@enfyra/mcp-server 0.0.79 → 0.0.81

package/README.md

@@ -1,66 +1,55 @@
 # Enfyra MCP Server
 
-MCP server for managing Enfyra instances from **Codex**, **Claude Code**, **Cursor**, and other MCP-compatible clients. All operations go through Enfyra's REST API.
+Manage Enfyra instances from MCP-compatible coding tools such as **Codex**, **Claude Code**, **Cursor**, MCP Inspector, and other STDIO MCP hosts.
 
+This package is the MCP bridge only. Assistant rules, schema behavior, dynamic script guidance, and examples are served through the MCP server itself from `src/lib/mcp-instructions.js`, `src/lib/mcp-examples.js`, and tool descriptions in `src/mcp-server-entry.mjs`.
 
-**LLM rules (REST, GraphQL, auth, URL, mutation `create_{tableName}`, etc.):** not in this README — see **`src/lib/mcp-instructions.js`** (content sent via MCP `instructions`), **`src/lib/mcp-examples.js`** (concrete examples loaded through `get_enfyra_examples`), and tool descriptions in **`src/mcp-server-entry.mjs`**. This README only covers **MCP installation and configuration** for users/devs.
+## Quick Start
 
-**Official docs:** [Claude Code MCP](https://docs.anthropic.com/en/docs/claude-code/mcp) · [Claude Code settings](https://docs.anthropic.com/en/docs/claude-code/settings) · [Cursor MCP (`mcp.json`)](https://cursor.com/docs/context/mcp)
-
----
-
-## Quick local setup (`config` command)
-
-From your **Enfyra project root**:
+From your project root:
 
 ```bash
 npx @enfyra/mcp-server config
 ```
 
-- **Interactive (default in a terminal):** first asks **where** to write config with an arrow-key selector — Claude Code, Cursor, Codex, or all — unless you already passed target flags. Then prompts for `ENFYRA_API_URL` and `ENFYRA_API_TOKEN` when missing. Press **Enter** to accept bracketed defaults from env or existing `enfyra` config.
-- **Re-run anytime** to update the same files; other entries under `mcpServers` are preserved.
-- **Non-interactive** (CI / scripts): `npx @enfyra/mcp-server config --yes` plus optional `-a` / `-t` and/or env vars.
-- **One host only:** `--claude-code` / `--claude` / `--claude-only` → `./.mcp.json`. `--cursor` / `--cursor-only` → `./.cursor/mcp.json`. `--codex` / `--codex-only` → `./.codex/config.toml`. Pass multiple target flags to write each selected host.
-- **Reconfigure:** `npx @enfyra/mcp-server config --reconfig` prompts for the target host again, uses existing project values as defaults, and replaces the old project `enfyra` entry for that host.
-- **Global/user config:** add `--global` only when you intentionally want the selected host config under your home directory instead of this project.
-- **Help:** `npx @enfyra/mcp-server -h` or `npx @enfyra/mcp-server config --help`
+The config command can write project config for Codex, Claude Code, Cursor, or all supported clients. It preserves other MCP servers and replaces only the `enfyra` entry.
 
-Equivalent in this repo: `yarn mcp:config` (Yarn v1 reserves `yarn config` for registry settings). Same as `node src/index.mjs config` / `npm run mcp:config`.
+Interactive setup asks for `ENFYRA_APP_URL` first, then asks for `ENFYRA_API_TOKEN`. The MCP API base is inferred as `<app>/api`, and the token page is inferred as `<app>/me`. For example, `https://demo.enfyra.io` becomes API base `https://demo.enfyra.io/api` and token page `https://demo.enfyra.io/me`.
 
----
+```bash
+# Non-interactive, all supported clients
+npx @enfyra/mcp-server config --yes \
+  --app-url http://localhost:3000 \
+  -t efy_pat_your-token
 
-## Which coding tool? (switch)
+# One or more clients
+npx @enfyra/mcp-server config --codex
+npx @enfyra/mcp-server config --cursor --claude-code
+```
 
-Use this table to see **where** each host stores config. The **`mcpServers.enfyra` JSON block** at the bottom of each section is identical; only the **file paths** and **CLI** differ.
+Equivalent in this repo:
 
-| | **Codex** | **Claude Code** | **Cursor** |
-|---|-----------|-----------------|------------|
-| **Project (repo, default)** | **`.codex/config.toml`** in the project | **`.mcp.json`** at repository root | **`.cursor/mcp.json`** in the project |
-| **Global (explicit `--global`)** | `~/.codex/config.toml` | `~/.mcp.json` from this helper, or Claude's `~/.claude.json` via `claude mcp add --scope user` | `~/.cursor/mcp.json` |
-| **Typical install** | `npx @enfyra/mcp-server config --codex` | `npx @enfyra/mcp-server config --claude-code` | `npx @enfyra/mcp-server config --cursor` |
-| **Precedence / merge** | Project config is merged/replaced for `enfyra` | Project `.mcp.json` is merged/replaced for `enfyra` | Project `.cursor/mcp.json` is merged/replaced for `enfyra` |
-| **Gotcha** | Open this folder in a new Codex session after editing config | Do not put MCP server definitions in `.claude/settings.json` | Root **`.mcp.json`** is for Claude Code project scope, not Cursor — use **`.cursor/mcp.json`** for Cursor |
+```bash
+yarn mcp:config
+```
 
-Expand **one** block below for step-by-step setup.
+## Choose A Client
 
-<details open>
-<summary><strong>Codex</strong> — setup</summary>
+| Client | Command | Project config |
+|--------|---------|----------------|
+| Codex | `npx @enfyra/mcp-server config --codex` | `.codex/config.toml` |
+| Claude Code | `npx @enfyra/mcp-server config --claude-code` | `.mcp.json` |
+| Cursor | `npx @enfyra/mcp-server config --cursor` | `.cursor/mcp.json` |
+| MCP Inspector / other hosts | Paste the shared STDIO config below | Host-specific `mcpServers` config |
 
-The config command writes project Codex config to `./.codex/config.toml` by default:
+<details>
+<summary><strong>Codex setup</strong></summary>
 
 ```bash
 npx @enfyra/mcp-server config --codex
 ```
 
-Non-interactive:
-
-```bash
-npx @enfyra/mcp-server config --codex --yes \
-  -a http://localhost:3000/api \
-  -t efy_pat_your-token
-```
-
-The generated TOML section is:
+Generated project config:
 
 ```toml
 [mcp_servers.enfyra]
@@ -72,92 +61,57 @@ ENFYRA_API_URL = "http://localhost:3000/api"
 ENFYRA_API_TOKEN = "efy_pat_your-token"
 ```
 
-The config writer replaces only `[mcp_servers.enfyra]` and `[mcp_servers.enfyra.env]`; other Codex config and other MCP servers are preserved. Open this folder in a new Codex session after updating `./.codex/config.toml`. Use `--global --codex` only when you intentionally want `~/.codex/config.toml`.
-
-</details>
+The writer replaces only `[mcp_servers.enfyra]` and `[mcp_servers.enfyra.env]`. Other Codex config and other MCP servers are preserved.
 
-<details open>
-<summary><strong>Claude Code</strong> — setup</summary>
+After editing config, open the folder in a new Codex session so project config is loaded.
 
-MCP server definitions are **not** placed in `.claude/settings.json`; that folder is for other Claude Code settings.
+Official reference: [Codex config](https://developers.openai.com/codex/config-reference).
 
-### Choose scope (Claude Code)
-
-| Goal | Location | Claude Code scope | Typical use |
-|------|----------|-------------------|-------------|
-| Same Enfyra MCP in **every** project on your machine | **`~/.claude.json`** | **user** (`claude mcp add … --scope user`) | One admin stack you always use |
-| MCP only when this **repo is cwd**, private to you, often with secrets | **`~/.claude.json`** | **local** (default: `claude mcp add …` without `--scope project`) | Per-machine URLs or tokens; nothing committed |
-| **Team** / reproducible setup; commit config to git | **`.mcp.json`** at the **repository root** | **project** (`claude mcp add … --scope project`) | Shared onboarding; env expansion supported |
+</details>
 
-**Precedence when the same server name exists in more than one place:** **local** → **project** (`.mcp.json`) → **user**. See the [official MCP docs](https://docs.anthropic.com/en/docs/claude-code/mcp).
+<details>
+<summary><strong>Claude Code setup</strong></summary>
 
-**Project `.mcp.json` approval:** Claude Code may prompt before trusting project-scoped servers; use `claude mcp reset-project-choices` to reset.
+```bash
+npx @enfyra/mcp-server config --claude-code
+```
 
-### `claude mcp add` — user, local, or project
+Project config is written to `.mcp.json`. MCP server definitions do not belong in `.claude/settings.json`.
 
-Use the CLI (recommended). **User** and **local** configs are stored in **`~/.claude.json`**; **project** (`--scope project`) writes **`./.mcp.json`** at the repo root.
+Claude Code also supports its own CLI:
 
 ```bash
-# User scope — available in all projects (options before server name per Claude Code docs)
-claude mcp add --transport stdio --scope user \
-  --env ENFYRA_API_URL=http://localhost:3000/api \
-  --env ENFYRA_API_TOKEN=efy_pat_your-token \
-  enfyra -- npx -y @enfyra/mcp-server
-
-# Local scope (default) — only when this repo is cwd; still stored in ~/.claude.json under project path
-claude mcp add --transport stdio \
-  --env ENFYRA_API_URL=http://localhost:3000/api \
-  --env ENFYRA_API_TOKEN=efy_pat_your-token \
-  enfyra -- npx -y @enfyra/mcp-server
-
-# Project scope — writes/updates .mcp.json at repo root (good for teams)
 claude mcp add --transport stdio --scope project \
   --env ENFYRA_API_URL=http://localhost:3000/api \
   --env ENFYRA_API_TOKEN=efy_pat_your-token \
   enfyra -- npx -y @enfyra/mcp-server
 ```
 
-On **native Windows** (not WSL), stdio servers using `npx` often need the `cmd /c` wrapper — see [Claude Code MCP — Windows](https://docs.anthropic.com/en/docs/claude-code/mcp).
-
-You can set env vars with **`--env`** (as above), edit **`~/.claude.json`** / **`.mcp.json`**, or use the `/mcp` UI.
-
-### Manual JSON (Claude Code)
-
-Use inside **`.mcp.json`** `mcpServers`, or merge into **`~/.claude.json`** per [Claude Code settings](https://docs.anthropic.com/en/docs/claude-code/settings) for your scope. Reuse the **shared JSON** in the [Shared](#shared-enfyra-mcp-json-and-environment) section below.
+Scope precedence when the same server name exists in multiple places is local, then project, then user. Project-scoped `.mcp.json` may require approval in Claude Code.
 
-### `.mcp.json` only (Claude Code project, manual)
-
-If you skip the CLI, add **`mcpServers.enfyra`** to **`.mcp.json`** at the repository root. Official docs support **environment variable expansion** in `.mcp.json`.
-
-**Local dev (this monorepo):** point `command` / `args` / `cwd` at `node` and `src/index.mjs` inside your clone — see the sample **`.mcp.json`** in this repository (adjust `cwd` or use expansion).
+Official references: [Claude Code MCP](https://docs.anthropic.com/en/docs/claude-code/mcp) and [Claude Code settings](https://docs.anthropic.com/en/docs/claude-code/settings).
 
