@01.software/cli 0.9.0 → 0.10.0

package/dist/mcp/vercel.js

@@ -91,6 +91,285 @@ function parseJsonWhere(where) {
   }
 }
 
+// ../../packages/contracts/src/tenant/index.ts
+import { z } from "zod";
+var tenantFieldConfigStateSchema = z.object({
+  hiddenFields: z.array(z.string()),
+  isHidden: z.boolean()
+}).strict();
+var tenantContextQuerySchema = z.object({
+  counts: z.literal("true").optional()
+}).strict();
+var tenantContextToolInputSchema = z.object({
+  includeCounts: z.boolean().optional().default(false).describe(
+    "Include per-collection document counts and config status (bypasses cache, slower)"
+  )
+}).strict();
+var tenantContextResponseSchema = z.object({
+  tenant: z.object({
+    id: z.string(),
+    name: z.string(),
+    plan: z.string(),
+    planSource: z.string().optional(),
+    authoritative: z.boolean().optional(),
+    capabilityVersion: z.string().optional()
+  }).strict(),
+  features: z.array(z.string()),
+  collections: z.object({
+    active: z.array(z.string()),
+    inactive: z.array(z.string())
+  }).strict(),
+  fieldConfigs: z.record(z.string(), tenantFieldConfigStateSchema),
+  counts: z.record(z.string(), z.number()).optional(),
+  config: z.object({
+    webhookConfigured: z.boolean()
+  }).strict().optional()
+}).strict();
+var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
+var collectionSchemaEndpointParamsSchema = z.object({
+  collectionSlug: z.string().min(1, "collectionSlug is required")
+}).strict();
+function createCollectionSchemaToolInputSchema(collections) {
+  return z.object({
+    collection: z.enum(collections).describe("Collection name (required)")
+  }).strict();
+}
+var collectionFieldOptionSchema = z.object({
+  label: z.string(),
+  value: z.string()
+}).strict();
+var collectionFieldSchema = z.lazy(
+  () => z.object({
+    name: z.string(),
+    path: z.string(),
+    type: z.string(),
+    required: z.literal(true).optional(),
+    unique: z.literal(true).optional(),
+    hasMany: z.literal(true).optional(),
+    relationTo: z.union([z.string(), z.array(z.string())]).optional(),
+    options: z.array(collectionFieldOptionSchema).optional(),
+    hidden: z.literal(true).optional(),
+    systemManaged: z.literal(true).optional(),
+    writable: z.boolean().optional(),
+    fields: z.array(collectionFieldSchema).optional()
+  }).strict()
+);
+var collectionSchemaResponseSchema = z.object({
+  contractVersion: z.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
+  mode: z.literal("effective"),
+  collection: z.object({
+    slug: z.string(),
+    timestamps: z.boolean(),
+    alwaysActive: z.boolean(),
+    feature: z.string().nullable(),
+    systemFields: z.array(z.string()),
+    visibility: z.object({
+      collectionHidden: z.boolean(),
+      hiddenFields: z.array(z.string())
+    }).strict(),
+    fields: z.array(collectionFieldSchema)
+  }).strict()
+}).strict();
+
+// ../../packages/contracts/src/ecommerce/index.ts
+import { z as z2 } from "zod";
+var transactionStatusSchema = z2.enum([
+  "pending",
+  "paid",
+  "failed",
+  "canceled"
+]);
+var updateTransactionSchema = z2.object({
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
+  status: transactionStatusSchema.describe(
+    "New transaction status (required)"
+  ),
+  paymentMethod: z2.string().optional().describe("Payment method (optional)"),
+  receiptUrl: z2.string().optional().describe("Receipt URL (optional)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
+  amount: z2.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
+}).strict();
+var UpdateTransactionSchema = updateTransactionSchema;
+var returnReasonSchema = z2.enum([
+  "change_of_mind",
+  "defective",
+  "wrong_delivery",
+  "damaged",
+  "other"
+]);
+var restockActionSchema = z2.enum(["return_to_stock", "discard"]);
+var returnWithRefundItemSchema = z2.object({
+  orderItem: z2.union([z2.string(), z2.number()]).transform(String),
+  quantity: z2.number().int().positive("quantity must be a positive integer"),
+  restockAction: restockActionSchema.default("return_to_stock")
+}).strict();
+var returnWithRefundSchema = z2.object({
+  orderNumber: z2.string().min(1, "orderNumber is required").describe("Order number (required)"),
+  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
+  reasonDetail: z2.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z2.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
+  refundAmount: z2.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified refund"),
+  refundReceiptUrl: z2.string().optional().describe("Refund receipt URL (optional)")
+}).strict();
+var ReturnWithRefundSchema = returnWithRefundSchema;
+
+// ../../packages/contracts/src/mcp/index.ts
+var MCP_TOOL_CONTRACT = {
+  "query-collection": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-by-id": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-order": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "stock-check": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "validate-discount": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "calculate-shipping": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-schema": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "list-configurable-fields": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-tenant-context": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "add-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "clear-cart": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "apply-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  checkout: {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "return-with-refund": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-transaction": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-field-config": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "sdk-get-recipe": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-search-docs": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-auth-setup": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-collection-pattern": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  }
+};
+var MCP_TOOL_NAMES = Object.keys(
+  MCP_TOOL_CONTRACT
+);
+function isMcpToolName(toolName) {
+  return Object.prototype.hasOwnProperty.call(MCP_TOOL_CONTRACT, toolName);
+}
+
 // src/tool-policy.ts
 var READ_ONLY_ANNOTATION = {
   readOnly: true,
@@ -347,14 +626,14 @@ var TOOL_POLICY_MANIFEST = {
   }
 };
 function evaluateToolPolicy(toolName, scopes) {
-  const entry = TOOL_POLICY_MANIFEST[toolName];
-  if (!entry) {
+  if (!isMcpToolName(toolName)) {
     return {
       allowed: false,
       reason: "tool_policy_missing",
       message: `No tool-policy entry for ${toolName}`
     };
   }
+  const entry = TOOL_POLICY_MANIFEST[toolName];
   if (!scopes.includes(entry.oauthScope)) {
     return {
       allowed: false,
@@ -365,17 +644,12 @@ function evaluateToolPolicy(toolName, scopes) {
   return { allowed: true, entry };
 }
 
