@enfyra/mcp-server 0.0.60 → 0.0.61

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enfyra/mcp-server",
-  "version": "0.0.60",
+  "version": "0.0.61",
   "description": "MCP server for Enfyra - manage your Enfyra instance via Claude Code",
   "type": "module",
   "license": "MIT",

package/src/lib/mcp-examples.js

@@ -497,11 +497,11 @@ return @DATA\`
   tableName: "route_definition",
   id: "<route_id>",
   data: {
-    publishedMethods: [{ id: 1 }]
+    publishedMethods: [{ id: "<GET_method_id_from_list_methods>" }]
   }
 })`,
         notes: [
-          'Method id 1 is GET. Use method_definition if you need to confirm method ids.',
+          'Method ids are instance data. Use list_methods or inspect_route output to resolve the GET method id first.',
           'publishedMethods controls anonymous route access. Route permissions are not for public access.',
           'Route permissions apply when the method is not public.',
         ],
@@ -802,6 +802,7 @@ update_method({
 })`,
         notes: [
           'Use dedicated method tools instead of generic CRUD on method_definition.',
+          'The backend stores the method label in method_definition.name; do not send or filter a method_definition.method field.',
           'buttonColor is the badge background and textColor is the badge text color.',
           'The eApp management UI is /settings/methods.',
           'delete_method is preview-first and should only be used for unused custom methods.',

