diff --git a/README.md b/README.md index d4ed663..2239bec 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ The JFrog plugin provides the following capabilities, grouped by component: | Component | Feature | Description | | --- | --- | --- | +| **MCP** | JFrog MCP (always-on) | Built-in JFrog MCP routed through `@jfrog/agent-guard` to `${JFROG_URL}/mcp`. Always available, not subject to AI Catalog policy — see [JFrog MCP](#jfrog-mcp). | | **Hook** | Agent Guard | Copilot manage MCPs through the JFrog Agent Guard. Through it you can discover, install, configure, update, and remove MCP servers from the JFrog AI Catalog approved for your project, and authenticate to remote HTTP MCPs via OAuth, API key, or bearer token. | --- @@ -115,6 +116,15 @@ After authentication, open a workspace in VS Code. The session-start hook instal | "Log in to the remote Jira MCP server using OAuth." | Authenticates with a remote HTTP-based MCP server (OAuth, API key, or bearer token). | | "Log out of the Jira MCP server." | Removes stored authentication credentials for a server. | +### JFrog MCP + +The plugin ships a built-in `jfrog` MCP registered in `.mcp.json`. VS Code +launches it automatically as `npx @jfrog/agent-guard` with +`_JF_ARGS=mcp=jfrog-mcp`. agent-guard recognizes that shape, skips the AI +Catalog, and connects directly to `${JFROG_URL}/mcp` with +`Authorization: Bearer ${JFROG_ACCESS_TOKEN}` (both env vars are listed +under [Authentication](#authentication)). + ### How secrets are handled When an MCP server requires a sensitive configuration, the agent cannot set the value directly. Instead, it returns a CLI command for you to copy and run in your terminal. Secrets such as API keys, tokens, and connection strings are never exposed in the agent chat history. diff --git a/marketplace.json b/marketplace.json index 9c8506a..655c1b2 100644 --- a/marketplace.json +++ b/marketplace.json 
@@ -9,7 +9,7 @@ { "name": "jfrog", "description": "JFrog Platform integration with MCP, security skills, and supply-chain best practices", - "version": "1.0.3", + "version": "1.0.4", "source": "plugin", "categories": ["security", "artifact-management", "supply-chain", "devops", "mcp", "mlops", "agent-guard", "ai-catalog"], "platforms": ["darwin", "linux", "windows"], diff --git a/plugin/.mcp.json b/plugin/.mcp.json new file mode 100644 index 0000000..b0c9447 --- /dev/null +++ b/plugin/.mcp.json @@ -0,0 +1,15 @@ +{ + "mcpServers": { + "jfrog": { + "command": "npx", + "args": [ + "--yes", + "--registry", "https://releases.jfrog.io/artifactory/api/npm/coding-agents-npm", + "@jfrog/agent-guard" + ], + "env": { + "_JF_ARGS": "mcp=jfrog-mcp" + } + } + } +} diff --git a/plugin/templates/copilot-instructions.md b/plugin/templates/copilot-instructions.md index ebd361e..ef5b3aa 100644 --- a/plugin/templates/copilot-instructions.md +++ b/plugin/templates/copilot-instructions.md @@ -12,6 +12,12 @@ environment variable if it is set. Only use the default ## Adding an MCP +**Note - built-in `jfrog`:** the bundled `jfrog` entry +(`_JF_ARGS=mcp=jfrog-mcp`, bypasses the catalog) is NEVER installed, +inspected, or edited via this flow. For catalog-managed tool policy +on JFrog, install the catalog version under a DIFFERENT `servers` +key (e.g., `jfrog-catalog`) so it coexists with the built-in. + When the user asks to add an MCP, do ALL of the following autonomously - do NOT ask the user for project, server, package name, or binary path unless absolutely necessary: 
@@ -222,7 +228,17 @@ working. refresh token is likely dead. Re-run Step 5; the new tokens overwrite the old ones. -2. **Anything else** - ask the user to open `MCP: List Servers`, +2. **Built-in `jfrog` MCP missing** - almost always `JFROG_URL` / + `JFROG_ACCESS_TOKEN` not exported in the launching shell + (agent-guard reads them from the shell for the plugin's bundled + `jfrog` entry — they MUST NEVER be added to any `mcp.json` `env` + block, including the bundled one; `JFROG_URL` must include + `https://`; agent-guard fails fast at startup and the entry shows + as failed in **MCP: List Servers**). Tell the user not to edit the + plugin's bundled `.mcp.json`; reinstall the plugin to restore the + entry. + +3. **Anything else** - ask the user to open `MCP: List Servers`, right-click the failed (or 0-tools) server, choose **Show Output**, and paste the last 50 lines. Read the output before guessing at a cause. Common recoveries based on what the output @@ -240,6 +256,9 @@ working. ## Removing an MCP +**Note - built-in `jfrog`:** removal is only via uninstalling the +JFrog plugin from VS Code; never delete it from the bundled `.mcp.json`. + Delete the entry from `servers` in `.vscode/mcp.json` and any now-unused entries from the top-level `inputs` array. @@ -250,7 +269,8 @@ entries from the top-level `inputs` array. Read the `servers` entries from the VS Code MCP config file (workspace `.vscode/mcp.json` or in the user profile settings) and list each entry by display name, showing its package name (from `_JF_ARGS`) -and server ID. +and server ID. The bundled `jfrog` entry (`_JF_ARGS=mcp=jfrog-mcp`) +is reported with `scope: plugin (jfrog)`, `package: jfrog-mcp (bundled)`. ### Available MCPs (JFrog AI Catalog)
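Review bot: the new "JFrog MCP" section in README.md gives the launch command as `npx @jfrog/agent-guard`, but plugin/.mcp.json runs it with `--yes` and `--registry https://releases.jfrog.io/artifactory/api/npm/coding-agents-npm`. Name the registry here so readers can see where the package is fetched from. The section also sends readers to Authentication for `JFROG_URL` and `JFROG_ACCESS_TOKEN` without saying that both must be exported in the launching shell and never placed in an `mcp.json` `env` block, which the troubleshooting step in copilot-instructions.md treats as the usual cause of failure. Repeat that constraint in this section.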
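Review bot: in the `args` array of the new plugin/.mcp.json, `@jfrog/agent-guard` carries no version and `--yes` suppresses the npx install prompt, so a launch can resolve to whatever version the registry currently serves, in a process that, per the README, sends `Authorization: Bearer ${JFROG_ACCESS_TOKEN}`. Pin an exact version (`@jfrog/agent-guard@<version>`) and bump it together with `version` in marketplace.json, so that one plugin release maps to one known agent-guard build.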
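Review bot: the "Adding an MCP" note in plugin/templates/copilot-instructions.md recommends a catalog copy under a different key "for catalog-managed tool policy", but the built-in `jfrog` entry stays registered alongside it and the README row describes it as "not subject to AI Catalog policy". With both present, the policy on `jfrog-catalog` does not limit what is reachable through the built-in entry. State which server the agent must use when both exist, or say explicitly that the policy covers only the catalog copy.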
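Review bot: new step 2 of the troubleshooting list ends with "reinstall the plugin to restore the entry", yet the cause it names is `JFROG_URL` / `JFROG_ACCESS_TOKEN` not being exported, which a reinstall does not fix. Make exporting the variables in the launching shell the first action and keep the reinstall for the case where the bundled `.mcp.json` was edited. The parenthetical also packs four separate rules (read from the shell, never in an `env` block, `https://` required, fail-fast behaviour) into one sentence; split them into sub-bullets. Since the README says secrets are never exposed in the agent chat history, add that the agent must not ask the user to paste the token value while diagnosing this.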
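Review bot: the note added under "Removing an MCP" does not say what the agent should do when the user asks to remove "jfrog" and a catalog copy such as `jfrog-catalog` also exists in `.vscode/mcp.json`. The next paragraph still says to delete the entry from `servers`, so add one sentence telling the agent to confirm which of the two the user means before deleting anything.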
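Review bot: the sentence added to the listing section says the bundled `jfrog` entry is reported, but the procedure above it reads only `servers` entries from `.vscode/mcp.json` or the user profile settings, while the bundled entry lives in the plugin's `.mcp.json` under `mcpServers`. As written, the agent never encounters it. State where the agent takes the entry from (for example, always emit the fixed `scope: plugin (jfrog)` line), and reconcile this with the "Adding an MCP" note, which says the bundled entry is never inspected.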