 </details>
 
 <details>
-<summary><strong>Cursor</strong> — setup</summary>
-
-Cursor reads MCP from **`mcp.json`** in two places ([Cursor docs](https://cursor.com/docs/context/mcp)):
+<summary><strong>Cursor setup</strong></summary>
 
-| Scope | Path |
-|-------|------|
-| **Global** | `~/.cursor/mcp.json` (macOS/Linux) or `%USERPROFILE%\.cursor\mcp.json` (Windows) |
-| **Project** | **`.cursor/mcp.json`** inside the project (directory **`.cursor`** at repo root) |
-
-Paste the **same** `mcpServers` structure as in the [Shared](#shared-enfyra-mcp-json-and-environment) section. Cursor supports **interpolation**, e.g. `${env:ENFYRA_API_TOKEN}`, `${workspaceFolder}`, for secrets and paths.
+```bash
+npx @enfyra/mcp-server config --cursor
+```
 
-Optional **STDIO** fields per Cursor: `type`, `command`, `args`, `env`, `envFile` — see [STDIO server configuration](https://cursor.com/docs/context/mcp).
+Cursor project config is written to `.cursor/mcp.json`. Global config is `~/.cursor/mcp.json` on macOS/Linux or `%USERPROFILE%\.cursor\mcp.json` on Windows.
 
-**After edits:** restart Cursor (or toggle the server under **Settings → Features → Model Context Protocol**). Use **Output → MCP Logs** if the server fails to start.
+After edits, restart Cursor or reload MCP, then confirm the server under Cursor MCP settings. Use MCP logs if the server fails to start.
 
-**Using both Cursor and Claude Code in one repo:** keep **`.cursor/mcp.json`** for Cursor and **`.mcp.json`** (root) for Claude Code **project** scope if needed — they are different files.
+Official reference: [Cursor MCP](https://cursor.com/docs/context/mcp).
 
 </details>
 
----
-
-## Shared: Enfyra MCP JSON and environment
+<details>
+<summary><strong>Other MCP hosts and MCP Inspector</strong></summary>
 
-Use this block in any host-specific `mcp.json` / `mcpServers` merge (adjust env or use `${env:…}` where your editor supports it).
+Use the shared STDIO config with any host that accepts an `mcpServers` JSON block:
 
 ```json
 {
@@ -174,61 +128,128 @@ Use this block in any host-specific `mcp.json` / `mcpServers` merge (adjust env
 }
 ```
 
-- `-y`: auto-confirm `npx` package install without prompting.
-- **Restart** the coding tool after manual file edits.
+`ENFYRA_API_TOKEN` is a programmatic token from the Enfyra admin UI `/me`. It is not a JWT; the MCP server exchanges it through `POST {ENFYRA_API_URL}/auth/token/exchange` before calling Enfyra REST APIs.
+
+Official reference: [MCP Inspector](https://modelcontextprotocol.io/docs/tools/inspector).
+
+</details>
+
+## Config Command
+
+```bash
+npx @enfyra/mcp-server config [options]
+```
+
+| Option | Use |
+|--------|-----|
+| `--app-url` | Set the Enfyra app/admin URL; setup writes `<app>/api` to MCP config |
+| `--api-token`, `-t` | Set `ENFYRA_API_TOKEN` |
+| `--yes` | Non-interactive mode for CI/scripts |
+| `--global` | Write global/user config instead of project config |
+| `--reconfig` | Prompt for target clients again and replace the existing `enfyra` entry |
+| `--codex` | Write Codex config |
+| `--claude-code`, `--claude` | Write Claude Code config |
+| `--cursor` | Write Cursor config |
+| `-h`, `--help` | Show CLI help |
+
+Without a target flag, interactive mode asks which client to configure. Non-interactive mode defaults to all supported clients.
+
+## Environment
 
 | Variable | Description | Default |
 |----------|-------------|---------|
-| `ENFYRA_API_URL` | Base for REST + GraphQL + auth through the Nuxt/app proxy | `http://localhost:3000/api` |
-| `ENFYRA_API_TOKEN` | Programmatic token from eApp `/me`. MCP exchanges it through `/auth/token/exchange` for an access token. | — |
+| `ENFYRA_APP_URL` | App/admin URL used by setup to derive `ENFYRA_API_URL=<app>/api` and token page `<app>/me` | `http://localhost:3000` |
+| `ENFYRA_API_URL` | Runtime API base written into MCP client config | Derived from `ENFYRA_APP_URL` |
+| `ENFYRA_API_TOKEN` | Programmatic token from the Enfyra admin UI `/me` | Required |
+
+For normal apps and demos, enter the app/admin URL such as `http://localhost:3000` or `https://demo.enfyra.io`. Treat the direct Enfyra backend host as private infrastructure unless you are debugging Enfyra core/server internals.
 
-`ENFYRA_API_TOKEN` is a long-lived programmatic token, not a JWT. MCP must never send it directly as `Authorization: Bearer <token>` to REST tools. The MCP client first calls `POST {ENFYRA_API_URL}/auth/token/exchange` with `{ "apiToken": ENFYRA_API_TOKEN }`, caches the returned `accessToken`, and uses that JWT as the Bearer token for subsequent requests.
+## Common Examples
 
-Schema and script tools include safety guards for LLM callers: generic record mutations validate request fields against live metadata, script-backed records must validate `sourceCode` before save through `/admin/script/validate` and fail closed if validation is unavailable, relation metadata rejects physical FK/junction inputs, custom routes reject `mainTableId` unless the path is the canonical table route, schema tools serialize table/column/relation changes, and destructive deletes require `confirm=true` after returning a preview.
+Use `get_enfyra_examples` from the MCP tool list when asking an LLM to generate implementation patterns. It returns focused examples for:
 
-Read tools use Enfyra's `fields` parameter directly. Passing explicit includes such as `fields=id,email` returns only those fields, while any `-field` token switches that scope to exclude mode. For example, `fields=-compiledCode` returns all readable fields except `compiledCode`, and `fields=id,-compiledCode` still means all except `compiledCode`. Nested exclusions work with dotted fields and `deep`, such as `fields=-owner.avatar` or `deep.owner.fields=-avatar`.
+- SSR app auth, OAuth, and proxy setup
+- schema, columns, relations, indexes, and validation
+- query filters, sorting, fields, deep relations, and aggregates
+- handlers, hooks, permissions, and RLS
+- websocket gateways and events
+- flows
+- files and storage
+- Enfyra admin extensions
 
-Generated RLS for canonical table reads must keep projection and pagination client-owned. Pre-hooks may merge owner or membership constraints into `@QUERY.filter`, but they must not override `@QUERY.fields`, `@QUERY.deep`, `@QUERY.sort`, `@QUERY.limit`, `@QUERY.page`, `@QUERY.meta`, `@QUERY.aggregate`, or `debugMode`. Fixed projections belong only on clearly custom summary or workflow endpoints with an explicit response contract.
+## OAuth Setup
 
-Quick checklist for a new LLM using Enfyra MCP: discover the live system first, inspect the specific table/route, load the matching example category, mutate with explicit fields and relation property names, validate or test scripts/routes before relying on them, re-read the saved row when mutation output is summarized, and preview destructive operations before confirming.
+OAuth has three different URLs:
 
-Use `trace_metadata_usage` before changing production features to find related tables, routes, handlers, hooks, flow steps, websocket scripts, GraphQL scripts, and bootstrap scripts. Use `get_script_source` to read full untruncated source plus a SHA-256 hash. Prefer `patch_script_source` for focused exact search/replace edits; it previews by default and, with `apply=true`, validates the patched `sourceCode` through `/admin/script/validate` before saving. Use `update_script_source` when replacing an entire existing script. Use generic `update_record` only for small record patches or patches that include non-script metadata fields.
+| URL | Meaning |
+|-----|---------|
+| Provider callback URL | `{ENFYRA_API_URL}/auth/{provider}/callback` |
+| Enfyra `redirectUri` | Must exactly match the provider callback URL |
+| App `redirect` query | Where Enfyra sends the browser after cookies are set |
 
-For route contracts that intentionally keep workflow fields out of request bodies, generic `create_record`, `update_record`, and `delete_record` accept optional `queryParams` as a JSON object string. For example, a renewal workflow can keep `expires_at=YYYY-MM-DD` in the URL query while `validateBody` remains enabled for the table body.
+Example Google callback when `ENFYRA_API_URL=http://localhost:3000/api`:
 
-### `ENFYRA_API_URL` — use the app proxy
+```text
+http://localhost:3000/api/auth/google/callback
+```
 
-For normal apps and demos, set `ENFYRA_API_URL` to the Nuxt/app proxy:
+Start OAuth from the app proxy:
 
 ```text
-http://localhost:3000/api
+/enfyra/auth/google?redirect=<absoluteReturnUrl>&cookieBridgePrefix=/enfyra
 ```
 
-The Enfyra backend is private infrastructure. MCP, browser code, SSR routes, GraphQL calls, and generated app code should go through the app origin `/api/**`; do not connect them directly to the backend host/port. Direct backend URLs are only for Enfyra core/server debugging when you intentionally bypass the app proxy.
+`appCallbackUrl` is only for manual-token apps that intentionally read token query parameters. SSR apps should prefer proxy-owned cookies.
+
+## Runtime Safety
+
+The MCP server includes safety guards for LLM callers:
+
+- Generic record mutations validate fields against live metadata.
+- Script-backed records validate `sourceCode` through `/admin/script/validate` before saving.
+- Relation tools reject physical FK/junction names.
+- Custom route tools reject `mainTableId` unless the route is the canonical table route.
+- Schema changes are serialized.
+- Destructive deletes return a preview before requiring `confirm=true`.
+
+## Query Notes
 
-### SSR app auth pattern
+Use explicit `fields` in read tools. Include mode is the default, such as `fields=id,email`. Any excluded field switches that scope to exclude mode: `fields=-compiledCode` returns all readable fields except `compiledCode`, and `fields=id,-compiledCode` still means all except `compiledCode`. Dotted exclusions such as `fields=-owner.avatar` work for relation fields when the relation exists in metadata.
 
-When an LLM builds a Nuxt, Next, or other SSR frontend for Enfyra, follow the same-origin proxy pattern:
+## Enfyra URL Pattern
 
-- Browser code calls a same-origin proxy such as `{{ appOrigin }}/enfyra/**`, never the raw Enfyra backend URL.
-- Nuxt can proxy it with `routeRules: { "/enfyra/**": { proxy: { to: `${API_URL}/**`, fetchOptions: { redirect: "manual" } } } }`. Keep redirects manual so OAuth set-cookie redirects reach the browser as real HTTP redirects with `Set-Cookie`.
-- Generated apps should not create custom login/logout/me routes that manually set `accessToken`, `refreshToken`, or `expTime` cookies when the proxy is enough.
-- Password login is `POST /enfyra/login`, not `/enfyra/auth/login`.
-- Fetch the current user with `GET /enfyra/me` and logout with `POST /enfyra/logout`.
-- OAuth starts through the same proxy prefix, for example `/enfyra/auth/google?redirect=<absoluteReturnUrl>&cookieBridgePrefix=/enfyra`. `redirect` must include the app origin, and `cookieBridgePrefix` is the same proxy prefix that reaches Enfyra API routes. Enfyra validates the redirect, exchanges OAuth on its callback, then redirects through `{redirect.origin}{cookieBridgePrefix}/auth/set-cookies` so the third app origin stores the cookies before returning to `redirect`.
-- Socket.IO browser clients use a same-origin bridge too. Connect to the namespace, e.g. `io("/chat", { path: "/socket.io", withCredentials: true })`, and proxy `/socket.io/**` to the Enfyra app bridge `/ws/socket.io/**`. The backend gateway metadata path remains `/chat`.
-- Use token-query OAuth callback pages only for non-SSR/manual-token apps.
+Generated apps should use a same-origin proxy:
 
----
+```js
+export default defineNuxtConfig({
+  routeRules: {
+    "/enfyra/**": {
+      proxy: {
+        to: `${process.env.ENFYRA_API_URL}/**`,
+        fetchOptions: { redirect: "manual" }
+      }
+    }
+  }
+})
+```
+
+Browser code then calls:
+
+```text
+POST /enfyra/login
+GET  /enfyra/me
+POST /enfyra/logout
+GET  /enfyra/<table>
+```
 
-## Tools (summary)
+Do not create custom login/logout/me routes that manually set Enfyra token cookies when the proxy is enough.
 
