diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2b854c8..eef36d88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 ## [Unreleased]
 
+### Phase 8 — MCP remote HTTP (streamable) transport (AI-049) (2026-06-16)
+
+A REMOTE HTTP transport for the MCP server so clients connect over HTTP behind the existing nginx + Cloudflare tunnel (no new cloud), as a new localhost-only Docker service. **stdio behavior is byte-identical** — the http transport is additive. Critical design point: remote HTTP is **multi-user** — each connection authenticates via its OWN `Authorization: Bearer` header (the AI-050 device-flow JWT pasted into the client config), NOT a server-side token cache.
+
+- **Dual-mode host** (`Program.cs` + new `McpHosts`). Transport selected by env `MCP_TRANSPORT` (`stdio` default | `http`) or the `--http` CLI flag (`McpBridgeOptions.Transport`). **stdio** (default, UNCHANGED): `Host.CreateApplicationBuilder`, logs→stderr (the JSON-RPC-on-stdout invariant preserved), `.WithStdioServerTransport()`, singleton DI, device-flow/static token — one process identity. **http** (AI-049): `WebApplication`, normal logging (no JSON-RPC on stdout here), `AddHttpContextAccessor()`, `.WithHttpTransport(o => o.Stateless = true)`, `app.MapMcp("/mcp")` + `GET /health` (Docker probe), `ASPNETCORE_URLS=http://+:8090`.
+- **Per-connection identity** (`Auth/HttpContextTokenProvider.cs`, http only). `IMcpTokenProvider` that reads the bearer off `IHttpContextAccessor.HttpContext.Request.Headers.Authorization` (case-insensitive `Bearer ` strip): non-empty → `Authorized(jwt)`; missing/empty/`"Bearer "`-only/malformed → `Failed("authentication required — set Authorization: Bearer <token> in your MCP client")`. NEVER does device flow, NEVER touches `TokenCache`.
+- **DI lifetime — the real impact.** http mode registers `IMcpTokenProvider` → `HttpContextTokenProvider` **scoped** and `McpToolCatalog` **scoped** (the `tools/call` handler resolves from request-scoped `request.Services`; the typed `AddHttpClient<TextStackApiClient>` is request-scoped already) so the per-request bearer can't leak across connections. stdio mode keeps the SINGLETON registrations exactly as before. The http host additionally turns DI **scope validation ON** (`UseDefaultServiceProvider` → `ValidateScopes = true`, `ValidateOnBuild = true`) as defense-in-depth for the public multi-user endpoint: a future regression that registers an identity service as a singleton capturing a scoped dep fails at build instead of silently leaking one user's bearer (stdio keeps the defaults — singleton-by-design). The lifetime-agnostic `ListTools`/`CallTool` handler delegates + shared client config are extracted to `McpBridgeCore` so both hosts register identical handlers. `TextStackApiClient`/`McpToolCatalog` are UNCHANGED (already call `GetTokenAsync()`, map `Failed` → clean auth-required `IsError`, public tools use `PublicRequest`).
+- **Package.** `ModelContextProtocol.AspNetCore` 1.4.0 (matches the pinned `ModelContextProtocol` 1.4.0) added to `Directory.Packages.props`; the MCP csproj keeps `Microsoft.NET.Sdk` (NOT `.Web`) + an explicit `<FrameworkReference Include="Microsoft.AspNetCore.App" />`. Real API used: `builder.Services.AddMcpServer(...).WithHttpTransport(o => o.Stateless = true)` + `app.MapMcp("/mcp")`.
+- **Deploy.** `backend/Docker/Mcp.Dockerfile` (alpine sdk build → aspnet runtime, restores/publishes ONLY the thin MCP csproj, non-root `app`, `ASPNETCORE_URLS=http://+:8090`, EXPOSE 8090). `docker-compose.yml` `mcp-server` behind a **`mcp` profile** (so the CI docker/e2e jobs' bare `docker compose up` does NOT start it): `MCP_TRANSPORT=http`, `TEXTSTACK_API_URL=http://api:8080` (INTERNAL docker network, no Cloudflare round-trip), `TEXTSTACK_SITE_HOST=textstack.app`, `ports: 127.0.0.1:8090:8090`, `/health` healthcheck, `depends_on: api healthy`, `restart: always`, 256M cap. `infra/nginx/textstack.conf`: `upstream textstack_mcp` (keepalive 32), `mcp_limit` zone (10r/s burst 20), `location /mcp` with SSE/streaming settings (`proxy_http_version 1.1`, `Connection ""`, relays `Authorization`, `proxy_buffering off`, `proxy_cache off`, 3600s read/send timeouts) — applied manually on the server at deploy.
+- **Tests** (`tests/TextStack.UnitTests/McpHttpTransportTests.cs`, CI-safe, no network/live server): `HttpContextTokenProvider` header→`TokenResult` (bearer→`Authorized`, case-insensitive scheme, absent/empty/`"Bearer "`-only/wrong-scheme/malformed→`Failed`, no-context→`Failed`); composition (catalog over the provider, no bearer → clean auth-required `IsError`, ZERO sends); multi-user guarantee (different bearers → different tokens; same provider re-reads the live request); dual-mode startup (`ResolveTransport` parses env + `--http`; `BuildStdio` constructs; `BuildHttp` starts a `WebApplication` with `/health`→200). No `ITool` added (StudyBuddy set-equality stays green).
+
 ### Phase 8 — `save_highlight` MCP write tool (AI-048b) (2026-06-16)
 
 The first WRITE tool on the MCP↔HTTP bridge, completing the 7-tool surface (the 6 reads + `save_highlight`). Now safe to ship because AI-050b gives a per-user consented token, so the write runs on the user's OWN identity, not a shared static secret. All in `backend/src/Ai/TextStack.Ai.Mcp/` + unit tests — **no backend change**.
diff --git a/CLAUDE.md b/CLAUDE.md
index 88c6650d..dbc05e5e 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -456,13 +456,13 @@ That single command builds the AAB and pushes it to Internal Testing. Service ac
 
 ```
 Internet → Cloudflare (DNS+SSL) → Cloudflare Tunnel → nginx (port 80)
-  ├─ textstack.app → SSG static files + /api/ proxy to :8080
+  ├─ textstack.app → SSG static files + /api/ proxy to :8080 + /mcp proxy to :8090
   └─ textstack.dev → admin panel (:81)
 ```
 
-Docker services: `db` (postgres:16), `migrator`, `api`, `worker`, `admin`, `ssg-worker`, `aspire-dashboard` (profile-gated), `ollama`. All localhost-only, no public ports except 80 via tunnel.
+Docker services: `db` (postgres:16), `migrator`, `api`, `worker`, `admin`, `ssg-worker`, `aspire-dashboard` (profile-gated), `ollama`, `mcp-server` (profile-gated, `--profile mcp`). All localhost-only, no public ports except 80 via tunnel.
 
-**Nginx bot detection**: Regex map identifies crawlers (Google, Bing, Yandex, social bots) → routes to prerendered SSG HTML. Rate limiting zones: API (10r/s), uploads (1r/s), translation (5r/m).
+**Nginx bot detection**: Regex map identifies crawlers (Google, Bing, Yandex, social bots) → routes to prerendered SSG HTML. Rate limiting zones: API (10r/s), uploads (1r/s), translation (5r/m), MCP (10r/s).
 
 **Systemd services**: `seo-publish-poller` (auto-publish with SEO generation).
 
@@ -474,6 +474,16 @@ Supported formats: EPUB, PDF, FB2. Processing order: Spelling → Hyphenation 
 
 FB2 (`Fb2TextExtractor`): XML-based FictionBook 2.0. Cover from binary elements, metadata extraction, chapter flattening, namespace detection for non-compliant files.
 
