docs: fix script cmds and unnecessary content

nypdmax · nypdmax · commit 9e1a9abc8ee9 · 2026-02-06T23:29:31.000+08:00
diff --git a/docs/authorization-multiprotocol.md b/docs/authorization-multiprotocol.md
@@ -465,39 +465,68 @@ See `RequireAuthMiddleware` and PRM handler in `mcp.server.auth` for how these a
 
 ## 4. Integration test examples
 
-### 4.1 Phase 2: Multi-protocol (API Key, OAuth, mTLS placeholder)
+### 4.1 Multi-protocol (API Key, OAuth, mTLS placeholder)
 
-**Script:** `./scripts/run_phase2_multiprotocol_integration_test.sh` (from repo root).
+**Script:** `./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`
 
-**Behavior:**
+**Quick start (from repo root):**
 
-- Starts the multi-protocol resource server (`simple-auth-multiprotocol-rs`) on port 8002 with `--api-keys=demo-api-key-12345`. For OAuth, also starts the AS (`simple-auth-as`) on port 9000.
-- Waits for PRM: `GET http://localhost:8002/.well-known/oauth-protected-resource/mcp`.
-- Runs the client based on `MCP_AUTH_PROTOCOL`:
-  - **api_key** (default): `simple-auth-multiprotocol-client` with `MCP_SERVER_URL=http://localhost:8002/mcp` and `MCP_API_KEY=demo-api-key-12345`. No AS is required.
-  - **oauth**: `simple-auth-client` against the same RS; the user completes OAuth in the browser, then runs `list`, `call get_time {}`, `quit`.
-  - **mutual_tls**: the same multiprotocol client without an API key; mTLS is a placeholder (no real client certificate validation).
+```bash
+# API Key (non-interactive, default)
+./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh
+
+# OAuth (interactive — complete authorization in browser)
+MCP_AUTH_PROTOCOL=oauth ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh
+
+# Mutual TLS placeholder (expect "not implemented" error)
+MCP_AUTH_PROTOCOL=mutual_tls ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh
+```
+
+The script starts the multi-protocol RS on port 8002 (and AS on 9000 for OAuth), waits for PRM readiness, then runs the client with the selected protocol. For `api_key` and `mutual_tls`, the script is fully automated and prints PASS/FAIL. For `oauth`, the user completes OAuth in the browser, then runs `list`, `call get_time {}`, `quit`.
+
+**Env variables:** `MCP_RS_PORT` (default 8002), `MCP_AS_PORT` (default 9000), `MCP_AUTH_PROTOCOL` (default `api_key`), `MCP_SKIP_OAUTH=1` (skip manual OAuth test).
 
 **Demonstrates:** PRM and optional unified discovery, protocol selection (API Key vs OAuth), and API Key authentication without an AS.
 
-### 4.2 Phase 4: DPoP integration
+### 4.2 DPoP integration
+
+**Script:** `./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh`
+
+**Quick start (from repo root):**
+
+```bash
+# Automated tests only (no browser)
+MCP_SKIP_OAUTH=1 ./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh
 
-**Script:** `./scripts/run_phase4_dpop_integration_test.sh` (from repo root).
+# Full test including manual OAuth+DPoP (requires browser)
+./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh
+```
+
+The script starts AS on port 9000 and RS on port 8002 with `--dpop-enabled`, then runs automated curl tests:
 
-**Behavior:**
+- API Key request → 200 (DPoP does not affect API Key).
+- Bearer token without DPoP proof → 401 (RS requires DPoP when token is DPoP-bound).
+- Negative: fake token, wrong htm/htu, DPoP without Authorization → 401.
 
-- Starts AS on 9000 and RS on 8002 with `--dpop-enabled` and an API key.
-- Runs **automated** curl tests:
-  - **B2:** API Key request → 200 (DPoP does not affect API Key).
-  - **A2:** Bearer token without DPoP proof → 401 (RS requires DPoP when token is DPoP-bound).
-  - Negative: fake token, wrong htm/htu, DPoP without Authorization → 401.
-- Optionally runs a **manual** OAuth+DPoP client test: `MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1` with the multiprotocol client; the user completes OAuth in the browser, then runs `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
+When `MCP_SKIP_OAUTH` is not set, the script also runs a manual OAuth+DPoP client test: the user completes OAuth in the browser, then runs `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
 
-**Env:** `MCP_SKIP_OAUTH=1` skips the manual client step and runs only the automated curl tests.
+**Env variables:** `MCP_RS_PORT` (default 8002), `MCP_AS_PORT` (default 9000), `MCP_SKIP_OAUTH=1` (skip manual OAuth+DPoP test).
 
 **Demonstrates:** DPoP proof verification on the server, rejection of Bearer tokens without a proof when DPoP is required, and a successful OAuth+DPoP flow with the example client.
 