package/src/lib/mcp-instructions.js

@@ -114,9 +114,10 @@ export function buildMcpServerInstructions(apiBaseUrl) {
 '- **mainTable warning:** do not set `mainTable` on custom routes. It is reserved for canonical table routes only.',
 '  - **Many-to-one:** `"someRelation": {"id": 4}` (single object with id)',
 '  - **One-to-many / many-to-many:** `"publishedMethods": [{"id": 1}, {"id": 2}]` (array of objects with id)',
-'- **Method IDs** (for REST route publishedMethods, availableMethods, skipRoleGuardMethods): GET=1, POST=2, PATCH=3, DELETE=4. Query `method_definition` table if unsure.',
+'- **Method IDs** are instance data, not a stable contract. Query `method_definition` or use method names through MCP route helpers before setting `publishedMethods`, `availableMethods`, `skipRoleGuardMethods`, hook methods, handler methods, or route permissions. Default CRUD records are `GET`, `POST`, `PATCH`, and `DELETE`; create extra records such as `PUT` through method tools when a route needs them.',
+'- `method_definition.name` is the unique backend field for the HTTP method label. Do not filter, create, or update a `method_definition.method` field. MCP method tools accept an input named `method` for usability, but they write/read `name` on the server.',
 '- **Wrong:** `"publishedMethods": ["GET"]` or `"publishedMethods": [{"method": "GET"}]` — rejected or silently ignored.',
-'- **Right:** `"publishedMethods": [{"id": 1}]` (publishes GET). Multiple: `[{"id": 1}, {"id": 2}]` (publishes GET + POST).',
+'- **Right:** first query method records, then pass their ids, for example `"publishedMethods": [{"id": <GET_METHOD_ID>}]`. Multiple methods use multiple id objects.',
 '- **To unset:** pass empty array `"publishedMethods": []`.',
 '',
 '### Dynamic script `$repos` mutation return shape',
@@ -298,6 +299,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Operational list data loading:** do not use arbitrary fixed limits such as `limit=50` as the whole data strategy for admin pages. Use pagination, expose result count when the API supports `meta=filterCount`, and add search/filter controls for natural lookup keys such as id, name, slug, status, email, or external reference.',
     '- **ESV aggregate contract:** aggregate query must be an object keyed by a real field or relation, for example `aggregate: { id: { count: true }, status: { count: { _eq: "failed" } }, amount: { sum: true } }`. Results are returned in `response.meta.aggregate`. Time windows and cross-field conditions belong in top-level `filter`, not inside a field aggregate condition. Field aggregate conditions only support operators on that same field; relation aggregates use `countRecords`.',
     '- **Aggregate numeric rule:** `sum` and `avg` require a numeric field in ESV. Do not aggregate money stored as varchar/text. Use a numeric money field such as `amount_usd` with type `float`, `amount_cents`, or `amount` for revenue stats, or build a dedicated stats route that normalizes legacy values explicitly. If metadata says `float` but SQL aggregate still fails with `sum(character varying)`, the Enfyra Server physical schema is stale or missing the SQL float DDL mapping and must be redeployed/healed before relying on aggregate.',
+    '- **Snapshot migrations:** backend metadata/physical schema renames belong in `data/snapshot-migration.json` via table-driven `columnsToModify` entries. The server migration/self-heal path should read table name plus `oldName`/`newName` dynamically; do not hard-code one-off table repairs when the snapshot migration contract can express the change.',
     '- **Partial reload default:** ESV/ASV automatically triggers partial reloads for metadata, routes, menus, extensions, flows, handlers, and related caches after successful writes. Do not reflexively call `/admin/reload`, `/admin/reload/metadata`, or `/admin/reload/routes` after each change. Verify naturally first; use manual reload only when verification shows stale behavior, a reload event failed, or a concrete error indicates the partial reload did not apply.',
     '- **Menu/extension realtime reload contract:** `menu_definition` and `extension_definition` writes are runtime UI changes, not plain CRUD. The server cache orchestrator must emit `$system:reload` through the admin Socket.IO channel with identifiers that eApp handles; eApp must refetch menus/rebuild the menu registry for menu reloads and invalidate dynamic extension caches for extension reloads. Menu reloads can change route-to-extension mapping, so they should also invalidate extension cache. If an open admin tab does not reflect menu/extension changes, debug this two-sided reload contract before telling the user to refresh.',
     '- **Dashboard stats:** time range buttons must change the query filter and reload stats. Dashboards should summarize actionable errors and high-level activity; successful/no-error background runs usually do not need a standalone page unless there is a real workflow to manage.',
@@ -306,7 +308,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Do not misuse PageHeader stats:** `PageHeader.stats` renders prominent stat cards inside the shell header. Do not put normal operational KPIs, capacity totals, billing totals, or detail metrics there by default; keep those as body cards/tables where the operator can scan them with the page content. Only use PageHeader stats for a deliberately compact overview page where the stats are truly header-level context.',
     '- **Page actions belong in registries:** Move page-level buttons into `useHeaderActionRegistry` or `useSubHeaderActionRegistry`; keep the extension body for operational content only. Sensitive registry actions must include a `permission` condition, for example `{ id: "create", label: "Create report", permission: { and: [{ route: "/report_definition", methods: ["POST"] }] }, onClick }`.',
     '- **Header action button variants:** choose the button variant by intent. Use `color: "primary", variant: "solid"` for the main page action. Use `color: "neutral", variant: "ghost"` for back/navigation actions and `color: "neutral", variant: "outline"` for visible secondary actions. `variant: "soft"` is only for low-emphasis secondary/chrome actions; do not use soft for critical or primary header actions just because it looks acceptable in dark mode.',
-    '- **HTTP method management:** use the dedicated MCP tools `list_methods`, `create_method`, `update_method`, and preview-first `delete_method` for `method_definition`. The eApp UI for the same records is `/settings/methods`. Method color fields are `buttonColor` for badge background and `textColor` for badge text, both full hex colors. Do not use generic `create_record` on `method_definition` unless the dedicated tool is unavailable.',
+    '- **HTTP method management:** use the dedicated MCP tools `list_methods`, `create_method`, `update_method`, and preview-first `delete_method` for `method_definition`. The backend field is `method_definition.name`, unique per method; do not send `method_definition.method`. The eApp UI for the same records is `/settings/methods`. Method color fields are `buttonColor` for badge background and `textColor` for badge text, both full hex colors. Do not use generic `create_record` on `method_definition` unless the dedicated tool is unavailable.',
     '- **Extension navigation:** prefer `NuxtLink` or Nuxt UI components with `:to` for visible navigation links and drill-down cards/buttons. Use `navigateTo(...)` only for imperative navigation after submit, confirm, mutation, or another side effect.',
     '- **Extension runtime scope:** eApp exposes Vue APIs and injected Nuxt/Enfyra composables both to script global scope and Vue app `globalProperties`. Template expressions may call injected helpers directly, for example after a save handler can call `navigateTo("/data/report_definition")`, because Vue compiles template helpers to `_ctx.*`.',
     '- **Extension CSS affects shell utility ordering:** dynamic extension CSS is injected after the app shell CSS. Shell/page-header code must not put conflicting plain Tailwind utilities on the same element, such as `flex-col` plus `flex-row`, `items-start` plus `items-center`, or `text-left` plus `text-center`. Choose one mutually exclusive class per state; otherwise extension CSS can change which utility wins and shift shell layout.',