+## MCP Server (`backend/src/Ai/TextStack.Ai.Mcp/`)
+
+Thin, stateless MCP↔HTTP bridge (Phase 8) — every tool call becomes an HTTP request to the public TextStack API (no DB/EF/OpenAI). 7 tools: `search_books`, `get_book`, `get_chapter` (public) + `list_my_highlights`, `list_my_vocabulary`, `ask_book`, `save_highlight` (Bearer).
+
+**Dual transport** (env `MCP_TRANSPORT`: `stdio` default | `http`; `--http` flag also selects http). Shared wiring (tool catalog handlers, typed `TextStackApiClient`) in `McpBridgeCore`; the two host builders in `McpHosts`.
+- **stdio** (local, single identity): `Host.CreateApplicationBuilder`, **logs→stderr** (stdout is JSON-RPC only — never `Console.Write*`), singleton DI, token from `TEXTSTACK_MCP_TOKEN` (static) or the device flow (`DeviceFlowTokenProvider`, AI-050). Byte-identical to the pre-049 server.
+- **http** (AI-049, remote, **multi-user**): `WebApplication`, `.WithHttpTransport(o => o.Stateless = true)`, `app.MapMcp("/mcp")` + `GET /health`. Each connection authenticates with its OWN `Authorization: Bearer <token>` — the AI-050 device-flow JWT pasted into the client config — read per-request by `HttpContextTokenProvider` (SCOPED; `McpToolCatalog` + provider scoped so no identity leaks across connections). NEVER touches the device-flow cache. Package: `ModelContextProtocol.AspNetCore` 1.4.0 (matches the pinned `ModelContextProtocol`).
+
+**Deploy** (http mode): Docker `mcp-server` (`backend/Docker/Mcp.Dockerfile`, profile `mcp`) binds `http://+:8090`, mapped `127.0.0.1:8090`; talks to the API over the **internal** docker network (`TEXTSTACK_API_URL=http://api:8080`). nginx `location /mcp` (upstream `textstack_mcp`, zone `mcp_limit`) proxies with SSE settings (`proxy_buffering off`, `Connection ""`, relays `Authorization`, 3600s timeouts). Behind Cloudflare tunnel — no new cloud. Bring up: `docker compose --profile mcp up -d mcp-server`. nginx `/mcp` block is applied manually on the server at deploy.
+
 ## Telemetry
 
