@frontmcp/skills 1.1.2 → 1.2.1

package/catalog/frontmcp-config/SKILL.md

@@ -65,8 +65,9 @@ Entry point for configuring FrontMCP servers. This skill helps you find the righ
 | Understand auth mode details (public/transparent/local/remote) | `configure-auth-modes`                 | Authentication mode details (public, transparent, local, remote)    |
 | Fine-tune guard configuration for throttling                   | `configure-throttle-guard-config`      | Advanced guard configuration for throttling                         |
 | Use transport protocol presets                                 | `configure-transport-protocol-presets` | Transport protocol preset configurations                            |
-| Configure multi-target deployments and frontmcp.config.ts      | `configure-deployment-targets`         | Typed config with defineConfig(), 8 deployment targets, JSON schema |
+| Configure multi-target deployments and frontmcp.config.ts      | `configure-deployment-targets`         | Typed config with defineConfig(), 9 deployment targets, JSON schema |
 | Add CSP, HSTS, X-Frame-Options, and other security headers     | `configure-security-headers`           | CSP directives, report-only mode, HSTS preload, custom headers      |
+| Configure skills HTTP, instructions injection, or audit log    | `configure-skills-http`                | Full `skillsConfig` reference: auth, cache, instructions, audit log |
 | Split apps into separate scopes (`splitByApp`)                 | `decorators-guide`                     | Per-app scope and basePath isolation on `@FrontMcp`                 |
 | Enable widget-to-host communication (ext-apps)                 | `decorators-guide`                     | `extApps` host capabilities, session validation, widget comms       |
 | Enable background jobs and workflows                           | `decorators-guide`                     | `jobs: { enabled: true, store? }` on `@FrontMcp`                    |
@@ -144,13 +145,115 @@ Server (@FrontMcp)     ← Global defaults
 