package/src/mcp-server-entry.mjs

@@ -34,7 +34,7 @@ const CAPABILITY_AREAS = [
   {
     area: 'Dynamic REST API',
     tables: ['route_definition', 'route_handler_definition', 'pre_hook_definition', 'post_hook_definition', 'route_permission_definition', 'method_definition'],
-    workflow: 'Create custom paths with create_route without mainTableId, then add handlers/hooks. mainTableId is only for canonical table routes like /table_name. REST methods are GET/POST/PATCH/DELETE.',
+    workflow: 'Create custom paths with create_route without mainTableId, then add handlers/hooks. mainTableId is only for canonical table routes like /table_name. Query method_definition before assigning route methods.',
   },
   {
     area: 'Auth, roles, sessions, OAuth',
@@ -197,8 +197,8 @@ function summarizeRoutes(routesResult) {
     id: route.id ?? route._id,
     path: route.path,
     mainTable: route.mainTable?.name || route.mainTableName || null,
-    availableMethods: (route.availableMethods || []).map((method) => method.method).filter(Boolean),
-    publishedMethods: (route.publishedMethods || []).map((method) => method.method).filter(Boolean),
+    availableMethods: (route.availableMethods || []).map((method) => method.name).filter(Boolean),
+    publishedMethods: (route.publishedMethods || []).map((method) => method.name).filter(Boolean),
     isEnabled: route.isEnabled,
   }));
 }
@@ -376,8 +376,8 @@ function normalizeHexColorInput(value, fieldName) {
 }
 
 async function findMethodRecordByName(method) {
-  const filter = encodeURIComponent(JSON.stringify({ method: { _eq: method } }));
-  const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,method,buttonColor,textColor,isSystem`);
+  const filter = encodeURIComponent(JSON.stringify({ name: { _eq: method } }));
+  const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,name,buttonColor,textColor,isSystem`);
   return unwrapData(result)[0] || null;
 }
 
