Authenticated MCP + REST endpoint: hybrid retrieval (pgvector + tsvector, RRF-fused), grounded answers via OpenRouter (GLM 5.2 Max). Bearer-token gated — operator + agents only.
REST: POST /ask body {"query":"..."} header Authorization: Bearer <token>
MCP: POST /v1/mcp (JSON-RPC: initialize / tools/list / tools/call — tools: search_portfolio, ask_portfolio)
Cursor / Claude MCP config:
{"mcpServers":{"ns-rag":{"url":"https://rag.nextsolutions.studio/v1/mcp","headers":{"Authorization":"Bearer <NS_RAG_API_KEY>"}}}}
Unauthorized requests get 401. No public data is exposed.