mcp / tools update + internal tool (#1283)

- Added new internal API endpoint for documentation tools, allowing
actions such as listing available docs, searching, and fetching specific
documentation by ID.
- Updated environment configuration to support optional internal secret
for enhanced security.
- Refactored existing search functionality to utilize the new docs tools
API instead of the previous MCP server.
- Improved error handling and response parsing for documentation-related
requests.
- Expanded documentation to clarify the relationship between the new
tools and existing API functionalities.

This update streamlines the documentation access process and enhances
the overall developer experience.

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Non-stream AI responses now include a consolidated finalText for
clearer answers.
* Added an internal docs-tools HTTP API to power doc listing, search,
and fetch with optional header-based access control and configurable
service origin.

* **Refinement**
* Consolidated multiple doc tooling paths into a single question-focused
flow; backend now routes to the unified docs-tools endpoint.

* **Documentation**
* Updated guides and knowledge base to describe the new docs query flow
and optional env configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mantrakp04

apps/backend/.env

@@ -115,3 +115,6 @@ STACK_STRIPE_SECRET_KEY=# enter your stripe api key
 STACK_STRIPE_WEBHOOK_SECRET=# enter your stripe webhook secret
 STACK_TELEGRAM_BOT_TOKEN= # enter you telegram bot token
 STACK_TELEGRAM_CHAT_ID=# enter your telegram chat id
+
+# Docs AI tool bundle
+STACK_DOCS_INTERNAL_BASE_URL=# override the docs origin used by the backend's AI tool bundle to call the docs app's `/api/internal/docs-tools` endpoint. Defaults to http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}04 in dev, https://mcp.stack-auth.com in prod

apps/backend/.env.development

@@ -77,6 +77,7 @@ STACK_OPENAI_API_KEY=mock_openai_api_key
 STACK_STRIPE_SECRET_KEY=sk_test_mockstripekey
 STACK_STRIPE_WEBHOOK_SECRET=mock_stripe_webhook_secret
 STACK_OPENROUTER_API_KEY=FORWARD_TO_PRODUCTION
+# STACK_DOCS_INTERNAL_BASE_URL=http://localhost:8104
 # Email monitor configuration for tests
 STACK_EMAIL_MONITOR_VERIFICATION_CALLBACK_URL=http://localhost:8101/handler/email-verification
 STACK_EMAIL_MONITOR_PROJECT_ID=internal

apps/backend/src/app/api/latest/ai/query/[mode]/route.ts

@@ -118,7 +118,7 @@ export const POST = createSmartRouteHandler({
       return {
         statusCode: 200,
         bodyType: "json" as const,
-        body: { content: contentBlocks },
+        body: { content: contentBlocks, finalText: result.text },
       };
     }
   },

apps/backend/src/lib/ai/tools/docs.ts

@@ -1,21 +1,126 @@
-import { createMCPClient } from "@ai-sdk/mcp";
-import { getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
+import { tool } from "ai";
+import { getEnvVariable, getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
+import { captureError } from "@stackframe/stack-shared/dist/utils/errors";
+import { z } from "zod";
+
+type DocsToolHttpResult = {
+  content?: Array<{ type: string, text?: string }>,
+  isError?: boolean,
+};
+
+function getDocsToolsBaseUrl(): string {
+  const fromEnv = getEnvVariable("STACK_DOCS_INTERNAL_BASE_URL", "");
+  if (fromEnv !== "") {
+    return fromEnv.replace(/\/$/, "");
+  }
+  if (getNodeEnvironment() === "development") {
+    const portPrefix = getEnvVariable("NEXT_PUBLIC_STACK_PORT_PREFIX", "81");
+    return `http://localhost:${portPrefix}04`;
+  }
+  return "https://mcp.stack-auth.com";
+}
+
+async function postDocsToolAction(action: Record<string, unknown>): Promise<string> {
+  const base = getDocsToolsBaseUrl();
+
+  const res = await fetch(`${base}/api/internal/docs-tools`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(action),
+  });
+
+  if (!res.ok) {
+    const errBody = await res.text();
+    captureError("docs-tools-http-error", new Error(`Stack Auth docs tools error (${res.status}): ${errBody}`));
+    return `Stack Auth docs tools error (${res.status}): ${errBody}`;
+  }
+
+  const data = (await res.json()) as DocsToolHttpResult;
+  const text = data.content
+    ?.filter((c): c is { type: "text", text: string } => c.type === "text" && typeof c.text === "string")
+    .map((c) => c.text)
+    .join("\n") ?? "";
+
+  if (data.isError === true) {
+    return text || "Unknown docs tool error";
+  }
+
+  return text;
+}
 
