npm - @01.software/cli - Versions diffs - 0.9.0 → 0.10.1 - Mend

@01.software/cli 0.9.0 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.js +414 -28
package/dist/index.js.map +1 -1
package/dist/mcp/{chunk-GJOQ4SE2.js → chunk-2ECTVUKU.js} +1127 -531
package/dist/mcp/chunk-2ECTVUKU.js.map +1 -0
package/dist/mcp/http.js +43 -11
package/dist/mcp/http.js.map +1 -1
package/dist/mcp/stdio.js +1 -1
package/dist/mcp/vercel.js +1162 -540
package/package.json +17 -9
package/dist/mcp/chunk-GJOQ4SE2.js.map +0 -1

package/dist/mcp/vercel.js CHANGED Viewed

@@ -91,6 +91,382 @@ function parseJsonWhere(where) {
   }
 }
+// ../../packages/contracts/src/tenant/index.ts
+import { z } from "zod";
+var tenantFieldConfigStateSchema = z.object({
+  hiddenFields: z.array(z.string()),
+  isHidden: z.boolean()
+}).strict();
+var tenantContextQuerySchema = z.object({
+  counts: z.literal("true").optional()
+}).strict();
+var tenantContextToolInputSchema = z.object({
+  includeCounts: z.boolean().optional().default(false).describe(
+    "Include per-collection document counts and config status (bypasses cache, slower)"
+  )
+}).strict();
+var tenantContextResponseSchema = z.object({
+  tenant: z.object({
+    id: z.string(),
+    name: z.string(),
+    plan: z.string(),
+    planSource: z.string().optional(),
+    authoritative: z.boolean().optional(),
+    capabilityVersion: z.string().optional()
+  }).strict(),
+  features: z.array(z.string()),
+  collections: z.object({
+    active: z.array(z.string()),
+    inactive: z.array(z.string())
+  }).strict(),
+  fieldConfigs: z.record(z.string(), tenantFieldConfigStateSchema),
+  counts: z.record(z.string(), z.number()).optional(),
+  config: z.object({
+    webhookConfigured: z.boolean()
+  }).strict().optional()
+}).strict();
+var tenantFeatureProgressFeatureSchema = z.enum(["ecommerce"]);
+var tenantFeatureProgressInputSchema = z.object({
+  feature: tenantFeatureProgressFeatureSchema.describe(
+    "Feature to inspect for tenant implementation readiness"
+  ),
+  includeEvidence: z.boolean().optional().default(false).describe("Include sanitized counts and static surface evidence")
+}).strict();
+var tenantFeatureProgressStatusSchema = z.enum([
+  "ready",
+  "attention",
+  "blocked"
+]);
+var tenantFeatureProgressItemStateSchema = z.enum([
+  "complete",
+  "incomplete",
+  "blocked",
+  "attention",
+  "optional",
+  "unknown",
+  "manual",
+  "not-applicable"
+]);
+var tenantFeatureProgressSeveritySchema = z.enum([
+  "required",
+  "recommended",
+  "optional"
+]);
+var tenantFeatureProgressEvidenceValueSchema = z.union([
+  z.string(),
+  z.number(),
+  z.boolean(),
+  z.null()
+]);
+var tenantFeatureProgressItemSchema = z.object({
+  id: z.string(),
+  title: z.string(),
+  state: tenantFeatureProgressItemStateSchema,
+  severity: tenantFeatureProgressSeveritySchema,
+  summary: z.string(),
+  evidence: z.record(z.string(), tenantFeatureProgressEvidenceValueSchema).optional()
+}).strict();
+var tenantFeatureProgressGroupSchema = z.object({
+  id: z.string(),
+  title: z.string(),
+  summary: z.string().optional(),
+  items: z.array(tenantFeatureProgressItemSchema)
+}).strict();
+var tenantFeatureProgressResponseSchema = z.object({
+  schemaVersion: z.literal(1),
+  feature: tenantFeatureProgressFeatureSchema,
+  status: tenantFeatureProgressStatusSchema,
+  generatedAt: z.string(),
+  tenant: z.object({
+    id: z.string(),
+    name: z.string(),
+    plan: z.string()
+  }).strict(),
+  capability: z.object({
+    effectiveFeatures: z.array(z.string()),
+    planBlocked: z.array(z.string()),
+    closureAdded: z.array(z.string())
+  }).strict(),
+  summary: z.object({
+    complete: z.number().int().nonnegative(),
+    total: z.number().int().nonnegative(),
+    blocking: z.number().int().nonnegative(),
+    manual: z.number().int().nonnegative(),
+    unknown: z.number().int().nonnegative()
+  }).strict(),
+  groups: z.array(tenantFeatureProgressGroupSchema)
+}).strict();
+var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
+var collectionSchemaEndpointParamsSchema = z.object({
+  collectionSlug: z.string().min(1, "collectionSlug is required")
+}).strict();
+function createCollectionSchemaToolInputSchema(collections) {
+  return z.object({
+    collection: z.enum(collections).describe("Collection name (required)")
+  }).strict();
+}
+var collectionFieldOptionSchema = z.object({
+  label: z.string(),
+  value: z.string()
+}).strict();
+var collectionFieldSchema = z.lazy(
+  () => z.object({
+    name: z.string(),
+    path: z.string(),
+    type: z.string(),
+    required: z.literal(true).optional(),
+    unique: z.literal(true).optional(),
+    hasMany: z.literal(true).optional(),
+    relationTo: z.union([z.string(), z.array(z.string())]).optional(),
+    options: z.array(collectionFieldOptionSchema).optional(),
+    hidden: z.literal(true).optional(),
+    systemManaged: z.literal(true).optional(),
+    writable: z.boolean().optional(),
+    fields: z.array(collectionFieldSchema).optional()
+  }).strict()
+);
+var collectionSchemaResponseSchema = z.object({
+  contractVersion: z.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
+  mode: z.literal("effective"),
+  collection: z.object({
+    slug: z.string(),
+    timestamps: z.boolean(),
+    alwaysActive: z.boolean(),
+    feature: z.string().nullable(),
+    systemFields: z.array(z.string()),
+    visibility: z.object({
+      collectionHidden: z.boolean(),
+      hiddenFields: z.array(z.string())
+    }).strict(),
+    fields: z.array(collectionFieldSchema)
+  }).strict()
+}).strict();
+// ../../packages/contracts/src/ecommerce/index.ts
+import { z as z2 } from "zod";
+var transactionStatusSchema = z2.enum([
+  "pending",
+  "paid",
+  "failed",
+  "canceled"
+]);
+var updateTransactionSchema = z2.object({
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
+  status: transactionStatusSchema.describe(
+    "New transaction status (required)"
+  ),
+  paymentMethod: z2.string().optional().describe("Payment method (optional)"),
+  receiptUrl: z2.string().optional().describe("Receipt URL (optional)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
+  amount: z2.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
+}).strict();
+var UpdateTransactionSchema = updateTransactionSchema;
+var providerSlugSchema = z2.string().trim().regex(/^[a-z0-9][a-z0-9_-]{0,63}$/, "pgProvider must be lowercase slug");
+var confirmPaymentSchema = z2.object({
+  orderNumber: z2.string().min(1).optional(),
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("Provider payment identifier stored on the transaction"),
+  pgProvider: providerSlugSchema.describe(
+    "Payment provider slug, e.g. toss, portone, stripe"
+  ),
+  pgOrderId: z2.string().min(1).optional(),
+  amount: z2.number().int().nonnegative("amount must be non-negative").describe("Provider-confirmed amount in minor units"),
+  currency: z2.string().min(1).optional(),
+  paymentMethod: z2.string().optional(),
+  receiptUrl: z2.string().url().optional(),
+  approvedAt: z2.string().optional(),
+  providerStatus: z2.string().optional(),
+  providerEventId: z2.string().min(1).optional(),
+  confirmationSource: z2.enum([
+    "provider_webhook",
+    "provider_lookup",
+    "provider_api_confirm",
+    "manual_server"
+  ]).optional(),
+  metadata: z2.record(z2.string(), z2.unknown()).optional()
+}).strict();
+var returnReasonSchema = z2.enum([
+  "change_of_mind",
+  "defective",
+  "wrong_delivery",
+  "damaged",
+  "other"
+]);
+var restockActionSchema = z2.enum(["return_to_stock", "discard"]);
+var returnWithRefundItemSchema = z2.object({
+  orderItem: z2.union([z2.string(), z2.number()]).transform(String),
+  quantity: z2.number().int().positive("quantity must be a positive integer"),
+  restockAction: restockActionSchema.default("return_to_stock")
+}).strict();
+var returnWithRefundSchema = z2.object({
+  orderNumber: z2.string().min(1, "orderNumber is required").describe("Order number (required)"),
+  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
+  reasonDetail: z2.string().optional().describe("Detailed reason text (optional)"),
+  returnItems: z2.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
+  refundAmount: z2.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
+  pgPaymentId: z2.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
+  paymentKey: z2.string().min(1).optional().describe("Provider payment key for verified refund"),
+  refundReceiptUrl: z2.string().optional().describe("Refund receipt URL (optional)")
+}).strict();
+var ReturnWithRefundSchema = returnWithRefundSchema;
+// ../../packages/contracts/src/mcp/index.ts
+var MCP_TOOL_CONTRACT = {
+  "query-collection": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-by-id": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-order": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "stock-check": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "validate-discount": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "calculate-shipping": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-collection-schema": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "list-configurable-fields": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "get-tenant-context": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "check-feature-progress": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "add-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-cart-item": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "clear-cart": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "apply-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "remove-discount": {
+    consoleRole: "tenant-editor",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  checkout: {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-order": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-fulfillment": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "create-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-return": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "return-with-refund": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-transaction": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "update-field-config": {
+    consoleRole: "tenant-admin",
+    oauthScope: "mcp:write",
+    readOnly: false
+  },
+  "sdk-get-recipe": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-search-docs": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-auth-setup": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  },
+  "sdk-get-collection-pattern": {
+    consoleRole: "tenant-viewer",
+    oauthScope: "mcp:read",
+    readOnly: true
+  }
+};
+var MCP_TOOL_NAMES = Object.keys(MCP_TOOL_CONTRACT);
+function isMcpToolName(toolName) {
+  return Object.prototype.hasOwnProperty.call(MCP_TOOL_CONTRACT, toolName);
+}
 // src/tool-policy.ts
 var READ_ONLY_ANNOTATION = {
   readOnly: true,
@@ -190,6 +566,13 @@ var TOOL_POLICY_MANIFEST = {
     consoleSurface: "GET /api/tenants/context",
     annotationPolicy: READ_ONLY_ANNOTATION
   },
+  "check-feature-progress": {
+    category: "read-only-tenant",
+    oauthScope: MCP_SCOPES.read,
+    consoleRole: "tenant-viewer",
+    consoleSurface: "GET /api/tenants/feature-progress",
+    annotationPolicy: READ_ONLY_ANNOTATION
+  },
   // ── Cart mutations (mcp:write, tenant-editor) ──
   "add-cart-item": {
     category: "mutation-cart",
@@ -239,7 +622,7 @@ var TOOL_POLICY_MANIFEST = {
     exemptionReason: REASON_CART_EPHEMERAL
   },
   // ── Order mutations (mcp:write, tenant-admin) ──
-  "checkout": {
+  checkout: {
     category: "mutation-order",
     oauthScope: MCP_SCOPES.write,
     consoleRole: "tenant-admin",
@@ -347,14 +730,14 @@ var TOOL_POLICY_MANIFEST = {
   }
 };
