docs: add documentation for routing modes, quarantine, TypeScript, and modern JS

- Routing modes (direct, retrieve_tools, code_execution) in config docs
- Tool quarantine auto-approve behavior and UX in security-quarantine.md
- TypeScript code execution support in code-execution.md and overview.md
- Quarantine stats in REST API docs (servers endpoint)
- Doctor quarantine stats in CLI command reference

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: claude

docs/api/mcp-protocol.md

@@ -11,13 +11,30 @@ keywords: [mcp, protocol, tools, proxy]
 
 MCPProxy implements the Model Context Protocol (MCP) specification, providing AI clients with unified access to multiple upstream MCP servers.
 
-## Endpoint
+## Endpoints
+
+### Default Endpoint
 
 ```
 http://127.0.0.1:8080/mcp
 ```
 
-**Note:** The MCP endpoint does not require API key authentication for client compatibility.
+Serves the routing mode configured in `routing_mode` (default: `retrieve_tools`).
+
+### Routing Mode Endpoints
+
+Each routing mode has a dedicated endpoint that is always available regardless of the configured default:
+
+| Endpoint | Mode | Description |
+|----------|------|-------------|
+| `/mcp` | *(configured)* | Default routing mode from config |
+| `/mcp/call` | `retrieve_tools` | BM25 search via `retrieve_tools` + `call_tool` variants |
+| `/mcp/all` | `direct` | All upstream tools as `serverName__toolName` |
+| `/mcp/code` | `code_execution` | JavaScript orchestration via `code_execution` tool |
+
+See [Routing Modes](../features/routing-modes.md) for details on each mode.
+
+**Note:** MCP endpoints do not require API key authentication for client compatibility.
 
 ## Built-in Tools
 

docs/api/rest-api.md

@@ -263,6 +263,93 @@ OAuth errors return structured error responses for better debugging:
 
 Clear OAuth tokens and disconnect a server.
 
+### Tool Quarantine
+
+#### POST /api/v1/servers/{name}/tools/approve
+
+Approve pending or changed tools for a server. See [Tool Quarantine](../features/tool-quarantine.md) for details.
+
+**Request Body:**
+```json
+{
+  "tools": ["create_issue", "delete_repo"]
+}
+```
+
+Or approve all pending/changed tools:
+```json
+{
+  "approve_all": true
+}
+```
+
+**Response:**
+```json
+{
+  "success": true,
+  "data": {
+    "approved": 2,
+    "tools": ["create_issue", "delete_repo"],
+    "message": "Approved 2 tools for server github-server"
+  }
+}
+```
+
+#### GET /api/v1/servers/{name}/tools/{tool}/diff
+
+Get the description/schema diff for a changed tool.
+
+**Response:**
+```json
+{
+  "success": true,
+  "data": {
+    "server_name": "github-server",
+    "tool_name": "delete_repo",
+    "status": "changed",
+    "approved_hash": "abc123...",
+    "current_hash": "def456...",
+    "previous_description": "Delete a repository",
+    "current_description": "Delete a repository (modified description)",
+    "previous_schema": "...",
+    "current_schema": "..."
+  }
+}
+```
+
+#### GET /api/v1/servers/{name}/tools/export
+
+Export all tool descriptions and schemas for a server. Useful for audit and compliance.
+
+**Query Parameters:**
+- `format` - Export format: `json` (default) or `text`
+
+### Routing
+
+#### GET /api/v1/routing
+
+Get the current routing mode and available MCP endpoints.
+
+**Response:**
+```json
+{
+  "success": true,
+  "data": {
+    "routing_mode": "retrieve_tools",
+    "description": "BM25 search via retrieve_tools + call_tool variants (default)",
+    "endpoints": {
+      "default": "/mcp",
+      "direct": "/mcp/all",
+      "code_execution": "/mcp/code",
+      "retrieve_tools": "/mcp/call"
+    },
+    "available_modes": ["retrieve_tools", "direct", "code_execution"]
+  }
+}
+```
+
+See [Routing Modes](../features/routing-modes.md) for details on each mode.
+
 ### Tools
 
 #### GET /api/v1/tools

docs/cli/command-reference.md

@@ -139,15 +139,23 @@ mcpproxy serve [flags]
 Run health diagnostics:
 
 ```bash
-mcpproxy doctor
+mcpproxy doctor [flags]
 ```
 