-// src/tools/query-collection.ts
-import { z } from "zod";
+// src/lib/mcp-telemetry.ts
+import { AsyncLocalStorage as AsyncLocalStorage2 } from "async_hooks";
+import { randomUUID as randomUUID2 } from "crypto";
 
-// src/lib/client.ts
-import {
-  CollectionClient,
-  CommunityClient,
-  ModerationApi,
-  ServerCommerceClient,
-  createServerClient
-} from "@01.software/sdk";
+// src/lib/console-api.ts
+import { createHash } from "crypto";
 
 // src/service-auth.ts
 import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
@@ -504,43 +778,209 @@ function signMcpServiceToken(context) {
   return `${signingInput}.${signature.toString("base64url")}`;
 }
 
-// src/lib/client.ts
+// src/lib/console-api.ts
+var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
+var TIMEOUT_MS = 5e3;
 var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function getClient() {
+function resolveAuthHeaderContext() {
   const oauthContext = tenantAuthContext();
   if (oauthContext) {
-    const serviceToken = signMcpServiceToken(oauthContext);
-    const client = {
-      lastRequestId: null,
-      commerce: void 0,
-      collections: void 0,
-      community: void 0
-    };
-    const onRequestId = (id) => {
-      client.lastRequestId = id;
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-    client.commerce = new ServerCommerceClient({
-      secretKey: serviceToken,
-      onRequestId
-    });
-    client.collections = new CollectionClient(
-      "",
-      serviceToken,
-      void 0,
-      void 0,
-      onRequestId
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+  return {
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+  };
+}
+function resolveApiKey() {
+  const { apiKey } = resolveAuthHeaderContext();
+  if (!apiKey || typeof apiKey !== "string") {
+    throw new Error(
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
-    const community = new CommunityClient({ secretKey: serviceToken });
-    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
-    client.community = Object.assign(community, {
-      moderation: {
-        banCustomer: moderation.banCustomer.bind(moderation),
-        unbanCustomer: moderation.unbanCustomer.bind(moderation)
-      }
+  }
+  return apiKey;
+}
+function buildAuthHeaders(apiKey) {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
+    Authorization: `Bearer ${apiKey}`
+  };
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
+  }
+  return headers;
+}
+function extractErrorMessage(body) {
+  if (!body || typeof body !== "object") return void 0;
+  const b = body;
+  if (typeof b.error === "string") return b.error;
+  if (Array.isArray(b.errors) && b.errors[0]?.message) {
+    return String(b.errors[0].message);
+  }
+  if (typeof b.message === "string") return b.message;
+  return void 0;
+}
+async function consoleGet(path, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      headers: authHeaders,
+      signal: controller.signal
     });
-    return client;
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(body);
+      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
   }
-  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+}
+async function consolePost(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function consolePostTelemetry(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
+    }
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+
+// src/lib/mcp-telemetry.ts
+var TELEMETRY_ENDPOINT = "/api/tenants/mcp-telemetry";
+var FLUSH_TIMEOUT_MS = 1500;
+var telemetryContext = new AsyncLocalStorage2();
+function createMcpTelemetrySummary(transport) {
+  return {
+    sessionId: randomUUID2(),
+    startedAtMs: Date.now(),
+    successfulWriteCount: 0,
+    toolCallCount: 0,
+    toolCounts: /* @__PURE__ */ new Map(),
+    transport
+  };
+}
+function currentMcpTelemetrySummary() {
+  return telemetryContext.getStore();
+}
+function runWithMcpTelemetry(summary, fn) {
+  return telemetryContext.run(summary, fn);
+}
+function recordMcpToolResult(params) {
+  if (!isMcpToolName(params.toolName)) return;
+  const toolName = params.toolName;
+  params.summary.toolCallCount += 1;
+  params.summary.toolCounts.set(
+    toolName,
+    (params.summary.toolCounts.get(toolName) ?? 0) + 1
+  );
+  if (!MCP_TOOL_CONTRACT[toolName].readOnly && toolResultSucceeded(params.resultText)) {
+    params.summary.successfulWriteCount += 1;
+  }
+}
+function toMcpTelemetryBody(summary) {
+  if (summary.toolCallCount <= 0) return null;
+  const durationMs = summary.transport === "http" ? Math.max(0, summary.durationMs ?? Date.now() - summary.startedAtMs) : void 0;
+  return {
+    converted: summary.successfulWriteCount > 0,
+    ...durationMs !== void 0 ? { durationMs } : {},
+    sessionId: summary.sessionId,
+    successfulWriteCount: summary.successfulWriteCount,
+    toolCallCount: summary.toolCallCount,
+    toolCounts: Object.fromEntries(summary.toolCounts),
+    transport: summary.transport
+  };
+}
+async function flushMcpTelemetrySummary(summary) {
+  const body = toMcpTelemetryBody(summary);
+  if (!body) return;
+  await swallow(
+    withTimeout(async () => {
+      const apiKey = resolveApiKey();
+      await consolePostTelemetry(TELEMETRY_ENDPOINT, body, apiKey);
+    }, FLUSH_TIMEOUT_MS)
+  );
+}
+function toolResultSucceeded(resultText) {
+  if (!resultText) return false;
+  try {
+    const parsed = JSON.parse(resultText);
+    return parsed.success === true;
+  } catch {
+    return false;
+  }
+}
+async function withTimeout(fn, timeoutMs) {
+  let timer;
+  await Promise.race([
+    fn(),
+    new Promise((resolve) => {
+      timer = setTimeout(resolve, timeoutMs);
+    })
+  ]);
+  if (timer) clearTimeout(timer);
+}
+async function swallow(promise) {
+  try {
+    await promise;
+  } catch {
+  }
+}
+
+// src/tools/query-collection.ts
+import { z as z3 } from "zod";
+
+// src/lib/client.ts
+import { createServerClient } from "@01.software/sdk";
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+var HTTP_OAUTH_SDK_CLIENT_ERROR = "MCP HTTP OAuth requests cannot use SDK-backed tools. Use reviewed Console service endpoints for OAuth transport.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    throw new Error(HTTP_OAUTH_SDK_CLIENT_ERROR);
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
   const secretKey = process.env.SOFTWARE_SECRET_KEY;
   const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
   if (!secretKey) {
@@ -563,15 +1003,18 @@ function getClient() {
 }
 
