diff --git a/Directory.Packages.props b/Directory.Packages.props
index 112fc8a..6e7172f 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -74,6 +74,7 @@
     <PackageVersion Include="Reqnroll.xUnit" Version="3.0.0" />
     <PackageVersion Include="Reqnroll.Tools.MsBuild.Generation" Version="3.0.0" />
     <PackageVersion Include="Handlebars.Net" Version="2.1.6" />
+    <PackageVersion Include="QRCoder" Version="1.6.0" />
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.7.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="9.0.0" />
     <PackageVersion Include="Duende.IdentityServer" Version="7.4.7" />
diff --git a/src/McpServer.Support.Mcp/McpServer.Support.Mcp.csproj b/src/McpServer.Support.Mcp/McpServer.Support.Mcp.csproj
index 285caa2..fcaf3a8 100644
--- a/src/McpServer.Support.Mcp/McpServer.Support.Mcp.csproj
+++ b/src/McpServer.Support.Mcp/McpServer.Support.Mcp.csproj
@@ -49,6 +49,7 @@
     <PackageReference Include="Microsoft.ML.OnnxRuntime" />
     <PackageReference Include="HNSWIndex" />
     <PackageReference Include="Handlebars.Net" />
+    <PackageReference Include="QRCoder" />
     <ProjectReference Include="..\McpServer.ServiceDefaults\McpServer.ServiceDefaults.csproj" />
     <ProjectReference Include="..\McpServer.Common.Copilot\McpServer.Common.Copilot.csproj" />
     <ProjectReference Include="..\McpServer.Storage\McpServer.Storage.csproj" />
diff --git a/src/McpServer.Support.Mcp/Program.cs b/src/McpServer.Support.Mcp/Program.cs
index b72481c..e9346dd 100644
--- a/src/McpServer.Support.Mcp/Program.cs
+++ b/src/McpServer.Support.Mcp/Program.cs
@@ -738,6 +738,55 @@ await pairingRenderer.RenderLoginPageAsync("Invalid username or password.").Conf
     return Results.Content(await pairingRenderer.RenderKeyPageAsync(o.ApiKey, serverUrl).ConfigureAwait(false), "text/html");
 }).ExcludeFromDescription();
 
+app.MapGet("/pair/qr", async (HttpContext context, IOptions<PairingOptions> opts, PairingSessionService sessions,
+    TunnelRegistry tunnelRegistry, IOptions<IdentityServerOptions> idsOpts, IOptions<OidcAuthOptions> oidcOpts) =>
+{
+    var token = context.Request.Cookies["mcp_pair"];
+    if (!sessions.Validate(token))
+        return Results.Redirect("/pair");
+
+    // Prefer the tunnel public URL so mobile devices can reach the server externally
+    string? baseUrl = null;
+    var tunnels = await tunnelRegistry.ListAsync(context.RequestAborted).ConfigureAwait(false);
+    var activeTunnel = tunnels.FirstOrDefault(t => t.IsRunning && !string.IsNullOrEmpty(t.PublicUrl));
+    if (activeTunnel is not null)
+    {
+        baseUrl = activeTunnel.PublicUrl!.TrimEnd('/');
+    }
+
+    baseUrl ??= $"{context.Request.Scheme}://{context.Request.Host}";
+
+    // When a tunnel is active, point to the identity server proxy login page
+    string loginUrl;
+    var ids = idsOpts.Value;
+    var oidc = oidcOpts.Value;
+    if (activeTunnel is not null && oidc.Enabled)
+    {
+        // External Keycloak: proxy login page through the tunnel
+        var authority = oidc.Authority.TrimEnd('/');
+        if (Uri.TryCreate(authority, UriKind.Absolute, out var authorityUri))
+        {
+            loginUrl = $"{baseUrl}/auth/ui{authorityUri.AbsolutePath}";
+        }
+        else
+        {
+            loginUrl = $"{baseUrl}/pair";
+        }
+    }
+    else if (activeTunnel is not null && ids.Enabled)
+    {
+        // Embedded IdentityServer: login page is served by the MCP server itself via tunnel
+        loginUrl = $"{baseUrl}/pair";
+    }
+    else
+    {
+        loginUrl = $"{baseUrl}/pair";
+    }
+