 function evaluateToolPolicy(toolName, scopes) {
-  const entry = TOOL_POLICY_MANIFEST[toolName];
-  if (!entry) {
+  if (!isMcpToolName(toolName)) {
     return {
       allowed: false,
       reason: "tool_policy_missing",
       message: `No tool-policy entry for ${toolName}`
     };
   }
+  const entry = TOOL_POLICY_MANIFEST[toolName];
   if (!scopes.includes(entry.oauthScope)) {
     return {
       allowed: false,
@@ -365,17 +748,12 @@ function evaluateToolPolicy(toolName, scopes) {
   return { allowed: true, entry };
 }
-// src/tools/query-collection.ts
-import { z } from "zod";
+// src/lib/mcp-telemetry.ts
+import { AsyncLocalStorage as AsyncLocalStorage2 } from "async_hooks";
+import { randomUUID as randomUUID2 } from "crypto";
-// src/lib/client.ts
-import {
-  CollectionClient,
-  CommunityClient,
-  ModerationApi,
-  ServerCommerceClient,
-  createServerClient
-} from "@01.software/sdk";
+// src/lib/console-api.ts
+import { createHash } from "crypto";
 // src/service-auth.ts
 import { createPrivateKey, randomUUID, sign as signBytes } from "crypto";
@@ -504,43 +882,209 @@ function signMcpServiceToken(context) {
   return `${signingInput}.${signature.toString("base64url")}`;
 }
-// src/lib/client.ts
+// src/lib/console-api.ts
+var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
+var TIMEOUT_MS = 5e3;
 var MISSING_HTTP_AUTH_CONTEXT_ERROR = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function getClient() {
+function resolveAuthHeaderContext() {
   const oauthContext = tenantAuthContext();
   if (oauthContext) {
-    const serviceToken = signMcpServiceToken(oauthContext);
-    const client = {
-      lastRequestId: null,
-      commerce: void 0,
-      collections: void 0,
-      community: void 0
-    };
-    const onRequestId = (id) => {
-      client.lastRequestId = id;
+    return {
+      apiKey: signMcpServiceToken(oauthContext),
+      mode: "oauth"
     };
-    client.commerce = new ServerCommerceClient({
-      secretKey: serviceToken,
-      onRequestId
-    });
-    client.collections = new CollectionClient(
-      "",
-      serviceToken,
-      void 0,
-      void 0,
-      onRequestId
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+  return {
+    apiKey: process.env.SOFTWARE_SECRET_KEY,
+    mode: "stdio",
+    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
+  };
+}
+function resolveApiKey() {
+  const { apiKey } = resolveAuthHeaderContext();
+  if (!apiKey || typeof apiKey !== "string") {
+    throw new Error(
+      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
     );
-    const community = new CommunityClient({ secretKey: serviceToken });
-    const moderation = new ModerationApi({ secretKey: serviceToken, onRequestId });
-    client.community = Object.assign(community, {
-      moderation: {
-        banCustomer: moderation.banCustomer.bind(moderation),
-        unbanCustomer: moderation.unbanCustomer.bind(moderation)
-      }
+  }
+  return apiKey;
+}
+function buildAuthHeaders(apiKey) {
+  const { mode, publishableKey } = resolveAuthHeaderContext();
+  const headers = {
+    Authorization: `Bearer ${apiKey}`
+  };
+  if (mode === "stdio" && publishableKey) {
+    headers["X-Publishable-Key"] = publishableKey;
+  }
+  return headers;
+}
+function extractErrorMessage(body) {
+  if (!body || typeof body !== "object") return void 0;
+  const b = body;
+  if (typeof b.error === "string") return b.error;
+  if (Array.isArray(b.errors) && b.errors[0]?.message) {
+    return String(b.errors[0].message);
+  }
+  if (typeof b.message === "string") return b.message;
+  return void 0;
+}
+async function consoleGet(path, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      headers: authHeaders,
+      signal: controller.signal
     });
-    return client;
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(body);
+      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
   }
-  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR);
+}
+async function consolePost(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
+    }
+    return res.json();
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function consolePostTelemetry(path, body, apiKey) {
+  const authHeaders = buildAuthHeaders(apiKey);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+  try {
+    const res = await fetch(`${BASE_URL}${path}`, {
+      method: "POST",
+      headers: { ...authHeaders, "Content-Type": "application/json" },
+      body: JSON.stringify(body),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      const errBody = await res.json().catch(() => ({}));
+      const msg = extractErrorMessage(errBody);
+      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
+    }
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+// src/lib/mcp-telemetry.ts
+var TELEMETRY_ENDPOINT = "/api/tenants/mcp-telemetry";
+var FLUSH_TIMEOUT_MS = 1500;
+var telemetryContext = new AsyncLocalStorage2();
+function createMcpTelemetrySummary(transport) {
+  return {
+    sessionId: randomUUID2(),
+    startedAtMs: Date.now(),
+    successfulWriteCount: 0,
+    toolCallCount: 0,
+    toolCounts: /* @__PURE__ */ new Map(),
+    transport
+  };
+}
+function currentMcpTelemetrySummary() {
+  return telemetryContext.getStore();
+}
+function runWithMcpTelemetry(summary, fn) {
+  return telemetryContext.run(summary, fn);
+}
+function recordMcpToolResult(params) {
+  if (!isMcpToolName(params.toolName)) return;
+  const toolName = params.toolName;
+  params.summary.toolCallCount += 1;
+  params.summary.toolCounts.set(
+    toolName,
+    (params.summary.toolCounts.get(toolName) ?? 0) + 1
+  );
+  if (!MCP_TOOL_CONTRACT[toolName].readOnly && toolResultSucceeded(params.resultText)) {
+    params.summary.successfulWriteCount += 1;
+  }
+}
+function toMcpTelemetryBody(summary) {
+  if (summary.toolCallCount <= 0) return null;
+  const durationMs = summary.transport === "http" ? Math.max(0, summary.durationMs ?? Date.now() - summary.startedAtMs) : void 0;
+  return {
+    converted: summary.successfulWriteCount > 0,
+    ...durationMs !== void 0 ? { durationMs } : {},
+    sessionId: summary.sessionId,
+    successfulWriteCount: summary.successfulWriteCount,
+    toolCallCount: summary.toolCallCount,
+    toolCounts: Object.fromEntries(summary.toolCounts),
+    transport: summary.transport
+  };
+}
+async function flushMcpTelemetrySummary(summary) {
+  const body = toMcpTelemetryBody(summary);
+  if (!body) return;
+  await swallow(
+    withTimeout(async () => {
+      const apiKey = resolveApiKey();
+      await consolePostTelemetry(TELEMETRY_ENDPOINT, body, apiKey);
+    }, FLUSH_TIMEOUT_MS)
+  );
+}
+function toolResultSucceeded(resultText) {
+  if (!resultText) return false;
+  try {
+    const parsed = JSON.parse(resultText);
+    return parsed.success === true;
+  } catch {
+    return false;
+  }
+}
+async function withTimeout(fn, timeoutMs) {
+  let timer;
+  await Promise.race([
+    fn(),
+    new Promise((resolve) => {
+      timer = setTimeout(resolve, timeoutMs);
+    })
+  ]);
+  if (timer) clearTimeout(timer);
+}
+async function swallow(promise) {
+  try {
+    await promise;
+  } catch {
+  }
+}
+// src/tools/query-collection.ts
+import { z as z3 } from "zod";
+// src/lib/client.ts
+import { createServerClient } from "@01.software/sdk";
+var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
+var HTTP_OAUTH_SDK_CLIENT_ERROR = "MCP HTTP OAuth requests cannot use SDK-backed tools. Use reviewed Console service endpoints for OAuth transport.";
+function getClient() {
+  const oauthContext = tenantAuthContext();
+  if (oauthContext) {
+    throw new Error(HTTP_OAUTH_SDK_CLIENT_ERROR);
+  }
+  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
   const secretKey = process.env.SOFTWARE_SECRET_KEY;
   const publishableKey = process.env.SOFTWARE_PUBLISHABLE_KEY || process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY;
   if (!secretKey) {
@@ -563,15 +1107,18 @@ function getClient() {
 }
 // src/tools/query-collection.ts
-import { COLLECTIONS } from "@01.software/sdk";
+import { SERVER_COLLECTIONS } from "@01.software/sdk";
 var schema = {
-  collection: z.enum(COLLECTIONS).describe("Collection name (required)"),
-  where: z.string().optional().describe(
+  collection: z3.enum(SERVER_COLLECTIONS).describe("Collection name (required)"),
+  where: z3.string().optional().describe(
     `Filter conditions (JSON string, optional). Pass the Payload query condition object as a JSON string. Example: '{"title":{"equals":"Product name"}}'`
   ),
-  limit: z.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
-  page: z.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
-  sort: z.string().regex(/^-?[a-zA-Z0-9_.]+$/, 'Sort must be a field name, optionally prefixed with "-" for descending').optional().describe(
+  limit: z3.number().min(1).max(100).default(10).describe("Maximum number of items to return (1-100, default: 10)."),
+  page: z3.number().optional().describe("Page number (optional). Starts from 1. Used for pagination."),
+  sort: z3.string().regex(
+    /^-?[a-zA-Z0-9_.]+$/,
+    'Sort must be a field name, optionally prefixed with "-" for descending'
+  ).optional().describe(
     'Sort field (optional). Use "fieldName" for ascending or "-fieldName" for descending. Example: "createdAt" or "-createdAt"'
   )
 };
@@ -625,11 +1172,11 @@ async function queryCollection({
 }
 // src/tools/get-collection-by-id.ts
-import { z as z2 } from "zod";
-import { COLLECTIONS as COLLECTIONS2 } from "@01.software/sdk";
+import { z as z4 } from "zod";
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS2 } from "@01.software/sdk";
 var schema2 = {
-  collection: z2.enum(COLLECTIONS2).describe("Collection name (required)"),
-  id: z2.string().min(1).describe("Item ID (required)")
+  collection: z4.enum(SERVER_COLLECTIONS2).describe("Collection name (required)"),
+  id: z4.string().min(1).describe("Item ID (required)")
 };
 var metadata2 = {
   name: "get-collection-by-id",
@@ -655,9 +1202,9 @@ async function getCollectionById({
 }
 // src/tools/get-order.ts
-import { z as z3 } from "zod";
+import { z as z5 } from "zod";
 var schema3 = {
-  orderNumber: z3.string().min(1).describe("Order number to look up (required)")
+  orderNumber: z5.string().min(1).describe("Order number to look up (required)")
 };
 var metadata3 = {
   name: "get-order",
@@ -687,24 +1234,24 @@ async function getOrder({
 }
 // src/tools/create-order.ts
-import { z as z4 } from "zod";
+import { z as z6 } from "zod";
 var schema4 = {
-  pgPaymentId: z4.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z4.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z4.object({
-    name: z4.string().optional().describe("Customer name"),
-    email: z4.string().describe("Customer email (required)"),
-    phone: z4.string().optional().describe("Customer phone")
+  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z6.object({
+    name: z6.string().optional().describe("Customer name"),
+    email: z6.string().describe("Customer email (required)"),
+    phone: z6.string().optional().describe("Customer phone")
   }).describe("Customer snapshot at time of order (required)"),
-  shippingAddress: z4.record(z4.string(), z4.unknown()).describe(
+  shippingAddress: z6.record(z6.string(), z6.unknown()).describe(
     "Shipping address object (required). Fields: postalCode, address1, address2, deliveryMessage, recipientName, phone"
   ),
-  orderItems: z4.array(z4.record(z4.string(), z4.unknown())).describe(
+  orderItems: z6.array(z6.record(z6.string(), z6.unknown())).describe(
     "Array of order item objects (required). Each: { product, variant, option, quantity, unitPrice?, totalPrice? }"
   ),
-  totalAmount: z4.number().nonnegative().describe("Total order amount (required, min 0)"),