 ## Troubleshooting
 
-| Problem                                 | Cause                                            | Solution                                                                                             |
-| --------------------------------------- | ------------------------------------------------ | ---------------------------------------------------------------------------------------------------- |
-| Server fails to start with config error | Invalid or missing required config field         | Check the error message; FrontMCP validates config at startup and reports the specific invalid field |
-| CORS blocked in browser                 | Missing or incorrect CORS origin config          | Add the client's origin to `http.cors.origin`; see `configure-http`                                  |
-| Rate limit too aggressive               | Global limit applied to all tools                | Add per-tool overrides for cheap tools with higher limits; see `configure-throttle`                  |
-| Sessions lost on serverless             | Using memory session store on stateless platform | Switch to Redis or Vercel KV; see `configure-session`                                                |
-| Auth callback fails                     | OAuth redirect URI mismatch                      | Ensure the callback URL in your OAuth provider matches `auth.callbackUrl`; see `configure-auth`      |
+| Problem                                 | Cause                                            | Solution                                                                                                                          |
+| --------------------------------------- | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- |
+| Server fails to start with config error | Invalid or missing required config field         | Check the error message; FrontMCP validates config at startup and reports the specific invalid field                              |
+| CORS blocked in browser                 | Missing or incorrect CORS origin config          | Add the client's origin to `http.cors.origin`; see `configure-http`                                                               |
+| Rate limit too aggressive               | Global limit applied to all tools                | Add per-tool overrides for cheap tools with higher limits; see `configure-throttle`                                               |
+| Sessions lost on serverless             | Using memory session store on stateless platform | Switch to Redis or Vercel KV; see `configure-session`                                                                             |
+| Auth callback fails                     | OAuth redirect URI mismatch                      | Ensure the redirect URI registered with your OAuth provider matches the server's `/oauth/callback` endpoint; see `configure-auth` |
+
+## Examples
+
+Each reference has matching examples under [`examples/<reference>/`](./examples/):
+
+### `configure-auth-modes`
+
+| Example                                                                                       | Level        | Description                                                                                 |
+| --------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------- |
+| [`local-self-signed-tokens`](./examples/configure-auth-modes/local-self-signed-tokens.md)     | Intermediate | Configure a server that signs its own JWT tokens with consent and incremental auth enabled. |
+| [`remote-enterprise-oauth`](./examples/configure-auth-modes/remote-enterprise-oauth.md)       | Advanced     | Delegate authentication to an external OAuth orchestrator with Redis-backed token storage.  |
+| [`transparent-jwt-validation`](./examples/configure-auth-modes/transparent-jwt-validation.md) | Basic        | Validate externally-issued JWTs without managing token lifecycle on the server.             |
+
+### `configure-auth`
+
+| Example                                                                           | Level        | Description                                                                                                                                                |
+| --------------------------------------------------------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [`multi-app-auth`](./examples/configure-auth/multi-app-auth.md)                   | Advanced     | Configure a single FrontMCP server with multiple apps, each using a different auth mode -- public for open endpoints and remote for admin endpoints.       |
+| [`public-mode-setup`](./examples/configure-auth/public-mode-setup.md)             | Basic        | Set up a FrontMCP server with public (unauthenticated) access and anonymous scopes.                                                                        |
+| [`remote-oauth-with-vault`](./examples/configure-auth/remote-oauth-with-vault.md) | Intermediate | Configure a FrontMCP server with remote OAuth 2.1 authentication and use the credential vault to call downstream APIs on behalf of the authenticated user. |
+
+### `configure-elicitation`
+
+| Example                                                                                              | Level        | Description                                                                         |
+| ---------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------------------------------------------------- |
+| [`basic-confirmation-gate`](./examples/configure-elicitation/basic-confirmation-gate.md)             | Basic        | Request user confirmation before executing a destructive action.                    |
+| [`distributed-elicitation-redis`](./examples/configure-elicitation/distributed-elicitation-redis.md) | Intermediate | Configure elicitation with Redis storage for multi-instance production deployments. |
+
+### `configure-http`
+
+| Example                                                                             | Level        | Description                                                                          |
+| ----------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------ |
+| [`cors-restricted-origins`](./examples/configure-http/cors-restricted-origins.md)   | Basic        | Configure CORS to allow only specific frontend origins with credentials.             |
+| [`entry-path-reverse-proxy`](./examples/configure-http/entry-path-reverse-proxy.md) | Intermediate | Mount the MCP server under a URL prefix for reverse proxy or multi-service setups.   |
+| [`unix-socket-local`](./examples/configure-http/unix-socket-local.md)               | Intermediate | Bind the server to a unix socket instead of a TCP port for local-only communication. |
+
+### `configure-session`
+
+| Example                                                                              | Level        | Description                                                                      |
+| ------------------------------------------------------------------------------------ | ------------ | -------------------------------------------------------------------------------- |
+| [`multi-server-key-prefix`](./examples/configure-session/multi-server-key-prefix.md) | Intermediate | Use unique key prefixes when multiple FrontMCP servers share one Redis instance. |
+| [`redis-session-store`](./examples/configure-session/redis-session-store.md)         | Basic        | Configure Redis-backed session storage for production deployments.               |
