diff --git a/services/mcp-server/.env.example b/services/mcp-server/.env.example
index 441a71fc..ca1d092f 100644
--- a/services/mcp-server/.env.example
+++ b/services/mcp-server/.env.example
@@ -10,5 +10,12 @@ EXTRACTION_SERVICE_URL=http://localhost:4005
 # Auth — same JWT_SECRET as platform-service (tokens issued there are validated here)
 JWT_SECRET=change-me-in-production
 
+# Optional: restrict CORS origin (default: unrestricted — set in production)
+CORS_ORIGIN=
+
+# Query limits (defaults: max 100, page 20)
+QUERY_MAX_LIMIT=100
+QUERY_DEFAULT_LIMIT=20
+
 # Optional: AKV resolution
 AZURE_KEYVAULT_URL=
diff --git a/services/mcp-server/src/server.ts b/services/mcp-server/src/server.ts
index 2a1474b1..ac8477c8 100644
--- a/services/mcp-server/src/server.ts
+++ b/services/mcp-server/src/server.ts
@@ -1,11 +1,11 @@
 /**
- * ByteLyst MCP Server — port 4006
+ * ByteLyst MCP Server — port 4007
  *
  * Exposes tool namespaces:
- *   platform.telemetry.*  — query events, clusters, metrics
- *   platform.diagnostics.* — manage debug sessions, read logs/traces
- *   extraction.*          — run extraction, list models, cache stats
- *   support.*             — compound tools (createDebugPack)
+ *   platform.telemetry.*         — query events, clusters, metrics, policy CRUD
+ *   platform.diagnostics.*       — manage debug sessions, read logs/traces, cancel
+ *   extraction.*                 — run extraction, list models, cache stats, sidecar health
+ *   support.*                    — compound tools (createDebugPack, runIncidentPipeline)
  *
  * Auth: JWT Bearer tokens issued by platform-service (same JWT_SECRET).
  * Role gating: viewer / admin / super_admin per tool.