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--output, -o` | Output format: `pretty`, `json` | `pretty` |
+| `--log-level, -l` | Log level | `warn` |
+| `--config, -c` | Path to config file | auto-detect |
+
 Checks for:
 - Upstream server connection errors
 - OAuth authentication requirements
 - Missing secrets
 - Runtime warnings
 - Docker isolation status
+- Tools pending quarantine approval (pending/changed counts per server)
+- Security features status (routing mode, sensitive data detection)
 
 ## Upstream Management
 
@@ -185,6 +193,54 @@ mcpproxy upstream restart <server-name>
 mcpproxy upstream restart --all
 ```
 
+### upstream inspect
+
+Inspect tool approval status for a server (tool-level quarantine):
+
+```bash
+mcpproxy upstream inspect <server-name> [flags]
+```
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `--tool` | Inspect a specific tool by name | all tools |
+| `--output, -o` | Output format: table, json | `table` |
+
+**Examples:**
+
+```bash
+# Show all tool approvals for a server
+mcpproxy upstream inspect github-server
+
+# Inspect a specific tool (shows diff if changed)
+mcpproxy upstream inspect github-server --tool create_issue
+
+# JSON output for scripting
+mcpproxy upstream inspect github-server --output=json
+```
+
+See [Tool Quarantine](/features/tool-quarantine) for details.
+
+### upstream approve
+
+Approve quarantined tools for a server:
+
+```bash
+mcpproxy upstream approve <server-name> [tool-names...]
+```
+
+Without specific tool names, approves all pending/changed tools.
+
+**Examples:**
+
+```bash
+# Approve all pending/changed tools
+mcpproxy upstream approve github-server
+
+# Approve specific tools
+mcpproxy upstream approve github-server create_issue list_repos
+```
+
 ### upstream enable/disable
 
 Enable or disable a server:
@@ -344,24 +400,32 @@ mcpproxy call tool-destructive --tool-name=github:delete_repo --json_args='{"rep
 
 ### code exec
 
-Execute JavaScript code:
+Execute JavaScript or TypeScript code:
 
 ```bash
 mcpproxy code exec [flags]
 ```
 
 | Flag | Description | Default |
 |------|-------------|---------|
-| `--code` | JavaScript code to execute | - |
-| `--file` | Path to JavaScript file (alternative to --code) | - |
+| `--code` | JavaScript or TypeScript code to execute | - |
+| `--file` | Path to JS/TS file (alternative to --code) | - |
+| `--language` | Source code language: `javascript`, `typescript` | `javascript` |
 | `--input` | JSON input data | `{}` |
 | `--input-file` | Path to JSON file containing input data | - |
 | `--max-tool-calls` | Maximum tool calls (0 = unlimited) | `0` |
 | `--allowed-servers` | Comma-separated list of allowed servers | - |
 
-**Example:**
+**Examples:**
 ```bash
+# JavaScript (default)
 mcpproxy code exec --code="({ result: input.value * 2 })" --input='{"value": 21}'
+
+# TypeScript with type annotations
+mcpproxy code exec --language typescript --code="const x: number = 42; ({ result: x })"
+
+# TypeScript from file
+mcpproxy code exec --language typescript --file=script.ts --input-file=params.json
 ```
 
 See [Code Execution](/features/code-execution) for detailed documentation.

docs/cli/status-command.md

@@ -50,6 +50,7 @@ MCPProxy Status
   Uptime:      2h 15m
   API Key:     a1b2****gh78
   Web UI:      http://127.0.0.1:8080/ui/?apikey=a1b2...gh78
+  Routing:     retrieve_tools
   Servers:     12 connected, 2 quarantined
   Socket:      /Users/you/.mcpproxy/mcpproxy.sock
   Config:      /Users/you/.mcpproxy/mcp_config.json
@@ -125,6 +126,7 @@ mcpproxy status -o json
   "uptime_seconds": 8100,
   "api_key": "a1b2****gh78",
   "web_ui_url": "http://127.0.0.1:8080/ui/?apikey=...",
+  "routing_mode": "retrieve_tools",
   "servers": {
     "connected": 12,
     "quarantined": 2,

docs/code_execution/overview.md

@@ -428,7 +428,7 @@ mcpproxy code exec --language typescript \
 
 - TypeScript support uses type-stripping only (no type checking or semantic validation)
 - Valid JavaScript is also valid TypeScript, so you can always use `language: "typescript"` even for plain JS
-- The transpiled output runs in the same ES5.1+ goja sandbox with all existing capabilities
+- The transpiled output runs in the same ES2020+ goja sandbox with all existing capabilities
 - Transpilation errors return the `TRANSPILE_ERROR` error code with line/column information
 
 ## Best Practices