-Metadata, examples, query/CRUD, method management, route access audit/grant, route/handler/hook, tables/columns, reload cache, logs, user/roles, login, menu/extension, `get_enfyra_api_context`. For full tool list and behavior, see the app after enabling MCP or the source in `src/mcp-server-entry.mjs`.
+## Tool Summary
 
-Use `get_enfyra_examples` when asking an LLM to generate concrete Enfyra implementation patterns. It returns categorized examples for SSR app auth/OAuth/proxy setup, schema/relations, queries/deep, handlers/hooks, permissions/RLS, websocket, flows, files, and extensions.
+The MCP server exposes tools for metadata discovery, examples, query/CRUD, method management, route access audit/grant, routes, handlers, hooks, tables, columns, relations, cache reloads, logs, users, roles, packages, menus, extensions, scripts, flows, websocket, files, and `get_enfyra_api_context`.
 
-For authenticated route access, use `audit_route_access` before changing permissions and `ensure_route_access` to grant access by `path` plus `roleName`/`roleId` or `allowedUserIds`. `ensure_route_access` resolves route, role, and method ids, validates that requested methods are available on the route, merges existing methods by default, and reloads routes.
+For authenticated route access, use `audit_route_access` before changing permissions and `ensure_route_access` to grant access by route path plus role/user. For production script edits, use `trace_metadata_usage`, `get_script_source`, and `patch_script_source` so changes are targeted, hash-checked, and validated.
 
 ## Security
 
-API calls use JWT (MCP auto-refreshes). Permissions are enforced by Enfyra.
+API calls use exchanged JWTs and Enfyra permissions are still enforced server-side. Keep `ENFYRA_API_TOKEN` out of committed config unless the project intentionally uses environment interpolation or another secret-management path.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@enfyra/mcp-server",
-  "version": "0.0.79",
-  "description": "MCP server for Enfyra - manage your Enfyra instance via Claude Code",
+  "version": "0.0.81",
+  "description": "MCP server for Enfyra - manage Enfyra instances from MCP-compatible coding tools",
   "type": "module",
   "license": "MIT",
   "main": "src/index.mjs",

package/src/lib/config-local.mjs

@@ -6,50 +6,103 @@ import { dirname, join } from 'node:path';
 import { homedir } from 'node:os';
 
 const SERVER_KEY = 'enfyra';
+const forceColor = process.env.FORCE_COLOR != null && process.env.FORCE_COLOR !== '0';
+const canStyle = forceColor || (output.isTTY && process.env.NO_COLOR == null);
+const style = {
+  bold: value => canStyle ? `\x1B[1m${value}\x1B[22m` : value,
+  dim: value => canStyle ? `\x1B[2m${value}\x1B[22m` : value,
+  cyan: value => canStyle ? `\x1B[36m${value}\x1B[39m` : value,
+  green: value => canStyle ? `\x1B[32m${value}\x1B[39m` : value,
+  magenta: value => canStyle ? `\x1B[35m${value}\x1B[39m` : value,
+  blue: value => canStyle ? `\x1B[34m${value}\x1B[39m` : value,
+  yellow: value => canStyle ? `\x1B[33m${value}\x1B[39m` : value,
+  underline: value => canStyle ? `\x1B[4m${value}\x1B[24m` : value,
+  inverse: value => canStyle ? `\x1B[7m${value}\x1B[27m` : value,
+};
+
+const clients = {
+  codex: {
+    label: 'Codex',
+    path: './.codex/config.toml',
+    color: style.green,
+  },
+  claude: {
+    label: 'Claude Code',
+    path: './.mcp.json',
+    color: style.magenta,
+  },
+  cursor: {
+    label: 'Cursor',
+    path: './.cursor/mcp.json',
+    color: style.cyan,
+  },
+};
+
+function statusIcon(kind) {
+  if (kind === 'success') return canStyle ? style.green('✓') : 'Done';
+  if (kind === 'warn') return canStyle ? style.yellow('!') : 'Warning';
+  return canStyle ? style.cyan('•') : '-';
+}
+
+function isCancelError(error) {
+  return error?.code === 'ABORT_ERR' || (error?.message || '') === 'Cancelled';
+}
+
+function exitCancelled() {
+  console.log('\nCancelled.');
+  process.exit(130);
+}
 
 function printHelp() {
-  console.log(`enfyra-mcp — write MCP config (Codex + Claude Code + Cursor)
+  console.log(`${style.bold('Enfyra MCP config')}
+${style.dim('Write local MCP client config for Enfyra.')}
 
-Usage:
+${style.bold('Usage')}
   npx @enfyra/mcp-server config [options]
 
-Writes project config under the current working directory:
-  • ./.mcp.json           — Claude Code project scope
-  • ./.cursor/mcp.json    — Cursor project scope
-  • ./.codex/config.toml  — Codex project scope
+${style.bold('Supported clients')}
+  Codex        ./.codex/config.toml
+  Claude Code  ./.mcp.json
+  Cursor       ./.cursor/mcp.json
+  Other MCP hosts can use the shared stdio JSON from the README.
 
-Options:
-  --api-url, -a <url>     ENFYRA_API_URL
-  --api-token, -t <secret> ENFYRA_API_TOKEN
+${style.bold('Options')}
+  --app-url <url>          Enfyra app/admin URL, for example https://demo.enfyra.io
+  --api-token, -t <secret>  ENFYRA_API_TOKEN
   --global                Write global/user config for selected hosts instead of project config
   --reconfig              Always choose target again in interactive mode and replace the old enfyra config for that target
   --yes                   Non-interactive: no prompts (CI / scripts); use CLI, env, existing file, then defaults
-  Target — non-interactive default is all; with TTY and no target flags, choose with ↑/↓:
+
+${style.bold('Client selection')}
+  Non-interactive default is all supported clients. In a TTY with no target flags, choose with ↑/↓.
+
   --claude-code, --claude, --claude-only   Only ./.mcp.json (Claude Code project scope)
   --cursor, --cursor-only                  Only ./.cursor/mcp.json (Cursor)
   --codex, --codex-only                    Only ./.codex/config.toml (Codex project scope)
   Passing multiple target flags writes each selected target.
+
   -h, --help              Show this help
 
-Interactive mode: lets you choose Claude Code / Cursor / Codex / all if you did not pass target flags; then asks for URL / API token
-  when missing. Existing project config is used as defaults. Re-run to update.
+${style.bold('Interactive mode')}
+  Choose Codex, Claude Code, Cursor, or all clients; then enter ENFYRA_APP_URL and ENFYRA_API_TOKEN.
+  The API base is inferred by appending /api to the app URL.
+  Existing Enfyra config and environment variables are used as defaults. Re-run anytime to update.
 
-Examples:
+${style.bold('Examples')}
   npx @enfyra/mcp-server config
+  npx @enfyra/mcp-server config --yes
+  npx @enfyra/mcp-server config --codex --cursor
   npx @enfyra/mcp-server config --claude-code
-  npx @enfyra/mcp-server config --cursor --yes
-  npx @enfyra/mcp-server config --codex --yes
   npx @enfyra/mcp-server config --global --codex
   npx @enfyra/mcp-server config --reconfig
-  npx @enfyra/mcp-server config -a http://localhost:3000/api -t 'efy_pat_...'
-  npx @enfyra/mcp-server config --yes
-  ENFYRA_API_TOKEN=efy_pat_... npx @enfyra/mcp-server config --yes
+  npx @enfyra/mcp-server config --app-url http://localhost:3000 -t 'efy_pat_...'
+  ENFYRA_APP_URL=https://demo.enfyra.io ENFYRA_API_TOKEN=efy_pat_... npx @enfyra/mcp-server config --yes
 `);
 }
 
 function parseArgs(argv) {
   const out = {
-    apiUrl: undefined,
+    appUrl: undefined,
     apiToken: undefined,
     claude: true,
     cursor: true,
@@ -75,7 +128,10 @@ function parseArgs(argv) {
     else if (a === '--yes') out.yes = true;
     else if (a === '--reconfig') out.reconfig = true;
     else if (a === '--global') out.global = true;
-    else if (a === '--api-url' || a === '-a') out.apiUrl = next();
+    else if (a === '--app-url') out.appUrl = next();
+    else if (a === '--api-url' || a === '-a') {
+      throw new Error(`${a} is no longer supported for setup; use --app-url instead`);
+    }
     else if (a === '--api-token' || a === '-t') out.apiToken = next();
     else if (a === '--email' || a === '-e' || a === '--password' || a === '-p') {
       throw new Error(`${a} is no longer supported; use --api-token instead`);
@@ -105,6 +161,34 @@ function buildServerEntry(apiUrl, apiToken) {
   };
 }
 
+function normalizeAppUrl(appUrl) {
+  const raw = String(appUrl || '').trim().replace(/\/+$/, '');
+  if (!raw) return '';
+  return raw.replace(/\/(?:api|enfyra)$/i, '') || raw;
+}
+
+function deriveApiUrlFromAppUrl(appUrl) {
+  const normalized = normalizeAppUrl(appUrl);
+  return normalized ? `${normalized}/api` : 'http://localhost:3000/api';
+}
+
+function deriveAppUrlFromApiUrl(apiUrl) {
+  return normalizeAppUrl(apiUrl);
+}
+
+function deriveMeUrl(appUrl) {
+  const normalized = normalizeAppUrl(appUrl);
+  return normalized ? `${normalized}/me` : '/me';
+}
+
+function resolveDefaultAppUrl(opts, existing) {
+  const appCandidate = opts.appUrl ?? process.env.ENFYRA_APP_URL;
+  if (appCandidate) return normalizeAppUrl(appCandidate);
+  const apiCandidate = process.env.ENFYRA_API_URL ?? existing.apiUrl;
+  if (apiCandidate) return deriveAppUrlFromApiUrl(apiCandidate);
+  return 'http://localhost:3000';
+}
+
 async function mergeMcpFile(absPath, serverEntry) {
   let data = { mcpServers: {} };
   try {
@@ -160,7 +244,8 @@ async function mergeCodexConfig(absPath, apiUrl, apiToken) {
     if (!skip) kept.push(line);
   }
 