+    var svg = PairingQrCode.GenerateSvg(loginUrl);
+    return Results.Content(svg, "image/svg+xml");
+}).ExcludeFromDescription();
+
 // Seed IdentityServer defaults (admin user, roles) on first run
 if (identityServerOptions is { Enabled: true, SeedDefaults: true })
 {
diff --git a/src/McpServer.Support.Mcp/Web/PairingHtml.cs b/src/McpServer.Support.Mcp/Web/PairingHtml.cs
index 0fdd04b..1514a25 100644
--- a/src/McpServer.Support.Mcp/Web/PairingHtml.cs
+++ b/src/McpServer.Support.Mcp/Web/PairingHtml.cs
@@ -1,141 +1,148 @@
-using System.Net;
-
-namespace McpServer.Support.Mcp.Web;
-
-/// <summary>
-/// Inline HTML templates for the <c>/pair</c> web login flow.
-/// Users authenticate with a configured username/password to view the server API key.
-/// </summary>
-internal static class PairingHtml
-{
-    /// <summary>Renders the login form. Shows an error banner when <paramref name="errorMessage"/> is not empty.</summary>
-    public static string LoginPage(string? errorMessage = null)
-    {
-        var errorBanner = string.IsNullOrWhiteSpace(errorMessage)
-            ? string.Empty
-            : $"<div style='background:#fee;color:#c00;padding:10px 16px;border-radius:6px;margin-bottom:16px;border:1px solid #fcc'>{WebUtility.HtmlEncode(errorMessage)}</div>";
-
-        return $$"""
-        <!DOCTYPE html>
-        <html lang="en">
-        <head>
-          <meta charset="utf-8"/>
-          <meta name="viewport" content="width=device-width,initial-scale=1"/>
-          <title>MCP Server — Pair</title>
-          <style>
-            *{box-sizing:border-box;margin:0;padding:0}
-            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
-            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:380px}
-            h1{font-size:1.3rem;margin-bottom:4px;color:#111}
-            .sub{font-size:.85rem;color:#666;margin-bottom:20px}
-            label{display:block;font-size:.85rem;font-weight:600;margin-bottom:4px;color:#333}
-            input[type=text],input[type=password]{width:100%;padding:10px 12px;border:1px solid #ddd;border-radius:6px;font-size:.95rem;margin-bottom:14px}
-            input:focus{outline:none;border-color:#0969da;box-shadow:0 0 0 3px rgba(9,105,218,.15)}
-            button{width:100%;padding:10px;background:#0969da;color:#fff;border:none;border-radius:6px;font-size:.95rem;font-weight:600;cursor:pointer}
-            button:hover{background:#0860c4}
-          </style>
-        </head>
-        <body>
-          <div class="card">
-            <h1>🔗 MCP Server Pairing</h1>
-            <p class="sub">Sign in to view your API key.</p>
-            {{errorBanner}}
-            <form method="post" action="/pair">
-              <label for="username">Username</label>
-              <input type="text" id="username" name="username" autocomplete="username" required autofocus/>
-              <label for="password">Password</label>
-              <input type="password" id="password" name="password" autocomplete="current-password" required/>
-              <button type="submit">Sign In</button>
-            </form>
-          </div>
-        </body>
-        </html>
-        """;
-    }
-
-    /// <summary>Renders the API key display page.</summary>
-    public static string KeyPage(string apiKey, string serverUrl)
-    {
-        return $$"""
-        <!DOCTYPE html>
-        <html lang="en">
-        <head>
-          <meta charset="utf-8"/>
-          <meta name="viewport" content="width=device-width,initial-scale=1"/>
-          <title>MCP Server — API Key</title>
-          <style>
-            *{box-sizing:border-box;margin:0;padding:0}
