Docs: document Gemini CLI MCP auth (oauth.scopes mcp_orbit) for native HTTP transport
## Problem
Gemini CLI fails to authenticate to the Orbit MCP endpoint using its native HTTP transport (`httpUrl` config). Claude Code works because it negotiates the OAuth scope automatically. Surfaced by a real customer (Carrefour) in #f_orbit_dev.
Customer config that failed:
```json
"gitlab-orbit": {
"httpUrl": "https://gitlab.com/api/v4/orbit/mcp",
"timeout": 5000
}
```
## Root cause
Clients on the native HTTP MCP transport must explicitly request the `mcp_orbit` OAuth scope. Without it, auth fails. Verified fix (Dmitry Gruzd):
```json
{
"mcpServers": {
"gitlab-orbit": {
"url": "https://gitlab.com/api/v4/orbit/mcp",
"type": "http",
"timeout": 5000,
"oauth": { "enabled": true, "scopes": ["mcp_orbit"] }
}
}
}
```
## Docs gap
In `docs/source/remote/access/mcp.md`:
- Gemini CLI is listed as a supported client but has no config example.
- Every JSON example routes through the `npx mcp-remote` wrapper. None show the native HTTP path, so the `oauth.scopes` requirement is documented nowhere.
- The `mcp_orbit` OAuth scope is never mentioned. Prerequisites only cover `read_api` for PATs.
## Proposed fix
- Add a Gemini CLI subsection with the verified native-HTTP config including `oauth.scopes: ["mcp_orbit"]`.
- Add a troubleshooting note: if a client uses native HTTP transport and auth fails, add `oauth.scopes: ["mcp_orbit"]` to the server config.
- Confirm the correct Gemini config key (`url` + `type` vs `httpUrl`) before merging.
## Why now
Auth/403 failures are on the June 10 launch punch list. This is a real customer hitting it during beta. Low effort, high impact for field and design partners.
issue