@enfyra/mcp-server 0.0.59 → 0.0.61

package/README.md

@@ -215,7 +215,7 @@ When an LLM builds a Nuxt, Next, or other SSR frontend for Enfyra, follow the sa
 
 ## Tools (summary)
 
-Metadata, examples, query/CRUD, route/handler/hook, tables/columns, reload cache, logs, user/roles, login, menu/extension, `get_enfyra_api_context`. For full tool list and behavior, see the app after enabling MCP or the source in `src/mcp-server-entry.mjs`.
+Metadata, examples, query/CRUD, method management, route/handler/hook, tables/columns, reload cache, logs, user/roles, login, menu/extension, `get_enfyra_api_context`. For full tool list and behavior, see the app after enabling MCP or the source in `src/mcp-server-entry.mjs`.
 
 Use `get_enfyra_examples` when asking an LLM to generate concrete Enfyra implementation patterns. It returns categorized examples for SSR app auth/OAuth/proxy setup, schema/relations, queries/deep, handlers/hooks, permissions/RLS, websocket, flows, files, and extensions.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enfyra/mcp-server",
-  "version": "0.0.59",
+  "version": "0.0.61",
   "description": "MCP server for Enfyra - manage your Enfyra instance via Claude Code",
   "type": "module",
   "license": "MIT",

package/src/lib/mcp-examples.js

@@ -497,11 +497,11 @@ return @DATA\`
   tableName: "route_definition",
   id: "<route_id>",
   data: {
-    publishedMethods: [{ id: 1 }]
+    publishedMethods: [{ id: "<GET_method_id_from_list_methods>" }]
   }
 })`,
         notes: [
-          'Method id 1 is GET. Use method_definition if you need to confirm method ids.',
+          'Method ids are instance data. Use list_methods or inspect_route output to resolve the GET method id first.',
           'publishedMethods controls anonymous route access. Route permissions are not for public access.',
           'Route permissions apply when the method is not public.',
         ],
@@ -785,6 +785,29 @@ return {
     title: 'Dynamic app extensions and menus',
     useWhen: 'Use when adding custom UI pages to the Enfyra app.',
     examples: [
+      {
+        name: 'Create or update HTTP method colors',
+        code: `list_methods()
+
+create_method({
+  method: "PUT",
+  buttonColor: "#e0e7ff",
+  textColor: "#4338ca"
+})
+
+update_method({
+  method: "PATCH",
+  buttonColor: "#fef3c7",
+  textColor: "#b45309"
+})`,
+        notes: [
+          'Use dedicated method tools instead of generic CRUD on method_definition.',
+          'The backend stores the method label in method_definition.name; do not send or filter a method_definition.method field.',
+          'buttonColor is the badge background and textColor is the badge text color.',
+          'The eApp management UI is /settings/methods.',
+          'delete_method is preview-first and should only be used for unused custom methods.',
+        ],
+      },
       {
         name: 'Create menu then extension',
         code: `create_menu({

