@01.software/cli 0.8.0 → 0.9.0

package/dist/mcp/{chunk-45ZCPS57.js → chunk-GJOQ4SE2.js}

@@ -1,9 +1,6 @@
 // src/server.ts
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-// src/tools/query-collection.ts
-import { z } from "zod";
-
 // src/lib/request-context.ts
 import { AsyncLocalStorage } from "async_hooks";
 var requestContext = new AsyncLocalStorage();
@@ -14,6 +11,360 @@ function hasRequestContext() {
   return requestContext.getStore() !== void 0;
 }
 
+// src/lib/tool-utils.ts
+function toolSuccess(data) {
+  return JSON.stringify({ success: true, ...data }, null, 2);
+}
+function toolError(error) {
+  const base = { success: false };
+  const isStructured = !!error && typeof error === "object" && ("code" in error || "reason" in error);
+  if (isStructured) {
+    const sdkErr = error;
+    base.error = sdkErr.message || "Unknown error";
+    if (sdkErr.status) base.status = sdkErr.status;
+    if (sdkErr.code) base.code = sdkErr.code;
+    if (sdkErr.reason) base.reason = sdkErr.reason;
+    if (sdkErr.requestId) base.requestId = sdkErr.requestId;
+    if (sdkErr.suggestion) base.suggestion = sdkErr.suggestion;
+    if (sdkErr.details?.errors) base.errors = sdkErr.details.errors;
+  } else {
+    base.error = error instanceof Error ? error.message : "Unknown error";
+  }
+  return JSON.stringify(base, null, 2);
+}
+var MAX_QUERY_DEPTH = 5;
+function checkDepth(obj, depth = 0) {
+  if (depth > MAX_QUERY_DEPTH) return false;
+  if (obj && typeof obj === "object") {
+    for (const val of Object.values(obj)) {
+      if (!checkDepth(val, depth + 1)) return false;
+    }
+  }
+  return true;
+}
+function parseJsonWhere(where) {
+  try {
+    const parsed = JSON.parse(where);
+    if (!checkDepth(parsed)) {
+      return {
+        success: false,
+        error: JSON.stringify(
+          {
+            success: false,
+            error: `Query exceeds maximum nesting depth of ${MAX_QUERY_DEPTH}`
+          },
+          null,
+          2
+        )
+      };
+    }
+    return { success: true, data: parsed };
+  } catch {
+    return {
+      success: false,
+      error: JSON.stringify(
+        {
+          success: false,
+          error: `Invalid JSON in "where" parameter: ${where.length > 100 ? where.substring(0, 100) + "..." : where}`
+        },
+        null,
+        2
+      )
+    };
+  }
+}
+
+// ../../packages/auth-contracts/dist/index.js
+var MCP_RESOURCE_AUDIENCE = "https://mcp.01.software/mcp";
+var MCP_OAUTH_ISSUER = "https://01.software";
+var MCP_PROTECTED_RESOURCE_METADATA_PATH = "/.well-known/oauth-protected-resource/mcp";
+var MCP_TENANT_CLAIM = "tenant_id";
+var MCP_TENANT_ROLE_CLAIM = "tenant_role";
+var MCP_SCOPES = {
+  read: "mcp:read",
+  write: "mcp:write"
+};
+var MCP_CONSOLE_SERVICE_AUDIENCE = "https://api.01.software/internal/mcp";
+var MCP_CONSOLE_SERVICE_SCOPE = "console:mcp_proxy";
+var MCP_SERVICE_TOKEN_LIFETIME_SECONDS = 60;
+
+// src/tool-policy.ts
+var READ_ONLY_ANNOTATION = {
+  readOnly: true,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: false,
+  openWorld: false
+};
+var NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: false,
+  idempotent: true,
+  openWorld: false
+};
+var DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: false,
+  openWorld: false
+};
+var DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION = {
+  readOnly: false,
+  destructive: true,
+  idempotent: true,
+  openWorld: false
+};
+var REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE = "Update operations mutate persisted state but converge to the same end state under repeated identical input.";
+var REASON_CART_EPHEMERAL = "Cart is pre-checkout ephemeral state; reversal is possible by reissuing the prior input. Console enforces tenant scope.";
+var TOOL_POLICY_MANIFEST = {
+  // ── Read-only collection / validation (mcp:read, tenant-viewer) ──
+  "query-collection": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-by-id": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/{collection}/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-order": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/orders/{id}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "stock-check": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/products/{id}/stock",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "validate-discount": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/discounts/validate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "calculate-shipping": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "POST /api/shipping/calculate",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "get-collection-schema": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/schema/{collectionSlug}",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "list-configurable-fields": {
+    category: "read-only-collection",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/field-config",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Tenant context (mcp:read, tenant-viewer) ──
+  "get-tenant-context": {
+    category: "read-only-tenant",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/context",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  // ── Cart mutations (mcp:write, tenant-editor) ──
+  "add-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/items",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "PATCH /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-cart-item": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/items/{itemId}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "clear-cart": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/clear",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "apply-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "POST /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  "remove-discount": {
+    category: "mutation-cart",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-editor",
+    consoleSurface: "DELETE /api/carts/{id}/discount",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_CART_EPHEMERAL
+  },
+  // ── Order mutations (mcp:write, tenant-admin) ──
+  "checkout": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/checkout",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "create-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-order": {
+    category: "mutation-order",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/orders/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Fulfillment mutations (mcp:write, tenant-admin) ──
+  "create-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/orders/{id}/fulfillments",
+    annotationPolicy: NON_DESTRUCTIVE_MUTATION_ANNOTATION
+  },
+  "update-fulfillment": {
+    category: "mutation-fulfillment",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/fulfillments/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  // ── Return mutations (mcp:write, tenant-admin) ──
+  "create-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  "update-return": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/returns/{id}",
+    annotationPolicy: DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION,
+    exemptionReason: REASON_IDEMPOTENT_DESTRUCTIVE_UPDATE
+  },
+  "return-with-refund": {
+    category: "mutation-return",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "POST /api/returns/with-refund",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Transaction mutations (mcp:write, tenant-admin) ──
+  "update-transaction": {
+    category: "mutation-transaction",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/transactions/{id}",
+    annotationPolicy: DESTRUCTIVE_NON_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── Field-config mutations (mcp:write, tenant-admin) ──
+  "update-field-config": {
+    category: "mutation-field-config",
+    oauthScope: MCP_SCOPES.write,
+    consoleRole: "tenant-admin",
+    consoleSurface: "PATCH /api/tenants/field-config",
+    annotationPolicy: NON_DESTRUCTIVE_IDEMPOTENT_MUTATION_ANNOTATION
+  },
+  // ── SDK doc tools (mcp:read, tenant-viewer, sdk-static surface) ──
+  "sdk-get-recipe": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-search-docs": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-auth-setup": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
+  "sdk-get-collection-pattern": {
+    category: "sdk-doc",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "sdk-static",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  }
+};
+function evaluateToolPolicy(toolName, scopes) {
+  const entry = TOOL_POLICY_MANIFEST[toolName];
+  if (!entry) {
+    return {
+      allowed: false,
+      reason: "tool_policy_missing",
+      message: `No tool-policy entry for ${toolName}`
+    };
+  }
+  if (!scopes.includes(entry.oauthScope)) {
+    return {
+      allowed: false,
+      reason: "insufficient_scope",
+      message: `Tool ${toolName} requires ${entry.oauthScope}`
+    };
+  }
+  return { allowed: true, entry };
+}
+
+// src/tools/query-collection.ts
+import { z } from "zod";
+
 // src/lib/client.ts
 import {
   CollectionClient,
@@ -25,14 +376,6 @@ import {
 
 // src/service-auth.ts
 import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
-import {
-  MCP_CONSOLE_SERVICE_AUDIENCE,
-  MCP_CONSOLE_SERVICE_SCOPE,
-  MCP_OAUTH_ISSUER,
-  MCP_SERVICE_TOKEN_LIFETIME_SECONDS,
-  MCP_TENANT_CLAIM,
-  MCP_TENANT_ROLE_CLAIM
-} from "@01.software/auth-contracts";
 var KEYSET_ENV = "MCP_SERVICE_KEYSET";
 function assertProductionKeysetUse(source) {
   const vercelEnv = process.env.VERCEL_ENV;
@@ -218,68 +561,6 @@ function getClient() {
 