-            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
-            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:480px}
-            h1{font-size:1.3rem;margin-bottom:4px;color:#111}
-            .sub{font-size:.85rem;color:#666;margin-bottom:20px}
-            .key-box{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px 16px;font-family:'Cascadia Code','Fira Code',monospace;font-size:.95rem;word-break:break-all;margin-bottom:16px;position:relative}
-            .copy-btn{position:absolute;top:8px;right:8px;background:#0969da;color:#fff;border:none;border-radius:4px;padding:4px 10px;font-size:.8rem;cursor:pointer}
-            .copy-btn:hover{background:#0860c4}
-            .section{margin-bottom:20px}
-            .section h2{font-size:1rem;margin-bottom:8px;color:#333}
-            pre{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px 16px;font-size:.82rem;overflow-x:auto;line-height:1.5}
-            .warn{font-size:.8rem;color:#888;margin-top:12px}
-          </style>
-        </head>
-        <body>
-          <div class="card">
-            <h1>🔑 Your API Key</h1>
-            <p class="sub">Use this key to authenticate mutating API calls.</p>
-            <div class="key-box">
-              <span id="key">{{apiKey}}</span>
-              <button class="copy-btn" onclick="navigator.clipboard.writeText(document.getElementById('key').textContent)">Copy</button>
-            </div>
-            <div class="section">
-              <h2>MCP Client Config</h2>
-              <pre>{
-          "mcpServers": {
-            "mcp-server": {
-              "url": "{{serverUrl}}/mcp-transport"
-            }
-          }
-        }</pre>
-            </div>
-            <div class="section">
-              <h2>cURL Example</h2>
-              <pre>curl {{serverUrl}}/mcpserver/workspace \
-          -H "X-Api-Key: {{apiKey}}"</pre>
-            </div>
-            <p class="warn">Keep this key secret. It grants write access to workspace and tool endpoints.</p>
-          </div>
-        </body>
-        </html>
-        """;
-    }
-
-    /// <summary>Renders a page shown when pairing is not configured.</summary>
-    public static string NotConfiguredPage()
-    {
-        return """
-        <!DOCTYPE html>
-        <html lang="en">
-        <head>
-          <meta charset="utf-8"/>
-          <meta name="viewport" content="width=device-width,initial-scale=1"/>
-          <title>MCP Server — Pairing Not Configured</title>
-          <style>
-            *{box-sizing:border-box;margin:0;padding:0}
-            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
-            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:380px;text-align:center}
-            h1{font-size:1.3rem;margin-bottom:12px;color:#111}
-            p{color:#666;font-size:.9rem;line-height:1.5}
-            code{background:#f6f8fa;padding:2px 6px;border-radius:4px;font-size:.85rem}
-          </style>
-        </head>
-        <body>
-          <div class="card">
-            <h1>⚠️ Pairing Not Configured</h1>
-            <p>To enable the pairing page, add one or more users to
-            <code>Mcp:PairingUsers</code> in your configuration and set
-            <code>Mcp:ApiKey</code> to a non-empty value.</p>
-          </div>
-        </body>
-        </html>
-        """;
-    }
-}
+using System.Net;
+
+namespace McpServer.Support.Mcp.Web;
+
+/// <summary>
+/// Inline HTML templates for the <c>/pair</c> web login flow.
+/// Users authenticate with a configured username/password to view the server API key.
