test: Inc delay for alice

test: Increase stagger delay 0.5 -> 2s
test: Increase callback timeout 10s -> 30s
2025-10-15 11:36:54 +02:00 · 2025-10-15 11:07:06 +02:00 · 2025-10-15 10:57:21 +02:00 · 2025-10-15 10:36:27 +02:00 · 2025-10-15 10:35:22 +02:00 · 2025-10-15 03:46:01 +02:00
103 changed files with 20610 additions and 779 deletions
@@ -1,8 +1,7 @@
 *

 !pyproject.toml
-!poetry.lock
 !README.md
 !uv.lock

-!nextcloud_mcp_server/
+!nextcloud_mcp_server/**/*.py
@@ -15,7 +15,7 @@ jobs:
      packages: write
    steps:
      - name: Check out
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          fetch-depth: 0
          token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
@@ -25,7 +25,7 @@ jobs:
          github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          changelog_increment_filename: body.md
      - name: Release
-        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
          body_path: "body.md"
          tag_name: v${{ env.REVISION }}
@@ -12,11 +12,11 @@ jobs:
      packages: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
        with:
          # list of Docker images to use as base name for tags
          images: |
@@ -37,7 +37,7 @@ jobs:

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -9,9 +9,9 @@ jobs:
  linting:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
      - name: Check format
        run: |
          uv run --frozen ruff format --diff
@@ -24,14 +24,20 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Run docker compose
-        uses: hoverkraft-tech/compose-action@40041ff1b97dbf152cd2361138c2b03fa29139df # v2.3.0
+        uses: hoverkraft-tech/compose-action@3846bcd61da338e9eaaf83e7ed0234a12b099b72 # v2.4.1
        with:
          compose-file: "./docker-compose.yml"
+          up-flags: "--build"
+
      - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+
+      - name: Install Playwright dependencies
+        run: |
+          uv run playwright install firefox --with-deps

      - name: Wait for service to be ready
        run: |
@@ -56,4 +62,4 @@ jobs:
          NEXTCLOUD_USERNAME: "admin"
          NEXTCLOUD_PASSWORD: "admin"
        run: |
-          uv run --frozen python -m pytest
+          uv run pytest -v --browser firefox
@@ -1,2 +1,9 @@
 __pycache__/
 .coverage
+.env
+*.env
+.env.local
+.env.*.local
+
+# Generated by pytest used to login users
+.nextcloud_oauth_shared_test_client.json
@@ -1,13 +1,20 @@
 repos:
 - repo: https://github.com/commitizen-tools/commitizen
-  rev: v4.8.2
+  rev: v4.9.0
  hooks:
  - id: commitizen
  - id: commitizen-branch
    stages:
    - pre-push
- repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.12.2
+- repo: local
  hooks:
    - id: ruff-check
+      name: ruff-check
+      entry: uv run ruff check
+      language: system
+      types: [python]
    - id: ruff-format
+      name: ruff-format
+      entry: uv run ruff format
+      language: system
+      types: [python]
@@ -1,3 +1,169 @@
+## v0.13.0 (2025-10-13)
+
+### Feat
+
+- **server**: Experimental support for OAuth2/OIDC authentication
+
+## v0.12.6 (2025-10-11)
+
+### Fix
+
+- **deps**: update dependency mcp to >=1.17,<1.18
+
+## v0.12.5 (2025-10-03)
+
+### Fix
+
+- **deps**: update dependency mcp to >=1.16,<1.17
+
+## v0.12.4 (2025-09-25)
+
+### Fix
+
+- **deps**: update dependency mcp to >=1.15,<1.16
+
+## v0.12.3 (2025-09-23)
+
+### Refactor
+
+- Add tools for all resources to enable tool-only workflows
+
+## v0.12.2 (2025-09-20)
+
+### Refactor
+
+- Add `http` to --transport option
+
+## v0.12.1 (2025-09-11)
+
+### Fix
+
+- **docker**: Provide --host 0.0.0.0 in default docker image
+
+## v0.12.0 (2025-09-11)
+
+### Feat
+
+- **server**: Add support for `streamable-http` transport type
+
+## v0.11.1 (2025-09-11)
+
+### Fix
+
+- **deps**: update dependency mcp to >=1.13,<1.14
+
+## v0.11.0 (2025-09-11)
+
+### Feat
+
+- **deck**: Add support for stack, cards, labels
+- **deck**: Initialize Deck app client/server
+
+## v0.10.0 (2025-09-10)
+
+### Feat
+
+- Add WebDAV resource copy functionality
+- Add WebDAV resource move/rename functionality
+
+## v0.9.0 (2025-09-10)
+
+### BREAKING CHANGE
+
+- FASTMCP_-prefixed env vars have been replaced by CLI
+arguments. Refer to the README for updated usage.
+
+### Feat
+
+- **cli**: Replace `mcp run` with click CLI and runtime options
+
+## v0.8.3 (2025-08-31)
+
+### Fix
+
+- **server**: Replace ErrorResponses with standard McpErrors
+- **notes**: Include ETags in responses to avoid accidently updates
+
+## v0.8.2 (2025-08-31)
+
+### Fix
+
+- **notes**: Remove note contents from responses to reduce token usage
+
+## v0.8.1 (2025-08-30)
+
+### Fix
+
+- **model**: Serialize timestamps in RFC3339 format
+
+## v0.8.0 (2025-08-30)
+
+### Feat
+
+- **client**: Preserve fields when modifying contacts/calendar resources
+- **server**: Add structured output to all tool/resource output
+
+### Refactor
+
+- Use _make_request where available
+
+## v0.7.2 (2025-08-30)
+
+### Fix
+
+- **client**: Use paging to fetch all notes
+
+## v0.7.1 (2025-08-08)
+
+### Fix
+
+- **client**: Strip cookies from responses to avoid falsely raising CSRF errors
+
+## v0.7.0 (2025-08-03)
+
+### Feat
+
+- **contacts**: Initialize Contacts App
+
+## v0.6.1 (2025-08-01)
+
+### Fix
+
+- **calendar**: Fix iCalendar date vs datetime format
+- **calendar**: Remove try/except in calendar API
+
+## v0.6.0 (2025-07-29)
+
+### Feat
+
+- **calendar**: add comprehensive Calendar app support via CalDAV protocol
+
+### Fix
+
+- apply ruff formatting to pass CI checks
+- **calendar**: address PR feedback from maintainer
+
+### Refactor
+
+- **calendar**: optimize logging for production readiness
+
+## v0.5.0 (2025-07-26)
+
+### Feat
+
+- Update webdav client create_directory method to handle recursive directories
+- **webdav**: add complete file system support
+
+### Fix
+
+- apply ruff formatting to test_webdav_operations.py
+
+## v0.4.1 (2025-07-10)
+
+### Fix
+
+- **deps**: update dependency mcp to >=1.10,<1.11
+
 ## v0.4.0 (2025-07-06)

 ### Feat
@@ -0,0 +1,195 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Testing
+```bash
+# Run all tests
+uv run pytest
+
+# Run integration tests only
+uv run pytest -m integration
+
+# Run tests with coverage
+uv run pytest --cov
+
+# Skip integration tests
+uv run pytest -m "not integration"
+```
+
+### Code Quality
+```bash
+# Format and lint code
+uv run ruff check
+uv run ruff format
+
+# Type checking
+# No explicit type checker configured - this is a Python project using ruff for linting
+```
+
+### Running the Server
+```bash
+# Local development - load environment variables and run
+export $(grep -v '^#' .env | xargs)
+mcp run --transport sse nextcloud_mcp_server.app:mcp
+
+# Docker development environment with Nextcloud instance
+docker-compose up
+
+# After code changes, rebuild and restart the appropriate MCP server container:
+# For basic auth changes (most common) - uses admin credentials
+docker-compose up --build -d mcp
+
+# For OAuth changes - uses OAuth authentication flow
+docker-compose up --build -d mcp-oauth
+
+# Build Docker image
+docker build -t nextcloud-mcp-server .
+```
+
+**Important: Two MCP Server Containers**
+- **`mcp`** (port 8000): Uses basic auth with admin credentials. Use this for most development and testing.
+- **`mcp-oauth`** (port 8001): Uses OAuth authentication. Only use this when working on OAuth-specific features or tests.
+
+### Environment Setup
+```bash
+# Install dependencies
+uv sync
+
+# Install development dependencies
+uv sync --group dev
+```
+
+## Architecture Overview
+
+This is a Python MCP (Model Context Protocol) server that provides LLM integration with Nextcloud. The architecture follows a layered pattern:
+
+### Core Components
+
+- **`nextcloud_mcp_server/app.py`** - Main MCP server entry point using FastMCP framework
+- **`nextcloud_mcp_server/client/`** - HTTP client implementations for different Nextcloud APIs
+- **`nextcloud_mcp_server/server/`** - MCP tool/resource definitions that expose client functionality
+- **`nextcloud_mcp_server/controllers/`** - Business logic controllers (e.g., notes search)
+
+### Client Architecture
+
+- **`NextcloudClient`** - Main orchestrating client that manages all app-specific clients
+- **`BaseNextcloudClient`** - Abstract base class providing common HTTP functionality and retry logic
+- **App-specific clients**: `NotesClient`, `CalendarClient`, `ContactsClient`, `TablesClient`, `WebDAVClient`
+
+### Server Integration
+
+Each Nextcloud app has a corresponding server module that:
+1. Defines MCP tools using `@mcp.tool()` decorators
+2. Defines MCP resources using `@mcp.resource()` decorators
+3. Uses the context pattern to access the `NextcloudClient` instance
+
+### Supported Nextcloud Apps
+
+- **Notes** - Full CRUD operations and search
+- **Calendar** - CalDAV integration with events, recurring events, attendees
+- **Contacts** - CardDAV integration with address book operations
+- **Tables** - Row-level operations on Nextcloud Tables
+- **WebDAV** - Complete file system access
+
+### Key Patterns
+
+1. **Environment-based configuration** - Uses `NextcloudClient.from_env()` to load credentials from environment variables
+2. **Async/await throughout** - All operations are async using httpx
+3. **Retry logic** - `@retry_on_429` decorator handles rate limiting
+4. **Context injection** - MCP context provides access to the authenticated client instance
+5. **Modular design** - Each Nextcloud app is isolated in its own client/server pair
+
+### Testing Structure
+
+- **Integration tests** in `tests/integration/` and `tests/client/`, `tests/server/` - Test real Nextcloud API interactions
+- **Fixtures** in `tests/conftest.py` - Shared test setup and utilities
+- Tests are marked with `@pytest.mark.integration` for selective running
+- **Important**: Integration tests run against live Docker containers. After making code changes:
+  - For basic auth tests: rebuild with `docker-compose up --build -d mcp`
+  - For OAuth tests: rebuild with `docker-compose up --build -d mcp-oauth`
+
+#### Testing Best Practices
+- **MANDATORY: Always run tests after implementing features or fixing bugs**
+  - Run tests to completion before considering any task complete
+  - If tests require modifications to pass, ask for permission before proceeding
+  - **Rebuild the correct container** after code changes:
+    - For basic auth tests (most common): `docker-compose up --build -d mcp`
+    - For OAuth tests: `docker-compose up --build -d mcp-oauth`
+- **Use existing fixtures** from `tests/conftest.py` to avoid duplicate setup work:
+  - `nc_mcp_client` - MCP client session for tool/resource testing (uses `mcp` container)
+  - `nc_mcp_oauth_client` - MCP client session for OAuth testing (uses `mcp-oauth` container)
+  - `nc_client` - Direct NextcloudClient for setup/cleanup operations
+  - `temporary_note` - Creates and cleans up test notes automatically
+  - `temporary_addressbook` - Creates and cleans up test address books
+  - `temporary_contact` - Creates and cleans up test contacts
+- **Test specific functionality** after changes:
+  - For Notes changes: `uv run pytest tests/integration/test_mcp.py -k "notes" -v`
+  - For specific API changes: `uv run pytest tests/integration/test_notes_api.py -v`
+  - For OAuth changes: `uv run pytest tests/server/test_oauth*.py -v` (remember to rebuild `mcp-oauth` container)
+- **Avoid creating standalone test scripts** - use pytest with proper fixtures instead
+
+#### OAuth/OIDC Testing
+OAuth integration tests support both **automated** (Playwright) and **interactive** authentication flows:
+
+**Automated Testing (Default - Recommended for CI/CD):**
+- **Default fixtures**: `nc_oauth_client`, `nc_mcp_oauth_client` now use Playwright automation by default
+- Uses Playwright headless browser automation to complete OAuth flow programmatically
+- **Shared OAuth Client**: All test users authenticate using a single OAuth client (matching MCP server behavior)
+  - Single `client_id`/`client_secret` pair is registered and reused for all test users
+  - Stored in `.nextcloud_oauth_shared_test_client.json` with `force_register=False` for reuse
+  - Reduces OAuth client registrations and matches production MCP server architecture
+- All Playwright fixtures: `playwright_oauth_token`, `nc_oauth_client`, `nc_mcp_oauth_client`, `nc_oauth_client_playwright`, `nc_mcp_oauth_client_playwright`
+- Multi-user fixtures: `alice_oauth_token`, `bob_oauth_token`, `charlie_oauth_token`, `diana_oauth_token`
+  - All use `shared_oauth_client_credentials` fixture for consistent client credentials
+  - Each user gets unique access tokens via same OAuth client (like multiple users using the MCP server)
+- Requires: `NEXTCLOUD_HOST`, `NEXTCLOUD_USERNAME`, `NEXTCLOUD_PASSWORD` environment variables
+- Uses `pytest-playwright-asyncio` for async Playwright fixtures
+- Playwright configuration: Use pytest CLI args like `--browser firefox --headed` to customize
+- Install browsers: `uv run playwright install firefox` (or `chromium`, `webkit`)
+- Example:
+  ```bash
+  # Run all OAuth tests with automated Playwright flow using Firefox
+  uv run pytest tests/server/test_oauth*.py --browser firefox -v
+
+  # Run specific Playwright tests with visible browser for debugging
+  uv run pytest tests/server/test_mcp_oauth.py --browser firefox --headed -v
+
+  # Run with Chromium (default)
+  uv run pytest tests/server/test_oauth*.py -v
+  ```
+
+**Interactive Testing (Manual browser login):**
+- Opens system browser and waits for manual login/authorization
+- Fixtures: `interactive_oauth_token`, `nc_oauth_client_interactive`, `nc_mcp_oauth_client_interactive`
+- Requires: User to complete browser-based login when prompted
+- Useful for: Debugging OAuth flows, testing with 2FA, local development
+- **Automatically skipped in GitHub Actions CI** - Interactive fixtures check for `GITHUB_ACTIONS` environment variable
+- Example:
+  ```bash
+  # Run OAuth tests with interactive flow (will open browser and wait for manual login)
+  uv run pytest tests/client/test_oauth_interactive.py -v
+  ```
+
+**Test Environment Setup:**
+- **Two MCP server containers are available:**
+  - `mcp` (port 8000): Uses basic auth with admin credentials - for most testing
+  - `mcp-oauth` (port 8001): Uses OAuth authentication - for OAuth-specific testing
+- Start OAuth MCP server: `docker-compose up --build -d mcp-oauth`
+- **Important**: When working on OAuth functionality, always rebuild `mcp-oauth` container, not `mcp`
+- Shared OAuth client is registered once and reused across test runs
+- Client credentials cached in `.nextcloud_oauth_shared_test_client.json`
+
+**CI/CD Considerations:**
+- Interactive OAuth tests are automatically skipped when `GITHUB_ACTIONS` environment variable is set
+- Automated Playwright tests will run in CI/CD environments
+- Use Firefox browser in CI: `--browser firefox` (Chromium may have issues with localhost redirects)
+- Shared client approach reduces test time and API calls to Nextcloud
+
+### Configuration Files
+
+- **`pyproject.toml`** - Python project configuration using uv for dependency management
+- **`.env`** (from `env.sample`) - Environment variables for Nextcloud connection
+- **`docker-compose.yml`** - Complete development environment with Nextcloud + database
@@ -1,4 +1,4 @@
-FROM ghcr.io/astral-sh/uv:0.7.19-python3.11-alpine@sha256:03f28e0c1ffc6dd8061a4e79c890bfd0441fb9ec1d648ce8ad5abfcaaa68789a
+FROM ghcr.io/astral-sh/uv:0.9.2-python3.11-alpine@sha256:59c7cb3e4a4fe9ccff6a5bf0d952a0b1b0101adda48e305c02beea3c22256208

 WORKDIR /app

@@ -6,4 +6,6 @@ COPY . .

 RUN uv sync --locked --no-dev

-CMD ["/app/.venv/bin/mcp", "run", "--transport", "sse", "/app/nextcloud_mcp_server/server.py:mcp"]
+ENV PYTHONUNBUFFERED=1
+
+ENTRYPOINT ["/app/.venv/bin/nextcloud-mcp-server", "--host", "0.0.0.0"]
@@ -2,143 +2,235 @@

 [![Docker Image](https://img.shields.io/badge/docker-ghcr.io/cbcoutinho/nextcloud--mcp--server-blue)](https://github.com/cbcoutinho/nextcloud-mcp-server/pkgs/container/nextcloud-mcp-server)

-The Nextcloud MCP (Model Context Protocol) server allows Large Language Models (LLMs) like OpenAI's GPT, Google's Gemini, or Anthropic's Claude to interact with your Nextcloud instance. This enables automation of various Nextcloud actions, starting with the Notes API.
+**Enable AI assistants to interact with your Nextcloud instance.**
+
+The Nextcloud MCP (Model Context Protocol) server allows Large Language Models like Claude, GPT, and Gemini to interact with your Nextcloud data through a secure API. Create notes, manage calendars, organize contacts, work with files, and more - all through natural language.

 ## Features

-The server provides integration with multiple Nextcloud apps, enabling LLMs to interact with your Nextcloud data through a rich set of tools and resources.
+### Supported Nextcloud Apps

-## Supported Nextcloud Apps
+| App | Support | Features |
+|-----|---------|----------|
+| **Notes** | ✅ Full | Create, read, update, delete, search notes. Handle attachments. |
+| **Calendar** | ✅ Full | Manage events, recurring events, reminders, attendees via CalDAV. |
+| **Contacts** | ✅ Full | CRUD operations for contacts and address books via CardDAV. |
+| **Files (WebDAV)** | ✅ Full | Complete file system access - browse, read, write, organize files. |
+| **Deck** | ✅ Full | Project management - boards, stacks, cards, labels, assignments. |
+| **Tables** | ⚠️ Partial | Row-level operations. Table management not yet supported. |
+| **Tasks** | ❌ Planned | [Issue #73](https://github.com/cbcoutinho/nextcloud-mcp-server/issues/73) |

-| App | Support Status | Description |
-|-----|----------------|-------------|
-| **Notes** | ✅ Full Support | Create, read, update, delete, and search notes. Handle attachments via WebDAV. |
-| **Tables** | ⚠️ Row Operations | Read table schemas and perform CRUD operations on table rows. Table management not yet supported. |
+Want to see another Nextcloud app supported? [Open an issue](https://github.com/cbcoutinho/nextcloud-mcp-server/issues) or contribute a pull request!

-## Available Tools
+### Authentication

-### Notes Tools
+| Mode | Security | Best For |
+|------|----------|----------|
+| **OAuth2/OIDC** ✅ | 🔒 High | Production, multi-user deployments |
+| **Basic Auth** ⚠️ | Lower | Development, testing |

-| Tool | Description |
-|------|-------------|
-| `nc_get_note` | Get a specific note by ID |
-| `nc_notes_create_note` | Create a new note with title, content, and category |
-| `nc_notes_update_note` | Update an existing note by ID |
-| `nc_notes_append_content` | Append content to an existing note with a clear separator |
-| `nc_notes_delete_note` | Delete a note by ID |
-| `nc_notes_search_notes` | Search notes by title or content |
+OAuth2/OIDC provides secure, per-user authentication with access tokens. See [Authentication Guide](docs/authentication.md) for details.

-### Tables Tools
+## Quick Start

-| Tool | Description |
-|------|-------------|
-| `nc_tables_list_tables` | List all tables available to the user |
-| `nc_tables_get_schema` | Get the schema/structure of a specific table including columns and views |
-| `nc_tables_read_table` | Read rows from a table with optional pagination |
-| `nc_tables_insert_row` | Insert a new row into a table |
-| `nc_tables_update_row` | Update an existing row in a table |
-| `nc_tables_delete_row` | Delete a row from a table |
-
-## Available Resources
-
-| Resource | Description |
-|----------|-------------|
-| `nc://capabilities` | Access Nextcloud server capabilities |
-| `notes://settings` | Access Notes app settings |
-| `nc://Notes/{note_id}/attachments/{attachment_filename}` | Access attachments for notes |
-
-### Note Attachments
-
-This server supports adding and retrieving note attachments via WebDAV. Please note the following behavior regarding attachments:
-
-* When a note is deleted, its attachments remain in the system. This matches the behavior of the official Nextcloud Notes app.
-* Orphaned attachments (attachments whose parent notes have been deleted) may accumulate over time.
-* WebDAV permissions must be properly configured for attachment operations to work correctly.
-
-## Installation
-
-### Prerequisites
-
-*   Python 3.8+
-*   Access to a Nextcloud instance
-
-### Local Installation
-
-1.  Clone the repository (if running from source):
-    ```bash
-    git clone https://github.com/cbcoutinho/nextcloud-mcp-server.git
-    cd nextcloud-mcp-server
-    ```
-2.  Install the package (if running as a library):
-    ```bash
-    poetry install
-    ```
-
-### Docker
-
-A pre-built Docker image is available: `ghcr.io/cbcoutinho/nextcloud-mcp-server`
-
-## Configuration
-
-The server requires credentials to connect to your Nextcloud instance. Create a file named `.env` (or any name you prefer) in the directory where you'll run the server, based on the `env.sample` file:
-
-```dotenv
-# .env
-NEXTCLOUD_HOST=https://your.nextcloud.instance.com
-NEXTCLOUD_USERNAME=your_nextcloud_username
-NEXTCLOUD_PASSWORD=your_nextcloud_app_password_or_login_password
-```
-
-*   `NEXTCLOUD_HOST`: The full URL of your Nextcloud instance.
-*   `NEXTCLOUD_USERNAME`: Your Nextcloud username.
-*   `NEXTCLOUD_PASSWORD`: **Important:** It is highly recommended to use a dedicated Nextcloud App Password for security. You can generate one in your Nextcloud Security settings. Alternatively, you can use your regular login password, but this is less secure.
-
-## Running the Server
-
-### Locally
-
-Ensure your environment variables are loaded, then run the server using `mcp run`:
+### 1. Install

 ```bash
-# Load environment variables from your .env file
+# Clone the repository
+git clone https://github.com/cbcoutinho/nextcloud-mcp-server.git
+cd nextcloud-mcp-server
+
+# Install with uv (recommended)
+uv sync
+
+# Or using Docker
+docker pull ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+See [Installation Guide](docs/installation.md) for detailed instructions.
+
+### 2. Configure
+
+Create a `.env` file:
+
+```bash
+# Copy the sample
+cp env.sample .env
+```
+
+**For OAuth (recommended):**
+```dotenv
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+```
+
+**For Basic Auth:**
+```dotenv
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+NEXTCLOUD_USERNAME=your_username
+NEXTCLOUD_PASSWORD=your_app_password
+```
+
+See [Configuration Guide](docs/configuration.md) for all options.
+
+### 3. Set Up Authentication
+
+**OAuth Setup (recommended):**
+1. Install Nextcloud OIDC apps (`oidc` + `user_oidc`)
+2. Enable dynamic client registration
+3. Configure Bearer token validation
+4. Start the server
+
+See [OAuth Quick Start](docs/quickstart-oauth.md) for 5-minute setup or [OAuth Setup Guide](docs/oauth-setup.md) for production deployment.
+
+### 4. Run the Server
+
+```bash
+# Load environment variables
 export $(grep -v '^#' .env | xargs)

-# Run the server
-mcp run --transport sse nextcloud_mcp_server.server:mcp
+# Start the server
+uv run nextcloud-mcp-server --oauth
+
+# Or with Docker
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest --oauth
 ```

-The server will start, typically listening on `http://0.0.0.0:8000`.
+The server starts on `http://127.0.0.1:8000` by default.

-### Using Docker
+See [Running the Server](docs/running.md) for more options.

-Mount your environment file when running the container:
+### 5. Connect an MCP Client
+
+Test with MCP Inspector:

 ```bash
-docker run -p 127.0.0.1:8000:8000 --env-file .env --rm ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+uv run mcp dev
 ```

-This will start the server and expose it on port 8000 of your local machine.
+Or connect from:
+- Claude Desktop
+- Any MCP-compatible client

-## Usage
+## Documentation

-Once the server is running, you can connect to it using an MCP client like `uvx`. Add the server to your `uvx` configuration:
+### Getting Started
+- **[Installation](docs/installation.md)** - Install the server
+- **[Configuration](docs/configuration.md)** - Environment variables and settings
+- **[Authentication](docs/authentication.md)** - OAuth vs BasicAuth
+- **[Running the Server](docs/running.md)** - Start and manage the server
+
+### OAuth Documentation
+- **[OAuth Quick Start](docs/quickstart-oauth.md)** - 5-minute setup guide
+- **[OAuth Setup Guide](docs/oauth-setup.md)** - Production deployment
+- **[OAuth Architecture](docs/oauth-architecture.md)** - How OAuth works
+- **[OAuth Troubleshooting](docs/oauth-troubleshooting.md)** - OAuth-specific issues
+- **[Upstream Status](docs/oauth-upstream-status.md)** - Required patches and PRs
+
+### Reference
+- **[Troubleshooting](docs/troubleshooting.md)** - Common issues and solutions
+
+### App-Specific Documentation
+- [Notes API](docs/notes.md)
+- [Calendar (CalDAV)](docs/calendar.md)
+- [Contacts (CardDAV)](docs/contacts.md)
+- [Deck](docs/deck.md)
+- [Tables](docs/table.md)
+- [WebDAV](docs/webdav.md)
+
+## MCP Tools & Resources
+
+The server exposes Nextcloud functionality through MCP tools (for actions) and resources (for data browsing).
+
+### Tools
+Tools enable AI assistants to perform actions:
+- `nc_notes_create_note` - Create a new note
+- `deck_create_card` - Create a Deck card
+- `nc_calendar_create_event` - Create a calendar event
+- `nc_contacts_create_contact` - Create a contact
+- And many more...
+
+### Resources
+Resources provide read-only access to Nextcloud data:
+- `nc://capabilities` - Server capabilities
+- `nc://Deck/boards/{board_id}` - Deck board data
+- `notes://settings` - Notes app settings
+- And more...
+
+Run `uv run nextcloud-mcp-server --help` to see all available options.
+
+## Examples
+
+### Create a Note
+```
+AI: "Create a note called 'Meeting Notes' with today's agenda"
+→ Uses nc_notes_create_note tool
+```
+
+### Manage Calendar
+```
+AI: "Schedule a team meeting for next Tuesday at 2pm"
+→ Uses nc_calendar_create_event tool
+```
+
+### Organize Files
+```
+AI: "Create a folder called 'Project X' and move all PDFs there"
+→ Uses WebDAV tools (nc_webdav_create_directory, nc_webdav_move)
+```
+
+### Project Management
+```
+AI: "Create a new Deck board for Q1 planning with Todo, In Progress, and Done stacks"
+→ Uses deck_create_board and deck_create_stack tools
+```
+
+## Transport Protocols
+
+The server supports multiple MCP transport protocols:
+
+- **streamable-http** (recommended) - Modern streaming protocol
+- **sse** (default, deprecated) - Server-Sent Events for backward compatibility
+- **http** - Standard HTTP protocol

 ```bash
-uvx mcp add nextcloud-mcp http://localhost:8000 --default-transport sse
+# Use streamable-http (recommended)
+uv run nextcloud-mcp-server --transport streamable-http
 ```

-You can then interact with the server's tools and resources through your LLM interface connected to `uvx`.
-
-## References:
-
- https://github.com/modelcontextprotocol/python-sdk
+> [!WARNING]
+> SSE transport is deprecated and will be removed in a future MCP specification version. Please migrate to `streamable-http`.

 ## Contributing

-Contributions are welcome! Please feel free to submit issues or pull requests on the [GitHub repository](https://github.com/cbcoutinho/nextcloud-mcp-server).
+Contributions are welcome!
+
+- Report bugs or request features: [GitHub Issues](https://github.com/cbcoutinho/nextcloud-mcp-server/issues)
+- Submit improvements: [Pull Requests](https://github.com/cbcoutinho/nextcloud-mcp-server/pulls)
+- Read [CLAUDE.md](CLAUDE.md) for development guidelines
+
+## Security
+
+[![MseeP.ai Security Assessment](https://mseep.net/pr/cbcoutinho-nextcloud-mcp-server-badge.png)](https://mseep.ai/app/cbcoutinho-nextcloud-mcp-server)
+
+This project takes security seriously:
+- OAuth2/OIDC support for secure authentication
+- No credential storage with OAuth mode
+- Per-user access tokens
+- Regular security assessments
+
+Found a security issue? Please report it privately to the maintainers.

 ## License

-This project is licensed under the AGPL-3.0 License. See the [LICENSE](./LICENSE) file for details.
+This project is licensed under the AGPL-3.0 License. See [LICENSE](./LICENSE) for details.

-[![MseeP.ai Security Assessment Badge](https://mseep.net/pr/cbcoutinho-nextcloud-mcp-server-badge.png)](https://mseep.ai/app/cbcoutinho-nextcloud-mcp-server)
+## Star History
+
+[![Star History Chart](https://api.star-history.com/svg?repos=cbcoutinho/nextcloud-mcp-server&type=Date)](https://www.star-history.com/#cbcoutinho/nextcloud-mcp-server&Date)
+
+## References
+
+- [Model Context Protocol](https://github.com/modelcontextprotocol)
+- [MCP Python SDK](https://github.com/modelcontextprotocol/python-sdk)
+- [Nextcloud](https://nextcloud.com/)
@@ -0,0 +1,69 @@
+From deab2dac3d73d25f20a95c18103f327ab48f837a Mon Sep 17 00:00:00 2001
+From: Chris Coutinho <chris@coutinho.io>
+Date: Sun, 12 Oct 2025 21:09:29 +0200
+Subject: [PATCH 1/1] Fix Bearer token authentication causing session logout
+
+When using Bearer token authentication with OIDC, API requests to
+endpoints with @CORS annotations (like Notes API) were failing with
+401 Unauthorized errors. This occurred because:
+
+1. Bearer token validation successfully authenticated the user
+2. A session was created for the authenticated user
+3. Nextcloud's CORSMiddleware detected the logged-in session but no
+   CSRF token, causing it to call session->logout()
+4. The logout invalidated the session, breaking the API request
+
+This fix sets the 'app_api' session flag during Bearer token
+authentication, which instructs CORSMiddleware to skip the CSRF check
+and logout logic. This is the same mechanism used by Nextcloud's
+AppAPI framework for external application authentication.
+
+The flag is set at all successful Bearer token authentication points:
+- Line 243: After OIDC Identity Provider validation
+- Line 310: After auto-provisioning with bearer provisioning
+- Line 315: After existing user authentication
+- Line 337: After LDAP user sync
+
+Fixes: Bearer token authentication for all Nextcloud APIs
+Tested-with: nextcloud-mcp-server integration tests
+Signed-off-by: Chris Coutinho <chris@coutinho.io>
+---
+ lib/User/Backend.php | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/User/Backend.php b/lib/User/Backend.php
+index 23cfb18..65665cc 100644
+--- a/lib/User/Backend.php
+++ b/lib/User/Backend.php
+@@ -240,6 +240,7 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
+ 					$this->eventDispatcher->dispatchTyped($validationEvent);
+ 					$oidcProviderUserId = $validationEvent->getUserId();
+ 					if ($oidcProviderUserId !== null) {
+						$this->session->set('app_api', true);
+ 						return $oidcProviderUserId;
+ 					} else {
+ 						$this->logger->debug('[NextcloudOidcProviderValidator] The bearer token validation has failed');
+@@ -306,10 +307,12 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
+ 							}
+ 
+ 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
+ 							return $userId;
+ 						} elseif ($this->userExists($tokenUserId)) {
+ 							$this->checkFirstLogin($tokenUserId);
+ 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
+ 							return $tokenUserId;
+ 						} else {
+ 							// check if the user exists locally
+@@ -331,6 +334,7 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
+ 							}
+ 							$this->checkFirstLogin($tokenUserId);
+ 							$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+							$this->session->set('app_api', true);
+ 							return $tokenUserId;
+ 						}
+ 					}
+-- 
+2.51.0
+
@@ -0,0 +1,16 @@
+diff --git a/lib/Util/DiscoveryGenerator.php b/lib/Util/DiscoveryGenerator.php
+index ee3cd57..6429f94 100644
+--- a/lib/Util/DiscoveryGenerator.php
+++ b/lib/Util/DiscoveryGenerator.php
+@@ -171,6 +171,11 @@ class DiscoveryGenerator
+             $discoveryPayload['registration_endpoint'] = $host . $this->urlGenerator->linkToRoute('oidc.DynamicRegistration.registerClient', []);
+         }
+ 
+        // Add PKCE support if enabled
+        if ($this->appConfig->getAppValueBool('proof_key_for_code_exchange', false)) {
+            $discoveryPayload['code_challenge_methods_supported'] = ['S256'];
+        }
+
+         $this->logger->info('Request to Discovery Endpoint.');
+ 
+         $response = new JSONResponse($discoveryPayload);
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euox pipefail
+
+echo "Installing and configuring Calendar app..."
+
+# Enable calendar app
+php /var/www/html/occ app:enable calendar
+
+# Wait for calendar app to be fully initialized
+echo "Waiting for calendar app to initialize..."
+sleep 5
+
+# Increase limits on calendar creation for integration tests (100 in 60s)
+php occ config:app:set dav rateLimitCalendarCreation --type=integer --value=100
+php occ config:app:set dav rateLimitPeriodCalendarCreation --type=integer --value=60
+
+# Ensure maintenance mode is off before calendar operations
+php /var/www/html/occ maintenance:mode --off
+
+# Sync DAV system to ensure proper initialization
+echo "Syncing DAV system..."
+php /var/www/html/occ dav:sync-system-addressbook
+
+# Repair calendar app to ensure proper setup
+echo "Repairing calendar app..."
+php /var/www/html/occ maintenance:repair --include-expensive
+
+# Final wait to ensure CalDAV service is fully ready
+echo "Final CalDAV initialization wait..."
+sleep 5
+
+echo "Calendar app installation complete!"
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euox pipefail
+
+php /var/www/html/occ app:enable contacts
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -euox pipefail
+
+php /var/www/html/occ app:enable deck
@@ -1,3 +1,5 @@
 #!/bin/bash

+set -euox pipefail
+
 php /var/www/html/occ app:enable notes
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euox pipefail
+
+echo "Installing and configuring OIDC apps for testing..."
+
+# Enable the OIDC Identity Provider app
+php /var/www/html/occ app:enable oidc
+
+# Enable the user_oidc app (OIDC client for bearer token validation)
+php /var/www/html/occ app:enable user_oidc
+
+patch -u /var/www/html/custom_apps/user_oidc/lib/User/Backend.php -i /docker-entrypoint-hooks.d/post-installation/0001-Fix-Bearer-token-authentication-causing-session-logo.patch
+patch -u /var/www/html/custom_apps/oidc/lib/Util/DiscoveryGenerator.php -i /docker-entrypoint-hooks.d/post-installation/0002-Add-PKCE-code-challenge-methods-to-discovery-documen.patch
+
+# Configure OIDC Identity Provider with dynamic client registration enabled
+php /var/www/html/occ config:app:set oidc dynamic_client_registration --value='true'
+php /var/www/html/occ config:app:set oidc proof_key_for_code_exchange --value=true --type=boolean
+
+# Configure user_oidc to validate bearer tokens from the OIDC Identity Provider
+php /var/www/html/occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+
+echo "OIDC apps installed and configured successfully"
@@ -1,3 +1,5 @@
 #!/bin/bash

+set -euox pipefail
+
 php /var/www/html/occ app:enable tables
@@ -3,7 +3,7 @@ services:
  # https://hub.docker.com/_/mariadb
  db:
    # Note: Check the recommend version here: https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html#server
-    image: mariadb:lts@sha256:1e4ec03d1b73af8e7a63137b8ef4820ac7d54c654a1e99eb76235f210f7f0a06
+    image: docker.io/library/mariadb:lts@sha256:ae6119716edac6998ae85508431b3d2e666530ddf4e94c61a10710caec9b0f71
    restart: always
    command: --transaction-isolation=READ-COMMITTED
    volumes:
@@ -17,18 +17,14 @@ services:
  # Note: Redis is an external service. You can find more information about the configuration here:
  # https://hub.docker.com/_/redis
  redis:
-    image: redis:alpine@sha256:73734b014e53b3067916918b70718ca188c16895511a272a020c9a71084eecda
+    image: docker.io/library/redis:alpine@sha256:59b6e694653476de2c992937ebe1c64182af4728e54bb49e9b7a6c26614d8933
    restart: always

  app:
-    image: nextcloud:31.0.6@sha256:588609d76b217cfd0feda653eea9894eeb12e612b327d2f1dcd38221ad242be0
-    #user: www-data:www-data
+    image: docker.io/library/nextcloud:32.0.0@sha256:3e70e4dfe882ef44738fdc30d9896fb07c12febb27c4a1177e3d63dc0004a0b4
    restart: always
-    #post_start:
-      #- command: chown -R www-data:www-data /var/www/html && while ! nc -z db 3306; do sleep 1; echo sleeping; done
-        #user: root
    ports:
-      - 8080:80
+      - 0.0.0.0:8080:80
    depends_on:
      - redis
      - db
@@ -46,13 +42,34 @@ services:

  mcp:
    build: .
+    command: ["--transport", "streamable-http"]
+    restart: always
+    depends_on:
+      - app
    ports:
-      - 8000:8000
+      - 127.0.0.1:8000:8000
    environment:
      - NEXTCLOUD_HOST=http://app:80
      - NEXTCLOUD_USERNAME=admin
      - NEXTCLOUD_PASSWORD=admin

