Add MCP auth status to kb_status and update server instructions

- kb_status now returns authenticated: true/false so clients can verify auth
- Server instructions mention Bearer token auth requirement
- Add .env, .venv/, test_mcp_client.py to .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.gitignore

@@ -4,3 +4,6 @@ __pycache__/
 engine/data/
 
 TMP/
+.env
+.venv/
+test_mcp_client.py

mcp/server.py

@@ -87,7 +87,12 @@ async def _ensure_exclusive_collection(doc_id: int, collection: str) -> None:
 
 mcp = FastMCP(
     "kb",
-    instructions="Knowledge base MCP server. Provides tools for searching, adding, and managing documents and notes.",
+    instructions=(
+        "Knowledge base MCP server. Provides tools for searching, adding, and "
+        "managing documents and notes. This server requires Bearer token "
+        "authentication — all requests are authenticated via the Authorization "
+        "header at the HTTP transport layer."
+    ),
 )
 
 
@@ -218,6 +223,7 @@ async def kb_status() -> str:
     database size, and ingestion queue state.
     """
     result = engine.get_status()
+    result["authenticated"] = bool(config.KB_MCP_API_KEY)
     return json.dumps(result, indent=2)
 
 
@@ -323,9 +329,7 @@ class BearerAuthMiddleware(BaseHTTPMiddleware):
             return await call_next(request)
 
         auth_header = request.headers.get("authorization", "")
-        if auth_header.startswith("Bearer "):
+        if auth_header.startswith("Bearer ") and auth_header[7:] == config.KB_MCP_API_KEY:
-            token = auth_header[7:]
-            if token == config.KB_MCP_API_KEY:
             return await call_next(request)
 
         return JSONResponse(