+| [`vercel-kv-session`](./examples/configure-session/vercel-kv-session.md)             | Intermediate | Configure Vercel KV for session storage in serverless Vercel deployments.        |
+
+### `configure-throttle-guard-config`
+
+| Example                                                                                      | Level    | Description                                                              |
+| -------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------ |
+| [`full-guard-config`](./examples/configure-throttle-guard-config/full-guard-config.md)       | Advanced | Complete GuardConfig using every available field for maximum protection. |
+| [`minimal-guard-config`](./examples/configure-throttle-guard-config/minimal-guard-config.md) | Basic    | Enable throttle with just a global rate limit and default timeout.       |
+
+### `configure-throttle`
+
+| Example                                                                                     | Level        | Description                                                                                 |
+| ------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------- |
+| [`distributed-redis-throttle`](./examples/configure-throttle/distributed-redis-throttle.md) | Advanced     | Configure Redis-backed rate limiting for multi-instance deployments behind a load balancer. |
+| [`per-tool-rate-limit`](./examples/configure-throttle/per-tool-rate-limit.md)               | Intermediate | Override server defaults with per-tool rate limits and concurrency caps.                    |
+| [`server-level-rate-limit`](./examples/configure-throttle/server-level-rate-limit.md)       | Basic        | Configure global rate limits and IP filtering at the server level.                          |
+
+### `configure-transport-protocol-presets`
+
+| Example                                                                                                   | Level        | Description                                                                   |
+| --------------------------------------------------------------------------------------------------------- | ------------ | ----------------------------------------------------------------------------- |
+| [`legacy-preset-nodejs`](./examples/configure-transport-protocol-presets/legacy-preset-nodejs.md)         | Basic        | Use the default legacy preset for maximum compatibility with all MCP clients. |
+| [`stateless-api-serverless`](./examples/configure-transport-protocol-presets/stateless-api-serverless.md) | Intermediate | Use the stateless-api preset for Vercel, Lambda, or Cloudflare Workers.       |
+
+### `configure-transport`
+
+| Example                                                                                      | Level        | Description                                                                              |
+| -------------------------------------------------------------------------------------------- | ------------ | ---------------------------------------------------------------------------------------- |
+| [`custom-protocol-flags`](./examples/configure-transport/custom-protocol-flags.md)           | Advanced     | Override individual protocol flags instead of using a preset for fine-grained control.   |
+| [`distributed-sessions-redis`](./examples/configure-transport/distributed-sessions-redis.md) | Intermediate | Configure transport with Redis persistence for multi-instance load-balanced deployments. |
+| [`stateless-serverless`](./examples/configure-transport/stateless-serverless.md)             | Basic        | Configure stateless transport for Vercel, Lambda, or Cloudflare deployments.             |
+
+### `configure-deployment-targets`
+
+| Example                                                                                               | Level        | Description                                                                                                                      |
+| ----------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------------------------------------------------------------------------- |
+| [`multi-target-with-security`](./examples/configure-deployment-targets/multi-target-with-security.md) | Intermediate | Configure a FrontMCP project with node + distributed targets, CSP headers, and HSTS                                              |
+| [`distributed-ha-config`](./examples/configure-deployment-targets/distributed-ha-config.md)           | Advanced     | Configure a distributed deployment target with HA settings for heartbeat, session takeover, and Redis-backed session persistence |
+| [`json-schema-ide-support`](./examples/configure-deployment-targets/json-schema-ide-support.md)       | Basic        | Use frontmcp.config.json with JSON Schema for VS Code and WebStorm autocomplete                                                  |
+
+### `configure-security-headers`
+
+| Example                                                                                       | Level        | Description                                                                                                            |
+| --------------------------------------------------------------------------------------------- | ------------ | ---------------------------------------------------------------------------------------------------------------------- |
+| [`csp-report-only`](./examples/configure-security-headers/csp-report-only.md)                 | Basic        | Test CSP policies in report-only mode to identify violations before enforcement                                        |
+| [`full-production-headers`](./examples/configure-security-headers/full-production-headers.md) | Intermediate | Complete security headers configuration for production with CSP enforcement, HSTS preload, and clickjacking protection |
+
+## Accessing This Skill
+
+Skills are distributed as plain SKILL.md files plus a sibling `references/`
+and `examples/` tree, so consumers can pick whichever access mode fits:
+
+| Mode               | How it works                                                                                                                                                                                                                                                                                                                                    |
+| ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Filesystem**     | Read `libs/skills/catalog/frontmcp-config/` directly from a clone of the catalog repo, or from a published `@frontmcp/skills` install. SKILL.md is the entry point.                                                                                                                                                                             |
+| **`frontmcp` CLI** | `frontmcp skills list`, `frontmcp skills read frontmcp-config`, `frontmcp skills read frontmcp-config:references/<file>.md`, `frontmcp skills install frontmcp-config` — no server required.                                                                                                                                                    |
+| **MCP `skill://`** | When a developer mounts this skill into their own FrontMCP server (`@FrontMcp({ skills: [...] })`), the SDK exposes it via SEP-2640 resources: `skill://frontmcp-config/SKILL.md`, `skill://frontmcp-config/references/{file}.md`, etc. The server’s `skill://index.json` returns the SEP-2640 discovery document for everything mounted on it. |
+
+The catalog itself is **not** an MCP server. The `skill://` URIs only resolve
+when a server has been configured to host this skill.
 