-  const next = `${kept.join('\n').trimEnd()}\n\n${buildCodexTomlBlock(apiUrl, apiToken)}`;
+  const prefix = kept.join('\n').trimEnd();
+  const next = prefix ? `${prefix}\n\n${buildCodexTomlBlock(apiUrl, apiToken)}` : buildCodexTomlBlock(apiUrl, apiToken);
   await mkdir(dirname(absPath), { recursive: true });
   await writeFile(absPath, next, 'utf8');
 }
@@ -213,6 +298,13 @@ function getCursorConfigPath(root, globalScope) {
   return globalScope ? join(homedir(), '.cursor', 'mcp.json') : join(root, '.cursor', 'mcp.json');
 }
 
+function getClientPath(client, root, globalScope) {
+  if (client === 'claude') return getClaudeConfigPath(root, globalScope);
+  if (client === 'cursor') return getCursorConfigPath(root, globalScope);
+  if (client === 'codex') return getCodexConfigPath(root, globalScope);
+  throw new Error(`Unknown MCP client: ${client}`);
+}
+
 async function loadExistingEnfyraEnv(root, readClaude, readCursor, readCodex, globalScope) {
   const paths = [];
   if (readClaude) paths.push(getClaudeConfigPath(root, globalScope));
@@ -246,19 +338,19 @@ async function loadExistingEnfyraEnv(root, readClaude, readCursor, readCodex, gl
 async function promptTargetChoice() {
   const choices = [
     {
-      label: 'Claude Code — project ./.mcp.json',
-      value: { claude: true, cursor: false, codex: false },
+      client: 'codex',
+      value: { claude: false, cursor: false, codex: true },
     },
     {
-      label: 'Cursor — project ./.cursor/mcp.json',
-      value: { claude: false, cursor: true, codex: false },
+      client: 'claude',
+      value: { claude: true, cursor: false, codex: false },
     },
     {
-      label: 'Codex — project ./.codex/config.toml',
-      value: { claude: false, cursor: false, codex: true },
+      client: 'cursor',
+      value: { claude: false, cursor: true, codex: false },
     },
     {
-      label: 'All',
+      client: 'all',
       value: { claude: true, cursor: true, codex: true },
     },
   ];
@@ -269,9 +361,9 @@ async function promptTargetChoice() {
   const rl = createInterface({ input, output });
   const line = (await rl.question(
     'Where should Enfyra MCP config be written?\n'
-      + '  [1] Claude Code — ./.mcp.json\n'
-      + '  [2] Cursor — ./.cursor/mcp.json\n'
-      + '  [3] Codex — ./.codex/config.toml\n'
+      + '  [1] Codex        ./.codex/config.toml\n'
+      + '  [2] Claude Code  ./.mcp.json\n'
+      + '  [3] Cursor       ./.cursor/mcp.json\n'
       + '  [4] All [default]\n'
       + 'Choice [4]: ',
   )).trim().toLowerCase();
@@ -279,15 +371,15 @@ async function promptTargetChoice() {
   if (line === '' || line === '4' || line === 'all' || line === 'a') {
     return { claude: true, cursor: true, codex: true };
   }
-  if (line === '1' || line === 'c' || line === 'claude') {
+  if (line === '1' || line === 'codex' || line === 'x') {
+    return { claude: false, cursor: false, codex: true };
+  }
+  if (line === '2' || line === 'claude' || line === 'claude-code') {
     return { claude: true, cursor: false, codex: false };
   }
-  if (line === '2' || line === 'u' || line === 'cursor') {
+  if (line === '3' || line === 'cursor' || line === 'u') {
     return { claude: false, cursor: true, codex: false };
   }
-  if (line === '3' || line === 'x' || line === 'codex') {
-    return { claude: false, cursor: false, codex: true };
-  }
   return { claude: true, cursor: true, codex: true };
 }
 
@@ -295,15 +387,35 @@ async function promptTargetSelect(choices, initialIndex = 0) {
   let selected = Math.max(0, Math.min(initialIndex, choices.length - 1));
   let renderedLines = 0;
 
+  const formatChoice = (choice, active) => {
+    const indicator = active ? style.cyan('◆') : style.dim('◇');
+    const accent = active ? style.cyan('│') : style.dim('│');
+    if (choice.client === 'all') {
+      const label = active ? style.bold(style.underline('All supported clients')) : 'All supported clients';
+      const paddedLabel = label + ' '.repeat(22 - 'All supported clients'.length);
+      const hint = active ? style.cyan('Codex + Claude Code + Cursor') : style.dim('Codex + Claude Code + Cursor');
+      return `${accent} ${indicator} ${paddedLabel} ${hint}`;
+    }
+
+    const meta = clients[choice.client];
+    const label = active ? style.bold(meta.color(meta.label)) : meta.color(meta.label);
+    const paddedLabel = label + ' '.repeat(Math.max(1, 22 - meta.label.length));
+    const path = active ? style.cyan(meta.path) : style.dim(meta.path);
+    return `${accent} ${indicator} ${paddedLabel} ${path}`;
+  };
+
   const render = () => {
     if (renderedLines > 0) {
       output.write(`\x1B[${renderedLines}A\x1B[0J`);
     }
     const lines = [
-      'Where should Enfyra MCP config be written?',
-      ...choices.map((choice, index) => `${index === selected ? '›' : ' '} ${choice.label}`),
-      '',
-      'Use ↑/↓ to move, Enter to select.',
+      `${style.cyan('◆')} ${style.bold('Enfyra MCP setup')}`,
+      `${style.dim('│')} ${style.dim('Choose where to write the project config.')}`,
+      style.dim('│'),
+      ...choices.map((choice, index) => formatChoice(choice, index === selected)),
+      style.dim('│'),
+      style.dim('Choose one client config, or write all supported project configs.'),
+      `${style.dim('└')} ${style.dim('Use ↑/↓ to move, Enter to select, Ctrl+C to cancel.')}`,
     ];
     renderedLines = lines.length;
     output.write(`${lines.join('\n')}\n`);
@@ -352,31 +464,42 @@ async function promptTargetSelect(choices, initialIndex = 0) {
 }
 
 async function promptConfig(opts, existing) {
-  let apiUrl = opts.apiUrl;
+  let appUrl = opts.appUrl ? normalizeAppUrl(opts.appUrl) : '';
   let apiToken = opts.apiToken;
-  if (apiUrl !== undefined && apiToken !== undefined) {
-    return { apiUrl: String(apiUrl).replace(/\/$/, ''), apiToken };
+  if (appUrl && apiToken !== undefined) {
+    return { apiUrl: deriveApiUrlFromAppUrl(appUrl), apiToken };
   }
 
   const rl = createInterface({ input, output });
-  const q = (msg) => rl.question(msg);
-
-  const defaultUrl = (
-    opts.apiUrl ??
-    process.env.ENFYRA_API_URL ??
-    (existing.apiUrl || undefined) ??
-    'http://localhost:3000/api'
-  ).replace(/\/$/, '');
-  if (apiUrl === undefined) {
-    const line = (await q(`ENFYRA_API_URL [${defaultUrl}]: `)).trim();
-    apiUrl = line || defaultUrl;
+  const q = async (msg) => {
+    try {
+      return await rl.question(msg);
+    } catch (error) {
+      if (isCancelError(error)) {
+        throw new Error('Cancelled');
+      }
+      throw error;
+    }
+  };
+
+  const defaultAppUrl = resolveDefaultAppUrl(opts, existing);
+  if (!appUrl) {
+    console.log(`${style.cyan('◆')} ${style.bold('Connect to Enfyra')}`);
+    console.log(`${style.dim('│')} Enter the Enfyra app URL. The API base will be inferred as ${style.bold('<app>/api')}.`);
+    const line = (await q(`${style.dim('└')} ENFYRA_APP_URL ${style.dim(`[${defaultAppUrl}]`)}: `)).trim();
+    appUrl = normalizeAppUrl(line || defaultAppUrl);
   }
-  apiUrl = String(apiUrl).replace(/\/$/, '');
+  const apiUrl = deriveApiUrlFromAppUrl(appUrl);
 
   const defaultApiToken = opts.apiToken ?? process.env.ENFYRA_API_TOKEN ?? existing.apiToken ?? '';
   if (apiToken === undefined) {
     const hint = defaultApiToken ? ' (Enter = keep current)' : '';
-    const line = (await q(`ENFYRA_API_TOKEN${hint}: `)).trim();
+    const meUrl = deriveMeUrl(appUrl);
+    console.log('');
+    console.log(`${style.cyan('◆')} ${style.bold('API token')}`);
+    console.log(`${style.dim('│')} If you do not have a token yet, open: ${style.cyan(meUrl)}`);
+    console.log(`${style.dim('│')} In the Enfyra admin UI, open ${style.bold('/me')} and create/copy a programmatic API token.`);
+    const line = (await q(`${style.dim('└')} ENFYRA_API_TOKEN${hint}: `)).trim();
     apiToken = line !== '' ? line : defaultApiToken;
   }
 
@@ -385,17 +508,25 @@ async function promptConfig(opts, existing) {
 }
 
 function resolveNonInteractive(opts, existing) {
-  const apiUrl = (
-    opts.apiUrl ??
-    process.env.ENFYRA_API_URL ??
-    (existing.apiUrl || undefined) ??
-    'http://localhost:3000/api'
-  ).replace(/\/$/, '');
+  const appUrl = resolveDefaultAppUrl(opts, existing);
+  const apiUrl = deriveApiUrlFromAppUrl(appUrl);
   const apiToken = opts.apiToken ?? process.env.ENFYRA_API_TOKEN ?? existing.apiToken ?? '';
   return { apiUrl, apiToken };
 }
 
 export async function runLocalConfig(argv) {
+  const onSigint = () => exitCancelled();
+  const onUnhandledRejection = (error) => {
+    if (isCancelError(error)) exitCancelled();
+  };
+  const onUncaughtException = (error) => {
+    if (isCancelError(error)) exitCancelled();
+    throw error;
+  };
+  process.once('SIGINT', onSigint);
+  process.once('unhandledRejection', onUnhandledRejection);
+  process.once('uncaughtException', onUncaughtException);
+
   let opts;
   try {
     opts = parseArgs(argv);
@@ -427,43 +558,67 @@ export async function runLocalConfig(argv) {
 
   let apiUrl;
   let apiToken;
-  if (usePrompt) {
-    const resolved = await promptConfig(opts, existing);
-    apiUrl = resolved.apiUrl;
-    apiToken = resolved.apiToken;
-  } else {
-    const resolved = resolveNonInteractive(opts, existing);
-    apiUrl = resolved.apiUrl;
-    apiToken = resolved.apiToken;
+  try {
+    if (usePrompt) {
+      const resolved = await promptConfig(opts, existing);
+      apiUrl = resolved.apiUrl;
+      apiToken = resolved.apiToken;
+    } else {
+      const resolved = resolveNonInteractive(opts, existing);
+      apiUrl = resolved.apiUrl;
+      apiToken = resolved.apiToken;
+    }
+  } catch (error) {
+    if (isCancelError(error)) {
+      exitCancelled();
+      return;
+    }
+    throw error;
   }
 
   const serverEntry = buildServerEntry(apiUrl, apiToken);
   const written = [];
 