+  mcp-oauth:
+    build: .
+    command: ["--transport", "streamable-http", "--oauth", "--port", "8001"]
+    restart: always
+    depends_on:
+      - app
+    ports:
+      - 127.0.0.1:8001:8001
+    environment:
+      - NEXTCLOUD_HOST=http://app:80
+      - NEXTCLOUD_MCP_SERVER_URL=http://127.0.0.1:8001
+      - NEXTCLOUD_PUBLIC_ISSUER_URL=http://127.0.0.1:8080
+      # No USERNAME/PASSWORD - will use OAuth
+    volumes:
+      - oauth-client-storage:/app/.oauth
+
 volumes:
  nextcloud:
  db:
+  oauth-client-storage:
@@ -0,0 +1,161 @@
+# Authentication
+
+The Nextcloud MCP server supports two authentication modes for connecting to your Nextcloud instance.
+
+## Authentication Modes Comparison
+
+| Mode | Status | Security | Use Case |
+|------|--------|----------|----------|
+| **OAuth2/OIDC** | ✅ Recommended | 🔒 High | Production deployments, multi-user scenarios |
+| **Basic Auth** | ⚠️ Legacy | ⚠️ Lower | Development, backward compatibility |
+
+## OAuth2/OIDC (Recommended)
+
+OAuth2/OIDC authentication provides secure, token-based authentication following modern security standards.
+
+### Architecture
+
+The Nextcloud MCP Server acts as an **OAuth 2.0 Resource Server**, protecting access to Nextcloud resources:
+
+```
+MCP Client ←→ MCP Server (Resource Server) ←→ Nextcloud (Authorization Server + APIs)
+            OAuth Flow with PKCE            Bearer Token Auth
+```
+
+**Key Components**:
+- **MCP Server**: OAuth Resource Server (validates tokens, provides MCP tools)
+- **Nextcloud `oidc` app**: OAuth Authorization Server (issues tokens)
+- **Nextcloud `user_oidc` app**: Token validation middleware
+- **MCP Client**: Any MCP-compatible client (Claude, custom clients)
+
+For detailed architecture, see [OAuth Architecture](oauth-architecture.md).
+
+### Required Nextcloud Apps
+
+OAuth authentication requires **two Nextcloud apps** to work together:
+
+#### 1. `oidc` - OIDC Identity Provider
+**Purpose:** Makes Nextcloud an OAuth2/OIDC authorization server
+
+**Provides:**
+- OAuth2 authorization endpoint (`/apps/oidc/authorize`)
+- Token endpoint (`/apps/oidc/token`)
+- User info endpoint (`/apps/oidc/userinfo`)
+- JWKS endpoint for token validation (`/apps/oidc/jwks`)
+- Dynamic client registration endpoint (`/apps/oidc/register`)
+
+**Installation:** Available in Nextcloud App Store under "Security"
+
+#### 2. `user_oidc` - OpenID Connect User Backend
+**Purpose:** Authenticates users and validates Bearer tokens
+
+**Provides:**
+- Bearer token validation against the OIDC provider
+- User authentication via OIDC
+- Session management for authenticated users
+
+**Installation:** Available in Nextcloud App Store under "Security"
+
+**Important:** The `user_oidc` app requires a patch for Bearer token support on non-OCS endpoints (like Notes API). See [Upstream Status](oauth-upstream-status.md) for details.
+
+### Benefits
+- **Zero-config deployment** via dynamic client registration
+- **No credential storage** in environment variables
+- **Per-user authentication** with access tokens
+- **Per-user permissions** - each user has their own Nextcloud client
+- **Automatic token validation** via Nextcloud OIDC userinfo endpoint
+- **Token caching** for performance (default: 1 hour TTL)
+- **PKCE required** for enhanced security (S256 code challenge)
+- **Secure by design** following OAuth 2.0 and OpenID Connect standards
+
+### Current Implementation Limitations
+
+> [!IMPORTANT]
+> **Tested Configuration:**
+> - ✅ Nextcloud `oidc` app (OIDC Identity Provider) + `user_oidc` app (OIDC User Backend)
+> - ✅ Nextcloud acting as its own identity provider (self-hosted OIDC)
+> - ✅ MCP server as OAuth Resource Server
+> - ✅ PKCE with S256 code challenge method
+>
+> **Not Tested:**
+> - ❌ External identity providers (Azure AD, Keycloak, Okta, etc.)
+> - ❌ Using `user_oidc` with external OIDC providers
+>
+> **Known Requirements:**
+> - 🔧 The `user_oidc` app requires a patch for Bearer token support on non-OCS endpoints (see [Upstream Status](oauth-upstream-status.md))
+> - ⏱️ Dynamic client registration credentials expire (default: 1 hour) - use pre-configured clients for production
+> - 🔐 PKCE must be advertised in OIDC discovery (see [Upstream Status](oauth-upstream-status.md))
+
+### How OAuth Works
+
+The MCP server implements the OAuth 2.0 Resource Server pattern:
+
+**Phase 1: Authorization (OAuth Flow with PKCE)**
+1. MCP client connects and receives OAuth settings (issuer URL, scopes)
+2. Client initiates OAuth flow with PKCE (Proof Key for Code Exchange)
+3. User authenticates via browser to Nextcloud
+4. Nextcloud redirects back with authorization code
+5. Client exchanges code + code_verifier for access token
+
+**Phase 2: API Access (Bearer Token Validation)**
+6. Client sends MCP requests with `Authorization: Bearer <token>` header
+7. MCP server validates token by calling Nextcloud's userinfo endpoint
+8. Server creates per-user NextcloudClient instance with the token
+9. All Nextcloud API requests use the user's Bearer token
+10. User-specific permissions and audit trails apply
+
+This ensures:
+- Each user has their own authenticated session
+- Actions appear from the correct user in Nextcloud logs
+- Proper permission boundaries are maintained
+- No shared credentials between users
+
+### See Also
+- [OAuth Quick Start](quickstart-oauth.md) - 5-minute setup for development
+- [OAuth Setup Guide](oauth-setup.md) - Detailed production setup
+- [OAuth Architecture](oauth-architecture.md) - Technical details
+- [Upstream Status](oauth-upstream-status.md) - Required patches and PR status
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - OAuth-specific issues
+- [Configuration](configuration.md) - Environment variables
+
+## Basic Authentication (Legacy)
+
+Basic Authentication uses username and password credentials directly.
+
+### Benefits
+- **Simple setup** with username/password
+- **Single-user** server instances
+- **Quick for development** and testing
+
+### Limitations
+- **Credentials in environment** (less secure)
+- **Single user only** - all requests use the same account
+- **No audit trail** - all actions appear from the same user
+- **Maintained for compatibility** - will be deprecated in future versions
+
+> [!WARNING]
+> **Security Notice:** Basic Authentication stores credentials in environment variables and is less secure than OAuth. It's maintained for backward compatibility only and may be deprecated in future versions. Use OAuth for production deployments.
+
+### See Also
+- [Configuration](configuration.md#basic-authentication-legacy) - BasicAuth environment variables
+- [Running the Server](running.md#basicauth-mode-legacy) - BasicAuth examples
+
+## Mode Detection
+
+The server automatically detects the authentication mode:
+
+- **OAuth mode**: When `NEXTCLOUD_USERNAME` and `NEXTCLOUD_PASSWORD` are NOT set
+- **BasicAuth mode**: When both username and password are provided
+
+You can also force a specific mode using CLI flags:
+```bash
+# Force OAuth mode
+uv run nextcloud-mcp-server --oauth
+
+# Force BasicAuth mode
+uv run nextcloud-mcp-server --no-oauth
+```
+
+## Switching Between Modes
+
+See [Troubleshooting: Switching Between OAuth and BasicAuth](troubleshooting.md#switching-between-oauth-and-basicauth) for instructions.
@@ -0,0 +1,109 @@
+# Calendar App
+
+### Calendar Tools
+
+| Tool | Description |
+|------|-------------|
+| `nc_calendar_list_calendars` | List all available calendars for the user |
+| `nc_calendar_create_event` | Create a comprehensive calendar event with full feature support (recurring, reminders, attendees, etc.) |
+| `nc_calendar_list_events` | **Enhanced:** List events with advanced filtering (min attendees, duration, categories, status, search across all calendars) |
+| `nc_calendar_get_event` | Get detailed information about a specific event |
+| `nc_calendar_update_event` | Update any aspect of an existing event |
+| `nc_calendar_delete_event` | Delete a calendar event |
+| `nc_calendar_create_meeting` | Quick meeting creation with smart defaults |
+| `nc_calendar_get_upcoming_events` | Get upcoming events in the next N days |
+| `nc_calendar_find_availability` | **New:** Intelligent availability finder - find free time slots for meetings with attendee conflict detection |
+| `nc_calendar_bulk_operations` | **New:** Bulk update, delete, or move events matching filter criteria |
+| `nc_calendar_manage_calendar` | **New:** Create, delete, and manage calendar properties |
+
+### Calendar Integration
+
+The server provides comprehensive calendar integration through CalDAV, enabling you to:
+
+- List all available calendars
+- Create, read, update, and delete calendar events  
+- Handle recurring events with RRULE support
+- Manage event reminders and notifications
+- Support all-day and timed events
+- Handle attendees and meeting invitations
+- Organize events with categories and priorities
+
+**Usage Examples:**
+
+```python
+# List available calendars
+calendars = await nc_calendar_list_calendars()
+
+# Create a simple event
+await nc_calendar_create_event(
+    calendar_name="personal",
+    title="Team Meeting", 
+    start_datetime="2025-07-28T14:00:00",
+    end_datetime="2025-07-28T15:00:00",
+    description="Weekly team sync",
+    location="Conference Room A"
+)
+
+# Create a recurring weekly meeting
+await nc_calendar_create_event(
+    calendar_name="work",
+    title="Weekly Standup",
+    start_datetime="2025-07-28T09:00:00", 
+    end_datetime="2025-07-28T09:30:00",
+    recurring=True,
+    recurrence_rule="FREQ=WEEKLY;BYDAY=MO"
+)
+
+# Quick meeting creation
+await nc_calendar_create_meeting(
+    title="Client Call",
+    date="2025-07-28",
+    time="15:00",
+    duration_minutes=60,
+    attendees="client@example.com,colleague@company.com"
+)
+
+# Get upcoming events  
+events = await nc_calendar_get_upcoming_events(days_ahead=7)
+
+# Advanced search - find all meetings with 5+ attendees lasting 2+ hours
+long_meetings = await nc_calendar_list_events(
+    calendar_name="",  # Search all calendars
+    search_all_calendars=True,
+    start_date="2025-07-01",
+    end_date="2025-07-31", 
+    min_attendees=5,
+    min_duration_minutes=120,
+    title_contains="meeting"
+)
+
+# Find availability for a 1-hour meeting with specific attendees
+availability = await nc_calendar_find_availability(
+    duration_minutes=60,
+    attendees="sarah@company.com,mike@company.com",
+    date_range_start="2025-07-28",
+    date_range_end="2025-08-04",
+    business_hours_only=True,
+    exclude_weekends=True,
+    preferred_times="09:00-12:00,14:00-17:00"
+)
+
+# Bulk update all team meetings to new location
+bulk_result = await nc_calendar_bulk_operations(
+    operation="update",
+    title_contains="team meeting",
+    start_date="2025-08-01", 
+    end_date="2025-08-31",
+    new_location="Conference Room B",
+    new_reminder_minutes=15
+)
+
+# Create a new project calendar
+new_calendar = await nc_calendar_manage_calendar(
+    action="create",
+    calendar_name="project-alpha",
+    display_name="Project Alpha Calendar",
+    description="Calendar for Project Alpha team",
+    color="#FF5722"
+)
+```
@@ -0,0 +1,253 @@
+# Configuration
+
+The Nextcloud MCP server requires configuration to connect to your Nextcloud instance. Configuration is provided through environment variables, typically stored in a `.env` file.
+
+## Quick Start
+
+Create a `.env` file based on `env.sample`:
+
+```bash
+cp env.sample .env
+# Edit .env with your Nextcloud details
+```
+
+Then choose your authentication mode:
+
+- [OAuth2/OIDC Configuration](#oauth2oidc-configuration) (Recommended)
+- [Basic Authentication Configuration](#basic-authentication-legacy)
+
+---
+
+## OAuth2/OIDC Configuration
+
+OAuth2/OIDC is the recommended authentication mode for production deployments.
+
+### Minimal Configuration (Auto-registration)
+
+```dotenv
+# .env file for OAuth with auto-registration
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+
+# Leave these EMPTY for OAuth mode
+NEXTCLOUD_USERNAME=
+NEXTCLOUD_PASSWORD=
+```
+
+This minimal configuration uses dynamic client registration to automatically register an OAuth client at startup.
+
+### Full Configuration (Pre-configured Client)
+
+```dotenv
+# .env file for OAuth with pre-configured client
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+
+# OAuth Client Credentials (optional - auto-registers if not provided)
+NEXTCLOUD_OIDC_CLIENT_ID=your-client-id
+NEXTCLOUD_OIDC_CLIENT_SECRET=your-client-secret
+
+# OAuth Storage and Callback Settings (optional)
+NEXTCLOUD_OIDC_CLIENT_STORAGE=.nextcloud_oauth_client.json
+NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
+
+# Leave these EMPTY for OAuth mode
+NEXTCLOUD_USERNAME=
+NEXTCLOUD_PASSWORD=
+```
+
+### Environment Variables Reference
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `NEXTCLOUD_HOST` | ✅ Yes | - | Full URL of your Nextcloud instance (e.g., `https://cloud.example.com`) |
+| `NEXTCLOUD_OIDC_CLIENT_ID` | ⚠️ Optional | - | OAuth client ID (auto-registers if empty) |
+| `NEXTCLOUD_OIDC_CLIENT_SECRET` | ⚠️ Optional | - | OAuth client secret (auto-registers if empty) |
+| `NEXTCLOUD_OIDC_CLIENT_STORAGE` | ⚠️ Optional | `.nextcloud_oauth_client.json` | Path to store auto-registered client credentials |
+| `NEXTCLOUD_MCP_SERVER_URL` | ⚠️ Optional | `http://localhost:8000` | MCP server URL for OAuth callbacks |
+| `NEXTCLOUD_USERNAME` | ❌ Must be empty | - | Leave empty to enable OAuth mode |
+| `NEXTCLOUD_PASSWORD` | ❌ Must be empty | - | Leave empty to enable OAuth mode |
+
+### Prerequisites
+
+Before using OAuth configuration:
+
+1. **Install required Nextcloud apps** (both are required):
+   - **`oidc`** - OIDC Identity Provider (Apps → Security)
+   - **`user_oidc`** - OpenID Connect user backend (Apps → Security)
+
+2. **Configure the apps**:
+   - Enable dynamic client registration (if using auto-registration) - Settings → OIDC
+   - Enable Bearer token validation: `php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean`
+
+3. **Apply Bearer token patch** - The `user_oidc` app requires a patch for non-OCS endpoints - See [Upstream Status](oauth-upstream-status.md) for details
+
+See the [OAuth Setup Guide](oauth-setup.md) for detailed step-by-step instructions, or [OAuth Quick Start](quickstart-oauth.md) for a 5-minute setup.
+
+---
+
+## Basic Authentication (Legacy)
+
+Basic Authentication is maintained for backward compatibility. It uses username and password credentials.
+
+> [!WARNING]
+> **Security Notice:** Basic Authentication stores credentials in environment variables and is less secure than OAuth. Use OAuth for production deployments.
+
+### Configuration
+
+```dotenv
+# .env file for BasicAuth mode
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+NEXTCLOUD_USERNAME=your_nextcloud_username
+NEXTCLOUD_PASSWORD=your_app_password_or_password
+```
+
+### Environment Variables Reference
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `NEXTCLOUD_HOST` | ✅ Yes | Full URL of your Nextcloud instance |
+| `NEXTCLOUD_USERNAME` | ✅ Yes | Your Nextcloud username |
+| `NEXTCLOUD_PASSWORD` | ✅ Yes | **Recommended:** Use a dedicated [Nextcloud App Password](https://docs.nextcloud.com/server/latest/user_manual/en/session_management.html#managing-devices). Generate one in Nextcloud Security settings. Alternatively, use your login password (less secure). |
+
+---
+
+## Loading Environment Variables
+
+After creating your `.env` file, load the environment variables:
+
+### On Linux/macOS
+
+```bash
+# Load all variables from .env
+export $(grep -v '^#' .env | xargs)
+```
+
+### On Windows (PowerShell)
+
+```powershell
+# Load variables from .env
+Get-Content .env | ForEach-Object {
+    if ($_ -match '^\s*([^#][^=]*)\s*=\s*(.*)$') {
+        [Environment]::SetEnvironmentVariable($matches[1].Trim(), $matches[2].Trim(), "Process")
+    }
+}
+```
+
+### Via Docker
+
+```bash
+# Docker automatically loads .env when using --env-file
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+---
+
+## CLI Configuration
+
+Some configuration options can also be provided via CLI arguments. CLI arguments take precedence over environment variables.
+
+### OAuth-related CLI Options
+
+```bash
+uv run nextcloud-mcp-server --help
+
+Options:
+  --oauth / --no-oauth            Force OAuth mode (if enabled) or
+                                  BasicAuth mode (if disabled). By default,
+                                  auto-detected based on environment
+                                  variables.
+  --oauth-client-id TEXT          OAuth client ID (can also use
+                                  NEXTCLOUD_OIDC_CLIENT_ID env var)
+  --oauth-client-secret TEXT      OAuth client secret (can also use
+                                  NEXTCLOUD_OIDC_CLIENT_SECRET env var)
+  --oauth-storage-path TEXT       Path to store OAuth client credentials
+                                  (can also use
+                                  NEXTCLOUD_OIDC_CLIENT_STORAGE env var)
+                                  [default: .nextcloud_oauth_client.json]
+  --mcp-server-url TEXT           MCP server URL for OAuth callbacks (can
+                                  also use NEXTCLOUD_MCP_SERVER_URL env
+                                  var)  [default: http://localhost:8000]
+```
+
+### Server Options
+
+```bash
+Options:
+  -h, --host TEXT                 Server host  [default: 127.0.0.1]
+  -p, --port INTEGER              Server port  [default: 8000]
+  -w, --workers INTEGER           Number of worker processes
+  -r, --reload                    Enable auto-reload
+  -l, --log-level [critical|error|warning|info|debug|trace]
+                                  Logging level  [default: info]
+  -t, --transport [sse|streamable-http|http]
+                                  MCP transport protocol  [default: sse]
+```
+
+### App Selection
+
+```bash
+Options:
+  -e, --enable-app [notes|tables|webdav|calendar|contacts|deck]
+                                  Enable specific Nextcloud app APIs. Can
+                                  be specified multiple times. If not
+                                  specified, all apps are enabled.
+```
+
+### Example CLI Usage
+
+```bash
+# OAuth mode with custom client and port
+uv run nextcloud-mcp-server --oauth \
+  --oauth-client-id abc123 \
+  --oauth-client-secret xyz789 \
+  --port 8080
+
+# BasicAuth mode with specific apps only
+uv run nextcloud-mcp-server --no-oauth \
+  --enable-app notes \
+  --enable-app calendar
+```
+
+---
+
+## Configuration Best Practices
+
+### For Development
+
+- Use BasicAuth for quick setup and testing
+- Or use OAuth with auto-registration (dynamic client registration)
+- Store `.env` file in your project directory
+- Add `.env` to `.gitignore`
+
+### For Production
+
+- **Always use OAuth2/OIDC** with pre-configured clients
+- Store OAuth client credentials securely
+- Use environment variables from your deployment platform (Docker secrets, Kubernetes ConfigMaps, etc.)
+- Never commit credentials to version control
+- Set appropriate file permissions on credential storage:
+  ```bash
+  chmod 600 .nextcloud_oauth_client.json
+  ```
+
+### For Docker
+
+- Mount OAuth client storage as a volume for persistence:
+  ```bash
+  docker run -v $(pwd)/.oauth:/app/.oauth --env-file .env \
+    ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+  ```
+- Use Docker secrets for sensitive values in production
+
+---
+
+## See Also
+
+- [OAuth Quick Start](quickstart-oauth.md) - 5-minute OAuth setup for development
+- [OAuth Setup Guide](oauth-setup.md) - Detailed OAuth configuration for production
+- [OAuth Architecture](oauth-architecture.md) - How OAuth works in the MCP server
+- [Upstream Status](oauth-upstream-status.md) - Required patches and upstream PRs
+- [Authentication](authentication.md) - Authentication modes comparison
+- [Running the Server](running.md) - Starting the server with different configurations
+- [Troubleshooting](troubleshooting.md) - Common configuration issues
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - OAuth-specific troubleshooting
@@ -0,0 +1,12 @@
+# Contacts App
+
+### Contacts Tools
+
+| Tool | Description |
+|------|-------------|
+| `nc_contacts_list_addressbooks` | List all available addressbooks for the user |
+| `nc_contacts_list_contacts` | List all contacts in a specific addressbook |
+| `nc_contacts_create_addressbook` | Create a new addressbook |
+| `nc_contacts_delete_addressbook` | Delete an addressbook |
+| `nc_contacts_create_contact` | Create a new contact in an addressbook |
+| `nc_contacts_delete_contact` | Delete a contact from an addressbook |
@@ -0,0 +1,108 @@
+# Deck App
+
+### Deck Tools
+
+| Tool | Description |
+|------|-------------|
+| `deck_create_board` | Create a new Deck board with title and color |
+| `deck_create_stack` | Create a new stack in a board |
+| `deck_update_stack` | Update stack title and order |
+| `deck_delete_stack` | Delete a stack and all its cards |
+| `deck_create_card` | Create a new card in a stack with full options (title, description, due date, etc.) |
+| `deck_update_card` | Update any aspect of a card (title, description, owner, order, etc.) |
+| `deck_delete_card` | Delete a card |
+| `deck_archive_card` | Archive a card |
+| `deck_unarchive_card` | Unarchive a card |
+| `deck_reorder_card` | Move/reorder cards within or between stacks |
+| `deck_create_label` | Create a new label in a board |
+| `deck_update_label` | Update label title and color |
+| `deck_delete_label` | Delete a label |
+| `deck_assign_label_to_card` | Assign a label to a card |
+| `deck_remove_label_from_card` | Remove a label from a card |
+| `deck_assign_user_to_card` | Assign a user to a card |
+| `deck_unassign_user_from_card` | Remove a user assignment from a card |
+
+### Deck Resources
+| Resource | Description |
+|----------|-------------|
+| `nc://Deck/boards` | List all deck boards |
+| `nc://Deck/boards/{board_id}` | Get details of a specific board |
+| `nc://Deck/boards/{board_id}/stacks` | List all stacks in a board |
+| `nc://Deck/boards/{board_id}/stacks/{stack_id}` | Get details of a specific stack |
+| `nc://Deck/boards/{board_id}/stacks/{stack_id}/cards` | List all cards in a stack |
+| `nc://Deck/boards/{board_id}/stacks/{stack_id}/cards/{card_id}` | Get details of a specific card |
+| `nc://Deck/boards/{board_id}/labels` | List all labels in a board |
+| `nc://Deck/boards/{board_id}/labels/{label_id}` | Get details of a specific label |
+
+
+
+### Deck Project Management
+
+The server provides complete Nextcloud Deck integration, enabling you to manage projects, tasks, and workflows:
+
+- Create and manage boards, stacks, and cards
+- Organize tasks with labels and user assignments
+- Archive/unarchive cards and reorder within or between stacks
+- Full CRUD operations on all Deck entities
+- Browse project structure through hierarchical resources
+
+**Usage Examples:**
+
+```python
+# Create a new project board
+await deck_create_board(title="Website Redesign", color="1976D2")
+
+# Create workflow stacks
+await deck_create_stack(board_id=1, title="To Do", order=1)
+await deck_create_stack(board_id=1, title="In Progress", order=2)
+await deck_create_stack(board_id=1, title="Done", order=3)
+
+# Create task cards with details
+await deck_create_card(
+    board_id=1,
+    stack_id=1,
+    title="Design new homepage",
+    description="Create mockups for the new homepage layout",
+    type="plain",
+    order=1,
+    duedate="2025-08-15T17:00:00"
+)
+
+# Create and assign labels for organization
+await deck_create_label(board_id=1, title="High Priority", color="F44336")
+await deck_create_label(board_id=1, title="UI/UX", color="9C27B0")
+
+# Assign labels and users to cards
+await deck_assign_label_to_card(board_id=1, stack_id=1, card_id=1, label_id=1)
+await deck_assign_user_to_card(board_id=1, stack_id=1, card_id=1, user_id="designer")
+
+# Move cards through workflow
+await deck_reorder_card(
+    board_id=1,
+    stack_id=1,        # From "To Do"
+    card_id=1,
+    order=1,
+    target_stack_id=2  # To "In Progress"
+)
+
+# Update task progress
+await deck_update_card(
+    board_id=1,
+    stack_id=2,
+    card_id=1,
+    description="Homepage mockups completed, starting development",
+    order=1
+)
+
+# Complete tasks
+await deck_reorder_card(
+    board_id=1,
+    stack_id=2,        # From "In Progress"  
+    card_id=1,
+    order=1,
+    target_stack_id=3  # To "Done"
+)
+
+# Archive completed cards
+await deck_archive_card(board_id=1, stack_id=3, card_id=1)
+```
@@ -0,0 +1,215 @@
+# Installation
+
+This guide covers installing the Nextcloud MCP server on your system.
+
+## Prerequisites
+
+- **Python 3.11+** - Check with `python3 --version`
+- **Access to a Nextcloud instance** - Self-hosted or cloud-hosted
+- **Administrator access** (for OAuth setup) - Required to install OIDC app
+
+## Installation Methods
+
+Choose one of the following installation methods:
+
+- [From Source (Recommended)](#from-source-recommended)
+- [Using Docker](#using-docker)
+
+---
+
+## From Source (Recommended)
+
+Install from the GitHub repository using uv or pip.
+
+### Prerequisites
+
+Install [uv](https://github.com/astral-sh/uv) (recommended) or ensure pip is available:
+
+```bash
+# Install uv (recommended)
+# On macOS/Linux
+curl -LsSf https://astral.sh/uv/install.sh | sh
+
+# On Windows
+powershell -c "irm https://astral.sh/uv/install.ps1 | iex"
+```
+
+### Clone the Repository
+
+```bash
+git clone https://github.com/cbcoutinho/nextcloud-mcp-server.git
+cd nextcloud-mcp-server
+```
+
+### Install Dependencies
+
+#### Using uv (Recommended)
+
+```bash
+# Install dependencies
+uv sync
+
+# Install development dependencies (optional)
+uv sync --group dev
+```
+
+#### Using pip
+
+```bash
+# Create virtual environment
+python3 -m venv venv
+source venv/bin/activate  # On Windows: venv\Scripts\activate
+
+# Install in development mode
+pip install -e .
+
+# Install development dependencies (optional)
+pip install -e ".[dev]"
+```
+
+### Verify Installation
+
+```bash
+# With uv
+uv run nextcloud-mcp-server --help
+
+# With pip/venv
+nextcloud-mcp-server --help
+```
+
+---
+
+## Using Docker
+
+A pre-built Docker image is available for easy deployment.
+
+### Pull the Image
+
+```bash
+docker pull ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+### Run the Container
+
+```bash
+# Prepare your .env file first (see Configuration guide)
+
+# Run with environment file
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+### Docker Compose
+
+Create a `docker-compose.yml`:
+
+```yaml
+version: '3.8'
+
+services:
+  mcp:
+    image: ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+    ports:
+      - "127.0.0.1:8000:8000"
+    env_file:
+      - .env
+    volumes:
+      # For persistent OAuth client storage
+      - ./oauth-storage:/app/.oauth
+    restart: unless-stopped
+```
+
+Start the service:
+
+```bash
+docker-compose up -d
+```
+
+---
+
+## Next Steps
+
+After installation:
+
+1. **Configure the server** - See [Configuration Guide](configuration.md)
+2. **Set up authentication** - See [OAuth Setup Guide](oauth-setup.md) or [Authentication](authentication.md)
+3. **Run the server** - See [Running the Server](running.md)
+
+## Updating
+
+### Update from Source
+
+```bash
+cd nextcloud-mcp-server
+git pull origin master
+
+# Using uv
+uv sync
+
+# Or using pip
+pip install -e .
+```
+
+### Update Docker Image
+
+```bash
+docker pull ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+
+# If using docker-compose
+docker-compose up -d  # Restart with new image
+
+# If using docker run
+# Stop the old container and start a new one with the updated image
+```
+
+## Troubleshooting Installation
+
+### Issue: "Python version too old"
+
+**Cause:** Python 3.11+ is required.
+
+**Solution:**
+```bash
+# Check your Python version
+python3 --version
+
+# Install Python 3.11+ from:
+# - https://www.python.org/downloads/
+# - Or use your system package manager (apt, brew, etc.)
+```
+
+### Issue: "Command not found: nextcloud-mcp-server"
+
+**Cause:** The package is not in your PATH.
+
+**Solution:**
+```bash
+# Ensure your virtual environment is activated
+source venv/bin/activate
+
+# Or use uv run
+uv run nextcloud-mcp-server --help
+
+# Or use python -m
+python -m nextcloud_mcp_server.app --help
+```
+
+### Issue: Docker permission denied
+
+**Cause:** Docker requires elevated permissions.
+
+**Solution:**
+```bash
+# Add your user to the docker group (Linux)
+sudo usermod -aG docker $USER
+# Log out and back in
+
+# Or use sudo
+sudo docker run ...
+```
+
+## See Also
+
+- [Configuration Guide](configuration.md) - Environment variables and settings
+- [OAuth Setup Guide](oauth-setup.md) - OAuth authentication setup
+- [Running the Server](running.md) - Starting and managing the server
@@ -0,0 +1,19 @@
+# Notes App
+
+### Notes Tools
+
+| Tool | Description |
+|------|-------------|
+| `nc_notes_create_note` | Create a new note with title, content, and category |
+| `nc_notes_update_note` | Update an existing note by ID |
+| `nc_notes_append_content` | Append content to an existing note with a clear separator |
+| `nc_notes_delete_note` | Delete a note by ID |
+| `nc_notes_search_notes` | Search notes by title or content |
+
+### Note Attachments
+
+This server supports adding and retrieving note attachments via WebDAV. Please note the following behavior regarding attachments:
+
+* When a note is deleted, its attachments remain in the system. This matches the behavior of the official Nextcloud Notes app.
+* Orphaned attachments (attachments whose parent notes have been deleted) may accumulate over time.
+* WebDAV permissions must be properly configured for attachment operations to work correctly.
@@ -0,0 +1,322 @@
+# OAuth Architecture
+
+This document explains how OAuth2/OIDC authentication works in the Nextcloud MCP Server implementation.
+
+## Overview
+
+The Nextcloud MCP Server acts as an **OAuth 2.0 Resource Server**, protecting access to Nextcloud resources. It relies on Nextcloud's OIDC Identity Provider for user authentication and token validation.
+
+## Architecture Diagram
+
+```
+┌─────────────┐                  ┌──────────────────┐                  ┌─────────────────┐
+│             │                  │                  │                  │                 │
+│ MCP Client  │                  │   MCP Server     │                  │   Nextcloud     │
+│ (Claude,    │                  │   (Resource      │                  │   Instance      │
+│  etc.)      │                  │    Server)       │                  │                 │
+│             │                  │                  │                  │                 │
+└──────┬──────┘                  └────────┬─────────┘                  └────────┬────────┘
+       │                                  │                                     │
+       │                                  │                                     │
+       │  1. Connect to MCP               │                                     │
+       ├─────────────────────────────────>│                                     │
+       │                                  │                                     │
+       │  2. Return auth settings         │                                     │
+       │     (issuer_url, scopes)         │                                     │
+       │<─────────────────────────────────┤                                     │
+       │                                  │                                     │
+       │                                  │                                     │
+       │  3. Start OAuth flow (with PKCE) │                                     │
+       ├──────────────────────────────────┼────────────────────────────────────>│
+       │                                  │   /apps/oidc/authorize              │
+       │                                  │                                     │
+       │  4. User authenticates in browser│                                     │
+       │<─────────────────────────────────┼─────────────────────────────────────┤
+       │                                  │                                     │
+       │  5. Authorization code (redirect)│                                     │
+       │<─────────────────────────────────┤                                     │
+       │                                  │                                     │
+       │  6. Exchange code for token      │                                     │
+       ├──────────────────────────────────┼────────────────────────────────────>│
+       │                                  │   /apps/oidc/token                  │
+       │                                  │                                     │
+       │  7. Access token                 │                                     │
+       │<─────────────────────────────────┼─────────────────────────────────────┤
+       │                                  │                                     │
+       │                                  │                                     │
+       │  8. API request with Bearer token│                                     │
+       ├─────────────────────────────────>│                                     │
+       │     Authorization: Bearer xxx    │                                     │
+       │                                  │                                     │
+       │                                  │  9. Validate token via userinfo     │
+       │                                  ├────────────────────────────────────>│
+       │                                  │     /apps/oidc/userinfo             │
+       │                                  │                                     │
+       │                                  │  10. User info (token valid)        │
+       │                                  │<────────────────────────────────────┤
+       │                                  │                                     │
+       │                                  │  11. Nextcloud API request          │
+       │                                  ├────────────────────────────────────>│
+       │                                  │     Authorization: Bearer xxx       │
+       │                                  │     (Notes, Calendar, etc.)         │
+       │                                  │                                     │
+       │                                  │  12. API response                   │
+       │                                  │<────────────────────────────────────┤
+       │                                  │                                     │
+       │  13. MCP tool response           │                                     │
+       │<─────────────────────────────────┤                                     │
+       │                                  │                                     │
+```
+
+## Components
+
+### 1. MCP Client
+- Any MCP-compatible client (Claude Desktop, Claude Code, custom clients)
+- Initiates OAuth flow with PKCE (Proof Key for Code Exchange)
+- Stores and sends access token with each request
+- **Example**: Claude Desktop, Claude Code
+
+### 2. MCP Server (Resource Server)
+- **Role**: OAuth 2.0 Resource Server
+- **Location**: This Nextcloud MCP Server implementation
+- **Responsibilities**:
+  - Validates Bearer tokens by calling Nextcloud's userinfo endpoint
+  - Caches validated tokens (default: 1 hour TTL)
+  - Creates authenticated Nextcloud client instances per-user
+  - Enforces PKCE requirements (S256 code challenge method)
+  - Exposes Nextcloud functionality via MCP tools
+
+**Key Files**:
+- [`app.py`](../nextcloud_mcp_server/app.py) - OAuth mode detection and configuration
+- [`auth/token_verifier.py`](../nextcloud_mcp_server/auth/token_verifier.py) - Token validation logic
+- [`auth/context_helper.py`](../nextcloud_mcp_server/auth/context_helper.py) - Per-user client creation
+
+### 3. Nextcloud OIDC Apps
+
+#### a) `oidc` - OIDC Identity Provider
+- **Role**: OAuth 2.0 Authorization Server
+- **Location**: Nextcloud app (`apps/oidc`)
+- **Endpoints**:
+  - `/.well-known/openid-configuration` - Discovery endpoint
+  - `/apps/oidc/authorize` - Authorization endpoint
+  - `/apps/oidc/token` - Token endpoint
+  - `/apps/oidc/userinfo` - User info endpoint (token validation)
+  - `/apps/oidc/jwks` - JSON Web Key Set
+  - `/apps/oidc/register` - Dynamic client registration
+
+**Configuration**:
+```bash
+# Enable dynamic client registration (optional)
+# Settings → OIDC → "Allow dynamic client registration"
+```
+
+#### b) `user_oidc` - OpenID Connect User Backend
+- **Role**: Bearer token validation middleware
+- **Location**: Nextcloud app (`apps/user_oidc`)
+- **Responsibilities**:
+  - Validates Bearer tokens for Nextcloud API requests
+  - Creates user sessions from valid Bearer tokens
+  - Integrates with Nextcloud's authentication system
+
+**Configuration**:
+```bash
+# Enable Bearer token validation (required)
+php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+```
+
+> [!IMPORTANT]
+> The `user_oidc` app requires a patch to properly support Bearer token authentication for non-OCS endpoints. See [Upstream Status](oauth-upstream-status.md) for details.
+
+### 4. Nextcloud Instance
+- **Role**: Resource Owner / API Provider
+- **Provides**: Notes, Calendar, Contacts, Deck, Files, etc.
+
+## Authentication Flow
+
+### Phase 1: OAuth Authorization (Steps 1-7)
+
+1. **Client Connects**: MCP client connects to MCP server
+2. **Auth Settings**: MCP server returns OAuth settings:
+   ```json
+   {
+     "issuer_url": "https://nextcloud.example.com",
+     "resource_server_url": "http://localhost:8000",
+     "required_scopes": ["openid", "profile"]
+   }
+   ```
+3. **OAuth Flow**: Client initiates OAuth flow with PKCE
+   - Generates `code_verifier` (random string)
+   - Calculates `code_challenge` = SHA256(code_verifier)
+   - Redirects user to `/apps/oidc/authorize` with `code_challenge`
+4. **User Authentication**: User logs in to Nextcloud via browser
+5. **Authorization Code**: Nextcloud redirects back with authorization code
+6. **Token Exchange**: Client exchanges code for access token
+   - Sends `code` + `code_verifier` to `/apps/oidc/token`
+   - OIDC app validates PKCE challenge
+7. **Access Token**: Client receives access token (JWT or opaque)
+
+### Phase 2: API Access (Steps 8-13)
+
+8. **API Request**: Client sends MCP request with Bearer token
+9. **Token Validation**: MCP server validates token:
+   - Checks cache (1-hour TTL by default)
+   - If not cached, calls `/apps/oidc/userinfo` with Bearer token
+   - Extracts username from `sub` or `preferred_username` claim
+10. **User Info**: Nextcloud returns user info if token is valid
+11. **Nextcloud API Call**: MCP server calls Nextcloud API on behalf of user
+    - Creates `NextcloudClient` instance with Bearer token
+    - User-specific permissions apply
+12. **API Response**: Nextcloud returns data
+13. **MCP Response**: MCP server returns formatted response to client
+
+## Token Validation
+
+The MCP server validates tokens using the **userinfo endpoint approach**:
+
+### Why Userinfo (vs JWT Validation)?
+
+**Advantages**:
+- Works with both JWT and opaque tokens
+- No need to manage JWKS rotation
+- Always up-to-date (respects token revocation)
+- Simpler implementation
+
+**Caching Strategy**:
+- Validated tokens cached for 1 hour (configurable)
+- Cache keyed by token string
+- Expired tokens re-validated automatically
+
+**Implementation**: See [`NextcloudTokenVerifier`](../nextcloud_mcp_server/auth/token_verifier.py)
+
+## PKCE Requirement
+
+The MCP server **requires** PKCE with S256 code challenge method:
+
+1. Server validates OIDC discovery advertises PKCE support
+2. Checks for `code_challenge_methods_supported` field
+3. Verifies `S256` is included in supported methods
+4. Logs error if PKCE not properly advertised
+
+**Why PKCE?**:
+- Required by MCP specification
+- Protects against authorization code interception
+- Essential for public clients (desktop apps, CLI tools)
+
+**Implementation**: See [`validate_pkce_support()`](../nextcloud_mcp_server/app.py#L31-L93)
+
+## Client Registration
+
+The MCP server supports two client registration modes:
+
+### Automatic Registration (Dynamic Client Registration)
+
+```bash
+# No client credentials needed
+NEXTCLOUD_HOST=https://nextcloud.example.com
+```
+
+**How it works**:
+1. Server checks `/.well-known/openid-configuration` for `registration_endpoint`
+2. Calls `/apps/oidc/register` to register new client
+3. Saves credentials to `.nextcloud_oauth_client.json`
+4. Re-registers if credentials expire
+
+**Best for**: Development, testing, short-lived deployments
+
+### Pre-configured Client
+
+```bash
+# Manual client registration via CLI
+php occ oidc:create --name="MCP Server" --type=confidential --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Configure MCP server
+NEXTCLOUD_HOST=https://nextcloud.example.com
+NEXTCLOUD_OIDC_CLIENT_ID=abc123
+NEXTCLOUD_OIDC_CLIENT_SECRET=xyz789
+```
+
+**Best for**: Production, long-running deployments
+
+## Per-User Client Instances
+
+Each authenticated user gets their own `NextcloudClient` instance:
+
+```python
+# From MCP context (contains validated token)
+client = get_client_from_context(ctx)
+
+# Creates NextcloudClient with:
+# - username: from token's 'sub' or 'preferred_username' claim
+# - auth: BearerAuth(token)
+```
+
+**Benefits**:
+- User-specific permissions
+- Audit trail (actions appear from correct user)
+- No shared credentials
+- Multi-user support
+
+**Implementation**: See [`get_client_from_context()`](../nextcloud_mcp_server/auth/context_helper.py)
+
+## Security Considerations
+
+### Token Storage
+- MCP client stores access token
+- MCP server does NOT store tokens (validates per-request)
+- Token validation results cached in-memory only
+
+### PKCE Protection
+- Server validates PKCE is advertised
+- Client MUST use PKCE with S256
+- Protects against authorization code interception
+
+### Scopes
+- Required scopes: `openid`, `profile`
+- Additional scopes inferred from userinfo response
+
+### Token Validation
+- Every MCP request validates Bearer token
+- Cached for performance (1-hour default)
+- Calls userinfo endpoint for validation
+
+## Configuration
+
+See [Configuration Guide](configuration.md) for all OAuth environment variables:
+
+| Variable | Purpose |
+|----------|---------|
+| `NEXTCLOUD_HOST` | Nextcloud instance URL |
+| `NEXTCLOUD_OIDC_CLIENT_ID` | Pre-configured client ID (optional) |
+| `NEXTCLOUD_OIDC_CLIENT_SECRET` | Pre-configured client secret (optional) |
+| `NEXTCLOUD_MCP_SERVER_URL` | MCP server URL for OAuth callbacks |
+| `NEXTCLOUD_OIDC_CLIENT_STORAGE` | Path for auto-registered credentials |
+
+## Testing
+
+The integration test suite includes comprehensive OAuth testing:
+
+- **Automated tests** (Playwright): [`tests/integration/test_oauth_playwright.py`](../tests/integration/test_oauth_playwright.py)
+- **Interactive tests**: [`tests/integration/test_oauth_interactive.py`](../tests/integration/test_oauth_interactive.py)
+- **Fixtures**: [`tests/conftest.py`](../tests/conftest.py)
+
+Run OAuth tests:
+```bash
+# Start OAuth-enabled MCP server
+docker-compose up --build -d mcp-oauth
+
+# Run automated tests
+uv run pytest tests/integration/test_oauth_playwright.py --browser firefox -v
+
+# Run interactive tests (manual login)
+uv run pytest tests/integration/test_oauth_interactive.py -v
+```
+
+## See Also
+
+- [OAuth Setup Guide](oauth-setup.md) - Configuration steps
+- [OAuth Quick Start](quickstart-oauth.md) - Get started quickly
+- [Upstream Status](oauth-upstream-status.md) - Required upstream patches
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - Common issues
+- [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749) - OAuth 2.0 Authorization Framework
+- [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636) - PKCE
+- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
@@ -0,0 +1,545 @@
+# OAuth Setup Guide
+
+This guide walks you through setting up OAuth2/OIDC authentication for the Nextcloud MCP server in production.
+
+> **Quick Start?** If you want a 5-minute setup for development, see [OAuth Quick Start](quickstart-oauth.md).
+
+## Table of Contents
+
+- [Prerequisites](#prerequisites)
+- [Architecture Overview](#architecture-overview)
+- [Step 1: Install Nextcloud Apps](#step-1-install-nextcloud-apps)
+- [Step 2: Configure OIDC Apps](#step-2-configure-oidc-apps)
+- [Step 3: Choose Deployment Mode](#step-3-choose-deployment-mode)
+- [Step 4: Configure MCP Server](#step-4-configure-mcp-server)
+- [Step 5: Start and Verify](#step-5-start-and-verify)
+- [Testing Authentication](#testing-authentication)
+- [Production Recommendations](#production-recommendations)
+
+## Prerequisites
+
+Before beginning, ensure you have:
+
+- **Nextcloud instance** with administrator access
+- **Nextcloud version** 28 or later
+- **SSH/CLI access** to Nextcloud server (for `occ` commands)
+- **Python 3.11+** installed on MCP server host
+- **MCP server installed** (see [Installation Guide](installation.md))
+
+## Architecture Overview
+
+The OAuth implementation uses the following components:
+
+```
+MCP Client ←→ MCP Server (Resource Server) ←→ Nextcloud (Authorization Server + APIs)
+            OAuth Flow                       Bearer Token Auth
+```
+
+**Key Roles**:
+- **MCP Server**: OAuth Resource Server (validates tokens, provides MCP tools)
+- **Nextcloud `oidc` app**: OAuth Authorization Server (issues tokens)
+- **Nextcloud `user_oidc` app**: Token validation middleware
+
+For detailed architecture, see [OAuth Architecture](oauth-architecture.md).
+
+## Step 1: Install Nextcloud Apps
+
+OAuth authentication requires **two Nextcloud apps** to work together.
+
+### Required Apps
+
+#### 1. `oidc` - OIDC Identity Provider
+
+**Purpose**: Makes Nextcloud an OAuth2/OIDC authorization server
+
+**Installation**:
+1. Open Nextcloud as administrator
+2. Navigate to **Apps** → **Security**
+3. Find **"OIDC"** (full name: "OIDC Identity Provider")
+4. Click **Enable** or **Download and enable**
+
+**Provides**:
+- OAuth2 authorization endpoint
+- Token endpoint
+- User info endpoint
+- JWKS endpoint
+- Dynamic client registration endpoint (optional)
+
+#### 2. `user_oidc` - OpenID Connect User Backend
+
+**Purpose**: Authenticates users and validates Bearer tokens
+
+**Installation**:
+1. In **Apps** → **Security**
+2. Find **"OpenID Connect user backend"** (app ID: `user_oidc`)
+3. Click **Enable** or **Download and enable**
+
+**Provides**:
+- Bearer token validation against OIDC provider
+- User authentication via OIDC
+- Session management for authenticated users
+
+> [!IMPORTANT]
+> **Upstream Patch Required**: The `user_oidc` app needs a patch for Bearer token support with app-specific APIs (Notes, Calendar, etc.). The patch is pending upstream review.
+>
+> **Status**: See [Upstream Status](oauth-upstream-status.md) for current PR status and workarounds.
+>
+> **Impact**: OCS APIs work without patch, but app-specific APIs require the patch.
+
+### Verify Installation
+
+```bash
+# Check both apps are installed and enabled
+php occ app:list | grep -E "oidc|user_oidc"
+
+# Expected output:
+#  - oidc: enabled
+#  - user_oidc: enabled
+```
+
+## Step 2: Configure OIDC Apps
+
+### Configure `oidc` App (Identity Provider)
+
+#### Option A: Dynamic Client Registration (Development)
+
+**Best for**: Development, testing, auto-registration
+
+1. Navigate to **Settings** → **OIDC** (Administration settings)
+2. Enable **"Allow dynamic client registration"**
+3. (Optional) Configure client expiration:
+   ```bash
+   # Default: 3600 seconds (1 hour)
+   php occ config:app:set oidc expire_time --value "86400"  # 24 hours
+   ```
+
+#### Option B: Pre-configured Clients (Production)
+
+**Best for**: Production, long-running deployments
+
+Skip the dynamic registration setting. You'll manually register clients via CLI in Step 3.
+
+### Configure `user_oidc` App (Token Validation)
+
+**Required**: Enable Bearer token validation:
+
+```bash
+# SSH into Nextcloud server
+php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+```
+
+This tells `user_oidc` to validate Bearer tokens against Nextcloud's OIDC Identity Provider.
+
+### Verify OIDC Discovery
+
+Test that OIDC discovery endpoint is accessible:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq
+```
+
+Expected response:
+```json
+{
+  "issuer": "https://your.nextcloud.instance.com",
+  "authorization_endpoint": "https://your.nextcloud.instance.com/apps/oidc/authorize",
+  "token_endpoint": "https://your.nextcloud.instance.com/apps/oidc/token",
+  "userinfo_endpoint": "https://your.nextcloud.instance.com/apps/oidc/userinfo",
+  "jwks_uri": "https://your.nextcloud.instance.com/apps/oidc/jwks",
+  "registration_endpoint": "https://your.nextcloud.instance.com/apps/oidc/register",
+  ...
+}
+```
+
+### PKCE Support
+
+The MCP server **requires PKCE** (Proof Key for Code Exchange) with S256 code challenge method.
+
+**Validation**: The MCP server automatically validates PKCE support at startup by checking the discovery response for `code_challenge_methods_supported`.
+
+**Note**: If PKCE is not advertised in discovery metadata, the server logs a warning but continues (PKCE still works, it's just not advertised). See [Upstream Status](oauth-upstream-status.md) for tracking.
+
+## Step 3: Choose Deployment Mode
+
+You have two options for managing OAuth clients:
+
+### Mode A: Automatic Registration (Dynamic Client Registration)
+
+**Best for**: Development, testing, short-lived deployments
+
+**How it works**:
+- MCP server automatically registers OAuth client at startup
+- Uses Nextcloud's dynamic client registration endpoint
+- Saves credentials to `.nextcloud_oauth_client.json`
+- Re-registers automatically if credentials expire
+
+**Pros**:
+- Zero configuration required
+- Quick setup
+- No manual client management
+
+**Cons**:
+- Clients expire (default: 1 hour, configurable)
+- Must re-register on restart if expired
+- Not ideal for long-running production
+
+**Configuration**: Skip to [Step 4](#step-4-configure-mcp-server) with minimal config.
+
+---
+
+### Mode B: Pre-configured Client (Production)
+
+**Best for**: Production, long-running deployments, stable environments
+
+**How it works**:
+- You manually register OAuth client via Nextcloud CLI
+- Provide client credentials to MCP server
+- Credentials don't expire
+
+**Pros**:
+- Credentials don't expire
+- Stable for production
+- More control over client configuration
+- Better for audit trails
+
+**Cons**:
+- Requires manual setup
+- Needs SSH/CLI access to Nextcloud server
+
+**Setup**: Register a client via CLI:
+
+```bash
+# SSH into Nextcloud server
+php occ oidc:create \
+  --name="Nextcloud MCP Server" \
+  --type=confidential \
+  --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Example output:
+# Client ID: abc123xyz789
+# Client Secret: secret456def012
+
+# Save these credentials for Step 4
+```
+
+**Important**: Adjust `--redirect-uri` to match your MCP server URL:
+- Local: `http://localhost:8000/oauth/callback`
+- Remote: `http://your-server:8000/oauth/callback`
+- Custom port: `http://your-server:PORT/oauth/callback`
+
+The redirect URI **must** be:
+```
+{NEXTCLOUD_MCP_SERVER_URL}/oauth/callback
+```
+
+## Step 4: Configure MCP Server
+
+Create or update your `.env` file with OAuth configuration.
+
+### For Mode A (Automatic Registration)
+
+```bash
+# Copy sample if needed
+cp env.sample .env
+
+# Edit .env
+cat > .env << 'EOF'
+# Nextcloud Instance
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+
+# Leave EMPTY for OAuth mode (do not set USERNAME/PASSWORD)
+NEXTCLOUD_USERNAME=
+NEXTCLOUD_PASSWORD=
+
+# Optional: MCP server URL (for OAuth callbacks)
+NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
+
+# Optional: Client storage path
+NEXTCLOUD_OIDC_CLIENT_STORAGE=.nextcloud_oauth_client.json
+EOF
+```
+
+### For Mode B (Pre-configured Client)
+
+```bash
+# Copy sample if needed
+cp env.sample .env
+
+# Edit .env
+cat > .env << 'EOF'
+# Nextcloud Instance
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+
+# OAuth Client Credentials (from Step 3)
+NEXTCLOUD_OIDC_CLIENT_ID=abc123xyz789
+NEXTCLOUD_OIDC_CLIENT_SECRET=secret456def012
+
+# MCP server URL (must match redirect URI)
+NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
+
+# Leave EMPTY for OAuth mode
+NEXTCLOUD_USERNAME=
+NEXTCLOUD_PASSWORD=
+EOF
+```
+
+### Environment Variables Reference
+
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `NEXTCLOUD_HOST` | ✅ Yes | - | Full URL of Nextcloud instance |
+| `NEXTCLOUD_OIDC_CLIENT_ID` | ⚠️ Mode B only | - | OAuth client ID |
+| `NEXTCLOUD_OIDC_CLIENT_SECRET` | ⚠️ Mode B only | - | OAuth client secret |
+| `NEXTCLOUD_MCP_SERVER_URL` | ⚠️ Optional | `http://localhost:8000` | MCP server URL for callbacks |
+| `NEXTCLOUD_OIDC_CLIENT_STORAGE` | ⚠️ Optional | `.nextcloud_oauth_client.json` | Client credentials storage path |
+| `NEXTCLOUD_USERNAME` | ❌ Must be empty | - | Leave empty for OAuth |
+| `NEXTCLOUD_PASSWORD` | ❌ Must be empty | - | Leave empty for OAuth |
+
+See [Configuration Guide](configuration.md) for all options.
+
+## Step 5: Start and Verify
+
+### Load Environment Variables
+
+```bash
+# Load from .env file
+export $(grep -v '^#' .env | xargs)
+
+# Verify key variables are set
+echo "NEXTCLOUD_HOST: $NEXTCLOUD_HOST"
+echo "NEXTCLOUD_MCP_SERVER_URL: $NEXTCLOUD_MCP_SERVER_URL"
+```
+
+### Start MCP Server
+
+```bash
+# Start with OAuth mode
+uv run nextcloud-mcp-server --oauth
+
+# Or with custom options
+uv run nextcloud-mcp-server --oauth --port 8000 --log-level info
+```
+
+### Verify Startup
+
+Look for these success messages:
+
+**For Mode A (Auto-registration)**:
+```
+INFO     OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)
+INFO     Configuring MCP server for OAuth mode
+INFO     Performing OIDC discovery: https://your.nextcloud.instance.com/.well-known/openid-configuration
+✓ PKCE support validated: ['S256']
+INFO     OIDC discovery successful
+INFO     Attempting dynamic client registration...
+INFO     Dynamic client registration successful
+INFO     OAuth client ready: <client-id>...
+INFO     Saved OAuth client credentials to .nextcloud_oauth_client.json
+INFO     OAuth initialization complete
+INFO     MCP server ready at http://127.0.0.1:8000
+```
+
+**For Mode B (Pre-configured)**:
+```
+INFO     OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)
+INFO     Configuring MCP server for OAuth mode
+INFO     Performing OIDC discovery: https://your.nextcloud.instance.com/.well-known/openid-configuration
+✓ PKCE support validated: ['S256']
+INFO     OIDC discovery successful
+INFO     Using pre-configured OAuth client: abc123xyz789
+INFO     OAuth initialization complete
+INFO     MCP server ready at http://127.0.0.1:8000
+```
+
+### Common Startup Issues
+
+| Issue | Solution |
+|-------|----------|
+| "OAuth mode requires NEXTCLOUD_HOST" | Set `NEXTCLOUD_HOST` in `.env` |
+| "OIDC discovery failed" | Verify Nextcloud URL and network connectivity |
+| "Dynamic registration failed" | Enable dynamic registration in OIDC app settings |
+| "PKCE validation failed" | See [Upstream Status](oauth-upstream-status.md) |
+
+See [OAuth Troubleshooting](oauth-troubleshooting.md) for detailed solutions.
+
+## Testing Authentication
+
+### Test with MCP Inspector
+
+The MCP Inspector provides a web UI for testing:
+
+```bash
+# In a new terminal
+uv run mcp dev
+
+# Opens browser at http://localhost:6272
+```
+
+In the MCP Inspector UI:
+1. Enter server URL: `http://localhost:8000/mcp`
+2. Click **Connect**
+3. Complete OAuth flow in browser popup:
+   - Login to Nextcloud
+   - Authorize MCP server access
+   - Redirected back to MCP Inspector
+4. Test tools:
+   - Try `nc_notes_create_note`
+   - Try `nc_notes_search_notes`
+   - Try `nc_calendar_list_events`
+
+### Test from Command Line
+
+```bash
+# Get an OAuth token (you'll need to implement client flow or extract from browser)
+TOKEN="your_access_token_here"
+
+# Test OCS API (should work)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/ocs/v2.php/cloud/capabilities?format=json" \
+  -H "OCS-APIRequest: true"
+
+# Test Notes API (requires upstream patch)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/apps/notes/api/v1/notes"
+```
+
+### Verify Token Validation
+
+Check MCP server logs for token validation:
+
+```bash
+# Start server with debug logging
+uv run nextcloud-mcp-server --oauth --log-level debug
+
+# Look for:
+# DEBUG    Token validation via userinfo endpoint
+# DEBUG    Token validated successfully for user: username
+```
+
+## Production Recommendations
+
+### Security Best Practices
+
+1. **Use Pre-configured Clients** (Mode B)
+   - More stable
+   - Better audit trails
+   - No expiration issues
+
+2. **Secure Credential Storage**
+   ```bash
+   # Set restrictive permissions
+   chmod 600 .nextcloud_oauth_client.json
+   chmod 600 .env
+   ```
+
+3. **Use HTTPS for MCP Server**
+   - Especially important for remote access
+   - Use reverse proxy (nginx, Apache) with SSL
+
+4. **Restrict Redirect URIs**
+   - Only register necessary redirect URIs
+   - Use specific URLs (not wildcards)
+
+### Deployment Considerations
+
+1. **MCP Server URL**
+   - Must be accessible to OAuth clients
+   - Must match redirect URI registered with Nextcloud
+   - For Docker: expose port and use correct host
+
+2. **Network Configuration**
+   - MCP server must reach Nextcloud (OIDC endpoints)
+   - OAuth clients must reach MCP server (callbacks)
+   - OAuth clients must reach Nextcloud (authorization flow)
+
+3. **Process Management**
+   - Use systemd, supervisord, or Docker for MCP server
+   - Ensure automatic restart on failure
+   - Monitor logs for OAuth errors
+
+### Example Production Configs
+
+#### Docker Compose
+
+```yaml
+version: '3'
+services:
+  nextcloud-mcp:
+    image: ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+    ports:
+      - "127.0.0.1:8000:8000"
+    environment:
+      NEXTCLOUD_HOST: https://your.nextcloud.instance.com
+      NEXTCLOUD_OIDC_CLIENT_ID: ${NEXTCLOUD_OIDC_CLIENT_ID}
+      NEXTCLOUD_OIDC_CLIENT_SECRET: ${NEXTCLOUD_OIDC_CLIENT_SECRET}
+      NEXTCLOUD_MCP_SERVER_URL: http://your-server:8000
+    volumes:
+      - ./oauth_client.json:/app/.nextcloud_oauth_client.json
+    command: ["--oauth", "--transport", "streamable-http"]
+    restart: unless-stopped
+```
+
+#### Systemd Service
+
+```ini
+[Unit]
+Description=Nextcloud MCP Server (OAuth)
+After=network.target
+
+[Service]
+Type=simple
+User=mcp
+WorkingDirectory=/opt/nextcloud-mcp-server
+Environment="NEXTCLOUD_HOST=https://your.nextcloud.instance.com"
+Environment="NEXTCLOUD_OIDC_CLIENT_ID=abc123xyz789"
+Environment="NEXTCLOUD_OIDC_CLIENT_SECRET=secret456def012"
+Environment="NEXTCLOUD_MCP_SERVER_URL=http://your-server:8000"
+ExecStart=/opt/nextcloud-mcp-server/.venv/bin/nextcloud-mcp-server --oauth
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+```
+
+### Monitoring and Maintenance
+
+1. **Log Monitoring**
+   ```bash
+   # Watch for OAuth errors
+   tail -f /var/log/nextcloud-mcp/server.log | grep -i "oauth\|token"
+   ```
+
+2. **Token Expiration** (Mode A only)
+   - Monitor for "Stored client has expired" messages
+   - Consider increasing expiration or switching to Mode B
+
+3. **Upstream Patches**
+   - Subscribe to [Upstream Status](oauth-upstream-status.md)
+   - Plan to update when patches are merged
+
+## Troubleshooting
+
+For OAuth-specific issues, see [OAuth Troubleshooting](oauth-troubleshooting.md).
+
+Common issues:
+- [OIDC discovery failed](oauth-troubleshooting.md#oidc-discovery-failed)
+- [Bearer token auth fails](oauth-troubleshooting.md#bearer-token-authentication-fails)
+- [Client expired](oauth-troubleshooting.md#client-expired)
+- [PKCE errors](oauth-troubleshooting.md#pkce-not-advertised)
+
+## Next Steps
+
+- [OAuth Architecture](oauth-architecture.md) - Understand how OAuth works
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - Solve common issues
+- [Upstream Status](oauth-upstream-status.md) - Track required patches
+- [Configuration](configuration.md) - All environment variables
+- [Running the Server](running.md) - Additional server options
+
+## See Also
+
+- [Authentication Overview](authentication.md) - OAuth vs BasicAuth comparison
+- [Quick Start Guide](quickstart-oauth.md) - 5-minute setup for development
+- [MCP Specification](https://spec.modelcontextprotocol.io/) - MCP protocol details
+- [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749) - OAuth 2.0 Framework
+- [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636) - PKCE Extension
@@ -0,0 +1,554 @@
+# OAuth Troubleshooting
+
+This guide covers OAuth-specific issues and solutions for the Nextcloud MCP server.
+
+For general troubleshooting, see [Troubleshooting Guide](troubleshooting.md).
+
+## Quick Diagnosis
+
+Start here to identify your issue:
+
+| Symptom | Likely Cause | Quick Fix Link |
+|---------|--------------|----------------|
+| "OAuth mode requires NEXTCLOUD_HOST" | Missing environment variable | [Missing NEXTCLOUD_HOST](#missing-nextcloud_host) |
+| "OAuth mode requires client credentials OR dynamic registration" | OIDC apps not configured | [Missing OIDC Apps](#missing-or-misconfigured-oidc-apps) |
+| "PKCE support validation failed" | OIDC app doesn't advertise PKCE | [PKCE Not Advertised](#pkce-not-advertised) |
+| "Stored client has expired" | Dynamic client expired | [Client Expired](#client-expired) |
+| HTTP 401 for Notes API | Bearer token patch missing | [Bearer Token Auth Fails](#bearer-token-authentication-fails) |
+| "OIDC discovery failed" | Network or configuration issue | [Discovery Failed](#oidc-discovery-failed) |
+| "Permission denied" on .nextcloud_oauth_client.json | File permissions issue | [File Permission Error](#file-permission-error) |
+
+## Configuration Issues
+
+### Missing NEXTCLOUD_HOST
+
+**Error Message**:
+```
+OAuth mode requires NEXTCLOUD_HOST environment variable
+```
+
+**Cause**: The `NEXTCLOUD_HOST` environment variable is not set or empty.
+
+**Solution**:
+
+1. Add to your `.env` file:
+   ```bash
+   NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+   ```
+
+2. Reload environment variables:
+   ```bash
+   export $(grep -v '^#' .env | xargs)
+   ```
+
+3. Verify it's set:
+   ```bash
+   echo $NEXTCLOUD_HOST
+   # Should output: https://your.nextcloud.instance.com
+   ```
+
+---
+
+### Missing or Misconfigured OIDC Apps
+
+**Error Message**:
+```
+OAuth mode requires either client credentials OR dynamic client registration
+```
+
+**Cause**: The required Nextcloud OIDC apps are either:
+- Not installed
+- Not enabled
+- Missing configuration
+
+**Solution**:
+
+**Step 1**: Verify both apps are installed:
+
+```bash
+# Check installed apps
+php occ app:list | grep -E "oidc|user_oidc"
+
+# Should show:
+#  - oidc: enabled
+#  - user_oidc: enabled
+```
+
+If not installed:
+1. Open Nextcloud as administrator
+2. Navigate to **Apps** → **Security**
+3. Install **"OIDC"** (OIDC Identity Provider)
+4. Install **"OpenID Connect user backend"** (user_oidc)
+5. Enable both apps
+
+**Step 2**: Enable dynamic client registration:
+
+1. Go to **Settings** → **OIDC** (Administration)
+2. Enable **"Allow dynamic client registration"**
+
+**Step 3**: Configure Bearer token validation:
+
+```bash
+php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+```
+
+**Step 4**: Verify discovery endpoint:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq '.registration_endpoint'
+
+# Should output:
+# "https://your.nextcloud.instance.com/apps/oidc/register"
+```
+
+**Alternative**: Use pre-configured client credentials:
+
+```bash
+# Register client via CLI
+php occ oidc:create \
+  --name="Nextcloud MCP Server" \
+  --type=confidential \
+  --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Add to .env
+echo "NEXTCLOUD_OIDC_CLIENT_ID=<client-id>" >> .env
+echo "NEXTCLOUD_OIDC_CLIENT_SECRET=<client-secret>" >> .env
+```
+
+---
+
+### Client Expired
+
+**Error Message**:
+```
+Stored client has expired
+```
+
+**Cause**: Dynamically registered OAuth clients expire (default: 1 hour).
+
+**Solution**:
+
+**Option 1: Restart the Server** (Automatic re-registration)
+
+```bash
+uv run nextcloud-mcp-server --oauth
+# Server automatically re-registers if credentials expired
+```
+
+**Option 2: Use Pre-configured Credentials** (Recommended for production)
+
+```bash
+# Register permanent client via Nextcloud CLI
+php occ oidc:create \
+  --name="Nextcloud MCP Server" \
+  --type=confidential \
+  --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Add to .env
+NEXTCLOUD_OIDC_CLIENT_ID=<from-output>
+NEXTCLOUD_OIDC_CLIENT_SECRET=<from-output>
+```
+
+Pre-configured clients don't expire.
+
+**Option 3: Increase Expiration Time**
+
+```bash
+# Via Nextcloud CLI (default: 3600 seconds = 1 hour)
+php occ config:app:set oidc expire_time --value "86400"  # 24 hours
+```
+
+---
+
+### File Permission Error
+
+**Error Message**:
+```
+Permission denied when reading/writing .nextcloud_oauth_client.json
+```
+
+**Cause**: The server cannot access the OAuth client storage file.
+
+**Solution**:
+
+```bash
+# Check file permissions
+ls -la .nextcloud_oauth_client.json
+
+# Fix file permissions (owner read/write only)
+chmod 600 .nextcloud_oauth_client.json
+
+# Ensure directory is writable
+chmod 755 $(dirname .nextcloud_oauth_client.json)
+
+# If file doesn't exist, ensure directory is writable
+mkdir -p $(dirname .nextcloud_oauth_client.json)
+```
+
+For custom storage paths:
+```bash
+# Set custom path in .env
+NEXTCLOUD_OIDC_CLIENT_STORAGE=/path/to/custom/oauth_client.json
+
+# Ensure directory exists and is writable
+mkdir -p $(dirname /path/to/custom/oauth_client.json)
+chmod 755 $(dirname /path/to/custom/oauth_client.json)
+```
+
+---
+
+## Discovery and Connection Issues
+
+### OIDC Discovery Failed
+
+**Error Message**:
+```
+OIDC discovery failed
+Cannot reach OIDC discovery endpoint
+```
+
+**Cause**: The server cannot reach the Nextcloud OIDC discovery endpoint.
+
+**Solution**:
+
+**Step 1**: Verify Nextcloud URL is correct:
+
+```bash
+echo $NEXTCLOUD_HOST
+# Should be full URL: https://your.nextcloud.instance.com
+```
+
+**Step 2**: Test discovery endpoint manually:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+
+# Should return JSON with OIDC configuration
+# {
+#   "issuer": "https://your.nextcloud.instance.com",
+#   "authorization_endpoint": "https://your.nextcloud.instance.com/apps/oidc/authorize",
+#   ...
+# }
+```
+
+**Step 3**: Check network connectivity:
+
+```bash
+# Test basic connectivity
+ping your.nextcloud.instance.com
+
+# Test HTTPS
+curl -I https://your.nextcloud.instance.com
+```
+
+**Step 4**: Verify both OIDC apps are enabled:
+
+```bash
+php occ app:list | grep -E "oidc|user_oidc"
+```
+
+**Step 5**: Check firewall rules (if using Docker):
+
+```bash
+# Check if MCP server can reach Nextcloud
+docker exec nextcloud-mcp-server curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+```
+
+---
+
+## Authentication Issues
+
+### Bearer Token Authentication Fails
+
+**Error Message**:
+```
+HTTP 401 Unauthorized when calling Nextcloud APIs
+```
+
+**Symptoms**:
+- OCS APIs work (`/ocs/v2.php/cloud/capabilities`)
+- App APIs fail (`/apps/notes/api/`, `/apps/calendar/`, etc.)
+
+**Cause**: The `user_oidc` app's CORS middleware interferes with Bearer token authentication for non-OCS endpoints.
+
+**Solution**: Apply the Bearer token patch to `user_oidc` app.
+
+See [Upstream Status](oauth-upstream-status.md#1-bearer-token-support-for-non-ocs-endpoints) for details.
+
+**Quick Patch**:
+
+```bash
+# SSH into Nextcloud server
+cd /path/to/nextcloud/apps/user_oidc
+
+# Edit lib/User/Backend.php
+# Add this line before each return statement in getCurrentUserId() method:
+$this->session->set('app_api', true);
+
+# Lines to modify: ~243, ~310, ~315, ~337
+```
+
+**Test the fix**:
+
+```bash
+# Get an OAuth token (from MCP client or test)
+TOKEN="your_access_token"
+
+# Test Notes API
+curl -H "Authorization: Bearer $TOKEN" \
+  https://your.nextcloud.instance.com/apps/notes/api/v1/notes
+
+# Should return notes JSON (not 401)
+```
+
+---
+
+### PKCE Not Advertised
+
+**Error Message**:
+```
+ERROR: OIDC CONFIGURATION ERROR - Missing PKCE Support Advertisement
+⚠️  MCP clients (like Claude Code) WILL REJECT this provider!
+```
+
+**Cause**: The OIDC discovery endpoint doesn't include `code_challenge_methods_supported` field.
+
+**Impact**:
+- Some MCP clients may refuse to connect
+- Standards compliance issue (RFC 8414)
+- **Functionality still works** (PKCE is accepted, just not advertised)
+
+**Solution**:
+
+**Short-term**: The MCP server logs a warning but continues. OAuth flow still works.
+
+**Long-term**: Update the `oidc` app to advertise PKCE support.
+
+See [Upstream Status](oauth-upstream-status.md#2-pkce-support-advertisement-in-discovery) for tracking.
+
+**Verify**:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq '.code_challenge_methods_supported'
+
+# Should return:
+# ["S256", "plain"]
+
+# If null, PKCE isn't advertised (but still works)
+```
+
+---
+
+## Runtime Issues
+
+### MCP Client Can't Authenticate
+
+**Symptoms**:
+- Client connects but OAuth flow fails
+- Authorization redirects don't work
+- Token exchange fails
+
+**Diagnosis**:
+
+**Step 1**: Verify OAuth is configured correctly:
+
+```bash
+uv run nextcloud-mcp-server --oauth --log-level debug
+```
+
+Look for:
+```
+INFO     OAuth initialization complete
+INFO     MCP server ready at http://127.0.0.1:8000
+```
+
+**Step 2**: Check OIDC discovery:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+```
+
+**Step 3**: Verify MCP server URL matches client expectations:
+
+```bash
+echo $NEXTCLOUD_MCP_SERVER_URL
+# Should match the URL clients use to connect
+# Default: http://localhost:8000
+```
+
+If MCP server is on a different host/port, update:
+```bash
+NEXTCLOUD_MCP_SERVER_URL=http://actual-host:actual-port
+```
+
+**Step 4**: Check redirect URI configuration:
+
+For pre-configured clients, ensure redirect URI matches:
+```bash
+# Client redirect URI should be:
+http://your-mcp-server-url/oauth/callback
+
+# Example for local server:
+http://localhost:8000/oauth/callback
+```
+
+---
+
+### Tools Return 401 Errors
+
+**Symptoms**:
+- OAuth flow completes successfully
+- Token is valid
+- MCP tools return 401 errors
+
+**Cause**: Bearer token not working with Nextcloud APIs.
+
+**Solution**: See [Bearer Token Authentication Fails](#bearer-token-authentication-fails) above.
+
+---
+
+## Switching Authentication Modes
+
+### From BasicAuth to OAuth
+
+```bash
+# 1. Remove or comment out USERNAME/PASSWORD in .env
+sed -i 's/^NEXTCLOUD_USERNAME/#NEXTCLOUD_USERNAME/' .env
+sed -i 's/^NEXTCLOUD_PASSWORD/#NEXTCLOUD_PASSWORD/' .env
+
+# 2. Ensure NEXTCLOUD_HOST is set
+grep NEXTCLOUD_HOST .env
+
+# 3. Restart server with OAuth
+export $(grep -v '^#' .env | xargs)
+uv run nextcloud-mcp-server --oauth
+```
+
+### From OAuth to BasicAuth
+
+```bash
+# 1. Add USERNAME/PASSWORD to .env
+echo "NEXTCLOUD_USERNAME=your-username" >> .env