 OpenTelemetry → Aspire Dashboard (`localhost:18888`). OTLP: `:18889`. Services: `textstack-api`, `textstack-worker`.
diff --git a/Directory.Packages.props b/Directory.Packages.props
index c336930a..e39ad6dc 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -32,6 +32,12 @@
          TextStack.Ai.Mcp — the SDK ships the stdio transport + low-level
          ListTools/CallTool handler API used by the runtime tool catalog. -->
     <PackageVersion Include="ModelContextProtocol" Version="1.4.0" />
+    <!-- HTTP (streamable) transport for the MCP server (AI-049, Phase 8). Separate
+         package layered on ModelContextProtocol; pinned to the SAME 1.4.0 as the
+         core SDK. Brings WithHttpTransport(o => o.Stateless = true) + MapMcp("/mcp")
+         on a WebApplication. Pulls in the ASP.NET Core framework reference for the
+         TextStack.Ai.Mcp http transport branch. -->
+    <PackageVersion Include="ModelContextProtocol.AspNetCore" Version="1.4.0" />
     <!-- Tool-args validation (AI-030): real JSON Schema draft 2020-12 evaluation before dispatch -->
     <PackageVersion Include="JsonSchema.Net" Version="7.3.4" />
     <!-- AI eval framework (MEAI.Evaluation). Stable 10.6.0 — IChatClient seam +
diff --git a/backend/Docker/Mcp.Dockerfile b/backend/Docker/Mcp.Dockerfile
new file mode 100644
index 00000000..0f9f4221
--- /dev/null
+++ b/backend/Docker/Mcp.Dockerfile
@@ -0,0 +1,27 @@
+# TextStack MCP server — remote HTTP (streamable) transport (AI-049, Phase 8).
+# Mirrors Api.Dockerfile (alpine sdk build → alpine aspnet runtime). The project
+# is a thin, stateless MCP↔HTTP bridge: it references ONLY the MCP SDK packages
+# (no Application / Infrastructure / Domain), so the restore layer copies just its
+# csproj + the central package/build props.
+FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS build
+WORKDIR /src
+
+COPY Directory.Build.props Directory.Packages.props ./
+COPY backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj backend/src/Ai/TextStack.Ai.Mcp/
+RUN dotnet restore backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj
+
+COPY backend/src/Ai/TextStack.Ai.Mcp/ backend/src/Ai/TextStack.Ai.Mcp/
+RUN dotnet publish backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj -c Release -o /app/publish
+
+FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine AS runtime
+RUN deluser app 2>/dev/null; delgroup app 2>/dev/null; \
+    addgroup -g 1000 app && adduser -D -u 1000 -G app app
+WORKDIR /app
+COPY --from=build /app/publish .
+USER app
+# Remote, multi-user transport: each connection carries its own Bearer; the
+# container binds all interfaces on 8090 (compose maps it to 127.0.0.1 only,
+# nginx fronts /mcp). MCP_TRANSPORT=http is supplied by compose.
+ENV ASPNETCORE_URLS=http://+:8090
+EXPOSE 8090
+ENTRYPOINT ["dotnet", "TextStack.Ai.Mcp.dll"]
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/Auth/HttpContextTokenProvider.cs b/backend/src/Ai/TextStack.Ai.Mcp/Auth/HttpContextTokenProvider.cs
new file mode 100644
index 00000000..5c380db4
--- /dev/null
+++ b/backend/src/Ai/TextStack.Ai.Mcp/Auth/HttpContextTokenProvider.cs
@@ -0,0 +1,49 @@
+using Microsoft.AspNetCore.Http;
+
+namespace TextStack.Ai.Mcp.Auth;
+
+/// <summary>
+/// HTTP-mode <see cref="IMcpTokenProvider"/> (AI-049). The remote transport is
+/// MULTI-USER: each connection authenticates with its OWN
+/// <c>Authorization: Bearer &lt;token&gt;</c> header, NOT a server-side device-flow
+/// cache. This provider reads that header off the CURRENT request and never does
+/// device flow / never touches <see cref="TokenCache"/>.
+///
+/// Registered SCOPED (so the per-request bearer can't leak across connections);
+/// resolves the live request via <see cref="IHttpContextAccessor"/>.
+///   • non-empty bearer → <see cref="TokenResult.Authorized"/> (the raw JWT).
+///   • missing / empty / "Bearer "-only / malformed → <see cref="TokenResult.Failed"/>
+///     with an actionable "set Authorization: Bearer &lt;token&gt;" message that the
+///     catalog renders as a clean auth-required IsError (the HTTP call is never made).
+///
+/// NEVER yields <see cref="TokenResult.Pending"/> — there is no device flow in http
+/// mode; the user pastes the AI-050 device-flow JWT into their MCP client config.
+/// </summary>
+public sealed class HttpContextTokenProvider : IMcpTokenProvider
+{
+    private const string BearerScheme = "Bearer ";
+
+    private static readonly TokenResult.Failed NoBearer = new(
+        "authentication required — set Authorization: Bearer <token> in your MCP client");
+
+    private readonly IHttpContextAccessor _accessor;
+
+    public HttpContextTokenProvider(IHttpContextAccessor accessor) => _accessor = accessor;
+
+    public Task<TokenResult> GetTokenAsync(CancellationToken ct)
+    {
+        // No live request (defensive) → fail-clean, no throw.
+        var header = _accessor.HttpContext?.Request.Headers.Authorization.ToString();
+        if (string.IsNullOrWhiteSpace(header))
+            return Task.FromResult<TokenResult>(NoBearer);
+
+        // Strip the scheme case-insensitively. A header that is NOT a Bearer scheme,
+        // or "Bearer " with nothing after it, is treated as missing.
+        if (!header.StartsWith(BearerScheme, StringComparison.OrdinalIgnoreCase))
+            return Task.FromResult<TokenResult>(NoBearer);
+
+        var token = header[BearerScheme.Length..].Trim();
+        return Task.FromResult<TokenResult>(
+            token.Length == 0 ? NoBearer : new TokenResult.Authorized(token));
+    }
+}
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeCore.cs b/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeCore.cs
new file mode 100644
index 00000000..45e2ab6e
--- /dev/null
+++ b/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeCore.cs
@@ -0,0 +1,96 @@
+using System.Reflection;
+using System.Text.Json;
+using Microsoft.Extensions.DependencyInjection;
+using ModelContextProtocol.Protocol;
+using ModelContextProtocol.Server;
+using TextStack.Ai.Mcp.Http;
+using TextStack.Ai.Mcp.Tools;
+
+namespace TextStack.Ai.Mcp;
+
+/// <summary>
+/// Transport-agnostic wiring shared by BOTH hosts (stdio + http, AI-049): the
+/// typed <see cref="TextStackApiClient"/> HTTP config and the
+/// <c>tools/list</c> / <c>tools/call</c> handler delegates.
+///
+/// The handlers resolve <see cref="McpToolCatalog"/> from <c>request.Services</c>
+/// (which is request-scoped under HTTP and the root provider under stdio), so they
+/// are lifetime-agnostic and IDENTICAL across hosts. Only the DI lifetime of the
+/// catalog / token provider differs per transport, registered by the callers.
+/// </summary>
+internal static class McpBridgeCore
+{
+    /// <summary>
+    /// Registers the typed <see cref="TextStackApiClient"/> over the public API.
+    /// The Host header is set per-request inside the client so
+    /// <c>SiteContextMiddleware</c> resolves the site. Bound timeout so a stuck
+    /// upstream can't hang a tool call for the default 100s.
+    /// </summary>
+    public static void AddApiClient(IServiceCollection services, McpBridgeOptions options) =>
+        services.AddHttpClient<TextStackApiClient>(http =>
+        {
+            http.BaseAddress = new Uri(options.ApiBaseUrl, UriKind.Absolute);
+            http.Timeout = TimeSpan.FromSeconds(McpTimeoutSeconds());
+        });
+
+    /// <summary>
+    /// The shared MCP server handlers. Both hosts register the SAME pair; identity
+    /// (and lifetime) is supplied by whatever <see cref="McpToolCatalog"/> the
+    /// request scope resolves.
+    /// </summary>
+    public static McpServerHandlers BuildHandlers() => new()
+    {
+        // tools/list — projected from the runtime catalog.
+        ListToolsHandler = (request, _) =>
+        {
+            var catalog = request.Services!.GetRequiredService<McpToolCatalog>();
+            return ValueTask.FromResult(new ListToolsResult { Tools = catalog.ListTools() });
+        },
+        // tools/call — dispatch by name; args dictionary → a single JSON object for
+        // the catalog handler (which validates against the input schema).
+        CallToolHandler = async (request, ct) =>
+        {
+            var catalog = request.Services!.GetRequiredService<McpToolCatalog>();
+            var name = request.Params!.Name;
+            var arguments = ToArgumentsObject(request.Params.Arguments);
+            return await catalog.CallAsync(name, arguments, ct);
+        },
+    };
+
+    /// <summary>Server identity advertised in both transports.</summary>
+    public static Implementation ServerInfo() => new()
+    {
+        Name = "textstack",
+        Version = Assembly.GetExecutingAssembly().GetName().Version?.ToString() ?? "1.0.0",
+    };
+
+    /// <summary>Tools-only capability set (no prompts/resources).</summary>
+    public static ServerCapabilities Capabilities() => new() { Tools = new ToolsCapability() };
+
+    // Rebuilds the MCP-supplied args dictionary into a single JSON object element so
+    // the catalog handler can validate/read it as one schema-shaped value.
+    private static JsonElement? ToArgumentsObject(IDictionary<string, JsonElement>? arguments)
+    {
+        if (arguments is null)
+            return null;
+
+        var node = new System.Text.Json.Nodes.JsonObject();
+        foreach (var (key, value) in arguments)
+            node[key] = System.Text.Json.Nodes.JsonNode.Parse(value.GetRawText());
+
+        return JsonSerializer.SerializeToElement(node);
+    }
+
+    // HttpClient timeout in seconds. Env: TEXTSTACK_MCP_TIMEOUT_SECONDS (default 15);
+    // a non-positive / unparseable value falls back to the 15s default. internal so
+    // the stdio device-flow client (McpHosts) shares the SAME env-overridable value
+    // as the typed TextStackApiClient — no drift.
+    internal static double McpTimeoutSeconds()
+    {
+        var raw = Environment.GetEnvironmentVariable("TEXTSTACK_MCP_TIMEOUT_SECONDS");
+        if (double.TryParse(raw, out var seconds) && seconds > 0)
+            return seconds;
+
+        return 15;
+    }
+}
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeOptions.cs b/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeOptions.cs
index 4f18d1e9..63ac695e 100644
--- a/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeOptions.cs
+++ b/backend/src/Ai/TextStack.Ai.Mcp/McpBridgeOptions.cs
@@ -31,7 +31,18 @@ public sealed class McpBridgeOptions
     /// </summary>
     public string? TokenCachePath { get; init; }
 