+  if (writeCodex) {
+    const p = getClientPath('codex', root, opts.global);
+    await mergeCodexConfig(p, apiUrl, apiToken);
+    written.push({ client: 'codex', path: p });
+  }
   if (writeClaude) {
-    const p = getClaudeConfigPath(root, opts.global);
+    const p = getClientPath('claude', root, opts.global);
     await mergeMcpFile(p, serverEntry);
-    written.push(p);
+    written.push({ client: 'claude', path: p });
   }
   if (writeCursor) {
-    const p = getCursorConfigPath(root, opts.global);
+    const p = getClientPath('cursor', root, opts.global);
     await mergeMcpFile(p, serverEntry);
-    written.push(p);
+    written.push({ client: 'cursor', path: p });
   }
-  if (writeCodex) {
-    const p = getCodexConfigPath(root, opts.global);
-    await mergeCodexConfig(p, apiUrl, apiToken);
-    written.push(p);
+
+  const scopeLabel = opts.global ? 'global/user' : 'project';
+  console.log(`${statusIcon('success')} ${style.bold(style.green('Enfyra MCP config updated'))} ${style.dim(`(${scopeLabel})`)}\n`);
+  for (const entry of written) {
+    const meta = clients[entry.client];
+    console.log(`  ${style.cyan('•')} ${style.bold(meta.color(meta.label))}`);
+    console.log(`    ${style.dim(entry.path)}`);
   }
 
-  console.log('Enfyra MCP — local config updated:\n');
-  for (const p of written) console.log(`  ${p}`);
-  console.log('\nNext steps:');
-  console.log('  • Codex: open this folder in a new Codex session so project ./.codex/config.toml is loaded.');
-  console.log('  • Claude Code: open this folder; approve project MCP if prompted (`claude mcp reset-project-choices` to reset).');
-  console.log('  • Cursor: open this folder, restart Cursor or reload MCP, then confirm server under Settings → MCP.');
-  console.log('  • Run `config` again anytime to change values (same files are merged/overwritten for `enfyra`).');
+  const selectedClients = new Set(written.map(entry => entry.client));
+  console.log(`\n${style.bold(style.blue('Next steps'))}`);
+  if (selectedClients.has('codex')) {
+    console.log('  - Codex: open this folder in a new Codex session so config is loaded.');
+  }
+  if (selectedClients.has('claude')) {
+    console.log('  - Claude Code: open this folder; approve project MCP if prompted.');
+  }
+  if (selectedClients.has('cursor')) {
+    console.log('  - Cursor: restart Cursor or reload MCP, then confirm the server under Settings -> MCP.');
+  }
+  console.log('  - Re-run this command anytime to update the same Enfyra entries.');
   if (!apiToken) {
-    console.log('\nWarning: ENFYRA_API_TOKEN is empty — tools will not authenticate until set.');
+    console.log(`\n${statusIcon('warn')} ${style.yellow('ENFYRA_API_TOKEN is empty; tools will not authenticate until it is set.')}`);
   }
+  process.off('SIGINT', onSigint);
+  process.off('unhandledRejection', onUnhandledRejection);
+  process.off('uncaughtException', onUncaughtException);
 }

package/src/lib/mcp-examples.js

@@ -153,6 +153,26 @@ onUnmounted(() => {
           'Disconnect the singleton socket when the current user/session clears.',
         ],
       },
+      {
+        name: 'OAuth provider setup values',
+        code: `// Enfyra OAuth config row, stored in oauth_config_definition.
+{
+  "provider": "google",
+  "clientId": "<google-client-id>",
+  "clientSecret": "<google-client-secret>",
+  "redirectUri": "http://localhost:3000/api/auth/google/callback",
+  "isEnabled": true
+}
+
+// Google Cloud Console -> Authorized redirect URIs:
+// http://localhost:3000/api/auth/google/callback`,
+        notes: [
+          'redirectUri is the Enfyra callback URL: {ENFYRA_API_URL}/auth/google/callback.',
+          'The provider console callback URL and oauth_config_definition.redirectUri must match exactly.',
+          'This callback URL is not the app return page; the app return page is sent as the redirect query when starting OAuth.',
+          'Use appCallbackUrl only for manual-token apps that intentionally read token query parameters.',
+        ],
+      },
       {
         name: 'Google OAuth button',
         code: `const redirect = new URL("/chat", window.location.origin)
@@ -164,6 +184,7 @@ window.location.href = url.toString()`,
           'redirect must be absolute and must include the app origin.',
           'cookieBridgePrefix is the app proxy prefix that forwards to Enfyra API routes.',
           'Enfyra redirects through {redirect.origin}{cookieBridgePrefix}/auth/set-cookies before returning to redirect.',
+          'After returning, call /enfyra/me to load the authenticated user; do not parse tokens from the URL in proxy-cookie mode.',
         ],
       },
     ],
@@ -1040,7 +1061,7 @@ update_method({
           'Use dedicated method tools instead of generic CRUD on method_definition.',
           'The backend stores the method label in method_definition.name; do not send or filter a method_definition.method field.',
           'buttonColor is the badge background and textColor is the badge text color.',
-          'The eApp management UI is /settings/methods.',
+          'The Enfyra admin UI is /settings/methods.',
           'delete_method is preview-first and should only be used for unused custom methods.',
         ],
       },
@@ -1080,8 +1101,8 @@ create_extension({
           'Do not put ordinary KPI cards in PageHeader.stats; render metrics in the extension body.',
           'Put page-level actions in useHeaderActionRegistry or useSubHeaderActionRegistry, destructure register first, then call it with one action or an array.',
           'Page extensions should be full-bleed by default and responsive from the first version.',
-          'The extension root is already inside eApp main; do not add root-level page padding.',
-          'After saving, open eApp tabs should update through the server/eApp realtime reload contract; do not tell the user to refresh unless that contract is proven broken.',
+          'The extension root is already inside Enfyra admin page main; do not add root-level page padding.',
+          'After saving, open Enfyra admin tabs should update through the server/Enfyra admin UI realtime reload contract; do not tell the user to refresh unless that contract is proven broken.',
         ],
       },
       {
@@ -1141,7 +1162,7 @@ create_extension({
           'Do not mutate widget props. Use computed for derived display state, and use watch only when mirroring a prop into local editable draft state.',
           'Prefer defineEmits for child-to-parent requests such as refresh. Use callback props only for parent-owned modal/drawer openers or imperative navigation.',
           'Keep PermissionGate and type="button" plus @click.stop.prevent inside action widgets; server permissions still enforce the real boundary.',
-          'eApp batch-fetches widget metadata requested in the same tick and caches loaded widgets, so render Widget components directly instead of manually fetching widget code.',
+          'the Enfyra admin UI batch-fetches widget metadata requested in the same tick and caches loaded widgets, so render Widget components directly instead of manually fetching widget code.',
         ],
       },
       {
@@ -1211,13 +1232,13 @@ create_extension({
   isEnabled: true
 })`,
         notes: [
-          'Global extensions are mounted invisibly by eApp during layout init; do not create a menu and do not embed them with Widget.',
+          'Global extensions are mounted invisibly by Enfyra admin UI during layout init; do not create a menu and do not embed them with Widget.',
           'Use them for shell-level registrations, realtime listeners, notification counters, account panel rows, and background refresh bridges.',
           'Keep the global extension template empty or hidden; visible UI should be registered into an existing shell registry or component slot.',
-          'For account-panel UI, register data-driven row fields so eApp owns icon size, row spacing, badge placement, hover state, and expanded chrome.',
+          'For account-panel UI, register data-driven row fields so Enfyra admin UI owns icon size, row spacing, badge placement, hover state, and expanded chrome.',
           'Use contentComponent only for expanded inner content; use raw component only as an escape hatch when the row cannot fit the shell contract.',
           'Destructure registry functions and register stable ids so reloads replace the same shell item predictably.',
-          'Remove socket or DOM listeners in onUnmounted; eApp unmounts old global components when extension cache reloads or the extension is disabled.',
+          'Remove socket or DOM listeners in onUnmounted; The Enfyra admin UI unmounts old global components when extension cache reloads or the extension is disabled.',
         ],
       },
       {
@@ -1257,7 +1278,7 @@ register({
         notes: [
           'Prefer this contract for shell/account-panel items: data fields for the row, optional contentComponent for the expanded body.',
           'Do not draw a custom full row with page-scale cards, hero headings, large whitespace, or nested buttons unless the shell contract cannot express the UI.',
-          'Let eApp handle the row button, icon container, label, microcopy, badge, chevron, hover state, spacing, and expanded wrapper.',
+          'Let the Enfyra admin UI handle the row button, icon container, label, microcopy, badge, chevron, hover state, spacing, and expanded wrapper.',
           'Keep contentComponent compact; it is rendered inside account-panel chrome and should not create another large card around itself.',
           'Register the component from a `type="global"` extension, not from a page extension, when it must appear everywhere.',
         ],
@@ -1316,7 +1337,7 @@ registerHeaderActions([
         ],
       },
       {
-        name: 'Debug menu or extension changes that do not appear in open eApp tabs',
+        name: 'Debug menu or extension changes that do not appear in open Enfyra admin tabs',
         code: `// Server side: menu_definition and extension_definition are runtime UI definitions.
 // They must participate in partial reload, just like metadata/routes.
 // Expected server contract:
@@ -1324,7 +1345,7 @@ registerHeaderActions([
 // - cache orchestrator maps extension_definition -> extension reload
 // - successful writes emit $system:reload to the admin Socket.IO namespace
 
-// eApp side expected listener behavior:
+// Enfyra admin UI side expected listener behavior:
 // if reload target is metadata/menu:
 //   await fetch menus
 //   rebuild menu registry with reset: true
@@ -1335,12 +1356,12 @@ registerHeaderActions([
 
 // Verification pattern:
 // 1. Save the menu or extension record.
-// 2. Watch the open eApp tab for the $system:reload event.
+// 2. Watch the open Enfyra admin UI tab for the $system:reload event.
 // 3. Confirm sidebar/menu registry or extension component cache changed.
 // 4. Only use manual reload endpoints or browser refresh after the natural event path is proven stale.`,
         notes: [
           'Do not treat menu and extension writes as plain CRUD when debugging live admin UI.',
-          'Check both halves: ASV/ESV emits the reload event, and eApp consumes it.',
+          'Check both halves: Enfyra Server emits the reload event, and Enfyra admin UI consumes it.',
           'Menu reload should also invalidate extension cache because menu records attach page extensions to routes.',
           'Manual reload is a fallback, not the default fix.',
         ],
@@ -1380,7 +1401,7 @@ create_menu({
           'PageHeader.stats is reserved for deliberate overview headers; operational KPIs belong in body cards/tables.',
           'Operational history pages should not show raw event rows as the primary UI; group by entity/run and translate step keys into operator-facing labels.',
           'Operational lists should use pagination plus search/filter controls; do not rely on arbitrary fixed limits such as limit=50.',
-          'UTabs is available in eApp extension runtime for page-level sections.',
+          'UTabs is available in the Enfyra admin UI extension runtime for page-level sections.',
           'Admin links for editing or inspecting records should point to /data/<table> routes.',
         ],
       },
@@ -1463,7 +1484,7 @@ console.log(ok, requiredTerms.has('terms'), loaded, label, date)
 </script>`,
         notes: [
           'Do not rewrite extension code to ES5 when tooling rejects modern APIs.',
-          'If diagnostics complain about these APIs, fix eApp extension TypeScript lib/runtime contract.',
+          'If diagnostics complain about these APIs, fix Enfyra admin extension TypeScript lib/runtime contract.',
         ],
       },
       {