@@ -476,7 +476,7 @@ server.tool(
         routes: routes.length,
         methods: methodsResult?.data?.length || 0,
       },
-      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, method: method.method })),
+      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, name: method.name, method: method.name })),
       capabilityAreas: CAPABILITY_AREAS.map((item) => ({
         ...item,
         presentTables: item.tables.filter((table) => tableNames.includes(table)),
@@ -579,7 +579,7 @@ server.tool(
         storageConfigs: storageResult?.data?.length || 0,
         settings: settingsResult?.data?.length || 0,
       },
-      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, method: method.method })),
+      methods: (methodsResult?.data || []).map((method) => ({ id: method.id || method._id, name: method.name, method: method.name })),
       routeRuntime: {
         routePattern: 'GET/POST /<route-path>; PATCH/DELETE /<route-path>/:id; no dynamic GET /<route-path>/:id.',
         adminRoutes: adminRoutes.map((route) => route.path).sort(),
@@ -1050,10 +1050,11 @@ server.tool(
   'List method_definition records with their UI colors. Use this before creating route methods or method-colored UI.',
   {},
   async () => {
-    const result = await fetchAPI(ENFYRA_API_URL, '/method_definition?fields=id,_id,method,buttonColor,textColor,isSystem&sort=method&limit=0');
+    const result = await fetchAPI(ENFYRA_API_URL, '/method_definition?fields=id,_id,name,buttonColor,textColor,isSystem&sort=name&limit=0');
     const methods = unwrapData(result).map((method) => ({
       id: getId(method),
-      method: method.method,
+      name: method.name,
+      method: method.name,
       buttonColor: method.buttonColor,
       textColor: method.textColor,
       isSystem: method.isSystem === true,
@@ -1082,7 +1083,7 @@ server.tool(
       throw new Error(`Method ${normalizedMethod} already exists with id ${getId(existing)}. Use update_method to change colors.`);
     }
     const body = {
-      method: normalizedMethod,
+      name: normalizedMethod,
       buttonColor: normalizeHexColorInput(buttonColor, 'buttonColor'),
       textColor: normalizeHexColorInput(textColor, 'textColor'),
       isSystem: isSystem === true,
@@ -1094,6 +1095,7 @@ server.tool(
     _methodMap = null;
     return { content: [{ type: 'text', text: JSON.stringify({
       ...summarizeMutationResult(result, 'created', 'method_definition'),
+      name: normalizedMethod,
       method: normalizedMethod,
       appUi: '/settings/methods',
     }, null, 2) }] };
@@ -1128,7 +1130,7 @@ server.tool(
       body.textColor = normalizeHexColorInput(textColor, 'textColor');
     }
     if (method !== undefined && id) {
-      body.method = normalizeMethodNameInput(method);
+      body.name = normalizeMethodNameInput(method);
     }
     if (Object.keys(body).length === 0) {
       throw new Error('Provide buttonColor, textColor, or a new method name.');
@@ -1168,13 +1170,14 @@ server.tool(
       if (!target) {
         const primaryKey = await getPrimaryFieldName('method_definition');
         const filter = encodeURIComponent(JSON.stringify({ [primaryKey]: { _eq: targetId } }));
-        const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,method,buttonColor,textColor,isSystem`);
+        const result = await fetchAPI(ENFYRA_API_URL, `/method_definition?filter=${filter}&limit=1&fields=id,_id,name,buttonColor,textColor,isSystem`);
         target = unwrapData(result)[0] || null;
       }
       return { content: [{ type: 'text', text: JSON.stringify({
         action: 'delete_method_preview',
         id: targetId,
-        method: target?.method,
+        name: target?.name,
+        method: target?.name,
         isSystem: target?.isSystem === true,
         destructive: true,
         warning: 'Only delete unused custom methods. Deleting a method can affect route method relations.',
