fa-mcp-sdk 0.4.52 → 0.4.53

package/cli-template/.claude/skills/readme-generator/reference/templates.md

@@ -0,0 +1,385 @@
+# Section Templates (Main README)
+
+Canonical blocks for the main `README.md` of an `fa-mcp-sdk`-based MCP server. Copy, then adapt
+placeholders (`<NAME>`, `<PORT>`, `<prefix>`, `<upstream>`) to the actual project.
+
+---
+
+## 1. Title + one-liner
+
+```markdown
+# <Project Name>
+
+<One-sentence description: "MCP server for <Upstream System> — lets AI agents <primary action>.">
+```
+
+Example:
+
+```markdown
+# MCP Wiki
+
+MCP server for Atlassian Confluence. Lets AI agents search, read, create, and edit wiki pages via
+the Model Context Protocol.
+```
+
+---
+
+## 2. Badges
+
+Prefer shields.io. Include only badges that are meaningful (skip build status if no CI yet).
+
+```markdown
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D18-339933?logo=node.js&logoColor=white)](https://nodejs.org/)
+[![TypeScript](https://img.shields.io/badge/TypeScript-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
+[![MCP](https://img.shields.io/badge/MCP-Server-DA7857)](https://modelcontextprotocol.io/)
+[![fa-mcp-sdk](https://img.shields.io/badge/built%20with-fa--mcp--sdk-526CFE)](https://github.com/Bazilio-san/fa-mcp-sdk)
+```
+
+---
+
+## 3. Overview
+
+2–4 sentences. Answer: *what is this / for whom / core value*. Active voice. No marketing fluff.
+
+```markdown
+## Overview
+
+<Project> provides comprehensive <upstream> integration for AI agents via the Model Context Protocol.
+It exposes <N> tools covering <main domains>, supports <auth methods>, and ships with <one or two
+distinguishing features>. Use it when you need <primary use case>.
+```
+
+---
+
+## 4. Tools
+
+Group by domain. Keep rows short — one-line descriptions only.
+
+```markdown
+## Tools (<N>)
+
+### <Domain 1>
+| Tool                  | Description                                        |
+|-----------------------|----------------------------------------------------|
+| `<tool_name>`         | <Short description, verb-first, ≤ 80 chars>        |
+| `<tool_name>`         | <Short description>                                |
+
+### <Domain 2>
+| Tool                  | Description                                        |
+|-----------------------|----------------------------------------------------|
+| `<tool_name>`         | <Short description>                                |
+```
+
+Notes:
+
+- Column widths consistent within the file.
+- Tool names always inline-code.
+- If a tool has a caveat (e.g. server vs. cloud behaviour), use a footnote `*` and explain below
+  the table.
+
+---
+
+## 5. Quick Start
+
+Three steps. Target: a user running the server in under 2 minutes.
+
+```markdown
+## Quick Start
+
+```bash
+npm install
+cp config/_local.yaml config/local.yaml   # configure <upstream> credentials
+npm run build
+npm start                                 # HTTP mode, port <PORT>
+```
+
+For STDIO mode (Claude Desktop direct spawn):
+
+```bash
+node dist/src/start.js stdio
+```
+```
+
+---
+
+## 6. MCP Client Integration
+
+Always in main README. Adapt custom header names (`x-<prefix>-*`) to this server's actual scheme.
+
+```markdown
+## MCP Client Integration
+
+### Claude Code
+
+Add to `~/.claude.json`:
+
+```json
+{
+  "mcpServers": {
+    "<name>": {
+      "type": "http",
+      "url": "http[s]://<host[:port]>/mcp",
+      "headers": {
+        "x-<prefix>-username": "<your username>",
+        "x-<prefix>-password": "<your password>"
+      }
+    }
+  }
+}
+```
+
+Alternatively, use a Personal Access Token:
+
+```json
+"headers": {
+  "x-<prefix>-token": "<your PAT>"
+}
+```
+
+### Claude Desktop
+
+Add to `claude_desktop_config.json`.
+
+**Option 1 — STDIO (local build, direct spawn):**
+
+```json
+{
+  "mcpServers": {
+    "<name>": {
+      "command": "node",
+      "args": ["<path>/<project>/dist/src/start.js", "stdio"],
+      "env": {}
+    }
+  }
+}
+```
+
+**Option 2 — HTTP (remote server via `mcp-remote`):**
+
+```json
+{
+  "mcpServers": {
+    "<name>": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "mcp-remote@latest",
+        "http[s]://<host[:port]>/mcp",
+        "--header",
+        "x-<prefix>-username:<your username>",
+        "--header",
+        "x-<prefix>-password:<your password>",
+        "--allow-http",
+        "--transport",
+        "http-only"
+      ]
+    }
+  }
+}
+```
+
+### Qwen Code
+
+Add to `~/.qwen/settings.json`:
+
+```json
+{
+  "mcpServers": {
+    "<name>": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "mcp-remote@latest",
+        "http[s]://<host[:port]>/mcp",
+        "--header",
+        "x-<prefix>-username:<your_username>",
+        "--header",
+        "x-<prefix>-password:<your_password>",
+        "--allow-http",
+        "--transport",
+        "http-only"
+      ]
+    }
+  }
+}
+```
+```
+
+---
+
+## 7. Key Features
+
+5–8 bullets. Include enabled SDK subsystems and project-specific capabilities. One line each.
+
+```markdown
+## Key Features
+