-  shippingAmount: z4.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
-  discountCode: z4.string().optional().describe("Discount code to apply (optional)")
+  totalAmount: z6.number().nonnegative().describe("Total order amount (required, min 0)"),
+  shippingAmount: z6.number().nonnegative().optional().describe("Shipping amount (optional, default 0)"),
+  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
 };
 var metadata4 = {
   name: "create-order",
@@ -729,10 +1276,10 @@ async function createOrder(params) {
 }
 // src/tools/update-order.ts
-import { z as z5 } from "zod";
+import { z as z7 } from "zod";
 var schema5 = {
-  orderNumber: z5.string().min(1).describe("Order number (required)"),
-  status: z5.enum([
+  orderNumber: z7.string().min(1).describe("Order number (required)"),
+  status: z7.enum([
     "pending",
     "paid",
     "failed",
@@ -769,15 +1316,15 @@ async function updateOrder({
 }
 // src/tools/checkout.ts
-import { z as z6 } from "zod";
+import { z as z8 } from "zod";
 var schema6 = {
-  cartId: z6.string().min(1).describe("Cart ID to convert to order (required)"),
-  pgPaymentId: z6.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
-  orderNumber: z6.string().min(1).describe("Unique order number (required)"),
-  customerSnapshot: z6.record(z6.string(), z6.unknown()).describe(
+  cartId: z8.string().min(1).describe("Cart ID to convert to order (required)"),
+  pgPaymentId: z8.string().optional().describe("PG payment ID (optional \u2014 omit for free orders)"),
+  orderNumber: z8.string().min(1).describe("Unique order number (required)"),
+  customerSnapshot: z8.record(z8.string(), z8.unknown()).describe(
     "Customer snapshot object (required). Fields: { name?, email, phone? }"
   ),
-  discountCode: z6.string().optional().describe("Discount code to apply (optional)")
+  discountCode: z8.string().optional().describe("Discount code to apply (optional)")
 };
 var metadata6 = {
   name: "checkout",
@@ -802,17 +1349,17 @@ async function checkout(params) {
 }
 // src/tools/create-fulfillment.ts
-import { z as z7 } from "zod";
+import { z as z9 } from "zod";
 var schema7 = {
-  orderNumber: z7.string().min(1).describe("Order number (required)"),
-  carrier: z7.string().optional().describe("Shipping carrier name (optional)"),
-  trackingNumber: z7.string().optional().describe(
+  orderNumber: z9.string().min(1).describe("Order number (required)"),
+  carrier: z9.string().optional().describe("Shipping carrier name (optional)"),
+  trackingNumber: z9.string().optional().describe(
     'Tracking number (optional). Setting carrier + tracking triggers "shipped" status'
   ),
-  items: z7.array(
-    z7.object({
-      orderItem: z7.string().min(1).describe("Order item ID"),
-      quantity: z7.number().int().positive().describe("Quantity to fulfill")
+  items: z9.array(
+    z9.object({
+      orderItem: z9.string().min(1).describe("Order item ID"),
+      quantity: z9.number().int().positive().describe("Quantity to fulfill")
     })
   ).describe("Array of items to fulfill (required)")
 };
@@ -847,16 +1394,16 @@ async function createFulfillment({
 }
 // src/tools/update-fulfillment.ts
-import { z as z8 } from "zod";
+import { z as z10 } from "zod";
 var schema8 = {
-  fulfillmentId: z8.string().min(1).describe("Fulfillment ID (required)"),
-  status: z8.enum(["packed", "shipped", "delivered", "failed"]).describe(
+  fulfillmentId: z10.string().min(1).describe("Fulfillment ID (required)"),
+  status: z10.enum(["packed", "shipped", "delivered", "failed"]).describe(
     "New fulfillment status (required). FSM: pending\u2192packed/shipped/failed, packed\u2192shipped/failed, shipped\u2192delivered/failed"
   ),
-  carrier: z8.string().optional().describe(
+  carrier: z10.string().optional().describe(
     "Shipping carrier (optional, changeable only in pending/packed status)"
   ),
-  trackingNumber: z8.string().optional().describe(
+  trackingNumber: z10.string().optional().describe(
     "Tracking number (optional, changeable only in pending/packed status)"
   )
 };
@@ -890,131 +1437,6 @@ async function updateFulfillment({
   }
 }
-// ../../packages/contracts/src/tenant/index.ts
-import { z as z9 } from "zod";
-var tenantFieldConfigStateSchema = z9.object({
-  hiddenFields: z9.array(z9.string()),
-  isHidden: z9.boolean()
-}).strict();
-var tenantContextQuerySchema = z9.object({
-  counts: z9.literal("true").optional()
-}).strict();
-var tenantContextToolInputSchema = z9.object({
-  includeCounts: z9.boolean().optional().default(false).describe(
-    "Include per-collection document counts and config status (bypasses cache, slower)"
-  )
-}).strict();
-var tenantContextResponseSchema = z9.object({
-  tenant: z9.object({
-    id: z9.string(),
-    name: z9.string(),
-    plan: z9.string(),
-    planSource: z9.string().optional(),
-    authoritative: z9.boolean().optional(),
-    capabilityVersion: z9.string().optional(),
-    isDevMode: z9.boolean()
-  }).strict(),
-  features: z9.array(z9.string()),
-  collections: z9.object({
-    active: z9.array(z9.string()),
-    inactive: z9.array(z9.string())
-  }).strict(),
-  fieldConfigs: z9.record(z9.string(), tenantFieldConfigStateSchema),
-  counts: z9.record(z9.string(), z9.number()).optional(),
-  config: z9.object({
-    webhookConfigured: z9.boolean()
-  }).strict().optional()
-}).strict();
-var COLLECTION_SCHEMA_CONTRACT_VERSION = 1;
-var collectionSchemaEndpointParamsSchema = z9.object({
-  collectionSlug: z9.string().min(1, "collectionSlug is required")
-}).strict();
-function createCollectionSchemaToolInputSchema(collections) {
-  return z9.object({
-    collection: z9.enum(collections).describe("Collection name (required)")
-  }).strict();
-}
-var collectionFieldOptionSchema = z9.object({
-  label: z9.string(),
-  value: z9.string()
-}).strict();
-var collectionFieldSchema = z9.lazy(
-  () => z9.object({
-    name: z9.string(),
-    path: z9.string(),
-    type: z9.string(),
-    required: z9.literal(true).optional(),
-    unique: z9.literal(true).optional(),
-    hasMany: z9.literal(true).optional(),
-    relationTo: z9.union([z9.string(), z9.array(z9.string())]).optional(),
-    options: z9.array(collectionFieldOptionSchema).optional(),
-    hidden: z9.literal(true).optional(),
-    systemManaged: z9.literal(true).optional(),
-    writable: z9.boolean().optional(),
-    fields: z9.array(collectionFieldSchema).optional()
-  }).strict()
-);
-var collectionSchemaResponseSchema = z9.object({
-  contractVersion: z9.literal(COLLECTION_SCHEMA_CONTRACT_VERSION),
-  mode: z9.literal("effective"),
-  collection: z9.object({
-    slug: z9.string(),
-    timestamps: z9.boolean(),
-    alwaysActive: z9.boolean(),
-    feature: z9.string().nullable(),
-    systemFields: z9.array(z9.string()),
-    visibility: z9.object({
-      collectionHidden: z9.boolean(),
-      hiddenFields: z9.array(z9.string())
-    }).strict(),
-    fields: z9.array(collectionFieldSchema)
-  }).strict()
-}).strict();
-// ../../packages/contracts/src/ecommerce/index.ts
-import { z as z10 } from "zod";
-var transactionStatusSchema = z10.enum([
-  "pending",
-  "paid",
-  "failed",
-  "canceled"
-]);
-var updateTransactionSchema = z10.object({
-  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID (required)"),
-  status: transactionStatusSchema.describe(
-    "New transaction status (required)"
-  ),
-  paymentMethod: z10.string().optional().describe("Payment method (optional)"),
-  receiptUrl: z10.string().optional().describe("Receipt URL (optional)"),
-  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified paid confirmation"),
-  amount: z10.number().int().positive().optional().describe("Provider-confirmed amount for verified paid confirmation")
-}).strict();
-var UpdateTransactionSchema = updateTransactionSchema;
-var returnReasonSchema = z10.enum([
-  "change_of_mind",
-  "defective",
-  "wrong_delivery",
-  "damaged",
-  "other"
-]);
-var restockActionSchema = z10.enum(["return_to_stock", "discard"]);
-var returnWithRefundItemSchema = z10.object({
-  orderItem: z10.union([z10.string(), z10.number()]).transform(String),
-  quantity: z10.number().int().positive("quantity must be a positive integer"),
-  restockAction: restockActionSchema.default("return_to_stock")
-}).strict();
-var returnWithRefundSchema = z10.object({
-  orderNumber: z10.string().min(1, "orderNumber is required").describe("Order number (required)"),
-  reason: returnReasonSchema.optional().describe("Return reason (optional)"),
-  reasonDetail: z10.string().optional().describe("Detailed reason text (optional)"),
-  returnItems: z10.array(returnWithRefundItemSchema).min(1, "At least one return item is required").max(100, "Too many return items").describe("Array of products to return (required)"),
-  refundAmount: z10.number().min(0, "refundAmount must be non-negative").describe("Refund amount (required, min 0)"),
-  pgPaymentId: z10.string().min(1, "pgPaymentId is required").describe("PG payment ID for refund (required)"),
-  paymentKey: z10.string().min(1).optional().describe("Provider payment key for verified refund"),
-  refundReceiptUrl: z10.string().optional().describe("Refund receipt URL (optional)")
-}).strict();
-var ReturnWithRefundSchema = returnWithRefundSchema;
 // src/tools/update-transaction.ts
 var schema9 = UpdateTransactionSchema.shape;
 var metadata9 = {
@@ -1409,141 +1831,51 @@ async function calculateShipping({
     const result = await client.commerce.shipping.calculate({
       shippingPolicyId,
       orderAmount,
-      postalCode
-    });
-    return toolSuccess({ data: result });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-// src/tools/stock-check.ts
-import { z as z21 } from "zod";
-var schema21 = {
-  items: z21.array(
-    z21.object({
-      variantId: z21.string().describe("Product variant ID"),
-      quantity: z21.number().int().positive().describe("Requested quantity")
-    })
-  ).describe(
-    "Array of items to check stock for (required, max 100). Each: { variantId, quantity }"
-  )
-};
-var metadata21 = {
-  name: "stock-check",
-  description: "Batch check product option stock availability. Returns per-item availability and an allAvailable flag.",
-  annotations: {
-    title: "Check stock availability",
-    readOnlyHint: true,
-    destructiveHint: false,
-    idempotentHint: true
-  }
-};
-async function stockCheck({
-  items
-}) {
-  try {
-    const client = getClient();
-    const result = await client.commerce.product.stockCheck({ items });
-    return toolSuccess({ data: result });
-  } catch (error) {
-    return toolError(error);
-  }
-}
-// src/tools/get-collection-schema.ts
-import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
-// src/lib/console-api.ts
-import { createHash } from "crypto";
-var BASE_URL = process.env.SOFTWARE_API_URL || "http://localhost:3000";
-var TIMEOUT_MS = 5e3;
-var MISSING_HTTP_AUTH_CONTEXT_ERROR2 = "MCP HTTP requests require a validated OAuth tenant context before tool execution.";
-function resolveAuthHeaderContext() {
-  const oauthContext = tenantAuthContext();
-  if (oauthContext) {
-    return {
-      apiKey: signMcpServiceToken(oauthContext),
-      mode: "oauth"
-    };
-  }
-  if (hasRequestContext()) throw new Error(MISSING_HTTP_AUTH_CONTEXT_ERROR2);
-  return {
-    apiKey: process.env.SOFTWARE_SECRET_KEY,
-    mode: "stdio",
-    publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY ?? process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY
-  };
-}
-function resolveApiKey() {
-  const { apiKey } = resolveAuthHeaderContext();
-  if (!apiKey || typeof apiKey !== "string") {
-    throw new Error(
-      "Authentication required. Set SOFTWARE_SECRET_KEY for stdio transport."