 // src/tools/query-collection.ts
-import { COLLECTIONS } from "@01.software/sdk";
+import { SERVER_COLLECTIONS } from "@01.software/sdk";
 var schema = {
-  collection: z.enum(COLLECTIONS).describe("Collection name (required)"),
-  where: z.string().optional().describe(
+  collection: z3.enum(SERVER_COLLECTIONS).describe("Collection name (required)"),
+  where: z3.string().optional().describe(
     `Filter conditions (JSON string, optional). Pass the Payload query condition object as a JSON string. Example: '{"title":{"equals":"Product name"}}'`
   ),
-  limit: z.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
-  page: z.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
-  sort: z.string().regex(/^-?[a-zA-Z0-9_.]+$/, 'Sort must be a field name, optionally prefixed with "-" for descending').optional().describe(
+  limit: z3.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
+  page: z3.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
+  sort: z3.string().regex(
+    /^-?[a-zA-Z0-9_.]+$/,
+    'Sort must be a field name, optionally prefixed with "-" for descending'
+  ).optional().describe(
     'Sort field (optional). Use "fieldName" for ascending or "-fieldName" for descending. Example: "createdAt" or "-createdAt"'
   )
 };
@@ -625,11 +1068,11 @@ async function queryCollection({
 }
 
 // src/tools/get-collection-by-id.ts
-import { z as z2 } from "zod";
-import { COLLECTIONS as COLLECTIONS2 } from "@01.software/sdk";
+import { z as z4 } from "zod";
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS2 } from "@01.software/sdk";
 var schema2 = {
-  collection: z2.enum(COLLECTIONS2).describe("Collection name (required)"),
-  id: z2.string().min(1).describe("Item ID (required)")
+  collection: z4.enum(SERVER_COLLECTIONS2).describe("Collection name (required)"),
+  id: z4.string().min(1).describe("Item ID (required)")
 };
 var metadata2 = {
   name: "get-collection-by-id",
@@ -655,9 +1098,9 @@ async function getCollectionById({
 }
 
 // src/tools/get-order.ts
-import { z as z3 } from "zod";
+import { z as z5 } from "zod";
 var schema3 = {
-  orderNumber: z3.string().min(1).describe("Order number to look up (required)")
+  orderNumber: z5.string().min(1).describe("Order number to look up (required)")
 };
 var metadata3 = {
   name: "get-order",
@@ -687,24 +1130,24 @@ async function getOrder({
 }
 
 // src/tools/create-order.ts
-import { z as z4 } from "zod";
+import { z as z6 } from "zod";
 var schema4 = {
-  pgPaymentId: z4.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z4.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z4.object({
-    name: z4.string().optional().describe("Customer name"),
-    email: z4.string().describe("Customer email (required)"),
-    phone: z4.string().optional().describe("Customer phone")
+  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z6.object({
+    name: z6.string().optional().describe("Customer name"),
+    email: z6.string().describe("Customer email (required)"),
+    phone: z6.string().optional().describe("Customer phone")
   }).describe("Customer snapshot at time of order (required)"),
-  shippingAddress: z4.record(z4.string(), z4.unknown()).describe(
+  shippingAddress: z6.record(z6.string(), z6.unknown()).describe(
     "Shipping address object (required). Fields: postalCode, address1, address2, deliveryMessage, recipientName, phone"
   ),
-  orderItems: z4.array(z4.record(z4.string(), z4.unknown())).describe(
+  orderItems: z6.array(z6.record(z6.string(), z6.unknown())).describe(
     "Array of order item objects (required). Each: { product, variant, option, quantity, unitPrice?, totalPrice? }"
   ),
-  totalAmount: z4.number().nonnegative().describe("Total order amount (required, min 0)"),
-  shippingAmount: z4.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
-  discountCode: z4.string().optional().describe("Discount code to apply (optional)")
+  totalAmount: z6.number().nonnegative().describe("Total order amount (required, min 0)"),
+  shippingAmount: z6.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
+  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
 };
 var metadata4 = {
   name: "create-order",
@@ -729,10 +1172,10 @@ async function createOrder(params) {
 }
 
 // src/tools/update-order.ts
-import { z as z5 } from "zod";
+import { z as z7 } from "zod";
 var schema5 = {
-  orderNumber: z5.string().min(1).describe("Order number (required)"),
-  status: z5.enum([
+  orderNumber: z7.string().min(1).describe("Order number (required)"),
+  status: z7.enum([
     "pending",
     "paid",
     "failed",
@@ -769,15 +1212,15 @@ async function updateOrder({
 }
 
 // src/tools/checkout.ts
-import { z as z6 } from "zod";
+import { z as z8 } from "zod";
 var schema6 = {
-  cartId: z6.string().min(1).describe("Cart ID to convert to order (required)"),
-  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z6.record(z6.string(), z6.unknown()).describe(
+  cartId: z8.string().min(1).describe("Cart ID to convert to order (required)"),
+  pgPaymentId: z8.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z8.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z8.record(z8.string(), z8.unknown()).describe(
     "Customer snapshot object (required). Fields: { name?, email, phone? }"
   ),
-  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
+  discountCode: z8.string().optional().describe("Discount code to apply (optional)")
 };
 var metadata6 = {
   name: "checkout",
@@ -802,17 +1245,17 @@ async function checkout(params) {
 }
 