 // src/tools/query-collection.ts
 import { COLLECTIONS } from "@01.software/sdk";
-
-// src/lib/tool-utils.ts
-function toolSuccess(data) {
-  return JSON.stringify({ success: true, ...data }, null, 2);
-}
-function toolError(error) {
-  const base = { success: false };
-  if (error && typeof error === "object" && "code" in error) {
-    const sdkErr = error;
-    base.error = sdkErr.message || "Unknown error";
-    if (sdkErr.status) base.status = sdkErr.status;
-    if (sdkErr.code) base.code = sdkErr.code;
-    if (sdkErr.suggestion) base.suggestion = sdkErr.suggestion;
-    if (sdkErr.details?.errors) base.errors = sdkErr.details.errors;
-  } else {
-    base.error = error instanceof Error ? error.message : "Unknown error";
-  }
-  return JSON.stringify(base, null, 2);
-}
-var MAX_QUERY_DEPTH = 5;
-function checkDepth(obj, depth = 0) {
-  if (depth > MAX_QUERY_DEPTH) return false;
-  if (obj && typeof obj === "object") {
-    for (const val of Object.values(obj)) {
-      if (!checkDepth(val, depth + 1)) return false;
-    }
-  }
-  return true;
-}
-function parseJsonWhere(where) {
-  try {
-    const parsed = JSON.parse(where);
-    if (!checkDepth(parsed)) {
-      return {
-        success: false,
-        error: JSON.stringify(
-          {
-            success: false,
-            error: `Query exceeds maximum nesting depth of ${MAX_QUERY_DEPTH}`
-          },
-          null,
-          2
-        )
-      };
-    }
-    return { success: true, data: parsed };
-  } catch {
-    return {
-      success: false,
-      error: JSON.stringify(
-        {
-          success: false,
-          error: `Invalid JSON in "where" parameter: ${where.length > 100 ? where.substring(0, 100) + "..." : where}`
-        },
-        null,
-        2
-      )
-    };
-  }
-}
-
-// src/tools/query-collection.ts
 var schema = {
   collection: z.enum(COLLECTIONS).describe("Collection name (required)"),
   where: z.string().optional().describe(
@@ -348,223 +629,34 @@ var schema2 = {
   id: z2.string().min(1).describe("Item ID (required)")
 };
 var metadata2 = {
-  name: "get-collection-by-id",
-  description: "Get a specific collection item by ID",
-  annotations: {
-    title: "Get collection item by ID",
-    readOnlyHint: true,
-    destructiveHint: false,
-    idempotentHint: true
-  }
-};
-async function getCollectionById({
-  collection,
-  id
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).findById(id);
-    return toolSuccess({ data: result });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/create-collection.ts
-import { z as z3 } from "zod";
-import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
-var schema3 = {
-  collection: z3.enum(COLLECTIONS3).describe("Collection name (required)"),
-  data: z3.record(z3.string(), z3.unknown()).describe(
-    "Data to create (required). Use get-collection-schema first to understand writable fields, hidden fields, and required metadata. Server will validate and reject invalid fields."
-  )
-};
-var metadata3 = {
-  name: "create-collection",
-  description: "Create a new collection item",
-  annotations: {
-    title: "Create collection item",
-    readOnlyHint: false,
-    destructiveHint: false,
-    idempotentHint: false
-  }
-};
-async function createCollection({
-  collection,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).create(data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-collection.ts
-import { z as z4 } from "zod";
-import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
-var schema4 = {
-  collection: z4.enum(COLLECTIONS4).describe("Collection name (required)"),
-  id: z4.string().min(1).describe("Item ID (required)"),
-  data: z4.record(z4.string(), z4.unknown()).describe(
-    "Data to update (required). Use get-collection-by-id first to check current structure, then get-collection-schema to confirm writable fields and required metadata. Server will validate and reject invalid fields."
-  )
-};
-var metadata4 = {
-  name: "update-collection",
-  description: "Update an existing collection item",
-  annotations: {
-    title: "Update collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function updateCollection({
-  collection,
-  id,
-  data
-}) {
-  try {
-    const client = getClient().collections;
-    const result = await client.from(collection).update(id, data);
-    return toolSuccess({ data: result.doc, message: result.message });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-collection.ts
-import { z as z5 } from "zod";
-import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
-var schema5 = {
-  collection: z5.enum(COLLECTIONS5).describe("Collection name (required)"),
-  id: z5.string().min(1).describe("Item ID (required)")
-};
-var metadata5 = {
-  name: "delete-collection",
-  description: "Delete a collection item",
-  annotations: {
-    title: "Delete collection item",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteCollection({
-  collection,
-  id
-}) {
-  try {
-    const client = getClient();
-    await client.collections.from(collection).remove(id);
-    return toolSuccess({ message: "Deleted successfully." });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/delete-many-collection.ts
-import { z as z6 } from "zod";
-import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
-var schema6 = {
-  collection: z6.enum(COLLECTIONS6).describe("Collection name (required)"),
-  where: z6.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to delete. Example: '{"status":{"equals":"archived"}}'`
-  )
-};
-var metadata6 = {
-  name: "delete-many-collection",
-  description: "Bulk delete collection items matching a filter. All matching items will be permanently deleted.",
-  annotations: {
-    title: "Bulk delete collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
-    idempotentHint: true
-  }
-};
-async function deleteManyCollection({
-  collection,
-  where
-}) {
-  try {
-    const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk deletes. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).removeMany(parsed.data);
-    return toolSuccess({
-      totalDocs: result.totalDocs,
-      message: `Deleted ${result.totalDocs} item(s).`
-    });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-
-// src/tools/update-many-collection.ts
-import { z as z7 } from "zod";
-import { COLLECTIONS as COLLECTIONS7 } from "@01.software/sdk";
-var schema7 = {
-  collection: z7.enum(COLLECTIONS7).describe("Collection name (required)"),
-  where: z7.string().describe(
-    `Filter conditions (JSON string, required). Determines which items to update. Example: '{"status":{"equals":"draft"}}'`
-  ),
-  data: z7.record(z7.string(), z7.unknown()).describe(
-    "Data to update (required). Partial updates supported. Server will validate and reject invalid fields."
-  )
-};
-var metadata7 = {
-  name: "update-many-collection",
-  description: "Bulk update collection items matching a filter. All matching items will be updated with the provided data.",
+  name: "get-collection-by-id",
+  description: "Get a specific collection item by ID",
   annotations: {
-    title: "Bulk update collection items",
-    readOnlyHint: false,
-    destructiveHint: true,
+    title: "Get collection item by ID",
+    readOnlyHint: true,
+    destructiveHint: false,
     idempotentHint: true
   }
 };
-async function updateManyCollection({
+async function getCollectionById({
   collection,
-  where,
-  data
+  id
 }) {
   try {
     const client = getClient().collections;
-    const parsed = parseJsonWhere(where);
-    if (!parsed.success) return parsed.error;
-    if (!parsed.data || typeof parsed.data !== "object" || Object.keys(parsed.data).length === 0) {
-      return toolError(
-        new Error(
-          'Empty "where" filter is not allowed for bulk updates. Provide at least one filter condition.'
-        )
-      );
-    }
-    const result = await client.from(collection).updateMany(parsed.data, data);
-    return toolSuccess({
-      data: result.docs,
-      totalDocs: result.totalDocs,
-      message: `Updated ${result.totalDocs} item(s).`
-    });
+    const result = await client.from(collection).findById(id);
+    return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
   }
 }
 
 // src/tools/get-order.ts
-import { z as z8 } from "zod";
-var schema8 = {
-  orderNumber: z8.string().min(1).describe("Order number to look up (required)")
+import { z as z3 } from "zod";
+var schema3 = {
+  orderNumber: z3.string().min(1).describe("Order number to look up (required)")
 };
-var metadata8 = {
+var metadata3 = {
   name: "get-order",
   description: "Get order details by order number. Returns order with related data (depth:1).",
   annotations: {
@@ -592,26 +684,26 @@ async function getOrder({
 }
 
 // src/tools/create-order.ts
-import { z as z9 } from "zod";
-var schema9 = {
-  pgPaymentId: z9.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z9.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z9.object({
-    name: z9.string().optional().describe("Customer name"),
-    email: z9.string().describe("Customer email (required)"),
-    phone: z9.string().optional().describe("Customer phone")
+import { z as z4 } from "zod";
+var schema4 = {
+  pgPaymentId: z4.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z4.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z4.object({
+    name: z4.string().optional().describe("Customer name"),
+    email: z4.string().describe("Customer email (required)"),
+    phone: z4.string().optional().describe("Customer phone")
   }).describe("Customer snapshot at time of order (required)"),
-  shippingAddress: z9.record(z9.string(), z9.unknown()).describe(
+  shippingAddress: z4.record(z4.string(), z4.unknown()).describe(
     "Shipping address object (required). Fields: postalCode, address1, address2, deliveryMessage, recipientName, phone"
   ),
-  orderItems: z9.array(z9.record(z9.string(), z9.unknown())).describe(
+  orderItems: z4.array(z4.record(z4.string(), z4.unknown())).describe(
     "Array of order item objects (required). Each: { product, variant, option, quantity, unitPrice?, totalPrice? }"
   ),
-  totalAmount: z9.number().nonnegative().describe("Total order amount (required, min 0)"),
-  shippingAmount: z9.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
-  discountCode: z9.string().optional().describe("Discount code to apply (optional)")
+  totalAmount: z4.number().nonnegative().describe("Total order amount (required, min 0)"),
+  shippingAmount: z4.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
+  discountCode: z4.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata9 = {
+var metadata4 = {
   name: "create-order",
   description: "Create a new order with products and shipping information. Supports idempotency.",
   annotations: {
@@ -634,10 +726,10 @@ async function createOrder(params) {
 }
 
 // src/tools/update-order.ts
-import { z as z10 } from "zod";
-var schema10 = {
-  orderNumber: z10.string().min(1).describe("Order number (required)"),
-  status: z10.enum([
+import { z as z5 } from "zod";
+var schema5 = {
+  orderNumber: z5.string().min(1).describe("Order number (required)"),
+  status: z5.enum([
     "pending",
     "paid",
     "failed",
@@ -650,7 +742,7 @@ var schema10 = {
     "New order status. Return-related statuses (return_requested, return_processing, returned) must be set via Return endpoints."
   )
 };
-var metadata10 = {
+var metadata5 = {
   name: "update-order",
   description: "Update order status. Automatically adjusts stock on status changes (e.g., canceled restores stock).",
   annotations: {
@@ -674,17 +766,17 @@ async function updateOrder({
 }
 
 // src/tools/checkout.ts
-import { z as z11 } from "zod";
-var schema11 = {
-  cartId: z11.string().min(1).describe("Cart ID to convert to order (required)"),
-  pgPaymentId: z11.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z11.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z11.record(z11.string(), z11.unknown()).describe(
+import { z as z6 } from "zod";
+var schema6 = {
+  cartId: z6.string().min(1).describe("Cart ID to convert to order (required)"),
+  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z6.record(z6.string(), z6.unknown()).describe(
     "Customer snapshot object (required). Fields: { name?, email, phone? }"
   ),
-  discountCode: z11.string().optional().describe("Discount code to apply (optional)")
+  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
 };
-var metadata11 = {
+var metadata6 = {
   name: "checkout",
   description: "Convert a cart to an order. Validates stock, creates order and transaction, marks cart as completed. Supports idempotency.",
   annotations: {
@@ -707,21 +799,21 @@ async function checkout(params) {
 }
 