-    );
-  }
-  return apiKey;
-}
-function buildAuthHeaders(apiKey) {
-  const { mode, publishableKey } = resolveAuthHeaderContext();
-  const headers = {
-    Authorization: `Bearer ${apiKey}`
-  };
-  if (mode === "stdio" && publishableKey) {
-    headers["X-Publishable-Key"] = publishableKey;
-  }
-  return headers;
-}
-function extractErrorMessage(body) {
-  if (!body || typeof body !== "object") return void 0;
-  const b = body;
-  if (typeof b.error === "string") return b.error;
-  if (Array.isArray(b.errors) && b.errors[0]?.message) {
-    return String(b.errors[0].message);
-  }
-  if (typeof b.message === "string") return b.message;
-  return void 0;
-}
-async function consoleGet(path, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
-  try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      headers: authHeaders,
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const body = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(body);
-      throw new Error(msg || `Console GET ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
+      postalCode
+    });
+    return toolSuccess({ data: result });
+  } catch (error) {
+    return toolError(error);
   }
 }
-async function consolePost(path, body, apiKey) {
-  const authHeaders = buildAuthHeaders(apiKey);
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), TIMEOUT_MS);
+// src/tools/stock-check.ts
+import { z as z21 } from "zod";
+var schema21 = {
+  items: z21.array(
+    z21.object({
+      variantId: z21.string().describe("Product variant ID"),
+      quantity: z21.number().int().positive().describe("Requested quantity")
+    })
+  ).describe(
+    "Array of items to check stock for (required, max 100). Each: { variantId, quantity }"
+  )
+};
+var metadata21 = {
+  name: "stock-check",
+  description: "Batch check product option stock availability. Returns per-item availability and an allAvailable flag.",
+  annotations: {
+    title: "Check stock availability",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true
+  }
+};
+async function stockCheck({
+  items
+}) {
   try {
-    const res = await fetch(`${BASE_URL}${path}`, {
-      method: "POST",
-      headers: { ...authHeaders, "Content-Type": "application/json" },
-      body: JSON.stringify(body),
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      const errBody = await res.json().catch(() => ({}));
-      const msg = extractErrorMessage(errBody);
-      throw new Error(msg || `Console POST ${path} failed: ${res.status}`);
-    }
-    return res.json();
-  } finally {
-    clearTimeout(timeoutId);
+    const client = getClient();
+    const result = await client.commerce.product.stockCheck({ items });
+    return toolSuccess({ data: result });
+  } catch (error) {
+    return toolError(error);
   }
 }
+// src/tools/get-collection-schema.ts
+import { SERVER_COLLECTIONS as SERVER_COLLECTIONS3 } from "@01.software/sdk";
 // src/lib/collection-schema.ts
 async function getCollectionSchema(collection) {
   const apiKey = resolveApiKey();
@@ -1555,7 +1887,7 @@ async function getCollectionSchema(collection) {
 }
 // src/tools/get-collection-schema.ts
-var schema22 = createCollectionSchemaToolInputSchema(COLLECTIONS3).shape;
+var schema22 = createCollectionSchemaToolInputSchema(SERVER_COLLECTIONS3).shape;
 var metadata22 = {
   name: "get-collection-schema",
   description: "Get the authoritative tenant-aware collection schema from console. Use this before create/update to understand writable fields, hidden fields, required metadata, and collection-level visibility.",
@@ -1584,6 +1916,11 @@ async function getCollectionSchemaTool({
 function getTenantContextPath(includeCounts) {
   return includeCounts ? "/api/tenants/context?counts=true" : "/api/tenants/context";
 }
+function getTenantFeatureProgressPath(feature, includeEvidence) {
+  const search = new URLSearchParams({ feature });
+  if (includeEvidence) search.set("includeEvidence", "true");
+  return `/api/tenants/feature-progress?${search.toString()}`;
+}
 async function getTenantContext(includeCounts = false) {
   const apiKey = resolveApiKey();
   const data = await consoleGet(
@@ -1592,6 +1929,14 @@ async function getTenantContext(includeCounts = false) {
   );
   return tenantContextResponseSchema.parse(data);
 }
+async function getTenantFeatureProgress(feature, includeEvidence = false) {
+  const apiKey = resolveApiKey();
+  const data = await consoleGet(
+    getTenantFeatureProgressPath(feature, includeEvidence),
+    apiKey
+  );
+  return tenantFeatureProgressResponseSchema.parse(data);
+}
 // src/tools/get-tenant-context.ts
 var schema23 = tenantContextToolInputSchema.shape;
@@ -1671,6 +2016,30 @@ async function handler({
   }
 }
+// src/tools/check-feature-progress.ts
+var schema24 = tenantFeatureProgressInputSchema.shape;
+var metadata24 = {
+  name: "check-feature-progress",
+  description: "Check tenant implementation progress for a supported feature. Start with feature=ecommerce to inspect catalog, cart, checkout, payment result, webhook, and operations readiness without mutating tenant data.",
+  annotations: {
+    title: "Check Feature Progress",
+    readOnlyHint: true,
+    destructiveHint: false,
+    idempotentHint: true
+  }
+};
+async function handler2({
+  feature,
+  includeEvidence
+}) {
+  try {
+    const progress = await getTenantFeatureProgress(feature, includeEvidence);
+    return toolSuccess({ progress });
+  } catch (error) {
+    return toolError(error);
+  }
+}
 // src/tools/list-configurable-fields.ts
 import { z as z22 } from "zod";
@@ -1695,12 +2064,12 @@ function invalidateFieldConfigCache() {
 }
 // src/tools/list-configurable-fields.ts
-var schema24 = {
+var schema25 = {
   collection: z22.string().optional().describe(
     "Filter by collection slug (optional \u2014 returns all if omitted). Use this filter to reduce response size when you know which collection to check."
   )
 };
-var metadata24 = {
+var metadata25 = {
   name: "list-configurable-fields",
   description: "List all configurable fields for tenant collections with current visibility state. Shows which fields can be shown/hidden and their current status. Returns all collections including inactive features \u2014 cross-reference with get-tenant-context for active features. Response includes ~300 fields across 47 collections \u2014 use collection filter when possible.",
   annotations: {
@@ -1732,7 +2101,7 @@ async function listConfigurableFields(params) {
 // src/tools/update-field-config.ts
 import { z as z23 } from "zod";
-var schema25 = {
+var schema26 = {
   collection: z23.string().min(1).describe("Collection slug (required)"),
   hiddenFields: z23.array(z23.string().min(1).max(200)).max(300).describe(
     "Fields to hide (required). This is a FULL REPLACE \u2014 fields NOT in this list will be shown. Pass [] to show all fields. Use list-configurable-fields first to see available field paths."
@@ -1741,7 +2110,7 @@ var schema25 = {
     "Hide the entire collection from Admin Panel (optional). When true, individual hiddenFields are irrelevant."