+- **Multi-auth**: Basic, PAT, OAuth 2.0 with automatic token refresh
+- **Per-request credentials**: override server config via `x-<prefix>-*` headers
+- **Batch operations** for high-throughput scenarios
+- **Fuzzy entity resolution** via external microservice
+- **Aggressive caching** with thundering-herd protection
+- **Webhook callbacks** for audit / chaining (`x-web-hook`)
+- **Agent Tester UI + Headless API** for end-to-end testing
+```
+
+---
+
+## 8. Transports
+
+```markdown
+## Transports
+
+- **HTTP** — web integrations. Endpoints:
+  - `/mcp` — MCP protocol (JSON-RPC 2.0)
+  - `/api/*` — REST API (if custom API is present)
+  - `/docs` — Swagger UI
+  - `/health` — healthcheck
+  - `/admin` — token generator UI
+  - `/agent-tester` — Agent Tester web UI
+- **STDIO** — for Claude Desktop direct spawn (no network)
+
+Port is set in `config/default.yaml` → `webServer.port` (default <PORT>).
+```
+
+Keep endpoints that actually exist; drop the rest.
+
+---
+
+## 9. Configuration Basics
+
+Compact table with 5–10 most important keys. Link to full reference when the list grows.
+
+```markdown
+## Configuration Basics
+
+Priority: env vars > `config/local.yaml` > `config/{NODE_ENV}.yaml` > `config/default.yaml`.
+
+| Key                              | Description                         | Default   |
+|----------------------------------|-------------------------------------|-----------|
+| `<upstream>.url`                 | <Upstream> base URL                 | —         |
+| `<upstream>.auth.pat`            | Personal Access Token               | —         |
+| `<upstream>.auth.basic.username` | Basic auth username                 | —         |
+| `<upstream>.auth.basic.password` | Basic auth password                 | —         |
+| `webServer.port`                 | HTTP server port                    | `<PORT>`  |
+| `webServer.auth.enabled`         | MCP server authorization on/off     | `false`   |
+| `mcp.toolAnswerAs`               | Response format (`text` / `json`)   | `text`    |
+
+Full reference: [Configuration](./readme-docs/configuration.md).
+```
+
+---
+
+## 10. Build & Run
+
+```markdown
+## Build & Run
+
+```bash
+npm run build        # tsc + copy static assets
+npm start            # HTTP server
+npm run dev          # tsc --watch
+```
+
+Lint / typecheck / test:
+
+```bash
+npm run lint:fix
+npm run typecheck
+npm test
+```
+
+Environment variables:
+
+- `NODE_ENV` — picks `config/{NODE_ENV}.yaml` overlay
+- `DEBUG` — namespace-based logging (see [Debug Logging](./readme-docs/debugging.md))
+```
+
+---
+
+## 11. Authentication (summary + link)
+
+Keep this short. Push tables and invariants into `readme-docs/authentication.md`.
+
+```markdown
+## Authentication
+
+The server supports per-request credentials via `x-<prefix>-*` headers (Basic, PAT) and
+config-level defaults with OAuth 2.0 token refresh. When `x-on-behalf-of-user` is set, the request
+is routed through the impersonation proxy.
+
+Priority rules, resolution order, and invariants: [Authentication](./readme-docs/authentication.md).
+```
+
+---
+
+## 12. Dynamic feature sections
+
+One short subsection per enabled optional subsystem. 2–3 sentences each, with a link to the
+satellite file when details warrant one.
+
+```markdown
+### Consul service discovery
+
+Server registers itself on startup and deregisters on SIGTERM; health check path is `/health`.
+Setup: [Consul](./readme-docs/consul.md).
+
+### Active Directory
+
+Tools can gate access by AD group membership. Configuration and per-domain setup:
+[Active Directory](./readme-docs/active-directory.md).
+
+### Webhooks
+
+After every tool invocation the server can POST the result to an external URL via the `x-web-hook`
+header or a per-tool `hook` return value. Body schema and priority:
+[Webhooks](./readme-docs/webhooks.md).
+
+### Agent Tester
+
+Built-in web UI (`/agent-tester`) and Headless API (`/agent-tester/api/chat/test`) for end-to-end
+testing with a real LLM. Full guide: [Testing](./readme-docs/testing.md).
+```
+
+---
+
+## 13. Skills
+
+```markdown
+## Claude Code Skills
+
+The project ships with custom skills in `.claude/skills/`:
+
+| Command             | Description                                         |
+|---------------------|-----------------------------------------------------|
+| `/gen-jwt`          | Generate JWT tokens for MCP server authentication   |
+| `/headless-test`    | Run headless tests for all MCP tools via curl API   |
+| `/upgrade-guide`    | Generate migration guide for fa-mcp-sdk upgrades    |
+
+Details, launch modes, and examples: [SKILL_README.md](./SKILL_README.md).
+```
+
+---
+
+## 14. Stack
+
+```markdown
+## Stack
+
+- **Framework**: [fa-mcp-sdk](https://github.com/Bazilio-san/fa-mcp-sdk)
+- **Transport**: MCP (STDIO, HTTP, SSE)
+- **Language**: TypeScript (ESM)
+- **HTTP client**: Axios
+- **Key libs**: <fill in the notable dependencies>
+```
+
+---
+
+## 15. License
+
+```markdown
+## License
+
+<License name> © <Owner>. See [LICENSE](./LICENSE).
+```