 // src/tools/create-fulfillment.ts
-import { z as z12 } from "zod";
-var schema12 = {
-  orderNumber: z12.string().min(1).describe("Order number (required)"),
-  carrier: z12.string().optional().describe("Shipping carrier name (optional)"),
-  trackingNumber: z12.string().optional().describe(
+import { z as z7 } from "zod";
+var schema7 = {
+  orderNumber: z7.string().min(1).describe("Order number (required)"),
+  carrier: z7.string().optional().describe("Shipping carrier name (optional)"),
+  trackingNumber: z7.string().optional().describe(
     'Tracking number (optional). Setting carrier + tracking triggers "shipped" status'
   ),
-  items: z12.array(
-    z12.object({
-      orderItem: z12.string().min(1).describe("Order item ID"),
-      quantity: z12.number().int().positive().describe("Quantity to fulfill")
+  items: z7.array(
+    z7.object({
+      orderItem: z7.string().min(1).describe("Order item ID"),
+      quantity: z7.number().int().positive().describe("Quantity to fulfill")
     })
   ).describe("Array of items to fulfill (required)")
 };
-var metadata12 = {
+var metadata7 = {
   name: "create-fulfillment",
   description: "Create a shipment/fulfillment for order items. Auto-updates order status (paid \u2192 preparing \u2192 shipped).",
   annotations: {
@@ -752,20 +844,20 @@ async function createFulfillment({
 }
 
 // src/tools/update-fulfillment.ts
-import { z as z13 } from "zod";
-var schema13 = {
-  fulfillmentId: z13.string().min(1).describe("Fulfillment ID (required)"),
-  status: z13.enum(["packed", "shipped", "delivered", "failed"]).describe(
+import { z as z8 } from "zod";
+var schema8 = {
+  fulfillmentId: z8.string().min(1).describe("Fulfillment ID (required)"),
+  status: z8.enum(["packed", "shipped", "delivered", "failed"]).describe(
     "New fulfillment status (required). FSM: pending\u2192packed/shipped/failed, packed\u2192shipped/failed, shipped\u2192delivered/failed"
   ),
-  carrier: z13.string().optional().describe(
+  carrier: z8.string().optional().describe(
     "Shipping carrier (optional, changeable only in pending/packed status)"
   ),
-  trackingNumber: z13.string().optional().describe(
+  trackingNumber: z8.string().optional().describe(
     "Tracking number (optional, changeable only in pending/packed status)"
   )
 };
-var metadata13 = {
+var metadata8 = {
   name: "update-fulfillment",
   description: "Update fulfillment status, carrier, and tracking number. Auto-updates order status when all fulfillments are delivered.",
   annotations: {
@@ -795,15 +887,134 @@ async function updateFulfillment({
   }
 }
 
+// ../../packages/contracts/src/tenant/index.ts
+import { z as z9 } from "zod";
+var tenantFieldConfigStateSchema = z9.object({
+  hiddenFields: z9.array(z9.string()),
+  isHidden: z9.boolean()
+}).strict();
+var tenantContextQuerySchema = z9.object({
+  counts: z9.literal("true").optional()
+}).strict();
+var tenantContextToolInputSchema = z9.object({
+  includeCounts: z9.boolean().optional().default(false).describe(
+    "Include per-collection document counts and config status (bypasses cache, slower)"
+  )
+}).strict();
+var tenantContextResponseSchema = z9.object({
+  tenant: z9.object({
+    id: z9.string(),
+    name: z9.string(),
+    plan: z9.string(),
+    planSource: z9.string().optional(),
+    authoritative: z9.boolean().optional(),
+    capabilityVersion: z9.string().optional(),
+    isDevMode: z9.boolean()
+  }).strict(),
+  features: z9.array(z9.string()),
+  collections: z9.object({
+    active: z9.array(z9.string()),
+    inactive: z9.array(z9.string())
+  }).strict(),
+  fieldConfigs: z9.record(z9.string(), tenantFieldConfigStateSchema),
+  counts: z9.record(z9.string(), z9.number()).optional(),
+  config: z9.object({
+    webhookConfigured: z9.boolean()
+  }).strict().optional()
+}).strict();
+var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
+var collectionSchemaEndpointParamsSchema = z9.object({
+  collectionSlug: z9.string().min(1, "collectionSlug is required")
+}).strict();
+function createCollectionSchemaToolInputSchema(collections) {
+  return z9.object({
+    collection: z9.enum(collections).describe("Collection name (required)")
+  }).strict();
+}
+var collectionFieldOptionSchema = z9.object({
+  label: z9.string(),
+  value: z9.string()
+}).strict();
+var collectionFieldSchema = z9.lazy(
+  () => z9.object({
+    name: z9.string(),
+    path: z9.string(),
+    type: z9.string(),
+    required: z9.literal(true).optional(),
+    unique: z9.literal(true).optional(),
+    hasMany: z9.literal(true).optional(),
+    relationTo: z9.union([z9.string(), z9.array(z9.string())]).optional(),
+    options: z9.array(collectionFieldOptionSchema).optional(),
+    hidden: z9.literal(true).optional(),
+    systemManaged: z9.literal(true).optional(),
+    writable: z9.boolean().optional(),
+    fields: z9.array(collectionFieldSchema).optional()
+  }).strict()
+);
+var collectionSchemaResponseSchema = z9.object({
+  contractVersion: z9.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
+  mode: z9.literal("effective"),
+  collection: z9.object({
+    slug: z9.string(),
+    timestamps: z9.boolean(),
+    alwaysActive: z9.boolean(),
+    feature: z9.string().nullable(),
+    systemFields: z9.array(z9.string()),
+    visibility: z9.object({
+      collectionHidden: z9.boolean(),
+      hiddenFields: z9.array(z9.string())
+    }).strict(),
+    fields: z9.array(collectionFieldSchema)
+  }).strict()
+}).strict();
+
+// ../../packages/contracts/src/ecommerce/index.ts
+import { z as z10 } from "zod";
+var transactionStatusSchema = z10.enum([
+  "pending",
+  "paid",
+  "failed",
+  "canceled"
+]);
+var updateTransactionSchema = z10.object({
+  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
+  status: transactionStatusSchema.describe(
+    "New transaction status (required)"
+  ),
+  paymentMethod: z10.string().optional().describe("Payment method (optional)"),
+  receiptUrl: z10.string().optional().describe("Receipt URL (optional)"),
+  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
+  amount: z10.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
+}).strict();
+var UpdateTransactionSchema = updateTransactionSchema;
+var returnReasonSchema = z10.enum([
+  "change_of_mind",
+  "defective",
+  "wrong_delivery",
+  "damaged",
+  "other"
+]);
+var restockActionSchema = z10.enum(["return_to_stock", "discard"]);
+var returnWithRefundItemSchema = z10.object({
+  orderItem: z10.union([z10.string(), z10.number()]).transform(String),
+  quantity: z10.number().int().positive("quantity must be a positive integer"),
+  restockAction: restockActionSchema.default("return_to_stock")
+}).strict();
+var returnWithRefundSchema = z10.object({
+  orderNumber: z10.string().min(1, "orderNumber is required").describe("Order number (required)"),
+  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
+  reasonDetail: z10.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z10.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
+  refundAmount: z10.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
+  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
+  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified refund"),
+  refundReceiptUrl: z10.string().optional().describe("Refund receipt URL (optional)")
+}).strict();
+var ReturnWithRefundSchema = returnWithRefundSchema;
+
 // src/tools/update-transaction.ts
-import { z as z14 } from "zod";
-var schema14 = {
-  pgPaymentId: z14.string().min(1).describe("PG payment ID (required)"),
-  status: z14.enum(["pending", "paid", "failed", "canceled"]).describe("New transaction status (required)"),
-  paymentMethod: z14.string().optional().describe("Payment method (optional)"),
-  receiptUrl: z14.string().optional().describe("Receipt URL (optional)")
-};
-var metadata14 = {
+var schema9 = UpdateTransactionSchema.shape;
+var metadata9 = {
   name: "update-transaction",
   description: "Update transaction status, payment method, and receipt URL.",
   annotations: {
@@ -817,16 +1028,21 @@ async function updateTransaction({
   pgPaymentId,
   status,
   paymentMethod,
-  receiptUrl
+  receiptUrl,
+  paymentKey,
+  amount
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.updateTransaction({
+    const params = {
       pgPaymentId,
       status,
       paymentMethod,
-      receiptUrl
-    });
+      receiptUrl,
+      paymentKey,
+      amount
+    };
+    const result = await client.commerce.orders.updateTransaction(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -834,20 +1050,20 @@ async function updateTransaction({
 }
 
 // src/tools/create-return.ts
-import { z as z15 } from "zod";
-var schema15 = {
-  orderNumber: z15.string().min(1).describe("Order number (required)"),
-  reason: z15.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z15.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z15.array(
-    z15.object({
-      orderItem: z15.string().min(1).describe("Order item ID"),
-      quantity: z15.number().int().positive().describe("Quantity to return")
+import { z as z11 } from "zod";
+var schema10 = {
+  orderNumber: z11.string().min(1).describe("Order number (required)"),
+  reason: z11.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
+  reasonDetail: z11.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z11.array(
+    z11.object({
+      orderItem: z11.string().min(1).describe("Order item ID"),
+      quantity: z11.number().int().positive().describe("Quantity to return")
     })
   ).describe("Array of products to return (required)"),
-  refundAmount: z15.number().nonnegative().describe("Refund amount (required, min 0)")
+  refundAmount: z11.number().nonnegative().describe("Refund amount (required, min 0)")
 };
-var metadata15 = {
+var metadata10 = {
   name: "create-return",
   description: "Create a return request for an order. Only works for delivered/confirmed orders. Updates order status to return_requested.",
   annotations: {
@@ -880,14 +1096,14 @@ async function createReturn({
 }
 