   )
 };
-var metadata25 = {
+var metadata26 = {
   name: "update-field-config",
   description: "Update field visibility configuration for a tenant collection. Hidden fields are removed from the Admin Panel UI. IMPORTANT: hiddenFields is a full replace, not a merge. Always call list-configurable-fields first to see current state.",
   annotations: {
@@ -2201,7 +2570,7 @@ function getRecipe(goal, runtime = "both") {
 }
 // src/tools/sdk-get-recipe.ts
-var schema26 = {
+var schema27 = {
   goal: z24.enum([
     "fetch-list",
     "fetch-by-id",
@@ -2218,7 +2587,7 @@ var schema26 = {
   collection: z24.string().optional().describe("Specific collection name if applicable"),
   includeExample: z24.boolean().default(true).describe("Whether to include a full code example")
 };
-var metadata26 = {
+var metadata27 = {
   name: "sdk-get-recipe",
   description: "Get a complete SDK code recipe for a specific task. Returns recommended approach, code example, and related documentation links. Use this FIRST when the user asks how to do something with the SDK.",
   annotations: {
@@ -2228,7 +2597,7 @@ var metadata26 = {
     idempotentHint: true
   }
 };
-function handler2({
+function handler3({
   goal,
   runtime,
   collection,
@@ -2275,7 +2644,7 @@ var docIndex = [
   {
     title: "Browser Client vs Server Client",
     keywords: ["browser", "server", "publishable key", "secret key", "createClient", "createServerClient", "NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_PUBLISHABLE_KEY", "SOFTWARE_SECRET_KEY", "pk01_", "sk01_", "pat01_", "read-only", "full crud"],
-    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in browser-auth-scoped flows). Never expose SECRET_KEY to the browser.",
+    summary: "createClient() for browser with publishableKey (read-only pk01_), createServerClient() for server with matching SOFTWARE_PUBLISHABLE_KEY + SOFTWARE_SECRET_KEY (usually sk01_, sometimes pat01_ in scoped flows). Never expose SECRET_KEY to the browser.",
     resourceUri: "docs://sdk/getting-started"
   },
   // Query Builder
@@ -2436,11 +2805,11 @@ function searchDocs(query, limit = 5) {
 }
 // src/tools/sdk-search-docs.ts
-var schema27 = {
+var schema28 = {
   query: z25.string().min(2).describe('Search keyword or phrase (e.g. "infinite scroll", "webhook", "customer login")'),
   limit: z25.number().min(1).max(10).default(5).describe("Maximum results to return (1-10, default: 5)")
 };
-var metadata27 = {
+var metadata28 = {
   name: "sdk-search-docs",
   description: "Search SDK documentation by keyword. Returns matching topics with summaries and resource links. Use when looking for specific SDK features or patterns.",
   annotations: {
@@ -2450,7 +2819,7 @@ var metadata27 = {
     idempotentHint: true
   }
 };
-function handler3({
+function handler4({
   query,
   limit
 }) {
@@ -2476,7 +2845,7 @@ function handler3({
 // src/tools/sdk-get-auth-setup.ts
 import { z as z26 } from "zod";
-var schema28 = {
+var schema29 = {
   scenario: z26.enum([
     "browser-client",
     "server-client",
@@ -2486,7 +2855,7 @@ var schema28 = {
     "webhook-verification"
   ]).describe("Authentication scenario")
 };
-var metadata28 = {
+var metadata29 = {
   name: "sdk-get-auth-setup",
   description: "Get the current authentication setup for a specific scenario. Returns env var names, code snippets, and security notes.",
   annotations: {
@@ -2625,7 +2994,7 @@ export async function POST(request: Request) {
     ]
   }
 };
-function handler4({
+function handler5({
   scenario
 }) {
   try {
@@ -2641,13 +3010,13 @@ function handler4({
 // src/tools/sdk-get-collection-pattern.ts
 import { z as z27 } from "zod";
-import { COLLECTIONS as COLLECTIONS4 } from "@01.software/sdk";
-var schema29 = {
-  collection: z27.enum(COLLECTIONS4).describe("Collection name"),
+import { COLLECTIONS, SERVER_COLLECTIONS as SERVER_COLLECTIONS4 } from "@01.software/sdk";
+var schema30 = {
+  collection: z27.enum(SERVER_COLLECTIONS4).describe("Collection name"),
   operation: z27.enum(["read", "write", "full-crud"]).default("read").describe("What operations are needed"),
   surface: z27.enum(["query-builder", "react-query", "server-api"]).default("query-builder").describe("Preferred API surface")
 };
-var metadata29 = {
+var metadata30 = {
   name: "sdk-get-collection-pattern",
   description: "Get the recommended CRUD pattern for a specific collection. Returns code examples for the chosen API surface and operation type.",
   annotations: {
@@ -2658,7 +3027,15 @@ var metadata29 = {
   }
 };
 function generatePattern(collection, operation, surface) {
+  const isPublicCollection = COLLECTIONS.includes(
+    collection
+  );
   if (surface === "react-query") {
+    if (!isPublicCollection) {
+      throw new Error(
+        `${collection} is server-only. Use surface="server-api" with createServerClient().`
+      );
+    }
     const parts2 = [];
     if (operation === "read") {
       parts2.push(
@@ -2770,17 +3147,29 @@ function generatePattern(collection, operation, surface) {
   }
   const parts = [];
   if (operation === "read" || operation === "full-crud") {
-    parts.push(
-      `// Read with any client (Client or ServerClient)`,
-      `const result = await client.collections.from('${collection}').find({`,
-      `  where: { status: { equals: 'published' } },`,
-      `  limit: 10,`,
-      `  sort: '-createdAt'`,
-      `})`,
-      ``,
-      `const item = await client.collections.from('${collection}').findById(id)`,
-      `const { totalDocs } = await client.collections.from('${collection}').count()`
-    );
+    if (isPublicCollection) {
+      parts.push(
+        `// Read with any client (Client or ServerClient)`,
+        `const result = await client.collections.from('${collection}').find({`,
+        `  where: { status: { equals: 'published' } },`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await client.collections.from('${collection}').findById(id)`,
+        `const { totalDocs } = await client.collections.from('${collection}').count()`
+      );
+    } else {
+      parts.push(
+        `// Server-only collection: use ServerClient`,
+        `const result = await serverClient.collections.from('${collection}').find({`,
+        `  limit: 10,`,
+        `  sort: '-createdAt'`,
+        `})`,
+        ``,
+        `const item = await serverClient.collections.from('${collection}').findById(id)`
+      );
+    }
   }
   if (operation === "write" || operation === "full-crud") {
     parts.push(
@@ -2795,11 +3184,12 @@ function generatePattern(collection, operation, surface) {
     code: parts.join("\n"),
     notes: [
       "Query Builder works with both Client and ServerClient for reads",
+      !isPublicCollection ? "This collection is server-only" : "",
       operation !== "read" ? "Write operations require ServerClient" : ""
     ].filter(Boolean)
   };
 }
-function handler5({
+function handler6({
   collection,
   operation,
   surface
@@ -2828,13 +3218,13 @@ function handler5({
 // src/prompts/sdk-usage-guide.ts
 import { z as z28 } from "zod";
-var schema30 = {
+var schema31 = {
   goal: z28.string().describe('What the user wants to accomplish (e.g., "query product list", "create order")'),
   runtime: z28.enum(["browser", "server"]).optional().describe("Target runtime: browser (React/Next.js client) or server (Node.js)"),
   surface: z28.enum(["query-builder", "react-query", "customer-api", "server-api"]).optional().describe("Preferred API surface"),
   collection: z28.string().optional().describe("Specific collection if relevant")
 };
-var metadata30 = {
+var metadata31 = {
   name: "sdk-usage-guide",
   title: "SDK Usage Guide",
   description: "Provides guidance on how to perform a specific task using the 01.software SDK",
@@ -2972,13 +3362,13 @@ You can perform the "${goal}" task by following the patterns above.`;
 // src/prompts/collection-query-help.ts
 import { z as z29 } from "zod";
-import { COLLECTIONS as COLLECTIONS5 } from "@01.software/sdk";
-var schema31 = {
-  collection: z29.enum(COLLECTIONS5).describe("Collection name"),
+import { COLLECTIONS as COLLECTIONS2, SERVER_COLLECTIONS as SERVER_COLLECTIONS5 } from "@01.software/sdk";
+var schema32 = {
+  collection: z29.enum(SERVER_COLLECTIONS5).describe("Collection name"),
   operation: z29.enum(["find", "create", "update", "delete"]).describe("Operation to perform (find, create, update, delete)"),
   filters: z29.string().optional().describe("Filter conditions (JSON string, optional)")
 };
-var metadata31 = {
+var metadata32 = {
   name: "collection-query-help",
   title: "Collection Query Help",
   description: "Provides guidance on how to write queries for a specific collection",
@@ -2995,6 +3385,11 @@ Filter conditions:
 \`\`\`json
 ${filters}
 \`\`\`` : "";
+  const isPublicCollection = COLLECTIONS2.includes(
+    collection
+  );
+  const readClientName = isPublicCollection ? "client" : "serverClient";
+  const readClientNote = isPublicCollection ? "Client or ServerClient" : "ServerClient only";
   return `How to perform "${operation}" operation on "${collection}" collection:${filterExample}
 ## Collection: ${collection}
@@ -3005,26 +3400,26 @@ ${filters}
 \`\`\`typescript
 import { createClient, createServerClient } from '@01.software/sdk'
-// Client (read-only)
+// Client (read-only public collections)
 const client = createClient({
   publishableKey: process.env.NEXT_PUBLIC_SOFTWARE_PUBLISHABLE_KEY!
 })
-// Server client (full CRUD)
+// Server client (server/public collections, full CRUD)
 const serverClient = createServerClient({
   publishableKey: process.env.SOFTWARE_PUBLISHABLE_KEY!,
   secretKey: process.env.SOFTWARE_SECRET_KEY!
 })
-${operation === "find" ? `// Query ${collection} collection with Query Builder
+${operation === "find" ? `// Query ${collection} collection with Query Builder (${readClientNote})
 // find() returns PayloadFindResponse with docs array and pagination
-const result = await client.collections.from('${collection}').find(${filters ? `{
+const result = await ${readClientName}.collections.from('${collection}').find(${filters ? `{
   where: ${filters}
 }` : ""})
 // result.docs - array of items
 // result.totalDocs, result.page, result.totalPages, result.hasNextPage, ...