package/cli-template/CLAUDE.md

@@ -342,25 +342,11 @@ This log serves as:
 - **Progress tracker** — which tools/scenarios are covered, which remain
 - **Handoff document** — if the session is interrupted, the next session can read the log and continue
 
-## Editing files in `.claude/`
-
-Files inside `.claude/` (SKILL.md and others) are monitored by Claude Code and reloaded on change. To avoid partial reads during multi-edit sessions, follow this protocol:
-
-1. **Copy** the target file to a temp location outside `.claude/`:
-   ```bash
-   node scripts/fcp.js tmp-skill.md .claude/skills/<skill-name>/SKILL.md
-   ```
-2. **Edit** `tmp-skill.md` — make ALL changes there (multiple Edit calls are fine).
-3. **Save** atomically via the helper script:
-   ```bash
-   node scripts/fcp.js .claude/skills/<skill-name>/SKILL.md tmp-skill.md
-   ```
-4. **Remove** the temp file:
-   ```bash
-   rm tmp-skill.md
-   ```
-
-CRITICAL: Never use `Edit` or `Write` directly on files inside `.claude/` — always go through the temp-copy workflow above.
+## Editing files in `.claude/` (Skill /edit-claude-files)
+
+Any edit or new file under `.claude/**` (SKILL.md, scripts, hooks, agents, `settings.json`) is blocked
+by `settings.json` — direct `Write`/`Edit` will fail. Invoke the `/edit-claude-files` skill, which
+describes the required `scripts/fcp.js` temp-copy protocol.
 
