Add architectural decision documentation for reverse proxy vs application-layer gateway (#125)

* Implement pre-built container publishing and deployment (#122)

- Add GitHub Actions workflow for automated container publishing
- Create publish_containers.sh script for manual container publishing
- Add docker-compose.prebuilt.yml for fast deployment using pre-built images
- Update build_and_run.sh to support --prebuilt option
- Add comprehensive documentation for container publishing
- Update README.md with improved quick start guide using pre-built images
- Fix Docker image reference format issues in prebuilt compose file
- Support both personal and organization accounts for Docker Hub/GitHub

Resolves #122 - Users can now deploy instantly using pre-built containers

* Add prominent 'Get Running Now' link to navigation for instant setup

* Fix Keycloak URL resolution for host-based credential generation

- Update ingress_oauth.py to prioritize KEYCLOAK_ADMIN_URL for local access
- Export Keycloak environment variables in generate_creds.sh for child processes
- Update .env.example to use localhost as default REGISTRY_URL
- Fix SECRET_KEY in .env.example to be uncommented with security warning

This ensures generate_creds.sh works correctly when run from the host machine
by using localhost:8080 instead of internal Docker hostname keycloak:8080.

* Fix broken link to testing section in README quick start guide

* Implement AUTH_PROVIDER environment variable filtering for OAuth providers

- Modified get_enabled_providers() to respect AUTH_PROVIDER env variable
- Auth server now filters OAuth providers based on .env configuration
- Only shows the provider specified in AUTH_PROVIDER (e.g., keycloak)
- Added comprehensive error handling and warning messages
- Prevents need to rebuild containers when switching auth providers
- Provides clear feedback when filtering out enabled providers

Fixes issue where both Keycloak and Cognito appeared on login page
despite AUTH_PROVIDER=keycloak setting in .env file.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Remove automatic container publishing GitHub workflow

- Deleted .github/workflows/publish-containers.yml
- Containers will now only be published manually using scripts/publish_containers.sh
- Provides better control over when and how containers are published
- Prevents unintended automatic deployments on every push/tag

Manual publishing command:
./scripts/publish_containers.sh --dockerhub --version v1.0.0

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix token generation script and add credential redaction

- Fixed relative import errors in generate_tokens.py that were causing false failure reports
- Added robust import handling with fallback mechanisms for utils module
- Implemented credential redaction showing only first 8 characters of sensitive values
- Added redaction to both Keycloak token generation and generic OAuth flow
- Script now correctly reports "5/5 successful" instead of "0/5 successful"

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Add architectural comparison documentation

- Compare reverse proxy vs tools gateway approaches
- Analyze performance, security, maintainability, scaling aspects
- Document implementation language considerations
- Include ASCII diagrams for both architectures
- Related to GitHub issue #124

* Restructure architectural comparison into separate tables

- Break down large comparison table into focused sections
- Add clear markdown headings for each aspect (Performance, Security, etc.)
- Bold key impactful differences like protocol independence and scaling
- Improve readability and scanability of architectural trade-offs

* Clarify resource isolation and add implementation complexity

- Update resource isolation to explain data plane vs health check separation
- Add implementation complexity row highlighting state management differences
- Emphasize long-term maintenance implications of protocol awareness
- Better explain why reverse proxy approach is simpler to maintain

* Update title and rename file for clarity

- Change title from 'Reverse Proxy vs Tools Gateway' to 'Reverse Proxy vs Application-Layer Gateway'
- Rename file to match new title and better reflect architectural decision focus
- Clarifies that we're comparing transparent proxy vs application-aware approaches

* Add MCP specification evolution burden to implementation challenges

- Highlight that application-layer gateway must keep MCP client updated with spec changes
- Emphasize ongoing maintenance overhead vs protocol-agnostic reverse proxy approach
- Document long-term technical debt implications of protocol coupling