 // src/tools/update-return.ts
-import { z as z16 } from "zod";
-var schema16 = {
-  returnId: z16.string().min(1).describe("Return ID (required)"),
-  status: z16.enum(["processing", "approved", "rejected", "completed"]).describe(
+import { z as z12 } from "zod";
+var schema11 = {
+  returnId: z12.string().min(1).describe("Return ID (required)"),
+  status: z12.enum(["processing", "approved", "rejected", "completed"]).describe(
     "New return status (required). Valid transitions: requested\u2192processing/rejected, processing\u2192approved/rejected, approved\u2192completed"
   )
 };
-var metadata16 = {
+var metadata11 = {
   name: "update-return",
   description: "Update return status with FSM validation. Restores inventory on completion, reverts order status on rejection.",
   annotations: {
@@ -911,22 +1127,8 @@ async function updateReturn({
 }
 
 // src/tools/return-with-refund.ts
-import { z as z17 } from "zod";
-var schema17 = {
-  orderNumber: z17.string().min(1).describe("Order number (required)"),
-  reason: z17.enum(["change_of_mind", "defective", "wrong_delivery", "damaged", "other"]).optional().describe("Return reason (optional)"),
-  reasonDetail: z17.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z17.array(
-    z17.object({
-      orderItem: z17.string().min(1).describe("Order item ID"),
-      quantity: z17.number().int().positive().describe("Quantity to return")
-    })
-  ).describe("Array of products to return (required)"),
-  refundAmount: z17.number().nonnegative().describe("Refund amount (required, min 0)"),
-  pgPaymentId: z17.string().min(1).describe("PG payment ID for refund (required)"),
-  refundReceiptUrl: z17.string().optional().describe("Refund receipt URL (optional)")
-};
-var metadata17 = {
+var schema12 = ReturnWithRefundSchema.shape;
+var metadata12 = {
   name: "return-with-refund",
   description: "Combined return + refund operation. Creates return, restores stock, cancels transaction, updates order status.",
   annotations: {
@@ -943,19 +1145,22 @@ async function returnWithRefund({
   returnItems,
   refundAmount,
   pgPaymentId,
+  paymentKey,
   refundReceiptUrl
 }) {
   try {
     const client = getClient();
-    const result = await client.commerce.orders.returnWithRefund({
+    const params = {
       orderNumber,
       reason,
       reasonDetail,
       returnItems,
       refundAmount,
       pgPaymentId,
+      paymentKey,
       refundReceiptUrl
-    });
+    };
+    const result = await client.commerce.orders.returnWithRefund(params);
     return toolSuccess({ data: result });
   } catch (error) {
     return toolError(error);
@@ -963,15 +1168,15 @@ async function returnWithRefund({
 }
 
 // src/tools/add-cart-item.ts
-import { z as z18 } from "zod";
-var schema18 = {
-  cartId: z18.string().min(1).describe("Cart ID (required)"),
-  product: z18.string().min(1).describe("Product ID (required)"),
-  variant: z18.string().min(1).describe("Product variant ID (required)"),
-  option: z18.string().min(1).describe("Product option ID (required)"),
-  quantity: z18.number().int().positive().describe("Quantity to add (required, positive integer)")
+import { z as z13 } from "zod";
+var schema13 = {
+  cartId: z13.string().min(1).describe("Cart ID (required)"),
+  product: z13.string().min(1).describe("Product ID (required)"),
+  variant: z13.string().min(1).describe("Product variant ID (required)"),
+  option: z13.string().min(1).describe("Product option ID (required)"),
+  quantity: z13.number().int().positive().describe("Quantity to add (required, positive integer)")
 };
-var metadata18 = {
+var metadata13 = {
   name: "add-cart-item",
   description: "Add a product to cart. Validates stock, merges quantity if item already exists, recalculates totals.",
   annotations: {
@@ -1004,12 +1209,12 @@ async function addCartItem({
 }
 
 // src/tools/update-cart-item.ts
-import { z as z19 } from "zod";
-var schema19 = {
-  cartItemId: z19.string().min(1).describe("Cart item ID (required)"),
-  quantity: z19.number().int().positive().describe("New quantity (required, positive integer)")
+import { z as z14 } from "zod";
+var schema14 = {
+  cartItemId: z14.string().min(1).describe("Cart item ID (required)"),
+  quantity: z14.number().int().positive().describe("New quantity (required, positive integer)")
 };
-var metadata19 = {
+var metadata14 = {
   name: "update-cart-item",
   description: "Update cart item quantity. Validates stock availability, recalculates cart totals.",
   annotations: {
@@ -1033,11 +1238,11 @@ async function updateCartItem({
 }
 
 // src/tools/remove-cart-item.ts
-import { z as z20 } from "zod";
-var schema20 = {
-  cartItemId: z20.string().min(1).describe("Cart item ID to remove (required)")
+import { z as z15 } from "zod";
+var schema15 = {
+  cartItemId: z15.string().min(1).describe("Cart item ID to remove (required)")
 };
-var metadata20 = {
+var metadata15 = {
   name: "remove-cart-item",
   description: "Remove an item from cart. Recalculates cart totals after removal.",
   annotations: {
@@ -1060,12 +1265,12 @@ async function removeCartItem({
 }
 
 // src/tools/apply-discount.ts
-import { z as z21 } from "zod";
-var schema21 = {
-  cartId: z21.string().min(1).describe("Cart ID (required)"),
-  discountCode: z21.string().describe("Discount code to apply (required)")
+import { z as z16 } from "zod";
+var schema16 = {
+  cartId: z16.string().min(1).describe("Cart ID (required)"),
+  discountCode: z16.string().describe("Discount code to apply (required)")
 };
-var metadata21 = {
+var metadata16 = {
   name: "apply-discount",
   description: "Apply a discount code to a cart. Validates the code, updates cart totals, and sets free shipping if applicable.",
   annotations: {
@@ -1089,11 +1294,11 @@ async function applyDiscount({
 }
 
 // src/tools/remove-discount.ts
-import { z as z22 } from "zod";
-var schema22 = {
-  cartId: z22.string().min(1).describe("Cart ID (required)")
+import { z as z17 } from "zod";
+var schema17 = {
+  cartId: z17.string().min(1).describe("Cart ID (required)")
 };
-var metadata22 = {
+var metadata17 = {
   name: "remove-discount",
   description: "Remove the applied discount code from a cart and recalculate totals.",
   annotations: {
@@ -1116,11 +1321,11 @@ async function removeDiscount({
 }
 
 // src/tools/clear-cart.ts
-import { z as z23 } from "zod";
-var schema23 = {
-  cartId: z23.string().min(1).describe("Cart ID (required)")
+import { z as z18 } from "zod";
+var schema18 = {
+  cartId: z18.string().min(1).describe("Cart ID (required)")
 };
-var metadata23 = {
+var metadata18 = {
   name: "clear-cart",
   description: "Remove all items from a cart, reset discount and amounts. Shipping fee is preserved.",
   annotations: {
@@ -1143,12 +1348,12 @@ async function clearCart({
 }
 
 // src/tools/validate-discount.ts
-import { z as z24 } from "zod";
-var schema24 = {
-  code: z24.string().describe("Discount code to validate (required)"),
-  orderAmount: z24.number().describe("Order amount for validation (required)")
+import { z as z19 } from "zod";
+var schema19 = {
+  code: z19.string().describe("Discount code to validate (required)"),
+  orderAmount: z19.number().describe("Order amount for validation (required)")
 };
-var metadata24 = {
+var metadata19 = {
   name: "validate-discount",
   description: "Validate a discount code. Checks active status, date range, usage limits, minimum order amount, and calculates discount.",
   annotations: {
@@ -1175,13 +1380,13 @@ async function validateDiscount({
 }
 
 // src/tools/calculate-shipping.ts
-import { z as z25 } from "zod";
-var schema25 = {
-  shippingPolicyId: z25.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
-  orderAmount: z25.number().describe("Order amount for fee calculation (required)"),
-  postalCode: z25.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
+import { z as z20 } from "zod";
+var schema20 = {
+  shippingPolicyId: z20.string().optional().describe("Shipping policy ID (uses default policy if omitted)"),
+  orderAmount: z20.number().describe("Order amount for fee calculation (required)"),
+  postalCode: z20.string().optional().describe("Postal code for Jeju surcharge detection (63000-63644)")
 };
-var metadata25 = {
+var metadata20 = {
   name: "calculate-shipping",
   description: "Calculate shipping fee based on order amount and postal code. Supports free shipping threshold and Jeju surcharge.",
   annotations: {
@@ -1210,18 +1415,18 @@ async function calculateShipping({
 }
 
 // src/tools/stock-check.ts
-import { z as z26 } from "zod";
-var schema26 = {
-  items: z26.array(
-    z26.object({
-      variantId: z26.string().describe("Product variant ID"),
-      quantity: z26.number().int().positive().describe("Requested quantity")
+import { z as z21 } from "zod";
+var schema21 = {
+  items: z21.array(
+    z21.object({
+      variantId: z21.string().describe("Product variant ID"),
+      quantity: z21.number().int().positive().describe("Requested quantity")
     })
   ).describe(
     "Array of items to check stock for (required, max 100). Each: { variantId, quantity }"
   )
 };
-var metadata26 = {
+var metadata21 = {
   name: "stock-check",
   description: "Batch check product option stock availability. Returns per-item availability and an allAvailable flag.",
   annotations: {
@@ -1244,8 +1449,7 @@ async function stockCheck({
 }
 