 ## Reference
 

package/catalog/frontmcp-config/examples/configure-auth-modes/local-self-signed-tokens.md

@@ -6,7 +6,7 @@ description: 'Configure a server that signs its own JWT tokens with consent and
 tags: [config, auth, redis, local, auth-modes, modes]
 features:
   - "Using `mode: 'local'` so the server signs its own JWTs"
-  - 'Setting `local.issuer` and `local.audience` to control token claims'
+  - 'Setting `local.issuer` and `expectedAudience` to control token claims'
   - 'Enabling `consent` for explicit user authorization flow'
   - 'Enabling `incrementalAuth` to request additional scopes progressively'
   - 'Using Redis for token storage in production'
@@ -40,9 +40,9 @@ class ManageUsersTool extends ToolContext {
     mode: 'local',
     local: {
       issuer: 'my-internal-server',
-      audience: 'internal-api',
     },
-    tokenStorage: 'redis',
+    expectedAudience: 'internal-api',
+    tokenStorage: { redis: { host: process.env['REDIS_HOST'] ?? 'localhost', port: 6379 } },
     consent: { enabled: true },
     incrementalAuth: { enabled: true },
   },
@@ -65,7 +65,7 @@ class Server {}
 ## What This Demonstrates
 
 - Using `mode: 'local'` so the server signs its own JWTs
-- Setting `local.issuer` and `local.audience` to control token claims
+- Setting `local.issuer` and `expectedAudience` to control token claims
 - Enabling `consent` for explicit user authorization flow
 - Enabling `incrementalAuth` to request additional scopes progressively
 - Using Redis for token storage in production

package/catalog/frontmcp-config/examples/configure-auth-modes/remote-enterprise-oauth.md

@@ -40,7 +40,13 @@ class QueryDataTool extends ToolContext {
     provider: 'https://auth.example.com',
     clientId: process.env['OAUTH_CLIENT_ID']!,
     clientSecret: process.env['OAUTH_CLIENT_SECRET'],
-    tokenStorage: 'redis',
+    tokenStorage: {
+      redis: {
+        host: process.env['REDIS_HOST'] ?? 'redis.internal',
+        port: Number(process.env['REDIS_PORT'] ?? 6379),
+        password: process.env['REDIS_PASSWORD'],
+      },
+    },
   },
   tools: [QueryDataTool],
 })

package/catalog/frontmcp-config/examples/configure-deployment-targets/distributed-ha-config.md

@@ -19,7 +19,7 @@ Configure a distributed deployment target with HA settings for heartbeat, sessio
 
 ```typescript
 // frontmcp.config.ts
-import { defineConfig } from '@frontmcp/cli';
+import { defineConfig } from 'frontmcp';
 
 export default defineConfig({
   name: 'ha-server',

package/catalog/frontmcp-config/examples/configure-deployment-targets/json-schema-ide-support.md

@@ -18,7 +18,7 @@ Use frontmcp.config.json with JSON Schema for VS Code and WebStorm autocomplete
 