package/src/lib/mcp-instructions.js

@@ -44,7 +44,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '### Capability map (current Enfyra system)',
     '- **Schema/metadata:** `table_definition`, `relation_definition`, and schema tools manage tables, columns, relations, validation, and migrations. `column_definition` is internal/no-route; columns are created/updated through table schema operations.',
     '- **Dynamic REST API:** `route_definition`, `route_handler_definition`, `pre_hook_definition`, `post_hook_definition`, `route_permission_definition`, and `method_definition` define paths, methods, handlers, hooks, and permissions.',
-    '- **Auth/OAuth/session:** `user_definition`, `role_definition`, `api_token_definition`, `oauth_config_definition`, `oauth_account_definition`; `session_definition` and `api_token_definition` are internal/no-route. OAuth is browser redirect only. MCP uses `ENFYRA_API_TOKEN` through `/auth/token/exchange`; configure tokens from eApp `/me`. `user_definition` is the single source of truth for app users.',
+    '- **Auth/OAuth/session:** `user_definition`, `role_definition`, `api_token_definition`, `oauth_config_definition`, `oauth_account_definition`; `session_definition` and `api_token_definition` are internal/no-route. OAuth is browser redirect only. MCP uses `ENFYRA_API_TOKEN` through `/auth/token/exchange`; configure tokens from the Enfyra admin UI `/me`. `user_definition` is the single source of truth for app users.',
     '- **Guards/permissions/validation:** `guard_definition`, `guard_rule_definition`, `field_permission_definition`, and `column_rule_definition` control route guards, field access, and request body validation.',
     '- **GraphQL:** `gql_definition` enables tables in GraphQL. GraphQL endpoint and schema share `ENFYRA_API_URL`; GraphQL requires Bearer auth.',
     '- **Files/storage/assets:** `file_definition`, `file_permission_definition`, `folder_definition`, `storage_config_definition` plus upload/assets routes and file helpers.',
@@ -302,7 +302,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Condition branching**: Condition step uses JavaScript truthy/falsy evaluation (e.g. `return user` → truthy if exists, falsy if null/0/undefined). Children with matching `parent: {id: conditionStepId}` and `branch: "true"/"false"` execute. Root steps (no parent) always execute sequentially.',
     '- **Safety**: Max nesting depth 10 (flow triggering flow). Circular flow detection prevents A→B→A loops. HTTP steps: **SSRF hardening** — only `http`/`https`; blocks `localhost`, private IPs, and hostnames resolving to private IPs (use internet-facing URLs like `https://api.example.com`, not internal services, unless server policy changes). Default HTTP timeout 30s (AbortController). `$trigger()` available inside flow steps.',
     '- **Workflow**: Create flow → `create_record` on `flow_definition`. Add steps → `create_record` on `flow_step_definition` with `flow: {id}`. For branch steps, set `parent: {id: conditionStepId}` and `branch: "true"` or `"false"`. Trigger manually via `POST /admin/flow/trigger/{flowId}`.',
-    '- **Flow source sanity:** after creating or patching a multi-step flow, refetch saved `flow_step_definition` rows and verify every script/condition step has executable step-specific `sourceCode` with a body/return. A helper-only source block that parses successfully is still broken and must be patched before the user sees it in eApp.',
+    '- **Flow source sanity:** after creating or patching a multi-step flow, refetch saved `flow_step_definition` rows and verify every script/condition step has executable step-specific `sourceCode` with a body/return. A helper-only source block that parses successfully is still broken and must be patched before the user sees it in the Enfyra admin UI.',
     '- **Test step**: `POST /admin/test/run` with body `{kind:"flow_step", type, config, timeout}` — runs a single step without saving, returns `{success, result, error, duration}`.',
     '- MCP wrappers: use **`test_flow_step`** for one flow step, **`run_admin_test`** for flow/websocket tests, and **`trigger_flow`** for saved flows.',
     '- **In handlers/hooks**: Trigger flows via `$ctx.$trigger("flow-name", {payload})` or `$ctx.$trigger(flowId, {payload})`.',
@@ -315,33 +315,33 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Design first for dashboards:** before creating/updating a dashboard extension, define the menu/page split, time range controls, tabs, and drill-down links. Keep `/dashboard` as a compact summary and routing hub only: KPIs, current signal, attention queue, and navigation cards. Put detailed lists/tables/timelines into focused pages such as jobs, orders, reports, integrations, and settings.',
     '- **Operational page modeling:** model admin operational pages around the operator mental entity, not raw database/event rows. For long-running jobs, group history by entity/run, translate internal step keys into readable labels, show current step, operator meaning, and next action, and keep raw history as a secondary `/data` shortcut.',
     '- **Operational list data loading:** do not use arbitrary fixed limits such as `limit=50` as the whole data strategy for admin pages. Use pagination, expose result count when the API supports `meta=filterCount`, and add search/filter controls for natural lookup keys such as id, name, slug, status, email, or external reference.',
-    '- **ESV aggregate contract:** aggregate query must be an object keyed by a real field or relation, for example `aggregate: { id: { count: true }, status: { count: { _eq: "failed" } }, amount: { sum: true } }`. Results are returned in `response.meta.aggregate`. Time windows and cross-field conditions belong in top-level `filter`, not inside a field aggregate condition. Field aggregate conditions only support operators on that same field; relation aggregates use `countRecords`.',
-    '- **Aggregate numeric rule:** `sum` and `avg` require a numeric field in ESV. Do not aggregate money stored as varchar/text. Use a numeric money field such as `amount_usd` with type `float`, `amount_cents`, or `amount` for revenue stats, or build a dedicated stats route that normalizes legacy values explicitly. If metadata says `float` but SQL aggregate still fails with `sum(character varying)`, the Enfyra Server physical schema is stale or missing the SQL float DDL mapping and must be redeployed/healed before relying on aggregate.',
+    '- **Enfyra aggregate contract:** aggregate query must be an object keyed by a real field or relation, for example `aggregate: { id: { count: true }, status: { count: { _eq: "failed" } }, amount: { sum: true } }`. Results are returned in `response.meta.aggregate`. Time windows and cross-field conditions belong in top-level `filter`, not inside a field aggregate condition. Field aggregate conditions only support operators on that same field; relation aggregates use `countRecords`.',
+    '- **Aggregate numeric rule:** `sum` and `avg` require a numeric field in Enfyra Server. Do not aggregate money stored as varchar/text. Use a numeric money field such as `amount_usd` with type `float`, `amount_cents`, or `amount` for revenue stats, or build a dedicated stats route that normalizes legacy values explicitly. If metadata says `float` but SQL aggregate still fails with `sum(character varying)`, the Enfyra Server physical schema is stale or missing the SQL float DDL mapping and must be redeployed/healed before relying on aggregate.',
     '- **Snapshot migrations:** backend metadata/physical schema renames belong in `data/snapshot-migration.json` via table-driven `columnsToModify` entries. The server migration/self-heal path should read table name plus `oldName`/`newName` dynamically; do not hard-code one-off table repairs when the snapshot migration contract can express the change.',
-    '- **Partial reload default:** ESV/ASV automatically triggers partial reloads for metadata, routes, menus, extensions, flows, handlers, and related caches after successful writes. Do not reflexively call `/admin/reload`, `/admin/reload/metadata`, or `/admin/reload/routes` after each change. Verify naturally first; use manual reload only when verification shows stale behavior, a reload event failed, or a concrete error indicates the partial reload did not apply.',
-    '- **Menu/extension realtime reload contract:** `menu_definition` and `extension_definition` writes are runtime UI changes, not plain CRUD. The server cache orchestrator must emit `$system:reload` through the admin Socket.IO channel with identifiers that eApp handles; eApp must refetch menus/rebuild the menu registry for menu reloads, invalidate dynamic extension caches for extension reloads, and reload enabled `type="global"` shell extensions when extension/menu metadata changes. Menu reloads can change route-to-extension mapping, so they should also invalidate extension cache. If an open admin tab does not reflect menu/extension changes, debug this two-sided reload contract before telling the user to refresh.',
+    '- **Partial reload default:** Enfyra Server automatically triggers partial reloads for metadata, routes, menus, extensions, flows, handlers, and related caches after successful writes. Do not reflexively call `/admin/reload`, `/admin/reload/metadata`, or `/admin/reload/routes` after each change. Verify naturally first; use manual reload only when verification shows stale behavior, a reload event failed, or a concrete error indicates the partial reload did not apply.',
+    '- **Menu/extension realtime reload contract:** `menu_definition` and `extension_definition` writes are runtime UI changes, not plain CRUD. The server cache orchestrator must emit `$system:reload` through the admin Socket.IO channel with identifiers that the Enfyra admin UI handles; Enfyra admin UI must refetch menus/rebuild the menu registry for menu reloads, invalidate dynamic extension caches for extension reloads, and reload enabled `type="global"` shell extensions when extension/menu metadata changes. Menu reloads can change route-to-extension mapping, so they should also invalidate extension cache. If an open admin tab does not reflect menu/extension changes, debug this two-sided reload contract before telling the user to refresh.',
     '- **Dashboard stats:** time range buttons must change the query filter and reload stats. Dashboards should summarize actionable errors and high-level activity; successful/no-error background runs usually do not need a standalone page unless there is a real workflow to manage.',
-    '- **Page layout default:** page extensions should render full-bleed inside the app shell by default. The extension root is already inside the eApp page `<main>`, so do not add root-level page padding such as `p-4 sm:p-6 xl:p-8`; use spacing between internal sections only. Do not wrap the entire page in a centered card/container unless explicitly requested. Use responsive grids/stacks from the first version so the page works on desktop, tablet, and mobile.',
-    '- **PageHeader is mandatory for page extensions:** eApp already renders `CommonPageHeader` from `usePageHeaderRegistry()` in the app shell. Page extensions must call `const { registerPageHeader } = usePageHeaderRegistry()` and register app-level context such as `{ title, description, leadingIcon, gradient, variant }` instead of rendering their own top `<header>` inside extension content. Use `variant: "minimal"` for operational/admin detail pages unless the page intentionally needs a larger title strip.',
+    '- **Page layout default:** page extensions should render full-bleed inside the app shell by default. The extension root is already inside the Enfyra admin UI page `<main>`, so do not add root-level page padding such as `p-4 sm:p-6 xl:p-8`; use spacing between internal sections only. Do not wrap the entire page in a centered card/container unless explicitly requested. Use responsive grids/stacks from the first version so the page works on desktop, tablet, and mobile.',
+    '- **PageHeader is mandatory for page extensions:** The Enfyra admin shell already renders `CommonPageHeader` from `usePageHeaderRegistry()` in the app shell. Page extensions must call `const { registerPageHeader } = usePageHeaderRegistry()` and register app-level context such as `{ title, description, leadingIcon, gradient, variant }` instead of rendering their own top `<header>` inside extension content. Use `variant: "minimal"` for operational/admin detail pages unless the page intentionally needs a larger title strip.',
     '- **Do not misuse PageHeader stats:** `PageHeader.stats` renders prominent stat cards inside the shell header. Do not put normal operational KPIs, capacity totals, billing totals, or detail metrics there by default; keep those as body cards/tables where the operator can scan them with the page content. Only use PageHeader stats for a deliberately compact overview page where the stats are truly header-level context.',
     '- **Page actions belong in registries:** Move page-level buttons into `useHeaderActionRegistry` or `useSubHeaderActionRegistry`; keep the extension body for operational content only. Destructure `register` first, then call it with one action or an array, for example `const { register: registerHeaderActions } = useHeaderActionRegistry(); registerHeaderActions([{ id: "create", label: "Create report", permission: { and: [{ route: "/report_definition", methods: ["POST"] }] }, onClick }])`. Sensitive registry actions must include a `permission` condition.',
     '- **Header action button variants:** choose the button variant by intent. Use `color: "primary", variant: "solid"` for the main page action. Use `color: "neutral", variant: "ghost"` for back/navigation actions and `color: "neutral", variant: "outline"` for visible secondary actions. `variant: "soft"` is only for low-emphasis secondary/chrome actions; do not use soft for critical or primary header actions just because it looks acceptable in dark mode.',
-    '- **HTTP method management:** use the dedicated MCP tools `list_methods`, `create_method`, `update_method`, and preview-first `delete_method` for `method_definition`. The backend field is `method_definition.name`, unique per method; do not send `method_definition.method`. The eApp UI for the same records is `/settings/methods`. Method color fields are `buttonColor` for badge background and `textColor` for badge text, both full hex colors. Do not use generic `create_record` on `method_definition` unless the dedicated tool is unavailable.',
+    '- **HTTP method management:** use the dedicated MCP tools `list_methods`, `create_method`, `update_method`, and preview-first `delete_method` for `method_definition`. The backend field is `method_definition.name`, unique per method; do not send `method_definition.method`. The Enfyra admin UI UI for the same records is `/settings/methods`. Method color fields are `buttonColor` for badge background and `textColor` for badge text, both full hex colors. Do not use generic `create_record` on `method_definition` unless the dedicated tool is unavailable.',
     '- **Extension navigation:** prefer `NuxtLink` or Nuxt UI components with `:to` for visible navigation links and drill-down cards/buttons. Use `navigateTo(...)` only for imperative navigation after submit, confirm, mutation, or another side effect.',
-    '- **Extension runtime scope:** eApp exposes Vue APIs and injected Nuxt/Enfyra composables both to script global scope and Vue app `globalProperties`. Template expressions may call injected helpers directly, for example after a save handler can call `navigateTo("/data/report_definition")`, because Vue compiles template helpers to `_ctx.*`.',
-    '- **Global extension lifecycle:** `extension_definition.type="global"` records are Vue SFC components mounted invisibly once at the eApp shell level. Use them for app-wide registrations such as account panel items, notification bells, admin socket listeners, and background refresh bridges. They do not need a menu, must not render page body UI, and should clean up socket/listener side effects with `onUnmounted`. Prefer registry composables such as `useAccountPanelRegistry`, `useHeaderActionRegistry`, or `useSubHeaderActionRegistry` instead of directly editing shell DOM. For account-panel entries, register data (`label`, `icon`, `description`, `badge`, `badgeColor`, `expanded`, `onToggle`, `contentComponent`) so eApp owns row spacing, icon sizing, badges, and expanded chrome; use a raw row `component` only for a true custom escape hatch.',
-    '- **Extension realtime:** admin extensions can use `useAdminSocket()` to listen to the shared admin Socket.IO client instead of creating a separate browser socket. Use it for backend admin events such as operational status changes, debounce refreshes, and unsubscribe with `socket.off(...)` in `onUnmounted`. Guard generated code with `typeof useAdminSocket === "function"` when the extension may run on an older eApp build.',
+    '- **Extension runtime scope:** Enfyra admin UI exposes Vue APIs and injected Nuxt/Enfyra composables both to script global scope and Vue app `globalProperties`. Template expressions may call injected helpers directly, for example after a save handler can call `navigateTo("/data/report_definition")`, because Vue compiles template helpers to `_ctx.*`.',