-// Using React Hook
+${isPublicCollection ? `// Using React Hook
 const { data, isLoading, error } = client.query.useQuery({
   collection: '${collection}',
   options: { limit: 10 }
@@ -3034,19 +3429,19 @@ const { data, isLoading, error } = client.query.useQuery({
 const { data } = client.query.useSuspenseQuery({
   collection: '${collection}',
   options: { limit: 10 }
-})` : operation === "create" ? `// Create ${collection} item (ServerClient only)
+})` : `// React hooks are browser/public only and do not support '${collection}'.`}` : operation === "create" ? `// Create ${collection} item (ServerClient only)
 // create() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').create({
+const result = await serverClient.collections.from('${collection}').create({
   // Enter fields
 })
 // result.doc - created item, result.message` : operation === "update" ? `// Update ${collection} item (ServerClient only)
 // update() returns PayloadMutationResponse with doc and message
-const result = await serverClient.from('${collection}').update(id, {
+const result = await serverClient.collections.from('${collection}').update(id, {
   // Fields to update
 })
 // result.doc - updated item, result.message` : `// Delete ${collection} item (ServerClient only)
 // remove() returns the deleted document directly
-await serverClient.from('${collection}').remove(id)`}
+await serverClient.collections.from('${collection}').remove(id)`}
 \`\`\`
 ### Useful Tips
@@ -3054,7 +3449,7 @@ await serverClient.from('${collection}').remove(id)`}
 ${operation === "find" ? `- Use \`where\` option for filtering (Payload query syntax)
 - Use \`limit\` and \`page\` for pagination
 - Use \`sort\` for sorting (prefix with "-" for descending)
-- React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery
+- ${isPublicCollection ? "React Query hooks: useQuery, useSuspenseQuery, useInfiniteQuery" : "React Query hooks are browser/public only; use ServerClient for this collection"}
 - Cache utilities: invalidateQueries, prefetchQuery, getQueryData, setQueryData` : operation === "create" ? `- Requires ServerClient with secretKey
 - Check required fields
 - TypeScript recommended for type safety` : operation === "update" ? `- Requires ServerClient with secretKey
@@ -3066,7 +3461,7 @@ ${operation === "find" ? `- Use \`where\` option for filtering (Payload query sy
 // src/prompts/order-flow-guide.ts
 import { z as z30 } from "zod";
-var schema32 = {
+var schema33 = {
   scenario: z30.enum([
     "simple-order",
     "cart-checkout",
@@ -3074,7 +3469,7 @@ var schema32 = {
     "fulfillment-tracking"
   ]).describe("Order flow scenario")
 };
-var metadata32 = {
+var metadata33 = {
   name: "order-flow-guide",
   title: "Order Flow Guide",
   description: "Provides step-by-step guidance for ecommerce order flows including creation, checkout, returns, and fulfillment.",
@@ -3260,7 +3655,7 @@ ${SCENARIOS[scenario] || "Unknown scenario."}
 // src/prompts/feature-setup-guide.ts
 import { z as z31 } from "zod";
-var schema33 = {
+var schema34 = {
   feature: z31.enum([
     "ecommerce",
     "customers",
@@ -3276,10 +3671,10 @@ var schema33 = {
     "community"
   ]).describe("Feature to get setup guide for")
 };
-var metadata33 = {
+var metadata34 = {
   name: "feature-setup-guide",
   title: "Feature Setup Guide",
-  description: "Setup checklist and remediation guide for a tenant feature. Load before using get-tenant-context to diagnose setup gaps.",
+  description: "Setup checklist and remediation guide for a tenant feature. Load with check-feature-progress and get-tenant-context to diagnose setup gaps.",
   role: "assistant"
 };
 var FEATURES = {
@@ -3290,7 +3685,7 @@ var FEATURES = {
 ### Required Collections (count > 0)
 1. **products** \u2014 Create via Console UI or SDK \`client.collections.from('products').create({ ... })\`
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 2. **product-variants** \u2014 At least 1 sellable variant per product
    - Minimum fields: \`{ product, title, price, stock }\`
@@ -3309,6 +3704,7 @@ product-options, product-option-values, product-categories, product-tags, produc
 ### Config
 - **Webhook URL** must be configured in tenant settings for payment gateway callbacks
+- Use \`check-feature-progress\` for the tenant-aware ecommerce progress check
 - Use \`get-tenant-context\` to check current webhook configuration`,
   customers: `## Customers Setup Guide
@@ -3323,7 +3719,8 @@ customer-addresses
 ### Optional Collections
-customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('customer-groups').create({ title })\`
+- customer-groups \u2014 Console/server-scoped segmentation for VIP coupons and campaigns. Use \`createServerClient().collections.from('customer-groups')\`.
+- customer-profile-lists \u2014 Public profile display/ranking lists for storefronts. Browser reads may use \`client.collections.from('customer-profile-lists')\`.
 ### Config
@@ -3334,10 +3731,10 @@ customer-groups \u2014 Create via Console UI or SDK \`client.collections.from('c
 ### Required Collections (count > 0)
 1. **articles** \u2014 At least 1 article
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 2. **article-authors** \u2014 At least 1 author
-   - Minimum fields: \`{ title, slug }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
    - Link authors to articles via the \`authors\` relationship field
 ### Optional Collections
@@ -3352,7 +3749,7 @@ article-categories, article-tags`,
 2. **document-types** \u2014 At least 1 type
    - Minimum fields: \`{ title, slug }\`
-   - Link document type via \`documentType\` relationship field
+   - Link document type via \`type\` relationship field
 ### Optional Collections
@@ -3362,10 +3759,10 @@ document-categories`,
 ### Required Collections (count > 0)
 1. **playlists** \u2014 At least 1 playlist
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 2. **tracks** \u2014 At least 1 track
-   - Minimum fields: \`{ title, sourceUrl, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, sourceUrl, status: 'published' }\`
 3. **playlists.tracks** \u2014 Link at least 1 track from a playlist
    - Minimum fields: \`{ tracks: [trackId] }\`
@@ -3378,11 +3775,11 @@ playlist-categories, playlist-tags, track-categories, track-tags, track-assets`,
 ### Required Collections (count > 0)
 1. **galleries** \u2014 At least 1 gallery
-   - Minimum fields: \`{ title, slug, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, status: 'published' }\`
 2. **gallery-items** \u2014 At least 1 item per gallery
    - References \`images\` collection (non-upload)
-   - Minimum fields: \`{ gallery, image, _status: 'published' }\`
+   - Minimum fields: \`{ gallery, image, status: 'published' }\`
 ### Optional Collections
@@ -3392,7 +3789,7 @@ gallery-categories, gallery-tags`,
 ### Required Collections (count > 0)
 1. **links** \u2014 At least 1 link
-   - Minimum fields: \`{ title, slug, url, status: 'published', _status: 'published' }\`
+   - Minimum fields: \`{ title, slug, url, status: 'published' }\`
 ### Optional Collections
@@ -3464,32 +3861,36 @@ comments, reactions, bookmarks, reports, community-bans
 ### Optional Collections
-post-categories`
+post-categories, customer-profile-lists`
 };
-function featureSetupGuide({ feature }) {
+function featureSetupGuide({
+  feature
+}) {
   return `# Feature Setup Guide: ${feature}
 ${FEATURES[feature] || "Unknown feature."}
 ## Related MCP Tools
+- \`check-feature-progress\` \u2014 run the tenant-aware ecommerce implementation progress check
 - \`get-tenant-context\` \u2014 check current collection counts and feature status
 - \`query-collection\` \u2014 verify existing documents in a collection
 - \`get-collection-schema\` \u2014 inspect tenant-aware fields before creating data via SDK or Console UI`;
 }
 // src/resources/(config)/app.ts
-var metadata34 = {
+var metadata35 = {
   name: "app-config",
   title: "Application Config",
   description: "01.software SDK and MCP server configuration information"
 };
-function handler6() {
+function handler7() {
   return `# 01.software MCP Server Configuration
 ## Server Info
 - **Name**: 01.software MCP Server
 - **Version**: 0.1.0
-- **Transport**: HTTP (Streamable)
+- **Hosted transport**: HTTP (Streamable)
+- **Local transport**: stdio through \`npx @01.software/cli mcp\`
 ## Authentication
@@ -3500,48 +3901,16 @@ HTTP MCP uses OAuth discovery and Authorization Code + PKCE.
 url = "https://mcp.01.software/mcp"
 \`\`\`
-## Available Tools (29)
-> Generic write tools (create/update/delete/update-many/delete-many) are intentionally absent. Use the dedicated workflow tools below or the SDK (\`client.collections.from(slug).create()\` / \`update()\` / \`remove()\` / \`updateMany()\` / \`removeMany()\`) for stateful mutations.
-### Generic Read (2)
-- \`query-collection\` - Query collection with filters, pagination, sorting
-- \`get-collection-by-id\` - Get single item by ID
-### Orders (7)
-- \`create-order\` - Create a new order with products and shipping
-- \`get-order\` - Get order details by order number
-- \`update-order\` - Update order status
-- \`checkout\` - Convert cart to order
-- \`create-fulfillment\` - Create fulfillment for order items
-- \`update-fulfillment\` - Update fulfillment status, carrier, and tracking
-- \`update-transaction\` - Update transaction status
-### Returns (3)
-- \`create-return\` - Create a return request
-- \`update-return\` - Update return status
-- \`return-with-refund\` - Process return with refund atomically
+## Hosted HTTP OAuth Tools (9)
-### Cart (6)
-- \`add-cart-item\` - Add item to cart
-- \`update-cart-item\` - Update cart item quantity
-- \`remove-cart-item\` - Remove item from cart
-- \`apply-discount\` - Apply discount code to cart
-- \`remove-discount\` - Remove discount from cart
-- \`clear-cart\` - Remove all items from cart
-### Validation (2)
-- \`validate-discount\` - Validate discount code
-- \`calculate-shipping\` - Calculate shipping fee
-### Product (1)
-- \`stock-check\` - Check product option stock availability
+The hosted HTTP MCP endpoint at https://mcp.01.software/mcp exposes only these OAuth-safe tools:
 ### Schema (1)
 - \`get-collection-schema\` - Get authoritative tenant-aware collection schema
-### Tenant Context (1)
+### Tenant Context (2)
 - \`get-tenant-context\` - Get tenant features, active collections, and field config
+- \`check-feature-progress\` - Check ecommerce implementation progress without mutating tenant data
 ### Field Config (2)
 - \`list-configurable-fields\` - List configurable fields and current hidden state
@@ -3553,6 +3922,16 @@ url = "https://mcp.01.software/mcp"
 - \`sdk-get-auth-setup\` - Get framework-specific auth setup guidance
 - \`sdk-get-collection-pattern\` - Get collection-specific usage patterns
+## Local CLI Stdio Surface (30)
+For trusted local server-key workflows, start the stdio server:
+\`\`\`bash
+npx @01.software/cli mcp
+\`\`\`
+Local stdio can expose generic read, order, return, cart, validation, stock, schema, tenant context, feature progress, field config, and guidance tools. Generic collection write tools (create/update/delete/update-many/delete-many) are intentionally absent on every transport; use the SDK server client for generic writes.