 // src/tools/get-collection-schema.ts
-import { z as z27 } from "zod";
-import { COLLECTIONS as COLLECTIONS8 } from "@01.software/sdk";
+import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
 
 // src/lib/console-api.ts
 import { createHash } from "crypto";
@@ -1340,17 +1544,16 @@ async function consolePost(path, body, apiKey) {
 // src/lib/collection-schema.ts
 async function getCollectionSchema(collection) {
   const apiKey = resolveApiKey();
-  return consoleGet(
+  const data = await consoleGet(
     `/api/tenants/schema/${encodeURIComponent(collection)}`,
     apiKey
   );
+  return collectionSchemaResponseSchema.parse(data);
 }
 
 // src/tools/get-collection-schema.ts
-var schema27 = {
-  collection: z27.enum(COLLECTIONS8).describe("Collection name (required)")
-};
-var metadata27 = {
+var schema22 = createCollectionSchemaToolInputSchema(COLLECTIONS3).shape;
+var metadata22 = {
   name: "get-collection-schema",
   description: "Get the authoritative tenant-aware collection schema from console. Use this before create/update to understand writable fields, hidden fields, required metadata, and collection-level visibility.",
   annotations: {
@@ -1374,9 +1577,6 @@ async function getCollectionSchemaTool({
   }
 }
 
-// src/tools/get-tenant-context.ts
-import { z as z28 } from "zod";
-
 // src/lib/tenant-context.ts
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
@@ -1387,16 +1587,12 @@ async function getTenantContext(includeCounts = false) {
     getTenantContextPath(includeCounts),
     apiKey
   );
-  return data;
-}
-function invalidateTenantContextCache() {
+  return tenantContextResponseSchema.parse(data);
 }
 
 // src/tools/get-tenant-context.ts
-var schema28 = {
-  includeCounts: z28.boolean().optional().default(false).describe("Include per-collection document counts and config status (bypasses cache, slower)")
-};
-var metadata28 = {
+var schema23 = tenantContextToolInputSchema.shape;
+var metadata23 = {
   name: "get-tenant-context",
   description: "Get current tenant features, active collections, and field visibility. Call this at the start of every session. Use includeCounts=true to also get per-collection document counts for setup diagnostics.",
   annotations: {
@@ -1406,7 +1602,9 @@ var metadata28 = {
     idempotentHint: true
   }
 };
-async function handler({ includeCounts }) {
+async function handler({
+  includeCounts
+}) {
   try {
     const ctx = await getTenantContext(includeCounts);
     const lines = [
@@ -1459,11 +1657,10 @@ async function handler({ includeCounts }) {
       }
     }
     if (ctx.config) {
+      lines.push("", "## Config Status");
       lines.push(
-        "",
-        "## Config Status"
+        `- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`
       );
-      lines.push(`- Webhook configured: ${ctx.config.webhookConfigured ? "Yes" : "No"}`);
     }
     return toolSuccess({ context: lines.join("\n") });
   } catch (error) {
@@ -1472,7 +1669,7 @@ async function handler({ includeCounts }) {
 }
 
 // src/tools/list-configurable-fields.ts
-import { z as z29 } from "zod";
+import { z as z22 } from "zod";
 
 // src/lib/field-config.ts
 async function fetchFieldConfigs() {
@@ -1495,12 +1692,12 @@ function invalidateFieldConfigCache() {
 }
 
 // src/tools/list-configurable-fields.ts
-var schema29 = {
-  collection: z29.string().optional().describe(
+var schema24 = {
+  collection: z22.string().optional().describe(
     "Filter by collection slug (optional \u2014 returns all if omitted). Use this filter to reduce response size when you know which collection to check."
   )
 };
-var metadata29 = {
+var metadata24 = {
   name: "list-configurable-fields",
   description: "List all configurable fields for tenant collections with current visibility state. Shows which fields can be shown/hidden and their current status. Returns all collections including inactive features \u2014 cross-reference with get-tenant-context for active features. Response includes ~300 fields across 47 collections \u2014 use collection filter when possible.",
   annotations: {
@@ -1531,17 +1728,17 @@ async function listConfigurableFields(params) {
 }
 
 // src/tools/update-field-config.ts
-import { z as z30 } from "zod";
-var schema30 = {
-  collection: z30.string().min(1).describe("Collection slug (required)"),
-  hiddenFields: z30.array(z30.string().min(1).max(200)).max(300).describe(
+import { z as z23 } from "zod";
+var schema25 = {
+  collection: z23.string().min(1).describe("Collection slug (required)"),
+  hiddenFields: z23.array(z23.string().min(1).max(200)).max(300).describe(
     "Fields to hide (required). This is a FULL REPLACE \u2014 fields NOT in this list will be shown. Pass [] to show all fields. Use list-configurable-fields first to see available field paths."
   ),
-  isHidden: z30.boolean().optional().describe(
+  isHidden: z23.boolean().optional().describe(
     "Hide the entire collection from Admin Panel (optional). When true, individual hiddenFields are irrelevant."
   )
 };
-var metadata30 = {
+var metadata25 = {
   name: "update-field-config",
   description: "Update field visibility configuration for a tenant collection. Hidden fields are removed from the Admin Panel UI. IMPORTANT: hiddenFields is a full replace, not a merge. Always call list-configurable-fields first to see current state.",
   annotations: {
@@ -1559,7 +1756,6 @@ async function updateFieldConfig(params) {
       isHidden: params.isHidden
     });
     invalidateFieldConfigCache();
-    invalidateTenantContextCache();
     return toolSuccess({
       message: `Field config updated for '${params.collection}'`,
       data: result
@@ -1570,7 +1766,7 @@ async function updateFieldConfig(params) {
 }
 
 // src/tools/sdk-get-recipe.ts
-import { z as z31 } from "zod";
+import { z as z24 } from "zod";
 
 // src/lib/sdk-recipes.ts
 var recipes = {
@@ -1722,7 +1918,7 @@ const result = await client.collections.from('products').create({
         "Returns result.doc (not the document directly)"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "update-item": {
@@ -1751,7 +1947,7 @@ const result = await client.collections.from('products').update('product-id', {
         "Partial updates are supported \u2014 omitted fields retain their current value"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-collection"]
+      relatedTools: ["get-collection-by-id", "get-collection-schema"]
     }
   },
   "delete-item": {
@@ -1775,7 +1971,7 @@ console.log('Deleted:', deleted.title)`,
         "Throws if the item does not exist"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["delete-collection"]
+      relatedTools: ["get-collection-by-id", "query-collection"]
     }
   },
   "infinite-scroll": {
@@ -1952,7 +2148,7 @@ const result = await client.collections.from('images').create(formData as unknow
         "Always set alt text for accessibility"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["create-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   },
   "bulk-operations": {
@@ -1988,7 +2184,7 @@ const removed = await client.collections.from('products').removeMany(
         "Very broad where clauses (or empty) will affect all documents in the collection"
       ],
       relatedResources: ["docs://sdk/query-builder"],
-      relatedTools: ["update-many-collection", "delete-many-collection"]
+      relatedTools: ["query-collection", "get-collection-schema"]
     }
   }
 };
@@ -2002,8 +2198,8 @@ function getRecipe(goal, runtime = "both") {
 }
 
 // src/tools/sdk-get-recipe.ts
-var schema31 = {
-  goal: z31.enum([
+var schema26 = {
+  goal: z24.enum([
     "fetch-list",
     "fetch-by-id",
     "create-item",
@@ -2015,11 +2211,11 @@ var schema31 = {
     "file-upload",
     "bulk-operations"
   ]).describe("What the user wants to accomplish"),
-  runtime: z31.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
-  collection: z31.string().optional().describe("Specific collection name if applicable"),
-  includeExample: z31.boolean().default(true).describe("Whether to include a full code example")
+  runtime: z24.enum(["browser", "server", "both"]).default("both").describe("Target runtime environment"),
+  collection: z24.string().optional().describe("Specific collection name if applicable"),
+  includeExample: z24.boolean().default(true).describe("Whether to include a full code example")
 };
-var metadata31 = {
+var metadata26 = {
   name: "sdk-get-recipe",
   description: "Get a complete SDK code recipe for a specific task. Returns recommended approach, code example, and related documentation links. Use this FIRST when the user asks how to do something with the SDK.",
   annotations: {
@@ -2062,7 +2258,7 @@ function handler2({
 }
 
 // src/tools/sdk-search-docs.ts
-import { z as z32 } from "zod";
+import { z as z25 } from "zod";
 
 // src/lib/sdk-doc-index.ts
 var docIndex = [
@@ -2237,11 +2433,11 @@ function searchDocs(query, limit = 5) {
 }
 
 // src/tools/sdk-search-docs.ts
-var schema32 = {
-  query: z32.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
-  limit: z32.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
+var schema27 = {
+  query: z25.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
+  limit: z25.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
 };
-var metadata32 = {
+var metadata27 = {
   name: "sdk-search-docs",
   description: "Search SDK documentation by keyword. Returns matching topics with summaries and resource links. Use when looking for specific SDK features or patterns.",
   annotations: {
@@ -2276,9 +2472,9 @@ function handler3({
 }
 
 // src/tools/sdk-get-auth-setup.ts
-import { z as z33 } from "zod";
-var schema33 = {
-  scenario: z33.enum([
+import { z as z26 } from "zod";
+var schema28 = {
+  scenario: z26.enum([
     "browser-client",
     "server-client",
     "customer-auth",
@@ -2287,7 +2483,7 @@ var schema33 = {
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
-var metadata33 = {
+var metadata28 = {
   name: "sdk-get-auth-setup",
   description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
@@ -2441,14 +2637,14 @@ function handler4({
 }
 