---------

Co-authored-by: Claude <[email protected]>

Author: aarora79

docs/architectural-decision-reverse-proxy-vs-application-layer-gateway.md

@@ -0,0 +1,171 @@
+# Core Architectural Decision: Reverse Proxy vs Application-Layer Gateway
+
+## Executive Summary
+
+This document discusses two potential architectures that were considered during the design phase of this solution: a **reverse proxy architecture** and an alternative **tools gateway architecture**. We analyze both approaches from multiple perspectives: performance, security, long-term maintainability, scaling, and operational complexity, and explain why the reverse proxy approach was selected.
+
+The reverse proxy approach provides better performance, protocol independence, and allows continued Python development while leveraging Nginx for message routing. The tools gateway approach offers better developer experience and enterprise integration but requires Go/Rust implementation for enterprise performance requirements.
+
+These recommendations are not universal but represent the architectural choices we made while building this system.
+
+## Architecture Overview
+
+### Reverse Proxy Pattern (Current)
+
+```
+AI Agent/Coding Assistant
+           |
+           | Multiple Endpoints
+           v
+    ┌─────────────────┐
+    │  Nginx Gateway  │
+    │  /fininfo/      │ ──auth_request──> Auth Server
+    │  /mcpgw/        │                        │
+    │  /currenttime/  │ <──auth_headers───────┘
+    └─────────────────┘
+           │ │ │
+           │ │ └─── localhost:8003 (currenttime)
+           │ └───── localhost:8002 (mcpgw)
+           └─────── localhost:8001 (fininfo)
+                        │
+                        v
+                Individual MCP Servers
+```
+
+**Key Characteristics:**
+- Path-based routing (`/fininfo/`, `/mcpgw/`, etc.)
+- Nginx handles auth validation and proxying
+- Direct streaming connections to backend servers
+- Protocol-agnostic (HTTP, WebSocket, SSE, etc.)
+
+### Tools Gateway Pattern (Alternative)
+
+```
+AI Agent/Coding Assistant
+           |
+           | Single Endpoint
+           v
+    ┌─────────────────┐
+    │  Tools Gateway  │ ──auth_request──> Auth Server
+    │     /mcp        │                        │
+    │  (aggregates    │ <──auth_headers───────┘
+    │   all tools)    │
+    └─────────────────┘
+           │
+           | Tool routing logic
+           v
+    ┌─────────────────┐
+    │ MCP Client Pool │
+    │  fininfo_*      │ ──> localhost:8001 (fininfo)
+    │  mcpgw_*        │ ──> localhost:8002 (mcpgw)
+    │  currenttime_*  │ ──> localhost:8003 (currenttime)
+    └─────────────────┘
+```
+
+**Key Characteristics:**
+- Single endpoint with tool aggregation
+- Gateway implements MCP protocol parsing
+- Connection termination and re-establishment
+- Tool name prefixing for disambiguation
+
+## Architectural Comparison
+
+### Performance
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| Latency | Direct proxy routing = minimal overhead (~1-2ms) | Additional hop through gateway logic (~5-10ms minimum) | Reverse Proxy |
+| Throughput | Each connection directly streams to target server | Gateway becomes bottleneck for all tool calls | Reverse Proxy |
+| Network Efficiency | Client maintains persistent connections to specific servers | Gateway must proxy all request/response payloads | Reverse Proxy |
+| CPU Usage | [Nginx](https://Nginx.org/) handles routing, minimal Python involvement | Gateway must parse, route, and proxy every MCP message | Reverse Proxy |
+| Memory | Low gateway memory usage, servers handle their own state | Gateway must buffer requests/responses, maintain backend connections | Reverse Proxy |
+| **Protocol Independence** | **Nginx passes through any protocol - not MCP-specific** | **Gateway must understand MCP protocol specifics** | **Reverse Proxy** |
+| Implementation Language | Python suitable due to Nginx handling message routing | **Requires Go/Rust for enterprise performance requirements** | Reverse Proxy |
+| **Implementation Complexity** | **Nginx handles protocol details, minimal state management needed** | **Requires elaborate state management, protocol awareness, connection lifecycle management** | **Reverse Proxy** |
+
+### Security
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| Authentication | Nginx auth_request pattern = proven, battle-tested | Gateway must implement auth validation | Equivalent |
+| Authorization | Fine-grained scope validation per server/tool before routing | Can implement same fine-grained scopes | Equivalent |
+| Audit Trail | Complete Nginx access logs + auth server logs + IdP logs | Gateway logs all tool calls | Equivalent |
+| Attack Surface | Direct server access blocked, only authenticated routes exposed | Single endpoint, easier to monitor but single point of failure | Equivalent |
+| Token Validation | Centralized in auth server, cached for performance | Must implement JWT/session validation | Equivalent |
+
+### Maintainability
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| Service Registration & Configuration | Dynamic Nginx config generation and reload for new servers | Dynamic tool registration without infrastructure changes | Tools Gateway |
+| Debugging | Multi-component debugging (Nginx + auth server + target server) | Centralized logging and error handling | Tools Gateway |