 ## Rate Limits
 Rate limits depend on your tenant plan:
@@ -3564,8 +3943,8 @@ Rate limits depend on your tenant plan:
 }
 // src/resources/(collections)/schema.ts
-import { COLLECTIONS as COLLECTIONS6 } from "@01.software/sdk";
-var metadata35 = {
+import { COLLECTIONS as COLLECTIONS3 } from "@01.software/sdk";
+var metadata36 = {
   name: "collections-schema",
   title: "Collection Schema Info",
   description: "Available collections and their schema information"
@@ -3593,13 +3972,18 @@ var COLLECTIONS_BY_CATEGORY = {
   Customers: [
     "customers",
     "customer-profiles",
-    "customer-addresses",
-    "customer-groups"
+    "customer-profile-lists",
+    "customer-addresses"
   ],
   Carts: ["carts", "cart-items"],
   "Discounts & Promotions": ["discounts", "promotions"],
   Documents: ["documents", "document-categories", "document-types"],
-  Articles: ["articles", "article-authors", "article-categories", "article-tags"],
+  Articles: [
+    "articles",
+    "article-authors",
+    "article-categories",
+    "article-tags"
+  ],
   Community: [
     "posts",
     "comments",
@@ -3618,7 +4002,12 @@ var COLLECTIONS_BY_CATEGORY = {
     "track-categories",
     "track-tags"
   ],
-  Galleries: ["galleries", "gallery-items", "gallery-categories", "gallery-tags"],
+  Galleries: [
+    "galleries",
+    "gallery-items",
+    "gallery-categories",
+    "gallery-tags"
+  ],
   Links: ["links", "link-categories", "link-tags"],
   Canvas: [
     "canvases",
@@ -3641,9 +4030,9 @@ var COLLECTIONS_BY_CATEGORY = {
     "event-tags"
   ]
 };
-function handler7() {
+function handler8() {
   const categoryDocs = Object.entries(COLLECTIONS_BY_CATEGORY).map(([category, collections]) => {
-    const collectionList = collections.filter((c) => COLLECTIONS6.includes(c)).map((c) => `- **${c}**`).join("\n");
+    const collectionList = collections.filter((c) => COLLECTIONS3.includes(c)).map((c) => `- **${c}**`).join("\n");
     return `## ${category}
 ${collectionList}`;
   }).join("\n\n");
@@ -3664,8 +4053,9 @@ Each collection supports the following operations:
 - \`updateMany(where, data)\` - Bulk update items matching filter
 - \`removeMany(where)\` - Bulk delete items matching filter
-Draft-enabled public collections expose only \`_status: 'published'\` rows to
-publishable-key reads unless server-side access explicitly includes drafts.
+Status-managed public collections expose only \`status: 'published'\` rows to
+publishable-key reads unless server-side access explicitly includes
+unpublished statuses.
 ## Query Examples
@@ -3688,16 +4078,16 @@ publishable-key reads unless server-side access explicitly includes drafts.
 }
 \`\`\`
-Total available collections: ${COLLECTIONS6.length}`;
+Total available collections: ${COLLECTIONS3.length}`;
 }
 // src/resources/(docs)/getting-started.ts
-var metadata36 = {
+var metadata37 = {
   name: "docs-getting-started",
   title: "Getting Started",
   description: "01.software SDK getting started guide"
 };
-function handler8() {
+function handler9() {
   return `# Getting Started
 A guide to getting started with the 01.software SDK.
@@ -3731,18 +4121,18 @@ const result = await client.collections.from('products').find({
 ## Next Steps
-- [Quick Start](/docs/getting-started/quick-start) - Get started in 5 minutes
-- [Configuration](/docs/getting-started/configuration) - Detailed configuration options
-- [API Reference](/docs/api) - Full API documentation`;
+- [SDK Guide](/developers/sdk) - Install and query workspace content
+- [Authentication & Keys](/developers/authentication) - Choose the right key for each surface
+- [API](/developers/api) - Use the HTTP API when SDKs are not a fit`;
 }
 // src/resources/(docs)/guides.ts
-var metadata37 = {
+var metadata38 = {
   name: "docs-guides",
   title: "Guides",
   description: "01.software SDK usage guides"
 };
-function handler9() {
+function handler10() {
   return `# Guides
 Comprehensive guides to master the 01.software SDK.
@@ -3944,16 +4334,16 @@ Payload query syntax operators:
 For ecommerce collections, \`products.listing.*\` is the browse/search projection. Authoritative sellable price and stock remain on \`product-variants\`.
-For more detailed guides, see the [Guides page](/docs/guides).`;
+For more implementation guidance, see the [SDK Guide](/developers/sdk).`;
 }
 // src/resources/(docs)/api.ts
-var metadata38 = {
+var metadata39 = {
   name: "docs-api",
   title: "API Reference",
   description: "01.software SDK API reference documentation"
 };
-function handler10() {
+function handler11() {
   return `# API Reference
 Comprehensive documentation for all methods and types in the 01.software SDK.
@@ -4230,16 +4620,16 @@ client.customer.isAuthenticated()  // Check auth status
 client.customer.logout()           // Clear token
 \`\`\`
-For more details, see the [full API documentation](/docs/api).`;
+For more details, see the [API documentation](/developers/api).`;
 }
 // src/resources/(docs)/query-builder.ts
-var metadata39 = {
+var metadata40 = {
   name: "docs-query-builder",
   title: "Query Builder",
   description: "01.software SDK Query Builder API reference (client.collections.from)"
 };
-function handler11() {
+function handler12() {
   return `# Query Builder API
 The Query Builder provides a fluent interface for querying collections via \`client.collections.from(collection)\`.
@@ -4428,12 +4818,12 @@ console.log(result.hasNextPage) // true
 }
 // src/resources/(docs)/react-query.ts
-var metadata40 = {
+var metadata41 = {
   name: "docs-react-query",
   title: "React Query Hooks",
   description: "01.software SDK React Query hooks reference (client.query)"
 };
-function handler12() {
+function handler13() {
   return `# React Query Hooks
 React Query hooks are available on the browser-side \`Client\` via \`client.query\`. They provide automatic caching, background refetching, and cache invalidation.
@@ -4676,12 +5066,12 @@ export function ProductList() {
 }
 // src/resources/(docs)/server-api.ts
-var metadata41 = {
+var metadata42 = {
   name: "docs-server-api",
   title: "Server-side API",
   description: "01.software SDK server-side API reference (client.commerce) for orders, fulfillments, returns, carts, and validation"
 };
-function handler13() {
+function handler14() {
   return `# Server-side API
 Server-side operations are available via \`client.commerce\` on \`ServerClient\`. Use \`createServerClient\` with both \`publishableKey\` and \`secretKey\`.
@@ -4938,12 +5328,12 @@ const result = await client.commerce.shipping.calculate({
 }
 // src/resources/(docs)/customer-auth.ts
-var metadata42 = {
+var metadata43 = {
   name: "docs-customer-auth",
   title: "Customer Auth API",
   description: "01.software SDK Customer Auth API reference (client.customer)"
 };
-function handler14() {
+function handler15() {
   return `# Customer Auth API
 Customer authentication and profile management is available via \`client.customer\` on the browser-side \`Client\`.
@@ -5116,12 +5506,12 @@ async function loadProfile() {
 }
 // src/resources/(docs)/browser-vs-server.ts
-var metadata43 = {
+var metadata44 = {
   name: "docs-browser-vs-server",
   title: "Client vs ServerClient",
   description: "When to use Client (createClient) vs ServerClient (createServerClient) in the 01.software SDK"
 };
-function handler15() {
+function handler16() {
   return `# Client vs ServerClient
 The SDK provides two client types for different execution environments.
@@ -5275,12 +5665,12 @@ export function ProductList() {
 }
 // src/resources/(docs)/file-upload.ts
-var metadata44 = {
+var metadata45 = {
   name: "docs-file-upload",
   title: "File Upload",
   description: "01.software SDK file upload patterns using the images collection"
 };
-function handler16() {
+function handler17() {
   return `# File Upload
 Upload files using the \`images\` collection (tenant-scoped, unified image store) or \`system-media\` (global, non-tenant).
@@ -5426,12 +5816,12 @@ The platform stores files in Cloudflare R2 and serves via CDN (\`cdn.01.software
 }
 // src/resources/(docs)/webhook.ts
-var metadata45 = {
+var metadata46 = {
   name: "docs-webhook",
   title: "Webhooks",
   description: "01.software SDK webhook verification and event handling"
 };
-function handler17() {
+function handler18() {
   return `# Webhooks
 The platform dispatches HMAC-SHA256 signed webhook events to your registered URLs. Tenant developers own routing inside their webhook handler.
@@ -5541,7 +5931,7 @@ Configure webhook URLs in the 01.software console under Tenant Settings > Webhoo
 // src/server.ts
 var REGISTERED_TOOLS_BY_SERVER = /* @__PURE__ */ new WeakMap();
-function registerTool(server, schema34, meta, handler19) {
+function registerTool(server, schema35, meta, handler20) {
   let registered = REGISTERED_TOOLS_BY_SERVER.get(server);
   if (!registered) {
     registered = /* @__PURE__ */ new Set();
@@ -5552,7 +5942,7 @@ function registerTool(server, schema34, meta, handler19) {
     meta.name,
     {
       description: meta.description,
-      inputSchema: schema34,
+      inputSchema: schema35,
       annotations: meta.annotations
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -5576,31 +5966,48 @@ function registerTool(server, schema34, meta, handler19) {
           };
         }
       }
-      const result = await handler19(params);
-      return { content: [{ type: "text", text: result }] };
+      const activeSummary = currentMcpTelemetrySummary();
+      const ownSummary = activeSummary || hasRequestContext() ? null : createMcpTelemetrySummary("stdio");
+      const summary = activeSummary ?? ownSummary;
+      let result = null;
+      try {
+        result = await handler20(params);
+        return { content: [{ type: "text", text: result }] };
+      } finally {
+        if (summary) {
+          recordMcpToolResult({
+            resultText: result,
+            summary,
+            toolName: meta.name
+          });
+        }
+        if (ownSummary) {
+          void flushMcpTelemetrySummary(ownSummary);
+        }
+      }
     }
   );
 }
-function registerPrompt(server, schema34, meta, handler19) {
+function registerPrompt(server, schema35, meta, handler20) {
   server.registerPrompt(
     meta.name,
     {
       title: meta.title,
       description: meta.description,
-      argsSchema: schema34
+      argsSchema: schema35
     },
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     (params) => ({
       messages: [
         {
           role: meta.role ?? "assistant",
-          content: { type: "text", text: handler19(params) }
+          content: { type: "text", text: handler20(params) }
         }
       ]
     })
   );
 }
-function registerStaticResource(server, uri, meta, handler19) {
+function registerStaticResource(server, uri, meta, handler20) {
   server.registerResource(
     meta.name,
     uri,
@@ -5610,7 +6017,7 @@ function registerStaticResource(server, uri, meta, handler19) {
       mimeType: meta.mimeType ?? "text/plain"
     },
     async (url) => ({
-      contents: [{ uri: url.href, text: handler19() }]
+      contents: [{ uri: url.href, text: handler20() }]
     })
   );
 }
@@ -5621,52 +6028,238 @@ function createServer(options = {}) {
     version: "0.1.0"
   });
   if (toolSurface === "full") {