-    public static McpBridgeOptions FromEnvironment()
+    /// <summary>
+    /// Server transport (AI-049). <c>stdio</c> (default) = the local single-identity
+    /// host (device-flow / static token). <c>http</c> = the remote, multi-user
+    /// streamable HTTP host behind nginx, where each connection carries its own
+    /// <c>Authorization: Bearer</c> (see
+    /// <see cref="Auth.HttpContextTokenProvider"/>). Env: <c>MCP_TRANSPORT</c>;
+    /// the <c>--http</c> CLI flag also selects http. Defaults to <c>stdio</c> so
+    /// callers that don't set it keep the pre-049, byte-identical behaviour.
+    /// </summary>
+    public McpTransport Transport { get; init; } = McpTransport.Stdio;
+
+    public static McpBridgeOptions FromEnvironment(string[]? args = null)
     {
         var apiUrl = Environment.GetEnvironmentVariable("TEXTSTACK_API_URL");
         if (string.IsNullOrWhiteSpace(apiUrl))
@@ -48,6 +59,33 @@ public static McpBridgeOptions FromEnvironment()
             // When set → static-token mode (CI / escape hatch); else device flow.
             McpToken = Environment.GetEnvironmentVariable("TEXTSTACK_MCP_TOKEN"),
             TokenCachePath = Environment.GetEnvironmentVariable("TEXTSTACK_MCP_TOKEN_CACHE"),
+            Transport = ResolveTransport(
+                Environment.GetEnvironmentVariable("MCP_TRANSPORT"), args),
         };
     }
+
+    /// <summary>
+    /// http when <c>MCP_TRANSPORT=http</c> (case-insensitive) OR the <c>--http</c>
+    /// CLI flag is present; stdio otherwise (the default, byte-identical to today).
+    /// Any unrecognized MCP_TRANSPORT value falls back to stdio.
+    /// </summary>
+    internal static McpTransport ResolveTransport(string? envValue, string[]? args)
+    {
+        if (args is not null && Array.Exists(args, a => string.Equals(a, "--http", StringComparison.OrdinalIgnoreCase)))
+            return McpTransport.Http;
+
+        return string.Equals(envValue?.Trim(), "http", StringComparison.OrdinalIgnoreCase)
+            ? McpTransport.Http
+            : McpTransport.Stdio;
+    }
+}
+
+/// <summary>Selected MCP server transport (AI-049).</summary>
+public enum McpTransport
+{
+    /// <summary>Local stdio (default). One process identity; device-flow / static token.</summary>
+    Stdio,
+
+    /// <summary>Remote streamable HTTP. Multi-user; per-request bearer.</summary>
+    Http,
 }
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/McpHosts.cs b/backend/src/Ai/TextStack.Ai.Mcp/McpHosts.cs
new file mode 100644
index 00000000..08ab731b
--- /dev/null
+++ b/backend/src/Ai/TextStack.Ai.Mcp/McpHosts.cs
@@ -0,0 +1,135 @@
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using ModelContextProtocol.Server;
+using TextStack.Ai.Mcp.Auth;
+using TextStack.Ai.Mcp.Tools;
+
+namespace TextStack.Ai.Mcp;
+
+/// <summary>
+/// Builds the two transport hosts (AI-049). Extracted from <c>Program.cs</c> so
+/// the wiring is unit-testable (construct without throwing; mode switch) and so the
+/// shared bits (<see cref="McpBridgeCore"/>) are registered identically.
+///
+/// stdio = byte-identical to the pre-049 server (singletons, logs→stderr,
+/// device-flow / static token). http = multi-user streamable HTTP (scoped per-
+/// request identity via <see cref="HttpContextTokenProvider"/>, normal logging,
+/// <c>/mcp</c> + a <c>/health</c> probe).
+/// </summary>
+public static class McpHosts
+{
+    // ── stdio (default — UNCHANGED from the original Program.cs) ─────────────────
+
+    /// <summary>
+    /// Local single-identity host. stdout carries ONLY JSON-RPC, so ALL logging
+    /// goes to stderr. Singleton DI; token from the static env var OR the device
+    /// flow. This path must stay byte-identical to the pre-049 behaviour.
+    /// </summary>
+    public static IHost BuildStdio(McpBridgeOptions options, string[] args)
+    {
+        var builder = Host.CreateApplicationBuilder(args);
+
+        // stdout is reserved for JSON-RPC — route every log record to stderr.
+        builder.Logging.ClearProviders();
+        builder.Logging.AddConsole(o => o.LogToStandardErrorThreshold = LogLevel.Trace);
+
+        builder.Services.AddSingleton(options);
+        AddTokenProviderStdio(builder.Services, options);
+        McpBridgeCore.AddApiClient(builder.Services, options);
+        builder.Services.AddSingleton<McpToolCatalog>();
+
+        builder.Services
+            .AddMcpServer(o =>
+            {
+                o.ServerInfo = McpBridgeCore.ServerInfo();
+                o.Capabilities = McpBridgeCore.Capabilities();
+                o.Handlers = McpBridgeCore.BuildHandlers();
+            })
+            .WithStdioServerTransport();
+
+        return builder.Build();
+    }
+
+    // Stdio token provider: static env var → StaticEnvTokenProvider (CI / escape
+    // hatch); else the device flow (cached token → refresh → device authorization).
+    private static void AddTokenProviderStdio(IServiceCollection services, McpBridgeOptions options)
+    {
+        if (!string.IsNullOrWhiteSpace(options.McpToken))
+        {
+            services.AddSingleton<IMcpTokenProvider, StaticEnvTokenProvider>();
+            return;
+        }
+
+        services.AddSingleton(new TokenCache(TokenCache.ResolvePath(options.TokenCachePath)));
+
+        const string deviceFlowClient = "device-flow";
+        services.AddHttpClient(deviceFlowClient, http =>
+        {
+            http.BaseAddress = new Uri(options.ApiBaseUrl, UriKind.Absolute);
+            http.DefaultRequestHeaders.Host = options.SiteHost;
+            // Env-overridable (TEXTSTACK_MCP_TIMEOUT_SECONDS, default 15) — same helper
+            // the typed TextStackApiClient uses, so the auth client never drifts.
+            http.Timeout = TimeSpan.FromSeconds(McpBridgeCore.McpTimeoutSeconds());
+        });
+
+        services.AddSingleton<IMcpTokenProvider>(sp => new DeviceFlowTokenProvider(
+            sp.GetRequiredService<IHttpClientFactory>().CreateClient(deviceFlowClient),
+            sp.GetRequiredService<TokenCache>(),
+            sp.GetRequiredService<ILogger<DeviceFlowTokenProvider>>()));
+    }
+
+    // ── http (AI-049 — remote, multi-user streamable transport) ─────────────────
+
+    /// <summary>
+    /// Remote streamable HTTP host. NORMAL logging (no JSON-RPC on stdout here).
+    /// Each connection carries its OWN bearer, so identity is per-request: the
+    /// token provider + catalog are SCOPED and read the live request via
+    /// <see cref="IHttpContextAccessor"/>. Stateless transport. Exposes
+    /// <c>/mcp</c> (the MCP endpoint) and <c>/health</c> (Docker probe).
+    /// </summary>
+    public static WebApplication BuildHttp(McpBridgeOptions options, string[] args)
+    {
+        var builder = WebApplication.CreateBuilder(args);
+
+        // Defense-in-depth for the public multi-user endpoint: turn the DI safety net
+        // ON regardless of environment (this host doesn't run in Development, so both
+        // would default OFF). A future regression that registers an identity service
+        // (HttpContextTokenProvider / McpToolCatalog) as a SINGLETON capturing a scoped
+        // dep would then fail at build instead of silently leaking one user's bearer.
+        builder.Host.UseDefaultServiceProvider((_, o) =>
+        {
+            o.ValidateScopes = true;
+            o.ValidateOnBuild = true;
+        });
+
+        builder.Services.AddSingleton(options);
+        builder.Services.AddHttpContextAccessor();
+
+        // Per-request bearer → scoped provider + scoped catalog (NEVER singletons,
+        // or one connection's identity would leak to another).
+        builder.Services.AddScoped<IMcpTokenProvider, HttpContextTokenProvider>();
+        McpBridgeCore.AddApiClient(builder.Services, options); // typed client is request-scoped already
+        builder.Services.AddScoped<McpToolCatalog>();
+
+        builder.Services
+            .AddMcpServer(o =>
+            {
+                o.ServerInfo = McpBridgeCore.ServerInfo();
+                o.Capabilities = McpBridgeCore.Capabilities();
+                o.Handlers = McpBridgeCore.BuildHandlers();
+            })
+            .WithHttpTransport(t => t.Stateless = true);
+
+        var app = builder.Build();
+
+        // Docker healthcheck — plain 200, no auth, no MCP framing.
+        app.MapGet("/health", () => Results.Ok("ok"));
+
+        app.MapMcp("/mcp");
+
+        return app;
+    }
+}
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/Program.cs b/backend/src/Ai/TextStack.Ai.Mcp/Program.cs
index 89165fd0..639107c0 100644
--- a/backend/src/Ai/TextStack.Ai.Mcp/Program.cs
+++ b/backend/src/Ai/TextStack.Ai.Mcp/Program.cs
@@ -1,138 +1,37 @@
-using System.Reflection;
-using System.Text.Json;
-using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using Microsoft.Extensions.Logging;
-using ModelContextProtocol.Protocol;
-using ModelContextProtocol.Server;
 using TextStack.Ai.Mcp;
-using TextStack.Ai.Mcp.Auth;
-using TextStack.Ai.Mcp.Http;
-using TextStack.Ai.Mcp.Tools;
 