 // src/tools/create-fulfillment.ts
-import { z as z7 } from "zod";
+import { z as z9 } from "zod";
 var schema7 = {
-  orderNumber: z7.string().min(1).describe("Order number (required)"),
-  carrier: z7.string().optional().describe("Shipping carrier name (optional)"),
-  trackingNumber: z7.string().optional().describe(
+  orderNumber: z9.string().min(1).describe("Order number (required)"),
+  carrier: z9.string().optional().describe("Shipping carrier name (optional)"),
+  trackingNumber: z9.string().optional().describe(
     'Tracking number (optional). Setting carrier + tracking triggers "shipped" status'
   ),
-  items: z7.array(
-    z7.object({
-      orderItem: z7.string().min(1).describe("Order item ID"),
-      quantity: z7.number().int().positive().describe("Quantity to fulfill")
+  items: z9.array(
+    z9.object({
+      orderItem: z9.string().min(1).describe("Order item ID"),
+      quantity: z9.number().int().positive().describe("Quantity to fulfill")
     })
   ).describe("Array of items to fulfill (required)")
 };
@@ -847,16 +1290,16 @@ async function createFulfillment({
 }
 
 // src/tools/update-fulfillment.ts
-import { z as z8 } from "zod";
+import { z as z10 } from "zod";
 var schema8 = {
-  fulfillmentId: z8.string().min(1).describe("Fulfillment ID (required)"),
-  status: z8.enum(["packed", "shipped", "delivered", "failed"]).describe(
+  fulfillmentId: z10.string().min(1).describe("Fulfillment ID (required)"),
+  status: z10.enum(["packed", "shipped", "delivered", "failed"]).describe(
     "New fulfillment status (required). FSM: pending\u2192packed/shipped/failed, packed\u2192shipped/failed, shipped\u2192delivered/failed"
   ),
-  carrier: z8.string().optional().describe(
+  carrier: z10.string().optional().describe(
     "Shipping carrier (optional, changeable only in pending/packed status)"
   ),
-  trackingNumber: z8.string().optional().describe(
+  trackingNumber: z10.string().optional().describe(
     "Tracking number (optional, changeable only in pending/packed status)"
   )
 };
@@ -890,131 +1333,6 @@ async function updateFulfillment({
   }
 }
 
-// ../../packages/contracts/src/tenant/index.ts
-import { z as z9 } from "zod";
-var tenantFieldConfigStateSchema = z9.object({
-  hiddenFields: z9.array(z9.string()),
-  isHidden: z9.boolean()
-}).strict();
-var tenantContextQuerySchema = z9.object({
-  counts: z9.literal("true").optional()
-}).strict();
-var tenantContextToolInputSchema = z9.object({
-  includeCounts: z9.boolean().optional().default(false).describe(
-    "Include per-collection document counts and config status (bypasses cache, slower)"
-  )
-}).strict();
-var tenantContextResponseSchema = z9.object({
-  tenant: z9.object({
-    id: z9.string(),
-    name: z9.string(),
-    plan: z9.string(),
-    planSource: z9.string().optional(),
-    authoritative: z9.boolean().optional(),
-    capabilityVersion: z9.string().optional(),
-    isDevMode: z9.boolean()
-  }).strict(),
-  features: z9.array(z9.string()),
-  collections: z9.object({
-    active: z9.array(z9.string()),
-    inactive: z9.array(z9.string())
-  }).strict(),
-  fieldConfigs: z9.record(z9.string(), tenantFieldConfigStateSchema),
-  counts: z9.record(z9.string(), z9.number()).optional(),
-  config: z9.object({
-    webhookConfigured: z9.boolean()
-  }).strict().optional()
-}).strict();
-var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
-var collectionSchemaEndpointParamsSchema = z9.object({
-  collectionSlug: z9.string().min(1, "collectionSlug is required")
-}).strict();
-function createCollectionSchemaToolInputSchema(collections) {
-  return z9.object({
-    collection: z9.enum(collections).describe("Collection name (required)")
-  }).strict();
-}
-var collectionFieldOptionSchema = z9.object({
-  label: z9.string(),
-  value: z9.string()
-}).strict();
-var collectionFieldSchema = z9.lazy(
-  () => z9.object({
-    name: z9.string(),
-    path: z9.string(),
-    type: z9.string(),
-    required: z9.literal(true).optional(),
-    unique: z9.literal(true).optional(),
-    hasMany: z9.literal(true).optional(),
-    relationTo: z9.union([z9.string(), z9.array(z9.string())]).optional(),
-    options: z9.array(collectionFieldOptionSchema).optional(),
-    hidden: z9.literal(true).optional(),
-    systemManaged: z9.literal(true).optional(),
-    writable: z9.boolean().optional(),
-    fields: z9.array(collectionFieldSchema).optional()
-  }).strict()
-);
-var collectionSchemaResponseSchema = z9.object({
-  contractVersion: z9.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
-  mode: z9.literal("effective"),
-  collection: z9.object({
-    slug: z9.string(),
-    timestamps: z9.boolean(),
-    alwaysActive: z9.boolean(),
-    feature: z9.string().nullable(),
-    systemFields: z9.array(z9.string()),
-    visibility: z9.object({
-      collectionHidden: z9.boolean(),
-      hiddenFields: z9.array(z9.string())
-    }).strict(),
-    fields: z9.array(collectionFieldSchema)
-  }).strict()
-}).strict();
-
-// ../../packages/contracts/src/ecommerce/index.ts
-import { z as z10 } from "zod";
-var transactionStatusSchema = z10.enum([
-  "pending",
-  "paid",
-  "failed",
-  "canceled"
-]);
-var updateTransactionSchema = z10.object({
-  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
-  status: transactionStatusSchema.describe(
-    "New transaction status (required)"
-  ),
-  paymentMethod: z10.string().optional().describe("Payment method (optional)"),
-  receiptUrl: z10.string().optional().describe("Receipt URL (optional)"),
-  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
-  amount: z10.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
-}).strict();
-var UpdateTransactionSchema = updateTransactionSchema;
-var returnReasonSchema = z10.enum([
-  "change_of_mind",
-  "defective",
-  "wrong_delivery",
-  "damaged",
-  "other"
-]);
-var restockActionSchema = z10.enum(["return_to_stock", "discard"]);
-var returnWithRefundItemSchema = z10.object({
-  orderItem: z10.union([z10.string(), z10.number()]).transform(String),
-  quantity: z10.number().int().positive("quantity must be a positive integer"),
-  restockAction: restockActionSchema.default("return_to_stock")
-}).strict();
-var returnWithRefundSchema = z10.object({
-  orderNumber: z10.string().min(1, "orderNumber is required").describe("Order number (required)"),
-  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
-  reasonDetail: z10.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z10.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
-  refundAmount: z10.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
-  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
-  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified refund"),
-  refundReceiptUrl: z10.string().optional().describe("Refund receipt URL (optional)")
-}).strict();
-var ReturnWithRefundSchema = returnWithRefundSchema;
-
 // src/tools/update-transaction.ts
 var schema9 = UpdateTransactionSchema.shape;
 var metadata9 = {
@@ -1452,97 +1770,7 @@ async function stockCheck({
 }
 
