refactor: reorganize security docs into more logical locations (#816)

EricGustin · claude · github-actions[bot] · web-flow · commit 417fa8ba0664 · 2026-03-04T15:38:09.000-08:00
* refactor: reorganize security docs into more logical locations

Move security research program to resources/ and dissolve the guides/security
section, placing the MCP server security guides under guides/create-tools/secure-your-server.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* fix: collapse redirect chain for home/build-tools/secure-your-mcp-server

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* Update app/en/references/changelog/page.mdx

Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;

* fix: update broken security link in tanstack-ai guide

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;

* revert: restore next-env.d.ts to production build path

The dev-specific `.next/dev/types/routes.d.ts` import was an unintentional
artifact from running `pnpm dev/build` locally. Restore to the canonical
`.next/types/routes.d.ts` path. This file is auto-generated by Next.js and
should not be manually edited.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* 🤖 Regenerate LLMs.txt

* fix: restore public/llms.txt accidentally deleted during rebase

The llms.txt was deleted when resolving a modify/delete conflict in
a CI bot commit during rebase. Restore to main's current version.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* fix: restore audit-logs markdown file accidentally deleted during rebase

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;

* 🤖 Regenerate LLMs.txt

---------

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: github-actions[bot] &lt;github-actions[bot]@users.noreply.github.com&gt;
diff --git a/app/en/get-started/agent-frameworks/tanstack-ai/page.mdx b/app/en/get-started/agent-frameworks/tanstack-ai/page.mdx
@@ -697,7 +697,7 @@ On first use, you'll see an authorization button. Click it to connect your Gmail
 
 1. **Add more tools**: Browse the [MCP server catalog](/resources/integrations) and add tools for GitHub, Notion, Linear, and more.
 2. **Try different providers**: Swap `@tanstack/ai-openai` for `@tanstack/ai-anthropic` or `@tanstack/ai-gemini` to use different AI models.
-3. **Add user authentication**: In production, get `userId` from your auth system instead of environment variables. See [Security](/guides/security) for best practices.
+3. **Add user authentication**: In production, get `userId` from your auth system instead of environment variables. See [Secure your server](/guides/create-tools/secure-your-server) for best practices.
 4. **Deploy your chatbot**: TanStack Start supports deployment to Vercel, Netlify, Cloudflare, and Node.js servers.
 
 ## Complete code
diff --git a/app/en/get-started/agent-frameworks/vercelai/page.mdx b/app/en/get-started/agent-frameworks/vercelai/page.mdx
@@ -597,7 +597,7 @@ On first use, you'll see an authorization button. Click it to connect your Gmail
 ## Next steps
 
 1. **Add more tools**: Browse the [MCP server catalog](/resources/integrations) and add tools for GitHub, Notion, Linear, and more.
-2. **Add user authentication**: In production, get `userId` from your auth system instead of environment variables. See [Security](/guides/security) for best practices.
+2. **Add user authentication**: In production, get `userId` from your auth system instead of environment variables. See [Secure your server](/guides/create-tools/secure-your-server) for best practices.
 3. **Deploy to Vercel**: Push your chatbot to GitHub and [deploy to Vercel](https://vercel.com/docs/deployments/overview) with one click. Add your environment variables in the Vercel dashboard.
 
 ## Complete code
diff --git a/app/en/guides/_meta.tsx b/app/en/guides/_meta.tsx
@@ -22,9 +22,6 @@ export const meta: MetaRecord = {
   "deployment-hosting": {
     title: "Deployment & hosting",
   },
-  security: {
-    title: "Security & Compliance",
-  },
 };
 
 export default meta;
diff --git a/app/en/guides/create-tools/_meta.tsx b/app/en/guides/create-tools/_meta.tsx
@@ -16,6 +16,9 @@ export const meta: MetaRecord = {
     title: "Handle errors",
     href: "/guides/create-tools/error-handling",
   },
+  "secure-your-server": {
+    title: "Secure your server",
+  },
   "migrate-toolkits": {
     title: "Migrate from toolkits to MCP servers",
   },
diff --git a/app/en/guides/create-tools/secure-your-server/_meta.tsx b/app/en/guides/create-tools/secure-your-server/_meta.tsx
@@ -11,14 +11,8 @@ const meta: MetaRecord = {
   index: {
     title: "Overview",
   },
-  "securing-arcade-mcp": {
-    title: "Securing Arcade MCP",
-  },
   "secure-your-mcp-server": {
-    title: "Secure your MCP server",
-  },
-  "security-research-program": {
-    title: "Security research program",
+    title: "Add Resource Server auth",
   },
 };
 
diff --git a/app/en/guides/create-tools/secure-your-server/page.mdx b/app/en/guides/create-tools/secure-your-server/page.mdx
@@ -21,8 +21,4 @@ This approach is ideal when:
 