 /**
- * Creates an MCP client connected to the Stack Auth documentation server.
+ * Documentation tools backed by the docs app's `/api/internal/docs-tools` endpoint.
  *
- * In development: connects to local docs server at http://localhost:8126
- * In production: connects to production docs server at https://mcp.stack-auth.com
+ * The public MCP server at the same docs origin exposes only `ask_stack_auth`, which proxies to
+ * `/api/latest/ai/query/generate`; these tools avoid MCP recursion by calling the HTTP API directly.
  */
 export async function createDocsTools() {
-  const mcpUrl =
-    getNodeEnvironment() === "development"
-      ? new URL("/api/internal/mcp", "http://localhost:8126")
-      : new URL("/api/internal/mcp", "https://mcp.stack-auth.com");
+  return {
+    list_available_docs: tool({
+      description:
+        "Use this tool to learn about what Stack Auth is, available documentation, and see if you can use it for what you're working on. It returns a list of all available Stack Auth Documentation pages.",
+      inputSchema: z.object({}),
+      execute: async () => {
+        return await postDocsToolAction({ action: "list_available_docs" });
+      },
+    }),
 
-  const stackAuthMcp = await createMCPClient({
-    transport: { type: "http", url: mcpUrl.toString() },
-  });
+    search_docs: tool({
+      description:
+        "Search through all Stack Auth documentation including API docs, guides, and examples. Returns ranked results with snippets and relevance scores.",
+      inputSchema: z.object({
+        search_query: z.string().describe("The search query to find relevant documentation"),
+        result_limit: z.number().optional().describe("Maximum number of results to return (default: 50)"),
+      }),
+      execute: async ({ search_query, result_limit = 50 }) => {
+        return await postDocsToolAction({
+          action: "search_docs",
+          search_query,
+          result_limit,
+        });
+      },
+    }),
+
+    get_docs_by_id: tool({
+      description:
+        "Use this tool to retrieve a specific Stack Auth Documentation page by its ID. It gives you the full content of the page so you can know exactly how to use specific Stack Auth APIs. Whenever using Stack Auth, you should always check the documentation first to have the most up-to-date information. When you write code using Stack Auth documentation you should reference the content you used in your comments.",
+      inputSchema: z.object({
+        id: z.string(),
+      }),
+      execute: async ({ id }) => {
+        return await postDocsToolAction({ action: "get_docs_by_id", id });
+      },
+    }),
+
+    get_stack_auth_setup_instructions: tool({
+      description:
+        "Use this tool when the user wants to set up authentication in a new project. It provides step-by-step instructions for installing and configuring Stack Auth authentication.",
+      inputSchema: z.object({}),
+      execute: async () => {
+        return await postDocsToolAction({ action: "get_stack_auth_setup_instructions" });
+      },
+    }),
+
+    search: tool({
+      description:
+        "Search for Stack Auth documentation pages.\n\nUse this tool to find documentation pages that contain a specific keyword or phrase.",
+      inputSchema: z.object({
+        query: z.string(),
+      }),
+      execute: async ({ query }) => {
+        return await postDocsToolAction({ action: "search", query });
+      },
+    }),
 