+echo "NEXTCLOUD_PASSWORD=your-password" >> .env
+
+# 2. Restart server (BasicAuth auto-detected)
+export $(grep -v '^#' .env | xargs)
+uv run nextcloud-mcp-server --no-oauth
+```
+
+---
+
+## Advanced Debugging
+
+### Enable Debug Logging
+
+```bash
+uv run nextcloud-mcp-server --oauth --log-level debug
+```
+
+Look for:
+- OIDC discovery details
+- Client registration attempts
+- Token validation logs
+- API request/response details
+
+### Test Discovery Endpoint
+
+```bash
+# Full discovery response
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq
+
+# Check specific fields
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq '{
+  issuer,
+  authorization_endpoint,
+  token_endpoint,
+  userinfo_endpoint,
+  registration_endpoint,
+  code_challenge_methods_supported
+}'
+```
+
+### Test Token Validation
+
+```bash
+# Get userinfo with token
+curl -H "Authorization: Bearer $TOKEN" \
+  https://your.nextcloud.instance.com/apps/oidc/userinfo
+
+# Should return user info:
+# {
+#   "sub": "username",
+#   "preferred_username": "username",
+#   "name": "Display Name",
+#   ...
+# }
+```
+
+### Test Nextcloud API Access
+
+```bash
+# Test OCS API (should work)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/ocs/v2.php/cloud/capabilities?format=json" \
+  -H "OCS-APIRequest: true"
+
+# Test app API (requires patch)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/apps/notes/api/v1/notes"
+```
+
+---
+
+## Getting Help
+
+If you continue to experience issues:
+
+### 1. Collect Diagnostic Information
+
+```bash
+# Server version
+uv run nextcloud-mcp-server --version
+
+# Python version
+python3 --version
+
+# Server logs with debug
+uv run nextcloud-mcp-server --oauth --log-level debug 2>&1 | tee mcp-server.log
+
+# OIDC discovery
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration > oidc-discovery.json
+
+# Nextcloud version
+# Check in Nextcloud admin panel or:
+php occ -V
+```
+
+### 2. Check Documentation
+
+- [OAuth Architecture](oauth-architecture.md) - How OAuth works
+- [OAuth Setup Guide](oauth-setup.md) - Configuration steps
+- [Upstream Status](oauth-upstream-status.md) - Required patches
+- [Configuration](configuration.md) - Environment variables
+
+### 3. Open an Issue
+
+If problems persist, [open an issue](https://github.com/cbcoutinho/nextcloud-mcp-server/issues) with:
+
+- **Error messages** (full text)
+- **Server logs** (with `--log-level debug`)
+- **OIDC discovery response** (from curl command above)
+- **Nextcloud version**
+- **OIDC app versions** (`oidc` and `user_oidc`)
+- **Steps to reproduce**
+- **Environment details** (OS, Python version, Docker vs local)
+
+---
+
+## See Also
+
+- [OAuth Quick Start](quickstart-oauth.md) - Get started quickly
+- [OAuth Setup Guide](oauth-setup.md) - Detailed configuration
+- [OAuth Architecture](oauth-architecture.md) - Technical details
+- [Upstream Status](oauth-upstream-status.md) - Required patches
+- [General Troubleshooting](troubleshooting.md) - Non-OAuth issues
@@ -0,0 +1,226 @@
+# OAuth Upstream Status
+
+This document tracks the status of upstream patches and pull requests required for full OAuth functionality.
+
+## Overview
+
+The Nextcloud MCP Server's OAuth implementation relies on two Nextcloud apps:
+- **`oidc`** - OIDC Identity Provider (Authorization Server)
+- **`user_oidc`** - OpenID Connect user backend (Token validation)
+
+While the core OAuth flow works, there are **pending upstream improvements** that enhance functionality and standards compliance.
+
+## Required Patches
+
+### 1. Bearer Token Support for Non-OCS Endpoints
+
+**Status**: 🟡 **Patch Required** (Pending Upstream)
+
+**Affected Component**: `user_oidc` app
+
+**Issue**: Bearer token authentication fails for app-specific APIs (Notes, Calendar, etc.) with `401 Unauthorized` errors, even though OCS APIs work correctly.
+
+**Root Cause**: The `CORSMiddleware` in Nextcloud logs out sessions created by Bearer token authentication when CSRF tokens are missing, which breaks API requests.
+
+**Solution**: Set the `app_api` session flag during Bearer token authentication to bypass CSRF checks.
+
+**Upstream PR**: [nextcloud/user_oidc#1221](https://github.com/nextcloud/user_oidc/issues/1221)
+
+**Workaround**: Manually apply the patch to `lib/User/Backend.php` in the `user_oidc` app
+
+**Impact**:
+- ✅ **Works**: OCS APIs (`/ocs/v2.php/cloud/capabilities`)
+- ❌ **Requires Patch**: App APIs (`/apps/notes/api/`, `/apps/calendar/`, etc.)
+
+**Files Modified**: `lib/User/Backend.php` in `user_oidc` app
+
+**Patch Summary**:
+```php
+// Add before successful Bearer token authentication returns
+$this->session->set('app_api', true);
+```
+
+This is added at lines ~243, ~310, ~315, and ~337 in `Backend.php`.
+
+---
+
+### 2. PKCE Support Advertisement in Discovery
+
+**Status**: 🟢 **PR Submitted** (Pending Review)
+
+**Affected Component**: `oidc` app
+
+**Issue**: The OIDC discovery endpoint (`/.well-known/openid-configuration`) does not advertise PKCE support in the `code_challenge_methods_supported` field.
+
+**Why It Matters**:
+- MCP specification requires PKCE with S256 code challenge method
+- RFC 8414 states that absence of `code_challenge_methods_supported` means PKCE is **not supported**
+- Some MCP clients may reject providers without proper PKCE advertisement
+
+**Current Behavior**:
+- PKCE **functionally works** (the OIDC app accepts and validates PKCE)
+- PKCE just isn't **advertised** in discovery metadata
+
+**Recommended Fix**: Update `oidc` app to include:
+```json
+{
+  "code_challenge_methods_supported": ["S256"]
+}
+```
+
+**Workaround**: The MCP server implements PKCE validation and logs a warning if not advertised. Functionality still works.
+
+**Upstream PR**: [H2CK/oidc#584](https://github.com/H2CK/oidc/pull/584) - Submitted 2025-10-13
+- **Changes**: Adds `code_challenge_methods_supported: ["S256"]` to discovery document when PKCE is enabled
+- **Size**: +5 lines added, 0 deleted
+- **Status**: Open, awaiting review
+
+---
+
+## Upstream PRs Status
+
+| PR/Issue | Component | Status | Priority | Notes |
+|----------|-----------|--------|----------|-------|
+| [user_oidc#1221](https://github.com/nextcloud/user_oidc/issues/1221) | `user_oidc` | 🟡 Open | High | Required for app-specific APIs |
+| [H2CK/oidc#584](https://github.com/H2CK/oidc/pull/584) | `oidc` | 🟢 PR Open | Medium | PKCE advertisement for standards compliance |
+
+## What Works Without Patches
+
+The following functionality works **out of the box** without any patches:
+
+✅ **OAuth Flow**:
+- OIDC discovery
+- Dynamic client registration
+- Authorization code flow with PKCE
+- Token exchange
+- Userinfo endpoint
+
+✅ **MCP Server as Resource Server**:
+- Token validation via userinfo
+- Per-user client instances
+- Token caching
+
+✅ **Nextcloud OCS APIs**:
+- Capabilities endpoint
+- All OCS-based APIs
+
+## What Requires Patches
+
+The following functionality requires upstream patches:
+
+🟡 **App-Specific APIs** (Requires user_oidc#1221):
+- Notes API (`/apps/notes/api/`)
+- Calendar API (CalDAV)
+- Contacts API (CardDAV)
+- Deck API
+- Tables API
+- Custom app APIs
+
+🟡 **Standards Compliance** (PKCE advertisement):
+- Full RFC 8414 compliance
+- MCP client compatibility guarantee
+
+## Installation Instructions
+
+### For Development/Testing
+
+If the upstream PRs are not yet merged, you can apply patches manually:
+
+#### 1. Apply Bearer Token Patch
+
+```bash
+# SSH into Nextcloud server
+cd /path/to/nextcloud/apps/user_oidc
+
+# Download and apply patch
+# (Patch file to be created once PR is ready)
+wget https://github.com/nextcloud/user_oidc/pull/XXXX.patch
+git apply XXXX.patch
+
+# Or manually edit lib/User/Backend.php
+# Add this line before each return statement in getCurrentUserId():
+#   $this->session->set('app_api', true);
+```
+
+#### 2. Verify Installation
+
+```bash
+# Test with OAuth token
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  https://your.nextcloud.com/apps/notes/api/v1/notes
+
+# Should return notes JSON (not 401)
+```
+
+### For Production
+
+**Recommendation**: Wait for upstream PRs to be merged and included in official Nextcloud releases before deploying OAuth in production.
+
+**Alternative**: Use a patched version of `user_oidc` app in your deployment:
+1. Fork the `user_oidc` app
+2. Apply the required patches
+3. Install your patched version
+4. Document the changes for your team
+
+## Testing
+
+The integration test suite validates OAuth functionality:
+
+```bash
+# Start OAuth-enabled MCP server
+docker-compose up --build -d mcp-oauth
+
+# Run comprehensive OAuth tests
+uv run pytest tests/integration/test_oauth_playwright.py --browser firefox -v
+
+# Tests verify:
+# - OAuth flow completion
+# - Token validation
+# - MCP tool calls with Bearer tokens
+# - Notes API access (requires patch)
+```
+
+## Monitoring Upstream Progress
+
+To track progress on these issues:
+
+1. **Watch the upstream repositories**:
+   - [nextcloud/user_oidc](https://github.com/nextcloud/user_oidc)
+   - [nextcloud/oidc](https://github.com/nextcloud/oidc)
+
+2. **Subscribe to specific issues**:
+   - [user_oidc#1221](https://github.com/nextcloud/user_oidc/issues/1221) - Bearer token support
+
+3. **Check Nextcloud release notes** for mentions of:
+   - Bearer token authentication improvements
+   - OIDC/OAuth enhancements
+   - AppAPI compatibility
+
+## Contributing
+
+Want to help get these patches merged?
+
+1. **Test the patches**: Run the integration tests and report results
+2. **Review PRs**: Provide feedback on upstream pull requests
+3. **Document issues**: Report any problems or edge cases
+4. **Contribute code**: Submit improvements or fixes to upstream
+
+## Timeline Expectations
+
+**Best Case**: PRs merged in next Nextcloud minor release (est. 3-6 months)
+
+**Realistic**: PRs reviewed and merged within 6-12 months
+
+**Meanwhile**: Use the workarounds documented in this guide
+
+## See Also
+
+- [OAuth Architecture](oauth-architecture.md) - How OAuth works in this implementation
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - Common issues and solutions
+- [OAuth Setup Guide](oauth-setup.md) - Configuration instructions
+
+---
+
+**Last Updated**: 2025-10-14
+
+**Next Review**: When PR #584 or issue #1221 has activity
@@ -0,0 +1,163 @@
+# OAuth Quick Start Guide
+
+Get up and running with OAuth authentication in 5 minutes.
+
+## Prerequisites Checklist
+
+Before you begin, ensure you have:
+
+- [ ] Nextcloud instance with **administrator access**
+- [ ] Nextcloud version 28 or later
+- [ ] Python 3.11+ installed
+- [ ] `uv` package manager installed ([installation instructions](https://docs.astral.sh/uv/getting-started/installation/))
+
+## Step 1: Install Nextcloud Apps
+
+Install **both** required apps in your Nextcloud instance:
+
+1. Open Nextcloud as administrator
+2. Navigate to **Apps** → **Security**
+3. Install:
+   - **OIDC** (OIDC Identity Provider app)
+   - **OpenID Connect user backend** (user_oidc app)
+4. Enable both apps
+
+> [!IMPORTANT]
+> The `user_oidc` app requires an upstream patch for Bearer token support. See [Upstream Status](oauth-upstream-status.md) for details. The functionality works, but the PR is pending.
+
+## Step 2: Configure Nextcloud OIDC
+
+Enable dynamic client registration and Bearer token validation:
+
+### Via Web UI
+
+1. Go to **Settings** → **OIDC** (Administration settings)
+2. Enable **"Allow dynamic client registration"**
+
+### Via CLI (Required)
+
+SSH into your Nextcloud server and run:
+
+```bash
+# Enable Bearer token validation
+php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+```
+
+## Step 3: Install MCP Server
+
+Clone and install the MCP server:
+
+```bash
+# Clone repository
+git clone https://github.com/cbcoutinho/nextcloud-mcp-server.git
+cd nextcloud-mcp-server
+
+# Install dependencies
+uv sync
+```
+
+## Step 4: Configure Environment
+
+Create a `.env` file with minimal configuration:
+
+```bash
+# Copy sample
+cp env.sample .env
+
+# Edit .env and set:
+NEXTCLOUD_HOST=https://your.nextcloud.instance.com
+
+# IMPORTANT: Leave these EMPTY for OAuth mode
+NEXTCLOUD_USERNAME=
+NEXTCLOUD_PASSWORD=
+```
+
+## Step 5: Start the Server
+
+Load environment variables and start the server:
+
+```bash
+# Load environment
+export $(grep -v '^#' .env | xargs)
+
+# Start server with OAuth
+uv run nextcloud-mcp-server --oauth
+```
+
+Look for this success message:
+
+```
+✓ PKCE support validated: ['S256']
+INFO     OAuth initialization complete
+INFO     MCP server ready at http://127.0.0.1:8000
+```
+
+## Step 6: Test with MCP Inspector
+
+Open a new terminal and test the connection:
+
+```bash
+# Start MCP Inspector
+uv run mcp dev
+```
+
+This opens your browser. In the MCP Inspector UI:
+
+1. Enter server URL: `http://127.0.0.1:8000/mcp`
+2. Click **Connect**
+3. Complete the OAuth flow in the browser popup
+4. After authorization, you'll see available tools and resources
+
+Test a tool by trying:
+- **Tool**: `nc_notes_create_note`
+- **Title**: "Test Note"
+- **Content**: "Hello from MCP!"
+- **Category**: "Notes"
+
+## Troubleshooting Quick Fixes
+
+### PKCE Error
+
+If you see:
+```
+ERROR: OIDC CONFIGURATION ERROR - Missing PKCE Support Advertisement
+```
+
+**Fix**: The Nextcloud OIDC app needs to be updated to advertise PKCE support. See [Upstream Status](oauth-upstream-status.md) for the required PR.
+
+### 401 Unauthorized for Notes API
+
+If OAuth works but Notes API returns 401:
+
+**Fix**: The `user_oidc` app needs the Bearer token patch. See [Upstream Status](oauth-upstream-status.md) for details.
+
+### Can't Reach OIDC Discovery Endpoint
+
+**Fix**: Verify your Nextcloud URL is correct and accessible:
+
+```bash
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+```
+
+## Next Steps
+
+- [OAuth Setup Guide](oauth-setup.md) - Detailed configuration options
+- [OAuth Architecture](oauth-architecture.md) - How it works under the hood
+- [OAuth Troubleshooting](oauth-troubleshooting.md) - Common issues and solutions
+- [Configuration](configuration.md) - All environment variables
+
+## Development vs Production
+
+This quick start uses **automatic client registration** which is perfect for:
+- Development
+- Testing
+- Short-lived deployments
+
+For **production deployments**, you should:
+1. Pre-register OAuth clients manually
+2. Use dedicated client credentials
+3. See [OAuth Setup Guide](oauth-setup.md) for production configuration
+
+---
+
+**Need help?** Check [OAuth Troubleshooting](oauth-troubleshooting.md) or [open an issue](https://github.com/cbcoutinho/nextcloud-mcp-server/issues).
@@ -0,0 +1,440 @@
+# Running the Server
+
+This guide covers different ways to start and run the Nextcloud MCP server.
+
+## Prerequisites
+
+Before running the server:
+
+1. **Install the server** - See [Installation Guide](installation.md)
+2. **Configure environment** - See [Configuration Guide](configuration.md)
+3. **Set up authentication** - See [OAuth Setup](oauth-setup.md) or [Authentication](authentication.md)
+
+---
+
+## Quick Start
+
+Load your environment variables and start the server:
+
+```bash
+# Load environment variables from .env
+export $(grep -v '^#' .env | xargs)
+
+# Start the server
+uv run nextcloud-mcp-server
+```
+
+The server will start on `http://127.0.0.1:8000` by default.
+
+---
+
+## Running Locally
+
+### Method 1: Using nextcloud-mcp-server CLI (Recommended)
+
+The CLI provides a simple interface with built-in defaults:
+
+#### OAuth Mode
+
+```bash
+# Auto-detected when NEXTCLOUD_USERNAME/PASSWORD not set
+uv run nextcloud-mcp-server
+
+# Explicitly force OAuth mode
+uv run nextcloud-mcp-server --oauth
+
+# OAuth with custom host and port
+uv run nextcloud-mcp-server --oauth --host 0.0.0.0 --port 8080
+
+# OAuth with pre-configured client
+uv run nextcloud-mcp-server --oauth \
+  --oauth-client-id abc123 \
+  --oauth-client-secret xyz789
+
+# OAuth with specific apps only
+uv run nextcloud-mcp-server --oauth \
+  --enable-app notes \
+  --enable-app calendar
+```
+
+#### BasicAuth Mode (Legacy)
+
+```bash
+# Auto-detected when NEXTCLOUD_USERNAME/PASSWORD are set
+uv run nextcloud-mcp-server
+
+# Explicitly force BasicAuth mode
+uv run nextcloud-mcp-server --no-oauth
+
+# BasicAuth with specific apps
+uv run nextcloud-mcp-server --no-oauth \
+  --enable-app notes \
+  --enable-app webdav
+```
+
+### Method 2: Using uvicorn
+
+For more control over server options (workers, reload, etc.):
+
+```bash
+# Load environment variables
+export $(grep -v '^#' .env | xargs)
+
+# Run with uvicorn
+uv run uvicorn nextcloud_mcp_server.app:get_app \
+  --factory \
+  --host 127.0.0.1 \
+  --port 8000 \
+  --reload  # Enable auto-reload for development
+```
+
+See all uvicorn options at [https://www.uvicorn.org/settings/](https://www.uvicorn.org/settings/)
+
+### Method 3: Using Python Module
+
+```bash
+# Load environment variables
+export $(grep -v '^#' .env | xargs)
+
+# Run as Python module
+python -m nextcloud_mcp_server.app --oauth --port 8000
+```
+
+---
+
+## Running with Docker
+
+### Basic Docker Run
+
+```bash
+# OAuth mode
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest --oauth
+
+# BasicAuth mode
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+### Docker with Persistent OAuth Storage
+
+```bash
+docker run -p 127.0.0.1:8000:8000 --env-file .env \
+  -v $(pwd)/.oauth:/app/.oauth \
+  --rm ghcr.io/cbcoutinho/nextcloud-mcp-server:latest --oauth
+```
+
+### Docker Compose
+
+Create `docker-compose.yml`:
+
+```yaml
+version: '3.8'
+
+services:
+  mcp:
+    image: ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+    command: --oauth --enable-app notes --enable-app calendar
+    ports:
+      - "127.0.0.1:8000:8000"
+    env_file:
+      - .env
+    volumes:
+      - ./oauth-storage:/app/.oauth
+    restart: unless-stopped
+```
+
+Start the service:
+
+```bash
+# Start in foreground
+docker-compose up
+
+# Start in background
+docker-compose up -d
+
+# View logs
+docker-compose logs -f
+
+# Stop the service
+docker-compose down
+```
+
+---
+
+## Server Options
+
+### Host and Port
+
+```bash
+# Bind to all interfaces (accessible from network)
+uv run nextcloud-mcp-server --host 0.0.0.0 --port 8000
+
+# Bind to localhost only (default, more secure)
+uv run nextcloud-mcp-server --host 127.0.0.1 --port 8000
+
+# Use a different port
+uv run nextcloud-mcp-server --port 8080
+```
+
+**Security Note:** Using `--host 0.0.0.0` exposes the server to your network. Only use this if you understand the security implications.
+
+### Transport Protocols
+
+The server supports multiple MCP transport protocols:
+
+```bash
+# Streamable HTTP (recommended)
+uv run nextcloud-mcp-server --transport streamable-http
+
+# SSE - Server-Sent Events (default, deprecated)
+uv run nextcloud-mcp-server --transport sse
+
+# HTTP
+uv run nextcloud-mcp-server --transport http
+```
+
+> [!WARNING]
+> SSE transport is deprecated and will be removed in a future version of the MCP spec. Please migrate to `streamable-http`.
+
+### Logging
+
+```bash
+# Set log level (critical, error, warning, info, debug, trace)
+uv run nextcloud-mcp-server --log-level debug
+
+# Production: use warning or error
+uv run nextcloud-mcp-server --log-level warning
+```
+
+### Selective App Enablement
+
+By default, all supported Nextcloud apps are enabled. You can enable specific apps only:
+
+```bash
+# Available apps: notes, tables, webdav, calendar, contacts, deck
+
+# Enable all apps (default)
+uv run nextcloud-mcp-server
+
+# Enable only Notes
+uv run nextcloud-mcp-server --enable-app notes
+
+# Enable multiple apps
+uv run nextcloud-mcp-server \
+  --enable-app notes \
+  --enable-app calendar \
+  --enable-app contacts
+
+# Enable only WebDAV for file operations
+uv run nextcloud-mcp-server --enable-app webdav
+```
+
+**Use cases:**
+- Reduce memory usage and startup time
+- Limit functionality for security/organizational reasons
+- Test specific app integrations
+- Run lightweight instances with only needed features
+
+---
+
+## Development Mode
+
+For active development with auto-reload:
+
+```bash
+# Using uvicorn with reload
+uv run uvicorn nextcloud_mcp_server.app:get_app \
+  --factory \
+  --reload \
+  --host 127.0.0.1 \
+  --port 8000 \
+  --log-level debug
+```
+
+Or use the CLI with reload flag:
+
+```bash
+uv run nextcloud-mcp-server --reload --log-level debug
+```
+
+---
+
+## Connecting to the Server
+
+### Using MCP Inspector
+
+MCP Inspector is a browser-based tool for testing MCP servers:
+
+```bash
+# Start MCP Inspector
+uv run mcp dev
+
+# In the browser:
+# 1. Enter server URL: http://localhost:8000
+# 2. Complete OAuth flow (if using OAuth)
+# 3. Explore tools and resources
+```
+
+### Using MCP Clients
+
+MCP clients (like Claude Desktop, LLM IDEs) can connect to your server:
+
+1. Configure the client with your server URL
+2. Complete OAuth authentication (if enabled)
+3. Start interacting with Nextcloud through the LLM
+
+---
+
+## Verifying Server Status
+
+### Check Server Health
+
+```bash
+# Test if server is responding
+curl http://localhost:8000/health
+
+# Expected response: HTTP 200 OK
+```
+
+### Check OAuth Configuration
+
+Look for these log messages on startup:
+
+**OAuth mode:**
+```
+INFO     OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)
+INFO     Configuring MCP server for OAuth mode
+INFO     OIDC discovery successful
+INFO     OAuth client ready: <client-id>...
+INFO     OAuth initialization complete
+```
+
+**BasicAuth mode:**
+```
+INFO     BasicAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD set)
+INFO     Initializing Nextcloud client with BasicAuth
+```
+
+---
+
+## Process Management
+
+### Running as a Background Service
+
+#### Using systemd (Linux)
+
+Create `/etc/systemd/system/nextcloud-mcp.service`:
+
+```ini
+[Unit]
+Description=Nextcloud MCP Server
+After=network.target
+
+[Service]
+Type=simple
+User=your-user
+WorkingDirectory=/path/to/nextcloud-mcp-server
+EnvironmentFile=/path/to/.env
+ExecStart=/path/to/uv run nextcloud-mcp-server --oauth
+Restart=on-failure
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Enable and start:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable nextcloud-mcp
+sudo systemctl start nextcloud-mcp
+sudo systemctl status nextcloud-mcp
+```
+
+#### Using Docker Compose
+
+See [Docker Compose section](#docker-compose) above - includes `restart: unless-stopped`.
+
+### Monitoring Logs
+
+```bash
+# Local installation with systemd
+sudo journalctl -u nextcloud-mcp -f
+
+# Docker
+docker logs -f <container-name>
+
+# Docker Compose
+docker-compose logs -f mcp
+```
+
+---
+
+## Performance Tuning
+
+### Multiple Workers
+
+For production deployments with higher load:
+
+```bash
+# Using CLI (if supported)
+uv run nextcloud-mcp-server --workers 4
+
+# Using uvicorn
+uv run uvicorn nextcloud_mcp_server.app:get_app \
+  --factory \
+  --workers 4 \
+  --host 0.0.0.0 \
+  --port 8000
+```
+
+### Production Settings
+
+```bash
+# Recommended production configuration
+uv run nextcloud-mcp-server \
+  --oauth \
+  --host 127.0.0.1 \
+  --port 8000 \
+  --log-level warning \
+  --transport streamable-http \
+  --workers 2
+```
+
+---
+
+## Troubleshooting
+
+### Server won't start
+
+Check logs for errors:
+```bash
+uv run nextcloud-mcp-server --log-level debug
+```
+
+Common issues:
+- Environment variables not loaded - See [Configuration](configuration.md#loading-environment-variables)
+- Port already in use - Try a different port with `--port`
+- OAuth configuration errors - See [Troubleshooting](troubleshooting.md)
+
+### Can't connect to server
+
+1. Verify server is running: `curl http://localhost:8000/health`
+2. Check firewall settings
+3. Verify host binding (use `0.0.0.0` to allow network access)
+4. Check OAuth authentication if enabled
+
+### OAuth authentication fails
+
+See [Troubleshooting OAuth](troubleshooting.md) for detailed OAuth troubleshooting.
+
+---
+
+## See Also
+
+- [Configuration Guide](configuration.md) - Environment variables
+- [OAuth Setup](oauth-setup.md) - OAuth authentication setup
+- [Troubleshooting](troubleshooting.md) - Common issues and solutions
+- [Installation](installation.md) - Installing the server
@@ -0,0 +1,12 @@
+# Tables App
+
+### Tables Tools
+
+| Tool | Description |
+|------|-------------|
+| `nc_tables_list_tables` | List all tables available to the user |
+| `nc_tables_get_schema` | Get the schema/structure of a specific table including columns and views |
+| `nc_tables_read_table` | Read rows from a table with optional pagination |
+| `nc_tables_insert_row` | Insert a new row into a table |
+| `nc_tables_update_row` | Update an existing row in a table |
+| `nc_tables_delete_row` | Delete a row from a table |
@@ -0,0 +1,556 @@
+# Troubleshooting
+
+This guide covers common issues and solutions for the Nextcloud MCP server.
+
+> **OAuth-specific issues?** See the dedicated [OAuth Troubleshooting Guide](oauth-troubleshooting.md) for OAuth authentication problems, OIDC discovery issues, token validation failures, and more.
+
+## OAuth Issues (Quick Reference)
+
+### Issue: "OAuth mode requires NEXTCLOUD_HOST environment variable"
+
+**Cause:** The `NEXTCLOUD_HOST` environment variable is not set or empty.
+
+**Solution:**
+
+```bash
+# Ensure NEXTCLOUD_HOST is set in your .env file
+echo "NEXTCLOUD_HOST=https://your.nextcloud.instance.com" >> .env
+
+# Load environment variables
+export $(grep -v '^#' .env | xargs)
+
+# Verify it's set
+echo $NEXTCLOUD_HOST
+```
+
+---
+
+### Issue: "OAuth mode requires either client credentials OR dynamic client registration"
+
+**Cause:** The required Nextcloud OIDC apps are either:
+1. Not installed (both `oidc` and `user_oidc` apps are required)
+2. Don't have dynamic client registration enabled
+3. Aren't providing a registration endpoint
+
+**Solution:**
+
+**Option 1: Enable dynamic client registration**
+
+1. Verify **both** OIDC apps are installed:
+   - Navigate to Nextcloud **Apps** → **Security**
+   - Install **"OIDC"** (OIDC Identity Provider app) if not present
+   - Install **"OpenID Connect user backend"** (user_oidc app) if not present
+
+2. Enable dynamic client registration:
+   - Go to **Settings** → **OIDC** (Administration)
+   - Enable "Allow dynamic client registration"
+
+3. Configure Bearer token validation:
+   ```bash
+   # Required for user_oidc app to validate tokens
+   php occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
+   ```
+
+3. Verify the registration endpoint exists:
+   ```bash
+   curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq '.registration_endpoint'
+   # Should output: "https://your.nextcloud.instance.com/apps/oidc/register"
+   ```
+
+**Option 2: Provide pre-configured credentials**
+
+Register a client and add credentials to `.env`:
+
+```bash
+# On your Nextcloud server
+php occ oidc:create \
+  --name="Nextcloud MCP Server" \
+  --type=confidential \
+  --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Add to .env
+echo "NEXTCLOUD_OIDC_CLIENT_ID=<from-output>" >> .env
+echo "NEXTCLOUD_OIDC_CLIENT_SECRET=<from-output>" >> .env
+```
+
+See [OAuth Setup Guide](oauth-setup.md) for detailed instructions.
+
+---
+
+### Issue: "Stored client has expired"
+
+**Cause:** Dynamically registered OAuth clients expire (default: 1 hour).
+
+**Solution:**
+
+**Option 1: Restart the server** (automatic re-registration)
+
+```bash
+# Server checks credentials at startup and re-registers if expired
+uv run nextcloud-mcp-server --oauth
+```
+
+**Option 2: Use pre-configured credentials** (recommended for production)
+
+```bash
+# Register permanent client via Nextcloud CLI
+php occ oidc:create \
+  --name="Nextcloud MCP Server" \
+  --type=confidential \
+  --redirect-uri="http://localhost:8000/oauth/callback"
+
+# Add to .env
+NEXTCLOUD_OIDC_CLIENT_ID=<from-output>
+NEXTCLOUD_OIDC_CLIENT_SECRET=<from-output>
+```
+
+**Option 3: Increase expiration time**
+
+```bash
+# Via Nextcloud occ command (default: 3600 seconds)
+php occ config:app:set oidc expire_time --value "86400"  # 24 hours
+```
+
+---
+
+### Issue: "HTTP 401 Unauthorized" when calling Nextcloud APIs
+
+**Cause:** OAuth Bearer tokens may not work with certain Nextcloud endpoints due to session handling in the CORS middleware.
+
+**Background:** The `user_oidc` app's CORS middleware interferes with Bearer token authentication for non-OCS endpoints (like Notes API). This affects app-specific APIs but not OCS APIs.
+
+**Solution:**
+
+A patch for the `user_oidc` app is required to fix Bearer token support. See [oauth2-bearer-token-session-issue.md](oauth2-bearer-token-session-issue.md) for:
+- Detailed explanation of the issue
+- Patch to apply to the `user_oidc` app
+- Link to upstream pull request
+
+**Affected endpoints:**
+- Notes API (`/apps/notes/api/`)
+- Other app-specific endpoints
+
+**Unaffected endpoints:**
+- OCS APIs (`/ocs/v2.php/`)
+- Capabilities endpoint
+
+---
+
+### Issue: "Permission denied" when reading/writing OAuth client credentials file
+
+**Cause:** The server cannot access the OAuth client storage file (default: `.nextcloud_oauth_client.json`).
+
+**Solution:**
+
+```bash
+# Check file permissions
+ls -la .nextcloud_oauth_client.json
+
+# Fix file permissions (should be 0600 - owner read/write only)
+chmod 600 .nextcloud_oauth_client.json
+
+# Ensure the directory is writable
+chmod 755 $(dirname .nextcloud_oauth_client.json)
+
+# If the file doesn't exist, ensure the directory is writable so it can be created
+mkdir -p $(dirname .nextcloud_oauth_client.json)
+```
+
+---
+
+### Issue: "OIDC discovery failed" or "Cannot reach OIDC discovery endpoint"
+
+**Cause:** The server cannot reach the Nextcloud OIDC discovery endpoint.
+
+**Solution:**
+
+1. Verify the Nextcloud URL is correct:
+   ```bash
+   echo $NEXTCLOUD_HOST
+   # Should be the full URL: https://your.nextcloud.instance.com
+   ```
+
+2. Test the discovery endpoint manually:
+   ```bash
+   curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+   # Should return JSON with OIDC configuration
+   ```
+
+3. Check network connectivity:
+   ```bash
+   ping your.nextcloud.instance.com
+   ```
+
+4. Verify **both** OIDC apps are installed and enabled in Nextcloud:
+   - `oidc` - OIDC Identity Provider
+   - `user_oidc` - OpenID Connect user backend
+
+5. Check firewall rules if using Docker
+
+---
+
+### Switching Between OAuth and BasicAuth
+
+#### To switch from BasicAuth to OAuth:
+
+```bash
+# 1. Remove or comment out USERNAME/PASSWORD in .env
+sed -i 's/^NEXTCLOUD_USERNAME/#NEXTCLOUD_USERNAME/' .env
+sed -i 's/^NEXTCLOUD_PASSWORD/#NEXTCLOUD_PASSWORD/' .env
+
+# 2. Ensure NEXTCLOUD_HOST is set
+grep NEXTCLOUD_HOST .env
+
+# 3. Restart server with OAuth
+export $(grep -v '^#' .env | xargs)
+uv run nextcloud-mcp-server --oauth
+```
+
+#### To switch from OAuth to BasicAuth:
+
+```bash
+# 1. Add USERNAME/PASSWORD to .env
+echo "NEXTCLOUD_USERNAME=your-username" >> .env
+echo "NEXTCLOUD_PASSWORD=your-password" >> .env
+
+# 2. Restart server (BasicAuth auto-detected, or use --no-oauth)
+export $(grep -v '^#' .env | xargs)
+uv run nextcloud-mcp-server --no-oauth
+```
+
+---
+
+### For More OAuth Help
+
+See the dedicated **[OAuth Troubleshooting Guide](oauth-troubleshooting.md)** for:
+- Bearer token authentication failures
+- PKCE validation errors
+- Token validation issues
+- Client registration problems
+- Advanced OAuth debugging
+- And much more...
+
+---
+
+## Configuration Issues
+
+### Issue: Environment variables not loaded
+
+**Cause:** Environment variables from `.env` file are not loaded into the shell.
+
+**Solution:**
+
+**On Linux/macOS:**
+```bash
+# Load all variables from .env
+export $(grep -v '^#' .env | xargs)
+
+# Verify variables are set
+env | grep NEXTCLOUD
+```
+
+**On Windows (PowerShell):**
+```powershell
+# Load variables from .env
+Get-Content .env | ForEach-Object {
+    if ($_ -match '^\s*([^#][^=]*)\s*=\s*(.*)$') {
+        [Environment]::SetEnvironmentVariable($matches[1].Trim(), $matches[2].Trim(), "Process")
+    }
+}
+
+# Verify variables are set
+Get-ChildItem Env:NEXTCLOUD*
+```
+
+**With Docker:**
+```bash
+# Docker automatically loads .env when using --env-file
+docker run -p 127.0.0.1:8000:8000 --env-file .env --rm \
+  ghcr.io/cbcoutinho/nextcloud-mcp-server:latest
+```
+
+---
+
+### Issue: ".env file not found"
+
+**Cause:** The `.env` file doesn't exist or is in the wrong location.
+
+**Solution:**
+
+```bash
+# Create .env from sample
+cp env.sample .env
+
+# Edit with your Nextcloud details
+nano .env  # or vim, code, etc.
+
+# Ensure you're in the correct directory when running commands
+pwd  # Should be in the project directory containing .env
+```
+
+---
+
+### Issue: "Invalid Nextcloud credentials"
+
+**Cause:** BasicAuth credentials are incorrect or the app password has been revoked.
+
+**Solution:**
+
+1. **Verify username:**
+   ```bash
+   # Username should match your Nextcloud login
+   echo $NEXTCLOUD_USERNAME
+   ```
+
+2. **Generate a new app password:**
+   - Log in to Nextcloud
+   - Go to **Settings** → **Security**
+   - Under "Devices & sessions", create a new app password
+   - Update `.env` with the new password
+
+3. **Test credentials manually:**
+   ```bash
+   curl -u "$NEXTCLOUD_USERNAME:$NEXTCLOUD_PASSWORD" \
+     "$NEXTCLOUD_HOST/ocs/v2.php/cloud/capabilities" \
+     -H "OCS-APIRequest: true"
+   # Should return XML with capabilities
+   ```
+
+---
+
+## Server Issues
+
+### Issue: "Address already in use" / Port conflict
+
+**Cause:** Another process is using port 8000.
+
+**Solution:**
+
+**Option 1: Use a different port**
+```bash
+uv run nextcloud-mcp-server --port 8080
+```
+
+**Option 2: Find and kill the process using the port**
+```bash
+# On Linux/macOS
+lsof -ti:8000 | xargs kill -9
+
+# On Windows
+netstat -ano | findstr :8000
+taskkill /PID <pid> /F
+```
+
+**Option 3: Stop other MCP server instances**
+```bash
+# Check for running instances
+ps aux | grep nextcloud-mcp-server
+
+# Kill specific process
+kill <pid>
+```
+
+---
+
+### Issue: Server starts but can't connect
+
+**Cause:** Server is bound to localhost only, or firewall is blocking connections.
+
+**Solution:**
+
+1. **Check server binding:**
+   ```bash
+   # Bind to all interfaces to allow network access
+   uv run nextcloud-mcp-server --host 0.0.0.0 --port 8000
+   ```
+
+2. **Test connectivity:**
+   ```bash
+   # Test from same machine
+   curl http://localhost:8000/health
+
+   # Test from network (if using --host 0.0.0.0)
+   curl http://<server-ip>:8000/health
+   ```
+
+3. **Check firewall:**
+   ```bash
+   # Linux (ufw)
+   sudo ufw allow 8000/tcp
+
+   # Linux (firewalld)
+   sudo firewall-cmd --add-port=8000/tcp --permanent
+   sudo firewall-cmd --reload
+   ```
+
+---
+
+### Issue: Server crashes or restarts frequently
+
+**Cause:** Various issues including memory limits, uncaught exceptions, or OAuth token expiration.
+
+**Solution:**
+
+1. **Check logs with debug level:**
+   ```bash
+   uv run nextcloud-mcp-server --log-level debug
+   ```
+
+2. **Monitor resource usage:**
+   ```bash
+   # Check memory and CPU
+   top -p $(pgrep -f nextcloud-mcp-server)
+   ```
+
+3. **Use process manager for automatic restart:**
+   ```bash
+   # With systemd (see Running guide for full config)
+   sudo systemctl restart nextcloud-mcp
+
+   # With Docker Compose (includes restart: unless-stopped)
+   docker-compose up -d
+   ```
+
+4. **Check for OAuth credential expiration** (if using dynamic registration):
+   - See ["Stored client has expired"](#issue-stored-client-has-expired) above
+
+---
+
+## Connection Issues
+
+### Issue: MCP client can't authenticate
+
+**Cause:** OAuth flow failing or credentials invalid.
+
+**Solution:**
+
+**For OAuth:**
+1. Verify OAuth is configured correctly:
+   ```bash
+   uv run nextcloud-mcp-server --oauth --log-level debug
+   # Look for "OAuth initialization complete"
+   ```
+
+2. Check that OIDC app is accessible:
+   ```bash
+   curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+   ```
+
+3. Verify MCP_SERVER_URL matches your setup:
+   ```bash
+   echo $NEXTCLOUD_MCP_SERVER_URL
+   # Should match the URL clients use to connect
+   ```
+
+**For BasicAuth:**
+1. Verify credentials work:
+   ```bash
+   curl -u "$NEXTCLOUD_USERNAME:$NEXTCLOUD_PASSWORD" \
+     "$NEXTCLOUD_HOST/ocs/v2.php/cloud/capabilities" \
+     -H "OCS-APIRequest: true"
+   ```
+
+---
+
+### Issue: Tools return errors or don't work
+
+**Cause:** Missing Nextcloud apps, incorrect permissions, or API issues.
+
+**Solution:**
+
+1. **Verify required Nextcloud apps are installed:**
+   - Notes: Install "Notes" app
+   - Calendar: Ensure CalDAV is enabled
+   - Contacts: Ensure CardDAV is enabled
+   - Deck: Install "Deck" app
+
+2. **Check user permissions:**
+   - Ensure the authenticated user has access to the resources
+   - Check sharing permissions for shared resources
+
+3. **Test API directly:**
+   ```bash
+   # Test Notes API
+   curl -u "$NEXTCLOUD_USERNAME:$NEXTCLOUD_PASSWORD" \
+     "$NEXTCLOUD_HOST/apps/notes/api/v1/notes"
+
+   # Test with OAuth Bearer token
+   curl -H "Authorization: Bearer $TOKEN" \
+     "$NEXTCLOUD_HOST/apps/notes/api/v1/notes"
+   ```
+
+4. **Check server logs for specific errors:**
+   ```bash
+   uv run nextcloud-mcp-server --log-level debug
+   ```
+
+---
+
+## Getting Help
+
+If you continue to experience issues:
+
+### 1. Enable Debug Logging
+
+```bash
+uv run nextcloud-mcp-server --log-level debug
+```
+
+Review the logs for specific error messages.
+
+### 2. Verify OIDC Configuration (OAuth mode)
+
+```bash
+# Check OIDC discovery
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration
+
+# Check registration endpoint exists
+curl https://your.nextcloud.instance.com/.well-known/openid-configuration | jq '.registration_endpoint'
+```
+
+### 3. Test Nextcloud API Access
+
+```bash
+# Test OCS API (should work with OAuth)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/ocs/v2.php/cloud/capabilities?format=json" \
+  -H "OCS-APIRequest: true"
+
+# Test app API (may need patch - see oauth2-bearer-token-session-issue.md)
+curl -H "Authorization: Bearer $TOKEN" \
+  "$NEXTCLOUD_HOST/apps/notes/api/v1/notes"
+```
+
+### 4. Check Versions
+
+```bash
+# MCP Server version
+uv run nextcloud-mcp-server --version
+
+# Python version
+python3 --version
+
+# Nextcloud version (check in admin panel)
+```
+
+### 5. Open an Issue
+
+If problems persist, open an issue on the [GitHub repository](https://github.com/cbcoutinho/nextcloud-mcp-server/issues) with:
+
+- **Server logs** (with `--log-level debug`)
+- **Nextcloud version**
+- **OIDC app version** (if using OAuth)
+- **Error messages**
+- **Steps to reproduce**
+- **Environment details** (OS, Python version, Docker vs local)
+
+---
+
+## See Also
+
+- **[OAuth Troubleshooting](oauth-troubleshooting.md)** - Dedicated OAuth troubleshooting guide
+- [OAuth Setup Guide](oauth-setup.md) - OAuth configuration
+- [OAuth Architecture](oauth-architecture.md) - How OAuth works
+- [Upstream Status](oauth-upstream-status.md) - Required patches and upstream PRs
+- [Configuration](configuration.md) - Environment variables
+- [Running the Server](running.md) - Server options
@@ -0,0 +1,62 @@
+# WebDAV support
+
+### WebDAV File System Tools
+
+| Tool | Description |
+|------|-------------|
+| `nc_webdav_list_directory` | List files and directories in any NextCloud path |
+| `nc_webdav_read_file` | Read file content (text files decoded, binary as base64) |
+| `nc_webdav_write_file` | Create or update files in NextCloud |
+| `nc_webdav_create_directory` | Create new directories |
+| `nc_webdav_delete_resource` | Delete files or directories |
+| `nc_webdav_move_resource` | Move or rename files and directories |
+| `nc_webdav_copy_resource` | Copy files and directories |
+
+### WebDAV File System Access
+
+The server provides complete file system access to your NextCloud instance, enabling you to:
+
+- Browse any directory structure
+- Read and write files of any type
+- Create and delete directories
+- Manage your NextCloud files directly through LLM interactions
+
+**Usage Examples:**
+
+```python
+# List files in root directory
+await nc_webdav_list_directory("")
+
+# Browse a specific folder
+await nc_webdav_list_directory("Documents/Projects")
+
+# Read a text file
+content = await nc_webdav_read_file("Documents/readme.txt")
+
+# Create a new directory
+await nc_webdav_create_directory("NewProject/docs")
+
+# Write content to a file
+await nc_webdav_write_file("NewProject/docs/notes.md", "# My Notes\n\nContent here...")
+
+# Delete a file or directory
+await nc_webdav_delete_resource("old_file.txt")
+
+# Move or rename a file
+await nc_webdav_move_resource("document.txt", "new_name.txt")
+
+# Move a file to another directory
+await nc_webdav_move_resource("document.txt", "Archive/document.txt")
+
+# Move a directory
+await nc_webdav_move_resource("Projects/OldProject", "Projects/NewProject")
+
+# Copy a file
+await nc_webdav_copy_resource("document.txt", "document_copy.txt")
+
+# Copy a file to another directory
+await nc_webdav_copy_resource("document.txt", "Backup/document.txt")
+
+# Copy a directory
+await nc_webdav_copy_resource("Projects/ProjectA", "Projects/ProjectA_Backup")
+```
@@ -1,3 +1,23 @@
+# Nextcloud Instance
 NEXTCLOUD_HOST=
+
+# ===== AUTHENTICATION MODE =====
+# Choose ONE of the following:
+
+# Option 1: OAuth2/OIDC (RECOMMENDED - More Secure)
+# - Requires Nextcloud OIDC app installed and configured
+# - Admin must enable "Dynamic Client Registration" in OIDC app settings
+# - Leave NEXTCLOUD_USERNAME and NEXTCLOUD_PASSWORD empty to use OAuth mode
+# - Optional: Pre-register client and provide credentials (otherwise auto-registers)
+NEXTCLOUD_OIDC_CLIENT_ID=
+NEXTCLOUD_OIDC_CLIENT_SECRET=
+NEXTCLOUD_OIDC_CLIENT_STORAGE=.nextcloud_oauth_client.json
+NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
+
+# Option 2: Basic Authentication (LEGACY - Less Secure)
+# - Requires username and password
+# - Credentials stored in environment variables
+# - Use only for backward compatibility or if OAuth unavailable
+# - If these are set, OAuth mode is disabled
 NEXTCLOUD_USERNAME=
 NEXTCLOUD_PASSWORD=
@@ -0,0 +1,609 @@
+import logging
+import os
+from collections.abc import AsyncIterator
+from contextlib import AsyncExitStack, asynccontextmanager
+from dataclasses import dataclass
+
+import click
+import uvicorn
+from mcp.server.auth.settings import AuthSettings
+from mcp.server.fastmcp import Context, FastMCP
+from pydantic import AnyHttpUrl
+from starlette.applications import Starlette
+from starlette.routing import Mount
+
+from nextcloud_mcp_server.auth import NextcloudTokenVerifier, load_or_register_client
+from nextcloud_mcp_server.client import NextcloudClient
+from nextcloud_mcp_server.config import setup_logging
+from nextcloud_mcp_server.context import get_client as get_nextcloud_client
+from nextcloud_mcp_server.server import (
+    configure_calendar_tools,
+    configure_contacts_tools,
+    configure_deck_tools,
+    configure_notes_tools,
+    configure_sharing_tools,
+    configure_tables_tools,
+    configure_webdav_tools,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def validate_pkce_support(discovery: dict, discovery_url: str) -> None:
+    """
+    Validate that the OIDC provider properly advertises PKCE support.
+
+    According to RFC 8414, if code_challenge_methods_supported is absent,
+    it means the authorization server does not support PKCE.
+
+    MCP clients require PKCE with S256 and will refuse to connect if this
+    field is missing or doesn't include S256.
+    """
+
+    code_challenge_methods = discovery.get("code_challenge_methods_supported")
+
+    if code_challenge_methods is None:
+        click.echo("=" * 80, err=True)
+        click.echo(
+            "ERROR: OIDC CONFIGURATION ERROR - Missing PKCE Support Advertisement",
+            err=True,
+        )
+        click.echo("=" * 80, err=True)
+        click.echo(f"Discovery URL: {discovery_url}", err=True)
+        click.echo("", err=True)
+        click.echo(
+            "The OIDC discovery document is missing 'code_challenge_methods_supported'.",
+            err=True,
+        )
+        click.echo(
+            "According to RFC 8414, this means the server does NOT support PKCE.",
+            err=True,
+        )
+        click.echo("", err=True)
+        click.echo("⚠️  MCP clients (like Claude Code) WILL REJECT this provider!")
+        click.echo("", err=True)
+        click.echo("How to fix:", err=True)
+        click.echo(
+            "  1. Ensure PKCE is enabled in Nextcloud OIDC app settings", err=True
+        )
+        click.echo(
+            "  2. Update the OIDC app to advertise PKCE support in discovery", err=True
+        )
+        click.echo("  3. See: RFC 8414 Section 2 (Authorization Server Metadata)")
+        click.echo("=" * 80, err=True)
+        click.echo("", err=True)
+        return
+
+    if "S256" not in code_challenge_methods:
+        click.echo("=" * 80, err=True)
+        click.echo(
+            "WARNING: OIDC CONFIGURATION WARNING - S256 Challenge Method Not Advertised",
+            err=True,
+        )
+        click.echo("=" * 80, err=True)
+        click.echo(f"Discovery URL: {discovery_url}", err=True)
+        click.echo(f"Advertised methods: {code_challenge_methods}", err=True)
+        click.echo("", err=True)
+        click.echo("MCP specification requires S256 code challenge method.", err=True)
+        click.echo("Some clients may reject this provider.", err=True)
+        click.echo("=" * 80, err=True)
+        click.echo("", err=True)
+        return
+
+    click.echo(f"✓ PKCE support validated: {code_challenge_methods}")
+
+
+@dataclass
+class AppContext:
+    """Application context for BasicAuth mode."""
+
+    client: NextcloudClient
+
+
+@dataclass
+class OAuthAppContext:
+    """Application context for OAuth mode."""
+
+    nextcloud_host: str
+    token_verifier: NextcloudTokenVerifier
+
+
+def is_oauth_mode() -> bool:
+    """
+    Determine if OAuth mode should be used.
+
+    OAuth mode is enabled when:
+    - NEXTCLOUD_USERNAME and NEXTCLOUD_PASSWORD are NOT set
+    - Or explicitly enabled via configuration
+
+    Returns:
+        True if OAuth mode, False if BasicAuth mode
+    """
+    username = os.getenv("NEXTCLOUD_USERNAME")
+    password = os.getenv("NEXTCLOUD_PASSWORD")
+
+    # If both username and password are set, use BasicAuth
+    if username and password:
+        logger.info(
+            "BasicAuth mode detected (NEXTCLOUD_USERNAME and NEXTCLOUD_PASSWORD set)"
+        )
+        return False
+
+    logger.info("OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)")
+    return True
+
+
+@asynccontextmanager
+async def app_lifespan_basic(server: FastMCP) -> AsyncIterator[AppContext]:
+    """
+    Manage application lifecycle for BasicAuth mode.
+
+    Creates a single Nextcloud client with basic authentication
+    that is shared across all requests.
+    """
+    logger.info("Starting MCP server in BasicAuth mode")
+    logger.info("Creating Nextcloud client with BasicAuth")
+
+    client = NextcloudClient.from_env()
+    logger.info("Client initialization complete")
+
+    try:
+        yield AppContext(client=client)
+    finally:
+        logger.info("Shutting down BasicAuth mode")
+        await client.close()
+
+
+@asynccontextmanager
+async def app_lifespan_oauth(server: FastMCP) -> AsyncIterator[OAuthAppContext]:
+    """
+    Manage application lifecycle for OAuth mode.
+
+    Initializes OAuth client registration and token verifier.
+    Does NOT create a Nextcloud client - clients are created per-request.
+    """
+    logger.info("Starting MCP server in OAuth mode")
+
+    nextcloud_host = os.getenv("NEXTCLOUD_HOST")
+    if not nextcloud_host:
+        raise ValueError("NEXTCLOUD_HOST environment variable is required")
+
+    nextcloud_host = nextcloud_host.rstrip("/")
+
+    # Get OAuth discovery endpoint
+    discovery_url = f"{nextcloud_host}/.well-known/openid-configuration"
+
+    try:
+        # Fetch OIDC discovery
+        import httpx
+
+        async with httpx.AsyncClient() as client:
+            response = await client.get(discovery_url)
+            response.raise_for_status()
+            discovery = response.json()
+
+        logger.info(f"OIDC discovery successful: {discovery_url}")
+
+        # Extract endpoints
+        userinfo_uri = discovery["userinfo_endpoint"]
+        registration_endpoint = discovery.get("registration_endpoint")
+
+        logger.info(f"Userinfo endpoint: {userinfo_uri}")
+
+        # Handle client registration
+        client_id = os.getenv("NEXTCLOUD_OIDC_CLIENT_ID")
+        client_secret = os.getenv("NEXTCLOUD_OIDC_CLIENT_SECRET")
+        storage_path = os.getenv(
+            "NEXTCLOUD_OIDC_CLIENT_STORAGE", ".nextcloud_oauth_client.json"
+        )
+
+        if client_id and client_secret:
+            logger.info("Using pre-configured OAuth client credentials")
+        elif registration_endpoint:
+            logger.info("Dynamic client registration available")
+            mcp_server_url = os.getenv(
+                "NEXTCLOUD_MCP_SERVER_URL", "http://localhost:8000"
+            )
+            redirect_uris = [f"{mcp_server_url}/oauth/callback"]
+
+            # Load or register client
+            client_info = await load_or_register_client(
+                nextcloud_url=nextcloud_host,
+                registration_endpoint=registration_endpoint,
+                storage_path=storage_path,
+                client_name="Nextcloud MCP Server",
+                redirect_uris=redirect_uris,
+            )
+
+            logger.info(f"OAuth client ready: {client_info.client_id[:16]}...")
+        else:
+            raise ValueError(
+                "OAuth mode requires either:\n"
+                "1. NEXTCLOUD_OIDC_CLIENT_ID and NEXTCLOUD_OIDC_CLIENT_SECRET, OR\n"
+                "2. Dynamic client registration enabled on Nextcloud OIDC app"
+            )
+
+        # Create token verifier
+        token_verifier = NextcloudTokenVerifier(
+            nextcloud_host=nextcloud_host, userinfo_uri=userinfo_uri
+        )
+
+        logger.info("OAuth initialization complete")
+
+        try:
+            yield OAuthAppContext(
+                nextcloud_host=nextcloud_host, token_verifier=token_verifier
+            )
+        finally:
+            logger.info("Shutting down OAuth mode")
+            await token_verifier.close()
+
+    except Exception as e:
+        logger.error(f"Failed to initialize OAuth mode: {e}")
+        raise
+
+
+async def setup_oauth_config():
+    """
+    Setup OAuth configuration by performing OIDC discovery and client registration.
+
+    This is done synchronously before FastMCP initialization because FastMCP
+    requires token_verifier at construction time.
+
+    Returns:
+        Tuple of (nextcloud_host, token_verifier, auth_settings)
+    """
+    nextcloud_host = os.getenv("NEXTCLOUD_HOST")
+    if not nextcloud_host:
+        raise ValueError(
+            "NEXTCLOUD_HOST environment variable is required for OAuth mode"
+        )
+
+    nextcloud_host = nextcloud_host.rstrip("/")
+    discovery_url = f"{nextcloud_host}/.well-known/openid-configuration"
+
+    logger.info(f"Performing OIDC discovery: {discovery_url}")
+
+    # Fetch OIDC discovery
+    import httpx
+
+    async with httpx.AsyncClient() as client:
+        response = await client.get(discovery_url)
+        response.raise_for_status()
+        discovery = response.json()
+
+    logger.info("OIDC discovery successful")
+
+    # Validate PKCE support
+    validate_pkce_support(discovery, discovery_url)
+
+    # Extract endpoints
+    issuer = discovery["issuer"]
+    userinfo_uri = discovery["userinfo_endpoint"]
+    registration_endpoint = discovery.get("registration_endpoint")
+
+    # Allow override of public issuer URL for clients
+    # (useful when MCP server accesses Nextcloud via internal URL
+    # but needs to advertise a different URL to clients)
+    public_issuer = os.getenv("NEXTCLOUD_PUBLIC_ISSUER_URL")
+    if public_issuer:
+        public_issuer = public_issuer.rstrip("/")
+        logger.info(f"Using public issuer URL for clients: {public_issuer}")
+        issuer = public_issuer
+
+    # Handle client registration
+    client_id = os.getenv("NEXTCLOUD_OIDC_CLIENT_ID")
+    client_secret = os.getenv("NEXTCLOUD_OIDC_CLIENT_SECRET")
+
+    if client_id and client_secret:
+        logger.info("Using pre-configured OAuth client credentials")
+    elif registration_endpoint:
+        logger.info("Dynamic client registration available")
+        storage_path = os.getenv(
+            "NEXTCLOUD_OIDC_CLIENT_STORAGE", ".nextcloud_oauth_client.json"
+        )
+        mcp_server_url = os.getenv("NEXTCLOUD_MCP_SERVER_URL", "http://localhost:8000")
+        redirect_uris = [f"{mcp_server_url}/oauth/callback"]
+
+        # Load or register client
+        client_info = await load_or_register_client(
+            nextcloud_url=nextcloud_host,
+            registration_endpoint=registration_endpoint,
+            storage_path=storage_path,
+            client_name="Nextcloud MCP Server",
+            redirect_uris=redirect_uris,
+        )
+
+        logger.info(f"OAuth client ready: {client_info.client_id[:16]}...")
+    else:
+        raise ValueError(
+            "OAuth mode requires either:\n"
+            "1. NEXTCLOUD_OIDC_CLIENT_ID and NEXTCLOUD_OIDC_CLIENT_SECRET, OR\n"
+            "2. Dynamic client registration enabled on Nextcloud OIDC app"
+        )
+
+    # Create token verifier
+    token_verifier = NextcloudTokenVerifier(
+        nextcloud_host=nextcloud_host, userinfo_uri=userinfo_uri
+    )
+
+    # Create auth settings
+    mcp_server_url = os.getenv("NEXTCLOUD_MCP_SERVER_URL", "http://localhost:8000")
+    auth_settings = AuthSettings(
+        issuer_url=AnyHttpUrl(issuer),
+        resource_server_url=AnyHttpUrl(mcp_server_url),
+        required_scopes=["openid", "profile"],
+    )
+
+    logger.info("OAuth configuration complete")
+
+    return nextcloud_host, token_verifier, auth_settings
+
+
+def get_app(transport: str = "sse", enabled_apps: list[str] | None = None):
+    setup_logging()
+
+    # Determine authentication mode
+    oauth_enabled = is_oauth_mode()
+
+    if oauth_enabled:
+        logger.info("Configuring MCP server for OAuth mode")
+        # Asynchronously get the OAuth configuration
+        import asyncio
+
+        nextcloud_host, token_verifier, auth_settings = asyncio.run(
+            setup_oauth_config()
+        )
+        mcp = FastMCP(
+            "Nextcloud MCP",
+            lifespan=app_lifespan_oauth,
+            token_verifier=token_verifier,
+            auth=auth_settings,
+        )
+    else:
+        logger.info("Configuring MCP server for BasicAuth mode")
+        mcp = FastMCP("Nextcloud MCP", lifespan=app_lifespan_basic)
+
+    @mcp.resource("nc://capabilities")
+    async def nc_get_capabilities():
+        """Get the Nextcloud Host capabilities"""
+        ctx: Context = mcp.get_context()
+        client = get_nextcloud_client(ctx)
+        return await client.capabilities()
+
+    # Define available apps and their configuration functions
+    available_apps = {
+        "notes": configure_notes_tools,
+        "tables": configure_tables_tools,
+        "webdav": configure_webdav_tools,
+        "sharing": configure_sharing_tools,
+        "calendar": configure_calendar_tools,
+        "contacts": configure_contacts_tools,
+        "deck": configure_deck_tools,
+    }
+
+    # If no specific apps are specified, enable all
+    if enabled_apps is None:
+        enabled_apps = list(available_apps.keys())
+
+    # Configure only the enabled apps
+    for app_name in enabled_apps:
+        if app_name in available_apps:
+            logger.info(f"Configuring {app_name} tools")
+            available_apps[app_name](mcp)
+        else:
+            logger.warning(
+                f"Unknown app: {app_name}. Available apps: {list(available_apps.keys())}"
+            )
+
+    if transport == "sse":
+        mcp_app = mcp.sse_app()
+        lifespan = None
+    elif transport in ("http", "streamable-http"):
+        mcp_app = mcp.streamable_http_app()
+
+        @asynccontextmanager
+        async def lifespan(app: Starlette):
+            async with AsyncExitStack() as stack:
+                await stack.enter_async_context(mcp.session_manager.run())
+                yield
+
+    app = Starlette(routes=[Mount("/", app=mcp_app)], lifespan=lifespan)
+
+    return app
+
+
+@click.command()
+@click.option(
+    "--host", "-h", default="127.0.0.1", show_default=True, help="Server host"
+)
+@click.option(
+    "--port", "-p", type=int, default=8000, show_default=True, help="Server port"
+)
+@click.option(
+    "--workers", "-w", type=int, default=None, help="Number of worker processes"
+)
+@click.option("--reload", "-r", is_flag=True, help="Enable auto-reload")
+@click.option(
+    "--log-level",
+    "-l",
+    default="info",
+    show_default=True,
+    type=click.Choice(["critical", "error", "warning", "info", "debug", "trace"]),
+    help="Logging level",
+)
+@click.option(
+    "--transport",
+    "-t",
+    default="sse",
+    show_default=True,
+    type=click.Choice(["sse", "streamable-http", "http"]),
+    help="MCP transport protocol",
+)
+@click.option(
+    "--enable-app",
+    "-e",
+    multiple=True,
+    type=click.Choice(["notes", "tables", "webdav", "calendar", "contacts", "deck"]),
+    help="Enable specific Nextcloud app APIs. Can be specified multiple times. If not specified, all apps are enabled.",
+)
+@click.option(
+    "--oauth/--no-oauth",
+    default=None,
+    help="Force OAuth mode (if enabled) or BasicAuth mode (if disabled). By default, auto-detected based on environment variables.",
+)
+@click.option(
+    "--oauth-client-id",
+    envvar="NEXTCLOUD_OIDC_CLIENT_ID",
+    help="OAuth client ID (can also use NEXTCLOUD_OIDC_CLIENT_ID env var)",
+)
+@click.option(
+    "--oauth-client-secret",
+    envvar="NEXTCLOUD_OIDC_CLIENT_SECRET",
+    help="OAuth client secret (can also use NEXTCLOUD_OIDC_CLIENT_SECRET env var)",
+)
+@click.option(
+    "--oauth-storage-path",
+    envvar="NEXTCLOUD_OIDC_CLIENT_STORAGE",
+    default=".nextcloud_oauth_client.json",
+    show_default=True,
+    help="Path to store OAuth client credentials (can also use NEXTCLOUD_OIDC_CLIENT_STORAGE env var)",
+)
+@click.option(
+    "--mcp-server-url",
+    envvar="NEXTCLOUD_MCP_SERVER_URL",
+    default="http://localhost:8000",
+    show_default=True,
+    help="MCP server URL for OAuth callbacks (can also use NEXTCLOUD_MCP_SERVER_URL env var)",
+)
+def run(
+    host: str,
+    port: int,
+    workers: int,
+    reload: bool,
+    log_level: str,
+    transport: str,
+    enable_app: tuple[str, ...],
+    oauth: bool | None,
+    oauth_client_id: str | None,
+    oauth_client_secret: str | None,
+    oauth_storage_path: str,
+    mcp_server_url: str,
+):
+    """
+    Run the Nextcloud MCP server.
+
+    \b
+    Authentication Modes:
+      - BasicAuth: Set NEXTCLOUD_USERNAME and NEXTCLOUD_PASSWORD
+      - OAuth: Leave USERNAME/PASSWORD unset (requires OIDC app enabled)
+
+    \b
+    Examples:
+      # BasicAuth mode (legacy)
+      $ nextcloud-mcp-server --host 0.0.0.0 --port 8000
+
+      # OAuth mode with auto-registration
+      $ nextcloud-mcp-server --oauth
+
+      # OAuth mode with pre-configured client
+      $ nextcloud-mcp-server --oauth --oauth-client-id=xxx --oauth-client-secret=yyy
+    """
+    # Set OAuth env vars from CLI options if provided
+    if oauth_client_id:
+        os.environ["NEXTCLOUD_OIDC_CLIENT_ID"] = oauth_client_id
+    if oauth_client_secret:
+        os.environ["NEXTCLOUD_OIDC_CLIENT_SECRET"] = oauth_client_secret
+    if oauth_storage_path:
+        os.environ["NEXTCLOUD_OIDC_CLIENT_STORAGE"] = oauth_storage_path
+    if mcp_server_url:
+        os.environ["NEXTCLOUD_MCP_SERVER_URL"] = mcp_server_url
+
+    # Force OAuth mode if explicitly requested
+    if oauth is True:
+        # Clear username/password to force OAuth mode
+        if "NEXTCLOUD_USERNAME" in os.environ:
+            click.echo(
+                "Warning: --oauth flag set, ignoring NEXTCLOUD_USERNAME", err=True
+            )
+            del os.environ["NEXTCLOUD_USERNAME"]
+        if "NEXTCLOUD_PASSWORD" in os.environ:
+            click.echo(
+                "Warning: --oauth flag set, ignoring NEXTCLOUD_PASSWORD", err=True
+            )
+            del os.environ["NEXTCLOUD_PASSWORD"]
+
+        # Validate OAuth configuration
+        nextcloud_host = os.getenv("NEXTCLOUD_HOST")
+        if not nextcloud_host:
+            raise click.ClickException(
+                "OAuth mode requires NEXTCLOUD_HOST environment variable to be set"
+            )
+
+        # Check if we have client credentials OR if dynamic registration is possible
+        has_client_creds = os.getenv("NEXTCLOUD_OIDC_CLIENT_ID") and os.getenv(
+            "NEXTCLOUD_OIDC_CLIENT_SECRET"
+        )
+
+        if not has_client_creds:
+            # No client credentials - will attempt dynamic registration
+            # Show helpful message before server starts
+            click.echo("", err=True)
+            click.echo("OAuth Configuration:", err=True)
+            click.echo("  Mode: Dynamic Client Registration", err=True)
+            click.echo("  Host: " + nextcloud_host, err=True)
+            click.echo(
+                "  Storage: "
+                + os.getenv(
+                    "NEXTCLOUD_OIDC_CLIENT_STORAGE", ".nextcloud_oauth_client.json"
+                ),
+                err=True,
+            )
+            click.echo("", err=True)
+            click.echo(
+                "Note: Make sure 'Dynamic Client Registration' is enabled", err=True
+            )
+            click.echo("      in your Nextcloud OIDC app settings.", err=True)
+            click.echo("", err=True)
+        else:
+            click.echo("", err=True)
+            click.echo("OAuth Configuration:", err=True)
+            click.echo("  Mode: Pre-configured Client", err=True)
+            click.echo("  Host: " + nextcloud_host, err=True)
+            click.echo(
+                "  Client ID: "
+                + os.getenv("NEXTCLOUD_OIDC_CLIENT_ID", "")[:16]
+                + "...",
+                err=True,
+            )
+            click.echo("", err=True)
+
+    elif oauth is False:
+        # Force BasicAuth mode - verify credentials exist
+        if not os.getenv("NEXTCLOUD_USERNAME") or not os.getenv("NEXTCLOUD_PASSWORD"):
+            raise click.ClickException(
+                "--no-oauth flag set but NEXTCLOUD_USERNAME or NEXTCLOUD_PASSWORD not set"
+            )
+
+    enabled_apps = list(enable_app) if enable_app else None
+
+    if reload or workers:
+        app = "nextcloud_mcp_server.app:get_app"
+        factory = True
+    else:
+        app = get_app(transport=transport, enabled_apps=enabled_apps)
+        factory = False
+
+    uvicorn.run(
+        app=app,
+        factory=factory,
+        host=host,
+        port=port,
+        reload=reload,
+        workers=workers,
+        log_level=log_level,
+    )
+
+
+if __name__ == "__main__":
+    run()
@@ -0,0 +1,14 @@
+"""OAuth authentication components for Nextcloud MCP server."""
+
+from .bearer_auth import BearerAuth
+from .client_registration import load_or_register_client, register_client
+from .context_helper import get_client_from_context
+from .token_verifier import NextcloudTokenVerifier
+
+__all__ = [
+    "BearerAuth",
+    "NextcloudTokenVerifier",
+    "register_client",
+    "load_or_register_client",
+    "get_client_from_context",
+]
@@ -0,0 +1,34 @@
+"""Bearer token authentication for httpx."""
+
+from httpx import Auth, Request
+
+
+class BearerAuth(Auth):
+    """
+    Bearer token authentication flow for httpx.
+
+    This auth class adds the Authorization: Bearer <token> header
+    to all outgoing requests.
+    """
+
+    def __init__(self, token: str):
+        """
+        Initialize bearer authentication.
+
+        Args:
+            token: The bearer token to use for authentication
+        """
+        self.token = token
+
+    def auth_flow(self, request: Request):
+        """
+        Add Authorization header to the request.
+
+        Args:
+            request: The outgoing HTTP request
+
+        Yields:
+            The modified request with Authorization header
+        """
+        request.headers["Authorization"] = f"Bearer {self.token}"
+        yield request
@@ -0,0 +1,260 @@
+"""Dynamic client registration for Nextcloud OIDC."""
+
+import json
+import logging
+import os
+import time
+from pathlib import Path
+from typing import Any
+
+import httpx
+
+logger = logging.getLogger(__name__)
+
+
+class ClientInfo:
+    """Client registration information."""
+
+    def __init__(
+        self,
+        client_id: str,
+        client_secret: str,
+        client_id_issued_at: int,
+        client_secret_expires_at: int,
+        redirect_uris: list[str],
+    ):
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.client_id_issued_at = client_id_issued_at
+        self.client_secret_expires_at = client_secret_expires_at
+        self.redirect_uris = redirect_uris
+
+    @property
+    def is_expired(self) -> bool:
+        """Check if the client has expired."""
+        return time.time() >= self.client_secret_expires_at
+
+    @property
+    def expires_soon(self) -> bool:
+        """Check if client expires within 5 minutes."""
+        return time.time() >= (self.client_secret_expires_at - 300)
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary for storage."""
+        return {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "client_id_issued_at": self.client_id_issued_at,
+            "client_secret_expires_at": self.client_secret_expires_at,
+            "redirect_uris": self.redirect_uris,
+        }
+
+    @classmethod
+    def from_dict(cls, data: dict[str, Any]) -> "ClientInfo":
+        """Create from dictionary."""
+        return cls(
+            client_id=data["client_id"],
+            client_secret=data["client_secret"],
+            client_id_issued_at=data["client_id_issued_at"],
+            client_secret_expires_at=data["client_secret_expires_at"],
+            redirect_uris=data["redirect_uris"],
+        )
+
+
+async def register_client(
+    nextcloud_url: str,
+    registration_endpoint: str,
+    client_name: str = "Nextcloud MCP Server",
+    redirect_uris: list[str] | None = None,
+    scopes: str = "openid profile email",
+) -> ClientInfo:
+    """
+    Register a new OAuth client with Nextcloud OIDC using dynamic client registration.
+
+    Args:
+        nextcloud_url: Base URL of the Nextcloud instance
+        registration_endpoint: Full URL to the registration endpoint
+        client_name: Name of the client application
+        redirect_uris: List of redirect URIs (default: http://localhost:8000/oauth/callback)
+        scopes: Space-separated list of scopes to request
+
+    Returns:
+        ClientInfo with registration details
+
+    Raises:
+        httpx.HTTPStatusError: If registration fails
+        ValueError: If response is invalid
+    """
+    if redirect_uris is None:
+        redirect_uris = ["http://localhost:8000/oauth/callback"]
+
+    client_metadata = {
+        "client_name": client_name,
+        "redirect_uris": redirect_uris,
+        "token_endpoint_auth_method": "client_secret_post",
+        "grant_types": ["authorization_code", "refresh_token"],
+        "response_types": ["code"],
+        "scope": scopes,
+    }
+
+    logger.info(f"Registering OAuth client with Nextcloud: {client_name}")
+    logger.debug(f"Registration endpoint: {registration_endpoint}")
+
+    async with httpx.AsyncClient(timeout=30.0) as client:
+        try:
+            response = await client.post(
+                registration_endpoint,
+                json=client_metadata,
+                headers={"Content-Type": "application/json"},
+            )
+            response.raise_for_status()
+
+            client_info = response.json()
+            logger.info(
+                f"Successfully registered client: {client_info.get('client_id')}"
+            )
+            logger.info(
+                f"Client expires at: {client_info.get('client_secret_expires_at')} "
+                f"(in {client_info.get('client_secret_expires_at', 0) - int(time.time())} seconds)"
+            )
+
+            return ClientInfo(
+                client_id=client_info["client_id"],
+                client_secret=client_info["client_secret"],
+                client_id_issued_at=client_info.get(
+                    "client_id_issued_at", int(time.time())
+                ),
+                client_secret_expires_at=client_info.get(
+                    "client_secret_expires_at", int(time.time()) + 3600
+                ),
+                redirect_uris=client_info.get("redirect_uris", redirect_uris),
+            )
+
+        except httpx.HTTPStatusError as e:
+            logger.error(f"Failed to register client: HTTP {e.response.status_code}")
+            logger.error(f"Response: {e.response.text}")
+            raise
+        except KeyError as e:
+            logger.error(f"Invalid response from registration endpoint: missing {e}")
+            raise ValueError(f"Invalid registration response: missing {e}")
+
+
+def load_client_from_file(storage_path: Path) -> ClientInfo | None:
+    """
+    Load client credentials from storage file.
+
+    Args:
+        storage_path: Path to the JSON file containing client credentials
+
+    Returns:
+        ClientInfo if file exists and is valid, None otherwise
+    """
+    if not storage_path.exists():
+        logger.debug(f"Client storage file not found: {storage_path}")
+        return None
+
+    try:
+        with open(storage_path, "r") as f:
+            data = json.load(f)
+
+        client_info = ClientInfo.from_dict(data)
+
+        if client_info.is_expired:
+            logger.warning(
+                f"Stored client has expired (expired at {client_info.client_secret_expires_at})"
+            )
+            return None
+
+        logger.info(f"Loaded client from storage: {client_info.client_id[:16]}...")
+        if client_info.expires_soon:
+            logger.warning("Client expires soon (within 5 minutes)")
+
+        return client_info
+
+    except (json.JSONDecodeError, KeyError, ValueError) as e:
+        logger.error(f"Failed to load client from file: {e}")
+        return None
+
+
+def save_client_to_file(client_info: ClientInfo, storage_path: Path):
+    """
+    Save client credentials to storage file.
+
+    Args:
+        client_info: Client information to save
+        storage_path: Path to save the JSON file
+
+    Raises:
+        OSError: If file cannot be written
+    """
+    try:
+        # Create directory if it doesn't exist
+        storage_path.parent.mkdir(parents=True, exist_ok=True)
+
+        # Write client info
+        with open(storage_path, "w") as f:
+            json.dump(client_info.to_dict(), f, indent=2)
+
+        # Set restrictive permissions (owner read/write only)
+        os.chmod(storage_path, 0o600)