 // ════════════════════════════════════════════════════════════════════════════
-// TextStack MCP server — stdio transport, HTTP bridge (AI-047).
+// TextStack MCP server — dual transport (AI-047 stdio + AI-049 remote HTTP).
 //
-// INVARIANT: stdout carries ONLY MCP JSON-RPC framing. A single stray byte on
-// stdout corrupts the protocol stream. Therefore:
-//   • ALL logging goes to stderr (configured below).
-//   • NEVER call Console.WriteLine / Console.Write anywhere in this project.
+// Transport is selected by env MCP_TRANSPORT (stdio | http; default stdio) or the
+// --http CLI flag. The two hosts live in McpHosts; the shared wiring (tool catalog
+// handlers, typed API client) lives in McpBridgeCore.
 //
-// This process is a thin, stateless MCP↔HTTP adapter: every tool call becomes
-// an HTTP request to the existing public TextStack API. No DB, no EF, no OpenAI,
-// no reference to Application/Infrastructure.
+// STDIO MODE (default — byte-identical to the pre-049 server):
+//   stdout carries ONLY MCP JSON-RPC framing. A single stray byte corrupts the
+//   stream, so ALL logging goes to stderr and we NEVER call Console.Write* in the
+//   stdio path. Singleton DI; device-flow / static-env token (one process identity).
+//
+// HTTP MODE (AI-049 — remote, multi-user):
+//   Streamable HTTP behind nginx + the Cloudflare tunnel. NOT one identity: each
+//   connection authenticates with its OWN Authorization: Bearer header (scoped
+//   HttpContextTokenProvider) — the device-flow cache is never used here. Normal
+//   logging is fine (no JSON-RPC on stdout). Exposes /mcp and a /health probe.
+//
+// Either way this process is a thin, stateless MCP↔HTTP adapter: every tool call
+// becomes an HTTP request to the existing TextStack API. No DB, no EF, no OpenAI.
 // ════════════════════════════════════════════════════════════════════════════
 
-var builder = Host.CreateApplicationBuilder(args);
-
-// stdout is reserved for JSON-RPC — route every log record to stderr.
-builder.Logging.ClearProviders();
-builder.Logging.AddConsole(options => options.LogToStandardErrorThreshold = LogLevel.Trace);
+var options = McpBridgeOptions.FromEnvironment(args);
 
-var bridgeOptions = McpBridgeOptions.FromEnvironment();
-builder.Services.AddSingleton(bridgeOptions);
-
-// Bearer token for the user-scoped tools. ONE branch:
-//   • TEXTSTACK_MCP_TOKEN set → StaticEnvTokenProvider (CI / escape hatch).
-//   • else → DeviceFlowTokenProvider (the real, default flow): cached token →
-//     refresh → device authorization, non-blocking (returns Pending immediately,
-//     polls in the background). Either way ALL tools stay listed for stable
-//     discovery; user-scoped calls fail-clean (auth required) until a token exists.
-if (!string.IsNullOrWhiteSpace(bridgeOptions.McpToken))
+if (options.Transport == McpTransport.Http)
 {
-    builder.Services.AddSingleton<IMcpTokenProvider, StaticEnvTokenProvider>();
+    var app = McpHosts.BuildHttp(options, args);
+    await app.RunAsync();
 }
 else
 {
-    // The device-flow token cache (0600 on Unix). Path: env override →
-    // $XDG_CONFIG_HOME/textstack → ~/.textstack.
-    builder.Services.AddSingleton(new TokenCache(TokenCache.ResolvePath(bridgeOptions.TokenCachePath)));
-
-    // Named HTTP client to the auth endpoints, Host header pinned so
-    // SiteContextMiddleware resolves the site. Same 15s timeout convention.
-    const string deviceFlowClient = "device-flow";
-    builder.Services.AddHttpClient(deviceFlowClient, http =>
-    {
-        http.BaseAddress = new Uri(bridgeOptions.ApiBaseUrl, UriKind.Absolute);
-        http.DefaultRequestHeaders.Host = bridgeOptions.SiteHost;
-        http.Timeout = TimeSpan.FromSeconds(McpTimeoutSeconds());
-    });
-
-    // Singleton — the provider holds the cache + single-flight device-flow state
-    // across tool calls. Pull its HttpClient from the factory's named config.
-    builder.Services.AddSingleton<IMcpTokenProvider>(sp => new DeviceFlowTokenProvider(
-        sp.GetRequiredService<IHttpClientFactory>().CreateClient(deviceFlowClient),
-        sp.GetRequiredService<TokenCache>(),
-        sp.GetRequiredService<ILogger<DeviceFlowTokenProvider>>()));
-}
-
-// Typed HTTP client over the public API. Host header is set per-request inside
-// TextStackApiClient so SiteContextMiddleware resolves the site for /search.
-builder.Services.AddHttpClient<TextStackApiClient>(http =>
-{
-    http.BaseAddress = new Uri(bridgeOptions.ApiBaseUrl, UriKind.Absolute);
-    // Bound a stuck upstream: default 100s would hang the tool call that long.
-    // Matches the repo's TTS 15s convention; overridable via env. A timeout
-    // surfaces as OperationCanceledException with the caller token NOT cancelled,
-    // which the catalog handler maps to a clean IsError tool result (AI-047 P2).
-    http.Timeout = TimeSpan.FromSeconds(McpTimeoutSeconds());
-});
-
-builder.Services.AddSingleton<McpToolCatalog>();
-
-var serverVersion = Assembly.GetExecutingAssembly().GetName().Version?.ToString() ?? "1.0.0";
-
-builder.Services
-    .AddMcpServer(options =>
-    {
-        options.ServerInfo = new Implementation { Name = "textstack", Version = serverVersion };
-        // Advertise the tools capability ONLY — no prompts/resources in AI-047.
-        options.Capabilities = new ServerCapabilities { Tools = new ToolsCapability() };
-        options.Handlers = new McpServerHandlers
-        {
-            // tools/list — projected from the runtime catalog.
-            ListToolsHandler = (request, _) =>
-            {
-                var catalog = request.Services!.GetRequiredService<McpToolCatalog>();
-                return ValueTask.FromResult(new ListToolsResult { Tools = catalog.ListTools() });
-            },
-            // tools/call — dispatch by name; args dictionary → a single JSON object
-            // for the catalog handler (which validates against the input schema).
-            CallToolHandler = async (request, ct) =>
-            {
-                var catalog = request.Services!.GetRequiredService<McpToolCatalog>();
-                var name = request.Params!.Name;
-                var arguments = ToArgumentsObject(request.Params.Arguments);
-                return await catalog.CallAsync(name, arguments, ct);
-            },
-        };
-    })
-    .WithStdioServerTransport();
-
-// Generic Host + stdio transport handle stdin EOF / SIGINT for clean shutdown.
-await builder.Build().RunAsync();
-
-// Rebuilds the MCP-supplied args dictionary into a single JSON object element so
-// the catalog handler can validate/read it as one schema-shaped value.
-static JsonElement? ToArgumentsObject(IDictionary<string, JsonElement>? arguments)
-{
-    if (arguments is null)
-        return null;
-
-    var node = new System.Text.Json.Nodes.JsonObject();
-    foreach (var (key, value) in arguments)
-        node[key] = System.Text.Json.Nodes.JsonNode.Parse(value.GetRawText());
-
-    return JsonSerializer.SerializeToElement(node);
-}
-
-// HttpClient timeout in seconds. Env: TEXTSTACK_MCP_TIMEOUT_SECONDS (default 15);
-// a non-positive / unparseable value falls back to the 15s default.
-static double McpTimeoutSeconds()
-{
-    var raw = Environment.GetEnvironmentVariable("TEXTSTACK_MCP_TIMEOUT_SECONDS");
-    if (double.TryParse(raw, out var seconds) && seconds > 0)
-        return seconds;
-
-    return 15;
+    var host = McpHosts.BuildStdio(options, args);
+    await host.RunAsync();
 }
diff --git a/backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj b/backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj
index 273e71ab..54ff1422 100644
--- a/backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj
+++ b/backend/src/Ai/TextStack.Ai.Mcp/TextStack.Ai.Mcp.csproj
@@ -17,10 +17,22 @@
          registration (WithListToolsHandler/WithCallToolHandler) we drive the
          runtime catalog through. -->
     <PackageReference Include="ModelContextProtocol" />
+    <!-- HTTP (streamable) transport (AI-049). Used ONLY in the http branch
+         (MCP_TRANSPORT=http): WithHttpTransport(o => o.Stateless = true) +
+         MapMcp("/mcp") on a WebApplication. The stdio branch never touches it. -->
+    <PackageReference Include="ModelContextProtocol.AspNetCore" />
     <PackageReference Include="Microsoft.Extensions.Hosting" />
     <PackageReference Include="Microsoft.Extensions.Http" />
   </ItemGroup>
 