 
 ## Formatting

package/cli-template/FA-MCP-SDK-DOC/00-FA-MCP-SDK-index.md

@@ -13,7 +13,7 @@ npm install fa-mcp-sdk
 | File | Content | Read When |
 |------|---------|-----------|
 | [01-getting-started](01-getting-started.md) | `initMcpServer()`, `McpServerData`, `IPromptData`, `IResourceData`, `AppConfig` | Starting new project |
-| [02-1-tools-and-api](02-1-tools-and-api.md) | Tool definitions, `toolHandler`, REST API with tsoa, OpenAPI/Swagger | Creating tools, REST endpoints |
+| [02-1-tools-and-api](02-1-tools-and-api.md) | Tool definitions, `toolHandler`, outbound webhooks, REST API with tsoa, OpenAPI/Swagger | Creating tools, REST endpoints, webhook callbacks |
 | [02-2-prompts-and-resources](02-2-prompts-and-resources.md) | Standard/custom prompts, resources, `requireAuth` | Configuring prompts/resources |
 | [03-configuration](03-configuration.md) | `appConfig`, YAML config, cache, PostgreSQL | Server configuration, DB |
 | [04-authentication](04-authentication.md) | JWT, Basic auth, server tokens, `createAuthMW()`, Token Generator, CLI Token Generator, JWT Generation API | Authentication setup |

package/cli-template/FA-MCP-SDK-DOC/02-1-tools-and-api.md

@@ -62,6 +62,66 @@ const clientIP = headers?.['x-real-ip'] || headers?.['x-forwarded-for'];
 `IToolHandlerParams` includes `ITransportContext` fields (`transport`, `headers`, `payload`).
 See [ITransportContext](./02-2-prompts-and-resources.md#itransportcontext).
 
+### Outbound Webhooks
+
+The SDK does not ship a built-in webhook — it is a **handler-level pattern** enabled by
+the fact that `params.headers` already carries every client header through to the tool.
+Use it when the caller should be notified of each tool result (audit, dashboards, CI
+chains). Reference implementation: `mcp-jira` (`src/tools/tools-manager.ts`,
+`callWebHook` + dispatch block).
+
+**Recipe:**
+
+1. **Declare the header** so Agent Tester and `use://http-headers` advertise it:
+
+   ```typescript
+   usedHttpHeaders: [
+     { name: 'x-web-hook', description: 'URL to POST the tool result to.', isOptional: true },
+   ],
+   ```
+
+2. **Dispatch inside the handler** — fire-and-forget, never throw, never block the reply:
+
+   ```typescript
+   import axios from 'axios';
+   import { appConfig, logger, toStr, IToolHandlerParams } from 'fa-mcp-sdk';
+
+   const URL_REGEX = /^https?:\/\/[^\s]+$/i;
+
+   const callWebHook = (url: string, tool: string, response: unknown, user?: string): void => {
+     if (!URL_REGEX.test(url)) { return; }
+     axios.post(url, { mcpName: appConfig.name, tool, user, response }, { timeout: 10_000 })
+       .catch((err) => logger.warn(`Web-hook POST ${url} failed: ${toStr(err?.message || err)}`));
+   };
+
+   export const handleToolCall = async (params: IToolHandlerParams) => {
+     const { name, headers = {} } = params;
+     const result = await runTool(params);                // produce { text, json, hook? }
+     const hookUrl = (result.hook || headers['x-web-hook'] || '').trim();
+     if (hookUrl) { callWebHook(hookUrl, name, result.json, resolveUser(headers, params.payload)); }
+     return formatToolResult(result.json);
+   };
+   ```
+
+3. **Per-tool override (optional)** — let a tool return its own `hook` URL that wins over
+   the client header. Extend your internal tool-response type:
+
+   ```typescript
+   export interface IToolResponse { text: string; json: Record<string, any>; hook?: string; }
+   ```
+
+**Body contract** (recommended; keep stable across tools):
+
+| Field | Description |
+|-------|-------------|
+| `mcpName` | `appConfig.name` — which MCP sent the callback |
+| `tool` | Tool name that was invoked |
+| `user` | Caller identity (JWT `payload.user`, auth header, or a lookup — project-specific) |
+| `response` | Full JSON the tool produced |
+
+**Rules of thumb:** validate the URL (`http(s)://…`), short timeout (≤10 s), catch+log
+only, **never** `await` the POST, and never let a webhook failure surface as a tool error.
+
 