+
+        logger.info(f"Saved client credentials to {storage_path}")
+
+    except OSError as e:
+        logger.error(f"Failed to save client credentials: {e}")
+        raise
+
+
+async def load_or_register_client(
+    nextcloud_url: str,
+    registration_endpoint: str,
+    storage_path: str | Path,
+    client_name: str = "Nextcloud MCP Server",
+    redirect_uris: list[str] | None = None,
+    force_register: bool = True,
+) -> ClientInfo:
+    """
+    Load client from storage or register a new one if not found/expired.
+
+    This function:
+    1. Checks for existing client credentials in storage
+    2. Validates the credentials are not expired
+    3. Registers a new client if needed
+    4. Saves the new client credentials
+
+    Args:
+        nextcloud_url: Base URL of the Nextcloud instance
+        registration_endpoint: Full URL to the registration endpoint
+        storage_path: Path to store client credentials
+        client_name: Name of the client application
+        redirect_uris: List of redirect URIs
+        force_register: Force registration even if valid credentials exist
+
+    Returns:
+        ClientInfo with valid credentials
+
+    Raises:
+        httpx.HTTPStatusError: If registration fails
+        ValueError: If response is invalid
+    """
+    storage_path = Path(storage_path)
+
+    # Try to load existing client unless forced to register
+    if not force_register:
+        client_info = load_client_from_file(storage_path)
+        if client_info:
+            return client_info
+
+    # Register new client
+    logger.info("Registering new OAuth client...")
+    client_info = await register_client(
+        nextcloud_url=nextcloud_url,
+        registration_endpoint=registration_endpoint,
+        client_name=client_name,
+        redirect_uris=redirect_uris,
+    )
+
+    # Save to storage
+    save_client_to_file(client_info, storage_path)
+
+    return client_info
@@ -0,0 +1,65 @@
+"""Helper functions for extracting OAuth context from MCP requests."""
+
+import logging
+
+from mcp.server.auth.provider import AccessToken
+from mcp.server.fastmcp import Context
+
+from ..client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+
+
+def get_client_from_context(ctx: Context, base_url: str) -> NextcloudClient:
+    """
+    Extract authenticated user context from MCP request and create NextcloudClient.
+
+    This function retrieves the OAuth access token from the MCP context,
+    extracts the username from the token's resource field (where we stored it
+    during token verification), and creates a NextcloudClient with bearer auth.
+
+    Args:
+        ctx: MCP request context containing session info
+        base_url: Nextcloud base URL
+
+    Returns:
+        NextcloudClient configured with bearer token auth
+
+    Raises:
+        AttributeError: If context doesn't contain expected OAuth session data
+        ValueError: If username cannot be extracted from token
+    """
+    try:
+        # In Starlette with FastMCP OAuth, the authenticated user info is stored in request.user
+        # The FastMCP auth middleware sets request.user to an AuthenticatedUser object
+        # which contains the access_token
+        if hasattr(ctx.request_context.request, "user") and hasattr(
+            ctx.request_context.request.user, "access_token"
+        ):
+            access_token: AccessToken = ctx.request_context.request.user.access_token
+            logger.debug("Retrieved access token from request.user for OAuth request")
+        else:
+            logger.error(
+                "OAuth authentication failed: No access token found in request"
+            )
+            raise AttributeError("No access token found in OAuth request context")
+
+        # Extract username from resource field (RFC 8707)
+        # We stored the username here during token verification
+        username = access_token.resource
+
+        if not username:
+            logger.error("No username found in access token resource field")
+            raise ValueError("Username not available in OAuth token context")
+
+        logger.debug(f"Creating OAuth NextcloudClient for user: {username}")
+
+        # Create client with bearer token
+        return NextcloudClient.from_token(
+            base_url=base_url, token=access_token.token, username=username
+        )
+
+    except AttributeError as e:
+        logger.error(f"Failed to extract OAuth context: {e}")
+        logger.error("This may indicate the server is not running in OAuth mode")
+        raise
@@ -0,0 +1,207 @@
+"""Token verification using Nextcloud OIDC userinfo endpoint."""
+
+import logging
+import time
+from typing import Any
+
+import httpx
+from mcp.server.auth.provider import AccessToken, TokenVerifier
+
+logger = logging.getLogger(__name__)
+
+
+class NextcloudTokenVerifier(TokenVerifier):
+    """
+    Validates access tokens using Nextcloud OIDC userinfo endpoint.
+
+    This verifier:
+    1. Calls the userinfo endpoint with the bearer token
+    2. Caches successful responses to avoid repeated API calls
+    3. Extracts username from the 'sub' or 'preferred_username' claim
+    4. Optionally supports JWT validation for performance (future enhancement)
+
+    The userinfo endpoint validates the token and returns user claims if valid,
+    or returns HTTP 400/401 if the token is invalid or expired.
+    """
+
+    def __init__(
+        self,
+        nextcloud_host: str,
+        userinfo_uri: str,
+        cache_ttl: int = 3600,
+    ):
+        """
+        Initialize the token verifier.
+
+        Args:
+            nextcloud_host: Base URL of the Nextcloud instance (e.g., https://cloud.example.com)
+            userinfo_uri: Full URL to the userinfo endpoint
+            cache_ttl: Time-to-live for cached tokens in seconds (default: 3600)
+        """
+        self.nextcloud_host = nextcloud_host.rstrip("/")
+        self.userinfo_uri = userinfo_uri
+        self.cache_ttl = cache_ttl
+
+        # Cache: token -> (userinfo, expiry_timestamp)
+        self._token_cache: dict[str, tuple[dict[str, Any], float]] = {}
+
+        # HTTP client for userinfo requests
+        self._client = httpx.AsyncClient(timeout=10.0)
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        """
+        Verify a bearer token by calling the userinfo endpoint.
+
+        This method:
+        1. Checks the cache first for recent validations
+        2. Calls the userinfo endpoint if not cached
+        3. Returns AccessToken with username stored in metadata
+
+        Args:
+            token: The bearer token to verify
+
+        Returns:
+            AccessToken if valid, None if invalid or expired
+        """
+        # Check cache first
+        cached = self._get_cached_token(token)
+        if cached:
+            logger.debug("Token found in cache")
+            return cached
+
+        # Validate via userinfo endpoint
+        try:
+            return await self._verify_via_userinfo(token)
+        except Exception as e:
+            logger.warning(f"Token verification failed: {e}")
+            return None
+
+    async def _verify_via_userinfo(self, token: str) -> AccessToken | None:
+        """
+        Validate token by calling the userinfo endpoint.
+
+        Args:
+            token: The bearer token to verify
+
+        Returns:
+            AccessToken if valid, None otherwise
+        """
+        try:
+            response = await self._client.get(
+                self.userinfo_uri, headers={"Authorization": f"Bearer {token}"}
+            )
+
+            if response.status_code == 200:
+                userinfo = response.json()
+                logger.debug(
+                    f"Token validated successfully for user: {userinfo.get('sub')}"
+                )
+
+                # Cache the result
+                expiry = time.time() + self.cache_ttl
+                self._token_cache[token] = (userinfo, expiry)
+
+                # Create AccessToken with username in resource field (workaround for MCP SDK)
+                username = userinfo.get("sub") or userinfo.get("preferred_username")
+                if not username:
+                    logger.error("No username found in userinfo response")
+                    return None
+
+                return AccessToken(
+                    token=token,
+                    client_id="",  # Not available from userinfo
+                    scopes=self._extract_scopes(userinfo),
+                    expires_at=int(expiry),
+                    resource=username,  # Store username in resource field (RFC 8707)
+                )
+
+            elif response.status_code in (400, 401, 403):
+                logger.info(f"Token validation failed: HTTP {response.status_code}")
+                return None
+            else:
+                logger.warning(
+                    f"Unexpected response from userinfo: {response.status_code}"
+                )
+                return None
+
+        except httpx.TimeoutException:
+            logger.error("Timeout while validating token via userinfo endpoint")
+            return None
+        except httpx.RequestError as e:
+            logger.error(f"Network error while validating token: {e}")
+            return None
+        except Exception as e:
+            logger.error(f"Unexpected error during token validation: {e}")
+            return None
+
+    def _get_cached_token(self, token: str) -> AccessToken | None:
+        """
+        Retrieve a token from cache if not expired.
+
+        Args:
+            token: The bearer token to look up
+
+        Returns:
+            AccessToken if cached and valid, None otherwise
+        """
+        if token not in self._token_cache:
+            return None
+
+        userinfo, expiry = self._token_cache[token]
+
+        # Check if expired
+        if time.time() >= expiry:
+            logger.debug("Cached token expired, removing from cache")
+            del self._token_cache[token]
+            return None
+
+        # Return cached AccessToken
+        username = userinfo.get("sub") or userinfo.get("preferred_username")
+        return AccessToken(
+            token=token,
+            client_id="",
+            scopes=self._extract_scopes(userinfo),
+            expires_at=int(expiry),
+            resource=username,
+        )
+
+    def _extract_scopes(self, userinfo: dict[str, Any]) -> list[str]:
+        """
+        Extract scopes from userinfo response.
+
+        Since the userinfo response doesn't include the original scopes,
+        we infer them from the claims present in the response.
+
+        Args:
+            userinfo: The userinfo response dictionary
+
+        Returns:
+            List of inferred scopes
+        """
+        scopes = ["openid"]  # Always present
+
+        if "email" in userinfo:
+            scopes.append("email")
+
+        if any(
+            key in userinfo for key in ["name", "given_name", "family_name", "picture"]
+        ):
+            scopes.append("profile")
+
+        if "roles" in userinfo:
+            scopes.append("roles")
+
+        if "groups" in userinfo:
+            scopes.append("groups")
+
+        return scopes
+
+    def clear_cache(self):
+        """Clear the token cache."""
+        self._token_cache.clear()
+        logger.debug("Token cache cleared")
+
+    async def close(self):
+        """Cleanup resources."""
+        await self._client.aclose()
+        logger.debug("Token verifier closed")
@@ -1,34 +1,58 @@
+import logging
 import os
+
 from httpx import (
+    AsyncBaseTransport,
    AsyncClient,
+    AsyncHTTPTransport,
    Auth,
    BasicAuth,
    Request,
    Response,
 )
-import logging

-from .notes import NotesClient
-from .webdav import WebDAVClient
-from .tables import TablesClient
 from ..controllers.notes_search import NotesSearchController
+from .calendar import CalendarClient
+from .contacts import ContactsClient
+from .deck import DeckClient
+from .groups import GroupsClient
+from .notes import NotesClient
+from .sharing import SharingClient
+from .tables import TablesClient
+from .webdav import WebDAVClient
+from .users import UsersClient

 logger = logging.getLogger(__name__)


-def log_request(request: Request):
-    logger.info(
+async def log_request(request: Request):
+    logger.debug(
        "Request event hook: %s %s - Waiting for content",
        request.method,
        request.url,
    )
-    logger.info("Request body: %s", request.content)
-    logger.info("Headers: %s", request.headers)
+    logger.debug("Request body: %s", request.content)
+    logger.debug("Headers: %s", request.headers)


-def log_response(response: Response):
-    response.read()  # Explicitly read the stream before accessing .text
-    logger.info("Response [%s] %s", response.status_code, response.text)
+async def log_response(response: Response):
+    await response.aread()
+    logger.debug("Response [%s] %s", response.status_code, response.text)
+
+
+class AsyncDisableCookieTransport(AsyncBaseTransport):
+    """This Transport disable cookies from accumulating in the httpx AsyncClient
+
+    Thanks to: https://github.com/encode/httpx/issues/2992#issuecomment-2133258994
+    """
+
+    def __init__(self, transport: AsyncBaseTransport):
+        self.transport = transport
+
+    async def handle_async_request(self, request: Request) -> Response:
+        response = await self.transport.handle_async_request(request)
+        response.headers.pop("set-cookie", None)
+        return response


 class NextcloudClient:
@@ -39,13 +63,20 @@ class NextcloudClient:
        self._client = AsyncClient(
            base_url=base_url,
            auth=auth,
-            # event_hooks={"request": [log_request], "response": [log_response]},
+            transport=AsyncDisableCookieTransport(AsyncHTTPTransport()),
+            event_hooks={"request": [log_request], "response": [log_response]},
        )

        # Initialize app clients
        self.notes = NotesClient(self._client, username)
        self.webdav = WebDAVClient(self._client, username)
        self.tables = TablesClient(self._client, username)
+        self.calendar = CalendarClient(self._client, username)
+        self.contacts = ContactsClient(self._client, username)
+        self.deck = DeckClient(self._client, username)
+        self.users = UsersClient(self._client, username)
+        self.groups = GroupsClient(self._client, username)
+        self.sharing = SharingClient(self._client, username)

        # Initialize controllers
        self._notes_search = NotesSearchController()
@@ -60,6 +91,23 @@ class NextcloudClient:
        # Pass username to constructor
        return cls(base_url=host, username=username, auth=BasicAuth(username, password))

+    @classmethod
+    def from_token(cls, base_url: str, token: str, username: str):
+        """Create NextcloudClient with OAuth bearer token.
+
+        Args:
+            base_url: Nextcloud base URL
+            token: OAuth access token
+            username: Nextcloud username
+
+        Returns:
+            NextcloudClient configured with bearer token authentication
+        """
+        from ..auth import BearerAuth
+
+        logger.info(f"Creating NC Client for user '{username}' using OAuth token")
+        return cls(base_url=base_url, username=username, auth=BearerAuth(token))
+
    async def capabilities(self):
        response = await self._client.get(
            "/ocs/v2.php/cloud/capabilities",
@@ -1,12 +1,74 @@
 """Base client for Nextcloud operations with shared authentication."""

-from abc import ABC
-from httpx import AsyncClient
 import logging
+import time
+from abc import ABC
+from functools import wraps
+
+from httpx import AsyncClient, HTTPStatusError, RequestError, codes

 logger = logging.getLogger(__name__)


+def retry_on_429(func):
+    """This decorator handles the 429 response from REST APIs
+
+    The `func` is assumed to be a method that is similar to `httpx.Client.get`,
+    and returns an `httpx.Response` object. In the case of `Too Many Requests` HTTP
+    response, the function will wait for a couple of seconds and retry the request.
+    """
+
+    MAX_RETRIES = 5
+
+    @wraps(func)
+    async def wrapper(*args, **kwargs):
+        retries = 0
+
+        while retries < MAX_RETRIES:
+            try:
+                # Make GET API call
+                retries += 1
+                response = await func(*args, **kwargs)
+                break
+
+            except HTTPStatusError as e:
+                # If we get a '429 Client Error: Too Many Requests'
+                # error we wait a couple of seconds and do a retry
+                if e.response.status_code == codes.TOO_MANY_REQUESTS:
+                    logger.warning(
+                        f"429 Client Error: Too Many Requests, Number of attempts: {retries}"
+                    )
+                    time.sleep(5)
+                elif e.response.status_code == 404:
+                    # 404 errors are often expected (e.g., checking if attachments exist)
+                    # Log as debug instead of warning
+                    logger.debug(
+                        f"HTTPStatusError {e.response.status_code}: {e}, Number of attempts: {retries}"
+                    )
+                    raise
+                else:
+                    logger.warning(
+                        f"HTTPStatusError {e.response.status_code}: {e}, Number of attempts: {retries}"
+                    )
+                    raise
+            except RequestError as e:
+                logger.warning(
+                    f"RequestError {e.request.url}: {e}, Number of attempts: {retries}"
+                )
+                raise
+
+        # If for loop ends without break statement
+        else:
+            logger.warning("All API call retries failed")
+            raise RuntimeError(
+                f"Maximum number of retries ({MAX_RETRIES}) exceeded without success"
+            )
+
+        return response
+
+    return wrapper
+
+
 class BaseNextcloudClient(ABC):
    """Base class for all Nextcloud app clients."""

@@ -24,6 +86,7 @@ class BaseNextcloudClient(ABC):
        """Helper to get the base WebDAV path for the authenticated user."""
        return f"/remote.php/dav/files/{self.username}"

+    @retry_on_429
    async def _make_request(self, method: str, url: str, **kwargs):
        """Common request wrapper with logging and error handling.

@@ -0,0 +1,438 @@
+"""CardDAV client for NextCloud contacts operations."""
+
+import logging
+import xml.etree.ElementTree as ET
+
+from pythonvCard4.vcard import Contact
+
+from .base import BaseNextcloudClient
+
+logger = logging.getLogger(__name__)
+
+
+class ContactsClient(BaseNextcloudClient):
+    """Client for NextCloud CardDAV contact operations."""
+
+    def _get_carddav_base_path(self) -> str:
+        """Helper to get the base CardDAV path for contacts."""
+        return f"/remote.php/dav/addressbooks/users/{self.username}"
+
+    async def list_addressbooks(self):
+        """List all available addressbooks for the user."""
+
+        carddav_path = self._get_carddav_base_path()
+
+        propfind_body = """<?xml version="1.0" encoding="utf-8"?>
+        <d:propfind xmlns:d="DAV:" xmlns:cs="http://calendarserver.org/ns/">
+            <d:prop>
+                <d:displayname/>
+                <d:getctag />
+            </d:prop>
+        </d:propfind>"""
+
+        headers = {
+            # "Depth": "0",
+            "Content-Type": "application/xml",
+            "Accept": "application/xml",
+        }
+
+        response = await self._make_request(
+            "PROPFIND", carddav_path, content=propfind_body, headers=headers
+        )
+
+        ns = {"d": "DAV:"}
+
+        # logger.info(response.content)
+        root = ET.fromstring(response.content)
+        addressbooks = []
+        for response_elem in root.findall(".//d:response", ns):
+            href = response_elem.find(".//d:href", ns)
+            if href is None:
+                continue
+
+            href_text = href.text or ""
+            if not href_text.endswith("/"):
+                continue  # Skip non-addressbook resources
+
+            # Extract addressbook name from href
+            addressbook_name = href_text.rstrip("/").split("/")[-1]
+            if not addressbook_name or addressbook_name == self.username:
+                continue
+
+            # Get properties
+            propstat = response_elem.find(".//d:propstat", ns)
+            if propstat is None:
+                continue
+
+            prop = propstat.find(".//d:prop", ns)
+            if prop is None:
+                continue
+
+            displayname_elem = prop.find(".//d:displayname", ns)
+            displayname = (
+                displayname_elem.text
+                if displayname_elem is not None
+                else addressbook_name
+            )
+
+            getctag_elem = prop.find(".//d:getctag", ns)
+            getctag = getctag_elem.text if getctag_elem is not None else None
+
+            addressbooks.append(
+                {
+                    "name": addressbook_name,
+                    "display_name": displayname,
+                    "getctag": getctag,
+                }
+            )
+
+        logger.debug(f"Found {len(addressbooks)} addressbooks")
+        return addressbooks
+
+    async def create_addressbook(self, *, name: str, display_name: str):
+        """Create a new addressbook."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{name}/"
+
+        prop_body = f"""<?xml version="1.0" encoding="utf-8"?>
+        <d:mkcol xmlns:d="DAV:" xmlns:c="urn:ietf:params:xml:ns:carddav">
+            <d:set>
+                <d:prop>
+                    <d:resourcetype>
+                        <d:collection/>
+                        <c:addressbook/>
+                    </d:resourcetype>
+                    <d:displayname>{display_name}</d:displayname>
+                </d:prop>
+            </d:set>
+        </d:mkcol>"""
+
+        headers = {
+            "Content-Type": "application/xml",
+        }
+
+        await self._make_request("MKCOL", url, content=prop_body, headers=headers)
+
+    async def delete_addressbook(self, *, name: str):
+        """Delete an addressbook."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{name}/"
+        await self._make_request("DELETE", url)
+
+    async def create_contact(self, *, addressbook: str, uid: str, contact_data: dict):
+        """Create a new contact."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{addressbook}/{uid}.vcf"
+
+        contact = Contact(fn=contact_data.get("fn"), uid=uid)
+        if "email" in contact_data:
+            contact.email = [{"value": contact_data["email"], "type": ["HOME"]}]
+        if "tel" in contact_data:
+            contact.tel = [{"value": contact_data["tel"], "type": ["HOME"]}]
+
+        vcard = contact.to_vcard()
+
+        headers = {
+            "Content-Type": "text/vcard; charset=utf-8",
+            "If-None-Match": "*",
+        }
+
+        await self._make_request("PUT", url, content=vcard, headers=headers)
+
+    async def delete_contact(self, *, addressbook: str, uid: str):
+        """Delete a contact."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{addressbook}/{uid}.vcf"
+        await self._make_request("DELETE", url)
+
+    async def update_contact(
+        self, *, addressbook: str, uid: str, contact_data: dict, etag: str = ""
+    ):
+        """Update an existing contact while preserving all existing properties."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{addressbook}/{uid}.vcf"
+
+        # Get raw vCard content to preserve all properties including extended ones
+        raw_vcard_content = ""
+        if not etag:
+            try:
+                raw_vcard_content, current_etag = await self._get_raw_vcard(
+                    addressbook, uid
+                )
+                etag = current_etag
+            except Exception:
+                # Fall back to creating new vCard if we can't get existing
+                logger.warning(
+                    f"Could not fetch existing vCard for {uid}, creating new"
+                )
+                raw_vcard_content = ""
+
+        # Create updated vCard preserving existing properties
+        if raw_vcard_content:
+            vcard_content = self._merge_vcard_properties(
+                raw_vcard_content, contact_data, uid
+            )
+        else:
+            # Fallback to creating new vCard if we couldn't get existing
+            contact = Contact(fn=contact_data.get("fn"), uid=uid)
+            if "email" in contact_data:
+                contact.email = [{"value": contact_data["email"], "type": ["HOME"]}]
+            if "tel" in contact_data:
+                contact.tel = [{"value": contact_data["tel"], "type": ["HOME"]}]
+            vcard_content = contact.to_vcard()
+
+        headers = {
+            "Content-Type": "text/vcard; charset=utf-8",
+        }
+        if etag:
+            headers["If-Match"] = etag
+
+        await self._make_request("PUT", url, content=vcard_content, headers=headers)
+
+    async def list_contacts(self, *, addressbook: str):
+        """List all available contacts for addressbook."""
+
+        carddav_path = self._get_carddav_base_path()
+
+        report_body = """<?xml version="1.0" encoding="utf-8"?>
+        <card:addressbook-query xmlns:d="DAV:" xmlns:card="urn:ietf:params:xml:ns:carddav">
+            <d:prop>
+                <d:getetag />
+                <card:address-data />
+            </d:prop>
+        </card:addressbook-query>"""
+
+        headers = {
+            "Depth": "1",
+            "Content-Type": "application/xml",
+            "Accept": "application/xml",
+        }
+
+        response = await self._make_request(
+            "REPORT",
+            f"{carddav_path}/{addressbook}",
+            content=report_body,
+            headers=headers,
+        )
+
+        ns = {"d": "DAV:", "card": "urn:ietf:params:xml:ns:carddav"}
+
+        # logger.info(response.text)
+        root = ET.fromstring(response.content)
+        contacts = []
+        for response_elem in root.findall(".//d:response", ns):
+            href = response_elem.find(".//d:href", ns)
+            if href is None:
+                logger.info("Skip missing href")
+                continue
+
+            href_text = href.text or ""
+            # logger.info("Href text: %s", href_text)
+            # if not href_text.endswith("/"):
+            # logger.info("# Skip non-addressbook resources")
+            # continue
+
+            # Extract vcard id from href
+            vcard_id = href_text.rstrip("/").split("/")[-1]
+            if not vcard_id:
+                logger.info("Skip missing vcard_id")
+                continue
+            vcard_id = vcard_id.replace(".vcf", "")
+
+            # Get properties
+            propstat = response_elem.find(".//d:propstat", ns)
+            if propstat is None:
+                logger.info("Skip missing propstat")
+                continue
+
+            prop = propstat.find(".//d:prop", ns)
+            if prop is None:
+                logger.info("Skip missing prop")
+                continue
+
+            getetag_elem = prop.find(".//d:getetag", ns)
+            getetag = getetag_elem.text if getetag_elem is not None else None
+
+            addressdata_elem = prop.find(".//card:address-data", ns)
+            addressdata = (
+                addressdata_elem.text if addressdata_elem is not None else None
+            )
+            if addressdata is None:
+                logger.info("Skip missing addressdata")
+                continue
+
+            contact = Contact.from_vcard(addressdata)
+
+            contacts.append(
+                {
+                    "vcard_id": vcard_id,
+                    "getetag": getetag,
+                    "contact": {
+                        "fullname": contact.fn,
+                        "nickname": contact.nickname,
+                        "birthday": contact.bday,
+                        "email": contact.email,
+                    },
+                    "addressdata": addressdata,
+                }
+            )
+
+        logger.debug(f"Found {len(contacts)} contacts")
+        return contacts
+
+    async def _get_raw_vcard(self, addressbook: str, uid: str) -> tuple[str, str]:
+        """Get raw vCard content for a contact without parsing."""
+        carddav_path = self._get_carddav_base_path()
+        url = f"{carddav_path}/{addressbook}/{uid}.vcf"
+
+        try:
+            response = await self._make_request("GET", url)
+            etag = response.headers.get("etag", "")
+            return response.text, etag
+        except Exception as e:
+            logger.error(f"Error getting raw vCard for {uid}: {e}")
+            raise
+
+    def _merge_vcard_properties(
+        self, raw_vcard: str, contact_data: dict, uid: str
+    ) -> str:
+        """Merge new contact data into existing raw vCard while preserving all properties."""
+        try:
+            # Instead of using pythonvCard4 which has formatting issues,
+            # let's do a simple text-based merge to preserve exact formatting
+
+            # Start with the original vCard
+            lines = raw_vcard.strip().split("\n")
+            updated_lines = []
+
+            # Track what we've updated to avoid duplicates
+            updated_properties = set()
+
+            for line in lines:
+                line = line.strip()
+                if not line:
+                    continue
+
+                # Skip the END:VCARD line for now
+                if line == "END:VCARD":
+                    continue
+
+                property_name = line.split(":")[0].split(";")[0]
+
+                # Handle updates for specific properties
+                if property_name == "FN" and "fn" in contact_data:
+                    updated_lines.append(f"FN:{contact_data['fn']}")
+                    updated_properties.add("fn")
+                elif property_name == "EMAIL" and "email" in contact_data:
+                    # Replace first email with new one, preserve others
+                    if "email" not in updated_properties:
+                        if isinstance(contact_data["email"], str):
+                            # Try to preserve the original format as much as possible
+                            if ";TYPE=" in line:
+                                type_part = line.split(";TYPE=")[1].split(":")[0]
+                                updated_lines.append(
+                                    f"EMAIL;TYPE={type_part}:{contact_data['email']}"
+                                )
+                            else:
+                                updated_lines.append(f"EMAIL:{contact_data['email']}")
+                        updated_properties.add("email")
+                    else:
+                        # Keep additional emails unchanged
+                        updated_lines.append(line)
+                elif property_name == "TEL" and "tel" in contact_data:
+                    # Similar handling for phone numbers
+                    if "tel" not in updated_properties:
+                        if isinstance(contact_data["tel"], str):
+                            if ";TYPE=" in line:
+                                type_part = line.split(";TYPE=")[1].split(":")[0]
+                                updated_lines.append(
+                                    f"TEL;TYPE={type_part}:{contact_data['tel']}"
+                                )
+                            else:
+                                updated_lines.append(f"TEL:{contact_data['tel']}")
+                        updated_properties.add("tel")
+                    else:
+                        # Keep additional phone numbers unchanged
+                        updated_lines.append(line)
+                elif property_name == "NOTE" and "note" in contact_data:
+                    updated_lines.append(f"NOTE:{contact_data['note']}")
+                    updated_properties.add("note")
+                elif property_name == "NICKNAME" and "nickname" in contact_data:
+                    nickname_value = contact_data["nickname"]
+                    if isinstance(nickname_value, list):
+                        nickname_value = ",".join(nickname_value)
+                    updated_lines.append(f"NICKNAME:{nickname_value}")
+                    updated_properties.add("nickname")
+                elif property_name == "BDAY" and "bday" in contact_data:
+                    updated_lines.append(f"BDAY:{contact_data['bday']}")
+                    updated_properties.add("bday")
+                elif property_name == "CATEGORIES" and "categories" in contact_data:
+                    categories_value = contact_data["categories"]
+                    if isinstance(categories_value, list):
+                        categories_value = ",".join(categories_value)
+                    updated_lines.append(f"CATEGORIES:{categories_value}")
+                    updated_properties.add("categories")
+                elif property_name == "ORG" and (
+                    "org" in contact_data or "organization" in contact_data
+                ):
+                    org_value = contact_data.get("org") or contact_data.get(
+                        "organization"
+                    )
+                    updated_lines.append(f"ORG:{org_value}")
+                    updated_properties.add("org")
+                elif property_name == "TITLE" and "title" in contact_data:
+                    updated_lines.append(f"TITLE:{contact_data['title']}")
+                    updated_properties.add("title")
+                else:
+                    # Keep all other properties unchanged (preserves all extended/custom fields)
+                    updated_lines.append(line)
+
+            # Add any new properties that weren't in the original vCard
+            for key, value in contact_data.items():
+                if key not in updated_properties:
+                    if key == "fn":
+                        updated_lines.append(f"FN:{value}")
+                    elif key == "email" and isinstance(value, str):
+                        updated_lines.append(f"EMAIL:{value}")
+                    elif key == "tel" and isinstance(value, str):
+                        updated_lines.append(f"TEL:{value}")
+                    elif key == "note":
+                        updated_lines.append(f"NOTE:{value}")
+                    elif key == "nickname":
+                        nickname_value = (
+                            value if isinstance(value, str) else ",".join(value)
+                        )
+                        updated_lines.append(f"NICKNAME:{nickname_value}")
+                    elif key == "bday":
+                        updated_lines.append(f"BDAY:{value}")
+                    elif key == "categories":
+                        categories_value = (
+                            value if isinstance(value, str) else ",".join(value)
+                        )
+                        updated_lines.append(f"CATEGORIES:{categories_value}")
+                    elif key in ["org", "organization"]:
+                        updated_lines.append(f"ORG:{value}")
+                    elif key == "title":
+                        updated_lines.append(f"TITLE:{value}")
+
+            # Add the END:VCARD line
+            updated_lines.append("END:VCARD")
+
+            # Join all lines
+            return "\n".join(updated_lines)
+
+        except Exception as e:
+            logger.error(f"Error merging vCard properties: {e}")
+            # Fallback to creating basic vCard matching Nextcloud format
+            basic_vcard = f"""BEGIN:VCARD
+VERSION:3.0
+UID:{uid}
+FN:{contact_data.get("fn", "Unknown")}"""
+
+            if "email" in contact_data:
+                basic_vcard += f"\nEMAIL:{contact_data['email']}"
+            if "tel" in contact_data:
+                basic_vcard += f"\nTEL:{contact_data['tel']}"
+
+            basic_vcard += "\nEND:VCARD"
+            return basic_vcard
@@ -0,0 +1,613 @@
+from typing import Any, Dict, List, Optional
+
+from nextcloud_mcp_server.client.base import BaseNextcloudClient
+from nextcloud_mcp_server.models.deck import (
+    DeckACL,
+    DeckAttachment,
+    DeckBoard,
+    DeckCard,
+    DeckComment,
+    DeckConfig,
+    DeckLabel,
+    DeckSession,
+    DeckStack,
+)
+
+
+class DeckClient(BaseNextcloudClient):
+    """Client for Nextcloud Deck app operations."""
+
+    def _get_deck_headers(
+        self, additional_headers: Optional[Dict[str, str]] = None
+    ) -> Dict[str, str]:
+        """Get standard headers required for Deck API calls."""
+        headers = {"OCS-APIRequest": "true", "Content-Type": "application/json"}
+        if additional_headers:
+            headers.update(additional_headers)
+        return headers
+
+    # Boards
+    async def get_boards(
+        self, details: bool = False, if_modified_since: Optional[str] = None
+    ) -> List[DeckBoard]:
+        additional_headers = {}
+        if if_modified_since:
+            additional_headers["If-Modified-Since"] = if_modified_since
+        headers = self._get_deck_headers(additional_headers)
+        params = {"details": "true"} if details else {}
+        response = await self._make_request(
+            "GET", "/apps/deck/api/v1.0/boards", headers=headers, params=params
+        )
+        return [DeckBoard(**board) for board in response.json()]
+
+    async def create_board(self, title: str, color: str) -> DeckBoard:
+        json_data = {"title": title, "color": color}
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "POST", "/apps/deck/api/v1.0/boards", json=json_data, headers=headers
+        )
+        return DeckBoard(**response.json())
+
+    async def get_board(self, board_id: int) -> DeckBoard:
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "GET", f"/apps/deck/api/v1.0/boards/{board_id}", headers=headers
+        )
+        return DeckBoard(**response.json())
+
+    async def update_board(
+        self,
+        board_id: int,
+        title: Optional[str] = None,
+        color: Optional[str] = None,
+        archived: Optional[bool] = None,
+    ) -> None:
+        json_data = {}
+        if title is not None:
+            json_data["title"] = title
+        if color is not None:
+            json_data["color"] = color
+        if archived is not None:
+            json_data["archived"] = archived
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}",
+            json=json_data,
+            headers=headers,
+        )
+
+    async def delete_board(self, board_id: int) -> None:
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "DELETE", f"/apps/deck/api/v1.0/boards/{board_id}", headers=headers
+        )
+
+    async def undo_delete_board(self, board_id: int) -> None:
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/undo_delete",
+            headers=headers,
+        )
+
+    async def add_acl_rule(
+        self,
+        board_id: int,
+        type: int,
+        participant: str,
+        permission_edit: bool,
+        permission_share: bool,
+        permission_manage: bool,
+    ) -> DeckACL:
+        json_data = {
+            "type": type,
+            "participant": participant,
+            "permissionEdit": permission_edit,
+            "permissionShare": permission_share,
+            "permissionManage": permission_manage,
+        }
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/acl",
+            json=json_data,
+            headers=headers,
+        )
+        return DeckACL(**response.json())
+
+    async def update_acl_rule(
+        self,
+        board_id: int,
+        acl_id: int,
+        permission_edit: Optional[bool] = None,
+        permission_share: Optional[bool] = None,
+        permission_manage: Optional[bool] = None,
+    ) -> None:
+        json_data = {}
+        if permission_edit is not None:
+            json_data["permissionEdit"] = permission_edit
+        if permission_share is not None:
+            json_data["permissionShare"] = permission_share
+        if permission_manage is not None:
+            json_data["permissionManage"] = permission_manage
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/acl/{acl_id}",
+            json=json_data,
+            headers=headers,
+        )
+
+    async def delete_acl_rule(self, board_id: int, acl_id: int) -> None:
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "DELETE",
+            f"/apps/deck/api/v1.0/boards/{board_id}/acl/{acl_id}",
+            headers=headers,
+        )
+
+    async def clone_board(
+        self,
+        board_id: int,
+        with_cards: bool = False,
+        with_assignments: bool = False,
+        with_labels: bool = False,
+        with_due_date: bool = False,
+        move_cards_to_left_stack: bool = False,
+        restore_archived_cards: bool = False,
+    ) -> DeckBoard:
+        json_data = {
+            "withCards": with_cards,
+            "withAssignments": with_assignments,
+            "withLabels": with_labels,
+            "withDueDate": with_due_date,
+            "moveCardsToLeftStack": move_cards_to_left_stack,
+            "restoreArchivedCards": restore_archived_cards,
+        }
+        response = await self._make_request(
+            "POST", f"/apps/deck/api/v1.0/boards/{board_id}/clone", json=json_data
+        )
+        return DeckBoard(**response.json())
+
+    # Stacks
+    async def get_stacks(
+        self, board_id: int, if_modified_since: Optional[str] = None
+    ) -> List[DeckStack]:
+        additional_headers = {}
+        if if_modified_since:
+            additional_headers["If-Modified-Since"] = if_modified_since
+        headers = self._get_deck_headers(additional_headers)
+        response = await self._make_request(
+            "GET", f"/apps/deck/api/v1.0/boards/{board_id}/stacks", headers=headers
+        )
+        return [DeckStack(**stack) for stack in response.json()]
+
+    async def get_archived_stacks(self, board_id: int) -> List[DeckStack]:
+        response = await self._make_request(
+            "GET", f"/apps/deck/api/v1.0/boards/{board_id}/stacks/archived"
+        )
+        return [DeckStack(**stack) for stack in response.json()]
+
+    async def get_stack(self, board_id: int, stack_id: int) -> DeckStack:
+        response = await self._make_request(
+            "GET", f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}"
+        )
+        return DeckStack(**response.json())
+
+    async def create_stack(self, board_id: int, title: str, order: int) -> DeckStack:
+        json_data = {"title": title, "order": order}
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks",
+            json=json_data,
+            headers=headers,
+        )
+        return DeckStack(**response.json())
+
+    async def update_stack(
+        self,
+        board_id: int,
+        stack_id: int,
+        title: Optional[str] = None,
+        order: Optional[int] = None,
+    ) -> None:
+        json_data = {}
+        if title is not None:
+            json_data["title"] = title
+        if order is not None:
+            json_data["order"] = order
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}",
+            json=json_data,
+            headers=headers,
+        )
+
+    async def delete_stack(self, board_id: int, stack_id: int) -> None:
+        await self._make_request(
+            "DELETE", f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}"
+        )
+
+    # Cards
+    async def get_card(self, board_id: int, stack_id: int, card_id: int) -> DeckCard:
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "GET",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}",
+            headers=headers,
+        )
+        return DeckCard(**response.json())
+
+    async def create_card(
+        self,
+        board_id: int,
+        stack_id: int,
+        title: str,
+        type: str = "plain",
+        order: int = 999,
+        description: Optional[str] = None,
+        duedate: Optional[str] = None,
+    ) -> DeckCard:
+        json_data = {
+            "title": title,
+            "type": type,
+            "order": order,
+        }
+        if description is not None:
+            json_data["description"] = description
+        if duedate is not None:
+            json_data["duedate"] = duedate
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards",
+            json=json_data,
+            headers=headers,
+        )
+        return DeckCard(**response.json())
+
+    async def update_card(
+        self,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        title: Optional[str] = None,
+        description: Optional[str] = None,
+        type: Optional[str] = None,
+        owner: Optional[str] = None,
+        order: Optional[int] = None,
+        duedate: Optional[str] = None,
+        archived: Optional[bool] = None,
+        done: Optional[str] = None,
+    ) -> None:
+        # First, get the current card to use existing values for required fields
+        current_card = await self.get_card(board_id, stack_id, card_id)
+
+        json_data = {}
+        if title is not None:
+            json_data["title"] = title
+        if description is not None:
+            json_data["description"] = description
+        # Type is required by the API, use provided or keep current
+        json_data["type"] = type if type is not None else current_card.type
+        # Owner is required by the API, use provided or keep current
+        json_data["owner"] = (
+            owner
+            if owner is not None
+            else (
+                current_card.owner
+                if isinstance(current_card.owner, str)
+                else current_card.owner.uid
+                if hasattr(current_card.owner, "uid")
+                else current_card.owner.primaryKey
+            )
+        )
+        if order is not None:
+            json_data["order"] = order
+        if duedate is not None:
+            json_data["duedate"] = duedate
+        if archived is not None:
+            json_data["archived"] = archived
+        if done is not None:
+            json_data["done"] = done
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}",
+            json=json_data,
+            headers=headers,
+        )
+
+    async def delete_card(self, board_id: int, stack_id: int, card_id: int) -> None:
+        headers = self._get_deck_headers()
+        await self._make_request(
+            "DELETE",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}",
+            headers=headers,
+        )
+
+    async def archive_card(self, board_id: int, stack_id: int, card_id: int) -> None:
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/archive",
+        )
+
+    async def unarchive_card(self, board_id: int, stack_id: int, card_id: int) -> None:
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/unarchive",
+        )
+
+    async def assign_label_to_card(
+        self, board_id: int, stack_id: int, card_id: int, label_id: int
+    ) -> None:
+        json_data = {"labelId": label_id}
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/assignLabel",
+            json=json_data,
+        )
+
+    async def remove_label_from_card(
+        self, board_id: int, stack_id: int, card_id: int, label_id: int
+    ) -> None:
+        json_data = {"labelId": label_id}
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/removeLabel",
+            json=json_data,
+        )
+
+    async def assign_user_to_card(
+        self, board_id: int, stack_id: int, card_id: int, user_id: str
+    ) -> None:
+        json_data = {"userId": user_id}
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/assignUser",
+            json=json_data,
+        )
+
+    async def unassign_user_from_card(
+        self, board_id: int, stack_id: int, card_id: int, user_id: str
+    ) -> None:
+        json_data = {"userId": user_id}
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/unassignUser",
+            json=json_data,
+        )
+
+    async def reorder_card(
+        self,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        order: int,
+        target_stack_id: int,
+    ) -> None:
+        json_data = {"order": order, "stackId": target_stack_id}
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/reorder",
+            json=json_data,
+        )
+
+    # Labels
+    async def get_label(self, board_id: int, label_id: int) -> DeckLabel:
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "GET",
+            f"/apps/deck/api/v1.0/boards/{board_id}/labels/{label_id}",
+            headers=headers,
+        )
+        return DeckLabel(**response.json())
+
+    async def create_label(self, board_id: int, title: str, color: str) -> DeckLabel:
+        json_data = {"title": title, "color": color}
+        headers = self._get_deck_headers()
+        response = await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/labels",
+            json=json_data,
+            headers=headers,
+        )
+        return DeckLabel(**response.json())
+
+    async def update_label(
+        self,
+        board_id: int,
+        label_id: int,
+        title: Optional[str] = None,
+        color: Optional[str] = None,
+    ) -> None:
+        json_data = {}
+        if title is not None:
+            json_data["title"] = title
+        if color is not None:
+            json_data["color"] = color
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/labels/{label_id}",
+            json=json_data,
+        )
+
+    async def delete_label(self, board_id: int, label_id: int) -> None:
+        await self._make_request(
+            "DELETE", f"/apps/deck/api/v1.0/boards/{board_id}/labels/{label_id}"
+        )
+
+    # Attachments
+    async def get_attachments(
+        self, board_id: int, stack_id: int, card_id: int
+    ) -> List[DeckAttachment]:
+        response = await self._make_request(
+            "GET",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments",
+        )
+        return [DeckAttachment(**attachment) for attachment in response.json()]
+
+    async def get_attachment_file(
+        self, board_id: int, stack_id: int, card_id: int, attachment_id: int
+    ) -> Any:
+        # This endpoint returns the raw file, so we return the raw response content
+        response = await self._make_request(
+            "GET",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments/{attachment_id}",
+        )
+        return response.content
+
+    async def upload_attachment(
+        self,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        file_data: bytes,
+        file_type: str = "file",
+    ) -> DeckAttachment:
+        # The API expects binary data directly, not JSON
+        headers = {"Content-Type": "application/octet-stream"}
+        params = {"type": file_type}
+        response = await self._make_request(
+            "POST",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments",
+            headers=headers,
+            params=params,
+            data=file_data,
+        )
+        return DeckAttachment(**response.json())
+
+    async def update_attachment(
+        self,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        attachment_id: int,
+        file_data: bytes,
+        file_type: str = "deck_file",
+    ) -> DeckAttachment:
+        headers = {"Content-Type": "application/octet-stream"}
+        params = {"type": file_type}
+        response = await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments/{attachment_id}",
+            headers=headers,
+            params=params,
+            data=file_data,
+        )
+        return DeckAttachment(**response.json())
+
+    async def delete_attachment(
+        self, board_id: int, stack_id: int, card_id: int, attachment_id: int
+    ) -> None:
+        await self._make_request(
+            "DELETE",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments/{attachment_id}",
+        )
+
+    async def restore_attachment(
+        self, board_id: int, stack_id: int, card_id: int, attachment_id: int
+    ) -> None:
+        await self._make_request(
+            "PUT",
+            f"/apps/deck/api/v1.0/boards/{board_id}/stacks/{stack_id}/cards/{card_id}/attachments/{attachment_id}/restore",
+        )
+
+    # OCS API Endpoints (Config, Comments, Sessions)
+    async def get_config(self) -> DeckConfig:
+        headers = {"OCS-APIRequest": "true", "Accept": "application/json"}
+        response = await self._make_request(
+            "GET", "/ocs/v2.php/apps/deck/api/v1.0/config", headers=headers
+        )
+        return DeckConfig(**response.json()["ocs"]["data"])
+
+    async def set_config_value(
+        self, key: str, value: Any, board_id: Optional[int] = None
+    ) -> Any:
+        path = f"/ocs/v2.php/apps/deck/api/v1.0/config/{key}"
+        if board_id:
+            path = f"/ocs/v2.php/apps/deck/api/v1.0/config/board:{board_id}:{key}"
+        json_data = {"value": value}
+        response = await self._make_request(
+            "POST",
+            path,
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        return response.json()["ocs"]["data"]
+
+    async def get_comments(
+        self, card_id: int, limit: int = 20, offset: int = 0
+    ) -> List[DeckComment]:
+        params = {"limit": limit, "offset": offset}
+        response = await self._make_request(
+            "GET",
+            f"/ocs/v2.php/apps/deck/api/v1.0/cards/{card_id}/comments",
+            params=params,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        return [DeckComment(**comment) for comment in response.json()["ocs"]["data"]]
+
+    async def create_comment(
+        self, card_id: int, message: str, parent_id: Optional[int] = None
+    ) -> DeckComment:
+        json_data = {"message": message}
+        if parent_id is not None:
+            json_data["parentId"] = parent_id
+        response = await self._make_request(
+            "POST",
+            f"/ocs/v2.php/apps/deck/api/v1.0/cards/{card_id}/comments",
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        return DeckComment(**response.json()["ocs"]["data"])
+
+    async def update_comment(
+        self, card_id: int, comment_id: int, message: str
+    ) -> DeckComment:
+        json_data = {"message": message}
+        response = await self._make_request(
+            "PUT",
+            f"/ocs/v2.php/apps/deck/api/v1.0/cards/{card_id}/comments/{comment_id}",
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        return DeckComment(**response.json()["ocs"]["data"])
+
+    async def delete_comment(self, card_id: int, comment_id: int) -> None:
+        await self._make_request(
+            "DELETE",
+            f"/ocs/v2.php/apps/deck/api/v1.0/cards/{card_id}/comments/{comment_id}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+
+    async def create_session(self, board_id: int) -> DeckSession:
+        json_data = {"boardId": board_id}
+        response = await self._make_request(
+            "PUT",
+            "/ocs/v2.php/apps/deck/api/v1.0/session/create",
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        return DeckSession(**response.json()["ocs"]["data"])
+
+    async def sync_session(self, board_id: int, token: str) -> None:
+        json_data = {"boardId": board_id, "token": token}
+        await self._make_request(
+            "POST",
+            "/ocs/v2.php/apps/deck/api/v1.0/session/sync",
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+
+    async def close_session(self, board_id: int, token: str) -> None:
+        json_data = {"boardId": board_id, "token": token}
+        await self._make_request(
+            "POST",
+            "/ocs/v2.php/apps/deck/api/v1.0/session/close",
+            json=json_data,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
@@ -0,0 +1,151 @@
+"""Nextcloud Groups API client."""
+
+import logging
+from typing import List
+
+from .base import BaseNextcloudClient, retry_on_429
+
+logger = logging.getLogger(__name__)
+
+
+class GroupsClient(BaseNextcloudClient):
+    """Client for Nextcloud Groups API operations."""
+
+    @retry_on_429
+    async def search_groups(
+        self,
+        search: str | None = None,
+        limit: int | None = None,
+        offset: int | None = None,
+    ) -> List[str]:
+        """
+        Search for groups on the Nextcloud server.
+
+        Args:
+            search: Optional search string to filter groups
+            limit: Optional limit for number of results
+            offset: Optional offset for pagination
+
+        Returns:
+            List of group IDs matching the search criteria
+        """
+        params = {}
+        if search is not None:
+            params["search"] = search
+        if limit is not None:
+            params["limit"] = limit
+        if offset is not None:
+            params["offset"] = offset
+
+        response = await self._client.get(
+            "/ocs/v2.php/cloud/groups",
+            params=params,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        groups = data["ocs"]["data"].get("groups", [])
+        return groups
+
+    @retry_on_429
+    async def create_group(self, groupid: str) -> None:
+        """
+        Create a new group.
+
+        Args:
+            groupid: The group ID to create
+
+        Raises:
+            HTTPStatusError: If the request fails (e.g., group already exists)
+        """
+        response = await self._client.post(
+            "/ocs/v2.php/cloud/groups",
+            data={"groupid": groupid},
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        logger.info(f"Created group: {groupid}")
+
+    @retry_on_429
+    async def delete_group(self, groupid: str) -> None:
+        """
+        Delete a group.
+
+        Args:
+            groupid: The group ID to delete
+
+        Raises:
+            HTTPStatusError: If the request fails (e.g., group doesn't exist)
+        """
+        response = await self._client.delete(
+            f"/ocs/v2.php/cloud/groups/{groupid}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        logger.info(f"Deleted group: {groupid}")
+
+    @retry_on_429
+    async def get_group_members(self, groupid: str) -> List[str]:
+        """
+        Get members of a group.
+
+        Args:
+            groupid: The group ID
+
+        Returns:
+            List of usernames in the group
+        """
+        response = await self._client.get(
+            f"/ocs/v2.php/cloud/groups/{groupid}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        users = data["ocs"]["data"].get("users", [])
+        return users
+
+    @retry_on_429
+    async def get_group_subadmins(self, groupid: str) -> List[str]:
+        """
+        Get subadmins of a group.
+
+        Args:
+            groupid: The group ID
+
+        Returns:
+            List of usernames who are subadmins of the group
+        """
+        response = await self._client.get(
+            f"/ocs/v2.php/cloud/groups/{groupid}/subadmins",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        # The API returns data as a list or dict depending on results
+        subadmins_data = data["ocs"]["data"]
+        if isinstance(subadmins_data, list):
+            return subadmins_data
+        return []
+
+    @retry_on_429
+    async def update_group_displayname(self, groupid: str, displayname: str) -> None:
+        """
+        Update a group's display name.
+
+        Args:
+            groupid: The group ID
+            displayname: The new display name
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        response = await self._client.put(
+            f"/ocs/v2.php/cloud/groups/{groupid}",
+            data={"key": "displayname", "value": displayname},
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        logger.info(f"Updated group {groupid} displayname to: {displayname}")
@@ -1,7 +1,7 @@
 """Client for Nextcloud Notes app operations."""

-from typing import Dict, List, Any, Optional
 import logging
+from typing import Any, Dict, List, Optional

 from .base import BaseNextcloudClient

@@ -18,8 +18,21 @@ class NotesClient(BaseNextcloudClient):

    async def get_all_notes(self) -> List[Dict[str, Any]]:
        """Get all notes."""
-        response = await self._make_request("GET", "/apps/notes/api/v1/notes")
-        return response.json()
+        notes = []
+        cursor = ""
+
+        while True:
+            response = await self._make_request(
+                "GET",
+                "/apps/notes/api/v1/notes",
+                params={"chunkSize": 50, "chunkCursor": cursor},
+            )
+            notes.extend(response.json())
+            if "X-Notes-Chunk-Cursor" not in response.headers:
+                break
+            cursor = response.headers["X-Notes-Chunk-Cursor"]
+
+        return notes

    async def get_note(self, note_id: int) -> Dict[str, Any]:
        """Get a specific note by ID."""
@@ -0,0 +1,208 @@
+"""Nextcloud OCS Sharing API client for file/folder sharing operations."""
+
+import logging
+from typing import Any
+
+from .base import BaseNextcloudClient, retry_on_429
+
+logger = logging.getLogger(__name__)
+
+
+class SharingClient(BaseNextcloudClient):
+    """Client for Nextcloud OCS Sharing API operations."""
+
+    @retry_on_429
+    async def create_share(
+        self,
+        path: str,
+        share_with: str,
+        share_type: int = 0,
+        permissions: int = 1,
+    ) -> dict[str, Any]:
+        """Create a share for a file or folder.
+
+        Args:
+            path: Path to file/folder to share (relative to user's files)
+            share_with: Username (for user share) or group name (for group share)
+            share_type: Share type (0=user, 1=group, 3=public link)
+            permissions: Share permissions:
+                - 1 = read
+                - 2 = update
+                - 4 = create
+                - 8 = delete
+                - 16 = share
+                - 31 = all permissions
+                Common combinations: 1 (read-only), 3 (read+update), 15 (read+update+create+delete)
+
+        Returns:
+            Share data including share ID
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        response = await self._client.post(
+            "/ocs/v2.php/apps/files_sharing/api/v1/shares",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+            data={
+                "path": path,
+                "shareType": share_type,
+                "shareWith": share_with,
+                "permissions": permissions,
+            },
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        # OCS API v2 uses HTTP-style status codes (200 for success)
+        # OCS API v1 used custom codes (100 for success)
+        ocs_status = data["ocs"]["meta"]["statuscode"]
+        if ocs_status not in (100, 200):
+            ocs_message = data["ocs"]["meta"].get("message", "Unknown error")
+            raise RuntimeError(f"OCS API error (code {ocs_status}): {ocs_message}")
+
+        share_data = data["ocs"]["data"]
+
+        # Handle case where data might be an empty list on error
+        if not share_data or (isinstance(share_data, list) and len(share_data) == 0):
+            ocs_message = data["ocs"]["meta"].get("message", "Unknown error")
+            raise RuntimeError(
+                f"Share creation failed: {ocs_message} (status {ocs_status})"
+            )
+
+        logger.info(
+            f"Created share {share_data['id']}: {path} -> {share_with} "
+            f"(type={share_type}, permissions={permissions})"
+        )
+        return share_data
+
+    @retry_on_429
+    async def delete_share(self, share_id: int) -> None:
+        """Delete a share by its ID.
+
+        Args:
+            share_id: The share ID to delete
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        response = await self._client.delete(
+            f"/ocs/v2.php/apps/files_sharing/api/v1/shares/{share_id}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        if data["ocs"]["meta"]["statuscode"] not in (100, 200):
+            raise RuntimeError(
+                f"OCS API error: {data['ocs']['meta'].get('message', 'Unknown error')}"
+            )
+
+        logger.info(f"Deleted share {share_id}")
+
+    @retry_on_429
+    async def get_share(self, share_id: int) -> dict[str, Any]:
+        """Get information about a specific share.
+
+        Args:
+            share_id: The share ID
+
+        Returns:
+            Share data
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        response = await self._client.get(
+            f"/ocs/v2.php/apps/files_sharing/api/v1/shares/{share_id}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        if data["ocs"]["meta"]["statuscode"] not in (100, 200):
+            raise RuntimeError(
+                f"OCS API error: {data['ocs']['meta'].get('message', 'Unknown error')}"
+            )
+
+        share_data = data["ocs"]["data"]
+        # The API returns a list with a single share, extract the first element
+        if isinstance(share_data, list) and len(share_data) > 0:
+            return share_data[0]
+        return share_data
+
+    @retry_on_429
+    async def list_shares(
+        self, path: str | None = None, shared_with_me: bool = False
+    ) -> list[dict[str, Any]]:
+        """List shares.
+
+        Args:
+            path: Optional path to filter shares for a specific file/folder
+            shared_with_me: If True, list shares shared with the current user
+
+        Returns:
+            List of share data
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        params = {}
+        if path:
+            params["path"] = path
+        if shared_with_me:
+            params["shared_with_me"] = "true"
+
+        response = await self._client.get(
+            "/ocs/v2.php/apps/files_sharing/api/v1/shares",
+            params=params,
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        data = response.json()
+
+        if data["ocs"]["meta"]["statuscode"] not in (100, 200):
+            raise RuntimeError(
+                f"OCS API error: {data['ocs']['meta'].get('message', 'Unknown error')}"
+            )
+
+        # Handle both single share and list of shares
+        shares_data = data["ocs"]["data"]
+        if isinstance(shares_data, dict):
+            return [shares_data]
+        return shares_data if shares_data else []
+
+    @retry_on_429
+    async def update_share(
+        self, share_id: int, permissions: int | None = None
+    ) -> dict[str, Any]:
+        """Update a share's permissions.
+
+        Args:
+            share_id: The share ID to update
+            permissions: New permissions value (see create_share for values)
+
+        Returns:
+            Updated share data
+
+        Raises:
+            HTTPStatusError: If the request fails
+        """
+        data = {}
+        if permissions is not None:
+            data["permissions"] = permissions
+
+        response = await self._client.put(
+            f"/ocs/v2.php/apps/files_sharing/api/v1/shares/{share_id}",
+            headers={"OCS-APIRequest": "true", "Accept": "application/json"},
+            data=data,
+        )
+        response.raise_for_status()
+        result = response.json()
+
+        if result["ocs"]["meta"]["statuscode"] not in (100, 200):
+            raise RuntimeError(
+                f"OCS API error: {result['ocs']['meta'].get('message', 'Unknown error')}"
+            )
+
+        logger.info(f"Updated share {share_id}")
+        return result["ocs"]["data"]
@@ -1,7 +1,7 @@
 """Client for Nextcloud Tables app operations."""

-from typing import Dict, List, Any, Optional
 import logging
+from typing import Any, Dict, List, Optional

 from .base import BaseNextcloudClient

@@ -0,0 +1,222 @@
+from typing import List, Optional, Dict
+from nextcloud_mcp_server.client.base import BaseNextcloudClient
+from nextcloud_mcp_server.models.users import UserDetails
+
+
+class UsersClient(BaseNextcloudClient):
+    """Client for Nextcloud User API operations."""
+
+    def _get_user_headers(
+        self, additional_headers: Optional[Dict[str, str]] = None
+    ) -> Dict[str, str]:
+        """Get standard headers required for User API calls."""
+        headers = {"OCS-APIRequest": "true", "Accept": "application/json"}
+        if additional_headers:
+            headers.update(additional_headers)
+        return headers
+
+    async def create_user(
+        self,
+        userid: str,
+        password: Optional[str] = None,
+        display_name: Optional[str] = None,
+        email: Optional[str] = None,
+        groups: Optional[List[str]] = None,
+        subadmin_groups: Optional[List[str]] = None,
+        quota: Optional[str] = None,
+        language: Optional[str] = None,
+    ) -> None:
+        """
+        Create a new user on the Nextcloud server.
+        """
+        data = {"userid": userid}
+        if password is not None:
+            data["password"] = password
+        if display_name is not None:
+            data["displayName"] = display_name
+        if email is not None:
+            data["email"] = email
+        if groups is not None:
+            for i, group in enumerate(groups):
+                data[f"groups[{i}]"] = group
+        if subadmin_groups is not None:
+            for i, group in enumerate(subadmin_groups):
+                data[f"subadmin[{i}]"] = group
+        if quota is not None:
+            data["quota"] = quota
+        if language is not None:
+            data["language"] = language
+
+        headers = self._get_user_headers()
+        await self._make_request(
+            "POST", "/ocs/v2.php/cloud/users", data=data, headers=headers
+        )
+
+    async def search_users(
+        self,
+        search: Optional[str] = None,
+        limit: Optional[int] = None,
+        offset: Optional[int] = None,
+    ) -> List[str]:
+        """
+        Retrieves a list of users from the Nextcloud server.
+        """
+        params = {}
+        if search is not None:
+            params["search"] = search
+        if limit is not None:
+            params["limit"] = limit
+        if offset is not None:
+            params["offset"] = offset
+
+        headers = self._get_user_headers()
+        response = await self._make_request(
+            "GET", "/ocs/v2.php/cloud/users", params=params, headers=headers
+        )
+        # The v2 API returns JSON with users as a direct list under data.users
+        data = response.json()["ocs"]["data"]
+        return data.get("users", [])
+
+    async def get_user_details(self, userid: str) -> UserDetails:
+        """
+        Retrieves information about a single user.
+        """
+        headers = self._get_user_headers()
+        response = await self._make_request(
+            "GET", f"/ocs/v2.php/cloud/users/{userid}", headers=headers
+        )
+        return UserDetails(**response.json()["ocs"]["data"])
+
+    async def update_user_field(self, userid: str, key: str, value: str) -> None:
+        """
+        Edits attributes related to a user.
+        """