-    registerTool(server, schema, metadata, queryCollection);
-    registerTool(server, schema2, metadata2, getCollectionById);
+    registerTool(
+      server,
+      schema,
+      metadata,
+      queryCollection
+    );
+    registerTool(
+      server,
+      schema2,
+      metadata2,
+      getCollectionById
+    );
     registerTool(server, schema3, metadata3, getOrder);
     registerTool(server, schema4, metadata4, createOrder);
     registerTool(server, schema5, metadata5, updateOrder);
     registerTool(server, schema6, metadata6, checkout);
-    registerTool(server, schema7, metadata7, createFulfillment);
-    registerTool(server, schema8, metadata8, updateFulfillment);
-    registerTool(server, schema9, metadata9, updateTransaction);
-    registerTool(server, schema10, metadata10, createReturn);
-    registerTool(server, schema11, metadata11, updateReturn);
-    registerTool(server, schema12, metadata12, returnWithRefund);
+    registerTool(
+      server,
+      schema7,
+      metadata7,
+      createFulfillment
+    );
+    registerTool(
+      server,
+      schema8,
+      metadata8,
+      updateFulfillment
+    );
+    registerTool(
+      server,
+      schema9,
+      metadata9,
+      updateTransaction
+    );
+    registerTool(
+      server,
+      schema10,
+      metadata10,
+      createReturn
+    );
+    registerTool(
+      server,
+      schema11,
+      metadata11,
+      updateReturn
+    );
+    registerTool(
+      server,
+      schema12,
+      metadata12,
+      returnWithRefund
+    );
     registerTool(server, schema13, metadata13, addCartItem);
-    registerTool(server, schema14, metadata14, updateCartItem);
-    registerTool(server, schema15, metadata15, removeCartItem);
-    registerTool(server, schema16, metadata16, applyDiscount);
-    registerTool(server, schema17, metadata17, removeDiscount);
+    registerTool(
+      server,
+      schema14,
+      metadata14,
+      updateCartItem
+    );
+    registerTool(
+      server,
+      schema15,
+      metadata15,
+      removeCartItem
+    );
+    registerTool(
+      server,
+      schema16,
+      metadata16,
+      applyDiscount
+    );
+    registerTool(
+      server,
+      schema17,
+      metadata17,
+      removeDiscount
+    );
     registerTool(server, schema18, metadata18, clearCart);
-    registerTool(server, schema19, metadata19, validateDiscount);
-    registerTool(server, schema20, metadata20, calculateShipping);
+    registerTool(
+      server,
+      schema19,
+      metadata19,
+      validateDiscount
+    );
+    registerTool(
+      server,
+      schema20,
+      metadata20,
+      calculateShipping
+    );
     registerTool(server, schema21, metadata21, stockCheck);
   }
-  registerTool(server, schema22, metadata22, getCollectionSchemaTool);
-  registerTool(server, schema23, metadata23, handler);
-  registerTool(server, schema24, metadata24, listConfigurableFields);
-  registerTool(server, schema25, metadata25, updateFieldConfig);
-  registerTool(server, schema26, metadata26, handler2);
-  registerTool(server, schema27, metadata27, handler3);
-  registerTool(server, schema28, metadata28, handler4);
-  registerTool(server, schema29, metadata29, handler5);
-  registerPrompt(server, schema30, metadata30, sdkUsageGuide);
-  registerPrompt(server, schema31, metadata31, collectionQueryHelp);
-  registerPrompt(server, schema32, metadata32, orderFlowGuide);
-  registerPrompt(server, schema33, metadata33, featureSetupGuide);
-  registerStaticResource(server, "config://app", metadata34, handler6);
-  registerStaticResource(server, "collections://schema", metadata35, handler7);
-  registerStaticResource(server, "docs://sdk/getting-started", metadata36, handler8);
-  registerStaticResource(server, "docs://sdk/guides", metadata37, handler9);
-  registerStaticResource(server, "docs://sdk/api", metadata38, handler10);
-  registerStaticResource(server, "docs://sdk/query-builder", metadata39, handler11);
-  registerStaticResource(server, "docs://sdk/react-query", metadata40, handler12);
-  registerStaticResource(server, "docs://sdk/server-api", metadata41, handler13);
-  registerStaticResource(server, "docs://sdk/customer-auth", metadata42, handler14);
-  registerStaticResource(server, "docs://sdk/browser-vs-server", metadata43, handler15);
-  registerStaticResource(server, "docs://sdk/file-upload", metadata44, handler16);
-  registerStaticResource(server, "docs://sdk/webhook", metadata45, handler17);
+  registerTool(
+    server,
+    schema22,
+    metadata22,
+    getCollectionSchemaTool
+  );
+  registerTool(
+    server,
+    schema23,
+    metadata23,
+    handler
+  );
+  registerTool(
+    server,
+    schema24,
+    metadata24,
+    handler2
+  );
+  registerTool(
+    server,
+    schema25,
+    metadata25,
+    listConfigurableFields
+  );
+  registerTool(
+    server,
+    schema26,
+    metadata26,
+    updateFieldConfig
+  );
+  registerTool(
+    server,
+    schema27,
+    metadata27,
+    handler3
+  );
+  registerTool(
+    server,
+    schema28,
+    metadata28,
+    handler4
+  );
+  registerTool(
+    server,
+    schema29,
+    metadata29,
+    handler5
+  );
+  registerTool(
+    server,
+    schema30,
+    metadata30,
+    handler6
+  );
+  registerPrompt(
+    server,
+    schema31,
+    metadata31,
+    sdkUsageGuide
+  );
+  registerPrompt(
+    server,
+    schema32,
+    metadata32,
+    collectionQueryHelp
+  );
+  registerPrompt(
+    server,
+    schema33,
+    metadata33,
+    orderFlowGuide
+  );
+  registerPrompt(
+    server,
+    schema34,
+    metadata34,
+    featureSetupGuide
+  );
+  registerStaticResource(
+    server,
+    "config://app",
+    metadata35,
+    handler7
+  );
+  registerStaticResource(
+    server,
+    "collections://schema",
+    metadata36,
+    handler8
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/getting-started",
+    metadata37,
+    handler9
+  );
+  registerStaticResource(server, "docs://sdk/guides", metadata38, handler10);
+  registerStaticResource(server, "docs://sdk/api", metadata39, handler11);
+  registerStaticResource(
+    server,
+    "docs://sdk/query-builder",
+    metadata40,
+    handler12
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/react-query",
+    metadata41,
+    handler13
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/server-api",
+    metadata42,
+    handler14
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/customer-auth",
+    metadata43,
+    handler15
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/browser-vs-server",
+    metadata44,
+    handler16
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/file-upload",
+    metadata45,
+    handler17
+  );
+  registerStaticResource(
+    server,
+    "docs://sdk/webhook",
+    metadata46,
+    handler18
+  );
   return server;
 }
@@ -5871,7 +6464,10 @@ function setCors(res) {
     "Access-Control-Allow-Headers",
     "Authorization, Content-Type, mcp-session-id"
   );
-  res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id, Mcp-Protocol-Version");
+  res.setHeader(
+    "Access-Control-Expose-Headers",
+    "Mcp-Session-Id, Mcp-Protocol-Version"
+  );
 }
 function getHeaderValue(headers, name) {
   const value = headers[name.toLowerCase()];
@@ -5951,7 +6547,7 @@ HTTP OAuth Tools
 ----------------
 Schema       get-collection-schema
-Context      get-tenant-context
+Context      get-tenant-context, check-feature-progress
 Field Config list-configurable-fields, update-field-config
 Guidance     sdk-get-recipe, sdk-search-docs, sdk-get-auth-setup, sdk-get-collection-pattern
@@ -5970,9 +6566,9 @@ Resources (12): config, collections-schema, getting-started, guides, api, query-
 Links
 -----
-Docs            https://01.software/docs/integrations/mcp
-SDK             https://01.software/docs/sdk/client
-API Reference   https://01.software/docs/api/rest-api
+Integrations    https://docs.01.software/integrations
+Readiness       https://docs.01.software/readiness
+OpenAPI         https://docs.01.software/api/openapi
 Console         https://console.01.software
 `;
 var PROTECTED_RESOURCE_METADATA = JSON.stringify({
@@ -5980,15 +6576,26 @@ var PROTECTED_RESOURCE_METADATA = JSON.stringify({
   authorization_servers: [MCP_OAUTH_ISSUER],
   scopes_supported: [MCP_SCOPES.read, MCP_SCOPES.write]
 });
+var PROTECTED_RESOURCE_METADATA_URL = new URL(
+  MCP_PROTECTED_RESOURCE_METADATA_PATH,
+  MCP_RESOURCE_AUDIENCE
+).toString();
 var SERVICE_JWKS_PATH = "/.well-known/service-jwks.json";
 function writeOAuthError(res, status, error, description) {
   res.writeHead(status, {
     "Content-Type": "application/json",
-    "WWW-Authenticate": `Bearer resource_metadata="${MCP_PROTECTED_RESOURCE_METADATA_PATH}", error="${error}", error_description="${description}"`
+    "WWW-Authenticate": `Bearer resource_metadata="${PROTECTED_RESOURCE_METADATA_URL}", error="${error}", error_description="${description}"`
   });
   res.end(JSON.stringify({ error, error_description: description }));
 }
-async function handler18(req, res) {
+function acceptsEventStream(req) {
+  const accept = getHeaderValue(req.headers, "accept");
+  if (!accept) return false;
+  return accept.split(",").some(
+    (entry) => entry.trim().split(";")[0]?.toLowerCase() === "text/event-stream"
+  );
+}
+async function handler19(req, res) {
   setCors(res);
   if (req.method === "OPTIONS") {
     res.writeHead(204);
@@ -6020,6 +6627,11 @@ async function handler18(req, res) {
       }
       return;
     }
+    if (acceptsEventStream(req)) {
+      res.writeHead(405, { "Content-Type": "application/json" });
+      res.end(METHOD_NOT_ALLOWED);
+      return;
+    }
     res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
     res.end(HOME_PAGE);
     return;
@@ -6033,7 +6645,12 @@ async function handler18(req, res) {
     getHeaderValue(req.headers, "authorization")
   );
   if (!auth.valid) {
-    writeOAuthError(res, auth.error === "insufficient_scope" ? 403 : 401, auth.error, auth.errorDescription);
+    writeOAuthError(
+      res,
+      auth.error === "insufficient_scope" ? 403 : 401,
+      auth.error,
+      auth.errorDescription
+    );
     return;
   }
   const server = createServer({ toolSurface: "oauth" });
@@ -6056,14 +6673,19 @@ async function handler18(req, res) {
     if (typeof value === "string") headers.set(key, value);
     else if (Array.isArray(value)) headers.set(key, value.join(", "));
   }
+  const telemetrySummary = createMcpTelemetrySummary("http");
   await requestContext.run({ headers, auth: auth.context }, async () => {
     try {
-      const body = req.body ?? JSON.parse(await readBody(req));
-      await transport.handleRequest(req, res, body);
+      await runWithMcpTelemetry(telemetrySummary, async () => {
+        const body = req.body ?? JSON.parse(await readBody(req));
+        await transport.handleRequest(req, res, body);
+      });
     } catch (err) {
       writeRequestError(res, err);
     } finally {
+      telemetrySummary.durationMs = Date.now() - telemetrySummary.startedAtMs;
       await close();
+      await flushMcpTelemetrySummary(telemetrySummary);
     }
   });
 }
@@ -6083,5 +6705,5 @@ function writeRequestError(res, err) {
   res.end(JSON.stringify({ error: "Internal server error" }));
 }
 export {
-  handler18 as default
+  handler19 as default
 };