 ## REST API Endpoints
 

package/cli-template/FA-MCP-SDK-DOC/04-authentication.md

@@ -50,16 +50,18 @@ The admin panel (`/admin`) supports 4 authentication types and can be configured
 
 ```yaml
 # config/default.yaml
-webServer:
-  adminAuth:
-    enabled: true
-    # Single type (string)
-    type: 'basic'
-    # Or multiple types (array) — login page shows tabs to choose
-    type: ['jwtToken', 'basic']
+adminPanel:
+  enabled: true
+  # Single type (string)
+  authType: 'basic'
+  # Or multiple types (array) — login page shows tabs to choose
+  authType: ['jwtToken', 'basic']
+  # 'none' / null / empty array / not set — panel opens WITHOUT authentication
+  # (convenience for local development; do NOT use in production).
+  authType: 'none'
 ```
 
-**Supported types:** `permanentServerTokens`, `basic`, `jwtToken`, `ntlm`
+**Supported types:** `permanentServerTokens`, `basic`, `jwtToken`, `ntlm`, `none` (= open access)
 
 When multiple types are configured (e.g. `['jwtToken', 'basic']`), the login page shows tabs:
 - **Token** tab — for `permanentServerTokens` and `jwtToken` authentication

package/cli-template/README.md

@@ -167,6 +167,7 @@ The project ships with custom skills in `.claude/skills/`:
 | `/gen-jwt`           | Generate JWT tokens for MCP server authentication                       |
 | `/upgrade-guide`     | Generate migration guide for `fa-mcp-sdk` upgrades                      |
 | `/feature-generator` | Turn a feature description into a self-sufficient prompt for an AI CLI  |
+| `/readme-generator`  | Generate structured README.md + satellite `readme-docs/*.md`            |
 
 Details, launch modes, and examples: [SKILL_README.md](SKILL_README.md)
 
@@ -174,7 +175,7 @@ Details, launch modes, and examples: [SKILL_README.md](SKILL_README.md)
 
 ### Admin panel JWT requirement
 
-When `adminAuth.type` includes `jwtToken`, the admin panel (`/admin`) accepts a JWT
+When `adminPanel.authType` includes `jwtToken`, the admin panel (`/admin`) accepts a JWT
 **only if its payload contains `allow: 'gen-token'`**. JWTs without this claim are
 rejected with `401` — this blocks short-lived tokens issued for other purposes (for
 example, the 5-minute JWT auto-generated by the Agent Tester page and written into its

package/cli-template/SKILL_README.md

@@ -97,3 +97,43 @@ Characteristics:
 /feature-generator REQ-1234: implement webhook callback receiver for external events
 /feature-generator Add OAuth2 token refresh logic to the HTTP client
 ```
+
+---
+
+### `/readme-generator` — MCP Server README Generator
+
+Generates a structured, user-friendly `README.md` for an `fa-mcp-sdk`-based MCP server and a set
+of satellite documents under `readme-docs/`. The main README stays scannable (what is this / what
+tools / how to use); reference tables, priority rules, and long technical topics are moved into
+`readme-docs/*.md` and linked from the main.
+
+What it does:
+
+- **Inventories** the project: `package.json`, `config/*.yaml`, `src/tools/`, `src/api/`,
+  `src/prompts/`, `.claude/skills/`
+- **Detects enabled SDK subsystems** (Consul, AD, Database, Admin Panel, Agent Tester, Swagger,
+  Cache, Webhooks, Impersonation, JWT, configurable tool set) and project-specific capabilities
+- **Classifies each finding** — drop / inline / satellite — and produces the satellite file set
+  dynamically. No stubs for disabled features.
+- **Always inlines** in the main README: the tool list, Quick Start, MCP Client Integration
+  snippets (Claude Code / Desktop / Qwen — adapted to this server's custom header names), and
+  Key Features
+- **Always uses folder `readme-docs/`** — the SDK's `doc://readme` MCP resource automatically
+  inlines every satellite linked from the main README, delivering the full document to the MCP
+  registry's RAG index. Any other folder name would be ignored.
+
+Characteristics:
+
+- **Launch**: by command `/readme-generator` or by trigger phrases ("generate readme", "update
+  readme", "обнови README", "сгенерируй README для MCP")
+- **Input**: none required — reads the current project
+- **Output**: `README.md` in project root, `readme-docs/*.md` (one per satellite topic), backup
+  of the previous README as `README.backup.md` when rewriting
+
+**Examples:**
+
+```
+/readme-generator
+/readme-generator refresh the README after adding 3 new tools
+/readme-generator обнови README с учётом того, что теперь подключён PostgreSQL
+```

package/cli-template/package.json

@@ -50,7 +50,7 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
     "dotenv": "^17.4.1",
-    "fa-mcp-sdk": "^0.4.52"
+    "fa-mcp-sdk": "^0.4.53"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",

package/cli-template/prompt-example-new-MCP.md

@@ -69,8 +69,9 @@ webServer:
          isCheckIP: false
       permanentServerTokens: ['psToken1']
 
-   adminAuth:
-      type: 'permanentServerTokens'
+adminPanel:
+   enabled: true
+   authType: 'permanentServerTokens'
 ```
 