+        data = {"key": key, "value": value}
+        headers = self._get_user_headers()
+        await self._make_request(
+            "PUT", f"/ocs/v2.php/cloud/users/{userid}", data=data, headers=headers
+        )
+
+    async def get_editable_user_fields(self) -> List[str]:
+        """
+        Gets the list of editable data fields for a user.
+        """
+        headers = self._get_user_headers()
+        response = await self._make_request(
+            "GET", "/ocs/v2.php/cloud/user/fields", headers=headers
+        )
+        # The v2 API returns data as a direct list
+        data = response.json()["ocs"]["data"]
+        return data if isinstance(data, list) else []
+
+    async def disable_user(self, userid: str) -> None:
+        """
+        Disables a user on the Nextcloud server.
+        """
+        headers = self._get_user_headers()
+        await self._make_request(
+            "PUT", f"/ocs/v2.php/cloud/users/{userid}/disable", headers=headers
+        )
+
+    async def enable_user(self, userid: str) -> None:
+        """
+        Enables a user on the Nextcloud server.
+        """
+        headers = self._get_user_headers()
+        await self._make_request(
+            "PUT", f"/ocs/v2.php/cloud/users/{userid}/enable", headers=headers
+        )
+
+    async def delete_user(self, userid: str) -> None:
+        """
+        Deletes a user from the Nextcloud server.
+        """
+        headers = self._get_user_headers()
+        await self._make_request(
+            "DELETE", f"/ocs/v2.php/cloud/users/{userid}", headers=headers
+        )
+
+    async def get_user_groups(self, userid: str) -> List[str]:
+        """
+        Retrieves a list of groups the specified user is a member of.
+        """
+        headers = self._get_user_headers()
+        response = await self._make_request(
+            "GET", f"/ocs/v2.php/cloud/users/{userid}/groups", headers=headers
+        )
+        # The v2 API returns groups as a direct list under data.groups
+        data = response.json()["ocs"]["data"]
+        return data.get("groups", [])
+
+    async def add_user_to_group(self, userid: str, groupid: str) -> None:
+        """
+        Adds the specified user to the specified group.
+        """
+        data = {"groupid": groupid}
+        headers = self._get_user_headers()
+        await self._make_request(
+            "POST",
+            f"/ocs/v2.php/cloud/users/{userid}/groups",
+            data=data,
+            headers=headers,
+        )
+
+    async def remove_user_from_group(self, userid: str, groupid: str) -> None:
+        """
+        Removes the specified user from the specified group.
+        """
+        data = {"groupid": groupid}
+        headers = self._get_user_headers()
+        await self._make_request(
+            "DELETE",
+            f"/ocs/v2.php/cloud/users/{userid}/groups",
+            data=data,
+            headers=headers,
+        )
+
+    async def promote_user_to_subadmin(self, userid: str, groupid: str) -> None:
+        """
+        Makes a user the subadmin of a group.
+        """
+        data = {"groupid": groupid}
+        headers = self._get_user_headers()
+        await self._make_request(
+            "POST",
+            f"/ocs/v2.php/cloud/users/{userid}/subadmins",
+            data=data,
+            headers=headers,
+        )
+
+    async def demote_user_from_subadmin(self, userid: str, groupid: str) -> None:
+        """
+        Removes the subadmin rights for the user specified from the group specified.
+        """
+        data = {"groupid": groupid}
+        headers = self._get_user_headers()
+        await self._make_request(
+            "DELETE",
+            f"/ocs/v2.php/cloud/users/{userid}/subadmins",
+            data=data,
+            headers=headers,
+        )
+
+    async def get_user_subadmin_groups(self, userid: str) -> List[str]:
+        """
+        Returns the groups in which the user is a subadmin.
+        """
+        headers = self._get_user_headers()
+        response = await self._make_request(
+            "GET", f"/ocs/v2.php/cloud/users/{userid}/subadmins", headers=headers
+        )
+        # The v2 API returns data as a direct list
+        data = response.json()["ocs"]["data"]
+        return data if isinstance(data, list) else []
+
+    async def resend_welcome_email(self, userid: str) -> None:
+        """
+        Triggers the welcome email for this user again.
+        """
+        headers = self._get_user_headers()
+        await self._make_request(
+            "POST", f"/ocs/v2.php/cloud/users/{userid}/welcome", headers=headers
+        )
@@ -1,8 +1,10 @@
 """WebDAV client for Nextcloud file operations."""

-import mimetypes
-from typing import Tuple, Dict, Any, Optional
 import logging
+import mimetypes
+import xml.etree.ElementTree as ET
+from typing import Any, Dict, List, Optional, Tuple
+
 from httpx import HTTPStatusError

 from .base import BaseNextcloudClient
@@ -22,46 +24,39 @@ class WebDAVClient(BaseNextcloudClient):
            path_with_slash = path

        webdav_path = f"{self._get_webdav_base_path()}/{path_with_slash.lstrip('/')}"
-        logger.info(f"Deleting WebDAV resource: {webdav_path}")
+        logger.debug(f"Deleting WebDAV resource: {webdav_path}")

        headers = {"OCS-APIRequest": "true"}
        try:
            # First try a PROPFIND to verify resource exists
            propfind_headers = {"Depth": "0", "OCS-APIRequest": "true"}
            try:
-                propfind_resp = await self._client.request(
+                propfind_resp = await self._make_request(
                    "PROPFIND", webdav_path, headers=propfind_headers
                )
-                logger.info(
-                    f"Resource exists check (PROPFIND) status: {propfind_resp.status_code}"
+                logger.debug(
+                    f"Resource exists check status: {propfind_resp.status_code}"
                )
            except HTTPStatusError as e:
                if e.response.status_code == 404:
-                    logger.info(
-                        f"Resource '{webdav_path}' doesn't exist, no deletion needed."
-                    )
+                    logger.debug(f"Resource '{path}' doesn't exist, no deletion needed")
                    return {"status_code": 404}
                # For other errors, continue with deletion attempt

            # Proceed with deletion
-            response = await self._client.delete(webdav_path, headers=headers)
-            response.raise_for_status()
-            logger.info(
-                f"Successfully deleted WebDAV resource '{webdav_path}' (Status: {response.status_code})"
-            )
+            response = await self._make_request("DELETE", webdav_path, headers=headers)
+            logger.debug(f"Successfully deleted WebDAV resource '{path}'")
            return {"status_code": response.status_code}

        except HTTPStatusError as e:
-            logger.warning(f"HTTP error deleting WebDAV resource '{webdav_path}': {e}")
-            if e.response.status_code != 404:
-                raise e
-            else:
-                logger.info(f"Resource '{webdav_path}' not found, no deletion needed.")
+            if e.response.status_code == 404:
+                logger.debug(f"Resource '{path}' not found, no deletion needed")
                return {"status_code": 404}
+            else:
+                logger.error(f"HTTP error deleting WebDAV resource '{path}': {e}")
+                raise e
        except Exception as e:
-            logger.warning(
-                f"Unexpected error deleting WebDAV resource '{webdav_path}': {e}"
-            )
+            logger.error(f"Unexpected error deleting WebDAV resource '{path}': {e}")
            raise e

    async def cleanup_old_attachment_directory(
@@ -73,10 +68,10 @@ class WebDAVClient(BaseNextcloudClient):
            f"Notes/{old_category_path_part}.attachments.{note_id}/"
        )

-        logger.info(f"Cleaning up old attachment directory: {old_attachment_dir_path}")
+        logger.debug(f"Cleaning up old attachment directory: {old_attachment_dir_path}")
        try:
            delete_result = await self.delete_resource(path=old_attachment_dir_path)
-            logger.info(f"Cleanup of old attachment directory result: {delete_result}")
+            logger.debug(f"Cleanup result: {delete_result}")
            return delete_result
        except Exception as e:
            logger.error(f"Error during cleanup of old attachment directory: {e}")
@@ -89,19 +84,15 @@ class WebDAVClient(BaseNextcloudClient):
        cat_path_part = f"{category}/" if category else ""
        attachment_dir_path = f"Notes/{cat_path_part}.attachments.{note_id}/"

-        logger.info(
-            f"Attempting to delete attachment directory for note {note_id} in category '{category}' via WebDAV: {attachment_dir_path}"
+        logger.debug(
+            f"Cleaning up attachments for note {note_id} in category '{category}'"
        )
        try:
            delete_result = await self.delete_resource(path=attachment_dir_path)
-            logger.info(
-                f"WebDAV deletion for category '{category}' attachment directory: {delete_result}"
-            )
+            logger.debug(f"Cleanup result for note {note_id}: {delete_result}")
            return delete_result
        except Exception as e:
-            logger.warning(
-                f"Failed during WebDAV deletion for category '{category}' attachment directory: {e}"
-            )
+            logger.error(f"Failed cleaning up attachments for note {note_id}: {e}")
            raise e

    async def add_note_attachment(
@@ -123,14 +114,7 @@ class WebDAVClient(BaseNextcloudClient):
        parent_dir_path = f"{webdav_base}/{parent_dir_webdav_rel_path}"
        attachment_path = f"{parent_dir_path}/{filename}"

-        logger.info(
-            f"Uploading attachment for note {note_id} (category: '{category or ''}') to WebDAV path: {attachment_path}"
-        )
-
-        # Log current auth settings
-        logger.info(
-            f"WebDAV auth settings - Username: {self.username}, Auth Type: {type(self._client.auth).__name__}"
-        )
+        logger.debug(f"Uploading attachment '{filename}' for note {note_id}")

        if not mime_type:
            mime_type, _ = mimetypes.guess_type(filename)
@@ -141,17 +125,13 @@ class WebDAVClient(BaseNextcloudClient):
        try:
            # First check if we can access WebDAV at all
            notes_dir_path = f"{webdav_base}/Notes"
-            logger.info(f"Testing WebDAV access to Notes directory: {notes_dir_path}")
-
            propfind_headers = {"Depth": "0", "OCS-APIRequest": "true"}
-            notes_dir_response = await self._client.request(
+            notes_dir_response = await self._make_request(
                "PROPFIND", notes_dir_path, headers=propfind_headers
            )

            if notes_dir_response.status_code == 401:
-                logger.error(
-                    "WebDAV authentication failed for Notes directory. Please verify WebDAV permissions."
-                )
+                logger.error("WebDAV authentication failed for Notes directory")
                raise HTTPStatusError(
                    f"Authentication error accessing WebDAV Notes directory: {notes_dir_response.status_code}",
                    request=notes_dir_response.request,
@@ -162,37 +142,27 @@ class WebDAVClient(BaseNextcloudClient):
                    f"Error accessing WebDAV Notes directory: {notes_dir_response.status_code}"
                )
                notes_dir_response.raise_for_status()
-            else:
-                logger.info(
-                    f"Successfully accessed WebDAV Notes directory (Status: {notes_dir_response.status_code})"
-                )

            # Ensure the parent directory exists using MKCOL
-            logger.info(f"Ensuring attachments directory exists: {parent_dir_path}")
            mkcol_headers = {"OCS-APIRequest": "true"}
-            mkcol_response = await self._client.request(
+            mkcol_response = await self._make_request(
                "MKCOL", parent_dir_path, headers=mkcol_headers
            )

            # MKCOL should return 201 Created or 405 Method Not Allowed (if directory already exists)
            if mkcol_response.status_code not in [201, 405]:
-                logger.warning(
+                logger.error(
                    f"Unexpected status code {mkcol_response.status_code} when creating attachments directory"
                )
                mkcol_response.raise_for_status()
-            else:
-                logger.info(
-                    f"Created/verified directory: {parent_dir_path} (Status: {mkcol_response.status_code})"
-                )

            # Proceed with the PUT request
-            logger.info(f"Putting attachment file to: {attachment_path}")
-            response = await self._client.put(
-                attachment_path, content=content, headers=headers
+            response = await self._make_request(
+                "PUT", attachment_path, content=content, headers=headers
            )
            response.raise_for_status()
-            logger.info(
-                f"Successfully uploaded attachment '{filename}' to note {note_id} (Status: {response.status_code})"
+            logger.debug(
+                f"Successfully uploaded attachment '{filename}' to note {note_id}"
            )
            return {"status_code": response.status_code}

@@ -216,29 +186,387 @@ class WebDAVClient(BaseNextcloudClient):
        attachment_dir_segment = f".attachments.{note_id}"
        attachment_path = f"{webdav_base}/Notes/{category_path_part}{attachment_dir_segment}/{filename}"

-        logger.info(
-            f"Fetching attachment for note {note_id} (category: '{category or ''}') from WebDAV path: {attachment_path}"
-        )
+        logger.debug(f"Fetching attachment '{filename}' for note {note_id}")

        try:
-            response = await self._client.get(attachment_path)
+            response = await self._make_request("GET", attachment_path)
            response.raise_for_status()

            content = response.content
            mime_type = response.headers.get("content-type", "application/octet-stream")

-            logger.info(
-                f"Successfully fetched attachment '{filename}' ({mime_type}, {len(content)} bytes)"
+            logger.debug(
+                f"Successfully fetched attachment '{filename}' ({len(content)} bytes)"
            )
            return content, mime_type

        except HTTPStatusError as e:
-            logger.error(
-                f"HTTP error fetching attachment '{filename}' for note {note_id}: {e}"
-            )
+            if e.response.status_code == 404:
+                logger.debug(f"Attachment '{filename}' not found for note {note_id}")
+            else:
+                logger.error(
+                    f"HTTP error fetching attachment '{filename}' for note {note_id}: {e}"
+                )
            raise e
        except Exception as e:
            logger.error(
                f"Unexpected error fetching attachment '{filename}' for note {note_id}: {e}"
            )
            raise e
+
+    async def list_directory(self, path: str = "") -> List[Dict[str, Any]]:
+        """List files and directories in the specified path via WebDAV PROPFIND."""
+        webdav_path = f"{self._get_webdav_base_path()}/{path.lstrip('/')}"
+        if not webdav_path.endswith("/"):
+            webdav_path += "/"
+
+        logger.debug(f"Listing directory: {path}")
+
+        propfind_body = """<?xml version="1.0"?>
+        <d:propfind xmlns:d="DAV:">
+            <d:prop>
+                <d:displayname/>
+                <d:getcontentlength/>
+                <d:getcontenttype/>
+                <d:getlastmodified/>
+                <d:resourcetype/>
+            </d:prop>
+        </d:propfind>"""
+
+        headers = {"Depth": "1", "Content-Type": "text/xml", "OCS-APIRequest": "true"}
+
+        try:
+            response = await self._make_request(
+                "PROPFIND", webdav_path, content=propfind_body, headers=headers
+            )
+            response.raise_for_status()
+
+            # Parse the XML response
+            root = ET.fromstring(response.content)
+            items = []
+
+            # Skip the first response (the directory itself)
+            responses = root.findall(".//{DAV:}response")[1:]
+
+            for response_elem in responses:
+                href = response_elem.find(".//{DAV:}href")
+                if href is None:
+                    continue
+
+                # Extract file/directory name from href
+                href_text = href.text or ""
+                name = href_text.rstrip("/").split("/")[-1]
+                if not name:
+                    continue
+
+                # Get properties
+                propstat = response_elem.find(".//{DAV:}propstat")
+                if propstat is None:
+                    continue
+
+                prop = propstat.find(".//{DAV:}prop")
+                if prop is None:
+                    continue
+
+                # Determine if it's a directory
+                resourcetype = prop.find(".//{DAV:}resourcetype")
+                is_directory = (
+                    resourcetype is not None
+                    and resourcetype.find(".//{DAV:}collection") is not None
+                )
+
+                # Get other properties
+                size_elem = prop.find(".//{DAV:}getcontentlength")
+                size = (
+                    int(size_elem.text)
+                    if size_elem is not None and size_elem.text
+                    else 0
+                )
+
+                content_type_elem = prop.find(".//{DAV:}getcontenttype")
+                content_type = (
+                    content_type_elem.text if content_type_elem is not None else None
+                )
+
+                modified_elem = prop.find(".//{DAV:}getlastmodified")
+                modified = modified_elem.text if modified_elem is not None else None
+
+                items.append(
+                    {
+                        "name": name,
+                        "path": f"{path.rstrip('/')}/{name}" if path else name,
+                        "is_directory": is_directory,
+                        "size": size if not is_directory else None,
+                        "content_type": content_type,
+                        "last_modified": modified,
+                    }
+                )
+
+            logger.debug(f"Found {len(items)} items in directory: {path}")
+            return items
+
+        except HTTPStatusError as e:
+            logger.error(f"HTTP error listing directory '{webdav_path}': {e}")
+            raise e
+        except Exception as e:
+            logger.error(f"Unexpected error listing directory '{webdav_path}': {e}")
+            raise e
+
+    async def read_file(self, path: str) -> Tuple[bytes, str]:
+        """Read a file's content via WebDAV GET."""
+        webdav_path = f"{self._get_webdav_base_path()}/{path.lstrip('/')}"
+
+        logger.debug(f"Reading file: {path}")
+
+        try:
+            response = await self._make_request("GET", webdav_path)
+            response.raise_for_status()
+
+            content = response.content
+            content_type = response.headers.get(
+                "content-type", "application/octet-stream"
+            )
+
+            logger.debug(f"Successfully read file '{path}' ({len(content)} bytes)")
+            return content, content_type
+
+        except HTTPStatusError as e:
+            logger.error(f"HTTP error reading file '{path}': {e}")
+            raise e
+        except Exception as e:
+            logger.error(f"Unexpected error reading file '{path}': {e}")
+            raise e
+
+    async def write_file(
+        self, path: str, content: bytes, content_type: Optional[str] = None
+    ) -> Dict[str, Any]:
+        """Write content to a file via WebDAV PUT."""
+        webdav_path = f"{self._get_webdav_base_path()}/{path.lstrip('/')}"
+
+        logger.debug(f"Writing file: {path}")
+
+        if not content_type:
+            content_type, _ = mimetypes.guess_type(path)
+            if not content_type:
+                content_type = "application/octet-stream"
+
+        headers = {"Content-Type": content_type, "OCS-APIRequest": "true"}
+
+        try:
+            response = await self._make_request(
+                "PUT", webdav_path, content=content, headers=headers
+            )
+            response.raise_for_status()
+
+            logger.debug(f"Successfully wrote file '{path}'")
+            return {"status_code": response.status_code}
+
+        except HTTPStatusError as e:
+            logger.error(f"HTTP error writing file '{path}': {e}")
+            raise e
+        except Exception as e:
+            logger.error(f"Unexpected error writing file '{path}': {e}")
+            raise e
+
+    async def create_directory(
+        self, path: str, recursive: bool = False
+    ) -> Dict[str, Any]:
+        """Create a directory via WebDAV MKCOL."""
+        webdav_path = f"{self._get_webdav_base_path()}/{path.lstrip('/')}"
+        if not webdav_path.endswith("/"):
+            webdav_path += "/"
+
+        logger.debug(f"Creating directory: {path}")
+
+        headers = {"OCS-APIRequest": "true"}
+
+        try:
+            response = await self._make_request("MKCOL", webdav_path, headers=headers)
+            response.raise_for_status()
+
+            logger.debug(f"Successfully created directory '{path}'")
+            return {"status_code": response.status_code}
+
+        except HTTPStatusError as e:
+            # Method Not Allowed - directory already exists
+            if e.response.status_code == 405:
+                logger.debug(f"Directory '{path}' already exists")
+                return {"status_code": 405, "message": "Directory already exists"}
+
+            # File Conflict - parent directory does not exist
+            if e.response.status_code == 409 and recursive:
+                # Extract parent directory path
+                path_parts = path.strip("/").split("/")
+                if len(path_parts) > 1:
+                    parent_dir = "/".join(path_parts[:-1])
+                    logger.debug(
+                        f"Parent directory '{parent_dir}' doesn't exist, creating recursively"
+                    )
+                    await self.create_directory(parent_dir, recursive)
+                    # Now try to create the original directory again
+                    return await self.create_directory(path, recursive)
+                else:
+                    # This shouldn't happen for single-level directories under root
+                    logger.error(f"409 conflict for single-level directory '{path}'")
+                    raise e
+
+            logger.error(f"HTTP error creating directory '{path}': {e}")
+            raise e
+        except Exception as e:
+            logger.error(f"Unexpected error creating directory '{path}': {e}")
+            raise e
+
+    async def move_resource(
+        self, source_path: str, destination_path: str, overwrite: bool = False
+    ) -> Dict[str, Any]:
+        """Move or rename a resource (file or directory) via WebDAV MOVE.
+
+        Args:
+            source_path: The path of the file or directory to move
+            destination_path: The new path for the file or directory
+            overwrite: Whether to overwrite the destination if it exists
+
+        Returns:
+            Dict with status_code and optional message
+        """
+        source_webdav_path = f"{self._get_webdav_base_path()}/{source_path.lstrip('/')}"
+        destination_webdav_path = (
+            f"{self._get_webdav_base_path()}/{destination_path.lstrip('/')}"
+        )
+
+        # Ensure paths have consistent trailing slashes for directories
+        if source_path.endswith("/") and not destination_path.endswith("/"):
+            destination_webdav_path += "/"
+        elif not source_path.endswith("/") and destination_path.endswith("/"):
+            source_webdav_path += "/"
+
+        logger.debug(f"Moving resource from '{source_path}' to '{destination_path}'")
+
+        headers = {
+            "OCS-APIRequest": "true",
+            "Destination": destination_webdav_path,
+            "Overwrite": "T" if overwrite else "F",
+        }
+
+        try:
+            response = await self._make_request(
+                "MOVE", source_webdav_path, headers=headers
+            )
+            response.raise_for_status()
+
+            logger.debug(
+                f"Successfully moved resource from '{source_path}' to '{destination_path}'"
+            )
+            return {"status_code": response.status_code}
+
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                logger.debug(f"Source resource '{source_path}' not found")
+                return {"status_code": 404, "message": "Source resource not found"}
+            elif e.response.status_code == 412:
+                logger.debug(
+                    f"Destination '{destination_path}' already exists and overwrite is false"
+                )
+                return {
+                    "status_code": 412,
+                    "message": "Destination already exists and overwrite is false",
+                }
+            elif e.response.status_code == 409:
+                logger.debug(
+                    f"Parent directory of destination '{destination_path}' doesn't exist"
+                )
+                return {
+                    "status_code": 409,
+                    "message": "Parent directory of destination doesn't exist",
+                }
+                logger.debug(
+                    f"Parent directory of destination '{destination_path}' doesn't exist"
+                )
+                return {
+                    "status_code": 409,
+                    "message": "Parent directory of destination doesn't exist",
+                }
+            else:
+                logger.error(
+                    f"HTTP error moving resource from '{source_path}' to '{destination_path}': {e}"
+                )
+                raise e
+        except Exception as e:
+            logger.error(
+                f"Unexpected error moving resource from '{source_path}' to '{destination_path}': {e}"
+            )
+            raise e
+
+    async def copy_resource(
+        self, source_path: str, destination_path: str, overwrite: bool = False
+    ) -> Dict[str, Any]:
+        """Copy a resource (file or directory) via WebDAV COPY.
+
+        Args:
+            source_path: The path of the file or directory to copy
+            destination_path: The destination path for the copy
+            overwrite: Whether to overwrite the destination if it exists
+
+        Returns:
+            Dict with status_code and optional message
+        """
+        source_webdav_path = f"{self._get_webdav_base_path()}/{source_path.lstrip('/')}"
+        destination_webdav_path = (
+            f"{self._get_webdav_base_path()}/{destination_path.lstrip('/')}"
+        )
+
+        # Ensure paths have consistent trailing slashes for directories
+        if source_path.endswith("/") and not destination_path.endswith("/"):
+            destination_webdav_path += "/"
+        elif not source_path.endswith("/") and destination_path.endswith("/"):
+            source_webdav_path += "/"
+
+        logger.debug(f"Copying resource from '{source_path}' to '{destination_path}'")
+
+        headers = {
+            "OCS-APIRequest": "true",
+            "Destination": destination_webdav_path,
+            "Overwrite": "T" if overwrite else "F",
+        }
+
+        try:
+            response = await self._make_request(
+                "COPY", source_webdav_path, headers=headers
+            )
+            response.raise_for_status()
+
+            logger.debug(
+                f"Successfully copied resource from '{source_path}' to '{destination_path}'"
+            )
+            return {"status_code": response.status_code}
+
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                logger.debug(f"Source resource '{source_path}' not found")
+                return {"status_code": 404, "message": "Source resource not found"}
+            elif e.response.status_code == 412:
+                logger.debug(
+                    f"Destination '{destination_path}' already exists and overwrite is false"
+                )
+                return {
+                    "status_code": 412,
+                    "message": "Destination already exists and overwrite is false",
+                }
+            elif e.response.status_code == 409:
+                logger.debug(
+                    f"Parent directory of destination '{destination_path}' doesn't exist"
+                )
+                return {
+                    "status_code": 409,
+                    "message": "Parent directory of destination doesn't exist",
+                }
+            else:
+                logger.error(
+                    f"HTTP error copying resource from '{source_path}' to '{destination_path}': {e}"
+                )
+                raise e
+        except Exception as e:
+            logger.error(
+                f"Unexpected error copying resource from '{source_path}' to '{destination_path}': {e}"
+            )
+            raise e
@@ -21,12 +21,12 @@ LOGGING_CONFIG = {
        },
        "httpx": {
            "handlers": ["default"],
-            "level": "DEBUG",
+            "level": "INFO",
            "propagate": False,  # Prevent propagation to root logger
        },
        "httpcore": {
            "handlers": ["default"],
-            "level": "DEBUG",
+            "level": "INFO",
            "propagate": False,  # Prevent propagation to root logger
        },
    },
@@ -0,0 +1,51 @@
+"""Helper functions for accessing context in MCP tools."""
+
+from mcp.server.fastmcp import Context
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+
+def get_client(ctx: Context) -> NextcloudClient:
+    """
+    Get the appropriate Nextcloud client based on authentication mode.
+
+    In BasicAuth mode, returns the shared client from lifespan context.
+    In OAuth mode, creates a new client per-request using the OAuth context.
+
+    This function automatically detects the authentication mode by checking
+    the type of the lifespan context.
+
+    Args:
+        ctx: MCP request context
+
+    Returns:
+        NextcloudClient configured for the current authentication mode
+
+    Raises:
+        AttributeError: If context doesn't contain expected data
+
+    Example:
+        ```python
+        @mcp.tool()
+        async def my_tool(ctx: Context):
+            client = get_client(ctx)
+            return await client.capabilities()
+        ```
+    """
+    lifespan_ctx = ctx.request_context.lifespan_context
+
+    # Try BasicAuth mode first (has 'client' attribute)
+    if hasattr(lifespan_ctx, "client"):
+        return lifespan_ctx.client
+
+    # OAuth mode (has 'nextcloud_host' attribute)
+    if hasattr(lifespan_ctx, "nextcloud_host"):
+        from nextcloud_mcp_server.auth import get_client_from_context
+
+        return get_client_from_context(ctx, lifespan_ctx.nextcloud_host)
+
+    # Unknown context type
+    raise AttributeError(
+        f"Lifespan context does not have 'client' or 'nextcloud_host' attribute. "
+        f"Type: {type(lifespan_ctx)}"
+    )
@@ -1,6 +1,6 @@
 """Controller for notes search functionality."""

-from typing import List, Dict, Any
+from typing import Any, Dict, List


 class NotesSearchController:
@@ -0,0 +1,136 @@
+"""Pydantic models for structured MCP server responses."""
+
+# Base models
+from .base import BaseResponse, IdResponse, StatusResponse
+
+# Calendar models
+from .calendar import (
+    AvailabilitySlot,
+    BulkOperationResponse,
+    BulkOperationResult,
+    Calendar,
+    CalendarEvent,
+    CalendarEventSummary,
+    CreateEventResponse,
+    CreateMeetingResponse,
+    DeleteEventResponse,
+    FindAvailabilityResponse,
+    ListCalendarsResponse,
+    ListEventsResponse,
+    ManageCalendarResponse,
+    UpcomingEventsResponse,
+    UpdateEventResponse,
+)
+
+# Contacts models
+from .contacts import (
+    AddressBook,
+    Contact,
+    ContactField,
+    CreateAddressBookResponse,
+    CreateContactResponse,
+    DeleteAddressBookResponse,
+    DeleteContactResponse,
+    ListAddressBooksResponse,
+    ListContactsResponse,
+    UpdateContactResponse,
+)
+
+# Notes models
+from .notes import (
+    AppendContentResponse,
+    CreateNoteResponse,
+    DeleteNoteResponse,
+    Note,
+    NoteSearchResult,
+    NotesSettings,
+    SearchNotesResponse,
+    UpdateNoteResponse,
+)
+
+# Tables models
+from .tables import (
+    CreateRowResponse,
+    DeleteRowResponse,
+    GetSchemaResponse,
+    ListTablesResponse,
+    ReadTableResponse,
+    Table,
+    TableColumn,
+    TableRow,
+    TableSchema,
+    TableView,
+    UpdateRowResponse,
+)
+
+# WebDAV models
+from .webdav import (
+    CreateDirectoryResponse,
+    DeleteResourceResponse,
+    DirectoryListing,
+    FileInfo,
+    ReadFileResponse,
+    WriteFileResponse,
+)
+
+__all__ = [
+    # Base models
+    "BaseResponse",
+    "IdResponse",
+    "StatusResponse",
+    # Notes models
+    "Note",
+    "NoteSearchResult",
+    "NotesSettings",
+    "CreateNoteResponse",
+    "UpdateNoteResponse",
+    "DeleteNoteResponse",
+    "AppendContentResponse",
+    "SearchNotesResponse",
+    # Calendar models
+    "Calendar",
+    "CalendarEvent",
+    "CalendarEventSummary",
+    "CreateEventResponse",
+    "UpdateEventResponse",
+    "DeleteEventResponse",
+    "ListEventsResponse",
+    "ListCalendarsResponse",
+    "AvailabilitySlot",
+    "FindAvailabilityResponse",
+    "BulkOperationResult",
+    "BulkOperationResponse",
+    "CreateMeetingResponse",
+    "UpcomingEventsResponse",
+    "ManageCalendarResponse",
+    # Contacts models
+    "AddressBook",
+    "Contact",
+    "ContactField",
+    "ListAddressBooksResponse",
+    "ListContactsResponse",
+    "CreateContactResponse",
+    "UpdateContactResponse",
+    "DeleteContactResponse",
+    "CreateAddressBookResponse",
+    "DeleteAddressBookResponse",
+    # Tables models
+    "Table",
+    "TableColumn",
+    "TableRow",
+    "TableView",
+    "TableSchema",
+    "ListTablesResponse",
+    "GetSchemaResponse",
+    "ReadTableResponse",
+    "CreateRowResponse",
+    "UpdateRowResponse",
+    "DeleteRowResponse",
+    # WebDAV models
+    "FileInfo",
+    "DirectoryListing",
+    "ReadFileResponse",
+    "WriteFileResponse",
+    "CreateDirectoryResponse",
+    "DeleteResourceResponse",
+]
@@ -0,0 +1,48 @@
+"""Base Pydantic models for common response patterns."""
+
+from datetime import datetime, timezone
+from typing import Optional, Union
+
+from pydantic import BaseModel, Field, field_serializer
+
+
+def _utc_now() -> datetime:
+    """Generate UTC timestamp for responses."""
+    return datetime.now(timezone.utc)
+
+
+class BaseResponse(BaseModel):
+    """Base response model for all MCP tool responses."""
+
+    success: bool = Field(
+        default=True, description="Whether the operation was successful"
+    )
+    timestamp: datetime = Field(
+        default_factory=_utc_now, description="Response timestamp"
+    )
+
+    @field_serializer("timestamp")
+    def serialize_timestamp(self, timestamp: datetime) -> str:
+        """Serialize timestamp to RFC3339 format for MCP compliance."""
+        if timestamp.tzinfo is None:
+            # If somehow we get a naive datetime, assume UTC
+            timestamp = timestamp.replace(tzinfo=timezone.utc)
+        # Use isoformat() which produces RFC3339 compliant format
+        # For UTC times, replace '+00:00' with 'Z' as preferred by many systems
+        iso_string = timestamp.isoformat()
+        if iso_string.endswith("+00:00"):
+            return iso_string[:-6] + "Z"
+        return iso_string
+
+
+class IdResponse(BaseResponse):
+    """Response model for operations that return a new ID."""
+
+    id: Union[int, str] = Field(description="ID of the created or affected resource")
+
+
+class StatusResponse(BaseResponse):
+    """Response model for operations that return just a status."""
+
+    status_code: Optional[int] = Field(None, description="HTTP status code")
+    message: Optional[str] = Field(None, description="Status message")
@@ -0,0 +1,182 @@
+"""Pydantic models for Calendar app responses."""
+
+from typing import List, Optional
+
+from pydantic import BaseModel, Field
+
+from .base import BaseResponse, StatusResponse
+
+
+class Calendar(BaseModel):
+    """Model for a Nextcloud calendar."""
+
+    name: str = Field(description="Calendar name/ID")
+    display_name: str = Field(description="Calendar display name")
+    description: Optional[str] = Field(None, description="Calendar description")
+    color: Optional[str] = Field(None, description="Calendar color")
+    href: Optional[str] = Field(None, description="Calendar DAV href")
+    timezone: Optional[str] = Field(None, description="Calendar timezone")
+    enabled: bool = Field(default=True, description="Whether calendar is enabled")
+    ctag: Optional[str] = Field(None, description="Calendar tag for synchronization")
+
+
+class CalendarEventSummary(BaseModel):
+    """Model for calendar event summary (for lists)."""
+
+    uid: str = Field(description="Event UID")
+    summary: str = Field(description="Event summary/title")
+    start: str = Field(description="Event start datetime (ISO format)")
+    end: Optional[str] = Field(None, description="Event end datetime (ISO format)")
+    all_day: bool = Field(default=False, description="Whether event is all-day")
+    location: Optional[str] = Field(None, description="Event location")
+    description: Optional[str] = Field(None, description="Event description")
+    categories: List[str] = Field(default_factory=list, description="Event categories")
+    status: Optional[str] = Field(
+        None, description="Event status (CONFIRMED, TENTATIVE, CANCELLED)"
+    )
+
+
+class CalendarEvent(CalendarEventSummary):
+    """Model for a complete calendar event."""
+
+    created: Optional[str] = Field(None, description="Event creation datetime")
+    last_modified: Optional[str] = Field(None, description="Last modification datetime")
+    recurring: bool = Field(default=False, description="Whether event is recurring")
+    recurrence_rule: Optional[str] = Field(None, description="RFC5545 recurrence rule")
+    recurrence_end: Optional[str] = Field(None, description="Recurrence end date")
+    attendees: List[str] = Field(
+        default_factory=list, description="List of attendee email addresses"
+    )
+    organizer: Optional[str] = Field(None, description="Event organizer")
+    priority: Optional[int] = Field(None, description="Event priority (1-9)")
+    privacy: Optional[str] = Field(None, description="Event privacy level")
+    url: Optional[str] = Field(None, description="Event URL")
+    duration_minutes: Optional[int] = Field(
+        None, description="Event duration in minutes"
+    )
+    reminder_minutes: Optional[int] = Field(
+        None, description="Reminder time in minutes before event"
+    )
+    reminder_email: bool = Field(
+        default=False, description="Whether to send email reminder"
+    )
+    color: Optional[str] = Field(None, description="Event color")
+    etag: Optional[str] = Field(None, description="ETag for versioning")
+
+
+class CreateEventResponse(BaseResponse):
+    """Response model for event creation."""
+
+    event: CalendarEvent = Field(description="The created event")
+    calendar_name: str = Field(
+        description="Name of the calendar the event was created in"
+    )
+
+
+class UpdateEventResponse(BaseResponse):
+    """Response model for event updates."""
+
+    event: CalendarEvent = Field(description="The updated event")
+    calendar_name: str = Field(description="Name of the calendar the event belongs to")
+
+
+class DeleteEventResponse(StatusResponse):
+    """Response model for event deletion."""
+
+    deleted_uid: str = Field(description="UID of the deleted event")
+    calendar_name: str = Field(
+        description="Name of the calendar the event was deleted from"
+    )
+
+
+class ListEventsResponse(BaseResponse):
+    """Response model for listing events."""
+
+    events: List[CalendarEventSummary] = Field(description="List of events")
+    calendar_name: Optional[str] = Field(
+        None, description="Calendar name (if filtered to one calendar)"
+    )
+    start_date: Optional[str] = Field(None, description="Start date filter applied")
+    end_date: Optional[str] = Field(None, description="End date filter applied")
+    total_found: int = Field(description="Total number of events found")
+
+
+class ListCalendarsResponse(BaseResponse):
+    """Response model for listing calendars."""
+
+    calendars: List[Calendar] = Field(description="List of available calendars")
+    total_count: int = Field(description="Total number of calendars")
+
+
+class AvailabilitySlot(BaseModel):
+    """Model for an available time slot."""
+
+    start: str = Field(description="Slot start datetime (ISO format)")
+    end: str = Field(description="Slot end datetime (ISO format)")
+    duration_minutes: int = Field(description="Slot duration in minutes")
+    date: str = Field(description="Date of the slot (YYYY-MM-DD)")
+
+
+class FindAvailabilityResponse(BaseResponse):
+    """Response model for finding availability."""
+
+    available_slots: List[AvailabilitySlot] = Field(
+        description="List of available time slots"
+    )
+    duration_requested: int = Field(description="Requested duration in minutes")
+    date_range_start: str = Field(description="Start date of search range")
+    date_range_end: str = Field(description="End date of search range")
+    attendees_checked: List[str] = Field(
+        default_factory=list, description="Attendees checked for availability"
+    )
+    business_hours_only: bool = Field(
+        description="Whether search was limited to business hours"
+    )
+
+
+class BulkOperationResult(BaseModel):
+    """Model for bulk operation results."""
+
+    operation: str = Field(description="Operation performed (update, delete, move)")
+    events_processed: int = Field(description="Number of events processed")
+    events_successful: int = Field(
+        description="Number of events successfully processed"
+    )
+    events_failed: int = Field(description="Number of events that failed processing")
+    failed_events: List[str] = Field(
+        default_factory=list, description="UIDs of events that failed"
+    )
+    errors: List[str] = Field(default_factory=list, description="Error messages")
+
+
+class BulkOperationResponse(BaseResponse):
+    """Response model for bulk operations."""
+
+    result: BulkOperationResult = Field(description="Bulk operation result")
+
+
+class CreateMeetingResponse(CreateEventResponse):
+    """Response model for meeting creation (same as event creation)."""
+
+    pass
+
+
+class UpcomingEventsResponse(BaseResponse):
+    """Response model for upcoming events."""
+
+    events: List[CalendarEventSummary] = Field(description="List of upcoming events")
+    days_ahead: int = Field(description="Number of days ahead searched")
+    calendar_name: Optional[str] = Field(
+        None, description="Calendar name (if filtered to one calendar)"
+    )
+
+
+class ManageCalendarResponse(BaseResponse):
+    """Response model for calendar management operations."""
+
+    action: str = Field(description="Action performed (create, delete, update, list)")
+    calendar: Optional[Calendar] = Field(None, description="Calendar that was affected")
+    calendars: Optional[List[Calendar]] = Field(
+        None, description="List of calendars (for list action)"
+    )
+    message: str = Field(description="Success message")
@@ -0,0 +1,130 @@
+"""Pydantic models for Contacts app responses."""
+
+from typing import Any, Dict, List, Optional
+
+from pydantic import BaseModel, Field
+
+from .base import BaseResponse, StatusResponse
+
+
+class AddressBook(BaseModel):
+    """Model for a Nextcloud address book."""
+
+    uri: str = Field(description="Address book URI")
+    displayname: str = Field(description="Address book display name")
+    description: Optional[str] = Field(None, description="Address book description")
+    ctag: Optional[str] = Field(
+        None, description="Address book tag for synchronization"
+    )
+
+
+class ContactField(BaseModel):
+    """Model for a contact field (email, phone, etc.)."""
+
+    type: str = Field(description="Field type (e.g., 'email', 'phone', 'address')")
+    value: str = Field(description="Field value")
+    label: Optional[str] = Field(None, description="Field label (e.g., 'work', 'home')")
+    preferred: bool = Field(
+        default=False, description="Whether this is the preferred field of this type"
+    )
+
+
+class Contact(BaseModel):
+    """Model for a Nextcloud contact."""
+
+    uid: str = Field(description="Contact UID")
+    fn: str = Field(description="Full name (formatted name)")
+    given_name: Optional[str] = Field(None, description="Given name")
+    family_name: Optional[str] = Field(None, description="Family name")
+    organization: Optional[str] = Field(None, description="Organization")
+    title: Optional[str] = Field(None, description="Job title")
+    emails: List[ContactField] = Field(
+        default_factory=list, description="Email addresses"
+    )
+    phones: List[ContactField] = Field(
+        default_factory=list, description="Phone numbers"
+    )
+    addresses: List[ContactField] = Field(default_factory=list, description="Addresses")
+    urls: List[ContactField] = Field(default_factory=list, description="URLs")
+    note: Optional[str] = Field(None, description="Notes")
+    photo: Optional[str] = Field(None, description="Photo URL or base64 data")
+    birthday: Optional[str] = Field(None, description="Birthday (ISO date format)")
+    categories: List[str] = Field(
+        default_factory=list, description="Contact categories"
+    )
+    custom_fields: Dict[str, Any] = Field(
+        default_factory=dict, description="Custom fields"
+    )
+    etag: Optional[str] = Field(None, description="ETag for versioning")
+
+    @property
+    def primary_email(self) -> Optional[str]:
+        """Get the primary email address."""
+        if not self.emails:
+            return None
+        # Return preferred email if available, otherwise first email
+        preferred = next(
+            (email.value for email in self.emails if email.preferred), None
+        )
+        return preferred or self.emails[0].value
+
+    @property
+    def primary_phone(self) -> Optional[str]:
+        """Get the primary phone number."""
+        if not self.phones:
+            return None
+        # Return preferred phone if available, otherwise first phone
+        preferred = next(
+            (phone.value for phone in self.phones if phone.preferred), None
+        )
+        return preferred or self.phones[0].value
+
+
+class ListAddressBooksResponse(BaseResponse):
+    """Response model for listing address books."""
+
+    addressbooks: List[AddressBook] = Field(
+        description="List of available address books"
+    )
+    total_count: int = Field(description="Total number of address books")
+
+
+class ListContactsResponse(BaseResponse):
+    """Response model for listing contacts."""
+
+    contacts: List[Contact] = Field(description="List of contacts")
+    addressbook: str = Field(description="Address book name")
+    total_count: int = Field(description="Total number of contacts")
+
+
+class CreateContactResponse(BaseResponse):
+    """Response model for contact creation."""
+
+    contact: Contact = Field(description="The created contact")
+    addressbook: str = Field(description="Address book the contact was created in")
+
+
+class UpdateContactResponse(BaseResponse):
+    """Response model for contact updates."""
+
+    contact: Contact = Field(description="The updated contact")
+    addressbook: str = Field(description="Address book the contact belongs to")
+
+
+class DeleteContactResponse(StatusResponse):
+    """Response model for contact deletion."""
+
+    deleted_uid: str = Field(description="UID of the deleted contact")
+    addressbook: str = Field(description="Address book the contact was deleted from")
+
+
+class CreateAddressBookResponse(BaseResponse):
+    """Response model for address book creation."""
+
+    addressbook: AddressBook = Field(description="The created address book")
+
+
+class DeleteAddressBookResponse(StatusResponse):
+    """Response model for address book deletion."""
+
+    deleted_name: str = Field(description="Name of the deleted address book")
@@ -0,0 +1,268 @@
+from datetime import datetime
+from typing import Any, Dict, List, Optional, Union
+
+from pydantic import BaseModel, Field, field_validator
+
+from .base import BaseResponse, StatusResponse
+
+
+class DeckUser(BaseModel):
+    primaryKey: str
+    uid: str
+    displayname: str
+
+
+class DeckPermissions(BaseModel):
+    PERMISSION_READ: bool
+    PERMISSION_EDIT: bool
+    PERMISSION_MANAGE: bool
+    PERMISSION_SHARE: bool
+
+
+class DeckLabel(BaseModel):
+    id: int
+    title: str
+    color: str
+    boardId: Optional[int] = None
+    cardId: Optional[int] = None
+
+
+class DeckACL(BaseModel):
+    id: int
+    participant: DeckUser
+    type: int
+    boardId: int
+    permissionEdit: bool
+    permissionShare: bool
+    permissionManage: bool
+    owner: bool
+
+
+class DeckBoardSettings(BaseModel):
+    calendar: bool
+    cardDetailsInModal: Optional[bool] = Field(default=None, alias="cardDetailsInModal")
+    cardIdBadge: Optional[bool] = Field(default=None, alias="cardIdBadge")
+    groupLimit: Optional[List[Dict[str, str]]] = Field(default=None, alias="groupLimit")
+    notify_due: Optional[str] = Field(default=None, alias="notify-due")
+
+
+class DeckBoard(BaseModel):
+    id: int
+    title: str
+    owner: DeckUser
+    color: str
+    archived: bool
+    labels: List[DeckLabel]
+    acl: List[DeckACL]
+    permissions: DeckPermissions
+    users: List[DeckUser]
+    deletedAt: int
+    lastModified: Optional[int] = None
+    settings: Optional[DeckBoardSettings] = None
+    etag: Optional[str] = Field(default=None, alias="ETag")
+
+    @field_validator("settings", mode="before")
+    @classmethod
+    def validate_settings(cls, v):
+        # Handle case where API returns empty array instead of dict/null
+        if isinstance(v, list) and len(v) == 0:
+            return None
+        return v
+
+
+class DeckAssignedUser(BaseModel):
+    id: int
+    participant: DeckUser
+    cardId: int
+    type: int
+
+
+class DeckCard(BaseModel):
+    id: int
+    title: str
+    stackId: int
+    type: str
+    order: int
+    archived: bool
+    owner: Union[str, DeckUser]  # Can be either string or user object
+    description: Optional[str] = None
+    duedate: Optional[datetime] = None
+    done: Optional[datetime] = None
+    lastModified: Optional[int] = None
+    createdAt: Optional[int] = None
+    labels: Optional[List[DeckLabel]] = None
+    assignedUsers: Optional[List[Union[DeckUser, DeckAssignedUser]]] = None
+    attachments: Optional[List[Any]] = None  # Define a proper Attachment model later
+    attachmentCount: Optional[int] = None
+    deletedAt: Optional[int] = None
+    commentsUnread: Optional[int] = None
+    overdue: Optional[int] = None
+    etag: Optional[str] = Field(default=None, alias="ETag")
+
+    @field_validator("owner", mode="before")
+    @classmethod
+    def validate_owner(cls, v):
+        # Handle case where API returns user object instead of string
+        if isinstance(v, dict):
+            return v.get("uid", v.get("primaryKey", str(v)))
+        return v
+
+    @field_validator("assignedUsers", mode="before")
+    @classmethod
+    def validate_assigned_users(cls, v):
+        # Handle different formats of assigned users from the API
+        if not v:
+            return v
+
+        validated_users = []
+        for user in v:
+            if isinstance(user, dict):
+                # Check if it's an assignment object with participant
+                if "participant" in user:
+                    validated_users.append(user)
+                # Check if it's a direct user object
+                elif "uid" in user or "primaryKey" in user:
+                    validated_users.append(user)
+            else:
+                validated_users.append(user)
+
+        return validated_users
+
+
+class DeckStack(BaseModel):
+    id: int
+    title: str
+    boardId: int
+    order: int
+    deletedAt: int
+    lastModified: Optional[int] = None
+    cards: Optional[List[DeckCard]] = None
+    etag: Optional[str] = Field(default=None, alias="ETag")
+
+
+class DeckAttachmentExtendedData(BaseModel):
+    filesize: int
+    mimetype: str
+    info: Dict[str, str]
+
+
+class DeckAttachment(BaseModel):
+    id: int
+    cardId: int
+    type: str
+    data: str
+    lastModified: int
+    createdAt: int
+    createdBy: str
+    deletedAt: int
+    extendedData: DeckAttachmentExtendedData
+
+
+class DeckComment(BaseModel):
+    id: int
+    objectId: int
+    message: str
+    actorId: str
+    actorType: str
+    actorDisplayName: str
+    creationDateTime: datetime
+    mentions: List[Dict[str, str]]
+    replyTo: Optional[Any] = None  # Self-referencing, handle later if needed
+
+
+class DeckSession(BaseModel):
+    token: str
+
+
+class DeckConfig(BaseModel):
+    calendar: bool
+    cardDetailsInModal: bool
+    cardIdBadge: bool
+    groupLimit: Optional[List[Dict[str, str]]] = None
+
+
+# Response Models for MCP Tools
+
+
+class ListBoardsResponse(BaseResponse):
+    """Response model for listing deck boards."""
+
+    boards: List[DeckBoard] = Field(description="List of deck boards")
+    total: int = Field(description="Total number of boards")
+
+
+class CreateBoardResponse(BaseResponse):
+    """Response model for board creation."""
+
+    id: int = Field(description="The created board ID")
+    title: str = Field(description="The created board title")
+    color: str = Field(description="The created board color")
+
+
+class BoardOperationResponse(StatusResponse):
+    """Response model for board operations like update/delete."""
+
+    board_id: int = Field(description="ID of the affected board")
+
+
+# Stack Response Models
+
+
+class ListStacksResponse(BaseResponse):
+    """Response model for listing deck stacks."""
+
+    stacks: List[DeckStack] = Field(description="List of deck stacks")
+    total: int = Field(description="Total number of stacks")
+
+
+class CreateStackResponse(BaseResponse):
+    """Response model for stack creation."""
+
+    id: int = Field(description="The created stack ID")
+    title: str = Field(description="The created stack title")
+    order: int = Field(description="The created stack order")
+
+
+class StackOperationResponse(StatusResponse):
+    """Response model for stack operations like update/delete."""
+
+    stack_id: int = Field(description="ID of the affected stack")
+    board_id: int = Field(description="ID of the board containing the stack")
+
+
+# Card Response Models
+
+
+class CreateCardResponse(BaseResponse):
+    """Response model for card creation."""
+
+    id: int = Field(description="The created card ID")
+    title: str = Field(description="The created card title")
+    description: Optional[str] = Field(description="The created card description")
+    stackId: int = Field(description="The stack ID the card belongs to")
+
+
+class CardOperationResponse(StatusResponse):
+    """Response model for card operations like update/delete."""
+
+    card_id: int = Field(description="ID of the affected card")
+    stack_id: int = Field(description="ID of the stack containing the card")
+    board_id: int = Field(description="ID of the board containing the card")
+
+
+# Label Response Models
+
+
+class CreateLabelResponse(BaseResponse):
+    """Response model for label creation."""
+
+    id: int = Field(description="The created label ID")
+    title: str = Field(description="The created label title")
+    color: str = Field(description="The created label color")
+
+
+class LabelOperationResponse(StatusResponse):
+    """Response model for label operations like update/delete."""
+
+    label_id: int = Field(description="ID of the affected label")
+    board_id: int = Field(description="ID of the board containing the label")
@@ -0,0 +1,85 @@
+"""Pydantic models for Notes app responses."""
+
+from datetime import datetime
+from typing import List, Optional
+
+from pydantic import BaseModel, Field
+
+from .base import BaseResponse, IdResponse, StatusResponse
+
+
+class Note(BaseModel):
+    """Model for a Nextcloud note."""
+
+    id: int = Field(description="Note ID")
+    title: str = Field(description="Note title")
+    content: str = Field(description="Note content in markdown")
+    category: str = Field(default="", description="Note category")
+    modified: int = Field(description="Unix timestamp of last modification")
+    favorite: bool = Field(
+        default=False, description="Whether note is marked as favorite"
+    )
+    etag: str = Field(description="ETag for versioning")
+    readonly: bool = Field(default=False, description="Whether note is read-only")
+
+    @property
+    def modified_datetime(self) -> datetime:
+        """Convert Unix timestamp to datetime."""
+        return datetime.fromtimestamp(self.modified)
+
+
+class NoteSearchResult(BaseModel):
+    """Model for note search results (limited fields)."""
+
+    id: int = Field(description="Note ID")
+    title: str = Field(description="Note title")
+    category: str = Field(default="", description="Note category")
+    score: Optional[float] = Field(None, description="Search relevance score")
+
+
+class NotesSettings(BaseModel):
+    """Model for Notes app settings."""
+
+    notesPath: str = Field(description="Path to notes directory")
+    fileSuffix: str = Field(description="File suffix for notes")
+    noteMode: str = Field(description="Note mode setting")
+
+
+class CreateNoteResponse(IdResponse):
+    """Response model for note creation."""
+
+    title: str = Field(description="The created note title")
+    category: str = Field(description="The created note category")
+    etag: str = Field(description="Current ETag for the created note")
+
+
+class UpdateNoteResponse(BaseResponse):
+    """Response model for note updates."""
+
+    id: int = Field(description="The updated note ID")
+    title: str = Field(description="The updated note title")
+    category: str = Field(description="The updated note category")
+    etag: str = Field(description="Current ETag for the updated note")
+
+
+class DeleteNoteResponse(StatusResponse):
+    """Response model for note deletion."""
+
+    deleted_id: int = Field(description="ID of the deleted note")
+
+
+class AppendContentResponse(BaseResponse):
+    """Response model for appending content to a note."""
+
+    id: int = Field(description="The updated note ID")
+    title: str = Field(description="The updated note title")
+    category: str = Field(description="The updated note category")
+    etag: str = Field(description="Current ETag for the updated note")
+
+
+class SearchNotesResponse(BaseResponse):
+    """Response model for note search."""
+
+    results: List[NoteSearchResult] = Field(description="Search results")
+    query: str = Field(description="The search query used")
+    total_found: int = Field(description="Total number of notes found")
@@ -0,0 +1,142 @@
+"""Pydantic models for Tables app responses."""
+
+from typing import Any, Dict, List, Optional
+
+from pydantic import BaseModel, Field
+
+from .base import BaseResponse, IdResponse, StatusResponse
+
+
+class TableColumn(BaseModel):
+    """Model for a table column definition."""
+
+    id: int = Field(description="Column ID")
+    title: str = Field(description="Column title")
+    type: str = Field(description="Column type (text, number, datetime, etc.)")
+    subtype: Optional[str] = Field(None, description="Column subtype")
+    mandatory: bool = Field(default=False, description="Whether column is mandatory")
+    description: Optional[str] = Field(None, description="Column description")
+    text_default: Optional[str] = Field(None, description="Default text value")
+    text_allowed_pattern: Optional[str] = Field(
+        None, description="Allowed text pattern"
+    )
+    text_max_length: Optional[int] = Field(None, description="Maximum text length")
+    number_default: Optional[float] = Field(None, description="Default number value")
+    number_min: Optional[float] = Field(None, description="Minimum number value")
+    number_max: Optional[float] = Field(None, description="Maximum number value")
+    number_decimals: Optional[int] = Field(None, description="Number of decimal places")
+    datetime_default: Optional[str] = Field(None, description="Default datetime value")
+    selection_options: List[str] = Field(
+        default_factory=list, description="Selection options"
+    )
+    selection_default: Optional[str] = Field(
+        None, description="Default selection value"
+    )
+
+
+class TableRow(BaseModel):
+    """Model for a table row."""
+
+    id: int = Field(description="Row ID")
+    created_by: Optional[str] = Field(None, description="User who created the row")
+    created_at: Optional[str] = Field(None, description="Row creation timestamp")
+    last_edit_by: Optional[str] = Field(
+        None, description="User who last edited the row"
+    )
+    last_edit_at: Optional[str] = Field(None, description="Last edit timestamp")
+    data: Dict[int, Any] = Field(description="Row data keyed by column ID")
+
+
+class TableView(BaseModel):
+    """Model for a table view."""
+
+    id: int = Field(description="View ID")
+    title: str = Field(description="View title")
+    emoji: Optional[str] = Field(None, description="View emoji")
+    description: Optional[str] = Field(None, description="View description")
+    columns: List[int] = Field(
+        default_factory=list, description="List of column IDs in this view"
+    )
+    sort: List[Dict[str, Any]] = Field(
+        default_factory=list, description="Sort configuration"
+    )
+    filter: List[Dict[str, Any]] = Field(
+        default_factory=list, description="Filter configuration"
+    )
+
+
+class Table(BaseModel):
+    """Model for a Nextcloud table."""
+
+    id: int = Field(description="Table ID")
+    title: str = Field(description="Table title")
+    emoji: Optional[str] = Field(None, description="Table emoji")
+    ownership: str = Field(description="Table ownership")
+    owner_display_name: str = Field(description="Display name of table owner")
+    created_by: Optional[str] = Field(None, description="User who created the table")
+    created_at: Optional[str] = Field(None, description="Table creation timestamp")
+    last_edit_by: Optional[str] = Field(
+        None, description="User who last edited the table"
+    )
+    last_edit_at: Optional[str] = Field(None, description="Last edit timestamp")
+    row_count: int = Field(default=0, description="Number of rows in the table")
+    has_shares: bool = Field(default=False, description="Whether table is shared")
+    archived: bool = Field(default=False, description="Whether table is archived")
+    is_shared: bool = Field(
+        default=False, description="Whether table is shared with current user"
+    )
+    on_share_permissions: Optional[Dict[str, Any]] = Field(
+        None, description="Share permissions"
+    )
+
+
+class TableSchema(BaseModel):
+    """Model for complete table schema including columns and views."""
+
+    table: Table = Field(description="Table information")
+    columns: List[TableColumn] = Field(description="Table columns")
+    views: List[TableView] = Field(description="Table views")
+
+
+class ListTablesResponse(BaseResponse):
+    """Response model for listing tables."""
+
+    tables: List[Table] = Field(description="List of available tables")
+    total_count: int = Field(description="Total number of tables")
+
+
+class GetSchemaResponse(BaseResponse):
+    """Response model for getting table schema."""
+
+    table_schema: TableSchema = Field(description="Table schema information")
+
+
+class ReadTableResponse(BaseResponse):
+    """Response model for reading table rows."""
+
+    rows: List[TableRow] = Field(description="Table rows")
+    table_id: int = Field(description="Table ID")
+    total_count: Optional[int] = Field(
+        None, description="Total number of rows (if known)"
+    )
+    offset: Optional[int] = Field(None, description="Offset used for pagination")
+    limit: Optional[int] = Field(None, description="Limit used for pagination")
+
+
+class CreateRowResponse(IdResponse):
+    """Response model for row creation."""
+
+    row: TableRow = Field(description="The created row")
+    table_id: int = Field(description="Table ID the row was created in")
+
+
+class UpdateRowResponse(BaseResponse):
+    """Response model for row updates."""
+
+    row: TableRow = Field(description="The updated row")
+
+
+class DeleteRowResponse(StatusResponse):
+    """Response model for row deletion."""
+
+    deleted_id: int = Field(description="ID of the deleted row")
@@ -0,0 +1,40 @@
+from typing import Any, Dict, List, Optional, Union
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class User(BaseModel):
+    """Model for creating a new user."""
+
+    userid: str
+    password: Optional[str] = None
+    displayName: Optional[str] = None
+    email: Optional[str] = None
+    groups: Optional[List[str]] = Field(default_factory=list)
+    subadmin: Optional[List[str]] = Field(default_factory=list)
+    quota: Optional[str] = None
+    language: Optional[str] = None
+
+
+class UserDetails(BaseModel):
+    """Model for retrieving detailed user information."""
+
+    model_config = ConfigDict(populate_by_name=True)
+
+    enabled: bool
+    id: str
+    quota: Union[str, Dict[str, Any]]  # Can be string or quota object
+    email: Optional[str] = None  # Can be null
+    displayname: str = Field(
+        alias="display-name"
+    )  # Handle both displayname and display-name
+    phone: Optional[str] = None
+    address: Optional[str] = None
+    website: Optional[str] = None
+    twitter: Optional[str] = None
+    groups: Optional[List[str]] = Field(default_factory=list)
+
+
+class Group(BaseModel):
+    """Model for a user group."""
+
+    id: str
@@ -0,0 +1,108 @@
+"""Pydantic models for WebDAV responses."""
+
+from datetime import datetime
+from typing import List, Optional
+
+from pydantic import BaseModel, Field
+
+from .base import BaseResponse, StatusResponse
+
+
+class FileInfo(BaseModel):
+    """Model for file/directory information."""
+
+    name: str = Field(description="File/directory name")
+    path: str = Field(description="Full path")
+    is_directory: bool = Field(description="Whether this is a directory")
+    size: Optional[int] = Field(
+        None, description="File size in bytes (None for directories)"
+    )
+    content_type: Optional[str] = Field(None, description="MIME content type")
+    last_modified: Optional[str] = Field(
+        None, description="Last modification time (ISO format)"
+    )
+    etag: Optional[str] = Field(None, description="ETag for versioning")
+
+    @property
+    def last_modified_datetime(self) -> Optional[datetime]:
+        """Convert last modified string to datetime."""
+        if not self.last_modified:
+            return None
+        try:
+            return datetime.fromisoformat(self.last_modified.replace("Z", "+00:00"))
+        except (ValueError, AttributeError):
+            return None
+
+
+class DirectoryListing(BaseResponse):
+    """Response model for directory listings."""
+
+    path: str = Field(description="Directory path")
+    items: List[FileInfo] = Field(description="Files and directories in the path")
+    total_count: int = Field(description="Total number of items")
+    directories_count: int = Field(description="Number of directories")
+    files_count: int = Field(description="Number of files")
+    total_size: int = Field(default=0, description="Total size of all files in bytes")
+
+
+class ReadFileResponse(BaseResponse):
+    """Response model for reading file contents."""
+
+    path: str = Field(description="File path")
+    content: str = Field(description="File content (text or base64 for binary)")
+    content_type: str = Field(description="MIME content type")
+    size: int = Field(description="File size in bytes")
+    encoding: Optional[str] = Field(
+        None, description="Encoding used (e.g., 'base64' for binary files)"
+    )
+    etag: Optional[str] = Field(None, description="ETag for versioning")
+    last_modified: Optional[str] = Field(None, description="Last modification time")
+
+
+class WriteFileResponse(StatusResponse):
+    """Response model for writing files."""
+
+    path: str = Field(description="File path that was written")
+    size: Optional[int] = Field(None, description="Size of the written file")
+    created: bool = Field(description="Whether a new file was created (vs overwritten)")
+
+
+class CreateDirectoryResponse(StatusResponse):
+    """Response model for directory creation."""
+
+    path: str = Field(description="Directory path that was created")
+    created: bool = Field(
+        description="Whether directory was created or already existed"
+    )
+
+
+class DeleteResourceResponse(StatusResponse):
+    """Response model for resource deletion."""
+
+    path: str = Field(description="Path that was deleted")
+    was_directory: bool = Field(
+        description="Whether the deleted resource was a directory"
+    )
+    items_deleted: Optional[int] = Field(
+        None, description="Number of items deleted (for directories)"
+    )
+
+
+class MoveResourceResponse(StatusResponse):
+    """Response model for resource move/rename operations."""
+
+    source_path: str = Field(description="Original path of the resource")
+    destination_path: str = Field(description="New path of the resource")
+    overwrite: bool = Field(
+        description="Whether the destination was overwritten if it existed"
+    )
+
+
+class CopyResourceResponse(StatusResponse):
+    """Response model for resource copy operations."""
+
+    source_path: str = Field(description="Original path of the resource")
+    destination_path: str = Field(description="Destination path for the copy")
+    overwrite: bool = Field(
+        description="Whether the destination was overwritten if it existed"
+    )
@@ -1,200 +0,0 @@
-# server.py
-import logging
-from nextcloud_mcp_server.config import setup_logging
-from contextlib import asynccontextmanager
-from dataclasses import dataclass
-from mcp.server.fastmcp import FastMCP, Context
-from collections.abc import AsyncIterator
