Merge branch 'main' into update-docs-v0.16.0

Author: reyortiz3

.claude/skills/docs-review/SKILL.md

@@ -50,6 +50,7 @@ Perform critical editorial reviews as a tech writer / copyeditor, focusing on cl
 - **TOC test**: If the table of contents fills a screen, the doc is likely too long
 - **Heading count**: 20+ headings signals over-segmentation; consolidate
 - **Information flow**: Conceptual content (trade-offs, when to use) should come before implementation details, not after
+- **Admonition weight**: Tips, notes, and warnings should be supplementary. If an admonition contains primary feature documentation (full YAML examples, the only explanation of a field or concept), it should be promoted to a proper section or its own page. A good test: if this admonition is the only place a feature is documented, it's not a tip - it's a section that needs a heading and ToC visibility.
 - **Diataxis alignment**: Don't mix tutorials, how-tos, reference, and concepts in one doc without clear separation
 
 ### LLM-Generated Content Patterns
@@ -79,6 +80,7 @@ The docs follow a product-area-based information architecture under `docs/toolhi
 - **Inbound link coverage for new pages**: When a PR adds a new page, check that it is reachable beyond just the sidebar. New pages need inbound links from related pages (overviews, intros, feature lists, related how-to guides). A page with no inbound links is isolated in the user journey. For major new features, also check whether top-level intro/overview pages should mention the capability.
 - **Introduction pages**: Each product section should have an Introduction as the first sidebar child. New sections must follow this pattern.
 - **Progressive disclosure**: Core workflows should appear before advanced topics. Check that advanced content isn't mixed in with beginner-facing pages.
+- **Pattern consistency for peer concepts**: When a PR introduces a new resource type, feature, or component that has established peers in the doc set, check whether it follows the same documentation pattern (dedicated page, equivalent depth of coverage, parallel sidebar placement). A new CRD documented only as a subsection of another page, when its peer CRDs each have their own page, is a structural gap.
 - **Forward navigation path**: A reader should be able to follow "Next steps" links from the quickstart through core workflows without relying on the sidebar.
 
 ### Clarity and Readability

.claude/skills/upstream-release-docs/SKILL.md

@@ -85,17 +85,28 @@ For each PR identified in Phase 1 (skip internal/infra unless user requests):
    - Do not attempt to fabricate the "why" or consumer story from code structure alone — this produces documentation that covers the "what" and "how" but misses the perspective and voice that only comes from understanding the product intent
    - Incremental changes (new config options, default changes, annotation additions) can proceed without this step
 
-5. **Read the actual source code at the release tag** to verify every claim made in the PR description:
+5. **Check related repositories** — components often span multiple repos. For example, a server's CRD/operator may live in a different repo than the server itself. When a release changes config structures, API surfaces, or deployment models, check whether related repos (operators, CLIs, client libraries) have also released changes that affect the documentation. Ask the user which repos are related if unclear.
+
+6. **Read the actual source code at the release tag** to verify every claim made in the PR description:
 
    ```bash
    gh api repos/<OWNER>/<REPO>/contents/<PATH>?ref=<TAG>
    ```
 
    The response is base64-encoded; decode it to read the content.
 
-6. Note discrepancies between PR descriptions and actual code. Trust the code.
+7. Note discrepancies between PR descriptions and actual code. Trust the code.
+
+8. **Deep-verify behavioral claims** — these are the most common source of documentation inaccuracy. For each feature, verify not just struct definitions but actual runtime behavior:
+   - **API routes**: Check the actual route registration code (e.g., `r.Get`, `r.Post`, `r.Delete`), not just handler names. Docs often claim endpoints exist at paths where no handler is registered.
+   - **Required fields**: Check validation code (e.g., `if field == ""` checks), not just struct definitions. A field present in a struct is not necessarily required — only fields checked in validation logic are enforced.
+   - **Default values**: Check the actual defaulting code or fallback logic, not comments or struct tags. For example, "defaults to main" may actually mean "defaults to the remote's HEAD" in practice.
+   - **Precedence rules**: Read the actual `if/else` chain. For example, `if commit != "" { ... } else if branch != "" { ... } else if tag != "" { ... }` means commit > branch > tag, not commit > tag > branch.
+   - **Delete/cleanup behavior**: Check whether the code reassigns pointers, cascades deletes, or leaves orphans. Delete behavior is frequently mis-documented.
+   - **Query parameters**: Check whether parsed parameters are actually wired to the service layer and database queries. Parameters can be parsed from the URL but silently ignored if no service option or SQL filter exists for them.
+   - **Containment/authorization direction**: When documenting subset/superset checks, verify which argument is the caller and which is the resource. Getting the direction wrong produces examples that show the opposite of actual behavior.
 
