCE_AUDIENCE
+).toString();
 var SERVICE_JWKS_PATH = "/.well-known/service-jwks.json";
 function writeOAuthError(res, status, error, description) {
   res.writeHead(status, {
     "Content-Type": "application/json",
-    "WWW-Authenticate": `Bearer resource_metadata="${MCP_PROTECTED_RESOURCE_METADATA_PATH}", error="${error}", error_description="${description}"`
+    "WWW-Authenticate": `Bearer resource_metadata="${PROTECTED_RESOURCE_METADATA_URL}", error="${error}", error_description="${description}"`
   });
   res.end(JSON.stringify({ error, error_description: description }));
 }
+function acceptsEventStream(req) {
+  const accept = getHeaderValue(req.headers, "accept");
+  if (!accept) return false;
+  return accept.split(",").some((entry) => entry.trim().split(";")[0]?.toLowerCase() === "text/event-stream");
+}
 async function handler18(req, res) {
   setCors(res);
   if (req.method === "OPTIONS") {
@@ -5777,7 +6268,7 @@ async function handler18(req, res) {
     return;
   }
   if (req.method === "GET") {
-    const pathname = new URL(req.url ?? "/", MCP_RESOURCE_AUDIENCE2).pathname;
+    const pathname = new URL(req.url ?? "/", MCP_RESOURCE_AUDIENCE).pathname;
     if (pathname === MCP_PROTECTED_RESOURCE_METADATA_PATH) {
       res.setHeader("Access-Control-Allow-Origin", "*");
       res.writeHead(200, { "Content-Type": "application/json" });
@@ -5801,6 +6292,11 @@ async function handler18(req, res) {
       }
       return;
     }
+    if (acceptsEventStream(req)) {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(METHOD_NOT_ALLOWED);
+      return;
+    }
     res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
     res.end(HOME_PAGE);
     return;
@@ -5837,20 +6333,37 @@ async function handler18(req, res) {
     if (typeof value === "string") headers.set(key, value);
     else if (Array.isArray(value)) headers.set(key, value.join(", "));
   }
+  const telemetrySummary = createMcpTelemetrySummary("http");
   await requestContext.run({ headers, auth: auth.context }, async () => {
     try {
-      const body = req.body ?? JSON.parse(await readBody(req));
-      await transport.handleRequest(req, res, body);
-    } catch {
-      if (!res.headersSent) {
-        res.writeHead(500, { "Content-Type": "application/json" });
-        res.end(JSON.stringify({ error: "Internal server error" }));
-      }
+      await runWithMcpTelemetry(telemetrySummary, async () => {
+        const body = req.body ?? JSON.parse(await readBody(req));
+        await transport.handleRequest(req, res, body);
+      });
+    } catch (err) {
+      writeRequestError(res, err);
     } finally {
+      telemetrySummary.durationMs = Date.now() - telemetrySummary.startedAtMs;
       await close();
+      await flushMcpTelemetrySummary(telemetrySummary);
     }
   });
 }
+function writeRequestError(res, err) {
+  if (res.headersSent) return;
+  if (err instanceof SyntaxError) {
+    res.writeHead(400, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Invalid JSON body" }));
+    return;
+  }
+  if (err instanceof Error && err.message === "Request body too large") {
+    res.writeHead(413, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Request body too large" }));
+    return;
+  }
+  res.writeHead(500, { "Content-Type": "application/json" });
+  res.end(JSON.stringify({ error: "Internal server error" }));
+}
 export {
   handler18 as default
 };