-from nextcloud_mcp_server.client import NextcloudClient
-
-setup_logging()
-
-
-@dataclass
-class AppContext:
-    client: NextcloudClient
-
-
-@asynccontextmanager
-async def app_lifespan(server: FastMCP) -> AsyncIterator[AppContext]:
-    """Manage application lifecycle with type-safe context"""
-    # Initialize on startup
-    logging.info("Creating Nextcloud client")
-    client = NextcloudClient.from_env()
-    logging.info("Client initialization wait complete.")
-    try:
-        yield AppContext(client=client)
-    finally:
-        # Cleanup on shutdown
-        await client.close()
-
-
-# Create an MCP server
-mcp = FastMCP("Nextcloud MCP", lifespan=app_lifespan)
-
-logger = logging.getLogger(__name__)
-
-
-@mcp.resource("nc://capabilities")
-async def nc_get_capabilities():
-    """Get the Nextcloud Host capabilities"""
-    ctx = (
-        mcp.get_context()
-    )  # https://github.com/modelcontextprotocol/python-sdk/issues/244
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.capabilities()
-
-
-@mcp.resource("notes://settings")
-async def notes_get_settings():
-    """Get the Notes App settings"""
-    ctx = (
-        mcp.get_context()
-    )  # https://github.com/modelcontextprotocol/python-sdk/issues/244
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.get_settings()
-
-
-@mcp.tool()
-async def nc_get_note(note_id: int, ctx: Context):
-    """Get user note using note id"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.get_note(note_id)
-
-
-@mcp.tool()
-async def nc_notes_create_note(title: str, content: str, category: str, ctx: Context):
-    """Create a new note"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.create_note(
-        title=title,
-        content=content,
-        category=category,
-    )
-
-
-@mcp.tool()
-async def nc_notes_update_note(
-    note_id: int,
-    etag: str,
-    title: str | None,
-    content: str | None,
-    category: str | None,
-    ctx: Context,
-):
-    logger.info("Updating note %s", note_id)
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.update(
-        note_id=note_id,
-        etag=etag,
-        title=title,
-        content=content,
-        category=category,
-    )
-
-
-@mcp.tool()
-async def nc_notes_append_content(note_id: int, content: str, ctx: Context):
-    """Append content to an existing note with a clear separator"""
-    logger.info("Appending content to note %s", note_id)
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.append_content(note_id=note_id, content=content)
-
-
-@mcp.tool()
-async def nc_notes_search_notes(query: str, ctx: Context):
-    """Search notes by title or content, returning only id, title, and category."""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes_search_notes(query=query)
-
-
-@mcp.tool()
-async def nc_notes_delete_note(note_id: int, ctx: Context):
-    logger.info("Deleting note %s", note_id)
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.notes.delete_note(note_id)
-
-
-# Tables tools
-@mcp.tool()
-async def nc_tables_list_tables(ctx: Context):
-    """List all tables available to the user"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.list_tables()
-
-
-@mcp.tool()
-async def nc_tables_get_schema(table_id: int, ctx: Context):
-    """Get the schema/structure of a specific table including columns and views"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.get_table_schema(table_id)
-
-
-@mcp.tool()
-async def nc_tables_read_table(
-    table_id: int,
-    limit: int | None = None,
-    offset: int | None = None,
-    ctx: Context = None,
-):
-    """Read rows from a table with optional pagination"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.get_table_rows(table_id, limit, offset)
-
-
-@mcp.tool()
-async def nc_tables_insert_row(table_id: int, data: dict, ctx: Context):
-    """Insert a new row into a table.
-
-    Data should be a dictionary mapping column IDs to values, e.g. {1: "text", 2: 42}
-    """
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.create_row(table_id, data)
-
-
-@mcp.tool()
-async def nc_tables_update_row(row_id: int, data: dict, ctx: Context):
-    """Update an existing row in a table.
-
-    Data should be a dictionary mapping column IDs to new values, e.g. {1: "new text", 2: 99}
-    """
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.update_row(row_id, data)
-
-
-@mcp.tool()
-async def nc_tables_delete_row(row_id: int, ctx: Context):
-    """Delete a row from a table"""
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    return await client.tables.delete_row(row_id)
-
-
-@mcp.resource("nc://Notes/{note_id}/attachments/{attachment_filename}")
-async def nc_notes_get_attachment(note_id: int, attachment_filename: str):
-    """Get a specific attachment from a note"""
-    ctx = mcp.get_context()
-    client: NextcloudClient = ctx.request_context.lifespan_context.client
-    # Assuming a method get_note_attachment exists in the client
-    # This method should return the raw content and determine the mime type
-    content, mime_type = await client.webdav.get_note_attachment(
-        note_id=note_id, filename=attachment_filename
-    )
-    return {
-        "contents": [
-            {
-                # Use uppercase 'Notes' to match the decorator
-                "uri": f"nc://Notes/{note_id}/attachments/{attachment_filename}",
-                "mimeType": mime_type,  # Client needs to determine this
-                "data": content,  # Return raw bytes/data
-            }
-        ]
-    }
-
-
-def run():
-    mcp.run()
-
-
-if __name__ == "__main__":
-    logger.info("Starting now")
-    mcp.run()
@@ -0,0 +1,17 @@
+from .calendar import configure_calendar_tools
+from .contacts import configure_contacts_tools
+from .deck import configure_deck_tools
+from .notes import configure_notes_tools
+from .sharing import configure_sharing_tools
+from .tables import configure_tables_tools
+from .webdav import configure_webdav_tools
+
+__all__ = [
+    "configure_calendar_tools",
+    "configure_contacts_tools",
+    "configure_deck_tools",
+    "configure_notes_tools",
+    "configure_sharing_tools",
+    "configure_tables_tools",
+    "configure_webdav_tools",
+]
@@ -0,0 +1,798 @@
+import datetime as dt
+import logging
+from typing import Optional
+
+from mcp.server.fastmcp import Context, FastMCP
+
+from nextcloud_mcp_server.context import get_client
+from nextcloud_mcp_server.models.calendar import Calendar, ListCalendarsResponse
+
+logger = logging.getLogger(__name__)
+
+
+def configure_calendar_tools(mcp: FastMCP):
+    # Calendar tools
+    @mcp.tool()
+    async def nc_calendar_list_calendars(ctx: Context) -> ListCalendarsResponse:
+        """List all available calendars for the user"""
+        client = get_client(ctx)
+        calendars_data = await client.calendar.list_calendars()
+
+        calendars = [Calendar(**cal_data) for cal_data in calendars_data]
+        return ListCalendarsResponse(calendars=calendars, total_count=len(calendars))
+
+    @mcp.tool()
+    async def nc_calendar_create_event(
+        calendar_name: str,
+        title: str,
+        start_datetime: str,
+        ctx: Context,
+        end_datetime: str = "",
+        all_day: bool = False,
+        description: str = "",
+        location: str = "",
+        categories: str = "",
+        recurring: bool = False,
+        recurrence_rule: str = "",
+        recurrence_end_date: str = "",
+        reminder_minutes: int = 15,
+        reminder_email: bool = False,
+        status: str = "CONFIRMED",
+        priority: int = 5,
+        privacy: str = "PUBLIC",
+        attendees: str = "",
+        url: str = "",
+        color: str = "",
+    ):
+        """Create a comprehensive calendar event with full feature support
+
+        Args:
+            calendar_name: Name of the calendar to create the event in
+            title: Event title
+            start_datetime: ISO format: "2025-01-15T14:00:00" or "2025-01-15" for all-day
+            ctx: MCP context
+            end_datetime: ISO format end time, empty for all-day events
+            all_day: Whether this is an all-day event
+            description: Event description/details
+            location: Event location
+            categories: Comma-separated categories (e.g., "work,meeting")
+            recurring: Whether this is a recurring event
+            recurrence_rule: RFC5545 RRULE (e.g., "FREQ=WEEKLY;BYDAY=MO,WE,FR")
+            recurrence_end_date: When to stop recurring
+            reminder_minutes: Minutes before event to send reminder
+            reminder_email: Whether to send email notification
+            status: Event status: CONFIRMED, TENTATIVE, or CANCELLED
+            priority: Priority level 1-9 (1=highest, 9=lowest, 5=normal)
+            privacy: Privacy level: PUBLIC, PRIVATE, or CONFIDENTIAL
+            attendees: Comma-separated email addresses
+            url: Related URL for the event
+            color: Event color (hex or name)
+
+        Returns:
+            Dict with event creation result
+        """
+        client = get_client(ctx)
+
+        event_data = {
+            "title": title,
+            "start_datetime": start_datetime,
+            "end_datetime": end_datetime,
+            "all_day": all_day,
+            "description": description,
+            "location": location,
+            "categories": categories,
+            "recurring": recurring,
+            "recurrence_rule": recurrence_rule,
+            "recurrence_end_date": recurrence_end_date,
+            "reminder_minutes": reminder_minutes,
+            "reminder_email": reminder_email,
+            "status": status,
+            "priority": priority,
+            "privacy": privacy,
+            "attendees": attendees,
+            "url": url,
+            "color": color,
+        }
+
+        return await client.calendar.create_event(calendar_name, event_data)
+
+    @mcp.tool()
+    async def nc_calendar_list_events(
+        calendar_name: str,
+        ctx: Context,
+        start_date: str = "",
+        end_date: str = "",
+        limit: int = 50,
+        min_attendees: Optional[int] = None,
+        min_duration_minutes: Optional[int] = None,
+        categories: Optional[str] = None,
+        status: Optional[str] = None,
+        title_contains: Optional[str] = None,
+        location_contains: Optional[str] = None,
+        search_all_calendars: bool = False,
+    ):
+        """List events in a calendar (or all calendars) within date range with advanced filtering.
+
+        Args:
+            calendar_name: Name of the calendar to search. Ignored if search_all_calendars=True.
+            ctx: MCP context
+            start_date: Start date for search (YYYY-MM-DD format, e.g., "2025-01-01")
+            end_date: End date for search (YYYY-MM-DD format, e.g., "2025-01-31")
+            limit: Maximum number of events to return
+            min_attendees: Filter events with at least this many attendees
+            min_duration_minutes: Filter events with at least this duration
+            categories: Filter events containing any of these categories (comma-separated, e.g., "work,meeting")
+            status: Filter events by status (CONFIRMED, TENTATIVE, or CANCELLED)
+            title_contains: Filter events where title contains this text
+            location_contains: Filter events where location contains this text
+            search_all_calendars: If True, search across all calendars instead of just one
+
+        Returns:
+            List of events matching the filters
+        """
+        client = get_client(ctx)
+
+        # Convert YYYY-MM-DD format dates to datetime objects
+        start_datetime = None
+        end_datetime = None
+
+        if start_date:
+            try:
+                start_datetime = dt.datetime.strptime(start_date, "%Y-%m-%d")
+            except ValueError:
+                # If parsing fails, try to parse as ISO format
+                try:
+                    start_datetime = dt.datetime.fromisoformat(start_date)
+                except ValueError:
+                    logger.warning(f"Invalid start_date format: {start_date}")
+
+        if end_date:
+            try:
+                # For end date, set to end of day (23:59:59)
+                end_datetime = dt.datetime.strptime(end_date, "%Y-%m-%d").replace(
+                    hour=23, minute=59, second=59
+                )
+            except ValueError:
+                # If parsing fails, try to parse as ISO format
+                try:
+                    end_datetime = dt.datetime.fromisoformat(end_date)
+                except ValueError:
+                    logger.warning(f"Invalid end_date format: {end_date}")
+
+        # Build filters dictionary
+        filters = {}
+        if min_attendees is not None:
+            filters["min_attendees"] = min_attendees
+        if min_duration_minutes is not None:
+            filters["min_duration_minutes"] = min_duration_minutes
+        if categories is not None:
+            filters["categories"] = [cat.strip() for cat in categories.split(",")]
+        if status is not None:
+            filters["status"] = status
+        if title_contains is not None:
+            filters["title_contains"] = title_contains
+        if location_contains is not None:
+            filters["location_contains"] = location_contains
+
+        if search_all_calendars:
+            # Search across all calendars with filters
+            events = await client.calendar.search_events_across_calendars(
+                start_datetime=start_datetime,
+                end_datetime=end_datetime,
+                filters=filters if filters else None,
+            )
+            return events[:limit]
+        else:
+            # Search in specific calendar
+            events = await client.calendar.get_calendar_events(
+                calendar_name=calendar_name,
+                start_datetime=start_datetime,
+                end_datetime=end_datetime,
+                limit=limit,
+            )
+
+            # Apply filters if provided
+            if filters:
+                events = client.calendar._apply_event_filters(events, filters)
+
+            return events
+
+    @mcp.tool()
+    async def nc_calendar_get_event(
+        calendar_name: str,
+        event_uid: str,
+        ctx: Context,
+    ):
+        """Get detailed information about a specific event"""
+        client = get_client(ctx)
+        event_data, etag = await client.calendar.get_event(calendar_name, event_uid)
+        return event_data
+
+    @mcp.tool()
+    async def nc_calendar_update_event(
+        calendar_name: str,
+        event_uid: str,
+        ctx: Context,
+        # All the same parameters as create_event but optional
+        title: str | None = None,
+        start_datetime: str | None = None,
+        end_datetime: str | None = None,
+        all_day: bool | None = None,
+        description: str | None = None,
+        location: str | None = None,
+        categories: str | None = None,
+        # Recurrence updates
+        recurring: bool | None = None,
+        recurrence_rule: str | None = None,
+        # Notification updates
+        reminder_minutes: int | None = None,
+        reminder_email: bool | None = None,
+        # Event property updates
+        status: str | None = None,
+        priority: int | None = None,
+        privacy: str | None = None,
+        attendees: str | None = None,
+        url: str | None = None,
+        color: str | None = None,
+        etag: str = "",
+    ):
+        """Update any aspect of an existing event"""
+        client = get_client(ctx)
+
+        # Build update data with only non-None values
+        event_data = {}
+        if title is not None:
+            event_data["title"] = title
+        if start_datetime is not None:
+            event_data["start_datetime"] = start_datetime
+        if end_datetime is not None:
+            event_data["end_datetime"] = end_datetime
+        if all_day is not None:
+            event_data["all_day"] = all_day
+        if description is not None:
+            event_data["description"] = description
+        if location is not None:
+            event_data["location"] = location
+        if categories is not None:
+            event_data["categories"] = categories
+        if recurring is not None:
+            event_data["recurring"] = recurring
+        if recurrence_rule is not None:
+            event_data["recurrence_rule"] = recurrence_rule
+        if reminder_minutes is not None:
+            event_data["reminder_minutes"] = reminder_minutes
+        if reminder_email is not None:
+            event_data["reminder_email"] = reminder_email
+        if status is not None:
+            event_data["status"] = status
+        if priority is not None:
+            event_data["priority"] = priority
+        if privacy is not None:
+            event_data["privacy"] = privacy
+        if attendees is not None:
+            event_data["attendees"] = attendees
+        if url is not None:
+            event_data["url"] = url
+        if color is not None:
+            event_data["color"] = color
+
+        return await client.calendar.update_event(
+            calendar_name, event_uid, event_data, etag
+        )
+
+    @mcp.tool()
+    async def nc_calendar_delete_event(
+        calendar_name: str,
+        event_uid: str,
+        ctx: Context,
+    ):
+        """Delete a calendar event"""
+        client = get_client(ctx)
+        return await client.calendar.delete_event(calendar_name, event_uid)
+
+    @mcp.tool()
+    async def nc_calendar_create_meeting(
+        title: str,
+        date: str,
+        time: str,
+        ctx: Context,
+        duration_minutes: int = 60,
+        calendar_name: str = "personal",
+        attendees: str = "",
+        location: str = "",
+        description: str = "",
+        reminder_minutes: int = 15,
+    ):
+        """Quick meeting creation with smart defaults
+
+        This is a convenience function for creating events with common meeting defaults.
+        It automatically:
+        - Calculates end time based on duration
+        - Sets status to CONFIRMED
+        - Adds a reminder
+        - Uses simpler date/time inputs instead of full ISO format
+
+        For full control over all event properties, use nc_calendar_create_event instead.
+
+        Args:
+            title: Meeting title
+            date: Meeting date (YYYY-MM-DD format, e.g., "2025-01-15")
+            time: Meeting start time (HH:MM format, e.g., "14:00")
+            ctx: MCP context
+            duration_minutes: Meeting duration in minutes (default: 60)
+            calendar_name: Calendar to create the meeting in (default: "personal")
+            attendees: Comma-separated email addresses of attendees
+            location: Meeting location
+            description: Meeting description/agenda
+            reminder_minutes: Minutes before meeting to send reminder (default: 15)
+
+        Returns:
+            Dict with meeting creation result
+        """
+        client = get_client(ctx)
+
+        # Combine date and time for start_datetime
+        start_datetime = f"{date}T{time}:00"
+
+        # Calculate end_datetime
+        start_dt = dt.datetime.fromisoformat(start_datetime)
+        end_dt = start_dt + dt.timedelta(minutes=duration_minutes)
+        end_datetime = end_dt.isoformat()
+
+        event_data = {
+            "title": title,
+            "start_datetime": start_datetime,
+            "end_datetime": end_datetime,
+            "all_day": False,
+            "description": description,
+            "location": location,
+            "attendees": attendees,
+            "reminder_minutes": reminder_minutes,
+            "status": "CONFIRMED",
+            "priority": 5,
+            "privacy": "PUBLIC",
+        }
+
+        return await client.calendar.create_event(calendar_name, event_data)
+
+    @mcp.tool()
+    async def nc_calendar_get_upcoming_events(
+        ctx: Context,
+        calendar_name: str = "",  # Empty = all calendars
+        days_ahead: int = 7,
+        limit: int = 10,
+    ):
+        """Get upcoming events in next N days"""
+        client = get_client(ctx)
+
+        now = dt.datetime.now()
+        end_datetime = now + dt.timedelta(days=days_ahead)
+
+        if calendar_name:
+            # Get events from specific calendar
+            return await client.calendar.get_calendar_events(
+                calendar_name=calendar_name,
+                start_datetime=now,
+                end_datetime=end_datetime,
+                limit=limit,
+            )
+        else:
+            # Get events from all calendars
+            all_calendars = await client.calendar.list_calendars()
+            all_events = []
+
+            for calendar in all_calendars:
+                try:
+                    events = await client.calendar.get_calendar_events(
+                        calendar_name=calendar["name"],
+                        start_datetime=now,
+                        end_datetime=end_datetime,
+                        limit=limit,
+                    )
+                    # Add calendar info to each event
+                    for event in events:
+                        event["calendar_name"] = calendar["name"]
+                        event["calendar_display_name"] = calendar["display_name"]
+                    all_events.extend(events)
+                except Exception as e:
+                    logger.warning(
+                        f"Error getting events from calendar {calendar['name']}: {e}"
+                    )
+                    continue
+
+            # Sort by start time and limit
+            all_events.sort(key=lambda x: x.get("start_datetime", ""))
+            return all_events[:limit]
+
+    @mcp.tool()
+    async def nc_calendar_find_availability(
+        duration_minutes: int,
+        ctx: Context,
+        attendees: str = "",  # Comma-separated email list
+        date_range_start: str = "",  # "2025-07-28"
+        date_range_end: str = "",  # "2025-08-04"
+        business_hours_only: bool = True,
+        exclude_weekends: bool = True,
+        preferred_times: str = "",  # Comma-separated time ranges like "09:00-12:00,14:00-17:00"
+    ):
+        """Find available time slots for scheduling meetings.
+
+        This tool intelligently analyzes existing calendar events to find free time slots
+        that work for all specified attendees within the given constraints.
+
+        Args:
+            duration_minutes: Required duration for the meeting in minutes
+            attendees: Comma-separated list of attendee email addresses to check availability for
+            date_range_start: Start date for availability search (YYYY-MM-DD)
+            date_range_end: End date for availability search (YYYY-MM-DD)
+            business_hours_only: Only suggest slots during business hours (9 AM - 5 PM)
+            exclude_weekends: Skip weekends when finding availability
+            preferred_times: Preferred time ranges as "HH:MM-HH:MM" (comma-separated)
+
+        Returns:
+            List of available time slots with start/end times and duration
+        """
+        client = get_client(ctx)
+
+        # Parse attendees
+        attendee_list = []
+        if attendees:
+            attendee_list = [
+                email.strip() for email in attendees.split(",") if email.strip()
+            ]
+
+        # Parse preferred times
+        preferred_time_list = []
+        if preferred_times:
+            preferred_time_list = [
+                time_range.strip()
+                for time_range in preferred_times.split(",")
+                if time_range.strip()
+            ]
+
+        # Convert date strings to datetime objects
+        start_datetime = None
+        end_datetime = None
+
+        if date_range_start:
+            try:
+                start_datetime = dt.datetime.strptime(date_range_start, "%Y-%m-%d")
+            except ValueError:
+                logger.warning(f"Invalid date_range_start format: {date_range_start}")
+
+        if date_range_end:
+            try:
+                end_datetime = dt.datetime.strptime(date_range_end, "%Y-%m-%d").replace(
+                    hour=23, minute=59, second=59
+                )
+            except ValueError:
+                logger.warning(f"Invalid date_range_end format: {date_range_end}")
+
+        # Build constraints
+        constraints = {
+            "business_hours_only": business_hours_only,
+            "exclude_weekends": exclude_weekends,
+            "preferred_times": preferred_time_list,
+        }
+
+        return await client.calendar.find_availability(
+            duration_minutes=duration_minutes,
+            attendees=attendee_list,
+            start_datetime=start_datetime,
+            end_datetime=end_datetime,
+            constraints=constraints,
+        )
+
+    @mcp.tool()
+    async def nc_calendar_bulk_operations(
+        operation: str,  # "update", "delete", "move"
+        ctx: Context,
+        title_contains: Optional[str] = None,
+        categories: Optional[str] = None,  # Comma-separated
+        calendar_name: Optional[str] = None,
+        start_date: str = "",  # "2025-07-01"
+        end_date: str = "",  # "2025-07-31"
+        status: Optional[str] = None,
+        location_contains: Optional[str] = None,
+        # Update operation parameters
+        new_title: Optional[str] = None,
+        new_description: Optional[str] = None,
+        new_location: Optional[str] = None,
+        new_categories: Optional[str] = None,
+        new_priority: Optional[int] = None,
+        new_reminder_minutes: Optional[int] = None,
+        # Move operation parameters
+        target_calendar: Optional[str] = None,
+    ):
+        """Perform bulk operations (update/delete) on events matching filter criteria.
+
+        This tool allows you to efficiently modify or delete multiple events at once
+        by applying filters to find matching events and then performing the specified operation.
+
+        Args:
+            operation: Type of operation - "update" or "delete"
+            title_contains: Filter events where title contains this text
+            categories: Filter events containing any of these categories (comma-separated)
+            calendar_name: Filter events from this specific calendar
+            start_date: Filter events starting from this date (YYYY-MM-DD)
+            end_date: Filter events ending before this date (YYYY-MM-DD)
+            status: Filter events by status (CONFIRMED, TENTATIVE, CANCELLED)
+            location_contains: Filter events where location contains this text
+
+            # For update operations:
+            new_title: New title for matching events
+            new_description: New description for matching events
+            new_location: New location for matching events
+            new_categories: New categories for matching events (comma-separated)
+            new_priority: New priority for matching events (1-9, 5=normal)
+            new_reminder_minutes: New reminder time in minutes before event
+
+            # For move operations:
+            target_calendar: Calendar to move events to (requires operation="move")
+
+        Returns:
+            Summary of operation results including counts and details
+        """
+        client = get_client(ctx)
+
+        if operation not in ["update", "delete", "move"]:
+            raise ValueError("Operation must be 'update', 'delete', or 'move'")
+
+        # Convert date strings to datetime objects
+        start_datetime = None
+        end_datetime = None
+
+        if start_date:
+            try:
+                start_datetime = dt.datetime.strptime(start_date, "%Y-%m-%d")
+            except ValueError:
+                logger.warning(f"Invalid start_date format: {start_date}")
+
+        if end_date:
+            try:
+                end_datetime = dt.datetime.strptime(end_date, "%Y-%m-%d").replace(
+                    hour=23, minute=59, second=59
+                )
+            except ValueError:
+                logger.warning(f"Invalid end_date format: {end_date}")
+
+        # Build filter criteria
+        filter_criteria = {}
+        if title_contains is not None:
+            filter_criteria["title_contains"] = title_contains
+        if categories is not None:
+            filter_criteria["categories"] = [
+                cat.strip() for cat in categories.split(",")
+            ]
+        if status is not None:
+            filter_criteria["status"] = status
+        if location_contains is not None:
+            filter_criteria["location_contains"] = location_contains
+        # Add datetime strings for client compatibility
+        if start_date:
+            filter_criteria["start_date"] = start_date
+        if end_date:
+            filter_criteria["end_date"] = end_date
+
+        if operation == "delete":
+            # Find matching events and delete them
+            if calendar_name:
+                events = await client.calendar.get_calendar_events(
+                    calendar_name=calendar_name,
+                    start_datetime=start_datetime,
+                    end_datetime=end_datetime,
+                )
+                if filter_criteria:
+                    events = client.calendar._apply_event_filters(
+                        events, filter_criteria
+                    )
+            else:
+                events = await client.calendar.search_events_across_calendars(
+                    start_datetime=start_datetime,
+                    end_datetime=end_datetime,
+                    filters=filter_criteria,
+                )
+
+            deleted_count = 0
+            failed_count = 0
+            results = []
+
+            for event in events:
+                try:
+                    await client.calendar.delete_event(
+                        event.get("calendar_name", calendar_name), event["uid"]
+                    )
+                    deleted_count += 1
+                    results.append(
+                        {
+                            "uid": event["uid"],
+                            "status": "deleted",
+                            "title": event.get("title", ""),
+                        }
+                    )
+                except Exception as e:
+                    failed_count += 1
+                    results.append(
+                        {
+                            "uid": event["uid"],
+                            "status": "failed",
+                            "error": str(e),
+                            "title": event.get("title", ""),
+                        }
+                    )
+
+            return {
+                "operation": "delete",
+                "total_found": len(events),
+                "deleted_count": deleted_count,
+                "failed_count": failed_count,
+                "results": results,
+            }
+
+        elif operation == "update":
+            # Build update data
+            update_data = {}
+            if new_title is not None:
+                update_data["title"] = new_title
+            if new_description is not None:
+                update_data["description"] = new_description
+            if new_location is not None:
+                update_data["location"] = new_location
+            if new_categories is not None:
+                update_data["categories"] = new_categories
+            if new_priority is not None:
+                update_data["priority"] = new_priority
+            if new_reminder_minutes is not None:
+                update_data["reminder_minutes"] = new_reminder_minutes
+
+            if not update_data:
+                raise ValueError("No update data provided for update operation")
+
+            return await client.calendar.bulk_update_events(
+                filter_criteria, update_data
+            )
+
+        elif operation == "move":
+            if not target_calendar:
+                raise ValueError("target_calendar is required for move operation")
+
+            # Find matching events
+            if calendar_name:
+                events = await client.calendar.get_calendar_events(
+                    calendar_name=calendar_name,
+                    start_datetime=start_datetime,
+                    end_datetime=end_datetime,
+                )
+                if filter_criteria:
+                    events = client.calendar._apply_event_filters(
+                        events, filter_criteria
+                    )
+            else:
+                events = await client.calendar.search_events_across_calendars(
+                    start_datetime=start_datetime,
+                    end_datetime=end_datetime,
+                    filters=filter_criteria,
+                )
+
+            moved_count = 0
+            failed_count = 0
+            results = []
+
+            for event in events:
+                try:
+                    # Create event in target calendar
+                    event_data = {
+                        k: v
+                        for k, v in event.items()
+                        if k
+                        not in [
+                            "uid",
+                            "href",
+                            "etag",
+                            "calendar_name",
+                            "calendar_display_name",
+                        ]
+                    }
+
+                    await client.calendar.create_event(target_calendar, event_data)
+
+                    # Delete from source calendar
+                    await client.calendar.delete_event(
+                        event.get("calendar_name", calendar_name), event["uid"]
+                    )
+
+                    moved_count += 1
+                    results.append(
+                        {
+                            "uid": event["uid"],
+                            "status": "moved",
+                            "title": event.get("title", ""),
+                            "from_calendar": event.get("calendar_name", calendar_name),
+                            "to_calendar": target_calendar,
+                        }
+                    )
+                except Exception as e:
+                    failed_count += 1
+                    results.append(
+                        {
+                            "uid": event["uid"],
+                            "status": "failed",
+                            "error": str(e),
+                            "title": event.get("title", ""),
+                        }
+                    )
+
+            return {
+                "operation": "move",
+                "total_found": len(events),
+                "moved_count": moved_count,
+                "failed_count": failed_count,
+                "target_calendar": target_calendar,
+                "results": results,
+            }
+
+    @mcp.tool()
+    async def nc_calendar_manage_calendar(
+        action: str,  # "create", "delete", "update", "list"
+        ctx: Context,
+        calendar_name: str = "",
+        display_name: str = "",
+        description: str = "",
+        color: str = "#1976D2",  # Default blue color
+    ):
+        """Manage calendar creation, deletion, and properties.
+
+        This tool provides comprehensive calendar management functionality including
+        creating new calendars, deleting existing ones, and updating calendar properties.
+
+        Args:
+            action: Action to perform - "create", "delete", "update", or "list"
+            calendar_name: Internal name for the calendar (required for create/delete/update)
+            display_name: Human-readable name for the calendar (used for create/update)
+            description: Description for the calendar (used for create/update)
+            color: Hex color code for the calendar (e.g., "#1976D2" for blue)
+
+        Returns:
+            Result of the calendar management operation
+        """
+        client = get_client(ctx)
+
+        if action == "list":
+            return await client.calendar.list_calendars()
+
+        elif action == "create":
+            if not calendar_name:
+                raise ValueError("calendar_name is required for create action")
+
+            return await client.calendar.create_calendar(
+                calendar_name=calendar_name,
+                display_name=display_name or calendar_name,
+                description=description,
+                color=color,
+            )
+
+        elif action == "delete":
+            if not calendar_name:
+                raise ValueError("calendar_name is required for delete action")
+
+            return await client.calendar.delete_calendar(calendar_name)
+
+        elif action == "update":
+            if not calendar_name:
+                raise ValueError("calendar_name is required for update action")
+
+            # Note: Calendar property updates require additional CalDAV PROPPATCH implementation
+            # For now, return an informative message
+            return {
+                "status": "not_implemented",
+                "message": "Calendar property updates require PROPPATCH implementation",
+                "calendar_name": calendar_name,
+                "requested_changes": {
+                    "display_name": display_name,
+                    "description": description,
+                    "color": color,
+                },
+            }
+
+        else:
+            raise ValueError("Action must be 'create', 'delete', 'update', or 'list'")
@@ -0,0 +1,82 @@
+import logging
+
+from mcp.server.fastmcp import Context, FastMCP
+
+from nextcloud_mcp_server.context import get_client
+
+logger = logging.getLogger(__name__)
+
+
+def configure_contacts_tools(mcp: FastMCP):
+    # Contacts tools
+    @mcp.tool()
+    async def nc_contacts_list_addressbooks(ctx: Context):
+        """List all addressbooks for the user."""
+        client = get_client(ctx)
+        return await client.contacts.list_addressbooks()
+
+    @mcp.tool()
+    async def nc_contacts_list_contacts(ctx: Context, *, addressbook: str):
+        """List all contacts in the specified addressbook."""
+        client = get_client(ctx)
+        return await client.contacts.list_contacts(addressbook=addressbook)
+
+    @mcp.tool()
+    async def nc_contacts_create_addressbook(
+        ctx: Context, *, name: str, display_name: str
+    ):
+        """Create a new addressbook.
+
+        Args:
+            name: The name of the addressbook.
+            display_name: The display name of the addressbook.
+        """
+        client = get_client(ctx)
+        return await client.contacts.create_addressbook(
+            name=name, display_name=display_name
+        )
+
+    @mcp.tool()
+    async def nc_contacts_delete_addressbook(ctx: Context, *, name: str):
+        """Delete an addressbook."""
+        client = get_client(ctx)
+        return await client.contacts.delete_addressbook(name=name)
+
+    @mcp.tool()
+    async def nc_contacts_create_contact(
+        ctx: Context, *, addressbook: str, uid: str, contact_data: dict
+    ):
+        """Create a new contact.
+
+        Args:
+            addressbook: The name of the addressbook to create the contact in.
+            uid: The unique ID for the contact.
+            contact_data: A dictionary with the contact's details, e.g. {"fn": "John Doe", "email": "john.doe@example.com"}.
+        """
+        client = get_client(ctx)
+        return await client.contacts.create_contact(
+            addressbook=addressbook, uid=uid, contact_data=contact_data
+        )
+
+    @mcp.tool()
+    async def nc_contacts_delete_contact(ctx: Context, *, addressbook: str, uid: str):
+        """Delete a contact."""
+        client = get_client(ctx)
+        return await client.contacts.delete_contact(addressbook=addressbook, uid=uid)
+
+    @mcp.tool()
+    async def nc_contacts_update_contact(
+        ctx: Context, *, addressbook: str, uid: str, contact_data: dict, etag: str = ""
+    ):
+        """Update an existing contact while preserving all existing properties.
+
+        Args:
+            addressbook: The name of the addressbook containing the contact.
+            uid: The unique ID of the contact to update.
+            contact_data: A dictionary with the contact's updated details, e.g. {"fn": "Jane Doe", "email": "jane.doe@example.com"}.
+            etag: Optional ETag for optimistic concurrency control.
+        """
+        client = get_client(ctx)
+        return await client.contacts.update_contact(
+            addressbook=addressbook, uid=uid, contact_data=contact_data, etag=etag
+        )
@@ -0,0 +1,584 @@
+import logging
+from typing import Optional
+
+from mcp.server.fastmcp import Context, FastMCP
+
+from nextcloud_mcp_server.context import get_client
+from nextcloud_mcp_server.models.deck import (
+    CardOperationResponse,
+    CreateBoardResponse,
+    CreateCardResponse,
+    CreateLabelResponse,
+    CreateStackResponse,
+    DeckBoard,
+    DeckCard,
+    DeckLabel,
+    DeckStack,
+    LabelOperationResponse,
+    StackOperationResponse,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def configure_deck_tools(mcp: FastMCP):
+    """Configure Nextcloud Deck tools and resources for the MCP server."""
+
+    # Resources
+    @mcp.resource("nc://Deck/boards")
+    async def deck_boards_resource():
+        """List all Nextcloud Deck boards"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning("This message is deprecated, use the deck_get_board instead")
+        client = get_client(ctx)
+        boards = await client.deck.get_boards()
+        return [board.model_dump() for board in boards]
+
+    @mcp.resource("nc://Deck/boards/{board_id}")
+    async def deck_board_resource(board_id: int):
+        """Get details of a specific Nextcloud Deck board"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_board tool instead"
+        )
+        client = get_client(ctx)
+        board = await client.deck.get_board(board_id)
+        return board.model_dump()
+
+    @mcp.resource("nc://Deck/boards/{board_id}/stacks")
+    async def deck_stacks_resource(board_id: int):
+        """List all stacks in a Nextcloud Deck board"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_stacks tool instead"
+        )
+        client = get_client(ctx)
+        stacks = await client.deck.get_stacks(board_id)
+        return [stack.model_dump() for stack in stacks]
+
+    @mcp.resource("nc://Deck/boards/{board_id}/stacks/{stack_id}")
+    async def deck_stack_resource(board_id: int, stack_id: int):
+        """Get details of a specific Nextcloud Deck stack"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_stack tool instead"
+        )
+        client = get_client(ctx)
+        stack = await client.deck.get_stack(board_id, stack_id)
+        return stack.model_dump()
+
+    @mcp.resource("nc://Deck/boards/{board_id}/stacks/{stack_id}/cards")
+    async def deck_cards_resource(board_id: int, stack_id: int):
+        """List all cards in a Nextcloud Deck stack"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_cards tool instead"
+        )
+        client = get_client(ctx)
+        stack = await client.deck.get_stack(board_id, stack_id)
+        if stack.cards:
+            return [card.model_dump() for card in stack.cards]
+        return []
+
+    @mcp.resource("nc://Deck/boards/{board_id}/stacks/{stack_id}/cards/{card_id}")
+    async def deck_card_resource(board_id: int, stack_id: int, card_id: int):
+        """Get details of a specific Nextcloud Deck card"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_card tool instead"
+        )
+        client = get_client(ctx)
+        card = await client.deck.get_card(board_id, stack_id, card_id)
+        return card.model_dump()
+
+    @mcp.resource("nc://Deck/boards/{board_id}/labels")
+    async def deck_labels_resource(board_id: int):
+        """List all labels in a Nextcloud Deck board"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_labels tool instead"
+        )
+        client = get_client(ctx)
+        board = await client.deck.get_board(board_id)
+        return [label.model_dump() for label in board.labels]
+
+    @mcp.resource("nc://Deck/boards/{board_id}/labels/{label_id}")
+    async def deck_label_resource(board_id: int, label_id: int):
+        """Get details of a specific Nextcloud Deck label"""
+        ctx: Context = mcp.get_context()
+        await ctx.warning(
+            "This resource is deprecated, use the deck_get_label tool instead"
+        )
+        client = get_client(ctx)
+        label = await client.deck.get_label(board_id, label_id)
+        return label.model_dump()
+
+    # Read Tools (converted from resources)
+
+    @mcp.tool()
+    async def deck_get_boards(ctx: Context) -> list[DeckBoard]:
+        """Get all Nextcloud Deck boards"""
+        client = get_client(ctx)
+        boards = await client.deck.get_boards()
+        return boards
+
+    @mcp.tool()
+    async def deck_get_board(ctx: Context, board_id: int) -> DeckBoard:
+        """Get details of a specific Nextcloud Deck board"""
+        client = get_client(ctx)
+        board = await client.deck.get_board(board_id)
+        return board
+
+    @mcp.tool()
+    async def deck_get_stacks(ctx: Context, board_id: int) -> list[DeckStack]:
+        """Get all stacks in a Nextcloud Deck board"""
+        client = get_client(ctx)
+        stacks = await client.deck.get_stacks(board_id)
+        return stacks
+
+    @mcp.tool()
+    async def deck_get_stack(ctx: Context, board_id: int, stack_id: int) -> DeckStack:
+        """Get details of a specific Nextcloud Deck stack"""
+        client = get_client(ctx)
+        stack = await client.deck.get_stack(board_id, stack_id)
+        return stack
+
+    @mcp.tool()
+    async def deck_get_cards(
+        ctx: Context, board_id: int, stack_id: int
+    ) -> list[DeckCard]:
+        """Get all cards in a Nextcloud Deck stack"""
+        client = get_client(ctx)
+        stack = await client.deck.get_stack(board_id, stack_id)
+        if stack.cards:
+            return stack.cards
+        return []
+
+    @mcp.tool()
+    async def deck_get_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int
+    ) -> DeckCard:
+        """Get details of a specific Nextcloud Deck card"""
+        client = get_client(ctx)
+        card = await client.deck.get_card(board_id, stack_id, card_id)
+        return card
+
+    @mcp.tool()
+    async def deck_get_labels(ctx: Context, board_id: int) -> list[DeckLabel]:
+        """Get all labels in a Nextcloud Deck board"""
+        client = get_client(ctx)
+        board = await client.deck.get_board(board_id)
+        return board.labels
+
+    @mcp.tool()
+    async def deck_get_label(ctx: Context, board_id: int, label_id: int) -> DeckLabel:
+        """Get details of a specific Nextcloud Deck label"""
+        client = get_client(ctx)
+        label = await client.deck.get_label(board_id, label_id)
+        return label
+
+    # Create/Update/Delete Tools
+
+    @mcp.tool()
+    async def deck_create_board(
+        ctx: Context, title: str, color: str
+    ) -> CreateBoardResponse:
+        """Create a new Nextcloud Deck board
+
+        Args:
+            title: The title of the new board
+            color: The hexadecimal color of the new board (e.g. FF0000)
+        """
+        client = get_client(ctx)
+        board = await client.deck.create_board(title, color)
+        return CreateBoardResponse(id=board.id, title=board.title, color=board.color)
+
+    # Stack Tools
+
+    @mcp.tool()
+    async def deck_create_stack(
+        ctx: Context, board_id: int, title: str, order: int
+    ) -> CreateStackResponse:
+        """Create a new stack in a Nextcloud Deck board
+
+        Args:
+            board_id: The ID of the board
+            title: The title of the new stack
+            order: Order for sorting the stacks
+        """
+        client = get_client(ctx)
+        stack = await client.deck.create_stack(board_id, title, order)
+        return CreateStackResponse(id=stack.id, title=stack.title, order=stack.order)
+
+    @mcp.tool()
+    async def deck_update_stack(
+        ctx: Context,
+        board_id: int,
+        stack_id: int,
+        title: Optional[str] = None,
+        order: Optional[int] = None,
+    ) -> StackOperationResponse:
+        """Update a Nextcloud Deck stack
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            title: New title for the stack
+            order: New order for the stack
+        """
+        client = get_client(ctx)
+        await client.deck.update_stack(board_id, stack_id, title, order)
+        return StackOperationResponse(
+            success=True,
+            message="Stack updated successfully",
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_delete_stack(
+        ctx: Context, board_id: int, stack_id: int
+    ) -> StackOperationResponse:
+        """Delete a Nextcloud Deck stack
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+        """
+        client = get_client(ctx)
+        await client.deck.delete_stack(board_id, stack_id)
+        return StackOperationResponse(
+            success=True,
+            message="Stack deleted successfully",
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    # Card Tools
+    @mcp.tool()
+    async def deck_create_card(
+        ctx: Context,
+        board_id: int,
+        stack_id: int,
+        title: str,
+        type: str = "plain",
+        order: int = 999,
+        description: Optional[str] = None,
+        duedate: Optional[str] = None,
+    ) -> CreateCardResponse:
+        """Create a new card in a Nextcloud Deck stack
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            title: The title of the new card
+            type: Type of the card (default: plain)
+            order: Order for sorting the cards
+            description: Description of the card
+            duedate: Due date of the card (ISO-8601 format)
+        """
+        client = get_client(ctx)
+        card = await client.deck.create_card(
+            board_id, stack_id, title, type, order, description, duedate
+        )
+        return CreateCardResponse(
+            id=card.id,
+            title=card.title,
+            description=card.description,
+            stackId=card.stackId,
+        )
+
+    @mcp.tool()
+    async def deck_update_card(
+        ctx: Context,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        title: Optional[str] = None,
+        description: Optional[str] = None,
+        type: Optional[str] = None,
+        owner: Optional[str] = None,
+        order: Optional[int] = None,
+        duedate: Optional[str] = None,
+        archived: Optional[bool] = None,
+        done: Optional[str] = None,
+    ) -> CardOperationResponse:
+        """Update a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+            title: New title for the card
+            description: New description for the card
+            type: New type for the card
+            owner: New owner for the card
+            order: New order for the card
+            duedate: New due date for the card (ISO-8601 format)
+            archived: Whether the card should be archived
+            done: Completion date for the card (ISO-8601 format)
+        """
+        client = get_client(ctx)
+        await client.deck.update_card(
+            board_id,
+            stack_id,
+            card_id,
+            title,
+            description,
+            type,
+            owner,
+            order,
+            duedate,
+            archived,
+            done,
+        )
+        return CardOperationResponse(
+            success=True,
+            message="Card updated successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_delete_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int
+    ) -> CardOperationResponse:
+        """Delete a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+        """
+        client = get_client(ctx)
+        await client.deck.delete_card(board_id, stack_id, card_id)
+        return CardOperationResponse(
+            success=True,
+            message="Card deleted successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_archive_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int
+    ) -> CardOperationResponse:
+        """Archive a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+        """
+        client = get_client(ctx)
+        await client.deck.archive_card(board_id, stack_id, card_id)
+        return CardOperationResponse(
+            success=True,
+            message="Card archived successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_unarchive_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int
+    ) -> CardOperationResponse:
+        """Unarchive a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+        """
+        client = get_client(ctx)
+        await client.deck.unarchive_card(board_id, stack_id, card_id)
+        return CardOperationResponse(
+            success=True,
+            message="Card unarchived successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_reorder_card(
+        ctx: Context,
+        board_id: int,
+        stack_id: int,
+        card_id: int,
+        order: int,
+        target_stack_id: int,
+    ) -> CardOperationResponse:
+        """Reorder/move a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the current stack
+            card_id: The ID of the card
+            order: New position in the target stack
+            target_stack_id: The ID of the target stack
+        """
+        client = get_client(ctx)
+        await client.deck.reorder_card(
+            board_id, stack_id, card_id, order, target_stack_id
+        )
+        return CardOperationResponse(
+            success=True,
+            message="Card reordered successfully",
+            card_id=card_id,
+            stack_id=target_stack_id,
+            board_id=board_id,
+        )
+
+    # Label Tools
+    @mcp.tool()
+    async def deck_create_label(
+        ctx: Context, board_id: int, title: str, color: str
+    ) -> CreateLabelResponse:
+        """Create a new label in a Nextcloud Deck board
+
+        Args:
+            board_id: The ID of the board
+            title: The title of the new label
+            color: The color of the new label (hex format without #)
+        """
+        client = get_client(ctx)
+        label = await client.deck.create_label(board_id, title, color)
+        return CreateLabelResponse(id=label.id, title=label.title, color=label.color)
+
+    @mcp.tool()
+    async def deck_update_label(
+        ctx: Context,
+        board_id: int,
+        label_id: int,
+        title: Optional[str] = None,
+        color: Optional[str] = None,
+    ) -> LabelOperationResponse:
+        """Update a Nextcloud Deck label
+
+        Args:
+            board_id: The ID of the board
+            label_id: The ID of the label
+            title: New title for the label
+            color: New color for the label (hex format without #)
+        """
+        client = get_client(ctx)
+        await client.deck.update_label(board_id, label_id, title, color)
+        return LabelOperationResponse(
+            success=True,
+            message="Label updated successfully",
+            label_id=label_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_delete_label(
+        ctx: Context, board_id: int, label_id: int
+    ) -> LabelOperationResponse:
+        """Delete a Nextcloud Deck label
+
+        Args:
+            board_id: The ID of the board
+            label_id: The ID of the label
+        """
+        client = get_client(ctx)
+        await client.deck.delete_label(board_id, label_id)
+        return LabelOperationResponse(
+            success=True,
+            message="Label deleted successfully",
+            label_id=label_id,
+            board_id=board_id,
+        )
+
+    # Card-Label Assignment Tools
+    @mcp.tool()
+    async def deck_assign_label_to_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int, label_id: int
+    ) -> CardOperationResponse:
+        """Assign a label to a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+            label_id: The ID of the label to assign
+        """
+        client = get_client(ctx)
+        await client.deck.assign_label_to_card(board_id, stack_id, card_id, label_id)
+        return CardOperationResponse(
+            success=True,
+            message="Label assigned to card successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_remove_label_from_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int, label_id: int
+    ) -> CardOperationResponse:
+        """Remove a label from a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+            label_id: The ID of the label to remove
+        """
+        client = get_client(ctx)
+        await client.deck.remove_label_from_card(board_id, stack_id, card_id, label_id)
+        return CardOperationResponse(
+            success=True,
+            message="Label removed from card successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    # Card-User Assignment Tools
+    @mcp.tool()
+    async def deck_assign_user_to_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int, user_id: str
+    ) -> CardOperationResponse:
+        """Assign a user to a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+            user_id: The user ID to assign
+        """
+        client = get_client(ctx)
+        await client.deck.assign_user_to_card(board_id, stack_id, card_id, user_id)
+        return CardOperationResponse(
+            success=True,
+            message="User assigned to card successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
+
+    @mcp.tool()
+    async def deck_unassign_user_from_card(
+        ctx: Context, board_id: int, stack_id: int, card_id: int, user_id: str
+    ) -> CardOperationResponse:
+        """Unassign a user from a Nextcloud Deck card
+
+        Args:
+            board_id: The ID of the board
+            stack_id: The ID of the stack
+            card_id: The ID of the card
+            user_id: The user ID to unassign
+        """
+        client = get_client(ctx)
+        await client.deck.unassign_user_from_card(board_id, stack_id, card_id, user_id)
+        return CardOperationResponse(
+            success=True,
+            message="User unassigned from card successfully",
+            card_id=card_id,
+            stack_id=stack_id,
+            board_id=board_id,
+        )
@@ -0,0 +1,349 @@
+import logging
+
+from httpx import HTTPStatusError
+from mcp.server.fastmcp import Context, FastMCP
+from mcp.shared.exceptions import McpError
+from mcp.types import ErrorData
+
+from nextcloud_mcp_server.context import get_client
+from nextcloud_mcp_server.models.notes import (
+    AppendContentResponse,
+    CreateNoteResponse,
+    DeleteNoteResponse,
+    Note,
+    NoteSearchResult,
+    NotesSettings,
+    SearchNotesResponse,
+    UpdateNoteResponse,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def configure_notes_tools(mcp: FastMCP):
+    @mcp.resource("notes://settings")
+    async def notes_get_settings():
+        """Get the Notes App settings"""
+        ctx: Context = (
+            mcp.get_context()
+        )  # https://github.com/modelcontextprotocol/python-sdk/issues/244
+        client = get_client(ctx)
+        settings_data = await client.notes.get_settings()
+        return NotesSettings(**settings_data)
+
+    @mcp.resource("nc://Notes/{note_id}/attachments/{attachment_filename}")
+    async def nc_notes_get_attachment_resource(note_id: int, attachment_filename: str):
+        """Get a specific attachment from a note"""
+        ctx: Context = mcp.get_context()
+        client = get_client(ctx)
+        # Assuming a method get_note_attachment exists in the client
+        # This method should return the raw content and determine the mime type
+        content, mime_type = await client.webdav.get_note_attachment(
+            note_id=note_id, filename=attachment_filename
+        )
+        return {
+            "contents": [
+                {
+                    # Use uppercase 'Notes' to match the decorator
+                    "uri": f"nc://Notes/{note_id}/attachments/{attachment_filename}",
+                    "mimeType": mime_type,  # Client needs to determine this
+                    "data": content,  # Return raw bytes/data
+                }
+            ]
+        }
+
+    @mcp.resource("nc://Notes/{note_id}")
+    async def nc_get_note_resource(note_id: int):
+        """Get user note using note id"""
+
+        ctx: Context = mcp.get_context()
+        client = get_client(ctx)
+        try:
+            note_data = await client.notes.get_note(note_id)
+            return Note(**note_data)
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(ErrorData(code=-1, message=f"Note {note_id} not found"))
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(code=-1, message=f"Access denied to note {note_id}")
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to retrieve note {note_id}: {e.response.reason_phrase}",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_create_note(
+        title: str, content: str, category: str, ctx: Context
+    ) -> CreateNoteResponse:
+        """Create a new note"""
+        client = get_client(ctx)
+        try:
+            note_data = await client.notes.create_note(
+                title=title,
+                content=content,
+                category=category,
+            )
+            note = Note(**note_data)
+            return CreateNoteResponse(
+                id=note.id, title=note.title, category=note.category, etag=note.etag
+            )
+        except HTTPStatusError as e:
+            if e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message="Access denied: insufficient permissions to create notes",
+                    )
+                )
+            elif e.response.status_code == 413:
+                raise McpError(ErrorData(code=-1, message="Note content too large"))
+            elif e.response.status_code == 409:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"A note with title '{title}' already exists in this category",
+                    )
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to create note: server error ({e.response.status_code})",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_update_note(
+        note_id: int,
+        etag: str,
+        title: str | None,
+        content: str | None,
+        category: str | None,
+        ctx: Context,
+    ) -> UpdateNoteResponse:
+        """Update an existing note's title, content, or category.
+
+        REQUIRED: etag parameter must be provided to prevent overwriting concurrent changes.
+        Get the current ETag by first retrieving the note using nc_notes_get_note tool.
+        If the note has been modified by someone else since you retrieved it,
+        the update will fail with a 412 error."""
+        logger.info("Updating note %s", note_id)
+        client = get_client(ctx)
+        try:
+            note_data = await client.notes.update(
+                note_id=note_id,
+                etag=etag,
+                title=title,
+                content=content,
+                category=category,
+            )
+            note = Note(**note_data)
+            return UpdateNoteResponse(
+                id=note.id, title=note.title, category=note.category, etag=note.etag
+            )
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(ErrorData(code=-1, message=f"Note {note_id} not found"))
+            elif e.response.status_code == 412:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Note {note_id} has been modified by someone else. Please refresh and try again.",
+                    )
+                )
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Access denied: insufficient permissions to update note {note_id}",
+                    )
+                )
+            elif e.response.status_code == 413:
+                raise McpError(
+                    ErrorData(code=-1, message="Updated note content is too large")
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to update note {note_id}: server error ({e.response.status_code})",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_append_content(
+        note_id: int, content: str, ctx: Context
+    ) -> AppendContentResponse:
+        """Append content to an existing note. The tool adds a `\n---\n`
+        between the note and what will be appended."""
+
+        logger.info("Appending content to note %s", note_id)
+        client = get_client(ctx)
+        try:
+            note_data = await client.notes.append_content(
+                note_id=note_id, content=content
+            )
+            note = Note(**note_data)
+            return AppendContentResponse(
+                id=note.id, title=note.title, category=note.category, etag=note.etag
+            )
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(ErrorData(code=-1, message=f"Note {note_id} not found"))
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Access denied: insufficient permissions to modify note {note_id}",
+                    )
+                )
+            elif e.response.status_code == 413:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message="Content to append would make the note too large",
+                    )
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to append content to note {note_id}: server error ({e.response.status_code})",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_search_notes(query: str, ctx: Context) -> SearchNotesResponse:
+        """Search notes by title or content, returning only id, title, and category."""
+        client = get_client(ctx)
+        try:
+            search_results_raw = await client.notes_search_notes(query=query)
+
+            # Convert to NoteSearchResult models, including the _score field
+            results = [
+                NoteSearchResult(
+                    id=result["id"],
+                    title=result["title"],
+                    category=result["category"],
+                    score=result.get("_score"),  # Include search score if available
+                )
+                for result in search_results_raw
+            ]
+
+            return SearchNotesResponse(
+                results=results, query=query, total_found=len(results)
+            )
+        except HTTPStatusError as e:
+            if e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message="Access denied: insufficient permissions to search notes",
+                    )
+                )
+            elif e.response.status_code == 400:
+                raise McpError(
+                    ErrorData(code=-1, message="Invalid search query format")
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Search failed: server error ({e.response.status_code})",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_get_note(note_id: int, ctx: Context) -> Note:
+        """Get a specific note by its ID"""
+        client = get_client(ctx)
+        try:
+            note_data = await client.notes.get_note(note_id)
+            return Note(**note_data)
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(ErrorData(code=-1, message=f"Note {note_id} not found"))
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(code=-1, message=f"Access denied to note {note_id}")
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to retrieve note {note_id}: {e.response.reason_phrase}",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_get_attachment(
+        note_id: int, attachment_filename: str, ctx: Context
+    ) -> dict[str, str]:
+        """Get a specific attachment from a note"""
+        client = get_client(ctx)
+        try:
+            content, mime_type = await client.webdav.get_note_attachment(
+                note_id=note_id, filename=attachment_filename
+            )
+            return {
+                "uri": f"nc://Notes/{note_id}/attachments/{attachment_filename}",
+                "mimeType": mime_type,
+                "data": content,
+            }
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Attachment {attachment_filename} not found for note {note_id}",
+                    )
+                )
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Access denied to attachment {attachment_filename} for note {note_id}",
+                    )
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to retrieve attachment: {e.response.reason_phrase}",
+                    )
+                )
+
+    @mcp.tool()
+    async def nc_notes_delete_note(note_id: int, ctx: Context) -> DeleteNoteResponse:
+        """Delete a note permanently"""
+        logger.info("Deleting note %s", note_id)
+        client = get_client(ctx)
+        try:
+            await client.notes.delete_note(note_id)
+            return DeleteNoteResponse(
+                status_code=200,
+                message=f"Note {note_id} deleted successfully",
+                deleted_id=note_id,
+            )
+        except HTTPStatusError as e:
+            if e.response.status_code == 404:
+                raise McpError(ErrorData(code=-1, message=f"Note {note_id} not found"))
+            elif e.response.status_code == 403:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Access denied: insufficient permissions to delete note {note_id}",
+                    )
+                )
+            else:
+                raise McpError(
+                    ErrorData(
+                        code=-1,
+                        message=f"Failed to delete note {note_id}: server error ({e.response.status_code})",
+                    )
+                )
@@ -0,0 +1,133 @@
+"""MCP tools for Nextcloud file/folder sharing operations."""
+
+import json
+
+from nextcloud_mcp_server.context import get_client
+from mcp.server.fastmcp import Context, FastMCP
+
+
+def configure_sharing_tools(mcp: FastMCP):
+    """Configure sharing-related MCP tools.
+
+    Args:
+        mcp: FastMCP server instance
+    """
+
+    @mcp.tool()
+    async def nc_share_create(
+        path: str,
+        share_with: str,
+        ctx: Context,
+        share_type: int = 0,
+        permissions: int = 1,
+    ) -> str:
+        """Create a share for a file or folder in Nextcloud.
+
+        Share a file or folder with another user or group. The authenticated user
+        must own the file/folder being shared.
+
+        Args:
+            path: Path to file/folder to share (relative to your files, e.g., "/document.txt")
+            share_with: Username (for user share) or group name (for group share)
+            share_type: Share type - 0 for user (default), 1 for group, 3 for public link
+            permissions: Share permissions (default: 1 for read-only):
+                - 1 = read
+                - 2 = update
+                - 4 = create
+                - 8 = delete
+                - 16 = share
+                - 31 = all permissions
