docs: Cloud-first README + move internals to docs/

README.md

@@ -1,203 +1,163 @@
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="images/appwrite-logo-darkbg.png">
+    <img alt="Appwrite" src="images/appwrite-logo-lightbg.png" width="280">
+  </picture>
+</p>
+
 # Appwrite MCP server
 
 mcp-name: io.github.appwrite/mcp
 
-## Overview
-
-A Model Context Protocol server for interacting with Appwrite's API. It provides tools to manage databases, users, functions, teams, and more within your Appwrite project.
+A [Model Context Protocol](https://modelcontextprotocol.io) server for Appwrite.
+It exposes Appwrite's API — databases, users, functions, teams, storage, and more
+— as tools your MCP client can call.
 
-Appwrite Cloud is available as a hosted [OAuth 2.1 Resource Server](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) over MCP [Streamable HTTP](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports). Self-hosted Appwrite instances use the local MCP `stdio` transport with an Appwrite project API key.
+Connect to the hosted server at **`https://mcp.appwrite.io/mcp`** and authenticate
+through your browser. The first time you connect, your client opens an Appwrite
+consent screen; approve the scopes and you're connected. There are no keys to
+copy.
 
-## Quick Links
-- [Cloud hosted MCP](#cloud-hosted-mcp)
-- [Self-hosted stdio MCP](#self-hosted-stdio-mcp)
-- [How Cloud authentication works](#how-cloud-authentication-works)
-- [Tool surface](#tool-surface)
-- [Local development](#local-development)
-- [Debugging](#debugging)
+## Connect your client
 
-## Cloud hosted MCP
+Pick your client below. Each adds the hosted Appwrite Cloud server.
 
-Add the server to any MCP client that supports remote (Streamable HTTP) servers by its URL:
+<details open>
+<summary><b>Claude Code</b></summary>
 
+```bash
+claude mcp add --transport http appwrite https://mcp.appwrite.io/mcp
 ```
-https://mcp.appwrite.io/mcp
-```
 
-For example, in a client that accepts a JSON server config:
+</details>
+
+<details>
+<summary><b>Claude Desktop</b></summary>
+
+Go to **Settings → Connectors → Add custom connector** and paste
+`https://mcp.appwrite.io/mcp`.
+
+On the free plan, bridge the remote server through stdio instead (requires
+Node.js) by editing your config via **Settings → Developer → Edit Config**:
 
 ```json
 {
   "mcpServers": {
     "appwrite": {
-      "type": "http",
-      "url": "https://mcp.appwrite.io/mcp"
+      "command": "npx",
+      "args": ["mcp-remote", "https://mcp.appwrite.io/mcp"]
     }
   }
 }
 ```
 
-The first time you connect, the client opens an Appwrite consent screen in your browser. Approve the requested scopes and the client is connected — there are no keys to copy.
+</details>
 
-## Self-hosted stdio MCP
+<details>
+<summary><b>Cursor</b></summary>
 
-Self-hosted users should run the MCP server locally over stdio and authenticate with a project API key from their Appwrite Console.
-
-Create a project API key with the scopes you want the MCP server to use, then configure your MCP client with:
+Edit `~/.cursor/mcp.json` (global) or `.cursor/mcp.json` (project).
 