 ```json
 {
-  "$schema": "./node_modules/@frontmcp/cli/frontmcp.schema.json",
+  "$schema": "./node_modules/frontmcp/frontmcp.schema.json",
   "name": "my-server",
   "version": "1.0.0",
   "deployments": [

package/catalog/frontmcp-config/examples/configure-deployment-targets/multi-target-with-security.md

@@ -20,7 +20,7 @@ Configure a FrontMCP project with node + distributed targets, CSP headers, and H
 
 ```typescript
 // frontmcp.config.ts
-import { defineConfig } from '@frontmcp/cli';
+import { defineConfig } from 'frontmcp';
 
 export default defineConfig({
   name: 'secure-server',
@@ -33,13 +33,13 @@ export default defineConfig({
         http: { port: 3000 },
         csp: {
           enabled: true,
-          directives: [
-            "default-src 'self'",
-            "script-src 'self' https://cdn.example.com",
-            "style-src 'self' 'unsafe-inline'",
-            'img-src * data:',
-            'upgrade-insecure-requests',
-          ].join('; '),
+          directives: {
+            'default-src': "'self'",
+            'script-src': "'self' https://cdn.example.com",
+            'style-src': "'self' 'unsafe-inline'",
+            'img-src': '* data:',
+            'upgrade-insecure-requests': '', // value-less directive
+          },
         },
         headers: {
           hsts: 'max-age=31536000; includeSubDomains; preload',
@@ -60,7 +60,10 @@ export default defineConfig({
       server: {
         csp: {
           enabled: true,
-          directives: "default-src 'self'; upgrade-insecure-requests",
+          directives: {
+            'default-src': "'self'",
+            'upgrade-insecure-requests': '',
+          },
           reportUri: 'https://report.example.com/csp',
           reportOnly: false,
         },

package/catalog/frontmcp-config/examples/configure-http/cors-restricted-origins.md

@@ -19,7 +19,7 @@ Configure CORS to allow only specific frontend origins with credentials.
 
 ```typescript
 // src/server.ts
-import { FrontMcp, App } from '@frontmcp/sdk';
+import { App, FrontMcp } from '@frontmcp/sdk';
 
 @App({ name: 'my-app' })
 class MyApp {}
@@ -28,7 +28,7 @@ class MyApp {}
   info: { name: 'cors-server', version: '1.0.0' },
   apps: [MyApp],
   http: {
-    port: Number(process.env['PORT']) || 3001,
+    port: Number(process.env['PORT']) || 3000,
     cors: {
       origin: ['https://myapp.com', 'https://staging.myapp.com'],
       credentials: true,

package/catalog/frontmcp-config/examples/configure-http/entry-path-reverse-proxy.md

@@ -43,7 +43,7 @@ class ApiApp {}
   info: { name: 'proxy-server', version: '1.0.0' },
   apps: [ApiApp],
   http: {
-    port: 3001,
+    port: 3000,
     entryPath: '/api/mcp', // no trailing slash
     cors: {
       origin: (origin: string) => {

package/catalog/frontmcp-config/examples/configure-security-headers/csp-report-only.md

@@ -18,7 +18,7 @@ Test CSP policies in report-only mode to identify violations before enforcement
 
 ```typescript
 // frontmcp.config.ts
-import { defineConfig } from '@frontmcp/cli';
+import { defineConfig } from 'frontmcp';
 
 export default defineConfig({
   name: 'csp-test-server',

package/catalog/frontmcp-config/examples/configure-security-headers/full-production-headers.md

@@ -19,7 +19,7 @@ Complete security headers configuration for production with CSP enforcement, HST
 
 ```typescript
 // frontmcp.config.ts
-import { defineConfig } from '@frontmcp/cli';
+import { defineConfig } from 'frontmcp';
 
 export default defineConfig({
   name: 'production-server',

package/catalog/frontmcp-config/examples/configure-skills-http/audit-log-basic.md