+                Common: 1 (read-only), 3 (read+update), 15 (read+update+create+delete)
+
+        Returns:
+            JSON string with share information including share ID
+        """
+        client = get_client(ctx)
+        share_data = await client.sharing.create_share(
+            path=path,
+            share_with=share_with,
+            share_type=share_type,
+            permissions=permissions,
+        )
+        return json.dumps(share_data, indent=2)
+
+    @mcp.tool()
+    async def nc_share_delete(share_id: int, ctx: Context) -> str:
+        """Delete a share by its ID.
+
+        Remove a share that you created. You must be the owner of the share.
+
+        Args:
+            share_id: The ID of the share to delete
+
+        Returns:
+            JSON string confirming deletion
+        """
+        client = get_client(ctx)
+        await client.sharing.delete_share(share_id)
+        return json.dumps(
+            {"success": True, "message": f"Share {share_id} deleted"}, indent=2
+        )
+
+    @mcp.tool()
+    async def nc_share_get(share_id: int, ctx: Context) -> str:
+        """Get information about a specific share.
+
+        Retrieve details about a share by its ID. You must have access to the share
+        (either as owner or recipient).
+
+        Args:
+            share_id: The ID of the share
+
+        Returns:
+            JSON string with share information
+        """
+        client = get_client(ctx)
+        share_data = await client.sharing.get_share(share_id)
+        return json.dumps(share_data, indent=2)
+
+    @mcp.tool()
+    async def nc_share_list(
+        ctx: Context, path: str | None = None, shared_with_me: bool = False
+    ) -> str:
+        """List shares created by you or shared with you.
+
+        Args:
+            path: Optional path to filter shares for a specific file/folder
+            shared_with_me: If True, list shares that others shared with you.
+                          If False (default), list shares you created.
+
+        Returns:
+            JSON string with list of shares
+        """
+        client = get_client(ctx)
+        shares = await client.sharing.list_shares(
+            path=path, shared_with_me=shared_with_me
+        )
+        return json.dumps(shares, indent=2)
+
+    @mcp.tool()
+    async def nc_share_update(share_id: int, permissions: int, ctx: Context) -> str:
+        """Update the permissions of an existing share.
+
+        Modify the permissions for a share you created. You must be the owner.
+
+        Args:
+            share_id: The ID of the share to update
+            permissions: New permissions value:
+                - 1 = read
+                - 2 = update
+                - 4 = create
+                - 8 = delete
+                - 16 = share
+                - 31 = all permissions
+                Common: 1 (read-only), 3 (read+update), 15 (read+update+create+delete)
+
+        Returns:
+            JSON string with updated share information
+        """
+        client = get_client(ctx)
+        share_data = await client.sharing.update_share(
+            share_id=share_id, permissions=permissions
+        )
+        return json.dumps(share_data, indent=2)
@@ -0,0 +1,57 @@
+import logging
+
+from mcp.server.fastmcp import Context, FastMCP
+
+from nextcloud_mcp_server.context import get_client
+
+logger = logging.getLogger(__name__)
+
+
+def configure_tables_tools(mcp: FastMCP):
+    # Tables tools
+    @mcp.tool()
+    async def nc_tables_list_tables(ctx: Context):
+        """List all tables available to the user"""
+        client = get_client(ctx)
+        return await client.tables.list_tables()
+
+    @mcp.tool()
+    async def nc_tables_get_schema(table_id: int, ctx: Context):
+        """Get the schema/structure of a specific table including columns and views"""
+        client = get_client(ctx)
+        return await client.tables.get_table_schema(table_id)
+
+    @mcp.tool()
+    async def nc_tables_read_table(
+        table_id: int,
+        ctx: Context,
+        limit: int | None = None,
+        offset: int | None = None,
+    ):
+        """Read rows from a table with optional pagination"""
+        client = get_client(ctx)
+        return await client.tables.get_table_rows(table_id, limit, offset)
+
+    @mcp.tool()
+    async def nc_tables_insert_row(table_id: int, data: dict, ctx: Context):
+        """Insert a new row into a table.
+
+        Data should be a dictionary mapping column IDs to values, e.g. {1: "text", 2: 42}
+        """
+        client = get_client(ctx)
+        return await client.tables.create_row(table_id, data)
+
+    @mcp.tool()
+    async def nc_tables_update_row(row_id: int, data: dict, ctx: Context):
+        """Update an existing row in a table.
+
+        Data should be a dictionary mapping column IDs to new values, e.g. {1: "new text", 2: 99}
+        """
+        client = get_client(ctx)
+        return await client.tables.update_row(row_id, data)
+
+    @mcp.tool()
+    async def nc_tables_delete_row(row_id: int, ctx: Context):
+        """Delete a row from a table"""
+        client = get_client(ctx)
+        return await client.tables.delete_row(row_id)
@@ -0,0 +1,215 @@
+import logging
+
+from mcp.server.fastmcp import Context, FastMCP
+
+from nextcloud_mcp_server.context import get_client
+
+logger = logging.getLogger(__name__)
+
+
+def configure_webdav_tools(mcp: FastMCP):
+    # WebDAV file system tools
+    @mcp.tool()
+    async def nc_webdav_list_directory(ctx: Context, path: str = ""):
+        """List files and directories in the specified NextCloud path.
+
+        Args:
+            path: Directory path to list (empty string for root directory)
+
+        Returns:
+            List of items with metadata including name, path, is_directory, size, content_type, last_modified
+
+        Examples:
+            # List root directory
+            await nc_webdav_list_directory("")
+
+            # List a specific folder
+            await nc_webdav_list_directory("Documents/Projects")
+        """
+        client = get_client(ctx)
+        return await client.webdav.list_directory(path)
+
+    @mcp.tool()
+    async def nc_webdav_read_file(path: str, ctx: Context):
+        """Read the content of a file from NextCloud.
+
+        Args:
+            path: Full path to the file to read
+
+        Returns:
+            Dict with path, content, content_type, size, and encoding (if binary)
+            Text files are decoded to UTF-8, binary files are base64 encoded
+
+        Examples:
+            # Read a text file
+            result = await nc_webdav_read_file("Documents/readme.txt")
+            logger.info(result['content'])  # Decoded text content
+
+            # Read a binary file
+            result = await nc_webdav_read_file("Images/photo.jpg")
+            logger.info(result['encoding'])  # 'base64'
+        """
+        client = get_client(ctx)
+        content, content_type = await client.webdav.read_file(path)
+
+        # For text files, decode content for easier viewing
+        if content_type and content_type.startswith("text/"):
+            try:
+                decoded_content = content.decode("utf-8")
+                return {
+                    "path": path,
+                    "content": decoded_content,
+                    "content_type": content_type,
+                    "size": len(content),
+                }
+            except UnicodeDecodeError:
+                pass
+
+        # For binary files, return metadata and base64 encoded content
+        import base64
+
+        return {
+            "path": path,
+            "content": base64.b64encode(content).decode("ascii"),
+            "content_type": content_type,
+            "size": len(content),
+            "encoding": "base64",
+        }
+
+    @mcp.tool()
+    async def nc_webdav_write_file(
+        path: str, content: str, ctx: Context, content_type: str | None = None
+    ):
+        """Write content to a file in NextCloud.
+
+        Args:
+            path: Full path where to write the file
+            content: File content (text or base64 for binary)
+            content_type: MIME type (auto-detected if not provided, use 'type;base64' for binary)
+
+        Returns:
+            Dict with status_code indicating success
+
+        Examples:
+            # Write a text file
+            await nc_webdav_write_file("Documents/notes.md", "# My Notes\nContent here...")
+
+            # Write binary data (base64 encoded)
+            await nc_webdav_write_file("files/data.bin", base64_content, "application/octet-stream;base64")
+        """
+        client = get_client(ctx)
+
+        # Handle base64 encoded content
+        if content_type and "base64" in content_type.lower():
+            import base64
+
+            content_bytes = base64.b64decode(content)
+            content_type = content_type.replace(";base64", "")
+        else:
+            content_bytes = content.encode("utf-8")
+
+        return await client.webdav.write_file(path, content_bytes, content_type)
+
+    @mcp.tool()
+    async def nc_webdav_create_directory(path: str, ctx: Context):
+        """Create a directory in NextCloud.
+
+        Args:
+            path: Full path of the directory to create
+
+        Returns:
+            Dict with status_code (201 for created, 405 if already exists)
+
+        Examples:
+            # Create a single directory
+            await nc_webdav_create_directory("NewProject")
+
+            # Create nested directories (parent must exist)
+            await nc_webdav_create_directory("Projects/MyApp/docs")
+        """
+        client = get_client(ctx)
+        return await client.webdav.create_directory(path)
+
+    @mcp.tool()
+    async def nc_webdav_delete_resource(path: str, ctx: Context):
+        """Delete a file or directory in NextCloud.
+
+        Args:
+            path: Full path of the file or directory to delete
+
+        Returns:
+            Dict with status_code indicating result (404 if not found)
+
+        Examples:
+            # Delete a file
+            await nc_webdav_delete_resource("old_document.txt")
+
+            # Delete a directory (will delete all contents)
+            await nc_webdav_delete_resource("temp_folder")
+        """
+        client = get_client(ctx)
+        return await client.webdav.delete_resource(path)
+
+    @mcp.tool()
+    async def nc_webdav_move_resource(
+        source_path: str, destination_path: str, ctx: Context, overwrite: bool = False
+    ):
+        """Move or rename a file or directory in NextCloud.
+
+        Args:
+            source_path: Full path of the file or directory to move
+            destination_path: New path for the file or directory
+            overwrite: Whether to overwrite the destination if it exists (default: False)
+
+        Returns:
+            Dict with status_code indicating result (404 if source not found, 412 if destination exists and overwrite is False)
+
+        Examples:
+            # Rename a file
+            await nc_webdav_move_resource("document.txt", "new_name.txt")
+
+            # Move a file to another directory
+            await nc_webdav_move_resource("document.txt", "Archive/document.txt")
+
+            # Move a directory
+            await nc_webdav_move_resource("Projects/OldProject", "Projects/NewProject")
+
+            # Move and overwrite if destination exists
+            await nc_webdav_move_resource("document.txt", "Archive/document.txt", overwrite=True)
+        """
+        client = get_client(ctx)
+        return await client.webdav.move_resource(
+            source_path, destination_path, overwrite
+        )
+
+    @mcp.tool()
+    async def nc_webdav_copy_resource(
+        source_path: str, destination_path: str, ctx: Context, overwrite: bool = False
+    ):
+        """Copy a file or directory in NextCloud.
+
+        Args:
+            source_path: Full path of the file or directory to copy
+            destination_path: Destination path for the copy
+            overwrite: Whether to overwrite the destination if it exists (default: False)
+
+        Returns:
+            Dict with status_code indicating result (404 if source not found, 412 if destination exists and overwrite is False)
+
+        Examples:
+            # Copy a file
+            await nc_webdav_copy_resource("document.txt", "document_copy.txt")
+
+            # Copy a file to another directory
+            await nc_webdav_copy_resource("document.txt", "Backup/document.txt")
+
+            # Copy a directory
+            await nc_webdav_copy_resource("Projects/ProjectA", "Projects/ProjectA_Backup")
+
+            # Copy and overwrite if destination exists
+            await nc_webdav_copy_resource("document.txt", "Backup/document.txt", overwrite=True)
+        """
+        client = get_client(ctx)
+        return await client.webdav.copy_resource(
+            source_path, destination_path, overwrite
+        )
@@ -1,6 +1,6 @@
 [project]
 name = "nextcloud-mcp-server"
-version = "0.4.0"
+version = "0.13.0"
 description = ""
 authors = [
    {name = "Chris Coutinho",email = "chris@coutinho.io"}
@@ -8,23 +8,28 @@ authors = [
 readme = "README.md"
 requires-python = ">=3.11"
 dependencies = [
-    "mcp[cli] (>=1.9,<1.10)",
+    "mcp[cli] (>=1.17,<1.18)",
    "httpx (>=0.28.1,<0.29.0)",
-    "pillow (>=11.2.1,<12.0.0)"
+    "pillow (>=11.2.1,<12.0.0)",
+    "icalendar (>=6.0.0,<7.0.0)",
+    "pythonvcard4>=0.2.0",
+    "pydantic>=2.11.4",
+    "click>=8.1.8",
 ]

-[project.scripts]
-nc-mcp-server = "nextcloud_mcp_server.server:run"
-
 [tool.pytest.ini_options]
 asyncio_mode = "auto"
 asyncio_default_test_loop_scope = "session"
 asyncio_default_fixture_loop_scope = "session"
 log_cli = 1
-log_cli_level = "WARN"
-log_level = "WARN"
+log_cli_level = "INFO"
+log_level = "INFO"
 markers = [
-    "integration: marks tests as slow (deselect with '-m \"not slow\"')"
+    "integration: marks tests as slow (deselect with '-m \"not slow\"')",
+    "oauth: marks tests as oauth (deselect with '-m \"not oauth\"')"
+]
+testpaths = [
+    "tests",
 ]

 [tool.commitizen]
@@ -43,8 +48,13 @@ build-backend = "poetry.core.masonry.api"
 dev = [
    "commitizen>=4.8.2",
    "ipython>=9.2.0",
+    "playwright>=1.49.1",
    "pytest>=8.3.5",
    "pytest-asyncio>=1.0.0",
    "pytest-cov>=6.1.1",
+    "pytest-playwright-asyncio>=0.7.1",
    "ruff>=0.11.13",
 ]
+
+[project.scripts]
+nextcloud-mcp-server = "nextcloud_mcp_server.app:run"
@@ -0,0 +1,426 @@
+"""Integration tests for Calendar CalDAV operations."""
+
+import logging
+import uuid
+from datetime import datetime, timedelta
+
+import pytest
+from httpx import HTTPStatusError
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+
+# Mark all tests in this module as integration tests
+pytestmark = pytest.mark.integration
+
+
+@pytest.fixture
+def test_calendar_name():
+    """Unique calendar name for testing."""
+    return f"test_calendar_{uuid.uuid4().hex[:8]}"
+
+
+@pytest.fixture
+async def temporary_calendar(nc_client: NextcloudClient, test_calendar_name: str):
+    """Create a temporary calendar for testing and clean up afterward."""
+    calendar_name = test_calendar_name
+
+    try:
+        # Create a test calendar
+        logger.info(f"Creating temporary calendar: {calendar_name}")
+        result = await nc_client.calendar.create_calendar(
+            calendar_name=calendar_name,
+            display_name=f"Test Calendar {calendar_name}",
+            description="Temporary calendar for integration testing",
+            color="#FF5722",
+        )
+
+        if result["status_code"] not in [200, 201]:
+            pytest.skip(f"Failed to create temporary calendar: {result}")
+
+        logger.info(f"Created temporary calendar: {calendar_name}")
+        yield calendar_name
+
+    except Exception as e:
+        logger.error(f"Error setting up temporary calendar: {e}")
+        pytest.skip(f"Calendar setup failed: {e}")
+
+    finally:
+        # Cleanup: Delete the temporary calendar
+        try:
+            logger.info(f"Cleaning up temporary calendar: {calendar_name}")
+            await nc_client.calendar.delete_calendar(calendar_name)
+            logger.info(f"Successfully deleted temporary calendar: {calendar_name}")
+        except Exception as e:
+            logger.error(f"Error deleting temporary calendar {calendar_name}: {e}")
+
+
+@pytest.fixture
+async def temporary_event(nc_client: NextcloudClient, temporary_calendar: str):
+    """Create a temporary event for testing and clean up afterward."""
+    event_uid = None
+    calendar_name = temporary_calendar
+
+    # Create a test event
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": f"Test Event {uuid.uuid4().hex[:8]}",
+        "start_datetime": tomorrow.strftime("%Y-%m-%dT14:00:00"),
+        "end_datetime": tomorrow.strftime("%Y-%m-%dT15:00:00"),
+        "description": "Test event created by integration tests",
+        "location": "Test Location",
+        "categories": "testing",
+        "status": "CONFIRMED",
+        "priority": 5,
+    }
+
+    try:
+        logger.info(f"Creating temporary event in calendar: {calendar_name}")
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        event_uid = result.get("uid")
+
+        if not event_uid:
+            pytest.fail("Failed to create temporary event")
+
+        logger.info(f"Created temporary event with UID: {event_uid}")
+        yield {"uid": event_uid, "calendar_name": calendar_name, "data": event_data}
+
+    finally:
+        # Cleanup
+        if event_uid:
+            try:
+                logger.info(f"Cleaning up temporary event: {event_uid}")
+                await nc_client.calendar.delete_event(calendar_name, event_uid)
+                logger.info(f"Successfully deleted temporary event: {event_uid}")
+            except HTTPStatusError as e:
+                if e.response.status_code != 404:
+                    logger.error(f"Error deleting temporary event {event_uid}: {e}")
+            except Exception as e:
+                logger.error(
+                    f"Unexpected error deleting temporary event {event_uid}: {e}"
+                )
+
+
+async def test_list_calendars(nc_client: NextcloudClient):
+    """Test listing available calendars."""
+    calendars = await nc_client.calendar.list_calendars()
+
+    assert isinstance(calendars, list)
+
+    if not calendars:
+        pytest.skip("No calendars available - Calendar app may not be enabled")
+
+    logger.info(f"Found {len(calendars)} calendars")
+
+    # Check structure of calendars
+    for calendar in calendars:
+        assert "name" in calendar
+        assert "display_name" in calendar
+        assert "href" in calendar
+        # Optional fields
+        assert "description" in calendar
+        assert "color" in calendar
+
+        logger.info(f"Calendar: {calendar['name']} - {calendar['display_name']}")
+
+
+async def test_create_and_delete_event(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test creating and deleting a basic event."""
+    calendar_name = temporary_calendar
+
+    # Create event
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": "Integration Test Event",
+        "start_datetime": tomorrow.strftime("%Y-%m-%dT10:00:00"),
+        "end_datetime": tomorrow.strftime("%Y-%m-%dT11:00:00"),
+        "description": "Test event for integration testing",
+        "location": "Test Room",
+        "categories": "testing,integration",
+        "status": "CONFIRMED",
+        "priority": 3,
+    }
+
+    try:
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        assert "uid" in result
+        assert result["status_code"] in [200, 201, 204]
+
+        event_uid = result["uid"]
+        logger.info(f"Created event with UID: {event_uid}")
+
+        # Verify event was created by retrieving it
+        retrieved_event, etag = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert retrieved_event["uid"] == event_uid
+        assert retrieved_event["title"] == "Integration Test Event"
+        assert retrieved_event["location"] == "Test Room"
+
+        # Delete event
+        delete_result = await nc_client.calendar.delete_event(calendar_name, event_uid)
+        assert delete_result["status_code"] in [200, 204, 404]
+
+        logger.info(f"Successfully deleted event: {event_uid}")
+
+    except Exception as e:
+        logger.error(f"Test failed: {e}")
+        raise
+
+
+async def test_create_all_day_event(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test creating an all-day event."""
+    calendar_name = temporary_calendar
+
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": "All Day Test Event",
+        "start_datetime": tomorrow.strftime("%Y-%m-%d"),
+        "all_day": True,
+        "description": "Test all-day event",
+        "categories": "testing",
+    }
+
+    try:
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        event_uid = result["uid"]
+        logger.info(f"Created all-day event with UID: {event_uid}")
+
+        # Verify event
+        retrieved_event, _ = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert retrieved_event["title"] == "All Day Test Event"
+        assert retrieved_event.get("all_day") is True
+
+        # Cleanup
+        await nc_client.calendar.delete_event(calendar_name, event_uid)
+
+    except Exception as e:
+        logger.error(f"All-day event test failed: {e}")
+        raise
+
+
+async def test_create_recurring_event(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test creating a recurring event."""
+    calendar_name = temporary_calendar
+
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": "Weekly Recurring Test",
+        "start_datetime": tomorrow.strftime("%Y-%m-%dT14:00:00"),
+        "end_datetime": tomorrow.strftime("%Y-%m-%dT15:00:00"),
+        "description": "Test recurring event",
+        "recurring": True,
+        "recurrence_rule": "FREQ=WEEKLY;BYDAY=MO,WE,FR",
+        "reminder_minutes": 30,
+    }
+
+    try:
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        event_uid = result["uid"]
+        logger.info(f"Created recurring event with UID: {event_uid}")
+
+        # Verify event
+        retrieved_event, _ = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert retrieved_event["title"] == "Weekly Recurring Test"
+        assert retrieved_event.get("recurring") is True
+
+        # Cleanup
+        await nc_client.calendar.delete_event(calendar_name, event_uid)
+
+    except Exception as e:
+        logger.error(f"Recurring event test failed: {e}")
+        raise
+
+
+async def test_list_events_in_range(nc_client: NextcloudClient, temporary_event: dict):
+    """Test listing events within a date range."""
+    calendar_name = temporary_event["calendar_name"]
+
+    # Get events for the next week
+    start_datetime = datetime.now()
+    end_datetime = datetime.now() + timedelta(days=7)
+
+    events = await nc_client.calendar.get_calendar_events(
+        calendar_name=calendar_name,
+        start_datetime=start_datetime,
+        end_datetime=end_datetime,
+        limit=50,
+    )
+
+    assert isinstance(events, list)
+    logger.info(f"Found {len(events)} events in date range")
+
+    # Our temporary event should be in the list
+    event_uids = [event.get("uid") for event in events]
+    assert temporary_event["uid"] in event_uids
+
+    # Check event structure
+    for event in events:
+        assert "uid" in event
+        assert "title" in event
+        assert "start_datetime" in event
+
+
+async def test_update_event(nc_client: NextcloudClient, temporary_event: dict):
+    """Test updating an existing event."""
+    calendar_name = temporary_event["calendar_name"]
+    event_uid = temporary_event["uid"]
+
+    # Update event data
+    updated_data = {
+        "title": "Updated Test Event Title",
+        "description": "Updated description for test event",
+        "location": "Updated Location",
+        "priority": 1,  # High priority
+    }
+
+    try:
+        result = await nc_client.calendar.update_event(
+            calendar_name, event_uid, updated_data
+        )
+        assert result["uid"] == event_uid
+
+        # Verify updates
+        updated_event, _ = await nc_client.calendar.get_event(calendar_name, event_uid)
+        assert updated_event["title"] == "Updated Test Event Title"
+        assert updated_event["description"] == "Updated description for test event"
+        assert updated_event["location"] == "Updated Location"
+        assert updated_event["priority"] == 1
+
+        logger.info(f"Successfully updated event: {event_uid}")
+
+    except Exception as e:
+        logger.error(f"Event update test failed: {e}")
+        raise
+
+
+async def test_create_event_with_attendees(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test creating an event with attendees."""
+    calendar_name = temporary_calendar
+
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": "Meeting with Attendees",
+        "start_datetime": tomorrow.strftime("%Y-%m-%dT16:00:00"),
+        "end_datetime": tomorrow.strftime("%Y-%m-%dT17:00:00"),
+        "description": "Test meeting with multiple attendees",
+        "location": "Conference Room A",
+        "attendees": "test1@example.com,test2@example.com",
+        "reminder_minutes": 15,
+        "status": "TENTATIVE",
+    }
+
+    try:
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        event_uid = result["uid"]
+        logger.info(f"Created event with attendees, UID: {event_uid}")
+
+        # Verify event
+        retrieved_event, _ = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert retrieved_event["title"] == "Meeting with Attendees"
+        assert "test1@example.com" in retrieved_event.get("attendees", "")
+        assert retrieved_event["status"] == "TENTATIVE"
+
+        # Cleanup
+        await nc_client.calendar.delete_event(calendar_name, event_uid)
+
+    except Exception as e:
+        logger.error(f"Event with attendees test failed: {e}")
+        raise
+
+
+async def test_get_nonexistent_event(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test retrieving a non-existent event."""
+    calendar_name = temporary_calendar
+    fake_uid = f"nonexistent-{uuid.uuid4()}"
+
+    with pytest.raises(HTTPStatusError) as exc_info:
+        await nc_client.calendar.get_event(calendar_name, fake_uid)
+
+    assert exc_info.value.response.status_code == 404
+    logger.info(f"Correctly got 404 for nonexistent event: {fake_uid}")
+
+
+async def test_delete_nonexistent_event(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test deleting a non-existent event."""
+    calendar_name = temporary_calendar
+    fake_uid = f"nonexistent-{uuid.uuid4()}"
+
+    result = await nc_client.calendar.delete_event(calendar_name, fake_uid)
+    assert result["status_code"] == 404
+    logger.info(f"Correctly got 404 for deleting nonexistent event: {fake_uid}")
+
+
+async def test_event_with_url_and_categories(
+    nc_client: NextcloudClient, temporary_calendar: str
+):
+    """Test creating an event with URL and multiple categories."""
+    calendar_name = temporary_calendar
+
+    tomorrow = datetime.now() + timedelta(days=1)
+    event_data = {
+        "title": "Event with URL and Categories",
+        "start_datetime": tomorrow.strftime("%Y-%m-%dT09:00:00"),
+        "end_datetime": tomorrow.strftime("%Y-%m-%dT10:30:00"),
+        "description": "Test event with additional metadata",
+        "categories": "work,meeting,important,quarterly",
+        "url": "https://zoom.us/j/123456789",
+        "privacy": "PRIVATE",
+        "priority": 2,
+    }
+
+    try:
+        result = await nc_client.calendar.create_event(calendar_name, event_data)
+        event_uid = result["uid"]
+        logger.info(f"Created event with metadata, UID: {event_uid}")
+
+        # Verify event
+        retrieved_event, _ = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert retrieved_event["title"] == "Event with URL and Categories"
+        assert "work" in retrieved_event.get("categories", "")
+        assert "important" in retrieved_event.get("categories", "")
+        assert retrieved_event.get("url") == "https://zoom.us/j/123456789"
+        assert retrieved_event.get("privacy") == "PRIVATE"
+        assert retrieved_event.get("priority") == 2
+
+        # Cleanup
+        await nc_client.calendar.delete_event(calendar_name, event_uid)
+
+    except Exception as e:
+        logger.error(f"Event with metadata test failed: {e}")
+        raise
+
+
+async def test_calendar_operations_error_handling(
+    nc_client: NextcloudClient,
+):
+    """Test error handling for calendar operations."""
+
+    # Test with non-existent calendar
+    fake_calendar = f"nonexistent_calendar_{uuid.uuid4().hex}"
+
+    with pytest.raises(HTTPStatusError):
+        await nc_client.calendar.get_calendar_events(fake_calendar)
+
+    logger.info("Error handling tests completed successfully")
@@ -0,0 +1,437 @@
+"""Integration tests for CalDAV and CardDAV field preservation.
+
+This test module demonstrates data loss issues when non-supported fields
+are present in calendar events and contacts during round-trip operations.
+"""
+
+import logging
+import uuid
+from datetime import datetime, timedelta
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+
+@pytest.mark.integration
+async def test_calendar_event_custom_fields_preservation(nc_client):
+    """Test that demonstrates loss of non-supported iCal fields during round-trip operations."""
+    calendar_name = "personal"
+
+    # Create an event with standard fields
+    event_data = {
+        "title": "Test Event with Custom Fields",
+        "description": "Event to test custom field preservation",
+        "start_datetime": (datetime.now() + timedelta(days=1)).isoformat(),
+        "end_datetime": (datetime.now() + timedelta(days=1, hours=1)).isoformat(),
+        "location": "Test Location",
+    }
+
+    # Create the event
+    result = await nc_client.calendar.create_event(calendar_name, event_data)
+    event_uid = result["uid"]
+
+    try:
+        # Now manually inject a custom iCal property by creating a new version with raw iCal
+        # This simulates what would happen if the event was created by another CalDAV client
+        # with extended properties
+        custom_ical = f"""BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//Test Client//EN
+BEGIN:VEVENT
+UID:{event_uid}
+DTSTART:{(datetime.now() + timedelta(days=1)).strftime("%Y%m%dT%H%M%SZ")}
+DTEND:{(datetime.now() + timedelta(days=1, hours=1)).strftime("%Y%m%dT%H%M%SZ")}
+SUMMARY:Test Event with Custom Fields
+DESCRIPTION:Event to test custom field preservation
+LOCATION:Test Location
+X-CUSTOM-FIELD:This is a custom field that should be preserved
+X-VENDOR-SPECIFIC:Vendor specific data
+CATEGORIES:work,testing
+STATUS:CONFIRMED
+PRIORITY:5
+CLASS:PUBLIC
+CREATED:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+DTSTAMP:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+LAST-MODIFIED:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+END:VEVENT
+END:VCALENDAR"""
+
+        # Direct CalDAV PUT to inject the custom iCal
+        event_path = f"/remote.php/dav/calendars/{nc_client.calendar.username}/{calendar_name}/{event_uid}.ics"
+        await nc_client.calendar._make_request(
+            "PUT",
+            event_path,
+            content=custom_ical,
+            headers={"Content-Type": "text/calendar; charset=utf-8"},
+        )
+
+        logger.info(f"Injected custom iCal properties into event {event_uid}")
+
+        # Retrieve the event to confirm custom fields are present in raw iCal
+        response = await nc_client.calendar._make_request(
+            "GET", event_path, headers={"Accept": "text/calendar"}
+        )
+        raw_ical_before = response.text
+
+        logger.info("Raw iCal before update:")
+        logger.info(raw_ical_before)
+
+        # Verify custom fields exist in raw iCal
+        assert (
+            "X-CUSTOM-FIELD:This is a custom field that should be preserved"
+            in raw_ical_before
+        )
+        assert "X-VENDOR-SPECIFIC:Vendor specific data" in raw_ical_before
+
+        # Now update the event through the MCP client (simulating normal usage)
+        update_data = {
+            "title": "Updated Test Event with Custom Fields",
+            "description": "Updated description - custom fields should be preserved",
+        }
+
+        await nc_client.calendar.update_event(calendar_name, event_uid, update_data)
+        logger.info(f"Updated event {event_uid} through MCP client")
+
+        # Retrieve the event again to see if custom fields survived
+        response_after = await nc_client.calendar._make_request(
+            "GET", event_path, headers={"Accept": "text/calendar"}
+        )
+        raw_ical_after = response_after.text
+
+        logger.info("Raw iCal after update:")
+        logger.info(raw_ical_after)
+
+        # THIS IS THE TEST THAT SHOULD FAIL - custom fields should be preserved but won't be
+        try:
+            assert (
+                "X-CUSTOM-FIELD:This is a custom field that should be preserved"
+                in raw_ical_after
+            ), "Custom field X-CUSTOM-FIELD was lost during round-trip update"
+            assert "X-VENDOR-SPECIFIC:Vendor specific data" in raw_ical_after, (
+                "Custom field X-VENDOR-SPECIFIC was lost during round-trip update"
+            )
+            logger.info(
+                "✓ Custom fields were preserved (unexpected - this should fail with current implementation)"
+            )
+        except AssertionError as e:
+            logger.error(f"✗ Custom fields were lost during round-trip update: {e}")
+            # Re-raise to show the test failure
+            raise
+
+    finally:
+        # Cleanup
+        try:
+            await nc_client.calendar.delete_event(calendar_name, event_uid)
+        except Exception as cleanup_error:
+            logger.warning(f"Failed to cleanup event {event_uid}: {cleanup_error}")
+
+
+@pytest.mark.integration
+async def test_contact_extended_fields_preservation(nc_client):
+    """Test that demonstrates loss of extended vCard fields during round-trip operations."""
+    addressbook_name = f"test_preservation_{uuid.uuid4().hex[:8]}"
+
+    # Create a temporary addressbook
+    await nc_client.contacts.create_addressbook(
+        name=addressbook_name, display_name="Test Preservation Addressbook"
+    )
+
+    try:
+        contact_uid = str(uuid.uuid4())
+
+        # Create a contact with minimal data first
+        basic_contact_data = {
+            "fn": "John Extended Doe",
+            "email": "john.extended@example.com",
+        }
+
+        await nc_client.contacts.create_contact(
+            addressbook=addressbook_name,
+            uid=contact_uid,
+            contact_data=basic_contact_data,
+        )
+
+        logger.info(f"Created basic contact {contact_uid}")
+
+        # Now inject a rich vCard with extended fields directly via CardDAV
+        extended_vcard = f"""BEGIN:VCARD
+VERSION:4.0
+UID:{contact_uid}
+FN:John Extended Doe
+N:Doe;John;Extended;;
+NICKNAME:Johnny,JD
+EMAIL;TYPE=work:john.work@company.com
+EMAIL;TYPE=home:john.extended@example.com
+TEL;TYPE=cell:+1-555-123-4567
+TEL;TYPE=work:+1-555-987-6543
+ADR;TYPE=home:;;123 Main St;Hometown;ST;12345;USA
+ADR;TYPE=work:;;456 Work Ave;Worktown;ST;54321;USA
+ORG:Example Corporation
+TITLE:Senior Developer
+URL;TYPE=work:https://company.com/john
+URL;TYPE=personal:https://johndoe.dev
+BDAY:1985-06-15
+NOTE:This is a note with important information that should be preserved.
+CATEGORIES:colleagues,developers,friends
+X-CUSTOM-FIELD:This should be preserved
+X-SKYPE:john.doe.skype
+X-LINKEDIN:https://linkedin.com/in/johndoe
+REV:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+END:VCARD"""
+
+        # Direct CardDAV PUT to inject the extended vCard
+        contact_path = f"/remote.php/dav/addressbooks/users/{nc_client.contacts.username}/{addressbook_name}/{contact_uid}.vcf"
+        await nc_client.contacts._make_request(
+            "PUT",
+            contact_path,
+            content=extended_vcard,
+            headers={"Content-Type": "text/vcard; charset=utf-8"},
+        )
+
+        logger.info(f"Injected extended vCard for contact {contact_uid}")
+
+        # Retrieve the contact to confirm extended fields are present in raw vCard
+        response = await nc_client.contacts._make_request("GET", contact_path)
+        raw_vcard_before = response.text
+
+        logger.info("Raw vCard before any operations:")
+        logger.info(raw_vcard_before)
+
+        # Verify extended fields exist in raw vCard
+        assert "TEL;TYPE=cell:+1-555-123-4567" in raw_vcard_before
+        assert "ADR;TYPE=home:;;123 Main St;Hometown;ST;12345;USA" in raw_vcard_before
+        assert "ORG:Example Corporation" in raw_vcard_before
+        assert "TITLE:Senior Developer" in raw_vcard_before
+        assert "X-CUSTOM-FIELD:This should be preserved" in raw_vcard_before
+        assert "X-LINKEDIN:https://linkedin.com/in/johndoe" in raw_vcard_before
+        assert "NOTE:This is a note with important information" in raw_vcard_before
+
+        # List contacts through the MCP client (this will parse and return limited fields)
+        contacts = await nc_client.contacts.list_contacts(addressbook=addressbook_name)
+        our_contact = next((c for c in contacts if c["vcard_id"] == contact_uid), None)
+
+        assert our_contact is not None
+        logger.info("Contact as parsed by MCP client:")
+        logger.info(our_contact)
+
+        # Check what fields are accessible through the parsed contact
+        parsed_contact = our_contact["contact"]
+
+        # These should be available (basic fields that are parsed)
+        assert parsed_contact["fullname"] == "John Extended Doe"
+        assert parsed_contact["email"] is not None  # Some email should be present
+
+        # The raw vCard should still be available in addressdata
+        raw_addressdata = our_contact["addressdata"]
+        assert "X-CUSTOM-FIELD:This should be preserved" in raw_addressdata
+        assert "ORG:Example Corporation" in raw_addressdata
+
+        # The key test: Can we update this contact without losing extended field data?
+        logger.info("Testing contact update preservation...")
+
+        # Update the contact through the MCP client with a simple change
+        try:
+            await nc_client.contacts.update_contact(
+                addressbook=addressbook_name,
+                uid=contact_uid,
+                contact_data={"email": "john.updated@example.com"},
+            )
+            logger.info("✓ Contact updated successfully")
+        except Exception as e:
+            logger.error(f"✗ Failed to update contact: {e}")
+            raise
+
+        # Retrieve the contact again to see if extended fields survived
+        contacts_after = await nc_client.contacts.list_contacts(
+            addressbook=addressbook_name
+        )
+        updated_contact = next(
+            (c for c in contacts_after if c["vcard_id"] == contact_uid), None
+        )
+
+        assert updated_contact is not None, "Contact not found after update"
+        updated_addressdata = updated_contact["addressdata"]
+
+        logger.info("Raw vCard after contact update:")
+        logger.info(updated_addressdata)
+
+        # THIS IS THE CRITICAL TEST - extended fields should be preserved during updates
+        extended_field_checks = [
+            ("ORG:Example Corporation", "organization field"),
+            ("TITLE:Senior Developer", "title field"),
+            ("TEL;TYPE=cell:+1-555-123-4567", "cell phone"),
+            ("TEL;TYPE=work:+1-555-987-6543", "work phone"),
+            ("ADR;TYPE=home:;;123 Main St;Hometown;ST;12345;USA", "home address"),
+            ("ADR;TYPE=work:;;456 Work Ave;Worktown;ST;54321;USA", "work address"),
+            ("URL;TYPE=work;VALUE=URI:https://company.com/john", "work URL"),
+            ("NOTE:This is a note with important information", "note field"),
+            ("CATEGORIES:colleagues,developers,friends", "categories"),
+            ("X-CUSTOM-FIELD:This should be preserved", "custom field"),
+            ("X-LINKEDIN:https://linkedin.com/in/johndoe", "LinkedIn custom field"),
+            ("john.updated@example.com", "updated email"),
+        ]
+
+        all_preserved = True
+        for field_pattern, field_name in extended_field_checks:
+            if field_pattern in updated_addressdata:
+                logger.info(f"✓ {field_name} preserved")
+            else:
+                logger.error(f"✗ {field_name} was lost during update")
+                all_preserved = False
+
+        # The test should PASS - field preservation should work
+        assert all_preserved, (
+            "Contact update lost extended field data - this indicates the preservation mechanism failed"
+        )
+
+        logger.info("🎉 SUCCESS: All extended fields preserved during contact update!")
+
+    finally:
+        # Cleanup
+        try:
+            await nc_client.contacts.delete_addressbook(name=addressbook_name)
+        except Exception as cleanup_error:
+            logger.warning(
+                f"Failed to cleanup addressbook {addressbook_name}: {cleanup_error}"
+            )
+
+
+@pytest.mark.integration
+async def test_calendar_event_roundtrip_data_loss_demonstration(nc_client):
+    """Demonstrates specific data loss scenarios in calendar events."""
+    calendar_name = "personal"
+
+    event_data = {
+        "title": "Roundtrip Test Event",
+        "description": "Testing data preservation",
+        "start_datetime": (datetime.now() + timedelta(days=2)).isoformat(),
+        "end_datetime": (datetime.now() + timedelta(days=2, hours=1)).isoformat(),
+    }
+
+    result = await nc_client.calendar.create_event(calendar_name, event_data)
+    event_uid = result["uid"]
+
+    try:
+        # Inject additional iCal properties that are valid but not supported by our parser
+        extended_ical = f"""BEGIN:VCALENDAR
+VERSION:2.0
+PRODID:-//Extended Client//EN
+BEGIN:VEVENT
+UID:{event_uid}
+DTSTART:{(datetime.now() + timedelta(days=2)).strftime("%Y%m%dT%H%M%SZ")}
+DTEND:{(datetime.now() + timedelta(days=2, hours=1)).strftime("%Y%m%dT%H%M%SZ")}
+SUMMARY:Roundtrip Test Event
+DESCRIPTION:Testing data preservation
+STATUS:CONFIRMED
+PRIORITY:5
+CLASS:PUBLIC
+SEQUENCE:1
+X-MICROSOFT-CDO-ALLDAYEVENT:FALSE
+X-MICROSOFT-CDO-IMPORTANCE:1
+X-CUSTOM-MEETING-ID:12345-67890
+X-ZOOM-MEETING-URL:https://zoom.us/j/1234567890
+ORGANIZER;CN=Test Organizer:mailto:organizer@example.com
+COMMENT:This is a comment that should be preserved
+LOCATION:Conference Room A
+GEO:40.7128;-74.0060
+TRANSP:OPAQUE
+CREATED:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+DTSTAMP:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+LAST-MODIFIED:{datetime.now().strftime("%Y%m%dT%H%M%SZ")}
+END:VEVENT
+END:VCALENDAR"""
+
+        # Inject the extended iCal
+        event_path = f"/remote.php/dav/calendars/{nc_client.calendar.username}/{calendar_name}/{event_uid}.ics"
+        await nc_client.calendar._make_request(
+            "PUT",
+            event_path,
+            content=extended_ical,
+            headers={"Content-Type": "text/calendar; charset=utf-8"},
+        )
+
+        # Verify extended properties are present
+        response = await nc_client.calendar._make_request(
+            "GET", event_path, headers={"Accept": "text/calendar"}
+        )
+        original_ical = response.text
+
+        # Confirm extended properties exist
+        extended_properties = [
+            "SEQUENCE:1",
+            "X-MICROSOFT-CDO-ALLDAYEVENT:FALSE",
+            "X-CUSTOM-MEETING-ID:12345-67890",
+            "X-ZOOM-MEETING-URL:https://zoom.us/j/1234567890",
+            "ORGANIZER;CN=Test Organizer:mailto:organizer@example.com",
+            "COMMENT:This is a comment that should be preserved",
+            "GEO:40.7128;-74.0060",
+            "TRANSP:OPAQUE",
+        ]
+
+        # More flexible patterns for properties that might be reformatted
+        flexible_patterns = {
+            "ORGANIZER;CN=Test Organizer:mailto:organizer@example.com": [
+                "ORGANIZER;CN=Test Organizer:mailto:organizer@example.com",
+                'ORGANIZER;CN="Test Organizer":mailto:organizer@example.com',
+            ],
+            "GEO:40.7128;-74.0060": [
+                "GEO:40.7128;-74.0060",
+                "GEO:40.7128;-74.006",  # May lose trailing zero
+            ],
+        }
+
+        for prop in extended_properties:
+            assert prop in original_ical, (
+                f"Extended property {prop} not found in original iCal"
+            )
+
+        logger.info("✓ All extended properties confirmed in original iCal")
+
+        # Now perform a simple update through MCP
+        update_data = {"location": "Conference Room B"}  # Simple location change
+        await nc_client.calendar.update_event(calendar_name, event_uid, update_data)
+
+        # Check what survived the round-trip
+        response_after = await nc_client.calendar._make_request(
+            "GET", event_path, headers={"Accept": "text/calendar"}
+        )
+        updated_ical = response_after.text
+
+        logger.info("Checking which properties survived the update...")
+
+        # Check which extended properties survived
+        survived = []
+        lost = []
+
+        for prop in extended_properties:
+            # Check if this property has flexible patterns
+            if prop in flexible_patterns:
+                # Check if any of the flexible patterns match
+                found = any(
+                    pattern in updated_ical for pattern in flexible_patterns[prop]
+                )
+                if found:
+                    survived.append(prop)
+                else:
+                    lost.append(prop)
+            else:
+                # Standard exact match
+                if prop in updated_ical:
+                    survived.append(prop)
+                else:
+                    lost.append(prop)
+
+        logger.info(f"Properties that SURVIVED: {survived}")
+        logger.error(f"Properties that were LOST: {lost}")
+
+        # This test should fail - we expect data loss
+        assert len(lost) == 0, (
+            f"Round-trip update lost {len(lost)} extended properties: {lost}"
+        )
+
+    finally:
+        try:
+            await nc_client.calendar.delete_event(calendar_name, event_uid)
+        except Exception as cleanup_error:
+            logger.warning(f"Failed to cleanup event {event_uid}: {cleanup_error}")
@@ -0,0 +1,88 @@
+"""Integration tests for Contacts CardDAV operations."""
+
+import logging
+import uuid
+
+import pytest
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+
+# Mark all tests in this module as integration tests
+pytestmark = pytest.mark.integration
+
+
+async def test_list_addressbooks(nc_client: NextcloudClient):
+    """Test listing available addressbooks."""
+    addressbooks = await nc_client.contacts.list_addressbooks()
+
+    assert isinstance(addressbooks, list)
+
+    if not addressbooks:
+        pytest.skip("No addressbooks available - Contacts app may not be enabled")
+
+    logger.info(f"Found {len(addressbooks)} addressbooks")
+
+    # Check structure of addressbooks
+    for addressbook in addressbooks:
+        assert "name" in addressbook
+        assert "display_name" in addressbook
+        assert "getctag" in addressbook
+
+        logger.info(
+            f"Addressbook: {addressbook['name']} - {addressbook['display_name']}"
+        )
+
+
+async def test_create_and_delete_addressbook(
+    nc_client: NextcloudClient, temporary_addressbook: str
+):
+    """Test creating and deleting a basic addressbook."""
+    addressbooks = await nc_client.contacts.list_addressbooks()
+    addressbook_names = [ab["name"] for ab in addressbooks]
+    assert temporary_addressbook in addressbook_names
+
+
+async def test_list_contacts(
+    nc_client: NextcloudClient, temporary_addressbook: str, temporary_contact: str
+):
+    """Test listing contacts in an addressbook."""
+    contacts = await nc_client.contacts.list_contacts(addressbook=temporary_addressbook)
+    contact_uids = [c["vcard_id"] for c in contacts]
+    assert temporary_contact in contact_uids
+
+
+async def test_full_contact_workflow(
+    nc_client: NextcloudClient, temporary_addressbook: str
+):
+    """Test the full workflow of creating, retrieving, and deleting a contact."""
+    addressbook_name = temporary_addressbook
+    contact_uid = f"test-contact-{uuid.uuid4().hex[:8]}"
+    contact_data = {
+        "fn": "Jane Doe",
+        "email": "jane.doe@example.com",
+        "tel": "9876543210",
+    }
+
+    # Create contact
+    await nc_client.contacts.create_contact(
+        addressbook=addressbook_name,
+        uid=contact_uid,
+        contact_data=contact_data,
+    )
+
+    # Verify contact was created by listing
+    contacts = await nc_client.contacts.list_contacts(addressbook=addressbook_name)
+    contact_uids = [c["vcard_id"] for c in contacts]
+    assert contact_uid in contact_uids
+
+    # Delete contact
+    await nc_client.contacts.delete_contact(
+        addressbook=addressbook_name, uid=contact_uid
+    )
+
+    # Verify contact was deleted
+    contacts = await nc_client.contacts.list_contacts(addressbook=addressbook_name)
+    contact_uids = [c["vcard_id"] for c in contacts]
+    assert contact_uid not in contact_uids
@@ -0,0 +1,327 @@
+import logging
+import uuid
+
+import pytest
+from httpx import HTTPStatusError
+
+from nextcloud_mcp_server.client import NextcloudClient
+from nextcloud_mcp_server.models.deck import DeckCard, DeckLabel, DeckStack
+
+logger = logging.getLogger(__name__)
+pytestmark = pytest.mark.integration
+
+
+# Board CRUD Tests
+
+
+async def test_deck_board_crud_workflow(
+    nc_client: NextcloudClient, temporary_board: dict
+):
+    """
+    Test complete board CRUD workflow using the temporary_board fixture.
+    """
+    board_data = temporary_board
+    board_id = board_data["id"]
+    original_title = board_data["title"]
+    original_color = board_data["color"]
+
+    logger.info(f"Testing CRUD operations on board ID: {board_id}")
+
+    # Read the board
+    read_board = await nc_client.deck.get_board(board_id)
+    assert read_board.id == board_id
+    assert read_board.title == original_title
+    assert read_board.color == original_color
+    logger.info(f"Successfully read board ID: {board_id}")
+
+    # Update the board
+    updated_title = f"Updated {original_title}"
+    updated_color = "00FF00"  # Green color
+    await nc_client.deck.update_board(
+        board_id, title=updated_title, color=updated_color
+    )
+
+    # Verify the update
+    updated_board = await nc_client.deck.get_board(board_id)
+    assert updated_board.title == updated_title
+    assert updated_board.color == updated_color
+    logger.info(f"Successfully updated board ID: {board_id}")
+
+
+async def test_deck_list_boards(nc_client: NextcloudClient):
+    """
+    Test listing all boards with different options.
+    """
+    # Test basic listing
+    boards = await nc_client.deck.get_boards()
+    assert isinstance(boards, list)
+    logger.info(f"Found {len(boards)} boards")
+
+    # Test with details
+    detailed_boards = await nc_client.deck.get_boards(details=True)
+    assert isinstance(detailed_boards, list)
+    logger.info(f"Found {len(detailed_boards)} boards with details")
+
+
+async def test_deck_board_operations_nonexistent(nc_client: NextcloudClient):
+    """
+    Test operations on non-existent board return appropriate errors.
+    """
+    non_existent_id = 999999999
+
+    # Test get non-existent board
+    with pytest.raises(HTTPStatusError) as excinfo:
+        await nc_client.deck.get_board(non_existent_id)
+    assert excinfo.value.response.status_code in [
+        404,
+        403,
+    ]  # 403 might be returned for access denied
+    logger.info(
+        f"Get non-existent board correctly failed with {excinfo.value.response.status_code}"
+    )
+
+    # Test update non-existent board
+    with pytest.raises(HTTPStatusError) as excinfo:
+        await nc_client.deck.update_board(non_existent_id, title="Should Fail")
+    assert excinfo.value.response.status_code in [
+        404,
+        403,
+        400,
+    ]  # 400 for bad request on invalid board ID
+    logger.info(
+        f"Update non-existent board correctly failed with {excinfo.value.response.status_code}"
+    )
+
+
+# Stack CRUD Tests
+
+
+async def test_deck_stack_crud_workflow(
+    nc_client: NextcloudClient, temporary_board: dict
+):
+    """
+    Test complete stack CRUD workflow.
+    """
+    board_id = temporary_board["id"]
+    stack_title = f"Test Stack {uuid.uuid4().hex[:8]}"
+    stack_order = 1
+    stack = None
+
+    try:
+        # Create stack
+        stack = await nc_client.deck.create_stack(board_id, stack_title, stack_order)
+        assert isinstance(stack, DeckStack)
+        assert stack.title == stack_title
+        assert stack.order == stack_order
+        stack_id = stack.id
+        logger.info(f"Created stack ID: {stack_id}")
+
+        # Read stack
+        read_stack = await nc_client.deck.get_stack(board_id, stack_id)
+        assert read_stack.id == stack_id
+        assert read_stack.title == stack_title
+        logger.info(f"Successfully read stack ID: {stack_id}")
+
+        # Update stack
+        updated_title = f"Updated {stack_title}"
+        updated_order = 2
+        await nc_client.deck.update_stack(
+            board_id, stack_id, title=updated_title, order=updated_order
+        )
+
+        # Verify update
+        updated_stack = await nc_client.deck.get_stack(board_id, stack_id)
+        assert updated_stack.title == updated_title
+        assert updated_stack.order == updated_order
+        logger.info(f"Successfully updated stack ID: {stack_id}")
+
+        # List stacks
+        stacks = await nc_client.deck.get_stacks(board_id)
+        assert isinstance(stacks, list)
+        assert any(s.id == stack_id for s in stacks)
+        logger.info(f"Found stack ID: {stack_id} in board stacks list")
+
+    finally:
+        # Clean up - delete stack
+        if stack and hasattr(stack, "id"):
+            try:
+                await nc_client.deck.delete_stack(board_id, stack.id)
+                logger.info(f"Cleaned up stack ID: {stack.id}")
+            except Exception as e:
+                logger.warning(f"Failed to clean up stack ID: {stack.id}: {e}")
+
+
+# Card CRUD Tests
+
+
+async def test_deck_card_crud_workflow(
+    nc_client: NextcloudClient, temporary_board_with_stack: tuple
+):
+    """
+    Test complete card CRUD workflow.
+    """
+    board_data, stack_data = temporary_board_with_stack
+    board_id = board_data["id"]
+    stack_id = stack_data["id"]
+
+    card_title = f"Test Card {uuid.uuid4().hex[:8]}"
+    card_description = f"Test description for card {uuid.uuid4().hex[:8]}"
+    card = None
+
+    try:
+        # Create card
+        card = await nc_client.deck.create_card(
+            board_id, stack_id, card_title, description=card_description
+        )
+        assert isinstance(card, DeckCard)
+        assert card.title == card_title
+        assert card.description == card_description
+        card_id = card.id
+        logger.info(f"Created card ID: {card_id}")
+
+        # Read card
+        read_card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+        assert read_card.id == card_id
+        assert read_card.title == card_title
+        logger.info(f"Successfully read card ID: {card_id}")
+
+        # Update card
+        updated_title = f"Updated {card_title}"
+        updated_description = f"Updated description for {card_title}"
+        await nc_client.deck.update_card(
+            board_id,
+            stack_id,
+            card_id,
+            title=updated_title,
+            description=updated_description,
+        )
+
+        # Verify update
+        updated_card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+        assert updated_card.title == updated_title
+        assert updated_card.description == updated_description
+        logger.info(f"Successfully updated card ID: {card_id}")
+
+        # Archive and unarchive card
+        await nc_client.deck.archive_card(board_id, stack_id, card_id)
+        logger.info(f"Archived card ID: {card_id}")
+
+        await nc_client.deck.unarchive_card(board_id, stack_id, card_id)
+        logger.info(f"Unarchived card ID: {card_id}")
+
+    finally:
+        # Clean up - delete card
+        if card and hasattr(card, "id"):
+            try:
+                await nc_client.deck.delete_card(board_id, stack_id, card.id)
+                logger.info(f"Cleaned up card ID: {card.id}")
+            except Exception as e:
+                logger.warning(f"Failed to clean up card ID: {card.id}: {e}")
+
+
+# Label CRUD Tests
+
+
+async def test_deck_label_crud_workflow(
+    nc_client: NextcloudClient, temporary_board: dict
+):
+    """
+    Test complete label CRUD workflow.
+    """
+    board_id = temporary_board["id"]
+    label_title = f"Test Label {uuid.uuid4().hex[:8]}"
+    label_color = "FF0000"  # Red
+    label = None
+
+    try:
+        # Create label
+        label = await nc_client.deck.create_label(board_id, label_title, label_color)
+        assert isinstance(label, DeckLabel)
+        assert label.title == label_title
+        assert label.color == label_color
+        label_id = label.id
+        logger.info(f"Created label ID: {label_id}")
+
+        # Read label
+        read_label = await nc_client.deck.get_label(board_id, label_id)
+        assert read_label.id == label_id
+        assert read_label.title == label_title
+        logger.info(f"Successfully read label ID: {label_id}")
+
+        # Update label
+        updated_title = f"Updated {label_title}"
+        updated_color = "00FF00"  # Green
+        await nc_client.deck.update_label(
+            board_id, label_id, title=updated_title, color=updated_color
+        )
+
+        # Verify update
+        updated_label = await nc_client.deck.get_label(board_id, label_id)
+        assert updated_label.title == updated_title
+        assert updated_label.color == updated_color
+        logger.info(f"Successfully updated label ID: {label_id}")
+
+    finally:
+        # Clean up - delete label
+        if label and hasattr(label, "id"):
+            try:
+                await nc_client.deck.delete_label(board_id, label.id)
+                logger.info(f"Cleaned up label ID: {label.id}")
+            except Exception as e:
+                logger.warning(f"Failed to clean up label ID: {label.id}: {e}")
+
+
+# Configuration and Comments Tests
+
+
+async def test_deck_config_operations(nc_client: NextcloudClient):
+    """
+    Test deck configuration operations.
+    """
+    # Get config
+    config = await nc_client.deck.get_config()
+    assert config is not None
+    logger.info(f"Retrieved deck config: {config}")
+
+
+async def test_deck_comments_workflow(
+    nc_client: NextcloudClient, temporary_board_with_card: tuple
+):
+    """
+    Test comment operations on a card.
+    """
+    board_data, stack_data, card_data = temporary_board_with_card
+    card_id = card_data["id"]
+
+    comment_message = f"Test comment {uuid.uuid4().hex[:8]}"
+    comment = None
+
+    try:
+        # Create comment
+        comment = await nc_client.deck.create_comment(card_id, comment_message)
+        assert comment.message == comment_message
+        comment_id = comment.id
+        logger.info(f"Created comment ID: {comment_id}")
+
+        # List comments
+        comments = await nc_client.deck.get_comments(card_id)
+        assert isinstance(comments, list)
+        assert any(c.id == comment_id for c in comments)
+        logger.info(f"Found comment ID: {comment_id} in card comments")
+
+        # Update comment
+        updated_message = f"Updated {comment_message}"
+        updated_comment = await nc_client.deck.update_comment(
+            card_id, comment_id, updated_message
+        )
+        assert updated_comment.message == updated_message
+        logger.info(f"Successfully updated comment ID: {comment_id}")
+
+    finally:
+        # Clean up - delete comment
+        if comment and hasattr(comment, "id"):
+            try:
+                await nc_client.deck.delete_comment(card_id, comment.id)
+                logger.info(f"Cleaned up comment ID: {comment.id}")
+            except Exception as e:
+                logger.warning(f"Failed to clean up comment ID: {comment.id}: {e}")
@@ -1,7 +1,8 @@
-import pytest
 import logging
 import time
 import uuid
+
+import pytest
 from httpx import HTTPStatusError

 from nextcloud_mcp_server.client import NextcloudClient
@@ -1,10 +1,11 @@
-import pytest
+import logging
 import time
 import uuid
-import logging
-from PIL import Image, ImageDraw
 from io import BytesIO
+
+import pytest
 from httpx import HTTPStatusError  # Import if needed for specific error checks
+from PIL import Image, ImageDraw

 from nextcloud_mcp_server.client import NextcloudClient

@@ -1,7 +1,8 @@
-import pytest
-import logging
 import asyncio
+import logging
 import uuid  # Keep uuid if needed for generating unique data within tests
+
+import pytest
 from httpx import HTTPStatusError

 from nextcloud_mcp_server.client import NextcloudClient
@@ -1,9 +1,10 @@
-import pytest
-import logging
 import asyncio
+import logging
 import uuid
+from typing import Any, Dict
+
+import pytest
 from httpx import HTTPStatusError
-from typing import Dict, Any

 from nextcloud_mcp_server.client import NextcloudClient

@@ -13,7 +14,7 @@ logger = logging.getLogger(__name__)
 pytestmark = pytest.mark.integration


-@pytest.fixture(scope="session")
+@pytest.fixture(scope="module")
 async def sample_table_info(nc_client: NextcloudClient) -> Dict[str, Any]:
    """
    Fixture to get information about the sample table that comes with Nextcloud Tables.
@@ -0,0 +1,103 @@
+"""Integration tests for OAuth authentication."""
+
+import logging
+import os
+
+import pytest
+from httpx import HTTPStatusError
+
+from nextcloud_mcp_server.auth import BearerAuth
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+# OAuth Client Tests
+
+
+async def test_oauth_client_capabilities(nc_oauth_client: NextcloudClient):
+    """Test that OAuth client can fetch capabilities."""
+    capabilities = await nc_oauth_client.capabilities()
+
+    assert capabilities is not None
+    assert "ocs" in capabilities
+    logger.info(
+        f"OAuth client successfully fetched capabilities: {capabilities.get('ocs').get('meta')}"
+    )
+
+
+async def test_oauth_client_notes_list(nc_oauth_client: NextcloudClient):
+    """Test that OAuth client can list notes."""
+    notes = await nc_oauth_client.notes.get_all_notes()
+
+    assert isinstance(notes, list)
+    logger.info(f"OAuth client successfully listed {len(notes)} notes")
+
+
+async def test_oauth_client_create_note(nc_oauth_client: NextcloudClient):
+    """Test that OAuth client can create and delete a note."""
+    # Create note
+    note_title = "OAuth Test Note"
+    note_content = "This note was created with OAuth authentication"
+
+    created_note = await nc_oauth_client.notes.create_note(
+        title=note_title, content=note_content
+    )
+
+    assert created_note is not None
+    assert created_note.get("title") == note_title
+    note_id = created_note.get("id")
+    assert note_id is not None
+
+    logger.info(f"OAuth client successfully created note with ID: {note_id}")
+
+    # Clean up - delete the note
+    try:
+        await nc_oauth_client.notes.delete_note(note_id=note_id)
+        logger.info(f"OAuth client successfully deleted note {note_id}")
+    except Exception as e:
+        logger.error(f"Failed to clean up test note {note_id}: {e}")
+        raise
+
+
+# OAuth Token Validation Tests
+
+
+async def test_token_in_request_headers(
+    nc_oauth_client: NextcloudClient, playwright_oauth_token: str
+):
+    """Verify that bearer token is being used in requests."""
+    # The client should be using BearerAuth
+    assert nc_oauth_client._client.auth is not None
+
+    # Make a request and verify it works
+    capabilities = await nc_oauth_client.capabilities()
+    assert capabilities is not None
+
+    logger.info("OAuth bearer token is correctly included in requests")
+
+
+async def test_invalid_token_fails():
+    """Test that an invalid token results in authentication failure."""
+    nextcloud_host = os.getenv("NEXTCLOUD_HOST")
+    if not nextcloud_host:
+        pytest.skip("NEXTCLOUD_HOST not set")
+
+    # Create client with invalid token using BearerAuth
+    invalid_client = NextcloudClient(
+        base_url=nextcloud_host,
+        username="testuser",
+        auth=BearerAuth("invalid_token_12345"),
+    )
+
+    # Attempt to use a protected endpoint - should fail with 401
+    # Note: capabilities endpoint is public and doesn't require auth
+    with pytest.raises(HTTPStatusError) as exc_info:
+        await invalid_client.notes.get_all_notes()
+
+    assert exc_info.value.response.status_code == 401
+
+    await invalid_client.close()
+    logger.info("Invalid OAuth token correctly rejected")
@@ -0,0 +1,41 @@
+"""Interactive integration tests for OAuth authentication."""
+
+import logging
+import os
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+@pytest.mark.skipif(
+    "GITHUB_ACTIONS" in os.environ,
+    reason="Unable to access interactive browser in GitHub Actions",
+)
+async def test_oauth_client_with_interactive_flow(nc_oauth_client_interactive):
+    """Test that OAuth client created via interactive flow can access Nextcloud APIs."""
+    # Test 1: Check capabilities
+    capabilities = await nc_oauth_client_interactive.capabilities()
+    assert capabilities is not None
+    logger.info("OAuth client (interactive) successfully fetched capabilities")
+
+    # Test 2: List notes
+    notes = await nc_oauth_client_interactive.notes.get_all_notes()
+    assert isinstance(notes, list)
+    logger.info(f"OAuth client (interactive) successfully listed {len(notes)} notes")
+
+    # Test 3: Create and delete a note
+    test_note = await nc_oauth_client_interactive.notes.create_note(
+        title="OAuth Interactive Test Note",
+        content="This note was created during OAuth interactive testing",
+    )
+    assert test_note is not None
+    assert test_note.get("id") is not None
+    note_id = test_note["id"]
+    logger.info(f"OAuth client (interactive) successfully created note {note_id}")
+
+    # Clean up
+    await nc_oauth_client_interactive.notes.delete_note(note_id=note_id)
+    logger.info(f"OAuth client (interactive) successfully deleted note {note_id}")
@@ -0,0 +1,32 @@
+"""Integration tests for Playwright-based OAuth authentication."""
+
+import logging
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+async def test_playwright_oauth_token_acquisition(playwright_oauth_token: str):
+    """Test that Playwright can acquire an OAuth token automatically."""
+    assert playwright_oauth_token is not None
+    assert isinstance(playwright_oauth_token, str)
+    assert len(playwright_oauth_token) > 0
+    logger.info(
+        f"Successfully acquired OAuth token via Playwright: {playwright_oauth_token[:20]}..."
+    )
+
+
+async def test_oauth_client_with_playwright_flow(nc_oauth_client_playwright):
+    """Test that OAuth client created via Playwright flow can access Nextcloud APIs."""
+    # Test 1: Check capabilities
+    capabilities = await nc_oauth_client_playwright.capabilities()
+    assert capabilities is not None
+    logger.info("OAuth client (Playwright) successfully fetched capabilities")
+
+    # Test 2: List notes
+    notes = await nc_oauth_client_playwright.notes.get_all_notes()
+    assert isinstance(notes, list)
+    logger.info(f"OAuth client (Playwright) successfully listed {len(notes)} notes")
@@ -0,0 +1,172 @@
+"""Integration tests for Nextcloud Sharing API client."""
+
+import logging
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = pytest.mark.integration
+
+
+@pytest.mark.asyncio
+async def test_create_and_delete_share(nc_client):
+    """Test creating and deleting a file share."""
+    # Create a test user to share with
+    test_user = "testuser3"
+    try:
+        await nc_client.users.create_user(
+            userid=test_user, password="SecureP@ssw0rd!2024TestUser"
+        )
+    except Exception:
+        pass  # User might already exist
+
+    # Create a test file
+    file_path = "/test_share_file.txt"
+    file_content = b"Test file for sharing"
+
+    await nc_client.webdav.write_file(file_path, file_content)
+
+    share_id = None
+    try:
+        # Create a share
+        share_data = await nc_client.sharing.create_share(
+            path=file_path,
+            share_with=test_user,  # Share with test user
+            share_type=0,  # User share
+            permissions=1,  # Read-only
+        )
+
+        assert share_data is not None
+        assert "id" in share_data
+        share_id = share_data["id"]
+        logger.info(f"Created share: {share_id}")
+
+        # Get share info
+        share_info = await nc_client.sharing.get_share(share_id)
+        assert share_info["id"] == share_id
+        assert share_info["path"] == file_path
+        assert share_info["permissions"] == 1
+
+        # List shares
+        shares = await nc_client.sharing.list_shares(path=file_path)
+        assert len(shares) > 0
+        assert any(s["id"] == share_id for s in shares)
+
+    finally:
+        # Cleanup
+        if share_id:
+            await nc_client.sharing.delete_share(share_id)
+            logger.info(f"Deleted share: {share_id}")
+
+        await nc_client.webdav.delete_resource(file_path)
+
+        # Cleanup test user
+        try:
+            await nc_client.users.delete_user(test_user)
+        except Exception:
+            pass
+
+
+@pytest.mark.asyncio
+async def test_update_share_permissions(nc_client):
+    """Test updating share permissions."""
+    # Create a test user to share with
+    test_user = "testuser3"
+    try:
+        await nc_client.users.create_user(
+            userid=test_user, password="SecureP@ssw0rd!2024TestUser"
+        )
+    except Exception:
+        pass  # User might already exist
+
+    # Create a test file
+    file_path = "/test_share_update.txt"
+    file_content = b"Test file for permission updates"
+
+    await nc_client.webdav.write_file(file_path, file_content)
+
+    share_id = None
+    try:
+        # Create a share with read-only permissions
+        share_data = await nc_client.sharing.create_share(
+            path=file_path,
+            share_with=test_user,
+            share_type=0,
+            permissions=1,  # Read-only
+        )
+        share_id = share_data["id"]
+
+        # Update to read+write permissions
+        updated_share = await nc_client.sharing.update_share(
+            share_id=share_id,
+            permissions=3,  # Read + Write
+        )
+
+        assert updated_share["id"] == share_id