-7. Identify:
+9. Identify:
    - **Auto-generated content** — files generated from upstream (OpenAPI specs, CLI reference docs, JSON schemas). Do not manually edit these; flag them for automated update instead. However, auto-generated reference docs (e.g., API endpoints from a swagger spec) do **not** replace the need for conceptual explanations, guide content, or cross-references in existing pages. A new feature with auto-generated API docs still needs: (1) a conceptual explanation of what it is and why it exists, (2) mentions and cross-references in related existing pages (intro pages, feature lists, related guides), and (3) guide content if the feature has non-trivial workflows. Only skip creating a **duplicate API reference page** — never skip the surrounding documentation.
    - **Hidden/experimental features** — look for indicators like `Hidden: true` in CLI command definitions, feature flags, or internal-only annotations. Do not document these unless the user explicitly asks.
 
@@ -167,7 +178,7 @@ Apply the approved changes:
 
 ## Phase 5: Validation
 
-1. **Re-verify every factual claim** against source code at the tag. This is the third verification pass (after Phase 2 and Phase 4).
+1. **Re-verify every factual claim** against source code at the tag. This is the third verification pass (after Phase 2 and Phase 4). For large doc sets, spawn parallel verification agents — one per file or topic area — to check all claims concurrently. Each agent should read the doc file and verify every factual claim (struct fields, API routes, defaults, behavioral logic) against the actual source code at the release tag. Collect and resolve any discrepancies before proceeding.
 
 2. **Build the site** — run the project's build command to check for broken links, missing references, or build errors.
 

docs/toolhive/integrations/aws-sts.mdx

@@ -119,20 +119,18 @@ mapping.
 
 ### Understanding the AWS MCP Server permission model
 
-AWS MCP Server authorization works in two layers:
+AWS MCP Server authorization works at the AWS service level using standard IAM
+policies. There are no separate `aws-mcp:*` actions — you grant the AWS service
+permissions you want users to have, and the AWS MCP Server enforces them.
 
-1. **MCP layer** (`aws-mcp:*` actions) - controls which categories of MCP tools
-   the user can invoke
-2. **AWS service layer** (e.g., `s3:*`, `ec2:*`) - controls what the
-   `aws___call_aws` tool can actually do when it makes AWS API calls
+Two IAM condition keys let you scope policies specifically to MCP traffic:
 
-The `aws-mcp` namespace defines three actions:
-
-- `InvokeMcp` - required to connect and discover available tools
-- `CallReadOnlyTool` - search documentation, list regions, get CLI suggestions
-  (most tools)
-- `CallReadWriteTool` - execute real AWS API calls via the `aws___call_aws` tool
-  (requires additional service permissions)
+- `aws:ViaAWSMCPService` (Bool) — `true` for any request routed through an
+  AWS-managed MCP server. Use this when you want to allow access via any AWS MCP
+  server, or to deny direct API access outside of MCP.
+- `aws:CalledViaAWSMCP` (String) — identifies the specific MCP server that
+  originated the request (for example, `aws-mcp.amazonaws.com`). Use this when
+  you want to restrict access to a particular MCP server endpoint.
 
 ### Default role
 
@@ -163,17 +161,35 @@ condition rejects tokens meant for other services:
 }
 ```
 
-The permission policy grants read-only MCP access. Users can search AWS
-documentation and get suggestions, but cannot execute AWS API calls:
+The permission policy grants minimal access. It allows `sts:GetCallerIdentity`
+as a smoke test (so you can verify the role assumption works), and includes a
+deny guardrail that prevents the credentials from being used outside of MCP:
 
 ```json title="default-mcp-permissions.json"
 {
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "AllowMinimalAccessViaMCP",
       "Effect": "Allow",
-      "Action": ["aws-mcp:InvokeMcp", "aws-mcp:CallReadOnlyTool"],
-      "Resource": "*"
+      "Action": "sts:GetCallerIdentity",
+      "Resource": "*",
+      "Condition": {
+        "Bool": {
+          "aws:ViaAWSMCPService": "true"
+        }
+      }
+    },
+    {
+      "Sid": "DenyDirectAPIAccess",
+      "Effect": "Deny",
+      "Action": "*",
+      "Resource": "*",
+      "Condition": {
+        "BoolIfExists": {
+          "aws:ViaAWSMCPService": "false"
+        }
+      }
     }
   ]
 }
@@ -207,34 +223,42 @@ blast radius even if a role's identity policy is overly permissive.
 
