docs(mcp): add public API documentation and deployment configuration

- Add MCP public API section to CLAUDE.md with configuration examples
- Document MCP_ENABLED, MCP_REQUIRE_AUTH, MCP_RATE_LIMIT settings
- Add public deployment example with environment variables
- Add rate limiting protection notes for public access deployments
- Add MCP endpoints list (/mcp/health, /mcp/tools, /mcp/server-info, /mcp)
- Update config/config.exs with enhanced MCP configuration comments
- Document public deployment example with recommended rate limit (100 req/hr)
- Add rate limiting rationale for abuse protection without authentication
- Add complete tasks.md with all 41 tasks marked complete across 7 phases

Author: GSMLG-BOT

CLAUDE.md

@@ -402,6 +402,25 @@ The MCP (Model Context Protocol) server provides AI clients with comprehensive p
 - `lib/hex_hub/mcp/transport.ex` - HTTP/WebSocket transport layer
 - `lib/hex_hub/mcp/tools/` - MCP tool implementations
 
+**Public MCP API**:
+The MCP API can be configured for public (unauthenticated) access to allow AI clients to query package information:
+
+```bash
+# Enable public access (no authentication required for read-only operations)
+export MCP_REQUIRE_AUTH=false
+export MCP_RATE_LIMIT=100  # requests per hour per IP
+```
+
+Public endpoints:
+- `GET /mcp/health` - Health check
+- `GET /mcp/tools` - List available tools
+- `GET /mcp/server-info` - Server capabilities
+- `POST /mcp` - JSON-RPC requests for package queries
+
+Rate limiting: IP-based rate limiting protects against abuse. Returns HTTP 429 with `retry-after` header when exceeded.
+
+See `specs/008-mcp-public-api/quickstart.md` for detailed usage examples.
+
 ### Development Patterns
 
 **Always Use Storage Abstraction**: Never access storage directly, use `HexHub.Storage`
@@ -464,6 +483,8 @@ Logger.info("Package #{name} published")
 - Mnesia (`:system_settings` or `:publish_configs` table for setting, existing `:users` table for anonymous user) (006-anonymous-publish-config)
 - Elixir 1.15+ / OTP 26+ + Phoenix 1.8+, Mnesia (built-in), :erl_tar (Erlang stdlib) (007-admin-backup)
 - Mnesia for metadata, HexHub.Storage for package tarballs, local filesystem for backup archives (007-admin-backup)
+- Elixir 1.15+ / OTP 26+ + Phoenix 1.8+, Mnesia, `:telemetry` (008-mcp-public-api)
+- Mnesia (existing `:packages`, `:package_releases` tables) (008-mcp-public-api)
 
 ## Recent Changes
 - 001-telemetry-logging: Added Elixir 1.15+ / OTP 26+ + `:telemetry` (already in project), `Logger` (Elixir stdlib)

config/config.exs

@@ -33,6 +33,27 @@ config :hex_hub, HexHubAdminWeb.Endpoint,
 config :hex_hub, HexHub.Mailer, adapter: Swoosh.Adapters.Local
 
 # MCP (Model Context Protocol) configuration
+#
+# MCP provides a JSON-RPC 2.0 interface for AI clients to interact with HexHub.
+#
+# Environment variables:
+#   MCP_ENABLED       - Enable/disable MCP server (default: "false")
+#   MCP_REQUIRE_AUTH  - Require API key authentication (default: "true")
+#                       Set to "false" for public read-only access to package info
+#   MCP_RATE_LIMIT    - Requests per hour per IP (default: "1000")
+#                       Rate limiting protects against abuse when auth is disabled
+#   MCP_DEBUG         - Enable debug logging (default: "false")
+#
+# Public deployment example:
+#   MCP_ENABLED=true MCP_REQUIRE_AUTH=false MCP_RATE_LIMIT=100 ./bin/hex_hub start
+#
+# Endpoints (when enabled):
+#   GET  /mcp/health      - Health check
+#   GET  /mcp/tools       - List available tools
+#   GET  /mcp/server-info - Server capabilities
+#   POST /mcp             - JSON-RPC requests
+#   WS   /mcp/ws          - WebSocket transport
+#
 config :hex_hub, :mcp,
   enabled: System.get_env("MCP_ENABLED", "false") == "true",
   websocket_path: System.get_env("MCP_WEBSOCKET_PATH", "/mcp/ws"),

specs/008-mcp-public-api/checklists/requirements.md

@@ -0,0 +1,37 @@
+# Specification Quality Checklist: Public MCP API for Package Information
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning
+**Created**: 2026-01-19
+**Feature**: [spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Specification is ready for `/speckit.clarify` or `/speckit.plan`
+- The existing MCP infrastructure in the codebase already supports most of the required functionality
+- Key focus is on ensuring public accessibility without authentication for read-only operations
+- Rate limiting and telemetry logging align with existing project patterns