 ```json
 {
   "mcpServers": {
     "appwrite": {
-      "command": "uvx",
-      "args": ["mcp-server-appwrite"],
-      "env": {
-        "APPWRITE_PROJECT_ID": "<YOUR_PROJECT_ID>",
-        "APPWRITE_API_KEY": "<YOUR_API_KEY>",
-        "APPWRITE_ENDPOINT": "https://<YOUR_APPWRITE_DOMAIN>/v1"
-      }
+      "url": "https://mcp.appwrite.io/mcp"
     }
   }
 }
 ```
 
-For the local Appwrite development compose setup in `/Users/chiragaggarwal/Desktop/appwrite/appwrite`, the endpoint is typically:
-
-```text
-http://localhost:9501/v1
-```
-
-`stdio` is the default transport for the package command. You can also make it explicit:
-
-```bash
-APPWRITE_ENDPOINT=http://localhost:9501/v1 \
-APPWRITE_PROJECT_ID=<YOUR_PROJECT_ID> \
-APPWRITE_API_KEY=<YOUR_API_KEY> \
-uvx mcp-server-appwrite --transport stdio
-```
-
-The server validates the endpoint, project ID, API key, and at least one supported service during startup. If credentials or scopes are wrong, the MCP server fails before accepting tool calls.
+</details>
 
-## How Cloud authentication works
+<details>
+<summary><b>VS Code</b> (GitHub Copilot)</summary>
 
-The MCP server validates the bearer access token on every request and forwards it to the Appwrite REST API, which accepts the OAuth2 access token directly. The flow (handled automatically by MCP-aware clients):
+Edit `.vscode/mcp.json` (workspace) or your user configuration via the Command
+Palette → **MCP: Open User Configuration**.
 
-1. The client requests `/mcp` without a token and receives `401` with a `WWW-Authenticate` header pointing to the protected-resource metadata.
-2. The client fetches `GET /.well-known/oauth-protected-resource/mcp` (RFC 9728), which lists the authorization server (`<APPWRITE_ENDPOINT>/oauth2/console`) and supported scopes.
-3. The client discovers the authorization server (RFC 8414 / OIDC) and **self-registers** via RFC 7591 Dynamic Client Registration — the OAuth server exposes an open `registration_endpoint`, so there is no client ID or secret to pre-provision. MCP clients register as public (PKCE) clients automatically.
-4. The client runs the OAuth 2.1 + PKCE authorization-code flow, including the RFC 8707 `resource` parameter that binds the token's audience to this server.
-5. The client calls `/mcp` with `Authorization: Bearer <token>`.
-
-## Tool surface
-
-The server starts in a compact workflow so the MCP client only sees a small operator-style surface while the full Appwrite catalog stays internal.
-
-- Up to 4 MCP tools are exposed to the model:
-  - `appwrite_get_context`
-  - `appwrite_search_tools`
-  - `appwrite_call_tool`
-  - `appwrite_search_docs` — semantic search over the Appwrite documentation (only registered when the docs index and `OPENAI_API_KEY` are present; see [Documentation search](#documentation-search)).
-- The full Appwrite tool catalog stays internal and is searched at runtime.
-- `appwrite_get_context` gives the client a quick workspace summary. With a local project API key it returns the configured project and readable service totals/samples. With hosted OAuth it also includes account, organization, and discovered project context.
-- Large tool outputs are stored as MCP resources and returned as preview text plus a resource URI.
-- Mutating hidden tools require `confirm_write=true`.
-- Every Appwrite service the installed SDK ships is registered automatically — 25 in total, each becoming a tool-name prefix: `account`, `activities`, `advisor`, `apps`, `avatars`, `backups`, `databases`, `functions`, `graphql`, `health`, `locale`, `messaging`, `oauth2`, `organization`, `presences`, `project`, `proxy`, `sites`, `storage`, `tables_db`, `teams`, `tokens`, `usage`, `users`, and `webhooks`. Which ones a given user can actually call is gated by the scopes their OAuth token was granted (enforced per-route by the Appwrite API), not by the catalog.
-
-## Documentation search
-
-`appwrite_search_docs` runs semantic search over the Appwrite documentation entirely in-process, replacing the standalone docs MCP server. It embeds the query with OpenAI `text-embedding-3-small` and ranks a prebuilt index of doc pages by cosine similarity, returning the most relevant pages with their full content. It needs no `project_id`.
-
-The index is a small artifact committed under `src/mcp_server_appwrite/data/` (`docs_index.npz` + `docs_index_meta.json`) and shipped in the image. The tool is registered only when both the artifact and `OPENAI_API_KEY` are available; otherwise the server boots without it.
-
-### Runtime configuration
-
-- `OPENAI_API_KEY` — required to embed incoming queries (one OpenAI call per search).
-- `DOCS_SEARCH_MIN_SCORE` — minimum cosine score for a match (default `0.25`).
-- `DOCS_SEARCH_LIMIT` — default maximum pages returned (default `5`, max `10`).
-
-### Rebuilding the index
-
-Re-run the build script when the docs change and commit the refreshed artifact:
-
-```bash
-OPENAI_API_KEY=sk-... uv run python scripts/build_docs_index.py
-```
-
-It downloads `appwrite/website` docs from GitHub, chunks each page, embeds the chunks, and writes the artifact. Optional env vars: `DOCS_WEBSITE_REF` (git ref, default `main`), `DOCS_EMBED_BATCH` (default `100`).
-
-## Local development
-
-### Clone and install `uv`
-
-```bash
-git clone https://github.com/appwrite/mcp.git
-cd mcp
-# Linux or MacOS
-curl -LsSf https://astral.sh/uv/install.sh | sh
-# Windows (PowerShell)
-# powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex"
+```json
+{
+  "servers": {
+    "appwrite": {
+      "type": "http",
+      "url": "https://mcp.appwrite.io/mcp"
+    }
+  }
+}
 ```
 
-### Run the server
-
-With Docker Compose, the server runs the hosted HTTP/OAuth transport:
+</details>
 
-```bash
-docker compose up --build
-```
+<details>
+<summary><b>Codex</b></summary>
 
-Compose defaults to `MCP_PUBLIC_URL=http://localhost:8000` and exposes the MCP endpoint at:
+Edit `~/.codex/config.toml`.
 