+/// </summary>
+internal static class PairingHtml
+{
+    /// <summary>Renders the login form. Shows an error banner when <paramref name="errorMessage"/> is not empty.</summary>
+    public static string LoginPage(string? errorMessage = null)
+    {
+        var errorBanner = string.IsNullOrWhiteSpace(errorMessage)
+            ? string.Empty
+            : $"<div style='background:#fee;color:#c00;padding:10px 16px;border-radius:6px;margin-bottom:16px;border:1px solid #fcc'>{WebUtility.HtmlEncode(errorMessage)}</div>";
+
+        return $$"""
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="utf-8"/>
+          <meta name="viewport" content="width=device-width,initial-scale=1"/>
+          <title>MCP Server — Pair</title>
+          <style>
+            *{box-sizing:border-box;margin:0;padding:0}
+            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
+            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:380px}
+            h1{font-size:1.3rem;margin-bottom:4px;color:#111}
+            .sub{font-size:.85rem;color:#666;margin-bottom:20px}
+            label{display:block;font-size:.85rem;font-weight:600;margin-bottom:4px;color:#333}
+            input[type=text],input[type=password]{width:100%;padding:10px 12px;border:1px solid #ddd;border-radius:6px;font-size:.95rem;margin-bottom:14px}
+            input:focus{outline:none;border-color:#0969da;box-shadow:0 0 0 3px rgba(9,105,218,.15)}
+            button{width:100%;padding:10px;background:#0969da;color:#fff;border:none;border-radius:6px;font-size:.95rem;font-weight:600;cursor:pointer}
+            button:hover{background:#0860c4}
+          </style>
+        </head>
+        <body>
+          <div class="card">
+            <h1>🔗 MCP Server Pairing</h1>
+            <p class="sub">Sign in to view your API key.</p>
+            {{errorBanner}}
+            <form method="post" action="/pair">
+              <label for="username">Username</label>
+              <input type="text" id="username" name="username" autocomplete="username" required autofocus/>
+              <label for="password">Password</label>
+              <input type="password" id="password" name="password" autocomplete="current-password" required/>
+              <button type="submit">Sign In</button>
+            </form>
+          </div>
+        </body>
+        </html>
+        """;
+    }
+
+    /// <summary>Renders the API key display page.</summary>
+    public static string KeyPage(string apiKey, string serverUrl)
+    {
+        return $$"""
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="utf-8"/>
+          <meta name="viewport" content="width=device-width,initial-scale=1"/>
+          <title>MCP Server — API Key</title>
+          <style>
+            *{box-sizing:border-box;margin:0;padding:0}
+            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
+            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:480px}
+            h1{font-size:1.3rem;margin-bottom:4px;color:#111}
+            .sub{font-size:.85rem;color:#666;margin-bottom:20px}
+            .key-box{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px 16px;font-family:'Cascadia Code','Fira Code',monospace;font-size:.95rem;word-break:break-all;margin-bottom:16px;position:relative}
+            .copy-btn{position:absolute;top:8px;right:8px;background:#0969da;color:#fff;border:none;border-radius:4px;padding:4px 10px;font-size:.8rem;cursor:pointer}
+            .copy-btn:hover{background:#0860c4}
+            .qr-section{text-align:center;margin-bottom:20px}
+            .qr-section h2{font-size:1rem;margin-bottom:12px;color:#333}
+            .qr-section img{display:inline-block;padding:12px;background:#fff;border:1px solid #d0d7de;border-radius:8px;width:256px;height:256px}