 // src/tools/get-collection-schema.ts
-import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
-
-// src/lib/console-api.ts
-import { createHash } from "crypto";
-var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
-var TIMEOUT_MS = 5e3;
-var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function resolveAuthHeaderContext() {
-  const oauthContext = tenantAuthContext();
-  if (oauthContext) {
-    return {
-      apiKey: signMcpServiceToken(oauthContext),
-      mode: "oauth"
-    };
-  }
-  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
-  return {
-    apiKey: process.env.SOFTWARE_SECRET_KEY,
-    mode: "stdio",
-    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
-  };
-}
-function resolveApiKey() {
-  const { apiKey } = resolveAuthHeaderContext();
-  if (!apiKey || typeof apiKey !== "string") {
-    throw new Error(
-      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
-    );
-  }
-  return apiKey;
-}
-function buildAuthHeaders(apiKey) {
-  const { mode, publishableKey } = resolveAuthHeaderContext();
-  const headers = {
-    Authorization: `Bearer ${apiKey}`
-  };
-  if (mode === "stdio" && publishableKey) {
-    headers["X-Publishable-Key"] = publishableKey;
-  }
-  return headers;
-}
-function extractErrorMessage(body) {
-  if (!body || typeof body !== "object") return void 0;
-  const b = body;
-  if (typeof b.error === "string") return b.error;
-  if (Array.isArray(b.errors) && b.errors[0]?.message) {
-    return String(b.errors[0].message);
-  }
-  if (typeof b.message === "string") return b.message;
-  return void 0;
-}
-async function consoleGet(path, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
-  try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      headers: authHeaders,
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const body = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(body);
-      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function consolePost(path, body, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
-  try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      method: "POST",
-      headers: { ...authHeaders, "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const errBody = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(errBody);
-      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS3 } from "@01.software/sdk";
 
 // src/lib/collection-schema.ts
 async function getCollectionSchema(collection) {
@@ -1555,7 +1783,7 @@ async function getCollectionSchema(collection) {
 }
 
 // src/tools/get-collection-schema.ts
-var schema22 = createCollectionSchemaToolInputSchema(COLLECTIONS3).shape;
+var schema22 = createCollectionSchemaToolInputSchema(SERVER_COLLECTIONS3).shape;
 var metadata22 = {
   name: "get-collection-schema",
   description: "Get the authoritative tenant-aware collection schema from console. Use this before create/update to understand writable fields, hidden fields, required metadata, and collection-level visibility.",
@@ -2275,7 +2503,7 @@ var docIndex = [
   {
     title: "Browser Client vs Server Client",
     keywords: ["browser", "server", "publishable key", "secret key", "createClient", "createServerClient", "NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY", "pk01_", "sk01_", "pat01_", "read-only", "full crud"],
-    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in browser-auth-scoped flows). Never expose SECRET_KEY to the browser.",
+    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with matching SOFTWARE_PUBLISHABLE_KEY + SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in scoped flows). Never expose SECRET_KEY to the browser.",
     resourceUri: "docs://sdk/getting-started"
   },
   // Query Builder
@@ -2641,9 +2869,9 @@ function handler4({
 
 // src/tools/sdk-get-collection-pattern.ts
 import { z as z27 } from "zod";
-import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
+import { COLLECTIONS, SERVER_COLLECTIONS as SERVER_COLLECTIONS4 } from "@01.software/sdk";
 var schema29 = {
-  collection: z27.enum(COLLECTIONS4).describe("Collection name"),
+  collection: z27.enum(SERVER_COLLECTIONS4).describe("Collection name"),
   operation: z27.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
   surface: z27.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
 };
@@ -2658,7 +2886,15 @@ var metadata29 = {
   }
 };
 function generatePattern(collection, operation, surface) {
+  const isPublicCollection = COLLECTIONS.includes(
+    collection
+  );
   if (surface === "react-query") {
+    if (!isPublicCollection) {
+      throw new Error(
+        `${collection} is server-only. Use surface="server-api" with createServerClient().`
+      );
+    }
     const parts2 = [];
     if (operation === "read") {
       parts2.push(
@@ -2770,17 +3006,29 @@ function generatePattern(collection, operation, surface) {
   }
   const parts = [];
   if (operation === "read" || operation === "full-crud") {
-    parts.push(
-      `// Read with any client (Client or ServerClient)`,
-      `const result = await client.collections.from('${collection}').find({`,
-      `  where: { status: { equals: 'published' } },`,
-      `  limit: 10,`,
-      `  sort: '-createdAt'`,
-      `})`,
-      ``,
-      `const item = await client.collections.from('${collection}').findById(id)`,
-      `const { totalDocs } = await client.collections.from('${collection}').count()`
-    );
+    if (isPublicCollection) {
+      parts.push(
+        `// Read with any client (Client or ServerClient)`,
+        `const result = await client.collections.from('${collection}').find({`,
+        `  where: { status: { equals: 'published' } },`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await client.collections.from('${collection}').findById(id)`,
+        `const { totalDocs } = await client.collections.from('${collection}').count()`
+      );
+    } else {
+      parts.push(
+        `// Server-only collection: use ServerClient`,
+        `const result = await serverClient.collections.from('${collection}').find({`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await serverClient.collections.from('${collection}').findById(id)`
+      );
+    }
   }
   if (operation === "write" || operation === "full-crud") {
     parts.push(
@@ -2795,6 +3043,7 @@ function generatePattern(collection, operation, surface) {
     code: parts.join("\n"),
     notes: [
       "Query Builder works with both Client and ServerClient for reads",
+      !isPublicCollection ? "This collection is server-only" : "",
       operation !== "read" ? "Write operations require ServerClient" : ""
     ].filter(Boolean)
   };
@@ -2972,9 +3221,9 @@ You can perform the "${goal}" task by following the patterns above.`;
 