+| Transport Support | Must handle SSE/HTTP variations per server | Must implement transport variations in gateway code | Equivalent |
+| Error Handling | Error propagation through multiple layers | Must implement error translation from backends | Equivalent |
+
+### Scaling
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| Horizontal Scaling | Can load balance multiple gateway instances easily | Gateway must maintain backend connection pools | Reverse Proxy |
+| **Backend Scaling** | **Each MCP server scales independently** | **Gateway must implement backend load balancing** | **Reverse Proxy** |
+| **Resource Isolation** | **Both handle backend failures via health checks, but Nginx transparently proxies data plane traffic end-to-end** | **Gateway must maintain both data plane MCP connections AND separate health checks to backends** | **Reverse Proxy** |
+| Connection Pooling | Direct client connections to needed servers only | Gateway must manage M×N connection pools | Reverse Proxy |
+| Geographic Distribution | Can proxy to servers in different regions | Complex backend routing required | Reverse Proxy |
+| **Protocol Extensibility** | **Same architecture works for Agent-to-Agent (A2A) or other protocols** | **MCP-specific implementation limits future protocol support** | **Reverse Proxy** |
+
+### Operational Complexity
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| Monitoring | Must monitor Nginx + auth server + N backend servers | Monitor gateway + auth server + N backend servers (simpler) | Tools Gateway |
+| Service Discovery | Complex Nginx config regeneration | Dynamic tool registration | Tools Gateway |
+| Health Checking | Health status triggers Nginx config regeneration and reload | Gateway makes runtime routing decisions based on health | Equivalent |
+| Certificate Management | Single domain cert for gateway endpoint | Only gateway needs external certs | Equivalent |
+| Log Aggregation | Focused logs per component (Nginx, auth, individual MCP servers) | All tool calls centralized in gateway logs | Equivalent |
+
+### Enterprise Integration & User Experience
+
+| Aspect | Reverse Proxy (Current) | Tools Gateway | Preferable Approach |
+|--------|-------------------------|---------------|-------------------|
+| **Client Configuration & Mental Model** | **Must configure N server endpoints, understand Nginx routing + auth + backend servers** | **Single endpoint configuration, simple "one gateway, many tools" concept** | **Tools Gateway** |
+| Network Policies | Must allowlist N different paths | Single path to allowlist | Tools Gateway |
+| Change Management | Adding new server requires client reconfiguration | New tools appear automatically via discovery | Tools Gateway |
+| Vendor Integration | Each vendor needs separate endpoint configuration | Vendors configure single endpoint | Tools Gateway |
+| Tool Discovery | Discovery via Registry UI or MCPGW MCP server | Automatic through tools/list call | Equivalent |
+| Error Messages | May be confusing due to multiple layers | Clearer, centralized error formatting | Tools Gateway |
+| Testing | Must test each server endpoint individually | Single endpoint for all testing | Tools Gateway |
+
+## Implementation Considerations
+
+### Protocol Independence Benefits
+The reverse proxy architecture provides protocol independence:
+- **Future Protocols**: Can support Agent-to-Agent (A2A), custom protocols without gateway changes
+- **Protocol Evolution**: MCP protocol changes don't require gateway modifications
+- **Mixed Environments**: Can proxy HTTP, WebSocket, gRPC, or custom protocols simultaneously
+
+### Tools Gateway Implementation Challenges
+A tools gateway requires:
+- **Language Choice**: Python insufficient for performance; requires Go/Rust implementation
+- **MCP Client Library**: Must embed full MCP client for backend communication and keep client updated with evolving MCP specification changes
+- **Protocol Parsing**: Must understand and parse all MCP message types
+- **Connection Handling**: Complex connection lifecycle management
+- **Error Translation**: Convert backend MCP errors to client-readable format
+
+
+
+## Conclusion
+
+Both architectures have merits:
+
+- **Reverse Proxy**: Better performance, proven scalability, protocol independence, battle-tested Nginx foundation, allows Python implementation due to Nginx handling message routing
+- **Tools Gateway**: Better developer experience, easier enterprise adoption, simpler operations, requires Go/Rust implementation for enterprise performance requirements
+
+The choice depends on organizational priorities:
+
+- **Performance-first organizations** (high-frequency trading, real-time systems): Stay with reverse proxy
+- **Protocol-diverse environments** (supporting A2A, custom protocols): Reverse proxy provides flexibility
+- **Python-preferred development teams**: Reverse proxy allows continued Python development while Nginx handles performance-critical routing
+- **Developer experience-first organizations** (internal tooling, enterprise IT): Consider tools gateway but must invest in Go/Rust development expertise
+- **Hybrid organizations**: Implement both patterns and let teams choose
+
+The current implementation is production-ready and protocol-independent. The reverse proxy approach provides more architectural flexibility for future protocol support while allowing the team to continue developing in Python.