package/src/lib/mcp-instructions.js

@@ -114,9 +114,10 @@ export function buildMcpServerInstructions(apiBaseUrl) {
 '- **mainTable warning:** do not set `mainTable` on custom routes. It is reserved for canonical table routes only.',
 '  - **Many-to-one:** `"someRelation": {"id": 4}` (single object with id)',
 '  - **One-to-many / many-to-many:** `"publishedMethods": [{"id": 1}, {"id": 2}]` (array of objects with id)',
-'- **Method IDs** (for REST route publishedMethods, availableMethods, skipRoleGuardMethods): GET=1, POST=2, PATCH=3, DELETE=4. Query `method_definition` table if unsure.',
+'- **Method IDs** are instance data, not a stable contract. Query `method_definition` or use method names through MCP route helpers before setting `publishedMethods`, `availableMethods`, `skipRoleGuardMethods`, hook methods, handler methods, or route permissions. Default CRUD records are `GET`, `POST`, `PATCH`, and `DELETE`; create extra records such as `PUT` through method tools when a route needs them.',
+'- `method_definition.name` is the unique backend field for the HTTP method label. Do not filter, create, or update a `method_definition.method` field. MCP method tools accept an input named `method` for usability, but they write/read `name` on the server.',
 '- **Wrong:** `"publishedMethods": ["GET"]` or `"publishedMethods": [{"method": "GET"}]` — rejected or silently ignored.',
-'- **Right:** `"publishedMethods": [{"id": 1}]` (publishes GET). Multiple: `[{"id": 1}, {"id": 2}]` (publishes GET + POST).',
+'- **Right:** first query method records, then pass their ids, for example `"publishedMethods": [{"id": <GET_METHOD_ID>}]`. Multiple methods use multiple id objects.',
 '- **To unset:** pass empty array `"publishedMethods": []`.',
 '',
 '### Dynamic script `$repos` mutation return shape',
@@ -298,6 +299,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Operational list data loading:** do not use arbitrary fixed limits such as `limit=50` as the whole data strategy for admin pages. Use pagination, expose result count when the API supports `meta=filterCount`, and add search/filter controls for natural lookup keys such as id, name, slug, status, email, or external reference.',
     '- **ESV aggregate contract:** aggregate query must be an object keyed by a real field or relation, for example `aggregate: { id: { count: true }, status: { count: { _eq: "failed" } }, amount: { sum: true } }`. Results are returned in `response.meta.aggregate`. Time windows and cross-field conditions belong in top-level `filter`, not inside a field aggregate condition. Field aggregate conditions only support operators on that same field; relation aggregates use `countRecords`.',
     '- **Aggregate numeric rule:** `sum` and `avg` require a numeric field in ESV. Do not aggregate money stored as varchar/text. Use a numeric money field such as `amount_usd` with type `float`, `amount_cents`, or `amount` for revenue stats, or build a dedicated stats route that normalizes legacy values explicitly. If metadata says `float` but SQL aggregate still fails with `sum(character varying)`, the Enfyra Server physical schema is stale or missing the SQL float DDL mapping and must be redeployed/healed before relying on aggregate.',
+    '- **Snapshot migrations:** backend metadata/physical schema renames belong in `data/snapshot-migration.json` via table-driven `columnsToModify` entries. The server migration/self-heal path should read table name plus `oldName`/`newName` dynamically; do not hard-code one-off table repairs when the snapshot migration contract can express the change.',
     '- **Partial reload default:** ESV/ASV automatically triggers partial reloads for metadata, routes, menus, extensions, flows, handlers, and related caches after successful writes. Do not reflexively call `/admin/reload`, `/admin/reload/metadata`, or `/admin/reload/routes` after each change. Verify naturally first; use manual reload only when verification shows stale behavior, a reload event failed, or a concrete error indicates the partial reload did not apply.',
     '- **Menu/extension realtime reload contract:** `menu_definition` and `extension_definition` writes are runtime UI changes, not plain CRUD. The server cache orchestrator must emit `$system:reload` through the admin Socket.IO channel with identifiers that eApp handles; eApp must refetch menus/rebuild the menu registry for menu reloads and invalidate dynamic extension caches for extension reloads. Menu reloads can change route-to-extension mapping, so they should also invalidate extension cache. If an open admin tab does not reflect menu/extension changes, debug this two-sided reload contract before telling the user to refresh.',
     '- **Dashboard stats:** time range buttons must change the query filter and reload stats. Dashboards should summarize actionable errors and high-level activity; successful/no-error background runs usually do not need a standalone page unless there is a real workflow to manage.',
@@ -306,6 +308,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Do not misuse PageHeader stats:** `PageHeader.stats` renders prominent stat cards inside the shell header. Do not put normal operational KPIs, capacity totals, billing totals, or detail metrics there by default; keep those as body cards/tables where the operator can scan them with the page content. Only use PageHeader stats for a deliberately compact overview page where the stats are truly header-level context.',
     '- **Page actions belong in registries:** Move page-level buttons into `useHeaderActionRegistry` or `useSubHeaderActionRegistry`; keep the extension body for operational content only. Sensitive registry actions must include a `permission` condition, for example `{ id: "create", label: "Create report", permission: { and: [{ route: "/report_definition", methods: ["POST"] }] }, onClick }`.',
     '- **Header action button variants:** choose the button variant by intent. Use `color: "primary", variant: "solid"` for the main page action. Use `color: "neutral", variant: "ghost"` for back/navigation actions and `color: "neutral", variant: "outline"` for visible secondary actions. `variant: "soft"` is only for low-emphasis secondary/chrome actions; do not use soft for critical or primary header actions just because it looks acceptable in dark mode.',
+    '- **HTTP method management:** use the dedicated MCP tools `list_methods`, `create_method`, `update_method`, and preview-first `delete_method` for `method_definition`. The backend field is `method_definition.name`, unique per method; do not send `method_definition.method`. The eApp UI for the same records is `/settings/methods`. Method color fields are `buttonColor` for badge background and `textColor` for badge text, both full hex colors. Do not use generic `create_record` on `method_definition` unless the dedicated tool is unavailable.',
     '- **Extension navigation:** prefer `NuxtLink` or Nuxt UI components with `:to` for visible navigation links and drill-down cards/buttons. Use `navigateTo(...)` only for imperative navigation after submit, confirm, mutation, or another side effect.',
     '- **Extension runtime scope:** eApp exposes Vue APIs and injected Nuxt/Enfyra composables both to script global scope and Vue app `globalProperties`. Template expressions may call injected helpers directly, for example after a save handler can call `navigateTo("/data/report_definition")`, because Vue compiles template helpers to `_ctx.*`.',
     '- **Extension CSS affects shell utility ordering:** dynamic extension CSS is injected after the app shell CSS. Shell/page-header code must not put conflicting plain Tailwind utilities on the same element, such as `flex-col` plus `flex-row`, `items-start` plus `items-center`, or `text-left` plus `text-center`. Choose one mutually exclusive class per state; otherwise extension CSS can change which utility wins and shift shell layout.',