@@ -1265,7 +1268,7 @@ async function getMethodMap() {
   const result = await fetchAPI(ENFYRA_API_URL, '/method_definition?limit=0');
   _methodMap = {};
   for (const m of result.data) {
-    _methodMap[m.method] = m.id || m._id;
+    _methodMap[m.name] = m.id || m._id;
   }
   return _methodMap;
 }
@@ -1289,7 +1292,8 @@ function withMethodNames(records, methodIdNameMap, field = 'methods') {
     [field]: Array.isArray(record?.[field])
       ? record[field].map((item) => ({
           ...item,
-          method: item.method || methodIdNameMap[String(getId(item))] || null,
+          name: item.name || methodIdNameMap[String(getId(item))] || null,
+          method: item.name || methodIdNameMap[String(getId(item))] || null,
         }))
       : record?.[field],
   }));
@@ -1344,7 +1348,11 @@ function enrichRoute(route, state) {
     .filter((item) => sameId(refId(item.route), routeId))
     .map((item) => pickCodeSummary({
       ...item,
-      method: item.method ? { ...item.method, method: state.methodIdNameMap[String(getId(item.method))] || item.method.method || null } : item.method,
+      method: item.method ? {
+        ...item.method,
+        name: state.methodIdNameMap[String(getId(item.method))] || item.method.name || null,
+        method: state.methodIdNameMap[String(getId(item.method))] || item.method.name || null,
+      } : item.method,
     }, 'sourceCode'));
   const routePreHooks = withMethodNames(
     state.preHooks.filter((item) => item.isGlobal || sameId(refId(item.route), routeId)),
@@ -1369,13 +1377,25 @@ function enrichRoute(route, state) {
   return {
     ...route,
     availableMethods: Array.isArray(route.availableMethods)
-      ? route.availableMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.availableMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.availableMethods,
     publishedMethods: Array.isArray(route.publishedMethods)
-      ? route.publishedMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.publishedMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.publishedMethods,
     skipRoleGuardMethods: Array.isArray(route.skipRoleGuardMethods)
-      ? route.skipRoleGuardMethods.map((method) => ({ ...method, method: method.method || state.methodIdNameMap[String(getId(method))] || null }))
+      ? route.skipRoleGuardMethods.map((method) => ({
+          ...method,
+          name: method.name || state.methodIdNameMap[String(getId(method))] || null,
+          method: method.name || state.methodIdNameMap[String(getId(method))] || null,
+        }))
       : route.skipRoleGuardMethods,
     handlers: routeHandlers,
     preHooks: routePreHooks,
@@ -1536,7 +1556,7 @@ server.tool(
     'Use this after inspecting a route or changing handlers/hooks/guards. Pass paths like /table_definition?limit=1, not external URLs.',
   ].join(' '),
   {
-    method: z.enum(['GET', 'POST', 'PATCH', 'DELETE']).default('GET').describe('HTTP method'),
+    method: z.string().optional().default('GET').describe('HTTP method name. Must exist in method_definition.name for Enfyra route-backed calls.'),
     path: z.string().describe('Enfyra API path, e.g. /route_definition?limit=1'),
     query: z.string().optional().describe('Optional query params JSON object, merged onto path query string'),
     body: z.string().optional().describe('Optional JSON request body string'),
@@ -1544,6 +1564,7 @@ server.tool(
     useAuth: z.boolean().optional().default(true).describe('Attach MCP admin Bearer token. Set false to test published/public access.'),
   },
   async ({ method, path, query, body, headers, useAuth }) => {
+    const httpMethod = normalizeMethodNameInput(method || 'GET');
     const restPath = normalizeRestPath(path);
     const url = new URL(`${ENFYRA_API_URL.replace(/\/$/, '')}${restPath}`);
     const queryObj = parseJsonArg(query, {});
@@ -1561,9 +1582,9 @@ server.tool(
 