+            .section{margin-bottom:20px}
+            .section h2{font-size:1rem;margin-bottom:8px;color:#333}
+            pre{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px 16px;font-size:.82rem;overflow-x:auto;line-height:1.5}
+            .warn{font-size:.8rem;color:#888;margin-top:12px}
+          </style>
+        </head>
+        <body>
+          <div class="card">
+            <h1>🔑 Your API Key</h1>
+            <p class="sub">Scan the QR code with the MCP Server mobile app, or copy the key below.</p>
+            <div class="qr-section">
+              <h2>📱 Scan to Pair</h2>
+              <img src="/pair/qr" alt="QR code for pairing"/>
+            </div>
+            <div class="key-box">
+              <span id="key">{{apiKey}}</span>
+              <button class="copy-btn" onclick="navigator.clipboard.writeText(document.getElementById('key').textContent)">Copy</button>
+            </div>
+            <div class="section">
+              <h2>MCP Client Config</h2>
+              <pre>{
+          "mcpServers": {
+            "mcp-server": {
+              "url": "{{serverUrl}}/mcp-transport"
+            }
+          }
+        }</pre>
+            </div>
+            <div class="section">
+              <h2>cURL Example</h2>
+              <pre>curl {{serverUrl}}/mcpserver/workspace \
+          -H "X-Api-Key: {{apiKey}}"</pre>
+            </div>
+            <p class="warn">Keep this key secret. It grants write access to workspace and tool endpoints.</p>
+          </div>
+        </body>
+        </html>
+        """;
+    }
+
+    /// <summary>Renders a page shown when pairing is not configured.</summary>
+    public static string NotConfiguredPage()
+    {
+        return """
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+          <meta charset="utf-8"/>
+          <meta name="viewport" content="width=device-width,initial-scale=1"/>
+          <title>MCP Server — Pairing Not Configured</title>
+          <style>
+            *{box-sizing:border-box;margin:0;padding:0}
+            body{font-family:system-ui,-apple-system,sans-serif;background:#f5f5f5;display:flex;align-items:center;justify-content:center;min-height:100vh}
+            .card{background:#fff;border-radius:12px;box-shadow:0 2px 12px rgba(0,0,0,.08);padding:32px;width:100%;max-width:380px;text-align:center}
+            h1{font-size:1.3rem;margin-bottom:12px;color:#111}
+            p{color:#666;font-size:.9rem;line-height:1.5}
+            code{background:#f6f8fa;padding:2px 6px;border-radius:4px;font-size:.85rem}
+          </style>
+        </head>
+        <body>
+          <div class="card">
+            <h1>⚠️ Pairing Not Configured</h1>
+            <p>To enable the pairing page, add one or more users to
+            <code>Mcp:PairingUsers</code> in your configuration and set
+            <code>Mcp:ApiKey</code> to a non-empty value.</p>
+          </div>
+        </body>
+        </html>
+        """;
+    }
+}
diff --git a/src/McpServer.Support.Mcp/Web/PairingQrCode.cs b/src/McpServer.Support.Mcp/Web/PairingQrCode.cs
new file mode 100644
index 0000000..0b4016e
--- /dev/null
+++ b/src/McpServer.Support.Mcp/Web/PairingQrCode.cs
@@ -0,0 +1,18 @@
+using QRCoder;
+
+namespace McpServer.Support.Mcp.Web;
+
+/// <summary>
+/// Generates QR code SVG images for the pairing flow.
+/// </summary>
+internal static class PairingQrCode
+{
+    /// <summary>Generates an SVG string containing a QR code for the given <paramref name="text"/>.</summary>
+    public static string GenerateSvg(string text)
+    {
+        using var generator = new QRCodeGenerator();
+        using var data = generator.CreateQrCode(text, QRCodeGenerator.ECCLevel.M);
+        using var svg = new SvgQRCode(data);