package/src/mcp-server-entry.mjs

@@ -34,7 +34,7 @@ const CAPABILITY_AREAS = [
   {
     area: 'Dynamic REST API',
     tables: ['route_definition', 'route_handler_definition', 'pre_hook_definition', 'post_hook_definition', 'route_permission_definition', 'method_definition'],
-    workflow: 'Create custom paths with create_route without mainTableId, then add handlers/hooks. mainTableId is only for canonical table routes like /table_name. REST methods are GET/POST/PATCH/DELETE.',
+    workflow: 'Create custom paths with create_route without mainTableId, then add handlers/hooks. mainTableId is only for canonical table routes like /table_name. Query method_definition before assigning route methods.',
   },
   {
     area: 'Auth, roles, sessions, OAuth',
@@ -197,8 +197,8 @@ function summarizeRoutes(routesResult) {
     id: route.id ?? route._id,
     path: route.path,
     mainTable: route.mainTable?.name || route.mainTableName || null,
-    availableMethods: (route.availableMethods || []).map((method) => method.method).filter(Boolean),
-    publishedMethods: (route.publishedMethods || []).map((method) => method.method).filter(Boolean),
+    availableMethods: (route.availableMethods || []).map((method) => method.name).filter(Boolean),
+    publishedMethods: (route.publishedMethods || []).map((method) => method.name).filter(Boolean),
     isEnabled: route.isEnabled,
   }));
 }
@@ -356,6 +356,31 @@ function appendQuery(path, queryParams) {
   return `${path}${path.includes('?') ? '&' : '?'}${queryParams}`;
 }
 