@@ -0,0 +1,76 @@
+---
+name: audit-log-basic
+reference: configure-skills-http
+level: basic
+description: Enable the skill audit log with the in-memory store and HS256 signer for development and tests.
+tags: [config, skills, audit, hs256, development]
+features:
+  - 'Bootstraps the audit subsystem via setSkillAuditFactory(...) before FrontMcp registers'
+  - 'MemoryAuditStore keeps records in-process — perfect for tests, lost on restart'
+  - 'Hs256AuditSigner refuses to start when NODE_ENV === production with a random key'
+  - "subjectMode: 'hash' redacts user identifiers while keeping them correlatable"
+---
+
+# Audit Log (Basic, Dev-Mode)
+
+Enable the skill audit log with the in-memory store and HS256 signer for development and tests.
+
+## Code
+
+```typescript
+// src/server.ts
+import {
+  Hs256AuditSigner,
+  MemoryAuditStore,
+  setSkillAuditFactory,
+  SkillAuditWriter,
+  SkillAuditWriterToken,
+} from '@frontmcp/adapters/skills';
+import { FrontMcp } from '@frontmcp/sdk';
+import { randomBytes } from '@frontmcp/utils';
+
+import { MainApp } from './main.app';
+
+// Register the audit module record with the SDK at boot. The SDK constructs
+// the writer using the positional signature
+// `new SkillAuditWriter(store, signer, logger, metrics?, options?)` and
+// forwards `subjectMode` from `skillsConfig.audit`. The SDK does NOT
+// statically depend on @frontmcp/adapters/skills — this keeps the static
+// dependency graph clean and works in Edge / CSP runtimes.
+setSkillAuditFactory(() => ({
+  SkillAuditWriterToken,
+  SkillAuditWriter,
+  Hs256AuditSigner,
+  MemoryAuditStore,
+}));
+
+@FrontMcp({
+  info: { name: 'dev-server', version: '1.0.0' },
+  apps: [MainApp],
+  skillsConfig: {
+    enabled: true,
+    audit: {
+      enabled: true,
+      // WARNING: Hs256AuditSigner with a randomBytes() key refuses to fire
+      // when NODE_ENV === 'production'. Use Rs256AuditSigner in prod.
+      // Constructor signature: new Hs256AuditSigner(secret, keyId)
+      signer: new Hs256AuditSigner(randomBytes(32), 'dev'),
+      store: new MemoryAuditStore(),
+      subjectMode: 'hash',
+    },
+  },
+})
+export default class DevServer {}
+```
+
+## What This Demonstrates
+
+- Bootstraps the audit subsystem via setSkillAuditFactory(...) before FrontMcp registers
+- MemoryAuditStore keeps records in-process — perfect for tests, lost on restart
+- Hs256AuditSigner refuses to start when NODE_ENV === production with a random key
+- subjectMode: 'hash' redacts user identifiers while keeping them correlatable
+
+## Related
+
+- See `skill-audit-log` for the full architecture, threat model, and verification recipe
+- See `audit-log-redis` for the production-grade variant with persistent storage

package/catalog/frontmcp-config/examples/configure-skills-http/audit-log-redis.md