 // src/prompts/collection-query-help.ts
 import { z as z29 } from "zod";
-import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
+import { COLLECTIONS as COLLECTIONS2, SERVER_COLLECTIONS as SERVER_COLLECTIONS5 } from "@01.software/sdk";
 var schema31 = {
-  collection: z29.enum(COLLECTIONS5).describe("Collection name"),
+  collection: z29.enum(SERVER_COLLECTIONS5).describe("Collection name"),
   operation: z29.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
   filters: z29.string().optional().describe("Filter conditions (JSON string, optional)")
 };
@@ -2995,6 +3244,11 @@ Filter conditions:
 \`\`\`json
 ${filters}
 \`\`\`` : "";
+  const isPublicCollection = COLLECTIONS2.includes(
+    collection
+  );
+  const readClientName = isPublicCollection ? "client" : "serverClient";
+  const readClientNote = isPublicCollection ? "Client or ServerClient" : "ServerClient only";
   return `How to perform "${operation}" operation on "${collection}" collection:${filterExample}
 
 ## Collection: ${collection}
@@ -3005,26 +3259,26 @@ ${filters}
 \`\`\`typescript
 import { createClient, createServerClient } from '@01.software/sdk'
 
-// Client (read-only)
+// Client (read-only public collections)
 const client = createClient({
   publishableKey: process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY!
 })
 
-// Server client (full CRUD)
+// Server client (server/public collections, full CRUD)
 const serverClient = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
   secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
 
-${operation === "find" ? `// Query ${collection} collection with Query Builder
+${operation === "find" ? `// Query ${collection} collection with Query Builder (${readClientNote})
 // find() returns PayloadFindResponse with docs array and pagination
-const result = await client.collections.from('${collection}').find(${filters ? `{
+const result = await ${readClientName}.collections.from('${collection}').find(${filters ? `{
   where: ${filters}
 }` : ""})
 // result.docs - array of items
 // result.totalDocs, result.page, result.totalPages, result.hasNextPage, ...
 
-// Using React Hook
+${isPublicCollection ? `// Using React Hook
 const { data, isLoading, error } = client.query.useQuery({
   collection: '${collection}',
   options: { limit: 10 }
@@ -3034,19 +3288,19 @@ const { data, isLoading, error } = client.query.useQuery({
 const { data } = client.query.useSuspenseQuery({
   collection: '${collection}',
   options: { limit: 10 }
-})` : operation === "create" ? `// Create ${collection} item (ServerClient only)
+})` : `// React hooks are browser/public only and do not support '${collection}'.`}` : operation === "create" ? `// Create ${collection} item (ServerClient only)
 // create() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').create({
+const result = await serverClient.collections.from('${collection}').create({
   // Enter fields
 })
 // result.doc - created item, result.message` : operation === "update" ? `// Update ${collection} item (ServerClient only)
 // update() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').update(id, {
+const result = await serverClient.collections.from('${collection}').update(id, {
   // Fields to update
 })
 // result.doc - updated item, result.message` : `// Delete ${collection} item (ServerClient only)
 // remove() returns the deleted document directly
-await serverClient.from('${collection}').remove(id)`}
+await serverClient.collections.from('${collection}').remove(id)`}
 \`\`\`
 
 ### Useful Tips
@@ -3054,7 +3308,7 @@ await serverClient.from('${collection}').remove(id)`}
 ${operation === "find" ? `- Use \`where\` option for filtering (Payload query syntax)
 - Use \`limit\` and \`page\` for pagination
 - Use \`sort\` for sorting (prefix with "-" for descending)
-- React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery
+- ${isPublicCollection ? "React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery" : "React Query hooks are browser/public only; use ServerClient for this collection"}
 - Cache utilities: invalidateQueries, prefetchQuery, getQueryData, setQueryData` : operation === "create" ? `- Requires ServerClient with secretKey
 - Check required fields
 - TypeScript recommended for type safety` : operation === "update" ? `- Requires ServerClient with secretKey
@@ -3290,7 +3544,7 @@ var FEATURES = {
 ### Required Collections (count > 0)
 
 1. **products** \u2014 Create via Console UI or SDK \`client.collections.from('products').create({ ... })\`
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **product-variants** \u2014 At least 1 sellable variant per product
    - Minimum fields: \`{ product, title, price, stock }\`
@@ -3323,7 +3577,8 @@ customer-addresses
 
 ### Optional Collections
 
-customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('customer-groups').create({ title })\`
+- customer-groups \u2014 Console/server-scoped segmentation for VIP coupons and campaigns. Use \`createServerClient().collections.from('customer-groups')\`.
+- customer-profile-lists \u2014 Public profile display/ranking lists for storefronts. Browser reads may use \`client.collections.from('customer-profile-lists')\`.
 