 Resource Server auth works alongside tool-level authorization. Resource Server auth secures access to the MCP server itself, while tool-level auth enables your tools to access third-party APIs on behalf of the authenticated user.
 
-Learn more about adding front-door OAuth to your MCP server [here](/guides/security/secure-your-mcp-server).
-
-### Client ID Metadata Documents (Coming soon)
-
-Coming soon, you will be able to secure your MCP server using Client ID Metadata Documents (CIMD) for authorization. Learn more about how MCP integrates with OAuth [here](https://blog.modelcontextprotocol.io/posts/client_registration/).
+Learn more about adding front-door OAuth to your MCP server [here](/guides/create-tools/secure-your-server/secure-your-mcp-server).
diff --git a/app/en/guides/create-tools/secure-your-server/secure-your-mcp-server/page.mdx b/app/en/guides/create-tools/secure-your-server/secure-your-mcp-server/page.mdx
diff --git a/app/en/guides/security/page.mdx b/app/en/guides/security/page.mdx
diff --git a/app/en/learn/server-level-vs-tool-level-auth/page.mdx b/app/en/learn/server-level-vs-tool-level-auth/page.mdx
@@ -17,7 +17,7 @@ Arcade MCP servers support two distinct layers of authorization that work togeth
 
 ## Quick Comparison
 
-| Aspect                | [Resource Server Auth (Front-Door)](/guides/security/secure-your-mcp-server) | [Tool-Level Authorization](/guides/create-tools/tool-basics/create-tool-auth) |
+| Aspect                | [Resource Server Auth (Front-Door)](/guides/create-tools/secure-your-server/secure-your-mcp-server) | [Tool-Level Authorization](/guides/create-tools/tool-basics/create-tool-auth) |
 | --------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------------------- |
 | **What it secures**   | Access to your MCP server                                                    | Access to third-party APIs                                                    |
 | **Who authenticates** | The user calling your server                                                 | The user's access to external services                                        |
diff --git a/app/en/references/changelog/page.mdx b/app/en/references/changelog/page.mdx
@@ -141,7 +141,7 @@ _Here's what's new at Arcade.dev!_
 
 **Arcade MCP Servers**
 
-- `[feature - 🚀]` OAuth authentication for `arcade-mcp` servers. Learn more about it [here](/guides/security/secure-your-mcp-server!
+- `[feature - 🚀]` OAuth authentication for `arcade-mcp` servers. Learn more about it [here](/guides/create-tools/secure-your-server/secure-your-mcp-server)
 - `[maintenance - 🔧]` Ability to run multiple uvicorn workers
 - `[maintenance - 🔧]` Include type annotations for `arcade_mcp_server`
 
