refactor: remove Docker and HTTP transport support, fix hypothesis cache directory

.env.example

@@ -8,7 +8,10 @@ UNRAID_API_KEY=your_unraid_api_key
 
 # MCP Server Settings
 # -------------------
-UNRAID_MCP_TRANSPORT=streamable-http  # Options: streamable-http (recommended), sse (deprecated), stdio
+# Default transport is stdio (for Claude Desktop / local use).
+# Docker Compose overrides this to streamable-http automatically.
+# Options: stdio (default), streamable-http, sse (deprecated)
+UNRAID_MCP_TRANSPORT=stdio
 UNRAID_MCP_HOST=0.0.0.0
 UNRAID_MCP_PORT=6970
 
@@ -41,41 +44,15 @@ UNRAID_MAX_RECONNECT_ATTEMPTS=10
 # Override the credentials directory (default: ~/.unraid-mcp/)
 # UNRAID_CREDENTIALS_DIR=/custom/path/to/credentials
 
-# Google OAuth Protection (Optional)
-# -----------------------------------
-# Protects the MCP HTTP server — clients must authenticate with Google before calling tools.
-# Requires streamable-http or sse transport (not stdio).
+# Authentication
+# --------------
+# This server has NO built-in authentication.
+# When running as HTTP (streamable-http transport), protect the endpoint with
+# an external OAuth gateway or identity-aware proxy:
 #
-# Setup:
-#   1. Google Cloud Console → APIs & Services → Credentials
-#   2. Create OAuth 2.0 Client ID (Web application)
-#   3. Authorized redirect URIs: <UNRAID_MCP_BASE_URL>/auth/callback
-#   4. Copy Client ID and Client Secret below
+#   Reverse proxy with auth:  nginx + OAuth2-proxy, Caddy + forward auth
+#   Identity-aware proxy:     Authelia, Authentik, Pomerium
+#   Network isolation:        bind to 127.0.0.1, use VPN/Tailscale for access
+#   Firewall rules:           restrict source IPs at the network layer
 #
-# UNRAID_MCP_BASE_URL: Public URL clients use to reach THIS server (for redirect URIs).
-#   Examples:
-#     http://10.1.0.2:6970          (LAN)
-#     http://100.x.x.x:6970         (Tailscale)
-#     https://mcp.yourdomain.com    (reverse proxy)
-#
-# UNRAID_MCP_JWT_SIGNING_KEY: Stable secret for signing FastMCP JWT tokens.
-#   Generate once: python3 -c "import secrets; print(secrets.token_hex(32))"
-#   NEVER change after first use — all client sessions will be invalidated.
-#
-# Leave GOOGLE_CLIENT_ID empty to disable OAuth (server runs unprotected).
-# GOOGLE_CLIENT_ID=
-# GOOGLE_CLIENT_SECRET=
-# UNRAID_MCP_BASE_URL=http://10.1.0.2:6970
-# UNRAID_MCP_JWT_SIGNING_KEY=<generate with command above>
-
-# API Key Authentication (Optional)
-# -----------------------------------
-# Alternative to Google OAuth — clients present this key as a bearer token:
-#   Authorization: Bearer <UNRAID_MCP_API_KEY>
-#
-# Can be the same value as UNRAID_API_KEY (reuse your Unraid key), or a
-# separate dedicated secret.  Set both GOOGLE_CLIENT_ID and UNRAID_MCP_API_KEY
-# to accept either auth method (MultiAuth).
-#
-# Leave empty to disable API key auth.
-# UNRAID_MCP_API_KEY=
+# stdio transport (default) is inherently local — no network exposure.