 # Task

package/config/custom-environment-variables.yaml

@@ -1,3 +1,7 @@
+adminPanel:
+  enabled: ADMIN_PANEL_ENABLED
+  authType: ADMIN_PANEL_AUTH_TYPE  # permanentServerTokens | basic | jwtToken | ntlm | none
+
 agentTester:
   enabled: AGENT_TESTER_ENABLED
   useAuth: AGENT_TESTER_USE_AUTH
@@ -52,6 +56,3 @@ webServer:
       username: WS_AUTH_BASIC_USERNAME
       password: WS_AUTH_BASIC_PASSWORD
   genJwtApiEnable: WS_GEN_JWT_API_ENABLE
-  adminAuth:
-    enabled: WS_ADMIN_AUTH_ENABLED
-    type: WS_ADMIN_AUTH_TYPE  # permanentServerTokens | basic | jwtToken | ntlm

package/config/default.yaml

@@ -22,6 +22,26 @@
 #     #> Override the Consul service name to look up (defaults to the alias key)
 #     consulServiceName: <consulServiceName>
 
+#> ========================================================================
+#> ADMIN PANEL
+#> Token generation & validation UI served at /admin.
+#> Supports 4 authentication methods: permanentServerTokens, basic, jwtToken, ntlm.
+#> ========================================================================
+adminPanel:
+  #> Enable/disable admin panel. false — /admin is not mounted at all.
+  enabled: true
+  #> Authentication type: 'permanentServerTokens' | 'basic' | 'jwtToken' | 'ntlm' | 'none'
+  #> Accepts a single type (string) or multiple types (array):
+  #>   authType: 'basic'
+  #>   authType: ['jwtToken', 'basic']
+  #> 'none' / null / empty array / not set → panel opens WITHOUT authentication
+  #>   (convenience for local development and debugging; do NOT use in production).
+  #> For permanentServerTokens, basic, jwtToken — uses credentials from webServer.auth section.
+  #> For ntlm — uses AD configuration from ad.domains section.
+  #> When multiple types are set (e.g. ['jwtToken', 'basic']), the login page shows tabs
+  #> to choose between Token and Login (username/password) authentication.
+  authType: 'basic'
+
 #> Active Directory / LDAP settings.
 #> Used for authentication/authorization (e.g., NTLM in admin panel) and checking user membership in AD groups.
 ad:
@@ -318,21 +338,3 @@ webServer:
   #> Requires valid Authorization header (any method configured in webServer.auth).
   #> ========================================================================
   genJwtApiEnable: false
-
-  #> ========================================================================
-  #> ADMIN PANEL AUTHENTICATION
-  #> Token generation page available at /admin endpoint
-  #> Supports 4 authentication methods: permanentServerTokens, basic, jwtToken, ntlm
-  #> ========================================================================
-  adminAuth:
-    #> Enable/disable admin panel
-    enabled: true
-    #> Authentication type for admin panel: 'permanentServerTokens' | 'basic' | 'jwtToken' | 'ntlm'
-    #> Accepts a single type (string) or multiple types (array):
-    #>   type: 'basic'
-    #>   type: ['jwtToken', 'basic']
-    #> For permanentServerTokens, basic, jwtToken — uses credentials from webServer.auth section
-    #> For ntlm — uses AD configuration from ad.domains section (no additional credentials needed)
-    #> When multiple types are set (e.g. ['jwtToken', 'basic']), the login page shows tabs
-    #> to choose between Token and Login (username/password) authentication.
-    type: 'basic'