 ### Config
 
@@ -3334,10 +3589,10 @@ customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('c
 ### Required Collections (count > 0)
 
 1. **articles** \u2014 At least 1 article
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **article-authors** \u2014 At least 1 author
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
    - Link authors to articles via the \`authors\` relationship field
 
 ### Optional Collections
@@ -3352,7 +3607,7 @@ article-categories, article-tags`,
 
 2. **document-types** \u2014 At least 1 type
    - Minimum fields: \`{ title, slug }\`
-   - Link document type via \`documentType\` relationship field
+   - Link document type via \`type\` relationship field
 
 ### Optional Collections
 
@@ -3362,10 +3617,10 @@ document-categories`,
 ### Required Collections (count > 0)
 
 1. **playlists** \u2014 At least 1 playlist
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **tracks** \u2014 At least 1 track
-   - Minimum fields: \`{ title, sourceUrl, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, sourceUrl, status: 'published' }\`
 
 3. **playlists.tracks** \u2014 Link at least 1 track from a playlist
    - Minimum fields: \`{ tracks: [trackId] }\`
@@ -3378,11 +3633,11 @@ playlist-categories, playlist-tags, track-categories, track-tags, track-assets`,
 ### Required Collections (count > 0)
 
 1. **galleries** \u2014 At least 1 gallery
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 
 2. **gallery-items** \u2014 At least 1 item per gallery
    - References \`images\` collection (non-upload)
-   - Minimum fields: \`{ gallery, image, _status: 'published' }\`
+   - Minimum fields: \`{ gallery, image, status: 'published' }\`
 
 ### Optional Collections
 
@@ -3392,7 +3647,7 @@ gallery-categories, gallery-tags`,
 ### Required Collections (count > 0)
 
 1. **links** \u2014 At least 1 link
-   - Minimum fields: \`{ title, slug, url, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, url, status: 'published' }\`
 
 ### Optional Collections
 
@@ -3464,9 +3719,11 @@ comments, reactions, bookmarks, reports, community-bans
 
 ### Optional Collections
 
-post-categories`
+post-categories, customer-profile-lists`
 };
-function featureSetupGuide({ feature }) {
+function featureSetupGuide({
+  feature
+}) {
   return `# Feature Setup Guide: ${feature}
 
 ${FEATURES[feature] || "Unknown feature."}
@@ -3489,7 +3746,8 @@ function handler6() {
 ## Server Info
 - **Name**: 01.software MCP Server
 - **Version**: 0.1.0
-- **Transport**: HTTP (Streamable)
+- **Hosted transport**: HTTP (Streamable)
+- **Local transport**: stdio through \`npx @01.software/cli mcp\`
 
 ## Authentication
 
@@ -3500,42 +3758,9 @@ HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 url = "https://mcp.01.software/mcp"
 \`\`\`
 
-## Available Tools (29)
-
-> Generic write tools (create/update/delete/update-many/delete-many) are intentionally absent. Use the dedicated workflow tools below or the SDK (\`client.collections.from(slug).create()\` / \`update()\` / \`remove()\` / \`updateMany()\` / \`removeMany()\`) for stateful mutations.
-
-### Generic Read (2)
-- \`query-collection\` - Query collection with filters, pagination, sorting
-- \`get-collection-by-id\` - Get single item by ID
+## Hosted HTTP OAuth Tools (8)
 
-### Orders (7)
-- \`create-order\` - Create a new order with products and shipping
-- \`get-order\` - Get order details by order number
-- \`update-order\` - Update order status
-- \`checkout\` - Convert cart to order
-- \`create-fulfillment\` - Create fulfillment for order items
-- \`update-fulfillment\` - Update fulfillment status, carrier, and tracking
-- \`update-transaction\` - Update transaction status
-
-### Returns (3)
-- \`create-return\` - Create a return request
-- \`update-return\` - Update return status
-- \`return-with-refund\` - Process return with refund atomically
-
-### Cart (6)
-- \`add-cart-item\` - Add item to cart
-- \`update-cart-item\` - Update cart item quantity
-- \`remove-cart-item\` - Remove item from cart
-- \`apply-discount\` - Apply discount code to cart
-- \`remove-discount\` - Remove discount from cart
-- \`clear-cart\` - Remove all items from cart
-
-### Validation (2)
-- \`validate-discount\` - Validate discount code
-- \`calculate-shipping\` - Calculate shipping fee
-
-### Product (1)
-- \`stock-check\` - Check product option stock availability
+The hosted HTTP MCP endpoint at https://mcp.01.software/mcp exposes only these OAuth-safe tools:
 
 ### Schema (1)
 - \`get-collection-schema\` - Get authoritative tenant-aware collection schema
@@ -3553,6 +3778,16 @@ url = "https://mcp.01.software/mcp"
 - \`sdk-get-auth-setup\` - Get framework-specific auth setup guidance
 - \`sdk-get-collection-pattern\` - Get collection-specific usage patterns
 
+## Local CLI Stdio Surface (29)
+
+For trusted local server-key workflows, start the stdio server:
+
+\`\`\`bash
+npx @01.software/cli mcp
+\`\`\`
+
+Local stdio can expose generic read, order, return, cart, validation, stock, schema, tenant context, field config, and guidance tools. Generic collection write tools (create/update/delete/update-many/delete-many) are intentionally absent on every transport; use the SDK server client for generic writes.
+
 ## Rate Limits
 
 Rate limits depend on your tenant plan:
@@ -3564,7 +3799,7 @@ Rate limits depend on your tenant plan:
 }
 