 // src/tools/sdk-get-collection-pattern.ts
-import { z as z34 } from "zod";
-import { COLLECTIONS as COLLECTIONS9 } from "@01.software/sdk";
-var schema34 = {
-  collection: z34.enum(COLLECTIONS9).describe("Collection name"),
-  operation: z34.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
-  surface: z34.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
+import { z as z27 } from "zod";
+import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
+var schema29 = {
+  collection: z27.enum(COLLECTIONS4).describe("Collection name"),
+  operation: z27.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
+  surface: z27.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
 };
-var metadata34 = {
+var metadata29 = {
   name: "sdk-get-collection-pattern",
   description: "Get the recommended CRUD pattern for a specific collection. Returns code examples for the chosen API surface and operation type.",
   annotations: {
@@ -2615,7 +2811,6 @@ function handler5({
       relatedTools: [
         "query-collection",
         "get-collection-by-id",
-        ...operation !== "read" ? ["create-collection", "update-collection", "delete-collection"] : [],
         "get-collection-schema"
       ],
       relatedResources: [
@@ -2629,14 +2824,14 @@ function handler5({
 }
 
 // src/prompts/sdk-usage-guide.ts
-import { z as z35 } from "zod";
-var schema35 = {
-  goal: z35.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
-  runtime: z35.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
-  surface: z35.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
-  collection: z35.string().optional().describe("Specific collection if relevant")
+import { z as z28 } from "zod";
+var schema30 = {
+  goal: z28.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
+  runtime: z28.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
+  surface: z28.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
+  collection: z28.string().optional().describe("Specific collection if relevant")
 };
-var metadata35 = {
+var metadata30 = {
   name: "sdk-usage-guide",
   title: "SDK Usage Guide",
   description: "Provides guidance on how to perform a specific task using the 01.software SDK",
@@ -2773,14 +2968,14 @@ You can perform the "${goal}" task by following the patterns above.`;
 }
 
 // src/prompts/collection-query-help.ts
-import { z as z36 } from "zod";
-import { COLLECTIONS as COLLECTIONS10 } from "@01.software/sdk";
-var schema36 = {
-  collection: z36.enum(COLLECTIONS10).describe("Collection name"),
-  operation: z36.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
-  filters: z36.string().optional().describe("Filter conditions (JSON string, optional)")
+import { z as z29 } from "zod";
+import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
+var schema31 = {
+  collection: z29.enum(COLLECTIONS5).describe("Collection name"),
+  operation: z29.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
+  filters: z29.string().optional().describe("Filter conditions (JSON string, optional)")
 };
-var metadata36 = {
+var metadata31 = {
   name: "collection-query-help",
   title: "Collection Query Help",
   description: "Provides guidance on how to write queries for a specific collection",
@@ -2867,16 +3062,16 @@ ${operation === "find" ? `- Use \`where\` option for filtering (Payload query sy
 }
 
 // src/prompts/order-flow-guide.ts
-import { z as z37 } from "zod";
-var schema37 = {
-  scenario: z37.enum([
+import { z as z30 } from "zod";
+var schema32 = {
+  scenario: z30.enum([
     "simple-order",
     "cart-checkout",
     "return-refund",
     "fulfillment-tracking"
   ]).describe("Order flow scenario")
 };
-var metadata37 = {
+var metadata32 = {
   name: "order-flow-guide",
   title: "Order Flow Guide",
   description: "Provides step-by-step guidance for ecommerce order flows including creation, checkout, returns, and fulfillment.",
@@ -2891,8 +3086,8 @@ var SCENARIOS = {
    - Provide: orderNumber, customerSnapshot (email required), shippingAddress, orderItems, totalAmount
    - Optional: pgPaymentId (omit for free orders), shippingAmount, discountCode
 
-2. **Payment Confirmation** \u2192 \`update-order\` tool
-   - Update status to \`paid\` after payment gateway confirms
+2. **Payment Confirmation** \u2192 \`update-transaction\` tool
+   - Confirm provider payment with pgPaymentId, paymentKey, and amount
    - Stock is automatically adjusted (stock -= qty, reservedStock += qty)
 
 3. **Fulfillment** \u2192 \`create-fulfillment\` tool
@@ -2919,8 +3114,13 @@ const order = await client.commerce.orders.create({
   pgPaymentId: 'pay_xxx' // omit for free orders
 })
 
-// 2. After payment confirmed
-await client.commerce.orders.update({ orderNumber: 'ORD-240101-001', status: 'paid' })
+// 2. After payment confirmed by provider
+await client.commerce.orders.updateTransaction({
+  pgPaymentId: 'pay_xxx',
+  status: 'paid',
+  paymentKey: 'payment_key_xxx',
+  amount: 59800
+})
 
 // 3. Ship items
 await client.commerce.orders.createFulfillment({
@@ -2938,7 +3138,7 @@ await client.commerce.orders.createFulfillment({
 2. **Apply Discount** (optional) \u2192 \`apply-discount\` tool
 3. **Calculate Shipping** \u2192 \`calculate-shipping\` tool
 4. **Checkout** \u2192 \`checkout\` tool (converts cart to order)
-5. **Payment** \u2192 \`update-order\` or \`update-transaction\`
+5. **Payment** \u2192 \`update-transaction\` for provider-verified paid transitions
 
 ### Key Points
 - Cart has a customer linked \u2014 auto-copied to order on checkout
@@ -2975,7 +3175,7 @@ const order = await client.commerce.orders.checkout({
 1. **Return with Refund** \u2192 \`return-with-refund\` tool
    - Handles return + stock restoration + transaction update in one call
    - Return immediately completed (bypasses FSM)
-   - Requires pgPaymentId to identify which transaction to refund
+   - Requires pgPaymentId and paymentKey for provider-verified refund
 
 ### Key Points
 - Full refund: original transaction \u2192 \`canceled\`
@@ -2992,7 +3192,8 @@ await client.commerce.orders.returnWithRefund({
   reasonDetail: 'Product arrived damaged',
   returnItems: [{ orderItem: 'oi-id', quantity: 1 }],
   refundAmount: 29900,
-  pgPaymentId: 'pay_xxx'
+  pgPaymentId: 'pay_xxx',
+  paymentKey: 'payment_key_xxx'
 })
 \`\`\``,
   "fulfillment-tracking": `## Fulfillment & Tracking
@@ -3055,9 +3256,9 @@ ${SCENARIOS[scenario] || "Unknown scenario."}
 }
 
 // src/prompts/feature-setup-guide.ts
-import { z as z38 } from "zod";
-var schema38 = {
-  feature: z38.enum([
+import { z as z31 } from "zod";
+var schema33 = {
+  feature: z31.enum([
     "ecommerce",
     "customers",
     "articles",
@@ -3072,7 +3273,7 @@ var schema38 = {
     "community"
   ]).describe("Feature to get setup guide for")
 };
-var metadata38 = {
+var metadata33 = {
   name: "feature-setup-guide",
   title: "Feature Setup Guide",
   description: "Setup checklist and remediation guide for a tenant feature. Load before using get-tenant-context to diagnose setup gaps.",
@@ -3085,8 +3286,8 @@ var FEATURES = {
 
 ### Required Collections (count > 0)
 
-1. **products** \u2014 Use \`create-collection\` with \`collection='products'\`
-   - Minimum fields: \`{ title, slug, status: 'active' }\`
+1. **products** \u2014 Create via Console UI or SDK \`client.collections.from('products').create({ ... })\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **product-variants** \u2014 At least 1 sellable variant per product
    - Minimum fields: \`{ product, title, price, stock }\`
@@ -3119,7 +3320,7 @@ customer-addresses
 
 ### Optional Collections
 
-customer-groups \u2014 Use \`create-collection\` with \`collection='customer-groups'\`, \`{ title }\`
+customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('customer-groups').create({ title })\`
 
 ### Config
 
@@ -3158,10 +3359,10 @@ document-categories`,
 ### Required Collections (count > 0)
 
 1. **playlists** \u2014 At least 1 playlist
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **tracks** \u2014 At least 1 track
-   - Minimum fields: \`{ title }\`
+   - Minimum fields: \`{ title, sourceUrl, status: 'published', _status: 'published' }\`
 
 3. **playlists.tracks** \u2014 Link at least 1 track from a playlist
    - Minimum fields: \`{ tracks: [trackId] }\`
@@ -3174,11 +3375,11 @@ playlist-categories, playlist-tags, track-categories, track-tags, track-assets`,
 ### Required Collections (count > 0)
 
 1. **galleries** \u2014 At least 1 gallery
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
 
 2. **gallery-items** \u2014 At least 1 item per gallery
    - References \`images\` collection (non-upload)
-   - Minimum fields: \`{ gallery, image }\`
+   - Minimum fields: \`{ gallery, image, _status: 'published' }\`
 
 ### Optional Collections
 
@@ -3188,7 +3389,7 @@ gallery-categories, gallery-tags`,
 ### Required Collections (count > 0)
 
 1. **links** \u2014 At least 1 link
-   - Minimum fields: \`{ title, slug, url }\`
+   - Minimum fields: \`{ title, slug, url, status: 'published', _status: 'published' }\`
 
 ### Optional Collections
 
@@ -3269,12 +3470,12 @@ ${FEATURES[feature] || "Unknown feature."}
 
 ## Related MCP Tools
 - \`get-tenant-context\` \u2014 check current collection counts and feature status
-- \`create-collection\` \u2014 create required collection documents
-- \`query-collection\` \u2014 verify existing documents in a collection`;
+- \`query-collection\` \u2014 verify existing documents in a collection
+- \`get-collection-schema\` \u2014 inspect tenant-aware fields before creating data via SDK or Console UI`;
 }
 
 // src/resources/(config)/app.ts
-var metadata39 = {
+var metadata34 = {
   name: "app-config",
   title: "Application Config",
   description: "01.software SDK and MCP server configuration information"
@@ -3296,16 +3497,13 @@ HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 url = "https://mcp.01.software/mcp"
 \`\`\`
 
-## Available Tools (34)
+## Available Tools (29)
+
+> Generic write tools (create/update/delete/update-many/delete-many) are intentionally absent. Use the dedicated workflow tools below or the SDK (\`client.collections.from(slug).create()\` / \`update()\` / \`remove()\` / \`updateMany()\` / \`removeMany()\`) for stateful mutations.
 