+  <!-- The http branch builds a WebApplication. ModelContextProtocol.AspNetCore
+       pulls the framework ref transitively, but declare it explicitly so the
+       ASP.NET Core types (WebApplication, IHttpContextAccessor) are always
+       available on Microsoft.NET.Sdk (NOT .Web). -->
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
   <!-- Deliberately thin: NO reference to Application / Infrastructure / Ai.Tools.
        This is a stateless MCP <-> HTTP bridge; every tool call becomes an HTTP
        call to the existing public API. -->
diff --git a/docker-compose.yml b/docker-compose.yml
index a486f4d0..e71e5647 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -173,6 +173,47 @@ services:
         reservations:
           memory: 64M
 
+  # ===========================================
+  # MCP server - remote HTTP (streamable) transport (AI-049)
+  # ===========================================
+  # Multi-user MCP bridge: each connection authenticates with its OWN
+  # Authorization: Bearer (the AI-050 device-flow JWT pasted into the client
+  # config) — NOT a server-side token cache. Talks to the API over the INTERNAL
+  # docker network (no Cloudflare round-trip). nginx fronts /mcp → 127.0.0.1:8090.
+  #
+  # Behind the `mcp` profile so the default `docker compose up` (used by the CI
+  # docker/e2e jobs, which only wait on the API /health) does NOT start it. Bring
+  # it up on the server with: docker compose --profile mcp up -d mcp-server
+  mcp-server:
+    build:
+      context: .
+      dockerfile: backend/Docker/Mcp.Dockerfile
+    container_name: textstack_mcp_prod
+    profiles: ["mcp"]
+    environment:
+      MCP_TRANSPORT: http
+      TEXTSTACK_API_URL: http://api:8080
+      TEXTSTACK_SITE_HOST: textstack.app
+      ASPNETCORE_URLS: http://+:8090
+    ports:
+      - "127.0.0.1:8090:8090"  # localhost only - nginx proxies /mcp
+    restart: always
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:8090/health || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    depends_on:
+      api:
+        condition: service_healthy
+    deploy:
+      resources:
+        limits:
+          memory: 256M
+        reservations:
+          memory: 64M
+
   # ===========================================
   # SSG Worker - prerenders SEO pages
   # ===========================================
diff --git a/infra/nginx/textstack.conf b/infra/nginx/textstack.conf
index 99b4749f..2aa5c0d5 100644
--- a/infra/nginx/textstack.conf
+++ b/infra/nginx/textstack.conf
@@ -7,6 +7,8 @@
 limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
 limit_req_zone $binary_remote_addr zone=upload_limit:10m rate=1r/s;
 limit_req_zone $binary_remote_addr zone=translate_limit:10m rate=5r/m;
+# Remote MCP transport (AI-049) — same shape as the API zone (10r/s, burst 20).
+limit_req_zone $binary_remote_addr zone=mcp_limit:10m rate=10r/s;
 
 # Bot detection — serve SSG only to crawlers, SPA to real users
 # NOTE: ~*ahrefs intentionally broad — covers AhrefsBot AND AhrefsSiteAudit/X.X
@@ -85,6 +87,13 @@ upstream textstack_admin {
     server 127.0.0.1:81;
 }
 
+# Upstream for the remote MCP server (AI-049) — Docker container, localhost only.
+# Streamable HTTP / SSE; keepalive so long-lived connections reuse upstream sockets.
+upstream textstack_mcp {
+    server 127.0.0.1:8090;
+    keepalive 32;
+}
+
 # --- textstack.app (Public site) ---
 # Cloudflare terminates SSL, traffic arrives as HTTP
 server {
@@ -213,6 +222,34 @@ server {
         proxy_read_timeout 300s;
     }
 