 // src/resources/(collections)/schema.ts
-import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
+import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
 var metadata35 = {
   name: "collections-schema",
   title: "Collection Schema Info",
@@ -3593,13 +3828,18 @@ var COLLECTIONS_BY_CATEGORY = {
   Customers: [
     "customers",
     "customer-profiles",
-    "customer-addresses",
-    "customer-groups"
+    "customer-profile-lists",
+    "customer-addresses"
   ],
   Carts: ["carts", "cart-items"],
   "Discounts & Promotions": ["discounts", "promotions"],
   Documents: ["documents", "document-categories", "document-types"],
-  Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+  Articles: [
+    "articles",
+    "article-authors",
+    "article-categories",
+    "article-tags"
+  ],
   Community: [
     "posts",
     "comments",
@@ -3618,7 +3858,12 @@ var COLLECTIONS_BY_CATEGORY = {
     "track-categories",
     "track-tags"
   ],
-  Galleries: ["galleries", "gallery-items", "gallery-categories", "gallery-tags"],
+  Galleries: [
+    "galleries",
+    "gallery-items",
+    "gallery-categories",
+    "gallery-tags"
+  ],
   Links: ["links", "link-categories", "link-tags"],
   Canvas: [
     "canvases",
@@ -3643,7 +3888,7 @@ var COLLECTIONS_BY_CATEGORY = {
 };
 function handler7() {
   const categoryDocs = Object.entries(COLLECTIONS_BY_CATEGORY).map(([category, collections]) => {
-    const collectionList = collections.filter((c) => COLLECTIONS6.includes(c)).map((c) => `- **${c}**`).join("\n");
+    const collectionList = collections.filter((c) => COLLECTIONS3.includes(c)).map((c) => `- **${c}**`).join("\n");
     return `## ${category}
 ${collectionList}`;
   }).join("\n\n");
@@ -3664,8 +3909,9 @@ Each collection supports the following operations:
 - \`updateMany(where, data)\` - Bulk update items matching filter
 - \`removeMany(where)\` - Bulk delete items matching filter
 
-Draft-enabled public collections expose only \`_status: 'published'\` rows to
-publishable-key reads unless server-side access explicitly includes drafts.
+Status-managed public collections expose only \`status: 'published'\` rows to
+publishable-key reads unless server-side access explicitly includes
+unpublished statuses.
 
 ## Query Examples
 
@@ -3688,7 +3934,7 @@ publishable-key reads unless server-side access explicitly includes drafts.
 }
 \`\`\`
 
-Total available collections: ${COLLECTIONS6.length}`;
+Total available collections: ${COLLECTIONS3.length}`;
 }
 
 // src/resources/(docs)/getting-started.ts
@@ -5576,8 +5822,25 @@ function registerTool(server, schema34, meta, handler19) {
           };
         }
       }
-      const result = await handler19(params);
-      return { content: [{ type: "text", text: result }] };
+      const activeSummary = currentMcpTelemetrySummary();
+      const ownSummary = activeSummary || hasRequestContext() ? null : createMcpTelemetrySummary("stdio");
+      const summary = activeSummary ?? ownSummary;
+      let result = null;
+      try {
+        result = await handler19(params);
+        return { content: [{ type: "text", text: result }] };
+      } finally {
+        if (summary) {
+          recordMcpToolResult({
+            resultText: result,
+            summary,
+            toolName: meta.name
+          });
+        }
+        if (ownSummary) {
+          void flushMcpTelemetrySummary(ownSummary);
+        }
+      }
     }
   );
 }
@@ -5970,9 +6233,9 @@ Resources (12): config, collections-schema, getting-started, guides, api, query-
 Links
 -----
 
-Docs            https://01.software/docs/integrations/mcp
-SDK             https://01.software/docs/sdk/client
-API Reference   https://01.software/docs/api/rest-api
+Docs            https://docs.01.software/docs/developers/integrations/mcp
+SDK             https://docs.01.software/docs/developers/sdk/client
+API Reference   https://docs.01.software/docs/developers/api/rest-api
 Console         https://console.01.software
 `;
 var PROTECTED_RESOURCE_METADATA = JSON.stringify({
@@ -5980,14 +6243,23 @@ var PROTECTED_RESOURCE_METADATA = JSON.stringify({
   authorization_servers: [MCP_OAUTH_ISSUER],
   scopes_supported: [MCP_SCOPES.read, MCP_SCOPES.write]
 });
+var PROTECTED_RESOURCE_METADATA_URL = new URL(
+  MCP_PROTECTED_RESOURCE_METADATA_PATH,
+  MCP_RESOURCE_AUDIENCE
+).toString();
 var SERVICE_JWKS_PATH = "/.well-known/service-jwks.json";
 function writeOAuthError(res, status, error, description) {
   res.writeHead(status, {
     "Content-Type": "application/json",
-    "WWW-Authenticate": `Bearer resource_metadata="${MCP_PROTECTED_RESOURCE_METADATA_PATH}", error="${error}", error_description="${description}"`
+    "WWW-Authenticate": `Bearer resource_metadata="${PROTECTED_RESOURCE_METADATA_URL}", error="${error}", error_description="${description}"`
   });
   res.end(JSON.stringify({ error, error_description: description }));
 }
+function acceptsEventStream(req) {
+  const accept = getHeaderValue(req.headers, "accept");
+  if (!accept) return false;
+  return accept.split(",").some((entry) => entry.trim().split(";")[0]?.toLowerCase() === "text/event-stream");
+}
 async function handler18(req, res) {
   setCors(res);
   if (req.method === "OPTIONS") {
@@ -6020,6 +6292,11 @@ async function handler18(req, res) {
       }
       return;
     }
+    if (acceptsEventStream(req)) {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(METHOD_NOT_ALLOWED);
+      return;
+    }
     res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
     res.end(HOME_PAGE);
     return;
@@ -6056,14 +6333,19 @@ async function handler18(req, res) {
     if (typeof value === "string") headers.set(key, value);
     else if (Array.isArray(value)) headers.set(key, value.join(", "));
   }
+  const telemetrySummary = createMcpTelemetrySummary("http");
   await requestContext.run({ headers, auth: auth.context }, async () => {
     try {
-      const body = req.body ?? JSON.parse(await readBody(req));
-      await transport.handleRequest(req, res, body);
+      await runWithMcpTelemetry(telemetrySummary, async () => {
+        const body = req.body ?? JSON.parse(await readBody(req));
+        await transport.handleRequest(req, res, body);
+      });
     } catch (err) {
       writeRequestError(res, err);
     } finally {
+      telemetrySummary.durationMs = Date.now() - telemetrySummary.startedAtMs;
       await close();
+      await flushMcpTelemetrySummary(telemetrySummary);
     }
   });
 }