+const METHOD_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+const HEX_COLOR_RE = /^#[0-9a-fA-F]{6}$/;
+
+function normalizeMethodNameInput(method) {
+  const value = String(method || '').trim().toUpperCase();
+  if (!METHOD_NAME_RE.test(value)) {
+    throw new Error('Method must start with A-Z and contain only uppercase letters, numbers, or underscore.');
+  }
+  return value;
+}
+
+function normalizeHexColorInput(value, fieldName) {
+  const color = String(value || '').trim().toLowerCase();
+  if (!HEX_COLOR_RE.test(color)) {
+    throw new Error(`${fieldName} must be a full hex color such as #1d4ed8.`);
+  }
+  return color;
+}
+
+async function findMethodRecordByName(method) {
+  const filter = encodeURIComponent(JSON.stringify({ name: { _eq: method } }));
+  const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,name,buttonColor,textColor,isSystem`);
+  return unwrapData(result)[0] || null;
+}
+
 // Create MCP server — `instructions` is sent to the host (e.g. Claude Code) for the LLM; not README
 const server = new McpServer(
   {
@@ -451,7 +476,7 @@ server.tool(
         routes: routes.length,
         methods: methodsResult?.data?.length || 0,
       },
-      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, method: method.method })),
+      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, name: method.name, method: method.name })),
       capabilityAreas: CAPABILITY_AREAS.map((item) => ({
         ...item,
         presentTables: item.tables.filter((table) => tableNames.includes(table)),
@@ -554,7 +579,7 @@ server.tool(
         storageConfigs: storageResult?.data?.length || 0,
         settings: settingsResult?.data?.length || 0,
       },
-      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, method: method.method })),
+      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, name: method.name, method: method.name })),
       routeRuntime: {
         routePattern: 'GET/POST /<route-path>; PATCH/DELETE /<route-path>/:id; no dynamic GET /<route-path>/:id.',
         adminRoutes: adminRoutes.map((route) => route.path).sort(),
@@ -1020,6 +1045,157 @@ server.tool('delete_record', 'Delete a record by ID', {
   }, null, 2) }] };
 });
 
