docs(ai-tools): MCP server is enabled by default, not disabled (#1228)

[marcusbellamyshaw-cell]

What does this PR do?

The AI Tools guide stated the MCP server is "disabled by default" and showed mcp: true to enable it. The integration mounts /_emdash/api/mcp unless mcp is explicitly false (integration/index.ts), so it is on by default. This corrects the guide to describe the actual behavior, notes the endpoint always requires authentication, and shows mcp: false to disable it.

This is the docs-only resolution of #1228 (aligning docs to code). It does not change the default; if maintainers prefer flipping the default to opt-in instead, that's a separate behavior change.

Closes #1228

Type of change

• Documentation

Checklist

• I have read CONTRIBUTING.md
• pnpm typecheck — n/a (docs only)
• pnpm lint — n/a (docs only)
• pnpm test — n/a (docs only)
• pnpm format has been run (prettier clean)
• tests — n/a (docs only)
• i18n — n/a
• changeset — n/a (no published package changed)
• Discussion — n/a

AI-generated code disclosure

• This PR includes AI-generated code — model/tool: Claude Opus 4.8 ultracode

[changeset-bot]

⚠️ No Changeset found

Latest commit: b55e25a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[emdashbot]

Approach

This is a docs-only correction to the AI Tools guide, aligning it with the actual code behavior of the MCP integration. The author correctly scoped it to docs rather than flipping the default to opt-in (which would be a breaking behavior change requiring a Discussion and changeset) — that judgment is called out explicitly in the PR description. The right change, solving the right problem, in a way that fits EmDash.

What I checked

I verified every factual claim the new doc text makes against the source:

• "enabled by default ... the route at /_emdash/api/mcp is mounted unless you explicitly turn it off" — confirmed at packages/core/src/astro/integration/index.ts:446: if (resolvedConfig.mcp !== false) { injectMcpRoute(injectRoute); }. The same !== false guard gates the dev-server info line (line 511).
• mcp: false to disable — matches the config schema at packages/core/src/astro/integration/runtime.ts:283, which declares mcp?: boolean with @default true and the docstring "Enabled by default ... Set to false to disable."
• "It always requires authentication, so no content is exposed without valid credentials" — confirmed. The auth middleware (packages/core/src/astro/middleware/auth.ts:275-277) returns mcpUnauthorizedResponse (401) for /_emdash/api/mcp whenever the request isn't bearer-token authenticated, before the route handler runs. The route handler (packages/core/src/astro/routes/api/mcp.ts) additionally returns 401 if !user; GET/DELETE return 405 and never content. So no content leaks without a valid token.
• No stale contradictions — grepped docs/ for "disabled by default", "mcp: true", "Enable the MCP"; the only remaining references are in the corrected guide. docs-mcp.mdx and reference/mcp-server.mdx are consistent with the corrected behavior (the reference describes auth methods/scopes without claiming a default state).

No source code is changed, so the SQL-safety, Lingui, RTL, authorization, locale-filter, index, and changeset conventions don't apply. Changeset is correctly n/a (no published package changed).

Conclusion

Clean, accurate, well-scoped docs fix. The headline claim and the authentication note both check out against the integration, config schema, and auth middleware. No findings.

[pkg-pr-new]

Open in StackBlitz

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1574

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1574

@emdash-cms/auth-atproto

npm i https://pkg.pr.new/@emdash-cms/auth-atproto@1574

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1574

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1574

@emdash-cms/contentful-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/contentful-to-portable-text@1574

emdash

npm i https://pkg.pr.new/emdash@1574

create-emdash

npm i https://pkg.pr.new/create-emdash@1574

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1574

@emdash-cms/plugin-cli

npm i https://pkg.pr.new/@emdash-cms/plugin-cli@1574

@emdash-cms/plugin-types

npm i https://pkg.pr.new/@emdash-cms/plugin-types@1574

@emdash-cms/registry-client

npm i https://pkg.pr.new/@emdash-cms/registry-client@1574

@emdash-cms/registry-lexicons

npm i https://pkg.pr.new/@emdash-cms/registry-lexicons@1574

@emdash-cms/sandbox-workerd

npm i https://pkg.pr.new/@emdash-cms/sandbox-workerd@1574

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1574

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1574

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1574

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1574

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1574

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1574

@emdash-cms/plugin-field-kit

npm i https://pkg.pr.new/@emdash-cms/plugin-field-kit@1574

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1574

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1574

commit: b55e25a