ns-rag — portfolio RAG over _docs/ + _memory/

Authenticated MCP + REST endpoint: hybrid retrieval (pgvector + tsvector, RRF-fused), grounded answers via OpenRouter (GLM 5.2 Max). Bearer-token gated — operator + agents only.

REST: POST /ask body {"query":"..."} header Authorization: Bearer <token>

MCP: POST /v1/mcp (JSON-RPC: initialize / tools/list / tools/call — tools: search_portfolio, ask_portfolio)

Cursor / Claude MCP config:

{"mcpServers":{"ns-rag":{"url":"https://rag.nextsolutions.studio/v1/mcp","headers":{"Authorization":"Bearer <NS_RAG_API_KEY>"}}}}

Unauthorized requests get 401. No public data is exposed.