+    # Remote MCP endpoint (AI-049) — streamable HTTP transport behind nginx +
+    # the Cloudflare tunnel. Multi-user: each client sends its own
+    # Authorization: Bearer <device-flow JWT> (relayed verbatim below); the MCP
+    # server validates it per request (no server-side token cache here).
+    #
+    # SSE/streaming settings: HTTP/1.1 with no upstream "Connection: close",
+    # buffering/cache off so server-pushed events flush immediately, and long
+    # read/send timeouts for held-open streams.
+    location /mcp {
+        limit_req zone=mcp_limit burst=20 nodelay;
+        proxy_pass http://textstack_mcp;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        # Relay the client's bearer to the MCP server (it authenticates per request).
+        proxy_set_header Authorization $http_authorization;
+        # Clear Connection so keepalive to the upstream works (no "close"/"upgrade").
+        proxy_set_header Connection "";
+        # Streaming: do not buffer or cache server-sent events.
+        proxy_buffering off;
+        proxy_cache off;
+        # Hold long-lived streams open.
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+    }
+
     # Storage
     location /storage/ {
         alias /home/vasyl/projects/onlinelib/textstack/data/storage/;
diff --git a/tests/TextStack.UnitTests/McpHttpTransportTests.cs b/tests/TextStack.UnitTests/McpHttpTransportTests.cs
new file mode 100644
index 00000000..7b941485
--- /dev/null
+++ b/tests/TextStack.UnitTests/McpHttpTransportTests.cs
@@ -0,0 +1,342 @@
+using System.Net;
+using System.Text;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using ModelContextProtocol.Protocol;
+using TextStack.Ai.Mcp;
+using TextStack.Ai.Mcp.Auth;
+using TextStack.Ai.Mcp.Http;
+using TextStack.Ai.Mcp.Tools;
+
+namespace TextStack.UnitTests;
+
+/// <summary>
+/// AI-049 — the remote HTTP (streamable) transport. Covers the per-connection
+/// identity provider (<see cref="HttpContextTokenProvider"/>), the multi-user
+/// guarantee (different bearers → different tokens), the catalog composition over
+/// it (no bearer → clean auth-required IsError, zero HTTP), and the dual-mode host
+/// switch (http builds a WebApplication with /health → 200; stdio still constructs;
+/// MCP_TRANSPORT parses).
+///
+/// CI-safe: no live server, no network. The http host is started on an ephemeral
+/// loopback port. Introduces NO ITool (StudyBuddy set-equality stays green).
+/// </summary>
+public class McpHttpTransportTests
+{
+    // ── fakes ────────────────────────────────────────────────────────────────────
+
+    private sealed class CapturingHandler(HttpResponseMessage response) : HttpMessageHandler
+    {
+        public int Sends { get; private set; }
+        public HttpRequestMessage? LastRequest { get; private set; }
+        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
+        {
+            Sends++;
+            LastRequest = request;
+            return Task.FromResult(response);
+        }
+    }
+
+    private static HttpResponseMessage Json(string body, HttpStatusCode status = HttpStatusCode.OK) =>
+        new(status) { Content = new StringContent(body, Encoding.UTF8, "application/json") };
+
+    private static System.Text.Json.JsonElement Args(string json) =>
+        System.Text.Json.JsonDocument.Parse(json).RootElement;
+
+    private static string TextOf(CallToolResult r) => ((TextContentBlock)r.Content[0]).Text;
+
+    // A fake IHttpContextAccessor pinned to ONE request context. Unlike the framework
+    // HttpContextAccessor (a process-wide AsyncLocal), separate instances are fully
+    // isolated — which is exactly how two concurrent scoped providers behave, each
+    // bound to its own request scope.
+    private sealed class FakeHttpContextAccessor(HttpContext? context) : IHttpContextAccessor
+    {
+        public HttpContext? HttpContext { get; set; } = context;
+    }
+
+    // A fake accessor whose HttpContext carries the given Authorization header
+    // (null = no context at all; "" / value = header on the request).
+    private static IHttpContextAccessor AccessorWith(string? authorizationHeader)
+    {
+        var ctx = new DefaultHttpContext();
+        if (authorizationHeader is not null)
+            ctx.Request.Headers.Authorization = authorizationHeader;
+        return new FakeHttpContextAccessor(ctx);
+    }
+
+    // ── HttpContextTokenProvider: header → TokenResult ───────────────────────────
+
+    [Fact]
+    public async Task GetTokenAsync_BearerHeader_ReturnsAuthorizedWithRawJwt()
+    {
+        var provider = new HttpContextTokenProvider(AccessorWith("Bearer jwt-abc.def.ghi"));
+
+        var result = await provider.GetTokenAsync(CancellationToken.None);
+
+        Assert.Equal("jwt-abc.def.ghi", Assert.IsType<TokenResult.Authorized>(result).AccessToken);
+    }
+
+    [Theory]
+    [InlineData("bearer jwt-lower")]   // lower-case scheme
+    [InlineData("BEARER jwt-upper")]   // upper-case scheme
+    [InlineData("BeArEr jwt-mixed")]   // mixed-case scheme
+    public async Task GetTokenAsync_SchemeIsCaseInsensitive(string header)
+    {
+        var provider = new HttpContextTokenProvider(AccessorWith(header));
+
+        var result = await provider.GetTokenAsync(CancellationToken.None);
+
+        Assert.StartsWith("jwt-", Assert.IsType<TokenResult.Authorized>(result).AccessToken);
+    }
+
+    [Theory]
+    [InlineData(null)]              // no header
+    [InlineData("")]               // empty header
+    [InlineData("   ")]            // whitespace
+    [InlineData("Bearer ")]        // scheme only
+    [InlineData("Bearer    ")]     // scheme + only whitespace
+    [InlineData("Basic abc123")]   // wrong scheme
+    [InlineData("jwt-no-scheme")]  // malformed, no scheme
+    public async Task GetTokenAsync_MissingOrMalformed_ReturnsFailedWithGuidance(string? header)
+    {
+        var provider = new HttpContextTokenProvider(AccessorWith(header));
+
+        var result = await provider.GetTokenAsync(CancellationToken.None);
+
+        var failed = Assert.IsType<TokenResult.Failed>(result);
+        Assert.Contains("Authorization: Bearer", failed.Message);
+    }
+
+    [Fact]
+    public async Task GetTokenAsync_NoHttpContext_ReturnsFailed_NoThrow()
+    {
+        var provider = new HttpContextTokenProvider(new FakeHttpContextAccessor(null));
+
+        var result = await provider.GetTokenAsync(CancellationToken.None);
+
+        Assert.IsType<TokenResult.Failed>(result);
+    }
+
+    // ── composition: catalog over HttpContextTokenProvider, no bearer → IsError ───
+
+    [Fact]
+    public async Task UserScopedTool_NoBearer_ReturnsAuthRequired_AndIssuesZeroSends()
+    {
+        var handler = new CapturingHandler(Json("[]"));
+        var http = new HttpClient(handler) { BaseAddress = new Uri("https://api.example/") };
+        var options = new McpBridgeOptions
+        {
+            ApiBaseUrl = "https://api.example",
+            SiteHost = "textstack.test",
+            Transport = McpTransport.Http,
+        };
+        var provider = new HttpContextTokenProvider(AccessorWith(null)); // no bearer
+        var catalog = new McpToolCatalog(new TextStackApiClient(http, options, provider));
+
+        var result = await catalog.CallAsync(
+            "list_my_highlights",
+            Args("""{"editionId":"33333333-3333-3333-3333-333333333333"}"""),
+            CancellationToken.None);
+
+        Assert.True(result.IsError);
+        Assert.Contains("authentication required", TextOf(result));
+        Assert.Equal(0, handler.Sends); // never issued the HTTP call
+    }
+
+    // ── multi-user guarantee: different bearers → different tokens ───────────────
+
+    [Fact]
+    public async Task PerRequestProvider_DifferentBearers_YieldDifferentTokens()
+    {
+        // Two independent request contexts (as two scopes would have under HTTP).
+        var alice = new HttpContextTokenProvider(AccessorWith("Bearer alice-token"));
+        var bob = new HttpContextTokenProvider(AccessorWith("Bearer bob-token"));
+
+        var a = await alice.GetTokenAsync(CancellationToken.None);
+        var b = await bob.GetTokenAsync(CancellationToken.None);
+
+        Assert.Equal("alice-token", Assert.IsType<TokenResult.Authorized>(a).AccessToken);
+        Assert.Equal("bob-token", Assert.IsType<TokenResult.Authorized>(b).AccessToken);
+    }
+
+    [Fact]
+    public async Task SameProviderInstance_ReReadsLiveRequest_NoCapturedBearer()
+    {