@@ -0,0 +1,116 @@
+---
+name: audit-log-redis
+reference: configure-skills-http
+level: advanced
+description: Production-grade audit log with the Redis-backed StorageAdapterAuditStore and the RS256 bundle-signing key.
+tags: [config, skills, audit, rs256, redis, production]
+features:
+  - 'StorageAdapterAuditStore persists records to Redis via the standard storage adapter'
+  - 'Rs256AuditSigner reuses the bundle-signing keypair for forensic-friendly signatures'
+  - 'Single-writer constraint: only one pod should write the chain in v1.2.0'
+  - 'verifyChain(records, trustedKeys, defaultAuditSignatureVerifier) detects tampering'
+---
+
+# Audit Log (Production, Redis + RS256)
+
+Production-grade audit log with the Redis-backed StorageAdapterAuditStore and the RS256 bundle-signing key.
+
+## Code
+
+```typescript
+// src/server.ts — must be an ES module (`"type": "module"` in package.json,
+// or `.mts` extension) so the top-level `await createStorageAdapter(...)`
+// below is allowed. CommonJS consumers should wrap the bootstrap inside an
+// `async function init() { ... }` and await it before constructing the
+// FrontMcp class.
+import {
+  Hs256AuditSigner,
+  MemoryAuditStore,
+  Rs256AuditSigner,
+  setSkillAuditFactory,
+  SkillAuditWriter,
+  SkillAuditWriterToken,
+  StorageAdapterAuditStore,
+} from '@frontmcp/adapters/skills';
+import { FrontMcp } from '@frontmcp/sdk';
+import { createStorageAdapter } from '@frontmcp/utils';
+
+import { MainApp } from './main.app';
+
+// Register the audit module record with the SDK. The SDK constructs the
+// writer with the positional signature
+// `new SkillAuditWriter(store, signer, logger, metrics?, options?)` and
+// forwards `subjectMode` from `skillsConfig.audit` into the options bag.
+setSkillAuditFactory(() => ({
+  SkillAuditWriterToken,
+  SkillAuditWriter,
+  Hs256AuditSigner,
+  MemoryAuditStore,
+}));
+
+const auditStorage = await createStorageAdapter({
+  provider: 'redis',
+  host: process.env.REDIS_HOST!,
+  port: 6379,
+  keyPrefix: 'mcp:skill-audit:',
+});
+
+// Constructor signature: new Rs256AuditSigner(privateJwk, keyId).
+// Convert a PEM secret to a JWK first if your secret store ships PEMs.
+const auditSigner = new Rs256AuditSigner(JSON.parse(process.env.BUNDLE_SIGNING_PRIVATE_JWK!), 'bundle-signing-2026-01');
+
+@FrontMcp({
+  info: { name: 'prod-server', version: '1.0.0' },
+  apps: [MainApp],
+  redis: { provider: 'redis', host: process.env.REDIS_HOST!, port: 6379 },
+  skillsConfig: {
+    enabled: true,
+    auth: 'bearer',
+    jwt: { issuer: process.env.JWT_ISSUER!, audience: 'skills-api' },
+    cache: {
+      enabled: true,
+      redis: { provider: 'redis', host: process.env.REDIS_HOST!, port: 6379 },
+      ttlMs: 60_000,
+    },
+    audit: {
+      enabled: true,
+      signer: auditSigner,
+      store: new StorageAdapterAuditStore(auditStorage),
+      subjectMode: 'hash',
+    },
+  },
+})
+export default class ProductionServer {}
+```
+
+```typescript
+// scripts/verify-audit-chain.ts — run in CI
+import { defaultAuditSignatureVerifier, StorageAdapterAuditStore, verifyChain } from '@frontmcp/adapters/skills';
+import { createStorageAdapter } from '@frontmcp/utils';
+
+const storage = await createStorageAdapter({ provider: 'redis', host: process.env.REDIS_HOST!, port: 6379 });
+const store = new StorageAdapterAuditStore(storage);
+const records = await store.iterate();
+
+const trustedKeys = {
+  'bundle-signing-2026-01': process.env.BUNDLE_SIGNING_PUBLIC_KEY!,
+};
+
+const result = verifyChain(records, trustedKeys, defaultAuditSignatureVerifier);
+if (!result.ok) {
+  console.error('Audit chain broken at', result.breakAt, result.reason);
+  process.exit(1);
+}
+```
+
+## What This Demonstrates
+
+- StorageAdapterAuditStore persists records to Redis via the standard storage adapter
+- Rs256AuditSigner reuses the bundle-signing keypair for forensic-friendly signatures
+- Single-writer constraint: only one pod should write the chain in v1.2.0
+- verifyChain(records, trustedKeys, defaultAuditSignatureVerifier) detects tampering
+
+## Related
+
+- See `skill-audit-log` for the architecture, threat model, and custom signer / custom store recipes
+- See `audit-log-basic` for the dev-mode variant

package/catalog/frontmcp-config/examples/configure-skills-http/inject-instructions.md