+        return svg.GetGraphic(8);
+    }
+}
diff --git a/templates/prompt-templates.yaml b/templates/prompt-templates.yaml
index defaccb..26b4a41 100644
--- a/templates/prompt-templates.yaml
+++ b/templates/prompt-templates.yaml
@@ -216,16 +216,20 @@ templates:
       \    h1{font-size:1.3rem;margin-bottom:4px;color:#111}\n    .sub{font-size:.85rem;color:#666;margin-bottom:20px}\n \
       \   .key-box{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px 16px;font-family:'Cascadia Code','Fira\
       \ Code',monospace;font-size:.95rem;word-break:break-all;margin-bottom:16px;position:relative}\n    .copy-btn{position:absolute;top:8px;right:8px;background:#0969da;color:#fff;border:none;border-radius:4px;padding:4px\
-      \ 10px;font-size:.8rem;cursor:pointer}\n    .copy-btn:hover{background:#0860c4}\n    .section{margin-bottom:20px}\n\
+      \ 10px;font-size:.8rem;cursor:pointer}\n    .copy-btn:hover{background:#0860c4}\n    .qr-section{text-align:center;margin-bottom:20px}\n\
+      \    .qr-section h2{font-size:1rem;margin-bottom:12px;color:#333}\n    .qr-section img{display:inline-block;padding:12px;background:#fff;border:1px\
+      \ solid #d0d7de;border-radius:8px;width:256px;height:256px}\n    .section{margin-bottom:20px}\n\
       \    .section h2{font-size:1rem;margin-bottom:8px;color:#333}\n    pre{background:#f6f8fa;border:1px solid #d0d7de;border-radius:6px;padding:14px\
       \ 16px;font-size:.82rem;overflow-x:auto;line-height:1.5}\n    .warn{font-size:.8rem;color:#888;margin-top:12px}\n  </style>\n\
-      </head>\n<body>\n  <div class=\"card\">\n    <h1>\U0001F511 Your API Key</h1>\n    <p class=\"sub\">Use this key to\
-      \ authenticate mutating API calls.</p>\n    <div class=\"key-box\">\n      <span id=\"key\">{apiKey}</span>\n      <button\
-      \ class=\"copy-btn\" onclick=\"navigator.clipboard.writeText(document.getElementById('key').textContent)\">Copy</button>\n\
-      \    </div>\n    <div class=\"section\">\n      <h2>MCP Client Config</h2>\n      <pre>{\n  \"mcpServers\": {\n    \"\
-      mcp-server\": {\n      \"url\": \"{serverUrl}/mcp-transport\"\n    }\n  }\n}</pre>\n    </div>\n    <div class=\"section\"\
-      >\n      <h2>cURL Example</h2>\n      <pre>curl {serverUrl}/mcpserver/workspace \\\n  -H \"X-Api-Key: {apiKey}\"</pre>\n\
-      \    </div>\n    <p class=\"warn\">Keep this key secret. It grants write access to workspace and tool endpoints.</p>\n\
+      </head>\n<body>\n  <div class=\"card\">\n    <h1>\U0001F511 Your API Key</h1>\n    <p class=\"sub\">Scan the QR code\
+      \ with the MCP Server mobile app, or copy the key below.</p>\n    <div class=\"qr-section\">\n      <h2>\U0001F4F1 Scan\
+      \ to Pair</h2>\n      <img src=\"/pair/qr\" alt=\"QR code for pairing\"/>\n    </div>\n    <div class=\"key-box\">\n\
+      \      <span id=\"key\">{apiKey}</span>\n\
+      \      <button class=\"copy-btn\" onclick=\"navigator.clipboard.writeText(document.getElementById('key').textContent)\"\
+      >Copy</button>\n    </div>\n    <div class=\"section\">\n      <h2>MCP Client Config</h2>\n      <pre>{\n  \"mcpServers\"\
+      : {\n    \"mcp-server\": {\n      \"url\": \"{serverUrl}/mcp-transport\"\n    }\n  }\n}</pre>\n    </div>\n    <div class=\"\
+      section\">\n      <h2>cURL Example</h2>\n      <pre>curl {serverUrl}/mcpserver/workspace \\\n  -H \"X-Api-Key: {apiKey}\"\
+      </pre>\n    </div>\n    <p class=\"warn\">Keep this key secret. It grants write access to workspace and tool endpoints.</p>\n\
       \  </div>\n</body>\n</html>\n"
   pairing-not-configured-page:
     title: Pairing Not Configured Page
@@ -277,19 +281,19 @@ templates:
 
       ## Session Start (Run Once Per Session)
 
-      1. Read this marker file for connection details and API key.