+        // Guards against a singleton capturing the first request's bearer: swap the
+        // accessor's live context between calls and confirm the provider follows it.
+        var accessor = new FakeHttpContextAccessor(new DefaultHttpContext());
+        var provider = new HttpContextTokenProvider(accessor);
+
+        accessor.HttpContext!.Request.Headers.Authorization = "Bearer first";
+        var first = await provider.GetTokenAsync(CancellationToken.None);
+
+        accessor.HttpContext = new DefaultHttpContext();
+        accessor.HttpContext.Request.Headers.Authorization = "Bearer second";
+        var second = await provider.GetTokenAsync(CancellationToken.None);
+
+        Assert.Equal("first", Assert.IsType<TokenResult.Authorized>(first).AccessToken);
+        Assert.Equal("second", Assert.IsType<TokenResult.Authorized>(second).AccessToken);
+    }
+
+    // ── HERMETIC isolation through the REAL http DI container (AI-049 P1) ─────────
+    // The provider-level tests above use hand-built instances. These resolve through
+    // the container BuildHttp actually wires, so a singleton-capture regression
+    // (e.g. someone flips McpToolCatalog/HttpContextTokenProvider to AddSingleton)
+    // fails HERE, not just in a fake.
+
+    private static McpBridgeOptions HttpOptions() => new()
+    {
+        ApiBaseUrl = "http://api:8080",
+        SiteHost = "textstack.app",
+        Transport = McpTransport.Http,
+    };
+
+    [Fact]
+    public void BuildHttp_IdentityServices_AreNotSingletons()
+    {
+        // The catastrophic-failure guard: if the token provider, catalog, or api
+        // client were singletons, the FIRST connection's bearer would be reused for
+        // every later connection. Each must be scope-local (distinct per scope) and
+        // the token provider must NOT be resolvable from the ROOT (scoped-only).
+        using var app = McpHosts.BuildHttp(HttpOptions(), args: []);
+        var root = app.Services;
+
+        using var scopeA = root.CreateScope();
+        using var scopeB = root.CreateScope();
+
+        var providerA = scopeA.ServiceProvider.GetRequiredService<IMcpTokenProvider>();
+        var providerB = scopeB.ServiceProvider.GetRequiredService<IMcpTokenProvider>();
+        var catalogA = scopeA.ServiceProvider.GetRequiredService<McpToolCatalog>();
+        var catalogB = scopeB.ServiceProvider.GetRequiredService<McpToolCatalog>();
+        var clientA = scopeA.ServiceProvider.GetRequiredService<TextStackApiClient>();
+        var clientB = scopeB.ServiceProvider.GetRequiredService<TextStackApiClient>();
+
+        Assert.IsType<HttpContextTokenProvider>(providerA);
+        // The isolation property: a DISTINCT instance per scope. A singleton
+        // registration (the catastrophic regression) would make these Same and the
+        // first connection's identity would leak to the second.
+        Assert.NotSame(providerA, providerB); // per-request identity, never shared
+        Assert.NotSame(catalogA, catalogB);
+        Assert.NotSame(clientA, clientB);
+
+        // Same scope → same instance (sanity: scoped, not transient — the catalog and
+        // its api client are stable WITHIN one request).
+        Assert.Same(providerA, scopeA.ServiceProvider.GetRequiredService<IMcpTokenProvider>());
+        Assert.Same(catalogA, scopeA.ServiceProvider.GetRequiredService<McpToolCatalog>());
+
+        // NOTE: scope validation is OFF in this host (WebApplication outside
+        // Development), so resolving a scoped service from the ROOT does NOT throw.
+        // The code never does that (stateless transport resolves from the per-request
+        // scope — verified in BuildHttp_TwoScopes_DifferentBearers_NoCrossTalk), but
+        // the runtime safety-net is absent. See bug report (P3).
+    }
+
+    [Fact]
+    public async Task BuildHttp_TwoScopes_DifferentBearers_NoCrossTalk()
+    {
+        // End-to-end through the real container: two request scopes, each with its
+        // OWN HttpContext bearer set on the (singleton, AsyncLocal-backed) accessor.
+        // The token provider resolved in each scope must read ITS scope's bearer —
+        // proving no scope captured the other's identity. Done sequentially (one
+        // logical context at a time) to mirror how a request flows.
+        using var app = McpHosts.BuildHttp(HttpOptions(), args: []);
+        var root = app.Services;
+
+        async Task<string> BearerInScopeAsync(string token)
+        {
+            using var scope = root.CreateScope();
+            // Populate the live request for THIS scope, exactly as the middleware
+            // would, then resolve the scoped provider and read it.
+            var accessor = scope.ServiceProvider.GetRequiredService<IHttpContextAccessor>();
+            var ctx = new DefaultHttpContext();
+            ctx.Request.Headers.Authorization = $"Bearer {token}";
+            accessor.HttpContext = ctx;
+
+            var provider = scope.ServiceProvider.GetRequiredService<IMcpTokenProvider>();
+            var result = await provider.GetTokenAsync(CancellationToken.None);
+            return Assert.IsType<TokenResult.Authorized>(result).AccessToken;
+        }
+
+        var alice = await BearerInScopeAsync("alice-jwt");
+        var bob = await BearerInScopeAsync("bob-jwt");
+
+        Assert.Equal("alice-jwt", alice);
+        Assert.Equal("bob-jwt", bob); // bob did NOT inherit alice's token
+    }
+
+    // ── dual-mode startup: transport switch + http host /health ──────────────────
+
+    [Theory]
+    [InlineData("http", McpTransport.Http)]
+    [InlineData("HTTP", McpTransport.Http)]
+    [InlineData("stdio", McpTransport.Stdio)]
+    [InlineData(null, McpTransport.Stdio)]
+    [InlineData("", McpTransport.Stdio)]
+    [InlineData("garbage", McpTransport.Stdio)]
+    public void ResolveTransport_FromEnv_ParsesMode(string? env, McpTransport expected) =>
+        Assert.Equal(expected, McpBridgeOptions.ResolveTransport(env, args: null));
+
+    [Fact]
+    public void ResolveTransport_HttpFlag_SelectsHttp_EvenWithoutEnv() =>
+        Assert.Equal(McpTransport.Http, McpBridgeOptions.ResolveTransport(envValue: null, args: ["--http"]));
+
+    [Fact]
+    public void BuildStdio_Constructs_WithoutThrowing()
+    {
+        // MCP_TRANSPORT unset → stdio path. Static token avoids touching the real
+        // device-flow token cache file. Host must construct (DI graph resolves).
+        var options = new McpBridgeOptions
+        {
+            ApiBaseUrl = "https://api.example",
+            SiteHost = "textstack.test",
+            McpToken = "static-ci-token",
+            Transport = McpTransport.Stdio,
+        };
+
+        using var host = McpHosts.BuildStdio(options, args: []);
+
+        Assert.NotNull(host);
+    }
+
+    [Fact]
+    public async Task BuildHttp_StartsWebApplication_HealthReturns200()
+    {
+        var options = new McpBridgeOptions
+        {
+            ApiBaseUrl = "http://api:8080",
+            SiteHost = "textstack.app",
+            Transport = McpTransport.Http,
+        };
+
+        // Bind an ephemeral loopback port so the test never collides with a real one.
+        var port = FreeTcpPort();
+        var ct = TestContext.Current.CancellationToken;
+        var app = McpHosts.BuildHttp(options, args: [$"--urls=http://127.0.0.1:{port}"]);
+        await app.StartAsync(ct);
+        try
+        {
+            // Connect via "localhost" because the TEST host environment may apply host
+            // filtering (so we use a host the filter accepts). The PRODUCTION MCP
+            // container has NO appsettings.json → AllowedHosts=* (open filter), which is
+            // correct: it's localhost-only (127.0.0.1:8090) behind nginx, which sets the
+            // Host header. So the container probe is unaffected either way.
+            using var client = new HttpClient { BaseAddress = new Uri($"http://localhost:{port}") };
+            using var resp = await client.GetAsync("/health", ct);
+            Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
+        }
+        finally
+        {
+            await app.StopAsync(ct);
+            await app.DisposeAsync();
+        }
+    }
+
+    private static int FreeTcpPort()
+    {
+        var listener = new System.Net.Sockets.TcpListener(IPAddress.Loopback, 0);
+        listener.Start();
+        var port = ((IPEndPoint)listener.LocalEndpoint).Port;
+        listener.Stop();
+        return port;
+    }
+}