diff --git a/app/en/resources/_meta.tsx b/app/en/resources/_meta.tsx
@@ -16,6 +16,9 @@ export const meta: MetaRecord = {
   faq: {
     title: "FAQ",
   },
+  "security-research-program": {
+    title: "Security research program",
+  },
   "contact-us": {
     title: "Contact",
   },
diff --git a/app/en/resources/contact-us/contact-cards.tsx b/app/en/resources/contact-us/contact-cards.tsx
@@ -306,7 +306,7 @@ export function ContactCards() {
         />
         <QuickStartCard
           description="Report security vulnerabilities responsibly. Learn about our security research program and disclosure process."
-          href="/guides/security/security-research-program"
+          href="/resources/security-research-program"
           icon={Shield}
           title="Security Research"
         />
diff --git a/app/en/resources/security-research-program/page.mdx b/app/en/resources/security-research-program/page.mdx
diff --git a/next.config.ts b/next.config.ts
@@ -24,6 +24,28 @@ const nextConfig: NextConfig = withLlmsTxt({
   withNextra({
     async redirects() {
       return [
+        // Dissolved guides/security section
+        {
+          source: "/:locale/guides/security/security-research-program",
+          destination: "/:locale/resources/security-research-program",
+          permanent: true,
+        },
+        {
+          source: "/:locale/guides/security/securing-arcade-mcp",
+          destination: "/:locale/guides/create-tools/secure-your-server",
+          permanent: true,
+        },
+        {
+          source: "/:locale/guides/security/secure-your-mcp-server",
+          destination:
+            "/:locale/guides/create-tools/secure-your-server/secure-your-mcp-server",
+          permanent: true,
+        },
+        {
+          source: "/:locale/guides/security",
+          destination: "/:locale/guides/create-tools/secure-your-server",
+          permanent: true,
+        },
         // Auto-added redirects for deleted pages
         {
           source: "/:locale/references/mcp/python/transports",
@@ -397,7 +419,8 @@ const nextConfig: NextConfig = withLlmsTxt({
         },
         {
           source: "/:locale/home/build-tools/secure-your-mcp-server",
-          destination: "/:locale/guides/security/secure-your-mcp-server",
+          destination:
+            "/:locale/guides/create-tools/secure-your-server/secure-your-mcp-server",
           permanent: true,
         },
         {
diff --git a/public/llms.txt b/public/llms.txt
@@ -1,4 +1,4 @@
-<!-- git-sha: 166187ea1e64c335af069a1b51573e5ec37caff0 generation-date: 2026-03-04T22:00:56.615Z -->
+<!-- git-sha: ed8c003bb3aae6dc320e4ad4e8ecd5d7ed5fd4b1 generation-date: 2026-03-04T23:24:42.109Z -->
 