+    '- **Global extension lifecycle:** `extension_definition.type="global"` records are Vue SFC components mounted invisibly once at the Enfyra admin UI shell level. Use them for app-wide registrations such as account panel items, notification bells, admin socket listeners, and background refresh bridges. They do not need a menu, must not render page body UI, and should clean up socket/listener side effects with `onUnmounted`. Prefer registry composables such as `useAccountPanelRegistry`, `useHeaderActionRegistry`, or `useSubHeaderActionRegistry` instead of directly editing shell DOM. For account-panel entries, register data (`label`, `icon`, `description`, `badge`, `badgeColor`, `expanded`, `onToggle`, `contentComponent`) so Enfyra admin UI owns row spacing, icon sizing, badges, and expanded chrome; use a raw row `component` only for a true custom escape hatch.',
+    '- **Extension realtime:** admin extensions can use `useAdminSocket()` to listen to the shared admin Socket.IO client instead of creating a separate browser socket. Use it for backend admin events such as operational status changes, debounce refreshes, and unsubscribe with `socket.off(...)` in `onUnmounted`. Guard generated code with `typeof useAdminSocket === "function"` when the extension may run on an older Enfyra admin UI build.',
     '- **Extension CSS affects shell utility ordering:** dynamic extension CSS is injected after the app shell CSS. Shell/page-header code must not put conflicting plain Tailwind utilities on the same element, such as `flex-col` plus `flex-row`, `items-start` plus `items-center`, or `text-left` plus `text-center`. Choose one mutually exclusive class per state; otherwise extension CSS can change which utility wins and shift shell layout.',
-    '- **Admin record links:** when an admin extension links to backend records for management or inspection, point to eApp data routes such as `/data/report_definition` or `/data/order_definition`. Do not use public website paths from record fields unless the explicit intent is previewing the public website.',
+    '- **Admin record links:** when an admin extension links to backend records for management or inspection, point to Enfyra admin UI data routes such as `/data/report_definition` or `/data/order_definition`. Do not use public website paths from record fields unless the explicit intent is previewing the public website.',
     '- **Admin menu visibility is permission-driven, not RLS:** admin menu entries are sensitive and must set `menu_definition.permission` so they are visible only to users who have at least GET permission for the backing route or table. Permission conditions use HTTP `methods`, not CRUD `actions`. Do not show an admin menu merely because an extension exists or because the path is hardcoded. Example: `/reports` menu can require `{ or: [{ route: "/reports", methods: ["GET"] }, { route: "/report_definition", methods: ["GET"] }] }`.',
     '- **PermissionGate is mandatory inside admin extensions:** every sensitive action button, form, mutation, destructive workflow, and data shortcut must be wrapped in `PermissionGate` or guarded with `usePermissions()` before rendering/enabling. Default gates: list/detail visibility needs `methods: ["GET"]`; create and custom flow-trigger routes usually need `methods: ["POST"]`; native record edits need `methods: ["PATCH"]`; native delete routes need `methods: ["DELETE"]`. Root admin still passes through normal permission helpers, but extension code must not rely on root-only assumptions.',
     '- **Extension permission UX:** if the current user can read a page but cannot perform an action, hide the action by default. If hiding would confuse the workflow, render a disabled state with a short reason. Never let the button render active and depend only on the server rejection; server permissions are the final boundary, not the UI contract.',
     '- **Flow schedule UI:** schedule trigger editors must keep the server contract as `triggerConfig.cron` and `triggerConfig.timezone`, but the UI should not be a bare cron field plus giant timezone dropdown. Provide common cadence presets, readable current-schedule summary, searchable access to all IANA timezones, suggested timezone shortcuts, and a custom cron escape hatch so operators can configure recurring checks without remembering cron syntax.',
-    '- **Admin operation UI:** use eApp `CommonModal` for compact create, disable, delete, and multi-field confirmation workflows. Use `CommonDrawer` for longer setup workflows such as multi-step create/edit forms and provider/package selection. Open the modal/drawer immediately on click, then render loading/error/content inside it; do not wait for async fetches to finish before showing the shell.',
+    '- **Admin operation UI:** use Enfyra admin `CommonModal` for compact create, disable, delete, and multi-field confirmation workflows. Use `CommonDrawer` for longer setup workflows such as multi-step create/edit forms and provider/package selection. Open the modal/drawer immediately on click, then render loading/error/content inside it; do not wait for async fetches to finish before showing the shell.',
     '- **FormEditor is preferred for table-record forms:** when an extension creates or edits a concrete table record such as `report_definition`, `order_definition`, or another table-backed entity, use `FormEditor`/`FormEditorLazy` inside the modal/page when the form is a direct table edit. Customize layout with `sections`, `includes`, and `field-map`; reserve custom inputs only for workflow-specific fields that are not table columns.',
     '- **Modal form layout:** inside `CommonModal`, stack each form control vertically with label text above a full-width input/control. Use a small grid/space stack such as `grid gap-4`, `p.text-sm.font-medium`, then `UInput class="mt-2 w-full"`. Do not place modal labels and inputs side by side unless the user explicitly asks for a dense horizontal form.',
     '- **Confirmation modal flow:** destructive/admin confirmation modals must read top-to-bottom as the operator workflow. For server-hash confirmations, render: id input first, then a full-width `Request hash` button, then a disabled hash input that is auto-filled by the server response, then the final destructive action in the footer. The final action stays disabled until the typed id matches and the server hash has been requested. Do not ask operators to manually type or edit the hash.',
-    '- **Do not downgrade extension code to ES5 to appease tooling.** eApp extension runtime should support normal browser/runtime APIs such as `Array.includes`, `Set`, `Promise.all`, `String.replace`, `Intl.DateTimeFormat`, and `Intl.NumberFormat`. If diagnostics reject these, fix eApp extension checker/runtime contract instead of rewriting generated extension code around the limitation. Vue extension diagnostics should only TypeScript-check `<script setup lang="ts">`; plain `<script setup>` extension code is JavaScript and must not emit TypeScript diagnostics into the form.',
+    '- **Do not downgrade extension code to ES5 to appease tooling.** Enfyra admin extension runtime should support normal browser/runtime APIs such as `Array.includes`, `Set`, `Promise.all`, `String.replace`, `Intl.DateTimeFormat`, and `Intl.NumberFormat`. If diagnostics reject these, fix Enfyra admin extension checker/runtime contract instead of rewriting generated extension code around the limitation. Vue extension diagnostics should only TypeScript-check `<script setup lang="ts">`; plain `<script setup>` extension code is JavaScript and must not emit TypeScript diagnostics into the form.',
     '',
     '#### Injected Vue API functions:',
     '- Reactivity: `ref`, `reactive`, `computed`, `readonly`, `shallowRef`, `shallowReactive`',
@@ -367,7 +367,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **useConfirm:** Confirmation dialogs. Returns `{ confirm({ title, content, confirmText, cancelText }), isVisible, options, onConfirm, onCancel }`.',
     '- **useHeaderActionRegistry:** Register header actions. Use `const { register: registerHeaderActions } = useHeaderActionRegistry(); registerHeaderActions([{ id, label, onClick, color, icon, order, side, global, permission }])`. Action has `{ id, label, onClick, color, icon, order, side: \'left\'|\'right\', global, component, permission }`; admin actions should set `permission` by default.',
     '- **useSubHeaderActionRegistry:** Same as header but for sub-header: destructure `register` first, then call it with one action or an array.',
-    '- **useAccountPanelRegistry:** Register rows in the sidebar account panel. Destructure `const { register } = useAccountPanelRegistry()` and call `register(itemOrItems)`. Prefer data-driven items: `{ id, order, label, icon, description, badge, badgeColor, trailingIcon, expanded, onToggle, contentComponent, contentProps }`. eApp renders the row chrome and lifecycle-unregisters the caller automatically. Use `contentComponent` only for expanded inner content, and use raw `component` only when the entire row truly cannot use the shell contract.',
+    '- **useAccountPanelRegistry:** Register rows in the sidebar account panel. Destructure `const { register } = useAccountPanelRegistry()` and call `register(itemOrItems)`. Prefer data-driven items: `{ id, order, label, icon, description, badge, badgeColor, trailingIcon, expanded, onToggle, contentComponent, contentProps }`. Enfyra admin UI renders the row chrome and lifecycle-unregisters the caller automatically. Use `contentComponent` only for expanded inner content, and use raw `component` only when the entire row truly cannot use the shell contract.',
     '- **usePageHeaderRegistry:** Page title strip. `{ registerPageHeader, clearPageHeader, pageHeader, hasPageHeader }`. Config: `title`, optional `description`, `stats`, `variant`, `gradient` (`purple`|`blue`|`cyan`|`none` — horizontal strip + leading icon tint), `leadingIcon` (icon name), `hideLeadingIcon`. Call `registerPageHeader` again when title/stats must update (plain object snapshot, not refs inside the config).',
     '- **useMenuRegistry:** Menu management. Returns `{ menuItems, menuGroups, registerMenuItem, unregisterMenuItem, getMenuItemsBySidebar, findParentMenuIdByPath }`.',
     '- **useMenuApi:** Low-level menu API.',
@@ -385,7 +385,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **File Manager:** `FileManager`, `FileView`, `FileGridCard`, `CreateFolderModal`',
     '- **Menu:** `MenuRenderer`, `MenuItemEditor`',
     '- **UI:** `NuxtLink`, `UButton`, `UCard`, `UInput`, `UTable`, `UBadge` (if available)',
-    '- **Tabs:** `UTabs` is available in current eApp extension runtime. Use it for page-level sections when a page would otherwise become too long.',
+    '- **Tabs:** `UTabs` is available in current Enfyra admin extension runtime. Use it for page-level sections when a page would otherwise become too long.',
     '- **Extension:** `Widget` — embed widget extension records by numeric database id, e.g. `<Widget :id="123" />`',
     '- **WebSocket:** `WebSocketManager`',
     '- **Permission:** `PermissionGate`, `PermissionManager`',
@@ -398,13 +398,13 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **FormEditor field-map:** Customize fields via `:field-map`. Options: `label`, `description`, `hideLabel`, `hideDescription`, `component`, `componentProps`, `type`, `disabled`, `placeholder`, `permission`, `excludedOptions`/`includedOptions`, `fieldProps` (e.g. grid `class: \'md:col-span-2\'` when `layout=\'grid\'`), `booleanWrapperClass`, `fieldWrapperClass`. Optional `:sections` — array of `{ id, title?, hideHeading?, headingClass?, class?, rootClass?, fields: string[] }`; field order follows `fields`; unlisted columns render after. Custom input component: `modelValue` / `update:modelValue`.',
     '- **type "page":** Full-page extension. Requires `menu: { id }` — create menu first (`create_menu` or `create_record` on `menu_definition`), find by path/label, then create extension with `menu: { id: menuId }`. `menu_definition` uses **label** not name — filter by `label` or `path`. Sensitive/admin menus should pass a `permission` JSON object string to `create_menu` so visibility is permission-gated from creation.',
     '- **type "widget":** Widget extension. No menu required. Embed by numeric database id via `<Widget :id="123" />` in other extensions or pages.',
-    '- **type "global":** Global shell extension. No menu required and not embedded manually; eApp fetches all enabled global extensions during layout init and mounts them invisibly with normal Vue lifecycle. Use for global notification/account-panel/realtime registration code, not for route content. Keep `<template></template>` empty or minimal hidden markup, and keep visible UI in registered components or existing shell slots.',
+    '- **type "global":** Global shell extension. No menu required and not embedded manually; the Enfyra admin UI fetches all enabled global extensions during layout init and mounts them invisibly with normal Vue lifecycle. Use for global notification/account-panel/realtime registration code, not for route content. Keep `<template></template>` empty or minimal hidden markup, and keep visible UI in registered components or existing shell slots.',
     '- **Widget composition:** split large page extensions into widget extensions for bulky or reusable sections such as operation panels, status cards, timelines, tables, and sidebars. Keep tiny one-off markup in the page. Create/update the widget `extension_definition` rows first, then embed their ids from the page extension.',
     '- **Widget props/events:** the `Widget` wrapper forwards non-`id` attrs and listeners to the rendered widget component. Widget extensions can declare `defineProps` and `defineEmits`; parent prop changes are reactive like normal Vue component props. Use normal Vue syntax such as `<Widget :id="123" :project-id="projectId" :history-rows="historyRows" @refresh="refreshAll" />`; kebab-case attributes map to camelCase props.',
     '- **Widget state boundary:** do not mutate props inside widgets. Derive display state with `computed`, or mirror a prop into local mutable state with `watch(() => props.value, ...)` when the widget owns an editor draft. Prefer emitted events for child-to-parent actions; use callback function props only for parent-owned modal/drawer openers or imperative actions, and guard with `typeof action === "function"` inside the widget.',
     '- **Widget ownership:** keep route parsing, page-level API loading/mutation state, and modal submit flows in the page extension unless a widget intentionally owns the whole workflow. Use widgets for focused render sections or operation panels that receive safe data/actions from the page.',
     '- **Widget permissions:** sensitive action controls inside widgets must still use `PermissionGate` or `usePermissions()` and must keep `type="button"` plus `@click.stop.prevent` for modal/drawer triggers. Server routes remain the final permission boundary.',
-    '- **Widget loading performance:** eApp batches widget metadata fetches requested in the same tick and caches loaded widgets. Do not manually fetch widget code from page extensions; render `<Widget>` components together so the runtime can batch-load them.',
+    '- **Widget loading performance:** Enfyra admin UI batches widget metadata fetches requested in the same tick and caches loaded widgets. Do not manually fetch widget code from page extensions; render `<Widget>` components together so the runtime can batch-load them.',
     '- **Existing pages:** if a menu already has a page extension, update that `extension_definition` record instead of creating a duplicate menu/extension. For example `/dashboard` is menu-driven and may already have an extension attached.',
     '',
     '#### NPM packages (install via MCP):',
@@ -421,7 +421,7 @@ export function buildMcpServerInstructions(apiBaseUrl) {
     '- **Header actions:** `const { register: registerHeaderActions } = useHeaderActionRegistry(); registerHeaderActions([{ id: \'back\', label: \'Hosts\', icon: \'lucide:arrow-left\', color: \'neutral\', variant: \'ghost\', order: 0, onClick: goBack }, { id: \'refresh\', label: \'Refresh\', icon: \'lucide:refresh-cw\', color: \'primary\', variant: \'solid\', order: 1, onClick: refresh }])`',
     '- **Schema:** Call `fetchSchema()` first, then use `definition.value`, `editableFields.value`, `getField(\'fieldName\')`.',
     '- **Permissions:** Use `checkPermissionCondition({ or: [{ route: \'/posts\', methods: [\'GET\'] }] })` for complex rules. In templates, wrap sensitive controls with `<PermissionGate :condition="{ and: [{ route: \'/admin/action\', methods: [\'POST\'] }] }">...</PermissionGate>` instead of only disabling them visually.',
-    '- **After menu/extension create/update:** open eApp tabs should update through the `$system:reload` contract. Do not tell the user to press F5 unless you have verified the natural reload event failed or the server/eApp version does not support menu/extension reload yet.',
+    '- **After menu/extension create/update:** open Enfyra admin tabs should update through the `$system:reload` contract. Do not tell the user to press F5 unless you have verified the natural reload event failed or the server/Enfyra admin UI version does not support menu/extension reload yet.',
     '',
     '#### Minimal example:',
     '`<template><div class="p-6"><h1 class="text-2xl font-bold">{{ title }}</h1><UButton @click="handleClick">Click</UButton></div></template><script setup>const title = ref(\'My Extension\'); const toast = useToast(); const handleClick = () => toast.add({ title: \'Clicked\', color: \'green\' });</script>`',