-```text
-http://localhost:8000/mcp
+```toml
+[mcp_servers.appwrite]
+url = "https://mcp.appwrite.io/mcp"
 ```
 
-To enable documentation search locally, provide `OPENAI_API_KEY` in your shell or a local `.env` file before running Compose.
-
-With `uv` directly:
+</details>
 
-```bash
-MCP_PUBLIC_URL=http://localhost:8000 APPWRITE_ENDPOINT=https://cloud.appwrite.io/v1 \
-  uv run mcp-server-appwrite --transport http
-```
+<details>
+<summary><b>OpenCode</b></summary>
 
-For local self-hosted stdio development, run with API-key credentials:
+Edit `opencode.json` (project) or `~/.config/opencode/opencode.json` (global).
 
-```bash
-APPWRITE_ENDPOINT=http://localhost:9501/v1 \
-APPWRITE_PROJECT_ID=<YOUR_PROJECT_ID> \
-APPWRITE_API_KEY=<YOUR_API_KEY> \
-uv run mcp-server-appwrite
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "appwrite": {
+      "type": "remote",
+      "url": "https://mcp.appwrite.io/mcp",
+      "enabled": true
+    }
+  }
+}
 ```
 
-## Testing
+</details>
 
-### Unit tests
+<details>
+<summary><b>Windsurf</b></summary>
 
-```bash
-uv run python -m unittest discover -s tests/unit -v
-```
+Edit `~/.codeium/windsurf/mcp_config.json`.
 
-### Live integration tests
-
-These create and delete real Appwrite resources against a real project. They authenticate to the Appwrite API with an API key supplied via the environment or `.env` (`APPWRITE_PROJECT_ID`, `APPWRITE_API_KEY`, `APPWRITE_ENDPOINT`) and are skipped when no credentials are present.
-
-```bash
-uv run --extra integration python -m unittest discover -s tests/integration -v
+```json
+{
+  "mcpServers": {
+    "appwrite": {
+      "serverUrl": "https://mcp.appwrite.io/mcp"
+    }
+  }
+}
 ```
 
-## Debugging
+</details>
 
-Use the MCP Inspector against a running server URL:
+## Self-hosted Appwrite
 
-```bash
-npx @modelcontextprotocol/inspector
-```
+Running your own Appwrite instance? Run the MCP server locally over `stdio` and
+authenticate with a project API key. See [docs/self-hosted.md](docs/self-hosted.md)
+for per-client setup.
 
-Point it at `https://mcp.appwrite.io/mcp` and complete the OAuth flow when prompted.
+## Documentation
 
-For self-hosted stdio debugging, start Inspector in stdio mode and use `uv run mcp-server-appwrite` as the command with the `APPWRITE_*` environment variables above.
+- [Tool surface](docs/tool-surface.md) — the tools exposed to the model and the
+  internal Appwrite catalog.
+- [How Cloud authentication works](docs/authentication.md) — the OAuth 2.1 flow.
+- [Documentation search](docs/documentation-search.md) — the in-process
+  `appwrite_search_docs` tool and how to rebuild its index.
+- [Self-hosted Appwrite](docs/self-hosted.md) — run the server locally with a
+  project API key.
+- [Local development](docs/development.md) — running, testing, and debugging the
+  server locally.
+- [AGENTS.md](AGENTS.md) — full contributor guide and pre-PR checklist.
 
 ## License
 
-This MCP server is licensed under the MIT License. This means you are free to use, modify, and distribute the software, subject to the terms and conditions of the MIT License. For more details, please see the LICENSE file in the project repository.
+This MCP server is licensed under the MIT License. See the [LICENSE](LICENSE) file
+for details.

docs/authentication.md

@@ -0,0 +1,44 @@
+# How Cloud authentication works
+
+Appwrite Cloud is a hosted
+[OAuth 2.1 Resource Server](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)
+served over MCP
+[Streamable HTTP](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports).
+On every request it validates the client's bearer token and forwards it to the
+Appwrite REST API, which accepts the OAuth2 access token directly.
+
+## The flow
+
+MCP-aware clients run this automatically:
+
+```mermaid
+sequenceDiagram
+    participant C as MCP Client
+    participant S as MCP Server (/mcp)
+    participant A as Appwrite OAuth Server
+    participant API as Appwrite REST API
+
+    C->>S: GET /mcp (no token)
+    S-->>C: 401 + WWW-Authenticate → metadata URL
+    C->>S: GET /.well-known/oauth-protected-resource/mcp
+    S-->>C: auth server + scopes (RFC 9728)
+    C->>A: Discover (RFC 8414 / OIDC)
+    C->>A: Self-register as public PKCE client (RFC 7591)
+    A-->>C: client_id (no secret to pre-provision)
+    C->>A: OAuth 2.1 + PKCE auth-code flow (RFC 8707 resource)
+    A-->>C: access token (audience bound to this server)
+    C->>S: GET /mcp + Authorization: Bearer <token>
+    S->>API: Forward bearer token
+    API-->>S: Response
+    S-->>C: Response
+```
+
+## Standards in play
+
+| Step | Standard | Purpose |
+| --- | --- | --- |
+| Protected-resource metadata | RFC 9728 | Points the client at the auth server (`<APPWRITE_ENDPOINT>/oauth2/console`) and scopes |
+| Auth-server discovery | RFC 8414 / OIDC | Locates token & registration endpoints |
+| Dynamic client registration | RFC 7591 | Open `registration_endpoint` → no client ID/secret to pre-provision |
+| Authorization-code + PKCE | OAuth 2.1 | Secure token issuance for public clients |
+| Resource indicator | RFC 8707 | Binds token audience to this server |