     const started = Date.now();
     const response = await fetch(url, {
-      method,
+      method: httpMethod,
       headers: requestHeaders,
-      ...(body !== undefined && body !== null && method !== 'GET' ? { body } : {}),
+      ...(body !== undefined && body !== null && httpMethod !== 'GET' ? { body } : {}),
     });
     const contentType = response.headers.get('content-type') || '';
     const responseText = await response.text();
@@ -1574,7 +1595,7 @@ server.tool(
 
     const payload = {
       request: {
-        method,
+        method: httpMethod,
         url: url.toString(),
         authenticated: !!useAuth,
       },
@@ -1641,9 +1662,9 @@ server.tool(
   {
     path: z.string().describe('URL path, must start with / (e.g., "/my-endpoint")'),
     mainTableId: z.union([z.string(), z.number()]).optional().describe('Only set for the canonical table route `/<table_name>`. Omit for every custom route.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE']))
-      .describe('HTTP methods this route supports (availableMethods). Common: ["GET","POST","PATCH","DELETE"]'),
-    publishedMethods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
+    methods: z.array(z.string())
+      .describe('HTTP method names this route supports (availableMethods). Each value must exist in method_definition.name. Common: ["GET","POST","PATCH","DELETE"].'),
+    publishedMethods: z.array(z.string()).optional()
       .describe('Methods accessible WITHOUT auth token. Omit = all methods require auth.'),
     isEnabled: z.boolean().optional().default(true).describe('Enable route immediately'),
     description: z.string().optional().describe('Route description'),
@@ -1687,7 +1708,7 @@ server.tool(
         publishedMethods: publishedMethods || [],
       },
       routesReloaded: true,
-      next: `Use create_handler({ routeId: ${JSON.stringify(getId(created))}, method: "GET"|"POST"|"PATCH"|"DELETE", sourceCode }) for custom code.`,
+      next: `Use create_handler({ routeId: ${JSON.stringify(getId(created))}, method: "GET", sourceCode }) for custom code. Create extra method_definition.name rows first for custom methods such as PUT.`,
     }, null, 2) }] };
   },
 );
@@ -1704,9 +1725,9 @@ server.tool(
   ].join(' '),
   {
     routeId: z.union([z.string(), z.number()]).describe('Route definition ID'),
-    method: z.enum(['GET', 'POST', 'PATCH', 'DELETE']).optional()
-      .describe('Single method to create. Prefer this for one handler.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
+    method: z.string().optional()
+      .describe('Single method_definition.name to create. Prefer this for one handler.'),
+    methods: z.array(z.string()).optional()
       .describe('Batch create multiple handlers. Use only when the same sourceCode applies to every method.'),
     sourceCode: z.string().describe('Handler JavaScript sourceCode. Do not use logic; backend CRUD rejects logic.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
@@ -1768,8 +1789,8 @@ server.tool(
     name: z.string().describe('Hook name (unique per route)'),
     code: z.string().describe('Hook JavaScript sourceCode. MCP stores it as sourceCode and lets Enfyra compile compiledCode.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
-      .describe('Methods this hook applies to. Default: all REST methods.'),
+    methods: z.array(z.string()).optional()
+      .describe('Method names this hook applies to. Default: built-in REST methods GET, POST, PATCH, DELETE.'),
     priority: z.number().optional().default(0).describe('Execution order (lower = first)'),
     isEnabled: z.boolean().optional().default(true).describe('Enable hook immediately'),
   },
@@ -1822,8 +1843,8 @@ server.tool(
     name: z.string().describe('Hook name (unique per route)'),
     code: z.string().describe('Hook JavaScript sourceCode. MCP stores it as sourceCode and lets Enfyra compile compiledCode.'),
     scriptLanguage: z.enum(['javascript', 'typescript']).optional().default('javascript').describe('Script language for compiler. Default javascript.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional()
-      .describe('Methods this hook applies to. Default: all REST methods.'),
+    methods: z.array(z.string()).optional()
+      .describe('Method names this hook applies to. Default: built-in REST methods GET, POST, PATCH, DELETE.'),
     priority: z.number().optional().default(0).describe('Execution order (lower = first)'),
     isEnabled: z.boolean().optional().default(true).describe('Enable hook immediately'),
   },
@@ -1954,7 +1975,7 @@ server.tool(
   {
     path: z.string().optional().describe('Route path, e.g. /user_definition'),
     routeId: z.union([z.string(), z.number()]).optional().describe('Route id. Use either path or routeId.'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).describe('REST methods this permission allows'),
+    methods: z.array(z.string()).describe('REST method names this permission allows. Each value must exist in method_definition.name.'),
     roleId: z.union([z.string(), z.number()]).optional().describe('Role id scope'),
     allowedUserIds: z.array(z.union([z.string(), z.number()])).optional().describe('Specific user ids scope'),
     description: z.string().optional().describe('Admin note'),
@@ -1999,7 +2020,7 @@ server.tool(
     position: z.enum(['pre_auth', 'post_auth']).default('pre_auth').describe('Execution position for root guard'),
     routeId: z.union([z.string(), z.number()]).optional().describe('Optional route id'),
     path: z.string().optional().describe('Optional route path'),
-    methods: z.array(z.enum(['GET', 'POST', 'PATCH', 'DELETE'])).optional().describe('Methods this guard applies to. Empty means all configured behavior for route/global.'),
+    methods: z.array(z.string()).optional().describe('Method names this guard applies to. Empty means all configured behavior for route/global.'),
     combinator: z.enum(['and', 'or']).default('and').describe('How child guards/rules combine'),
     priority: z.number().optional().default(0).describe('Lower runs first'),
     isGlobal: z.boolean().optional().default(false).describe('Apply globally instead of one route'),