+server.tool(
+  'list_methods',
+  'List method_definition records with their UI colors. Use this before creating route methods or method-colored UI.',
+  {},
+  async () => {
+    const result = await fetchAPI(ENFYRA_API_URL, '/method_definition?fields=id,_id,name,buttonColor,textColor,isSystem&sort=name&limit=0');
+    const methods = unwrapData(result).map((method) => ({
+      id: getId(method),
+      name: method.name,
+      method: method.name,
+      buttonColor: method.buttonColor,
+      textColor: method.textColor,
+      isSystem: method.isSystem === true,
+    }));
+    return { content: [{ type: 'text', text: JSON.stringify({
+      tableName: 'method_definition',
+      methods,
+      appUi: '/settings/methods',
+    }, null, 2) }] };
+  },
+);
+
+server.tool(
+  'create_method',
+  'Create a method_definition record with app badge colors. Prefer this over generic create_record for method_definition.',
+  {
+    method: z.string().describe('Uppercase method name, e.g. GET, POST, PUT, CUSTOM_METHOD. Must start with A-Z and contain only A-Z, 0-9, or underscore.'),
+    buttonColor: z.string().describe('Badge background color as full hex, e.g. #dbeafe.'),
+    textColor: z.string().describe('Badge text color as full hex, e.g. #1d4ed8.'),
+    isSystem: z.boolean().optional().default(false).describe('Set true only for built-in/runtime-owned methods. Normal app methods should leave this false.'),
+  },
+  async ({ method, buttonColor, textColor, isSystem }) => {
+    const normalizedMethod = normalizeMethodNameInput(method);
+    const existing = await findMethodRecordByName(normalizedMethod);
+    if (existing) {
+      throw new Error(`Method ${normalizedMethod} already exists with id ${getId(existing)}. Use update_method to change colors.`);
+    }
+    const body = {
+      name: normalizedMethod,
+      buttonColor: normalizeHexColorInput(buttonColor, 'buttonColor'),
+      textColor: normalizeHexColorInput(textColor, 'textColor'),
+      isSystem: isSystem === true,
+    };
+    const result = await fetchAPI(ENFYRA_API_URL, '/method_definition', {
+      method: 'POST',
+      body: JSON.stringify(body),
+    });
+    _methodMap = null;
+    return { content: [{ type: 'text', text: JSON.stringify({
+      ...summarizeMutationResult(result, 'created', 'method_definition'),
+      name: normalizedMethod,
+      method: normalizedMethod,
+      appUi: '/settings/methods',
+    }, null, 2) }] };
+  },
+);
+
+server.tool(
+  'update_method',
+  'Update a method_definition record color pair, and optionally rename non-system methods. Prefer this over generic update_record for method_definition.',
+  {
+    id: z.string().optional().describe('Method record id. If omitted, method is used to find the record.'),
+    method: z.string().optional().describe('Existing method name to find, or new name when id is provided.'),
+    buttonColor: z.string().optional().describe('Badge background color as full hex, e.g. #dbeafe.'),
+    textColor: z.string().optional().describe('Badge text color as full hex, e.g. #1d4ed8.'),
+  },
+  async ({ id, method, buttonColor, textColor }) => {
+    let targetId = id;
+    let existing = null;
+    if (!targetId) {
+      if (!method) throw new Error('Provide id or method.');
+      const normalizedMethod = normalizeMethodNameInput(method);
+      existing = await findMethodRecordByName(normalizedMethod);
+      if (!existing) throw new Error(`Method ${normalizedMethod} was not found.`);
+      targetId = getId(existing);
+    }
+
+    const body = {};
+    if (buttonColor !== undefined) {
+      body.buttonColor = normalizeHexColorInput(buttonColor, 'buttonColor');
+    }
+    if (textColor !== undefined) {
+      body.textColor = normalizeHexColorInput(textColor, 'textColor');
+    }
+    if (method !== undefined && id) {
+      body.name = normalizeMethodNameInput(method);
+    }
+    if (Object.keys(body).length === 0) {
+      throw new Error('Provide buttonColor, textColor, or a new method name.');
+    }
+
+    const result = await fetchAPI(ENFYRA_API_URL, `/method_definition/${encodeURIComponent(String(targetId))}`, {
+      method: 'PATCH',
+      body: JSON.stringify(body),
+    });
+    _methodMap = null;
+    return { content: [{ type: 'text', text: JSON.stringify({
+      ...summarizeMutationResult(result, 'updated', 'method_definition'),
+      id: targetId,
+      appUi: '/settings/methods',
+    }, null, 2) }] };
+  },
+);
+
+server.tool(
+  'delete_method',
+  'Preview or delete a method_definition record. Only delete unused custom methods; system/default methods should be kept.',
+  {
+    id: z.string().optional().describe('Method record id. If omitted, method is used to find the record.'),
+    method: z.string().optional().describe('Method name to find when id is omitted.'),
+    confirm: z.boolean().optional().default(false).describe('Required true to apply the destructive delete. Omit/false returns a preview only.'),
+  },
+  async ({ id, method, confirm }) => {
+    let targetId = id;
+    let target = null;
+    if (!targetId) {
+      if (!method) throw new Error('Provide id or method.');