-### Generic CRUD (7)
+### Generic Read (2)
 - \`query-collection\` - Query collection with filters, pagination, sorting
 - \`get-collection-by-id\` - Get single item by ID
-- \`create-collection\` - Create new item
-- \`update-collection\` - Update existing item
-- \`delete-collection\` - Delete item (destructive)
-- \`update-many-collection\` - Bulk update items matching filter
-- \`delete-many-collection\` - Bulk delete items matching filter (destructive)
 
 ### Orders (7)
 - \`create-order\` - Create a new order with products and shipping
@@ -3363,80 +3561,86 @@ Rate limits depend on your tenant plan:
 }
 
 // src/resources/(collections)/schema.ts
-import { COLLECTIONS as COLLECTIONS11 } from "@01.software/sdk";
-var metadata40 = {
+import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
+var metadata35 = {
   name: "collections-schema",
   title: "Collection Schema Info",
   description: "Available collections and their schema information"
 };
+var COLLECTIONS_BY_CATEGORY = {
+  "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
+  Products: [
+    "products",
+    "product-variants",
+    "product-options",
+    "product-option-values",
+    "product-categories",
+    "product-tags",
+    "product-collections"
+  ],
+  Brands: ["brands", "brand-logos"],
+  "Orders & Fulfillment": [
+    "orders",
+    "order-items",
+    "transactions",
+    "fulfillments",
+    "fulfillment-items"
+  ],
+  "Shipping & Returns": ["returns", "return-items", "shipping-policies"],
+  Customers: [
+    "customers",
+    "customer-profiles",
+    "customer-addresses",
+    "customer-groups"
+  ],
+  Carts: ["carts", "cart-items"],
+  "Discounts & Promotions": ["discounts", "promotions"],
+  Documents: ["documents", "document-categories", "document-types"],
+  Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+  Community: [
+    "posts",
+    "comments",
+    "reactions",
+    "reaction-types",
+    "bookmarks",
+    "post-categories",
+    "reports",
+    "community-bans"
+  ],
+  Playlists: [
+    "playlists",
+    "tracks",
+    "playlist-categories",
+    "playlist-tags",
+    "track-categories",
+    "track-tags"
+  ],
+  Galleries: ["galleries", "gallery-items", "gallery-categories", "gallery-tags"],
+  Links: ["links", "link-categories", "link-tags"],
+  Canvas: [
+    "canvases",
+    "canvas-node-types",
+    "canvas-edge-types",
+    "canvas-categories",
+    "canvas-tags",
+    "canvas-nodes",
+    "canvas-edges"
+  ],
+  Videos: ["videos", "video-categories", "video-tags"],
+  "Live Streams": ["live-streams"],
+  Images: ["images"],
+  Forms: ["forms", "form-submissions"],
+  Events: [
+    "event-calendars",
+    "events",
+    "event-categories",
+    "event-occurrences",
+    "event-tags"
+  ]
+};
 function handler7() {
-  const collectionsByCategory = {
-    "Tenant Management": ["tenants", "tenant-metadata", "tenant-logos"],
-    Products: [
-      "products",
-      "product-variants",
-      "product-options",
-      "product-categories",
-      "product-tags",
-      "product-collections"
-    ],
-    Brands: ["brands", "brand-logos"],
-    "Orders & Fulfillment": [
-      "orders",
-      "order-items",
-      "transactions",
-      "fulfillments",
-      "fulfillment-items"
-    ],
-    "Shipping & Returns": [
-      "returns",
-      "return-items",
-      "shipping-policies"
-    ],
-    Customers: ["customers", "customer-addresses", "customer-groups"],
-    Carts: ["carts", "cart-items"],
-    Discounts: ["discounts"],
-    Documents: ["documents", "document-categories", "document-types"],
-    Articles: ["articles", "article-authors", "article-categories", "article-tags"],
-    Community: [
-      "posts",
-      "comments",
-      "reactions",
-      "reaction-types",
-      "bookmarks",
-      "post-categories",
-      "reports",
-      "community-bans"
-    ],
-    Playlists: [
-      "playlists",
-      "tracks",
-      "track-assets",
-      "playlist-categories",
-      "playlist-tags",
-      "track-categories",
-      "track-tags"
-    ],
-    Galleries: [
-      "galleries",
-      "gallery-items",
-      "gallery-categories",
-      "gallery-tags"
-    ],
-    Canvas: [
-      "canvases",
-      "canvas-node-types",
-      "canvas-edge-types",
-      "canvas-categories",
-      "canvas-tags"
-    ],
-    Videos: ["videos", "video-categories", "video-tags"],
-    "Live Streams": ["live-streams"],
-    Images: ["images"],
-    Forms: ["forms", "form-submissions"]
-  };
-  const categoryDocs = Object.entries(collectionsByCategory).map(([category, collections]) => {
-    const collectionList = collections.filter((c) => COLLECTIONS11.includes(c)).map((c) => `- **${c}**`).join("\n");
+  const categoryDocs = Object.entries(COLLECTIONS_BY_CATEGORY).map(([category, collections]) => {
+    const collectionList = collections.filter((c) => COLLECTIONS6.includes(c)).map((c) => `- **${c}**`).join("\n");
     return `## ${category}
 ${collectionList}`;
   }).join("\n\n");
@@ -3457,6 +3661,9 @@ Each collection supports the following operations:
 - \`updateMany(where, data)\` - Bulk update items matching filter
 - \`removeMany(where)\` - Bulk delete items matching filter
 
+Draft-enabled public collections expose only \`_status: 'published'\` rows to
+publishable-key reads unless server-side access explicitly includes drafts.
+
 ## Query Examples
 
 ### Filtering
@@ -3478,11 +3685,11 @@ Each collection supports the following operations:
 }
 \`\`\`
 
-Total available collections: ${COLLECTIONS11.length}`;
+Total available collections: ${COLLECTIONS6.length}`;
 }
 
 // src/resources/(docs)/getting-started.ts
-var metadata41 = {
+var metadata36 = {
   name: "docs-getting-started",
   title: "Getting Started",
   description: "01.software SDK getting started guide"
@@ -3527,7 +3734,7 @@ const result = await client.collections.from('products').find({
 }
 
 // src/resources/(docs)/guides.ts
-var metadata42 = {
+var metadata37 = {
   name: "docs-guides",
   title: "Guides",
   description: "01.software SDK usage guides"
@@ -3738,7 +3945,7 @@ For more detailed guides, see the [Guides page](/docs/guides).`;
 }
 
 // src/resources/(docs)/api.ts
-var metadata43 = {
+var metadata38 = {
   name: "docs-api",
   title: "API Reference",
   description: "01.software SDK API reference documentation"
@@ -4024,7 +4231,7 @@ For more details, see the [full API documentation](/docs/api).`;
 }
 
 // src/resources/(docs)/query-builder.ts
-var metadata44 = {
+var metadata39 = {
   name: "docs-query-builder",
   title: "Query Builder",
   description: "01.software SDK Query Builder API reference (client.collections.from)"
@@ -4218,7 +4425,7 @@ console.log(result.hasNextPage) // true
 }
 
 // src/resources/(docs)/react-query.ts
-var metadata45 = {
+var metadata40 = {
   name: "docs-react-query",
   title: "React Query Hooks",
   description: "01.software SDK React Query hooks reference (client.query)"
@@ -4466,7 +4673,7 @@ export function ProductList() {
 }
 
 // src/resources/(docs)/server-api.ts
-var metadata46 = {
+var metadata41 = {
   name: "docs-server-api",
   title: "Server-side API",
   description: "01.software SDK server-side API reference (client.commerce) for orders, fulfillments, returns, carts, and validation"
@@ -4607,7 +4814,7 @@ const ret = await client.commerce.orders.updateReturn({
 \`\`\`
 
 ### returnWithRefund()
-Create a return and process refund in one atomic operation.
+Create a return and process a provider-verified refund in one atomic operation.
 
 \`\`\`typescript
 const result = await client.commerce.orders.returnWithRefund({
@@ -4619,6 +4826,7 @@ const result = await client.commerce.orders.returnWithRefund({
   ],
   refundAmount: 29900,
   pgPaymentId: 'toss-payment-id',  // required
+  paymentKey: 'toss-payment-key',  // required for provider refund
   refundReceiptUrl?: 'https://...',
 })
 \`\`\`
@@ -4626,12 +4834,15 @@ const result = await client.commerce.orders.returnWithRefund({
 ## Transaction API
 
 ### updateTransaction()
-Update a transaction status (after PG callback).
+Confirm or annotate a transaction. Paid transitions require provider
+verification; non-financial annotations can still update pending transactions.
 