-
-      2. Bootstrap your preferred agent entrypoint (load docs/context/module-bootstrap.md from MCP context via context_search/context_pack; do not treat it as a local file path):
-         - **Preferred**: Launch `mcpserver-repl --workspace "{{workspace.WorkspacePath}}"` for YAML-over-STDIO interaction (eliminates shell quoting failures).
-         - **Supported**: Bootstrap PowerShell or Bash helper modules from the Tool Registry (`McpSession.psm1`, `McpTodo.psm1`) for direct script integration.
-
-      3. Verify the marker signature using the workspace API key in this file before contacting the server.
-
-      4. Call /health with a random nonce and confirm the response echoes that exact nonce.
-
-      5. Review recent session history and current TODOs only after signature and nonce verification succeed.
-
-      6. Post an initial session log turn for the session.
+      1. Read this marker file for connection details and API key.
+
+      2. Bootstrap your preferred agent entrypoint (load docs/context/module-bootstrap.md from MCP context via context_search/context_pack; do not treat it as a local file path):
+         - **Preferred**: Launch `mcpserver-repl --workspace "{{workspace.WorkspacePath}}"` for YAML-over-STDIO interaction (eliminates shell quoting failures).
+         - **Supported**: Bootstrap PowerShell or Bash helper modules from the Tool Registry (`McpSession.psm1`, `McpTodo.psm1`) for direct script integration.
+
+      3. Verify the marker signature using the workspace API key in this file before contacting the server.
+
+      4. Call /health with a random nonce and confirm the response echoes that exact nonce.
+
+      5. Review recent session history and current TODOs only after signature and nonce verification succeed.
+
+      6. Post an initial session log turn for the session.
 
 
       ## Per User Message
@@ -304,54 +308,54 @@ templates:
       ## Re-run Full Session Start Only If
 
       - The user explicitly says "Start Session".
-      - Signature verification fails.
-      - /health fails.
-      - /health nonce verification fails.
-      - Any /mcpserver/* call returns 401.
-      - The marker endpoint/key changes after a server restart.
+      - Signature verification fails.
+      - /health fails.
+      - /health nonce verification fails.
+      - Any /mcpserver/* call returns 401.
+      - The marker endpoint/key changes after a server restart.
 
 
       ## Rules
 
-      0. NEVER write to TODO.yaml directly.
-
-      1. Generate SessionId values using `session.init` (REPL) or `New-McpSessionLogSlug -Agent <SourceType> -Model <Model>` (PowerShell module), then create session logs with `session.new` (REPL) or `New-McpSessionLog -SessionId` (PowerShell). Do not handcraft SessionId values.
-
-      1a. Agents must identify themselves accurately in session logs. `sourceType` and the SessionId `<Agent>` prefix must use the agent''s real identity in Pascal-Case. Do not use lowercase forms, placeholders, or legacy aliases.
-
+      0. NEVER write to TODO.yaml directly.
+
+      1. Generate SessionId values using `session.init` (REPL) or `New-McpSessionLogSlug -Agent <SourceType> -Model <Model>` (PowerShell module), then create session logs with `session.new` (REPL) or `New-McpSessionLog -SessionId` (PowerShell). Do not handcraft SessionId values.
+
+      1a. Agents must identify themselves accurately in session logs. `sourceType` and the SessionId `<Agent>` prefix must use the agent''s real identity in Pascal-Case. Do not use lowercase forms, placeholders, or legacy aliases.
+
       2. Post a new session log turn (`session.turn.add` for REPL or `Add-McpSessionTurn` for PowerShell) before starting work. Update it with results (`Response`) and actions (`Add-McpAction` / `session.action.add`) when done. Persist after each meaningful update, not just at the end.
 
       2a. Before any compaction step, persist the current session log state. After compaction, update the session log again to record the compaction outcome and recovered context.
 
-      3. If signature verification, the /health request, or nonce verification fails, log `MCP_UNTRUSTED`, continue without the MCP server, and do not probe additional MCP endpoints.