+      target = await findMethodRecordByName(normalizeMethodNameInput(method));
+      if (!target) throw new Error(`Method ${method} was not found.`);
+      targetId = getId(target);
+    }
+    if (!confirm) {
+      if (!target) {
+        const primaryKey = await getPrimaryFieldName('method_definition');
+        const filter = encodeURIComponent(JSON.stringify({ [primaryKey]: { _eq: targetId } }));
+        const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,name,buttonColor,textColor,isSystem`);
+        target = unwrapData(result)[0] || null;
+      }
+      return { content: [{ type: 'text', text: JSON.stringify({
+        action: 'delete_method_preview',
+        id: targetId,
+        name: target?.name,
+        method: target?.name,
+        isSystem: target?.isSystem === true,
+        destructive: true,
+        warning: 'Only delete unused custom methods. Deleting a method can affect route method relations.',
+        next: 'Call delete_method again with confirm=true to delete.',
+      }, null, 2) }] };
+    }
+    const result = await fetchAPI(ENFYRA_API_URL, `/method_definition/${encodeURIComponent(String(targetId))}`, { method: 'DELETE' });
+    _methodMap = null;
+    return { content: [{ type: 'text', text: JSON.stringify({
+      action: 'deleted',
+      tableName: 'method_definition',
+      id: targetId,
+      statusCode: result?.statusCode,
+      success: result?.success,
+    }, null, 2) }] };
+  },
+);
+
 server.tool(
   'run_admin_test',
   [
@@ -1092,7 +1268,7 @@ async function getMethodMap() {
   const result = await fetchAPI(ENFYRA_API_URL, '/method_definition?limit=0');
   _methodMap = {};
   for (const m of result.data) {
-    _methodMap[m.method] = m.id || m._id;
+    _methodMap[m.name] = m.id || m._id;
   }
   return _methodMap;
 }
@@ -1116,7 +1292,8 @@ function withMethodNames(records, methodIdNameMap, field = 'methods') {
     [field]: Array.isArray(record?.[field])
       ? record[field].map((item) => ({
           ...item,
-          method: item.method || methodIdNameMap[String(getId(item))] || null,
+          name: item.name || methodIdNameMap[String(getId(item))] || null,
+          method: item.name || methodIdNameMap[String(getId(item))] || null,
         }))
       : record?.[field],
   }));
@@ -1171,7 +1348,11 @@ function enrichRoute(route, state) {
     .filter((item) => sameId(refId(item.route), routeId))
     .map((item) => pickCodeSummary({
       ...item,
-      method: item.method ? { ...item.method, method: state.methodIdNameMap[String(getId(item.method))] || item.method.method || null } : item.method,
+      method: item.method ? {
+        ...item.method,
+        name: state.methodIdNameMap[String(getId(item.method))] || item.method.name || null,
+        method: state.methodIdNameMap[String(getId(item.method))] || item.method.name || null,
+      } : item.method,
     }, 'sourceCode'));
   const routePreHooks = withMethodNames(
     state.preHooks.filter((item) => item.isGlobal || sameId(refId(item.route), routeId)),
@@ -1196,13 +1377,25 @@ function enrichRoute(route, state) {
   return {
     ...route,
     availableMethods: Array.isArray(route.availableMethods)
-      ? route.availableMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.availableMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.availableMethods,
     publishedMethods: Array.isArray(route.publishedMethods)
-      ? route.publishedMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.publishedMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.publishedMethods,
     skipRoleGuardMethods: Array.isArray(route.skipRoleGuardMethods)
-      ? route.skipRoleGuardMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.skipRoleGuardMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.skipRoleGuardMethods,
     handlers: routeHandlers,
     preHooks: routePreHooks,
@@ -1363,7 +1556,7 @@ server.tool(
     'Use this after inspecting a route or changing handlers/hooks/guards. Pass paths like /table_definition?limit=1, not external URLs.',
   ].join(' '),
   {
-    method: z.enum(['GET', 'POST', 'PATCH', 'DELETE']).default('GET').describe('HTTP method'),
+    method: z.string().optional().default('GET').describe('HTTP method name. Must exist in method_definition.name for Enfyra route-backed calls.'),
     path: z.string().describe('Enfyra API path, e.g. /route_definition?limit=1'),
     query: z.string().optional().describe('Optional query params JSON object, merged onto path query string'),
     body: z.string().optional().describe('Optional JSON request body string'),
@@ -1371,6 +1564,7 @@ server.tool(
     useAuth: z.boolean().optional().default(true).describe('Attach MCP admin Bearer token. Set false to test published/public access.'),
   },
   async ({ method, path, query, body, headers, useAuth }) => {
+    const httpMethod = normalizeMethodNameInput(method || 'GET');
     const restPath = normalizeRestPath(path);
     const url = new URL(`${ENFYRA_API_URL.replace(/\/$/, '')}${restPath}`);
     const queryObj = parseJsonArg(query, {});
@@ -1388,9 +1582,9 @@ server.tool(
 
