From 7d53c79a36fd90a025565fe82e673edf2901bd8d Mon Sep 17 00:00:00 2001 From: Joaquin Rodriguez Date: Wed, 11 Mar 2026 20:05:55 -0400 Subject: [PATCH] docs: move MCP client config to top of README with Docker usage Place the MCP client configuration prominently after badges so users see it first. Update the example to use the published GHCR image with --env-file for secrets and a read-only policy volume mount. --- README.md | 53 ++++++++++++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index b351e85..118d1d3 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,34 @@ Read-only SQL MCP server with strict table/column policy controls. [![CI](https://github.com/jrhuerta/secure-sql-mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/jrhuerta/secure-sql-mcp/actions/workflows/ci.yml) [![GHCR](https://img.shields.io/badge/ghcr-jrhuerta%2Fsecure--sql--mcp-blue)](https://github.com/jrhuerta/secure-sql-mcp/pkgs/container/secure-sql-mcp) +## MCP Client Configuration + +To use this server with Cursor, Claude Desktop, or other MCP clients, add it to your MCP config: + +**Cursor** (`.cursor/mcp.json` or Cursor Settings → MCP): + +```json +{ + "mcpServers": { + "secure-sql": { + "command": "docker", + "args": [ + "run", + "-i", + "--rm", + "--env-file", "/path/to/your/secrets", + "-v", "/path/to/your/policy:/run/policy:ro", + "ghcr.io/jrhuerta/secure-sql-mcp:v0.1.0" + ] + } + } +} +``` + +**Claude Desktop** (`claude_desktop_config.json`): same structure under `mcpServers`. + +The `--env-file` should point to a file containing `DATABASE_URL` and `ALLOWED_POLICY_FILE=/run/policy/allowed_policy.txt` (see Environment Variables below). The volume mounts the policy directory read-only. Pull the image first: `docker pull ghcr.io/jrhuerta/secure-sql-mcp:v0.1.0` + ## Security Model - Database credentials stay server-side (env vars), never in prompts. 
@@ -157,31 +185,6 @@ Or with Docker Compose (builds from local Dockerfile): docker compose up --build ``` -## MCP Client Configuration - -To use this server with Cursor, Claude Desktop, or other MCP clients, add it to your MCP config: - -**Cursor** (`.cursor/mcp.json` or Cursor Settings → MCP): - -```json -{ - "mcpServers": { - "secure-sql": { - "command": "python", - "args": ["-m", "secure_sql_mcp.server"], - "env": { - "DATABASE_URL": "sqlite+aiosqlite:///./example.db", - "ALLOWED_POLICY_FILE": "./policy/allowed_policy.txt" - } - } - } -} -``` - -**Claude Desktop** (`claude_desktop_config.json`): same structure under `mcpServers`. - -Ensure the policy file path and database URL are correct for your environment. - ## Secrets Best Practices - Put credentials only in `.env` (or your secret manager), never in prompts.
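Review bot: In the first README.md hunk (the added Docker `args` list), the only bind mount is `/path/to/your/policy:/run/policy:ro`, so a `DATABASE_URL` that points at a file on the host will not resolve inside the container. The `sqlite+aiosqlite:///./example.db` value in the example this patch removes is one such case. Add a sentence saying the URL must be reachable from inside the container, either as a network database or through an additional mount for a SQLite file. The image is referenced by the tag `v0.1.0` in both the config and the `docker pull` line, so consider also showing a digest reference for users who want an immutable pin. The last added sentence is missing its closing period.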
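Review bot: In the second README.md hunk (the section removed at old line 157), the `"command": "python"` entry with `["-m", "secure_sql_mcp.server"]` is deleted with no replacement, so the README no longer shows how to register a locally run server with an MCP client. If running without Docker is still supported, keep a short local variant beside the Docker example in the new section, or state that the container image is now the only documented client setup.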