-  return await stackAuthMcp.tools();
+    fetch: tool({
+      description:
+        "Fetch a particular Stack Auth Documentation page by its ID.\n\nThis tool is identical to `get_docs_by_id`.",
+      inputSchema: z.object({
+        id: z.string(),
+      }),
+      execute: async ({ id }) => {
+        return await postDocsToolAction({ action: "fetch", id });
+      },
+    }),
+  };
 }

claude/CLAUDE-KNOWLEDGE.md

@@ -139,6 +139,8 @@ A: Update affected inline snapshots in `apps/e2e/tests/backend/endpoints/api/v1/
 Q: How should `createOrUpdateProjectWithLegacyConfig` handle `onboardingStatus` for forward-compat checks?
 A: Only write `onboardingStatus` when the `Project.onboardingStatus` column exists (for example by checking `information_schema.columns` in-transaction) so current code can still run against older schemas where that column is absent.
 
+Q: How does the Stack Auth docs MCP relate to the ask-chat API and doc tools?
+A: The public MCP (`/api/internal/mcp` on the docs site) exposes only `ask_stack_auth`, which POSTs to `/api/latest/ai/query/generate` with `tools: ["docs"]` and `systemPrompt: "docs-ask-ai"`. The backend no longer loads doc tools via MCP; `createDocsTools()` calls the docs app `POST /api/internal/docs-tools` with typed actions (same behavior as before). Optional `STACK_INTERNAL_DOCS_TOOLS_SECRET` gates the internal route; `STACK_DOCS_INTERNAL_BASE_URL` overrides the docs origin for the backend.
 Q: What caused the March 19, 2026 QEMU local emulator deps startup regression?
 A: The QEMU runtime path regressed when it switched from mounting `docker/local-emulator/base.env` into the runtime ISO to mounting the generated hidden file `docker/local-emulator/.env.development` instead. In testing, the `.env.development` QEMU path left cold boot stuck with only PostgreSQL healthy, while restoring the runtime ISO back to `base.env` brought deps startup back to about 12-13 seconds. The env payloads were effectively the same, so the likely issue was the QEMU runtime bundle/path handling for `.env.development`, not the actual env values.
 Q: Where is the private sign-up risk engine generated entrypoint in backend now?

docs/.env

@@ -0,0 +1,6 @@
+# Basic
+NEXT_PUBLIC_STACK_API_URL=# the base URL of Stack's backend/API
+NEXT_PUBLIC_STACK_PROJECT_ID=# the project ID to use
+NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=# publishable client key for the project
+STACK_SECRET_SERVER_KEY=# secret server key for the project
+STACK_OPENROUTER_API_KEY=# OpenRouter API key for AI-enabled chat

docs/content/docs/(guides)/others/mcp-setup.mdx

@@ -10,6 +10,8 @@ title: MCP Setup
 
 Set up Stack Auth's Model Context Protocol (MCP) server to get intelligent code assistance in your development environment.
 
+The MCP server exposes a single tool, **`ask_stack_auth`**, which sends your question to the same Stack Auth documentation AI used on [docs.stack-auth.com](https://docs.stack-auth.com).
+
 <Tabs defaultValue="cursor">
   <TabsList>
     <TabsTrigger value="cursor">Cursor</TabsTrigger>
@@ -231,10 +233,9 @@ by [![Hypr MCP](https://hyprmcp.com/hyprmcp_20px.svg)](https://hyprmcp.com/)`}</
 
 ## Features
 
-The Stack Auth MCP server provides:
+The Stack Auth MCP server exposes **`ask_stack_auth`**, which answers questions using live documentation retrieval and the docs-site AI assistant. It can help with:
 
-- **Authentication Flow Assistance**: Get help implementing sign-in, sign-up, and user management
-- **API Documentation**: Access Stack Auth API documentation and examples
-- **Code Generation**: Generate boilerplate code for common authentication patterns
-- **Best Practices**: Receive guidance on security best practices and implementation patterns
+- **Authentication flows**: Sign-in, sign-up, and user management
+- **APIs and SDKs**: Endpoints, examples, and framework integration
+- **Best practices**: Security and configuration guidance