 You can create additional roles with different permissions and map them to
 specific groups using ToolHive's role mappings. This example creates a role that
-grants `CallReadWriteTool` (so the `aws___call_aws` tool can execute API calls)
-and scopes the underlying AWS permissions to S3 read-only access:
+grants S3 read-only access when using the AWS MCP Server:
 
 ```json title="s3-readonly-permissions.json"
 {
   "Version": "2012-10-17",
   "Statement": [
     {
+      "Sid": "AllowS3ReadAccessViaMCP",
       "Effect": "Allow",
-      "Action": [
-        "aws-mcp:InvokeMcp",
-        "aws-mcp:CallReadOnlyTool",
-        "aws-mcp:CallReadWriteTool"
-      ],
-      "Resource": "*"
+      "Action": ["s3:GetObject", "s3:ListBucket"],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "aws:CalledViaAWSMCP": "aws-mcp.amazonaws.com"
+        }
+      }
     },
     {
-      "Effect": "Allow",
-      "Action": ["s3:GetObject", "s3:ListBucket"],
-      "Resource": "*"
+      "Sid": "DenyDirectAPIAccess",
+      "Effect": "Deny",
+      "Action": "*",
+      "Resource": "*",
+      "Condition": {
+        "BoolIfExists": {
+          "aws:ViaAWSMCPService": "false"
+        }
+      }
     }
   ]
 }
 ```
 
-The first statement unlocks the `aws___call_aws` tool. The second statement
-limits what that tool can actually do - in this case, only S3 read operations.
-Without the S3 permissions, API calls to other services would be denied by IAM.
+No `aws-mcp:*` actions are required — you grant only the AWS service permissions
+you need. The `aws:CalledViaAWSMCP` condition scopes access to requests
+originating from the AWS MCP Server, and the deny guardrail prevents the
+temporary credentials from being used outside of MCP.
 
 ```bash
 aws iam create-role \
@@ -263,6 +287,9 @@ spec:
   awsSts:
     region: <YOUR_AWS_REGION>
 
+    # SigV4 service name for the AWS MCP Server
+    service: aws-mcp
+
     # Default role when no role mapping matches
     fallbackRoleArn: >-
       arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/DefaultMCPRole
@@ -347,10 +374,13 @@ spec:
   # OIDC configuration for validating incoming client tokens
   oidcConfig:
     type: inline
+    # Public URL of this proxy's MCP endpoint, advertised to clients
+    # via WWW-Authenticate so they can discover your OIDC provider.
+    # Must match the hostname you configure in Step 5.
+    resourceUrl: https://<YOUR_DOMAIN>/mcp
     inline:
       issuer: https://<YOUR_OIDC_ISSUER>
       audience: <YOUR_OIDC_AUDIENCE>
-      clientId: <YOUR_OIDC_CLIENT_ID>
 
   proxyPort: 8080
   transport: streamable-http
@@ -492,11 +522,19 @@ TOKEN=$(oauth2c https://<YOUR_OIDC_ISSUER> \
   --response-types code \
   --pkce | jq -r '.access_token')
 
-# This should return a list of tools
+# Step 1: initialize the MCP session and capture the session ID
+SESSION=$(curl -si -X POST http://localhost:8080/mcp \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{},"clientInfo":{"name":"curl-test","version":"1.0"}}}' \
+  | grep -i "^mcp-session-id:" | awk '{print $2}' | tr -d '\r')
+
+# Step 2: list available tools using the session ID
 curl -X POST http://localhost:8080/mcp \
   -H "Authorization: Bearer $TOKEN" \
   -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'
+  -H "Mcp-Session-Id: $SESSION" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
 ```
 
 Check the proxy logs to confirm role selection is working:
@@ -508,6 +546,58 @@ kubectl logs -n toolhive-system \
 
 Look for log entries showing role selection and STS exchange results.
 