 # Arcade
 
@@ -65,7 +65,7 @@ Arcade delivers three core capabilities: Deploy agents even your security team w
 - [Add metadata to your tools](https://docs.arcade.dev/en/guides/create-tools/tool-basics/add-tool-metadata): This documentation page guides users on how to enhance their MCP tools with structured metadata using `ToolMetadata`, enabling better understanding and interaction by MCP clients, policy engines, and tool-selection systems. Users will learn to classify their tools, describe their behavior, and
 - [Add remote MCP servers](https://docs.arcade.dev/en/guides/mcp-gateways/add-remote-servers): This documentation page provides a step-by-step guide for users to register and connect a remote MCP server to their Arcade project, enabling the use of its tools within MCP Gateways and SDKs. Users will learn how to configure connection settings, manage tool visibility
 - [Add user authorization to your MCP tools](https://docs.arcade.dev/en/guides/create-tools/tool-basics/create-tool-auth): This documentation page guides users on how to implement user authorization in their custom MCP tools using Arcade, OAuth, and various auth providers, specifically illustrating the process with a Reddit integration example. Users will learn to create tools that require OAuth for access, manage authorization
-- [Adding Resource Server Auth to Your MCP Server](https://docs.arcade.dev/en/guides/security/secure-your-mcp-server): This documentation page guides users on how to secure their HTTP MCP server using OAuth 2.1 Resource Server authentication, enabling tool-level authorization and the safe handling of secrets. It outlines the prerequisites, benefits, and configuration steps necessary for implementing this security feature
+- [Adding Resource Server Auth to Your MCP Server](https://docs.arcade.dev/en/guides/create-tools/secure-your-server/secure-your-mcp-server): This documentation page guides users on how to secure their HTTP MCP server using OAuth 2.1 Resource Server authentication, enabling tool-level authorization and secrets management. It outlines the prerequisites, benefits, and configuration steps necessary for implementing this security measure, ensuring that
 - [Agentic development](https://docs.arcade.dev/en/get-started/setup/connect-arcade-docs): This documentation page provides guidance on utilizing agents in Integrated Development Environments (IDEs) to enhance development efficiency by accessing well-formatted markdown documentation directly from the Arcade site. It explains how AI agents can retrieve content without manual copying and introduces the LLM
 - [Arcade Cloud infrastructure](https://docs.arcade.dev/en/guides/deployment-hosting/arcade-cloud): This documentation page provides an overview of the infrastructure supporting Arcade Cloud, detailing aspects such as data storage, protection, and sovereignty options. Users can learn about the management of their data, including retention policies and consent models for training data, as well as the
 - [Arcade Gateway Assistant](https://docs.arcade.dev/en/guides/mcp-gateways/create-via-ai): The Arcade Gateway Assistant documentation guides users in creating and managing MCP gateways through a chat interface using natural language commands. It outlines the prerequisites for setup, including creating an Arcade account and connecting to compatible chat clients, and provides step-by-step instructions for authentication and
@@ -131,9 +131,8 @@ Arcade delivers three core capabilities: Deploy agents even your security team w
 - [Run evaluations](https://docs.arcade.dev/en/guides/create-tools/evaluate-tools/run-evaluations): This documentation page provides guidance on using the `arcade evals` command to run evaluation suites across multiple providers and models, allowing users to execute, compare, and analyze evaluation results in various output formats. It covers features such as multi-provider support,
 - [Running an Server](https://docs.arcade.dev/en/guides/contextual-access/examples): This documentation page provides users with guidance on running open-source example webhook servers to implement Contextual Access. It includes detailed instructions for setting up both a full-featured advanced server and minimal focused examples, allowing users to quickly start using or customizing these servers for
 - [Secure and Brand the Auth Flow in Production](https://docs.arcade.dev/en/guides/user-facing-agents/secure-auth-production): This documentation page guides users on how to secure and customize authentication flows in production using Arcade.dev. It outlines the use of the default Arcade user verifier for development and the implementation of a custom user verifier for production applications, ensuring user safety and a tailored user
-- [Securing Arcade MCP Deployments](https://docs.arcade.dev/en/guides/security/securing-arcade-mcp): This documentation page provides guidance on securing Arcade MCP deployments, outlining two primary methods: deploying the MCP server to the Arcade platform for built-in security features and implementing OAuth 2.1 Resource Server authentication for self-hosted setups. Users will learn how to
-- [Security](https://docs.arcade.dev/en/guides/security): This documentation page provides essential security best practices for developing and deploying MCP servers and Arcade tools, emphasizing the importance of safeguarding sensitive data and ensuring robust security measures in production environments. It also outlines resources and guidance for implementing secure tools and highlights the ongoing security research
-- [Security Research Program](https://docs.arcade.dev/en/guides/security/security-research-program): The Security Research Program documentation page outlines how users can report security vulnerabilities within Arcade's tools and services, emphasizing the importance of community involvement in enhancing security. It details the scope of issues covered, the reporting process, and guidelines for responsible disclosure. Additionally,
+- [Securing Arcade MCP Deployments](https://docs.arcade.dev/en/guides/create-tools/secure-your-server): This documentation page provides guidance on securing Arcade MCP deployments by outlining two primary methods: deploying the MCP server through the Arcade platform for built-in security features and implementing OAuth 2.1 Resource Server authentication for self-hosted setups. Users will learn how to
+- [Security Research Program](https://docs.arcade.dev/en/resources/security-research-program): The Security Research Program documentation page outlines how users can report security vulnerabilities in Arcade's tools and services, emphasizing the importance of community involvement in enhancing security. It details the types of vulnerabilities sought, the reporting process, and guidelines for responsible disclosure. Additionally,
 - [Server-Level vs Tool-Level Authorization](https://docs.arcade.dev/en/learn/server-level-vs-tool-level-auth): This documentation page explains the differences between server-level authorization (Resource Server auth) and tool-level authorization in Arcade MCP servers, highlighting their respective roles in securing access to the server and external APIs. It provides guidance on when to implement each type of authorization and
 - [Setup Arcade with Google ADK (Python)](https://docs.arcade.dev/en/get-started/agent-frameworks/google-adk/setup-python): This documentation page provides a comprehensive guide for users to set up and integrate Arcade tools with the Google ADK framework using Python. It outlines the necessary prerequisites, teaches users how to build a Google ADK agent that utilizes Arcade tools, and explains how to
 - [Setup Arcade with Google ADK (TypeScript)](https://docs.arcade.dev/en/get-started/agent-frameworks/google-adk/setup-typescript): This documentation page guides users through the process of setting up an AI agent using Arcade tools with the Google ADK in TypeScript. It covers prerequisites, integration steps, and key concepts such as tool conversion and session management, enabling users to build agents that