     const started = Date.now();
     const response = await fetch(url, {
-      method,
+      method: httpMethod,
       headers: requestHeaders,
-      ...(body !== undefined && body !== null && method !== 'GET' ? { body } : {}),
+      ...(body !== undefined && body !== null && httpMethod !== 'GET' ? { body } : {}),
     });
     const contentType = response.headers.get('content-type') || '';
     const responseText = await response.text();
@@ -1401,7 +1595,7 @@ server.tool(
 
     const payload = {
       request: {
-        method,
+        method: httpMethod,
         url: url.toString(),
         authenticated: !!useAuth,
       },
@@ -1468,9 +1662,9 @@ server.tool(
   {
     path: z.string().describe('URL path, must start with / (e.g., "/my-endpoint")'),
     mainTableId: z.union([z.string(), z.number()]).optional().describe('Only set for the canonical table route `/<table_name>`. Omit for every custom route.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE']))
-      .describe('HTTP methods this route supports (availableMethods). Common: ["GET","POST","PATCH","DELETE"]'),
-    publishedMethods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
+    methods: z.array(z.string())
+      .describe('HTTP method names this route supports (availableMethods). Each value must exist in method_definition.name. Common: ["GET","POST","PATCH","DELETE"].'),
+    publishedMethods: z.array(z.string()).optional()
       .describe('Methods accessible WITHOUT auth token. Omit = all methods require auth.'),
     isEnabled: z.boolean().optional().default(true).describe('Enable route immediately'),
     description: z.string().optional().describe('Route description'),
@@ -1514,7 +1708,7 @@ server.tool(
         publishedMethods: publishedMethods || [],
       },
       routesReloaded: true,
-      next: `Use create_handler({ routeId: ${JSON.stringify(getId(created))}, method: "GET"|"POST"|"PATCH"|"DELETE", sourceCode }) for custom code.`,
+      next: `Use create_handler({ routeId: ${JSON.stringify(getId(created))}, method: "GET", sourceCode }) for custom code. Create extra method_definition.name rows first for custom methods such as PUT.`,
     }, null, 2) }] };
   },
 );
@@ -1531,9 +1725,9 @@ server.tool(
   ].join(' '),
   {
     routeId: z.union([z.string(), z.number()]).describe('Route definition ID'),
-    method: z.enum(['GET', 'POST', 'PATCH', 'DELETE']).optional()
-      .describe('Single method to create. Prefer this for one handler.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
+    method: z.string().optional()
+      .describe('Single method_definition.name to create. Prefer this for one handler.'),
+    methods: z.array(z.string()).optional()
       .describe('Batch create multiple handlers. Use only when the same sourceCode applies to every method.'),
     sourceCode: z.string().describe('Handler JavaScript sourceCode. Do not use logic; backend CRUD rejects logic.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
@@ -1595,8 +1789,8 @@ server.tool(
     name: z.string().describe('Hook name (unique per route)'),
     code: z.string().describe('Hook JavaScript sourceCode. MCP stores it as sourceCode and lets Enfyra compile compiledCode.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
-      .describe('Methods this hook applies to. Default: all REST methods.'),
+    methods: z.array(z.string()).optional()
+      .describe('Method names this hook applies to. Default: built-in REST methods GET, POST, PATCH, DELETE.'),
     priority: z.number().optional().default(0).describe('Execution order (lower = first)'),
     isEnabled: z.boolean().optional().default(true).describe('Enable hook immediately'),
   },
@@ -1649,8 +1843,8 @@ server.tool(
     name: z.string().describe('Hook name (unique per route)'),
     code: z.string().describe('Hook JavaScript sourceCode. MCP stores it as sourceCode and lets Enfyra compile compiledCode.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
-      .describe('Methods this hook applies to. Default: all REST methods.'),
+    methods: z.array(z.string()).optional()
+      .describe('Method names this hook applies to. Default: built-in REST methods GET, POST, PATCH, DELETE.'),
     priority: z.number().optional().default(0).describe('Execution order (lower = first)'),
     isEnabled: z.boolean().optional().default(true).describe('Enable hook immediately'),
   },
@@ -1781,7 +1975,7 @@ server.tool(
   {
     path: z.string().optional().describe('Route path, e.g. /user_definition'),
     routeId: z.union([z.string(), z.number()]).optional().describe('Route id. Use either path or routeId.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).describe('REST methods this permission allows'),
+    methods: z.array(z.string()).describe('REST method names this permission allows. Each value must exist in method_definition.name.'),
     roleId: z.union([z.string(), z.number()]).optional().describe('Role id scope'),
     allowedUserIds: z.array(z.union([z.string(), z.number()])).optional().describe('Specific user ids scope'),
     description: z.string().optional().describe('Admin note'),
@@ -1826,7 +2020,7 @@ server.tool(
     position: z.enum(['pre_auth', 'post_auth']).default('pre_auth').describe('Execution position for root guard'),
     routeId: z.union([z.string(), z.number()]).optional().describe('Optional route id'),
     path: z.string().optional().describe('Optional route path'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional().describe('Methods this guard applies to. Empty means all configured behavior for route/global.'),
+    methods: z.array(z.string()).optional().describe('Method names this guard applies to. Empty means all configured behavior for route/global.'),
     combinator: z.enum(['and', 'or']).default('and').describe('How child guards/rules combine'),
     priority: z.number().optional().default(0).describe('Lower runs first'),
     isGlobal: z.boolean().optional().default(false).describe('Apply globally instead of one route'),