@@ -0,0 +1,59 @@
+---
+name: inject-instructions
+reference: configure-skills-http
+level: basic
+description: Set a server-level instructions string and append the skill catalog summary on every initialize response.
+tags: [config, skills, instructions, injection, initialize]
+features:
+  - 'Top-level `instructions` on `@FrontMcp` exposes a global system prompt to MCP clients'
+  - "`skillsConfig.injectInstructions: 'append'` adds the skill catalog summary after the user prompt"
+  - 'Dynamic skills are picked up because the composer runs on every initialize request'
+  - 'Catalog summary is bounded at 16 KB with a truncation footer pointing at skill://catalog'
+---
+
+# Inject Instructions on Initialize
+
+Set a server-level instructions string and append the skill catalog summary on every initialize response.
+
+## Code
+
+```typescript
+// src/server.ts
+import { FrontMcp } from '@frontmcp/sdk';
+
+import { MainApp } from './main.app';
+
+@FrontMcp({
+  info: { name: 'flight-bot', version: '1.0.0' },
+  apps: [MainApp],
+
+  // Server-level instructions surfaced to MCP clients
+  instructions: [
+    'You are a helpful assistant for booking flights.',
+    'Always confirm dates with the user before issuing a booking.',
+  ].join('\n'),
+
+  skillsConfig: {
+    enabled: true,
+    mcpResources: true,
+    // 'append' (default) — the skill catalog summary is appended after instructions
+    // 'prepend' — summary first, then instructions
+    // 'replace' — summary only (skills drive the entire system prompt)
+    // 'off'    — instructions sent as-is, no summary
+    injectInstructions: 'append',
+  },
+})
+export default class FlightBotServer {}
+```
+
+## What This Demonstrates
+
+- Top-level `instructions` on `@FrontMcp` exposes a global system prompt to MCP clients
+- `skillsConfig.injectInstructions: 'append'` adds the skill catalog summary after the user prompt
+- Dynamic skills are picked up because the composer runs on every initialize request
+- Catalog summary is bounded at 16 KB with a truncation footer pointing at skill://catalog
+
+## Related
+
+- See `configure-skills-http` for the full `skillsConfig` reference
+- See `decorators-guide` for the `@FrontMcp` decorator's complete option table

package/catalog/frontmcp-config/references/configure-auth-modes.md

@@ -1,6 +1,6 @@
 ---
 name: configure-auth-modes
-description: Detailed comparison of public, transparent, remote, and managed auth modes
+description: Detailed comparison of public, transparent, local, and remote auth modes
 ---
 
 # Auth Modes Detailed Comparison
@@ -14,7 +14,7 @@ auth: {
   mode: 'public',
   sessionTtl: 3600,
   anonymousScopes: ['read', 'write'],
-  publicAccess: { tools: true, resources: true, prompts: true },
+  publicAccess: { tools: 'all', prompts: 'all' },
 }
 ```
 
@@ -44,9 +44,9 @@ auth: {
   mode: 'local',
   local: {
     issuer: 'my-server',
-    audience: 'my-api',
   },
-  tokenStorage: 'redis',
+  expectedAudience: 'my-api',
+  tokenStorage: { redis: { host: process.env['REDIS_HOST'] ?? 'localhost', port: 6379 } },
   consent: { enabled: true },
   incrementalAuth: { enabled: true },
 }
@@ -64,7 +64,7 @@ auth: {
   provider: 'https://auth.example.com',
   clientId: 'my-client-id',
   clientSecret: process.env.AUTH_SECRET,
-  tokenStorage: 'redis',
+  tokenStorage: { redis: { host: process.env['REDIS_HOST'] ?? 'localhost', port: 6379 } },
 }
 ```