package/src/mcp-server-entry.mjs

@@ -51,7 +51,7 @@ const CAPABILITY_AREAS = [
   {
     area: 'Auth, roles, sessions, OAuth',
     tables: ['user_definition', 'role_definition', 'api_token_definition', 'session_definition', 'oauth_config_definition', 'oauth_account_definition'],
-    workflow: 'MCP auth exchanges ENFYRA_API_TOKEN through /auth/token/exchange. Configure an API token from eApp /me.',
+    workflow: 'MCP auth exchanges ENFYRA_API_TOKEN through /auth/token/exchange. Configure an API token from Enfyra admin UI /me.',
   },
   {
     area: 'Guards and permissions',
@@ -2467,7 +2467,7 @@ server.tool(
     const payload = {
       guidance: {
         publicAccess: 'publicMethods bypass RoleGuard and do not require route_permission_definition.',
-        authenticatedAccess: 'For non-public methods, eApp PermissionGate and backend RoleGuard both expect enabled route_permission_definition rows with matching route + HTTP method.',
+        authenticatedAccess: 'For non-public methods, Enfyra admin UI PermissionGate and backend RoleGuard both expect enabled route_permission_definition rows with matching route + HTTP method.',
         directUserAccess: 'allowedRoutePermissions on /me represent direct user-scoped route permissions; role.routePermissions represent role-scoped permissions.',
       },
       expectedScope: {
@@ -2910,7 +2910,7 @@ server.tool(
   'create_extension',
   [
     'Create an extension (Vue SFC page, widget, or global shell extension). Code must be Vue SFC: <template>...</template> + <script setup>...</script> — NO imports, use globals (ref, useToast, useApi, UButton, etc).',
-    'For type=page: create menu first (create_menu), get id, then pass menuId. For type=widget: no menu, embed via <Widget>. For type=global: no menu, eApp mounts it invisibly at shell level for registries/realtime. Server auto-compiles and should emit realtime reload to open eApp tabs. See extension rules in MCP instructions.',
+    'For type=page: create menu first (create_menu), get id, then pass menuId. For type=widget: no menu, embed via <Widget>. For type=global: no menu, the Enfyra admin UI mounts it invisibly at shell level for registries/realtime. Server auto-compiles and should emit realtime reload to open Enfyra admin tabs. See extension rules in MCP instructions.',
   ].join(' '),
   {
     name: z.string().describe('Extension name (unique)'),
@@ -2935,7 +2935,7 @@ server.tool(
     }
     const result = await fetchAPI(ENFYRA_API_URL, '/extension_definition', { method: 'POST', body: JSON.stringify(body) });
     const created = firstDataRecord(result);
-    return { content: [{ type: 'text', text: `Extension created (ID: ${getId(created)}). Open eApp tabs should update through the realtime reload contract.\n${JSON.stringify(result, null, 2)}` }] };
+    return { content: [{ type: 'text', text: `Extension created (ID: ${getId(created)}). Open Enfyra admin tabs should update through the realtime reload contract.\n${JSON.stringify(result, null, 2)}` }] };
   },
 );