-### 4.3 Test matrix (reference)
+### 4.3 OAuth2 backward compatibility
+
+**Script:** `./examples/clients/simple-auth-multiprotocol-client/run_oauth2_test.sh`
+
+**Quick start (from repo root):**
+
+```bash
+./examples/clients/simple-auth-multiprotocol-client/run_oauth2_test.sh
+```
+
+Starts the `simple-auth` AS and RS (OAuth-only, no multi-protocol), then runs `simple-auth-client`. The user completes OAuth in the browser, then runs `list`, `call get_time {}`, `quit`. Verifies that the existing OAuth-only path still works unchanged.
+
+### 4.4 Test matrix (reference)
 
 | Case | Auth type        | Expected result |
 |------|------------------|-----------------|
diff --git a/examples/README.md b/examples/README.md
@@ -11,16 +11,15 @@ for real-world servers.
 ### API Key
 
 - Use `MCP_API_KEY` on the client; start RS with `--api-keys=...` (no AS required).
-- One-command test (from repo root): `MCP_AUTH_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
+- One-command test (from repo root): `./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`
 
 ### OAuth + DPoP
 
 - Start AS and RS with `--dpop-enabled`; client: `MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1`.
-- One-command test (from repo root): `./scripts/run_phase4_dpop_integration_test.sh` (use `MCP_SKIP_OAUTH=1` to skip manual OAuth step).
+- One-command test (from repo root): `./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh` (use `MCP_SKIP_OAUTH=1` to skip manual OAuth step).
 
 ### Mutual TLS (placeholder)
 
-- mTLS is a placeholder (no client cert validation). Script: `MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
-- mTLS is a placeholder (no client cert validation). Script: `MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
+- mTLS is a placeholder (no client cert validation). Script: `MCP_AUTH_PROTOCOL=mutual_tls ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`
 
 **Client**: [simple-auth-multiprotocol-client](clients/simple-auth-multiprotocol-client/) — supports API Key (`MCP_API_KEY`), OAuth+DPoP (`MCP_USE_OAUTH=1`, `MCP_DPOP_ENABLED=1`), and mTLS placeholder.
diff --git a/examples/clients/simple-auth-multiprotocol-client/README.md b/examples/clients/simple-auth-multiprotocol-client/README.md
@@ -26,7 +26,7 @@ MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run m
 ```
 
 **One-command test** from repo root:  
-`MCP_AUTH_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+`./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`  
 starts the resource server and this client with API Key; at `mcp>` run `list`, `call get_time {}`, `quit`.
 
 ## Running with OAuth + DPoP
@@ -45,16 +45,16 @@ MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv r
 Complete OAuth in the browser; then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
 
 **One-command test** from repo root:  
-`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS with DPoP, then runs this client (OAuth+DPoP). Use `MCP_SKIP_OAUTH=1` to run only the automated curl tests and skip the manual client step.
+`./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh` — starts AS and RS with DPoP, then runs this client (OAuth+DPoP). Use `MCP_SKIP_OAUTH=1` to run only the automated curl tests and skip the manual client step.
 
 ## Running with Mutual TLS (placeholder)
 
 Mutual TLS is a **placeholder** in this example: the client registers the `mutual_tls` protocol but does **not** perform client certificate authentication. Selecting mTLS will show a "not implemented" style message.
 
-- **`MCP_AUTH_PROTOCOL=mutual_tls`** (with the phase2 script) runs this client in mTLS mode; the client will start but mTLS auth is not implemented.
+- **`MCP_AUTH_PROTOCOL=mutual_tls`** runs this client in mTLS mode; the client will start but mTLS auth is not implemented.
 
 **One-command test** from repo root:  
-`MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
+`MCP_AUTH_PROTOCOL=mutual_tls ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`
 
 ## Commands
 
diff --git a/examples/servers/simple-auth-multiprotocol/README.md b/examples/servers/simple-auth-multiprotocol/README.md
@@ -38,7 +38,7 @@ You can run the Resource Server **without** the Authorization Server when using
 3. At the `mcp>` prompt, run `list`, `call get_time {}`, then `quit`.
 
 **One-command verification** (from repo root):  
-`MCP_AUTH_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+`./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`  
 This starts the RS, then the client with API Key; complete the session with `list`, `call get_time {}`, `quit`.
 
 ## Running with DPoP (OAuth + DPoP)
@@ -63,15 +63,15 @@ DPoP (Demonstrating Proof-of-Possession, RFC 9449) binds the access token to a c
    Complete OAuth in the browser, then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
 
 **One-command verification** (from repo root):  
-`./scripts/run_phase4_dpop_integration_test.sh` — starts AS and RS (with `--dpop-enabled`), runs automated DPoP tests, then optionally the OAuth+DPoP client (use `MCP_SKIP_OAUTH=1` to skip the manual OAuth step).
+`./examples/clients/simple-auth-multiprotocol-client/run_dpop_test.sh` — starts AS and RS (with `--dpop-enabled`), runs automated DPoP tests, then optionally the OAuth+DPoP client (use `MCP_SKIP_OAUTH=1` to skip the manual OAuth step).
 
 ## Running with Mutual TLS (placeholder)
 
 Mutual TLS is a **placeholder** in this example: the server accepts the `mutual_tls` protocol in PRM/discovery but does **not** perform client certificate validation. Selecting mTLS in the client will show a "not implemented" style message.
 
 - **Server**: No extra flags; `auth_protocols` already includes `mutual_tls`.
 - **Client** (from repo root):  
-  `MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`  
+  `MCP_AUTH_PROTOCOL=mutual_tls ./examples/clients/simple-auth-multiprotocol-client/run_multiprotocol_test.sh`  
   The client will start but mTLS authentication is not implemented in this example.
 
 ## Options