-
-      4. Marker signatures use HMAC-SHA256 with the workspace API key in this file as the verifier. Recompute the canonical payload exactly as described by the marker metadata before trusting the file.
-
-      5. Use `mcpserver-repl` (preferred) or PowerShell/Bash helper modules for session log and TODO operations — they handle workspace routing automatically. Do not use raw API calls.
-
-      6. Write decisions, requirements, and state to the session log, not just conversation. Capture rich turn detail: interpretation, response/status, actions (type/status/filePath), contextList, filesModified, designDecisions, requirementsDiscovered, blockers, and key processingDialog updates.
-
-      7. Follow workspace conventions in AGENTS.md and .github/copilot-instructions.md.
-
-      8. When you need API schemas, module examples, or compliance rules, load them from docs/context/ or use context_search.
-
-      9. Do not fabricate information. Acknowledge mistakes. Distinguish facts from speculation.
-
-      10. Prioritize correctness over speed. Do not ship code you have not verified compiles.
+      3. If signature verification, the /health request, or nonce verification fails, log `MCP_UNTRUSTED`, continue without the MCP server, and do not probe additional MCP endpoints.
+
+      4. Marker signatures use HMAC-SHA256 with the workspace API key in this file as the verifier. Recompute the canonical payload exactly as described by the marker metadata before trusting the file.
+
+      5. Use `mcpserver-repl` (preferred) or PowerShell/Bash helper modules for session log and TODO operations — they handle workspace routing automatically. Do not use raw API calls.
+
+      6. Write decisions, requirements, and state to the session log, not just conversation. Capture rich turn detail: interpretation, response/status, actions (type/status/filePath), contextList, filesModified, designDecisions, requirementsDiscovered, blockers, and key processingDialog updates.
+
+      7. Follow workspace conventions in AGENTS.md and .github/copilot-instructions.md.
+
+      8. When you need API schemas, module examples, or compliance rules, load them from docs/context/ or use context_search.
+
+      9. Do not fabricate information. Acknowledge mistakes. Distinguish facts from speculation.
+
+      10. Prioritize correctness over speed. Do not ship code you have not verified compiles.
 
 
       ## Naming Conventions
 
 
-      - Persisted TODO IDs must be uppercase canonical ids in either <SDLC-PHASE>-<AREA>-### form
-      (regex: ^[A-Z]+-[A-Z0-9]+-\d{3}$) or ISSUE-{number} form (regex: ^ISSUE-\d+$).
-
-      - Valid TODO IDs: PLAN-NAMINGCONVENTIONS-001, MCP-API-042, ISSUE-17.
-
-      - Invalid TODO IDs: plan-api-001, MCP-API-42, ISSUE-ABC, MCPAPI001.
-
-      - Create requests may use ISSUE-NEW only when the intent is to create a new GitHub-backed TODO.
-      The server will create the GitHub issue immediately and persist the TODO using the canonical ISSUE-{number} id.
+      - Persisted TODO IDs must be uppercase canonical ids in either <SDLC-PHASE>-<AREA>-### form
+      (regex: ^[A-Z]+-[A-Z0-9]+-\d{3}$) or ISSUE-{number} form (regex: ^ISSUE-\d+$).
+
+      - Valid TODO IDs: PLAN-NAMINGCONVENTIONS-001, MCP-API-042, ISSUE-17.
+
+      - Invalid TODO IDs: plan-api-001, MCP-API-42, ISSUE-ABC, MCPAPI001.
+
+      - Create requests may use ISSUE-NEW only when the intent is to create a new GitHub-backed TODO.
+      The server will create the GitHub issue immediately and persist the TODO using the canonical ISSUE-{number} id.
 
       - Session IDs must use <Agent>-<yyyyMMddTHHmmssZ>-<suffix> and start with the exact agent/source type prefix.
 