+## Security best practices
+
+### The deny guardrail pattern
+
+Both policy examples above include a `DenyDirectAPIAccess` statement that uses
+`BoolIfExists`:
+
+```json
+{
+  "Sid": "DenyDirectAPIAccess",
+  "Effect": "Deny",
+  "Action": "*",
+  "Resource": "*",
+  "Condition": {
+    "BoolIfExists": {
+      "aws:ViaAWSMCPService": "false"
+    }
+  }
+}
+```
+
+`BoolIfExists` is important here. Without the `IfExists` suffix, the deny would
+apply even when the condition key is absent — which would block legitimate STS
+operations like `AssumeRoleWithWebIdentity` itself. With `IfExists`, the
+condition only evaluates when the key is present:
+
+| `aws:ViaAWSMCPService` present? | Value   | Deny applies? |
+| ------------------------------- | ------- | ------------- |
+| No (key absent)                 | —       | No            |
+| Yes                             | `true`  | No            |
+| Yes                             | `false` | Yes           |
+
+This means credentials can only be used when the request flows through an AWS
+MCP server. If the temporary credentials are ever extracted and used directly
+against the AWS API, the deny fires and access is blocked.
+
+### Choosing between condition keys
+
+Use `aws:ViaAWSMCPService` when you want to:
+
+- Allow or deny access based on whether the request came through _any_
+  AWS-managed MCP server
+- Write deny guardrails that apply regardless of which MCP server is used
+
+Use `aws:CalledViaAWSMCP` when you want to:
+
+- Scope access to a _specific_ MCP server endpoint (for example,
+  `aws-mcp.amazonaws.com`)
+- Prevent credentials from being used with other MCP servers
+
+You can combine both in a single policy for the tightest scoping.
+
 ## Observability and audit
 
 ToolHive sets the STS session name to the user's `sub` claim from their JWT.
@@ -550,7 +640,7 @@ aws iam delete-open-id-connect-provider \
   arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:oidc-provider/<YOUR_OIDC_ISSUER>
 ```
 
-## What's next?
+## Next steps
 
 - Learn about the concepts behind
   [backend authentication](../concepts/backend-auth.mdx) and
@@ -589,19 +679,22 @@ aws iam get-role --role-name DefaultMCPRole \
 
 <details>
 <summary>Service access denied: "User is not authorized to perform
-aws-mcp:InvokeMcp"</summary>
+s3:ListBucket" (or similar)</summary>
 
-This error means the assumed role doesn't have the required permissions. Verify
-the permission policy attached to the role includes the necessary actions:
+This error means the assumed role doesn't have the required AWS service
+permissions. Authorization is now at the service level — there are no
+`aws-mcp:*` actions. Verify the permission policy attached to the role includes
+the actions the MCP tool needs:
 
 ```bash
 aws iam get-role-policy \
-  --role-name DefaultMCPRole \
-  --policy-name DefaultMCPPolicy
+  --role-name S3ReadOnlyMCPRole \
+  --policy-name S3ReadOnlyMCPPolicy
 ```
 
-Ensure the policy includes `aws-mcp:InvokeMcp` and any other actions your MCP
-tools require.
+Ensure the policy includes the relevant service actions (for example,
+`s3:GetObject`, `s3:ListBucket`) and that the `aws:CalledViaAWSMCP` or
+`aws:ViaAWSMCPService` conditions are correctly set.
 
 </details>
 

docusaurus.config.ts

@@ -103,24 +103,6 @@ const config: Config = {
         },
       };
     },
-    function thredSearchSignals() {
-      return {
-        name: 'thred-search-signals',
-        injectHtmlTags() {
-          if (!isProductionDeploy) return {};
-          return {
-            postBodyTags: [
-              {
-                tagName: 'script',
-                attributes: {
-                  src: 'https://cdn.thred.dev/thred-track.js?browserKey=8516ce3e-18ef-4f7f-be44-2bf408657d14',
-                },
-              },
-            ],
-          };
-        },
-      };
-    },
   ],
 
   // Set the production url of your site here
@@ -216,21 +198,6 @@ const config: Config = {
     ],
   ],
 
-  scripts: [
-    // HubSpot tracking script (production only)
-    ...(isProductionDeploy
-      ? [
-          {
-            id: 'hs-script-loader',
-            type: 'text/javascript',
-            src: '//js-na2.hs-scripts.com/42544743.js',
-            async: true,
-            defer: true,
-          },
-        ]
-      : []),
-  ],
-
   themeConfig: {
     colorMode: {
       defaultMode: 'dark',