# Remote Auth and Consent Path

## Local development
- Default transport: `stdio`
- Credentials for backing stores are host-managed environment variables.
- Tool calls that mutate memory or run state still require explicit host invocation.

## Remote deployment model
V1 keeps remote deployment disabled by default. When enabled, the MCP server should be treated as a protected resource server.

Required path:
1. Publish OAuth 2.1-compatible discovery metadata for the authorization server and resource server.
2. Use short-lived access tokens and rotating refresh tokens where applicable.
3. Bind scopes to read-only memory access, memory writes, checkpoint mutation, and admin actions separately.
4. Require explicit user or host consent before exposing project data or allowing mutating tools.
5. Log the protocol version, client identity, granted scopes, and consent decision for each remote session.

## Consent rules
- Read-only resources can be granted with read scopes.
- Mutating tools such as memory writes and checkpoint mutation require explicit consent and should be deny-by-default.
- External side-effecting actions remain approval-gated even after remote authentication.