feat: native OAuth login page, architecture docs, docs site update

- Add GET/POST /login to hermes for first-party cookie during OAuth popup
  (fixes browser CHIPS cookie partitioning that broke claude.ai connection)
- Add role column to all findCustomer* SQL queries in src/auth.ts
- Add claude.ai tab to docs/getting-started.html with OAuth flow steps
- Add ARCHITECTURE.md with system diagrams, data flow, and key invariants
- Rewrite README.md and DEPLOY.md to reflect actual MicroK8s deployment
- Deploy updated docs site (squaremcp-docs sha256 updated)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/Dockerfile

@@ -0,0 +1,7 @@
+FROM nginx:1.27-alpine
+COPY docs/index.html /usr/share/nginx/html/index.html
+COPY docs/getting-started.html /usr/share/nginx/html/getting-started.html
+COPY docs/platforms.html /usr/share/nginx/html/platforms.html
+COPY docs/agent-tutorial.html /usr/share/nginx/html/agent-tutorial.html
+COPY docs/styles.css /usr/share/nginx/html/styles.css
+EXPOSE 80

docs/docs-k8s.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: squaremcp-docs
+  namespace: fetcherpay
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: squaremcp-docs
+  template:
+    metadata:
+      labels:
+        app: squaremcp-docs
+    spec:
+      containers:
+        - name: squaremcp-docs
+          image: localhost:32000/squaremcp-docs@sha256:adbc221aca3cae4ce42a48d30a69e1745601baa6e425a113f4ae78eed06a5b3a
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 80
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 3
+            periodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: squaremcp-docs
+  namespace: fetcherpay
+spec:
+  selector:
+    app: squaremcp-docs
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: squaremcp-docs-ingress
+  namespace: fetcherpay
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: docs.squaremcp.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: squaremcp-docs
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - docs.squaremcp.com
+      secretName: squaremcp-docs-tls

docs/getting-started.html

@@ -53,12 +53,39 @@
   <h2>Step 2 — Configure your MCP client</h2>
 
   <div class="tabs">
-    <button class="tab active" onclick="switchTab(this,'claude')">Claude Desktop</button>
+    <button class="tab active" onclick="switchTab(this,'claudeai')">claude.ai</button>
+    <button class="tab" onclick="switchTab(this,'claude')">Claude Desktop</button>
     <button class="tab" onclick="switchTab(this,'codex')">Codex CLI</button>
     <button class="tab" onclick="switchTab(this,'opencode')">opencode</button>
   </div>
 
-  <div id="tab-claude" class="tab-content tab-panel active">
+  <div id="tab-claudeai" class="tab-content tab-panel active">
+    <p>Connect SquareMCP directly inside the claude.ai web interface — no config files needed.</p>
+    <ol class="steps">
+      <li><div><strong>Open MCP Servers</strong> — go to <strong>claude.ai → Settings → MCP Servers</strong> and click <strong>Add</strong>.</div></li>
+      <li><div><strong>Enter the server URL</strong></div></li>
+    </ol>
+<pre><code>https://hermes.squaremcp.com</code></pre>
+    <ol class="steps" start="3">
+      <li>
+        <div>
+          <strong>Complete the OAuth flow</strong> — a popup will open at <code>hermes.squaremcp.com/login</code>.
+          Sign in with your SquareMCP account credentials. After signing in you will be shown a consent page — click <strong>Connect MCP client</strong>.
+          The popup closes and the connector shows as <strong>Connected</strong>.
+        </div>
+      </li>
+    </ol>
+    <div class="callout">
+      <strong>Why a separate login page?</strong>
+      Browsers partition cookies per top-level site. The OAuth popup runs on <code>hermes.squaremcp.com</code>, so your session must be established there — not on <code>app.squaremcp.com</code> — for the cookie to be visible.
+    </div>
+    <h3>Troubleshooting claude.ai connections</h3>
+    <p><strong>Popup doesn't open</strong> — make sure your browser isn't blocking pop-ups from claude.ai. Allow pop-ups for claude.ai and retry.</p>
+    <p><strong>Stuck on login after connecting</strong> — the popup may have been closed before the OAuth flow finished. Remove the server entry, click Add again, and complete the full popup flow.</p>
+    <p><strong>Shows connected but tools don't appear</strong> — start a new conversation. Tools from newly connected MCP servers appear in the next conversation's tool picker.</p>
+  </div>
+
+  <div id="tab-claude" class="tab-content tab-panel">
 <pre><code><span class="cmt">// ~/Library/Application Support/Claude/claude_desktop_config.json  (macOS)</span>
 <span class="cmt">// %APPDATA%\Claude\claude_desktop_config.json                       (Windows)</span>
 {

docs/platforms.html

@@ -51,7 +51,7 @@
     <li>
       <div>
         <strong>Create a LinkedIn app</strong>
-        Go to <a href="https://developer.linkedin.com/apps" target="_blank">developer.linkedin.com/apps</a> and create a new app. Add your company page and request the <code>w_member_social</code> and <code>r_liteprofile</code> products.
+        Go to <a href="https://www.linkedin.com/developers/apps" target="_blank">linkedin.com/developers/apps</a> and create a new app. Add your company page and request the <code>w_member_social</code> and <code>r_liteprofile</code> products.
       </div>
     </li>
     <li>