 \`\`\`typescript
 const tx = await client.commerce.orders.updateTransaction({
   pgPaymentId: 'toss-payment-id',
-  status: 'paid',  // paid | failed | canceled
+  status: 'paid',  // pending | paid | failed | canceled
+  paymentKey: 'toss-payment-key',  // required when status is paid
+  amount: 29900,  // required when status is paid
 })
 \`\`\`
 
@@ -4724,7 +4935,7 @@ const result = await client.commerce.shipping.calculate({
 }
 
 // src/resources/(docs)/customer-auth.ts
-var metadata47 = {
+var metadata42 = {
   name: "docs-customer-auth",
   title: "Customer Auth API",
   description: "01.software SDK Customer Auth API reference (client.customer)"
@@ -4902,7 +5113,7 @@ async function loadProfile() {
 }
 
 // src/resources/(docs)/browser-vs-server.ts
-var metadata48 = {
+var metadata43 = {
   name: "docs-browser-vs-server",
   title: "Client vs ServerClient",
   description: "When to use Client (createClient) vs ServerClient (createServerClient) in the 01.software SDK"
@@ -5061,7 +5272,7 @@ export function ProductList() {
 }
 
 // src/resources/(docs)/file-upload.ts
-var metadata49 = {
+var metadata44 = {
   name: "docs-file-upload",
   title: "File Upload",
   description: "01.software SDK file upload patterns using the images collection"
@@ -5212,7 +5423,7 @@ The platform stores files in Cloudflare R2 and serves via CDN (\`cdn.01.software
 }
 
 // src/resources/(docs)/webhook.ts
-var metadata50 = {
+var metadata45 = {
   name: "docs-webhook",
   title: "Webhooks",
   description: "01.software SDK webhook verification and event handling"
@@ -5326,28 +5537,54 @@ Configure webhook URLs in the 01.software console under Tenant Settings > Webhoo
 }
 
 // src/server.ts
-function registerTool(server, schema39, meta, handler18) {
+var REGISTERED_TOOLS_BY_SERVER = /* @__PURE__ */ new WeakMap();
+function registerTool(server, schema34, meta, handler18) {
+  let registered = REGISTERED_TOOLS_BY_SERVER.get(server);
+  if (!registered) {
+    registered = /* @__PURE__ */ new Set();
+    REGISTERED_TOOLS_BY_SERVER.set(server, registered);
+  }
+  registered.add(meta.name);
   server.registerTool(
     meta.name,
     {
       description: meta.description,
-      inputSchema: schema39,
+      inputSchema: schema34,
       annotations: meta.annotations
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     async (params) => {
+      const ctx = tenantAuthContext();
+      if (ctx) {
+        const decision = evaluateToolPolicy(meta.name, ctx.scopes);
+        if (!decision.allowed) {
+          const status = decision.reason === "insufficient_scope" ? 403 : 500;
+          return {
+            content: [
+              {
+                type: "text",
+                text: toolError({
+                  status,
+                  reason: decision.reason,
+                  message: decision.message
+                })
+              }
+            ]
+          };
+        }
+      }
       const result = await handler18(params);
       return { content: [{ type: "text", text: result }] };
     }
   );
 }
-function registerPrompt(server, schema39, meta, handler18) {
+function registerPrompt(server, schema34, meta, handler18) {
   server.registerPrompt(
     meta.name,
     {
       title: meta.title,
       description: meta.description,
-      argsSchema: schema39
+      argsSchema: schema34
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (params) => ({
@@ -5383,61 +5620,62 @@ function createServer(options = {}) {
   if (toolSurface === "full") {
     registerTool(server, schema, metadata, queryCollection);
     registerTool(server, schema2, metadata2, getCollectionById);
-    registerTool(server, schema3, metadata3, createCollection);
-    registerTool(server, schema4, metadata4, updateCollection);
-    registerTool(server, schema5, metadata5, deleteCollection);
-    registerTool(server, schema6, metadata6, deleteManyCollection);
-    registerTool(server, schema7, metadata7, updateManyCollection);
-    registerTool(server, schema8, metadata8, getOrder);
-    registerTool(server, schema9, metadata9, createOrder);
-    registerTool(server, schema10, metadata10, updateOrder);
-    registerTool(server, schema11, metadata11, checkout);
-    registerTool(server, schema12, metadata12, createFulfillment);
-    registerTool(server, schema13, metadata13, updateFulfillment);
-    registerTool(server, schema14, metadata14, updateTransaction);
-    registerTool(server, schema15, metadata15, createReturn);
-    registerTool(server, schema16, metadata16, updateReturn);
-    registerTool(server, schema17, metadata17, returnWithRefund);
-    registerTool(server, schema18, metadata18, addCartItem);
-    registerTool(server, schema19, metadata19, updateCartItem);
-    registerTool(server, schema20, metadata20, removeCartItem);
-    registerTool(server, schema21, metadata21, applyDiscount);
-    registerTool(server, schema22, metadata22, removeDiscount);
-    registerTool(server, schema23, metadata23, clearCart);
-    registerTool(server, schema24, metadata24, validateDiscount);
-    registerTool(server, schema25, metadata25, calculateShipping);
-    registerTool(server, schema26, metadata26, stockCheck);
+    registerTool(server, schema3, metadata3, getOrder);
+    registerTool(server, schema4, metadata4, createOrder);
+    registerTool(server, schema5, metadata5, updateOrder);
+    registerTool(server, schema6, metadata6, checkout);
+    registerTool(server, schema7, metadata7, createFulfillment);
+    registerTool(server, schema8, metadata8, updateFulfillment);
+    registerTool(server, schema9, metadata9, updateTransaction);
+    registerTool(server, schema10, metadata10, createReturn);
+    registerTool(server, schema11, metadata11, updateReturn);
+    registerTool(server, schema12, metadata12, returnWithRefund);
+    registerTool(server, schema13, metadata13, addCartItem);
+    registerTool(server, schema14, metadata14, updateCartItem);
+    registerTool(server, schema15, metadata15, removeCartItem);
+    registerTool(server, schema16, metadata16, applyDiscount);
+    registerTool(server, schema17, metadata17, removeDiscount);
+    registerTool(server, schema18, metadata18, clearCart);
+    registerTool(server, schema19, metadata19, validateDiscount);
+    registerTool(server, schema20, metadata20, calculateShipping);
+    registerTool(server, schema21, metadata21, stockCheck);
   }
-  registerTool(server, schema27, metadata27, getCollectionSchemaTool);
-  registerTool(server, schema28, metadata28, handler);
-  registerTool(server, schema29, metadata29, listConfigurableFields);
-  registerTool(server, schema30, metadata30, updateFieldConfig);
-  registerTool(server, schema31, metadata31, handler2);
-  registerTool(server, schema32, metadata32, handler3);
-  registerTool(server, schema33, metadata33, handler4);
-  registerTool(server, schema34, metadata34, handler5);
-  registerPrompt(server, schema35, metadata35, sdkUsageGuide);
-  registerPrompt(server, schema36, metadata36, collectionQueryHelp);
-  registerPrompt(server, schema37, metadata37, orderFlowGuide);
-  registerPrompt(server, schema38, metadata38, featureSetupGuide);
-  registerStaticResource(server, "config://app", metadata39, handler6);
-  registerStaticResource(server, "collections://schema", metadata40, handler7);
-  registerStaticResource(server, "docs://sdk/getting-started", metadata41, handler8);
-  registerStaticResource(server, "docs://sdk/guides", metadata42, handler9);
-  registerStaticResource(server, "docs://sdk/api", metadata43, handler10);
-  registerStaticResource(server, "docs://sdk/query-builder", metadata44, handler11);
-  registerStaticResource(server, "docs://sdk/react-query", metadata45, handler12);
-  registerStaticResource(server, "docs://sdk/server-api", metadata46, handler13);
-  registerStaticResource(server, "docs://sdk/customer-auth", metadata47, handler14);
-  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata48, handler15);
-  registerStaticResource(server, "docs://sdk/file-upload", metadata49, handler16);
-  registerStaticResource(server, "docs://sdk/webhook", metadata50, handler17);
+  registerTool(server, schema22, metadata22, getCollectionSchemaTool);
+  registerTool(server, schema23, metadata23, handler);
+  registerTool(server, schema24, metadata24, listConfigurableFields);
+  registerTool(server, schema25, metadata25, updateFieldConfig);
+  registerTool(server, schema26, metadata26, handler2);
+  registerTool(server, schema27, metadata27, handler3);
+  registerTool(server, schema28, metadata28, handler4);
+  registerTool(server, schema29, metadata29, handler5);
+  registerPrompt(server, schema30, metadata30, sdkUsageGuide);
+  registerPrompt(server, schema31, metadata31, collectionQueryHelp);
+  registerPrompt(server, schema32, metadata32, orderFlowGuide);
+  registerPrompt(server, schema33, metadata33, featureSetupGuide);
+  registerStaticResource(server, "config://app", metadata34, handler6);
+  registerStaticResource(server, "collections://schema", metadata35, handler7);
+  registerStaticResource(server, "docs://sdk/getting-started", metadata36, handler8);
+  registerStaticResource(server, "docs://sdk/guides", metadata37, handler9);
+  registerStaticResource(server, "docs://sdk/api", metadata38, handler10);
+  registerStaticResource(server, "docs://sdk/query-builder", metadata39, handler11);
+  registerStaticResource(server, "docs://sdk/react-query", metadata40, handler12);
+  registerStaticResource(server, "docs://sdk/server-api", metadata41, handler13);
+  registerStaticResource(server, "docs://sdk/customer-auth", metadata42, handler14);
+  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata43, handler15);
+  registerStaticResource(server, "docs://sdk/file-upload", metadata44, handler16);
+  registerStaticResource(server, "docs://sdk/webhook", metadata45, handler17);
   return server;
 }
 
 export {
+  MCP_RESOURCE_AUDIENCE,
+  MCP_OAUTH_ISSUER,
+  MCP_PROTECTED_RESOURCE_METADATA_PATH,
+  MCP_TENANT_CLAIM,
+  MCP_TENANT_ROLE_CLAIM,
+  MCP_SCOPES,
   requestContext,
   mcpServicePublicJwks,
   createServer
 };
-//# sourceMappingURL=chunk-45ZCPS57.js.map
+//# sourceMappingURL=chunk-GJOQ4SE2.js.map