+        assert updated_share["permissions"] == 3
+
+    finally:
+        # Cleanup
+        if share_id:
+            await nc_client.sharing.delete_share(share_id)
+
+        await nc_client.webdav.delete_resource(file_path)
+
+        # Cleanup test user
+        try:
+            await nc_client.users.delete_user(test_user)
+        except Exception:
+            pass
+
+
+@pytest.mark.asyncio
+async def test_list_shares(nc_client):
+    """Test listing all shares."""
+    # Create a test user to share with
+    test_user = "testuser3"
+    try:
+        await nc_client.users.create_user(
+            userid=test_user, password="SecureP@ssw0rd!2024TestUser"
+        )
+    except Exception:
+        pass  # User might already exist
+
+    # Create a test file
+    file_path = "/test_list_shares.txt"
+    file_content = b"Test file for listing shares"
+
+    await nc_client.webdav.write_file(file_path, file_content)
+
+    share_id = None
+    try:
+        # Create a share
+        share_data = await nc_client.sharing.create_share(
+            path=file_path,
+            share_with=test_user,
+            share_type=0,
+            permissions=1,
+        )
+        share_id = share_data["id"]
+
+        # List all shares
+        all_shares = await nc_client.sharing.list_shares()
+        assert len(all_shares) > 0
+
+        # List shares for specific file
+        file_shares = await nc_client.sharing.list_shares(path=file_path)
+        assert len(file_shares) > 0
+        assert any(s["id"] == share_id for s in file_shares)
+
+    finally:
+        # Cleanup
+        if share_id:
+            await nc_client.sharing.delete_share(share_id)
+
+        await nc_client.webdav.delete_resource(file_path)
+
+        # Cleanup test user
+        try:
+            await nc_client.users.delete_user(test_user)
+        except Exception:
+            pass
@@ -1,7 +1,8 @@
-import pytest
 import logging
 import time
 import uuid
+
+import pytest
 from httpx import HTTPStatusError

 from nextcloud_mcp_server.client import NextcloudClient
@@ -0,0 +1,273 @@
+"""Integration tests for WebDAV operations."""
+
+import logging
+import uuid
+
+import pytest
+from httpx import HTTPStatusError
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+
+# Mark all tests in this module as integration tests
+pytestmark = pytest.mark.integration
+
+
+@pytest.fixture
+async def test_base_path(nc_client: NextcloudClient):
+    """Base path for test files/directories."""
+    test_dir = f"mcp_test_{uuid.uuid4().hex[:8]}"
+    await nc_client.webdav.create_directory(test_dir)
+    yield test_dir
+    await nc_client.webdav.delete_resource(test_dir)
+
+
+async def test_create_and_delete_directory(
+    nc_client: NextcloudClient, test_base_path: str
+):
+    """Test creating and deleting directories."""
+    test_dir = f"{test_base_path}/test_directory"
+
+    try:
+        # Create directory
+        result = await nc_client.webdav.create_directory(test_dir)
+        assert result["status_code"] == 201  # Created
+        logger.info(f"Created directory: {test_dir}")
+
+        # Verify directory exists by listing parent
+        parent_listing = await nc_client.webdav.list_directory(test_base_path)
+        dir_names = [item["name"] for item in parent_listing]
+        assert "test_directory" in dir_names
+
+        # Delete directory
+        delete_result = await nc_client.webdav.delete_resource(test_dir)
+        assert delete_result["status_code"] in [204, 404]  # No Content or Not Found
+        logger.info(f"Deleted directory: {test_dir}")
+
+    finally:
+        # Cleanup: ensure directory is deleted
+        try:
+            await nc_client.webdav.delete_resource(test_dir)
+        except Exception:
+            pass
+
+
+async def test_write_read_delete_file(nc_client: NextcloudClient, test_base_path: str):
+    """Test writing, reading, and deleting files."""
+    test_file = f"{test_base_path}/test_file.txt"
+    test_content = f"Test content {uuid.uuid4().hex}"
+
+    try:
+        # Create base directory first
+        await nc_client.webdav.create_directory(test_base_path)
+
+        # Write file
+        write_result = await nc_client.webdav.write_file(
+            test_file, test_content.encode("utf-8"), content_type="text/plain"
+        )
+        assert write_result["status_code"] in [200, 201, 204]  # Success codes
+        logger.info(f"Wrote file: {test_file}")
+
+        # Read file back
+        content, content_type = await nc_client.webdav.read_file(test_file)
+        assert content.decode("utf-8") == test_content
+        assert "text/plain" in content_type
+        logger.info(f"Read file: {test_file}")
+
+        # Verify file appears in directory listing
+        listing = await nc_client.webdav.list_directory(test_base_path)
+        file_names = [item["name"] for item in listing]
+        assert "test_file.txt" in file_names
+
+        # Delete file
+        delete_result = await nc_client.webdav.delete_resource(test_file)
+        assert delete_result["status_code"] in [204, 404]  # No Content or Not Found
+        logger.info(f"Deleted file: {test_file}")
+
+    finally:
+        # Cleanup
+        try:
+            await nc_client.webdav.delete_resource(test_file)
+            await nc_client.webdav.delete_resource(test_base_path)
+        except Exception:
+            pass
+
+
+async def test_list_directory_empty_and_populated(
+    nc_client: NextcloudClient, test_base_path: str
+):
+    """Test listing empty and populated directories."""
+    try:
+        # Create base directory
+        await nc_client.webdav.create_directory(test_base_path)
+
+        # List empty directory
+        empty_listing = await nc_client.webdav.list_directory(test_base_path)
+        assert isinstance(empty_listing, list)
+        assert len(empty_listing) == 0
+        logger.info(f"Empty directory listing: {len(empty_listing)} items")
+
+        # Add some files and directories
+        await nc_client.webdav.create_directory(f"{test_base_path}/subdir1")
+        await nc_client.webdav.create_directory(f"{test_base_path}/subdir2")
+        await nc_client.webdav.write_file(
+            f"{test_base_path}/file1.txt", b"content1", content_type="text/plain"
+        )
+        await nc_client.webdav.write_file(
+            f"{test_base_path}/file2.md",
+            b"# Markdown content",
+            content_type="text/markdown",
+        )
+
+        # List populated directory
+        populated_listing = await nc_client.webdav.list_directory(test_base_path)
+        assert len(populated_listing) == 4  # 2 dirs + 2 files
+
+        # Check that we have both files and directories
+        names = [item["name"] for item in populated_listing]
+        assert "subdir1" in names
+        assert "subdir2" in names
+        assert "file1.txt" in names
+        assert "file2.md" in names
+
+        # Check metadata is present
+        for item in populated_listing:
+            assert "name" in item
+            assert "path" in item
+            assert "is_directory" in item
+            assert "size" in item
+            assert "content_type" in item
+            assert "last_modified" in item
+
+        logger.info(f"Populated directory listing: {len(populated_listing)} items")
+
+    finally:
+        # Cleanup
+        try:
+            await nc_client.webdav.delete_resource(f"{test_base_path}/file1.txt")
+            await nc_client.webdav.delete_resource(f"{test_base_path}/file2.md")
+            await nc_client.webdav.delete_resource(f"{test_base_path}/subdir1")
+            await nc_client.webdav.delete_resource(f"{test_base_path}/subdir2")
+            await nc_client.webdav.delete_resource(test_base_path)
+        except Exception:
+            pass
+
+
+async def test_read_nonexistent_file(nc_client: NextcloudClient):
+    """Test reading a file that doesn't exist."""
+    nonexistent_file = f"nonexistent_{uuid.uuid4().hex}.txt"
+
+    with pytest.raises(HTTPStatusError) as exc_info:
+        await nc_client.webdav.read_file(nonexistent_file)
+
+    assert exc_info.value.response.status_code == 404
+    logger.info(f"Correctly got 404 for nonexistent file: {nonexistent_file}")
+
+
+async def test_delete_nonexistent_resource(nc_client: NextcloudClient):
+    """Test deleting a resource that doesn't exist."""
+    nonexistent_resource = f"nonexistent_{uuid.uuid4().hex}"
+
+    result = await nc_client.webdav.delete_resource(nonexistent_resource)
+    assert result["status_code"] == 404
+    logger.info(f"Correctly got 404 for nonexistent resource: {nonexistent_resource}")
+
+
+async def test_create_nested_directories(
+    nc_client: NextcloudClient, test_base_path: str
+):
+    """Test creating nested directory structures."""
+    nested_path = f"{test_base_path}/level1/level2/level3"
+
+    try:
+        # Create nested directories (should create parent directories automatically)
+        result = await nc_client.webdav.create_directory(nested_path, True)
+        assert result["status_code"] == 201
+
+        # Verify the structure was created
+        level1_listing = await nc_client.webdav.list_directory(
+            f"{test_base_path}/level1"
+        )
+        assert len(level1_listing) == 1
+        assert level1_listing[0]["name"] == "level2"
+        assert level1_listing[0]["is_directory"] is True
+
+        level2_listing = await nc_client.webdav.list_directory(
+            f"{test_base_path}/level1/level2"
+        )
+        assert len(level2_listing) == 1
+        assert level2_listing[0]["name"] == "level3"
+        assert level2_listing[0]["is_directory"] is True
+
+        logger.info(f"Created nested directory structure: {nested_path}")
+
+    finally:
+        # Cleanup - delete from deepest to shallowest
+        try:
+            await nc_client.webdav.delete_resource(nested_path)
+            await nc_client.webdav.delete_resource(f"{test_base_path}/level1/level2")
+            await nc_client.webdav.delete_resource(f"{test_base_path}/level1")
+        except Exception:
+            pass
+
+
+async def test_overwrite_existing_file(nc_client: NextcloudClient, test_base_path: str):
+    """Test overwriting an existing file."""
+    test_file = f"{test_base_path}/overwrite_test.txt"
+    original_content = "Original content"
+    new_content = "New content after overwrite"
+
+    try:
+        # Create base directory
+        await nc_client.webdav.create_directory(test_base_path)
+
+        # Write original file
+        await nc_client.webdav.write_file(
+            test_file, original_content.encode("utf-8"), content_type="text/plain"
+        )
+
+        # Verify original content
+        content, _ = await nc_client.webdav.read_file(test_file)
+        assert content.decode("utf-8") == original_content
+
+        # Overwrite with new content
+        overwrite_result = await nc_client.webdav.write_file(
+            test_file, new_content.encode("utf-8"), content_type="text/plain"
+        )
+        assert overwrite_result["status_code"] in [200, 204]  # OK or No Content
+
+        # Verify new content
+        content, _ = await nc_client.webdav.read_file(test_file)
+        assert content.decode("utf-8") == new_content
+
+        logger.info(f"Successfully overwrote file: {test_file}")
+
+    finally:
+        # Cleanup
+        try:
+            await nc_client.webdav.delete_resource(test_file)
+            await nc_client.webdav.delete_resource(test_base_path)
+        except Exception:
+            pass
+
+
+async def test_list_root_directory(nc_client: NextcloudClient):
+    """Test listing the root directory."""
+    root_listing = await nc_client.webdav.list_directory("")
+
+    # Root directory should exist and be listable
+    assert isinstance(root_listing, list)
+    # Should have at least some default folders/files
+    assert len(root_listing) >= 0
+
+    # Check structure of items
+    for item in root_listing:
+        assert "name" in item
+        assert "path" in item
+        assert "is_directory" in item
+        assert "size" in item
+        assert "content_type" in item
+        assert "last_modified" in item
+
+    logger.info(f"Root directory contains {len(root_listing)} items")
@@ -0,0 +1,86 @@
+"""Integration tests for Contacts MCP tools."""
+
+import logging
+import uuid
+
+import pytest
+from mcp import ClientSession
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+pytestmark = pytest.mark.integration
+
+
+async def test_mcp_contacts_workflow(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test complete Contacts workflow via MCP tools with verification via NextcloudClient."""
+
+    addressbook_name = f"mcp-test-addressbook-{uuid.uuid4().hex[:8]}"
+    unique_suffix = uuid.uuid4().hex[:8]
+    contact_uid = f"mcp-contact-{unique_suffix}"
+    contact_data = {
+        "fn": f"MCP Contact {unique_suffix}",
+        "email": f"mcp.contact.{unique_suffix}@example.com",
+        "tel": "1234567890",
+    }
+
+    try:
+        # 1. Create address book via MCP
+        logger.info(f"Creating address book via MCP: {addressbook_name}")
+        create_ab_result = await nc_mcp_client.call_tool(
+            "nc_contacts_create_addressbook",
+            {"name": addressbook_name, "display_name": f"MCP Test {addressbook_name}"},
+        )
+        assert create_ab_result.isError is False
+
+        # 2. Verify address book creation
+        addressbooks = await nc_client.contacts.list_addressbooks()
+        assert any(ab["name"] == addressbook_name for ab in addressbooks)
+
+        # 3. Create contact via MCP
+        logger.info(f"Creating contact in {addressbook_name} via MCP")
+        create_c_result = await nc_mcp_client.call_tool(
+            "nc_contacts_create_contact",
+            {
+                "addressbook": addressbook_name,
+                "uid": contact_uid,
+                "contact_data": contact_data,
+            },
+        )
+        assert create_c_result.isError is False
+
+        # 4. Verify contact creation
+        contacts = await nc_client.contacts.list_contacts(addressbook=addressbook_name)
+        assert any(c["vcard_id"] == contact_uid for c in contacts)
+
+        # 5. Delete contact via MCP
+        logger.info(f"Deleting contact {contact_uid} via MCP")
+        delete_c_result = await nc_mcp_client.call_tool(
+            "nc_contacts_delete_contact",
+            {"addressbook": addressbook_name, "uid": contact_uid},
+        )
+        assert delete_c_result.isError is False
+
+        # 6. Verify contact deletion
+        contacts = await nc_client.contacts.list_contacts(addressbook=addressbook_name)
+        assert not any(c["vcard_id"] == contact_uid for c in contacts)
+
+        # 7. Delete address book via MCP
+        logger.info(f"Deleting address book {addressbook_name} via MCP")
+        delete_ab_result = await nc_mcp_client.call_tool(
+            "nc_contacts_delete_addressbook", {"name": addressbook_name}
+        )
+        assert delete_ab_result.isError is False
+
+        # 8. Verify address book deletion
+        addressbooks = await nc_client.contacts.list_addressbooks()
+        assert not any(ab["name"] == addressbook_name for ab in addressbooks)
+
+    finally:
+        # Cleanup in case of failure
+        try:
+            await nc_client.contacts.delete_addressbook(name=addressbook_name)
+        except Exception:
+            pass
@@ -0,0 +1,569 @@
+import json
+import logging
+import uuid
+
+import pytest
+from mcp import ClientSession
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+pytestmark = pytest.mark.integration
+
+
+# Stack MCP Tools Tests
+async def test_deck_stack_mcp_tools(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient, temporary_board: dict
+):
+    """Test complete deck stack operations via MCP tools."""
+    board_id = temporary_board["id"]
+    stack_title = f"MCP Test Stack {uuid.uuid4().hex[:8]}"
+    stack_order = 1
+
+    # 1. Create stack via MCP tool
+    logger.info(f"Creating stack via MCP: {stack_title}")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_stack",
+        {"board_id": board_id, "title": stack_title, "order": stack_order},
+    )
+
+    assert create_result.isError is False, (
+        f"MCP stack creation failed: {create_result.content}"
+    )
+    created_stack_response = json.loads(create_result.content[0].text)
+    stack_id = created_stack_response["id"]
+    assert created_stack_response["title"] == stack_title
+    assert created_stack_response["order"] == stack_order
+    logger.info(f"Stack created via MCP with ID: {stack_id}")
+
+    try:
+        # 2. Get stack via MCP resource
+        logger.info(f"Getting stack via MCP resource: {stack_id}")
+        get_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/stacks/{stack_id}"
+        )
+
+        assert len(get_result.contents) == 1, "Expected exactly one content item"
+        get_stack_response = json.loads(get_result.contents[0].text)
+        assert get_stack_response["title"] == stack_title
+        logger.info("Stack retrieved via MCP resource successfully")
+
+        # 3. Update stack via MCP tool
+        updated_title = f"Updated {stack_title}"
+        updated_order = 2
+        logger.info(f"Updating stack via MCP tool: {stack_id}")
+        update_result = await nc_mcp_client.call_tool(
+            "deck_update_stack",
+            {
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "title": updated_title,
+                "order": updated_order,
+            },
+        )
+
+        assert update_result.isError is False, (
+            f"MCP stack update failed: {update_result.content}"
+        )
+        logger.info("Stack updated via MCP tool successfully")
+
+        # 4. Verify update via direct client
+        updated_stack = await nc_client.deck.get_stack(board_id, stack_id)
+        assert updated_stack.title == updated_title
+        assert updated_stack.order == updated_order
+        logger.info("Stack update verified via direct client")
+
+        # 5. List stacks via MCP resource
+        logger.info("Listing stacks via MCP resource")
+        list_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/stacks"
+        )
+
+        assert len(list_result.contents) == 1, "Expected exactly one content item"
+        stacks_data = json.loads(list_result.contents[0].text)
+        assert isinstance(stacks_data, list)
+
+        # Verify our stack is in the list
+        stack_ids = [stack["id"] for stack in stacks_data]
+        assert stack_id in stack_ids, "Updated stack not found in list"
+        logger.info(f"Stack {stack_id} found in stacks list")
+
+        # 6. Read stack via MCP resource
+        logger.info(f"Reading stack via MCP resource: {stack_id}")
+        read_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/stacks/{stack_id}"
+        )
+        read_stack_data = json.loads(read_result.contents[0].text)
+        assert read_stack_data["title"] == updated_title
+        logger.info("Stack read via MCP resource successfully")
+
+    finally:
+        # Clean up
+        await nc_client.deck.delete_stack(board_id, stack_id)
+        logger.info(f"Cleaned up stack ID: {stack_id}")
+
+
+# Card MCP Tools Tests
+async def test_deck_card_mcp_tools(
+    nc_mcp_client: ClientSession,
+    nc_client: NextcloudClient,
+    temporary_board_with_stack: tuple,
+):
+    """Test complete deck card operations via MCP tools."""
+    board_data, stack_data = temporary_board_with_stack
+    board_id = board_data["id"]
+    stack_id = stack_data["id"]
+    card_title = f"MCP Test Card {uuid.uuid4().hex[:8]}"
+    card_description = f"Test description for {card_title}"
+
+    # 1. Create card via MCP tool
+    logger.info(f"Creating card via MCP: {card_title}")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_card",
+        {
+            "board_id": board_id,
+            "stack_id": stack_id,
+            "title": card_title,
+            "description": card_description,
+            "type": "plain",
+            "order": 1,
+        },
+    )
+
+    assert create_result.isError is False, (
+        f"MCP card creation failed: {create_result.content}"
+    )
+    created_card_response = json.loads(create_result.content[0].text)
+    card_id = created_card_response["id"]
+    assert created_card_response["title"] == card_title
+    assert created_card_response["description"] == card_description
+    logger.info(f"Card created via MCP with ID: {card_id}")
+
+    try:
+        # 2. Get card via MCP resource
+        logger.info(f"Getting card via MCP resource: {card_id}")
+        get_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/stacks/{stack_id}/cards/{card_id}"
+        )
+
+        assert len(get_result.contents) == 1, "Expected exactly one content item"
+        get_card_response = json.loads(get_result.contents[0].text)
+        assert get_card_response["title"] == card_title
+        logger.info("Card retrieved via MCP resource successfully")
+
+        # 3. Update card via MCP tool
+        updated_title = f"Updated {card_title}"
+        updated_description = f"Updated description for {card_title}"
+        logger.info(f"Updating card via MCP tool: {card_id}")
+        update_result = await nc_mcp_client.call_tool(
+            "deck_update_card",
+            {
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "card_id": card_id,
+                "title": updated_title,
+                "description": updated_description,
+            },
+        )
+
+        assert update_result.isError is False, (
+            f"MCP card update failed: {update_result.content}"
+        )
+        logger.info("Card updated via MCP tool successfully")
+
+        # 4. Verify update via direct client
+        updated_card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+        assert updated_card.title == updated_title
+        assert updated_card.description == updated_description
+        logger.info("Card update verified via direct client")
+
+        # 5. Archive/unarchive card via MCP tools
+        logger.info(f"Archiving card via MCP tool: {card_id}")
+        archive_result = await nc_mcp_client.call_tool(
+            "deck_archive_card",
+            {"board_id": board_id, "stack_id": stack_id, "card_id": card_id},
+        )
+
+        assert archive_result.isError is False, (
+            f"MCP card archive failed: {archive_result.content}"
+        )
+        logger.info("Card archived via MCP tool successfully")
+
+        logger.info(f"Unarchiving card via MCP tool: {card_id}")
+        unarchive_result = await nc_mcp_client.call_tool(
+            "deck_unarchive_card",
+            {"board_id": board_id, "stack_id": stack_id, "card_id": card_id},
+        )
+
+        assert unarchive_result.isError is False, (
+            f"MCP card unarchive failed: {unarchive_result.content}"
+        )
+        logger.info("Card unarchived via MCP tool successfully")
+
+        # 6. Move card to different position via MCP tool
+        logger.info(f"Reordering card via MCP tool: {card_id}")
+        reorder_result = await nc_mcp_client.call_tool(
+            "deck_reorder_card",
+            {
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "card_id": card_id,
+                "order": 10,
+                "target_stack_id": stack_id,
+            },
+        )
+
+        assert reorder_result.isError is False, (
+            f"MCP card reorder failed: {reorder_result.content}"
+        )
+        logger.info("Card reordered via MCP tool successfully")
+
+        # 7. Read card via MCP resource
+        logger.info(f"Reading card via MCP resource: {card_id}")
+        read_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/stacks/{stack_id}/cards/{card_id}"
+        )
+        read_card_data = json.loads(read_result.contents[0].text)
+        assert read_card_data["title"] == updated_title
+        logger.info("Card read via MCP resource successfully")
+
+    finally:
+        # Clean up
+        await nc_client.deck.delete_card(board_id, stack_id, card_id)
+        logger.info(f"Cleaned up card ID: {card_id}")
+
+
+# Label MCP Tools Tests
+async def test_deck_label_mcp_tools(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient, temporary_board: dict
+):
+    """Test complete deck label operations via MCP tools."""
+    board_id = temporary_board["id"]
+    label_title = f"MCP Test Label {uuid.uuid4().hex[:8]}"
+    label_color = "FF0000"  # Red
+
+    # 1. Create label via MCP tool
+    logger.info(f"Creating label via MCP: {label_title}")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_label",
+        {"board_id": board_id, "title": label_title, "color": label_color},
+    )
+
+    assert create_result.isError is False, (
+        f"MCP label creation failed: {create_result.content}"
+    )
+    created_label_response = json.loads(create_result.content[0].text)
+    label_id = created_label_response["id"]
+    assert created_label_response["title"] == label_title
+    assert created_label_response["color"] == label_color
+    logger.info(f"Label created via MCP with ID: {label_id}")
+
+    try:
+        # 2. Get label via MCP resource
+        logger.info(f"Getting label via MCP resource: {label_id}")
+        get_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/labels/{label_id}"
+        )
+
+        assert len(get_result.contents) == 1, "Expected exactly one content item"
+        get_label_response = json.loads(get_result.contents[0].text)
+        assert get_label_response["title"] == label_title
+        logger.info("Label retrieved via MCP resource successfully")
+
+        # 3. Update label via MCP tool
+        updated_title = f"Updated {label_title}"
+        updated_color = "00FF00"  # Green
+        logger.info(f"Updating label via MCP tool: {label_id}")
+        update_result = await nc_mcp_client.call_tool(
+            "deck_update_label",
+            {
+                "board_id": board_id,
+                "label_id": label_id,
+                "title": updated_title,
+                "color": updated_color,
+            },
+        )
+
+        assert update_result.isError is False, (
+            f"MCP label update failed: {update_result.content}"
+        )
+        logger.info("Label updated via MCP tool successfully")
+
+        # 4. Verify update via direct client
+        updated_label = await nc_client.deck.get_label(board_id, label_id)
+        assert updated_label.title == updated_title
+        assert updated_label.color == updated_color
+        logger.info("Label update verified via direct client")
+
+        # 5. Read label via MCP resource
+        logger.info(f"Reading label via MCP resource: {label_id}")
+        read_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{board_id}/labels/{label_id}"
+        )
+        read_label_data = json.loads(read_result.contents[0].text)
+        assert read_label_data["title"] == updated_title
+        logger.info("Label read via MCP resource successfully")
+
+    finally:
+        # Clean up
+        await nc_client.deck.delete_label(board_id, label_id)
+        logger.info(f"Cleaned up label ID: {label_id}")
+
+
+# Label-Card Assignment Tests
+async def test_deck_card_label_assignment_mcp_tools(
+    nc_mcp_client: ClientSession,
+    nc_client: NextcloudClient,
+    temporary_board_with_card: tuple,
+):
+    """Test card-label assignment operations via MCP tools."""
+    board_data, stack_data, card_data = temporary_board_with_card
+    board_id = board_data["id"]
+    stack_id = stack_data["id"]
+    card_id = card_data["id"]
+
+    # Create a label for assignment
+    label = await nc_client.deck.create_label(
+        board_id, "Assignment Test Label", "0000FF"
+    )
+    label_id = label.id
+
+    try:
+        # 1. Assign label to card via MCP tool
+        logger.info(f"Assigning label {label_id} to card {card_id} via MCP")
+        assign_result = await nc_mcp_client.call_tool(
+            "deck_assign_label_to_card",
+            {
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "card_id": card_id,
+                "label_id": label_id,
+            },
+        )
+
+        assert assign_result.isError is False, (
+            f"MCP label assignment failed: {assign_result.content}"
+        )
+        logger.info("Label assigned to card via MCP tool successfully")
+
+        # 2. Verify assignment via direct client
+        card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+        if card.labels:
+            label_ids = [label.id for label in card.labels]
+            assert label_id in label_ids, "Label not found in card labels"
+        logger.info("Label assignment verified via direct client")
+
+        # 3. Remove label from card via MCP tool
+        logger.info(f"Removing label {label_id} from card {card_id} via MCP")
+        remove_result = await nc_mcp_client.call_tool(
+            "deck_remove_label_from_card",
+            {
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "card_id": card_id,
+                "label_id": label_id,
+            },
+        )
+
+        assert remove_result.isError is False, (
+            f"MCP label removal failed: {remove_result.content}"
+        )
+        logger.info("Label removed from card via MCP tool successfully")
+
+        # 4. Verify removal via direct client
+        card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+        if card.labels:
+            label_ids = [label.id for label in card.labels]
+            assert label_id not in label_ids, (
+                "Label still found in card labels after removal"
+            )
+        logger.info("Label removal verified via direct client")
+
+    finally:
+        # Clean up
+        await nc_client.deck.delete_label(board_id, label_id)
+        logger.info(f"Cleaned up label ID: {label_id}")
+
+
+# User Assignment Tests
+async def test_deck_card_user_assignment_mcp_tools(
+    nc_mcp_client: ClientSession,
+    nc_client: NextcloudClient,
+    temporary_board_with_card: tuple,
+):
+    """Test card-user assignment operations via MCP tools."""
+    board_data, stack_data, card_data = temporary_board_with_card
+    board_id = board_data["id"]
+    stack_id = stack_data["id"]
+    card_id = card_data["id"]
+
+    # Use the current user ID (admin in most test environments)
+    user_id = "admin"
+
+    # 1. Assign user to card via MCP tool
+    logger.info(f"Assigning user {user_id} to card {card_id} via MCP")
+    assign_result = await nc_mcp_client.call_tool(
+        "deck_assign_user_to_card",
+        {
+            "board_id": board_id,
+            "stack_id": stack_id,
+            "card_id": card_id,
+            "user_id": user_id,
+        },
+    )
+
+    assert assign_result.isError is False, (
+        f"MCP user assignment failed: {assign_result.content}"
+    )
+    logger.info("User assigned to card via MCP tool successfully")
+
+    # 2. Verify assignment via direct client
+    card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+    if card.assignedUsers:
+        user_ids = []
+        for user in card.assignedUsers:
+            if hasattr(user, "participant"):
+                # It's a DeckAssignedUser with participant
+                user_ids.append(user.participant.uid)
+            elif hasattr(user, "uid"):
+                # It's a direct DeckUser
+                user_ids.append(user.uid)
+        assert user_id in user_ids, "User not found in card assigned users"
+    logger.info("User assignment verified via direct client")
+
+    # 3. Unassign user from card via MCP tool
+    logger.info(f"Unassigning user {user_id} from card {card_id} via MCP")
+    unassign_result = await nc_mcp_client.call_tool(
+        "deck_unassign_user_from_card",
+        {
+            "board_id": board_id,
+            "stack_id": stack_id,
+            "card_id": card_id,
+            "user_id": user_id,
+        },
+    )
+
+    assert unassign_result.isError is False, (
+        f"MCP user unassignment failed: {unassign_result.content}"
+    )
+    logger.info("User unassigned from card via MCP tool successfully")
+
+    # 4. Verify unassignment via direct client
+    card = await nc_client.deck.get_card(board_id, stack_id, card_id)
+    if card.assignedUsers:
+        user_ids = []
+        for user in card.assignedUsers:
+            if hasattr(user, "participant"):
+                # It's a DeckAssignedUser with participant
+                user_ids.append(user.participant.uid)
+            elif hasattr(user, "uid"):
+                # It's a direct DeckUser
+                user_ids.append(user.uid)
+        assert user_id not in user_ids, (
+            "User still found in card assigned users after removal"
+        )
+    logger.info("User unassignment verified via direct client")
+
+
+# Error handling tests
+async def test_deck_mcp_tools_error_handling(nc_mcp_client: ClientSession):
+    """Test error handling for deck MCP tools with invalid parameters."""
+    non_existent_id = 999999999
+
+    # Test stack operations with non-existent board
+    stack_result = await nc_mcp_client.call_tool(
+        "deck_create_stack",
+        {"board_id": non_existent_id, "title": "Should Fail", "order": 1},
+    )
+    assert stack_result.isError is True, (
+        "Expected error for stack creation on non-existent board"
+    )
+
+    # Test card operations with non-existent IDs
+    card_result = await nc_mcp_client.call_tool(
+        "deck_create_card",
+        {
+            "board_id": non_existent_id,
+            "stack_id": non_existent_id,
+            "title": "Should Fail",
+            "type": "plain",
+        },
+    )
+    assert card_result.isError is True, (
+        "Expected error for card creation with non-existent IDs"
+    )
+
+    # Test label operations with non-existent board
+    label_result = await nc_mcp_client.call_tool(
+        "deck_create_label",
+        {"board_id": non_existent_id, "title": "Should Fail", "color": "FF0000"},
+    )
+    assert label_result.isError is True, (
+        "Expected error for label creation on non-existent board"
+    )
+
+    logger.info("Error handling tests passed for deck MCP tools")
+
+
+# Resource template tests
+async def test_deck_mcp_resource_templates(nc_mcp_client: ClientSession):
+    """Test deck MCP resource templates are properly registered."""
+    templates = await nc_mcp_client.list_resource_templates()
+    template_uris = [template.uriTemplate for template in templates.resourceTemplates]
+
+    expected_templates = [
+        "nc://Deck/boards/{board_id}/stacks/{stack_id}",
+        "nc://Deck/boards/{board_id}/stacks/{stack_id}/cards/{card_id}",
+        "nc://Deck/boards/{board_id}/labels/{label_id}",
+    ]
+
+    for expected_template in expected_templates:
+        assert expected_template in template_uris, (
+            f"Expected template '{expected_template}' not found"
+        )
+        logger.info(f"Found expected deck resource template: {expected_template}")
+
+
+# Listing resource tests
+async def test_deck_mcp_listing_resources(
+    nc_mcp_client: ClientSession, temporary_board_with_card: tuple
+):
+    """Test deck MCP listing resources for stacks and cards."""
+    board_data, stack_data, card_data = temporary_board_with_card
+    board_id = board_data["id"]
+    stack_id = stack_data["id"]
+
+    # 1. Test listing stacks resource
+    logger.info(f"Reading stacks list via MCP resource for board {board_id}")
+    stacks_resource_result = await nc_mcp_client.read_resource(
+        f"nc://Deck/boards/{board_id}/stacks"
+    )
+    stacks_resource_data = json.loads(stacks_resource_result.contents[0].text)
+    assert isinstance(stacks_resource_data, list)
+
+    # Verify our stack is in the resource list
+    stack_ids = [stack["id"] for stack in stacks_resource_data]
+    assert stack_id in stack_ids, "Stack not found in stacks resource list"
+    logger.info("Stack found in stacks resource list")
+
+    # 2. Test listing cards resource
+    logger.info(f"Reading cards list via MCP resource for stack {stack_id}")
+    cards_resource_result = await nc_mcp_client.read_resource(
+        f"nc://Deck/boards/{board_id}/stacks/{stack_id}/cards"
+    )
+    cards_resource_data = json.loads(cards_resource_result.contents[0].text)
+    assert isinstance(cards_resource_data, list)
+
+    # Verify our card is in the resource list
+    card_ids = [card["id"] for card in cards_resource_data]
+    assert card_data["id"] in card_ids, "Card not found in cards resource list"
+    logger.info("Card found in cards resource list")
+
+    # 3. Test listing labels resource
+    logger.info(f"Reading labels list via MCP resource for board {board_id}")
+    labels_resource_result = await nc_mcp_client.read_resource(
+        f"nc://Deck/boards/{board_id}/labels"
+    )
+    labels_resource_data = json.loads(labels_resource_result.contents[0].text)
+    assert isinstance(labels_resource_data, list)
+    logger.info("Labels resource read successfully")
@@ -0,0 +1,223 @@
+import json
+import logging
+import uuid
+
+import pytest
+from mcp import ClientSession
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+pytestmark = pytest.mark.integration
+
+
+async def test_deck_mcp_connectivity(nc_mcp_client: ClientSession):
+    """Test deck MCP tools are available and functional."""
+
+    # List available tools
+    tools = await nc_mcp_client.list_tools()
+    tool_names = [tool.name for tool in tools.tools]
+
+    # Verify expected deck tools are present
+    expected_deck_tools = ["deck_create_board"]
+
+    for expected_tool in expected_deck_tools:
+        assert expected_tool in tool_names, (
+            f"Expected deck tool '{expected_tool}' not found in available tools"
+        )
+        logger.info(f"Found expected deck tool: {expected_tool}")
+
+    # List available resource templates
+    templates = await nc_mcp_client.list_resource_templates()
+    template_uris = [template.uriTemplate for template in templates.resourceTemplates]
+
+    # Verify expected deck resource templates
+    expected_deck_templates = [
+        "nc://Deck/boards/{board_id}",
+    ]
+
+    for expected_template in expected_deck_templates:
+        assert expected_template in template_uris, (
+            f"Expected deck template '{expected_template}' not found"
+        )
+        logger.info(f"Found expected deck resource template: {expected_template}")
+
+    # List available resources
+    resources = await nc_mcp_client.list_resources()
+    resource_uris = [str(resource.uri) for resource in resources.resources]
+
+    # Verify expected deck resources
+    expected_deck_resources = [
+        "nc://Deck/boards",
+    ]
+
+    for expected_resource in expected_deck_resources:
+        assert expected_resource in resource_uris, (
+            f"Expected deck resource '{expected_resource}' not found"
+        )
+        logger.info(f"Found expected deck resource: {expected_resource}")
+
+
+async def test_deck_board_crud_workflow_mcp(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test complete Deck board CRUD workflow via MCP tools with verification via NextcloudClient."""
+
+    unique_suffix = uuid.uuid4().hex[:8]
+    board_title = f"MCP Test Board {unique_suffix}"
+    board_color = "0000FF"  # Blue
+
+    # 1. Create board via MCP
+    logger.info(f"Creating board via MCP: {board_title}")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_board",
+        {"title": board_title, "color": board_color},
+    )
+
+    assert create_result.isError is False, (
+        f"MCP board creation failed: {create_result.content}"
+    )
+    created_board_json = create_result.content[0].text
+    created_board_response = json.loads(created_board_json)
+    board_id = created_board_response["id"]
+
+    logger.info(f"Board created via MCP with ID: {board_id}")
+    assert created_board_response["title"] == board_title
+    assert created_board_response["color"] == board_color
+
+    # 2. Verify creation via direct NextcloudClient
+    direct_board = await nc_client.deck.get_board(board_id)
+    assert direct_board.title == board_title, (
+        f"Title mismatch: {direct_board.title} != {board_title}"
+    )
+    assert direct_board.color == board_color, "Color mismatch"
+    logger.info("Board creation verified via direct client")
+
+    # 3. Read board via MCP resource
+    logger.info(f"Reading board via MCP resource: {board_id}")
+    read_result = await nc_mcp_client.read_resource(f"nc://Deck/boards/{board_id}")
+    assert len(read_result.contents) == 1, "Expected exactly one content item"
+    read_board_data = json.loads(read_result.contents[0].text)
+
+    assert read_board_data["title"] == board_title
+    assert read_board_data["color"] == board_color
+    logger.info("Board read via MCP resource successfully")
+
+    # 4. Verify board via direct read of resource
+    logger.info(f"Verifying board via resource read: {board_id}")
+    # This was already done in step 3, so we'll just log confirmation
+    logger.info("Board structure verified successfully")
+
+    # 5. Read boards list via MCP resource
+    logger.info("Reading boards list via MCP resource")
+    boards_resource_result = await nc_mcp_client.read_resource("nc://Deck/boards")
+    assert len(boards_resource_result.contents) == 1, (
+        "Expected exactly one content item"
+    )
+    boards_resource_data = json.loads(boards_resource_result.contents[0].text)
+    assert isinstance(boards_resource_data, list)  # Resources return raw lists
+
+    # Verify our board is in the resource list
+    resource_board_ids = [board["id"] for board in boards_resource_data]
+    assert board_id in resource_board_ids, "Created board not found in resource list"
+    logger.info("Board found in boards resource list")
+
+    # Clean up - delete board
+    await nc_client.deck.delete_board(board_id)
+    logger.info(f"Cleaned up board ID: {board_id}")
+
+
+async def test_deck_board_operations_error_handling_mcp(nc_mcp_client: ClientSession):
+    """Test MCP deck tools handle errors appropriately."""
+
+    non_existent_id = 999999999
+
+    # Test create board with invalid parameters via MCP tool
+    logger.info("Testing board creation with invalid parameters via MCP")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_board",
+        {"title": "", "color": "FF0000"},
+    )
+
+    assert create_result.isError is True, "Expected error for invalid board creation"
+    logger.info("Invalid board creation correctly failed via MCP tool")
+
+    # Test read non-existent board via MCP resource
+    logger.info(f"Testing read non-existent board via MCP resource: {non_existent_id}")
+    try:
+        read_result = await nc_mcp_client.read_resource(
+            f"nc://Deck/boards/{non_existent_id}"
+        )
+        # If no error is thrown, check if the result indicates an error
+        assert len(read_result.contents) == 0, (
+            "Expected empty content for non-existent board"
+        )
+    except Exception as e:
+        logger.info(f"Read non-existent board correctly failed via MCP resource: {e}")
+
+
+async def test_deck_board_creation_validation_mcp(nc_mcp_client: ClientSession):
+    """Test deck board creation validation via MCP tools."""
+
+    # Test creating board with empty title should fail
+    logger.info("Testing board creation with empty title via MCP")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_board",
+        {"title": "", "color": "FF0000"},
+    )
+
+    assert create_result.isError is True, "Expected error for empty board title"
+    logger.info("Empty title board creation correctly failed via MCP")
+
+
+async def test_deck_board_creation_success_mcp(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test deck board creation with valid parameters via MCP tools."""
+
+    # Test creating board with valid parameters
+    logger.info("Testing board creation with valid parameters via MCP")
+    create_result = await nc_mcp_client.call_tool(
+        "deck_create_board",
+        {"title": f"Valid Board {uuid.uuid4().hex[:8]}", "color": "00FF00"},
+    )
+
+    assert create_result.isError is False, "Valid board creation should succeed"
+    created_board = json.loads(create_result.content[0].text)
+    board_id = created_board["id"]
+    logger.info(f"Valid board created successfully with ID: {board_id}")
+
+    # Clean up - delete board
+    await nc_client.deck.delete_board(board_id)
+    logger.info(f"Cleaned up board ID: {board_id}")
+
+
+async def test_deck_workflow_integration_mcp(
+    nc_mcp_client: ClientSession, temporary_board_with_card: tuple
+):
+    """Test a complete deck workflow using MCP tools with temporary resources."""
+
+    board_data, stack_data, card_data = temporary_board_with_card
+    board_id = board_data["id"]
+    board_title = board_data["title"]
+
+    # 1. Read board via MCP to verify the structure
+    logger.info(f"Reading board via MCP resource: {board_id}")
+    read_result = await nc_mcp_client.read_resource(f"nc://Deck/boards/{board_id}")
+    board_mcp_data = json.loads(read_result.contents[0].text)
+
+    assert board_mcp_data["title"] == board_title
+    logger.info("Board structure verified via MCP resource")
+
+    # 2. List boards via MCP resource and verify our board is there
+    logger.info("Listing boards via MCP resource")
+    list_result = await nc_mcp_client.read_resource("nc://Deck/boards")
+    boards_data = json.loads(list_result.contents[0].text)
+
+    board_found = any(board["id"] == board_id for board in boards_data)
+    assert board_found, "Board not found in boards list"
+    logger.info("Board found in boards list")
+
+    # 3. Verify board data matches via resource (already done in step 1)
+    logger.info(f"Board data verification completed for board: {board_id}")
+    logger.info("Board structure and data verified successfully")
@@ -0,0 +1,170 @@
+"""Test error propagation in the MCP server for various error scenarios."""
+
+import logging
+
+import pytest
+from mcp import ClientSession
+
+logger = logging.getLogger(__name__)
+
+# Mark all tests in this module as integration tests
+pytestmark = pytest.mark.integration
+
+
+async def test_missing_note_tool_error(nc_mcp_client: ClientSession):
+    """Test that accessing a non-existent note via tool returns proper error."""
+    # Try to get a non-existent note via tool - should return error response
+    response = await nc_mcp_client.call_tool("nc_notes_get_note", {"note_id": 999999})
+
+    # Should return error response (not raise exception) for tools
+    assert response is not None
+    assert response.isError is True
+    assert "Note 999999 not found" in response.content[0].text
+
+
+async def test_delete_missing_note_tool_error(nc_mcp_client: ClientSession):
+    """Test that deleting a non-existent note returns proper error."""
+    # Try to delete a non-existent note - should return error response
+    response = await nc_mcp_client.call_tool(
+        "nc_notes_delete_note", {"note_id": 999999}
+    )
+
+    # Should return error response (not raise exception) for tools
+    assert response is not None
+    assert response.isError is True
+    assert "Note 999999 not found" in response.content[0].text
+
+
+async def test_search_with_empty_query(nc_mcp_client: ClientSession):
+    """Test search behavior with empty query."""
+    # Search with empty query
+    response = await nc_mcp_client.call_tool("nc_notes_search_notes", {"query": ""})
+
+    logger.info(f"Empty search query response: {response}")
+
+    # Should return successful response with empty or valid results
+    assert response is not None
+    assert response.isError is False
+
+
+async def test_tool_missing_required_parameters(nc_mcp_client: ClientSession):
+    """Test calling a tool with missing required parameters."""
+    # Try to create note with missing parameters
+    response = await nc_mcp_client.call_tool(
+        "nc_notes_create_note",
+        {"title": "Test"},  # Missing content and category
+    )
+    logger.info(f"Missing params response: {response}")
+
+    # Should return error response for missing required parameters
+    assert response is not None
+    assert response.isError is True
+    assert (
+        "required" in response.content[0].text.lower()
+        or "missing" in response.content[0].text.lower()
+    )
+
+
+async def test_update_note_with_invalid_etag(nc_mcp_client: ClientSession, nc_client):
+    """Test updating a note with invalid ETag."""
+    # First create a note
+    note_data = await nc_client.notes.create_note(
+        title="Test Note for ETag", content="Test content", category=""
+    )
+    note_id = note_data["id"]
+
+    try:
+        # Try to update with invalid ETag - should return error response
+        response = await nc_mcp_client.call_tool(
+            "nc_notes_update_note",
+            {
+                "note_id": note_id,
+                "etag": "invalid-etag",
+                "title": "Updated Title",
+                "content": None,
+                "category": None,
+            },
+        )
+
+        # Should return error response (not raise exception) for tools
+        assert response is not None
+        assert response.isError is True
+        assert "modified by someone else" in response.content[0].text
+
+    finally:
+        # Clean up
+        await nc_client.notes.delete_note(note_id)
+
+
+async def test_calendar_missing_calendar_error(nc_mcp_client: ClientSession):
+    """Test calendar operations with non-existent calendar."""
+    # Try to create event in non-existent calendar
+    response = await nc_mcp_client.call_tool(
+        "nc_calendar_create_event",
+        {
+            "calendar_name": "non-existent-calendar",
+            "title": "Test Event",
+            "start_datetime": "2025-01-15T14:00:00",
+        },
+    )
+
+    logger.info(f"Non-existent calendar response: {response}")
+
+    # Should return structured error response
+    assert response is not None
+    # Note: Some modules may not have improved error handling yet
+    # Check if we have structured content with success=false or isError=true
+    if (
+        hasattr(response, "structuredContent")
+        and response.structuredContent
+        and "result" in response.structuredContent
+    ):
+        assert response.structuredContent["result"]["success"] is False
+    else:
+        assert response.isError is True
+
+
+async def test_webdav_read_missing_file_error(nc_mcp_client: ClientSession):
+    """Test WebDAV operations with non-existent file."""
+    # Try to read a non-existent file
+    response = await nc_mcp_client.call_tool(
+        "nc_webdav_read_file", {"path": "non-existent-file.txt"}
+    )
+
+    logger.info(f"Missing file response: {response}")
+
+    # Should return structured error response
+    assert response is not None
+    # Note: Some modules may not have improved error handling yet
+    # Check if we have structured content with success=false or isError=true
+    if (
+        hasattr(response, "structuredContent")
+        and response.structuredContent
+        and "result" in response.structuredContent
+    ):
+        assert response.structuredContent["result"]["success"] is False
+    else:
+        assert response.isError is True
+
+
+async def test_tables_missing_table_error(nc_mcp_client: ClientSession):
+    """Test Tables operations with non-existent table."""
+    # Try to get schema of non-existent table
+    response = await nc_mcp_client.call_tool(
+        "nc_tables_get_schema", {"table_id": 999999}
+    )
+
+    logger.info(f"Missing table response: {response}")
+
+    # Should return structured error response
+    assert response is not None
+    # Note: Some modules may not have improved error handling yet
+    # Check if we have structured content with success=false or isError=true
+    if (
+        hasattr(response, "structuredContent")
+        and response.structuredContent
+        and "result" in response.structuredContent
+    ):
+        assert response.structuredContent["result"]["success"] is False
+    else:
+        assert response.isError is True
@@ -0,0 +1,795 @@
+import json
+import logging
+import uuid
+
+import pytest
+from mcp import ClientSession
+
+from nextcloud_mcp_server.client import NextcloudClient
+
+logger = logging.getLogger(__name__)
+pytestmark = pytest.mark.integration
+
+
+async def test_mcp_connectivity(nc_mcp_client: ClientSession):
+    """Test basic MCP server connectivity and list available tools/resources."""
+
+    # List available tools
+    tools = await nc_mcp_client.list_tools()
+    logger.info("Available MCP tools:")
+    tool_names = []
+    for tool in tools.tools:
+        logger.info(f"  - {tool.name}: {tool.description}")
+        tool_names.append(tool.name)
+
+    # Verify expected tools are present
+    expected_tools = [
+        "nc_notes_create_note",
+        "nc_notes_update_note",
+        "nc_notes_append_content",
+        "nc_notes_search_notes",
+        "nc_notes_delete_note",
+        "nc_tables_list_tables",
+        "nc_tables_get_schema",
+        "nc_tables_read_table",
+        "nc_tables_insert_row",
+        "nc_tables_update_row",
+        "nc_tables_delete_row",
+        "nc_webdav_list_directory",
+        "nc_webdav_read_file",
+        "nc_webdav_write_file",
+        "nc_webdav_create_directory",
+        "nc_webdav_delete_resource",
+        "nc_calendar_list_calendars",
+        "nc_calendar_create_event",
+        "nc_calendar_list_events",
+        "nc_calendar_get_event",
+        "nc_calendar_update_event",
+        "nc_calendar_delete_event",
+        "nc_calendar_create_meeting",
+        "nc_calendar_get_upcoming_events",
+        "nc_calendar_find_availability",
+        "nc_calendar_bulk_operations",
+        "nc_calendar_manage_calendar",
+        "deck_create_board",
+    ]
+
+    for expected_tool in expected_tools:
+        assert expected_tool in tool_names, (
+            f"Expected tool '{expected_tool}' not found in available tools"
+        )
+
+    # List available resource templates
+    templates = await nc_mcp_client.list_resource_templates()
+    logger.info("\nAvailable resource templates:")
+    template_uris = []
+    for template in templates.resourceTemplates:
+        logger.info(f"  - {template.uriTemplate}")
+        template_uris.append(template.uriTemplate)
+
+    # Verify expected resource templates
+    # Note: Notes attachments are now handled via tools, not resource templates
+    expected_templates = []
+
+    for expected_template in expected_templates:
+        assert expected_template in template_uris, (
+            f"Expected template '{expected_template}' not found"
+        )
+
+    # List available resources
+    resources = await nc_mcp_client.list_resources()
+    logger.info("\nAvailable resources:")
+    resource_uris = []
+    for resource in resources.resources:
+        logger.info(f"  - {resource.uri}: {resource.name}")
+        resource_uris.append(str(resource.uri))  # Convert to string for comparison
+
+    # Verify expected resources
+    expected_resources = ["nc://capabilities", "notes://settings", "nc://Deck/boards"]
+
+    for expected_resource in expected_resources:
+        assert expected_resource in resource_uris, (
+            f"Expected resource '{expected_resource}' not found"
+        )
+
+    # List available prompts
+    prompts = await nc_mcp_client.list_prompts()
+    logger.info("\nAvailable prompts:")
+    for prompt in prompts.prompts:
+        logger.info(f"  - {prompt.name}")
+
+
+async def test_mcp_notes_crud_workflow(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test complete Notes CRUD workflow via MCP tools with verification via NextcloudClient."""
+
+    unique_suffix = uuid.uuid4().hex[:8]
+    test_title = f"MCP Test Note {unique_suffix}"
+    test_content = f"This is test content for note {unique_suffix}"
+    test_category = "MCPTesting"
+
+    created_note = None
+
+    try:
+        # 1. Create note via MCP
+        logger.info(f"Creating note via MCP: {test_title}")
+        create_result = await nc_mcp_client.call_tool(
+            "nc_notes_create_note",
+            {"title": test_title, "content": test_content, "category": test_category},
+        )
+
+        assert create_result.isError is False, (
+            f"MCP note creation failed: {create_result.content}"
+        )
+        created_note = create_result.content[0].text
+        note_data = json.loads(created_note)  # Parse the returned JSON
+        note_id = note_data["id"]
+        create_etag = note_data["etag"]  # Verify create response includes ETag
+
+        logger.info(f"Note created via MCP with ID: {note_id}, ETag: {create_etag}")
+        assert "etag" in note_data, "Create response should include ETag"
+        assert create_etag, "Create ETag should not be empty"
+
+        # 2. Verify creation via direct NextcloudClient
+        direct_note = await nc_client.notes.get_note(note_id)
+        assert direct_note["title"] == test_title, (
+            f"Title mismatch: {direct_note['title']} != {test_title}"
+        )
+        assert direct_note["content"] == test_content, "Content mismatch"
+        assert direct_note["category"] == test_category, "Category mismatch"
+
+        # 3. Read note via MCP
+        logger.info(f"Reading note via MCP: {note_id}")
+        read_result = await nc_mcp_client.call_tool(
+            "nc_notes_get_note", {"note_id": note_id}
+        )
+        read_note_data = read_result.content[0].text
+        read_note_data = json.loads(read_note_data)
+
+        assert read_note_data["title"] == test_title
+        assert read_note_data["content"] == test_content
+        assert read_note_data["category"] == test_category
+
+        # 4. Update note via MCP
+        updated_title = f"Updated {test_title}"
+        updated_content = f"Updated content: {test_content}"
+        etag = read_note_data["etag"]
+
+        logger.info(f"Updating note via MCP: {note_id}")
+        update_result = await nc_mcp_client.call_tool(
+            "nc_notes_update_note",
+            {
+                "note_id": note_id,
+                "etag": etag,
+                "title": updated_title,
+                "content": updated_content,
+                "category": test_category,
+            },
+        )
+
+        assert update_result.isError is False, (
+            f"MCP note update failed: {update_result.content}"
+        )
+
+        # Verify update response includes new ETag
+        updated_note_data = json.loads(update_result.content[0].text)
+        update_etag = updated_note_data["etag"]
+
+        logger.info(f"Note updated via MCP, new ETag: {update_etag}")
+        assert "etag" in updated_note_data, "Update response should include ETag"
+        assert update_etag, "Update ETag should not be empty"
+        assert update_etag != etag, "ETag should change after update"
+
+        # 5. Verify update via direct NextcloudClient
+        updated_direct_note = await nc_client.notes.get_note(note_id)
+        assert updated_direct_note["title"] == updated_title
+        assert updated_direct_note["content"] == updated_content
+
+        # 6. Append content via MCP
+        append_content = "\n\nThis is appended content via MCP."
+        logger.info(f"Appending content to note via MCP: {note_id}")
+        append_result = await nc_mcp_client.call_tool(
+            "nc_notes_append_content", {"note_id": note_id, "content": append_content}
+        )
+
+        assert append_result.isError is False, (
+            f"MCP note append failed: {append_result.content}"
+        )
+
+        # Verify append response includes new ETag
+        appended_note_data = json.loads(append_result.content[0].text)
+        append_etag = appended_note_data["etag"]
+
+        logger.info(f"Content appended via MCP, new ETag: {append_etag}")
+        assert "etag" in appended_note_data, "Append response should include ETag"
+        assert append_etag, "Append ETag should not be empty"
+        assert append_etag != update_etag, "ETag should change after append"
+
+        # 7. Verify append via direct NextcloudClient
+        appended_direct_note = await nc_client.notes.get_note(note_id)
+        assert append_content in appended_direct_note["content"]
+
+        # 8. Search for note via MCP
+        logger.info(f"Searching for note via MCP with query: {unique_suffix}")
+        search_result = await nc_mcp_client.call_tool(
+            "nc_notes_search_notes", {"query": unique_suffix}
+        )
+
+        assert search_result.isError is False, (
+            f"MCP note search failed: {search_result.content}"
+        )
+        search_notes_text = search_result.content[0].text
+        logger.info(f"Search result text: {search_notes_text}")
+        search_response = json.loads(search_notes_text)
+
+        # Expect structured response with Pydantic format
+        assert isinstance(search_response, dict), (
+            f"Expected search response to be a dict with structured format, got: {type(search_response)}"
+        )
+        assert "results" in search_response, (
+            f"Expected 'results' field in search response, got keys: {list(search_response.keys())}"
+        )
+        assert "success" in search_response and search_response["success"], (
+            f"Expected successful search response, got: {search_response}"
+        )
+
+        search_notes = search_response["results"]
+        assert isinstance(search_notes, list), (
+            f"Expected results to be a list, got: {type(search_notes)}"
+        )
+
+        # Find our note in search results
+        found_note = None
+        for note in search_notes:
+            if isinstance(note, dict) and note.get("id") == note_id:
+                found_note = note
+                break
+
+        assert found_note is not None, (
+            f"Created note not found in search results. Search returned: {search_response}"
+        )
+        assert found_note["title"] == updated_title
+
+        # 9. Delete note via MCP
+        logger.info(f"Deleting note via MCP: {note_id}")
+        delete_result = await nc_mcp_client.call_tool(
+            "nc_notes_delete_note", {"note_id": note_id}
+        )
+
+        assert delete_result.isError is False, (
+            f"MCP note deletion failed: {delete_result.content}"
+        )
+
+        # 10. Verify deletion via direct NextcloudClient
+        try:
+            await nc_client.notes.get_note(note_id)
+            pytest.fail("Note should have been deleted but was still found")
+        except Exception:
+            # Expected - note should be deleted
+            logger.info(f"Successfully verified note {note_id} was deleted")
+            created_note = None  # Mark as cleaned up
+
+    finally:
+        # Cleanup in case of test failure
+        if created_note is not None:
+            try:
+                note_data = json.loads(created_note)
+                await nc_client.notes.delete_note(note_data["id"])
+                logger.info(f"Cleaned up note {note_data['id']} after test failure")
+            except Exception as e:
+                logger.warning(f"Failed to cleanup note: {e}")
+
+
+async def test_mcp_notes_etag_conflict(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test that MCP note updates fail when using stale ETags."""
+
+    unique_suffix = uuid.uuid4().hex[:8]
+    test_title = f"ETag Test Note {unique_suffix}"
+    test_content = f"This is test content for ETag testing {unique_suffix}"
+    test_category = "ETTesting"
+
+    created_note = None
+
+    try:
+        # 1. Create note via MCP
+        logger.info(f"Creating note for ETag conflict test: {test_title}")
+        create_result = await nc_mcp_client.call_tool(
+            "nc_notes_create_note",
+            {"title": test_title, "content": test_content, "category": test_category},
+        )
+
+        assert create_result.isError is False
+        note_data = json.loads(create_result.content[0].text)
+        note_id = note_data["id"]
+        original_etag = note_data["etag"]
+        created_note = note_data
+
+        # 2. Update note to change ETag
+        first_update_result = await nc_mcp_client.call_tool(
+            "nc_notes_update_note",
+            {
+                "note_id": note_id,
+                "etag": original_etag,
+                "title": f"First Update {test_title}",
+                "content": test_content,
+                "category": test_category,
+            },
+        )
+
+        assert first_update_result.isError is False
+        updated_data = json.loads(first_update_result.content[0].text)
+        new_etag = updated_data["etag"]
+        assert new_etag != original_etag, "ETag should have changed after update"
+
+        # 3. Try to update with the stale (original) ETag - this should fail
+        logger.info(f"Attempting update with stale ETag: {original_etag}")
+        conflict_result = await nc_mcp_client.call_tool(
+            "nc_notes_update_note",
+            {
+                "note_id": note_id,
+                "etag": original_etag,  # Use stale ETag
+                "title": "This should fail",
+                "content": "This update should be rejected",
+                "category": test_category,
+            },
+        )
+
+        # 4. Verify the update was rejected with a 412 error
+        # With McpError, tools now return proper error responses
+        assert conflict_result.isError is True, "Update with stale ETag should fail"
+        response_content = conflict_result.content[0].text
+        assert "modified by someone else" in response_content, (
+            f"Expected conflict error message, got: {response_content}"
+        )
+
+        logger.info("Successfully verified ETag conflict handling via MCP")
+
+    finally:
+        # Cleanup
+        if created_note is not None:
+            try:
+                await nc_client.notes.delete_note(created_note["id"])
+                logger.info(f"Cleaned up test note {created_note['id']}")
+            except Exception as e:
+                logger.warning(f"Failed to cleanup test note: {e}")
+
+
+async def test_mcp_webdav_workflow(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test WebDAV file operations via MCP tools with verification via NextcloudClient."""
+
+    unique_suffix = uuid.uuid4().hex[:8]
+    test_dir = f"mcp_test_dir_{unique_suffix}"
+    test_file = f"mcp_test_file_{unique_suffix}.txt"
+    test_file_path = f"{test_dir}/{test_file}"
+    test_content = f"This is test content for MCP WebDAV testing {unique_suffix}"
+
+    try:
+        # 1. Create directory via MCP
+        logger.info(f"Creating directory via MCP: {test_dir}")
+        create_dir_result = await nc_mcp_client.call_tool(
+            "nc_webdav_create_directory", {"path": test_dir}
+        )
+
+        assert create_dir_result.isError is False, (
+            f"MCP directory creation failed: {create_dir_result.content}"
+        )
+
+        # 2. Verify directory creation via direct WebDAV
+        dir_listing = await nc_client.webdav.list_directory("")
+        dir_names = [item["name"] for item in dir_listing if item["is_directory"]]
+        assert test_dir in dir_names, f"Directory {test_dir} not found in root listing"
+
+        # 3. Write file via MCP
+        logger.info(f"Writing file via MCP: {test_file_path}")
+        write_result = await nc_mcp_client.call_tool(
+            "nc_webdav_write_file",
+            {
+                "path": test_file_path,
+                "content": test_content,
+                "content_type": "text/plain",
+            },
+        )
+
+        assert write_result.isError is False, (
+            f"MCP file write failed: {write_result.content}"
+        )
+
+        # 4. Verify file creation via direct WebDAV
+        file_listing = await nc_client.webdav.list_directory(test_dir)
+        file_names = [item["name"] for item in file_listing if not item["is_directory"]]
+        assert test_file in file_names, (
+            f"File {test_file} not found in directory listing"
+        )
+
+        # 5. Read file via MCP
+        logger.info(f"Reading file via MCP: {test_file_path}")
+        read_result = await nc_mcp_client.call_tool(
+            "nc_webdav_read_file", {"path": test_file_path}
+        )
+
+        assert read_result.isError is False, (
+            f"MCP file read failed: {read_result.content}"
+        )
+        read_data = json.loads(read_result.content[0].text)
+
+        assert read_data["content"] == test_content, "File content mismatch"
+        assert read_data["path"] == test_file_path
+        assert "text/plain" in read_data["content_type"]
+
+        # 6. Verify file content via direct WebDAV
+        direct_content, direct_content_type = await nc_client.webdav.read_file(
+            test_file_path
+        )
+        assert direct_content.decode("utf-8") == test_content
+
+        # 7. List directory via MCP
+        logger.info(f"Listing directory via MCP: {test_dir}")
+        list_result = await nc_mcp_client.call_tool(
+            "nc_webdav_list_directory", {"path": test_dir}
+        )
+
+        assert list_result.isError is False, (
+            f"MCP directory listing failed: {list_result.content}"
+        )
+        listing_text = list_result.content[0].text
+        logger.info(f"Directory listing response: {listing_text}")
+        listing_data = json.loads(listing_text)
+
+        # Ensure listing_data is a list
+        if not isinstance(listing_data, list):
+            logger.warning(
+                f"Expected directory listing to be a list, got: {type(listing_data)}"
+            )
+            listing_data = [listing_data] if listing_data else []
+
+        # Find our file in the listing
+        found_file = None
+        for item in listing_data:
+            if isinstance(item, dict) and item.get("name") == test_file:
+                found_file = item
+                break
+
+        assert found_file is not None, (
+            f"File {test_file} not found in MCP directory listing"
+        )
+        assert found_file["is_directory"] is False
+        assert found_file["size"] == len(test_content.encode("utf-8"))
+
+    finally:
+        # Cleanup
+        try:
+            logger.info(f"Cleaning up test file: {test_file_path}")
+            await nc_mcp_client.call_tool(
+                "nc_webdav_delete_resource", {"path": test_file_path}
+            )
+
+            logger.info(f"Cleaning up test directory: {test_dir}")
+            await nc_mcp_client.call_tool(
+                "nc_webdav_delete_resource", {"path": test_dir}
+            )
+        except Exception as e:
+            logger.warning(f"Failed to cleanup WebDAV resources: {e}")
+
+
+async def test_mcp_resources_access(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test accessing MCP resources and compare with direct API calls."""
+
+    # 1. Test capabilities resource
+    logger.info("Testing capabilities resource via MCP")
+    caps_result = await nc_mcp_client.read_resource("nc://capabilities")
+    assert len(caps_result.contents) == 1
+    mcp_capabilities = json.loads(caps_result.contents[0].text)
+
+    # Compare with direct API call
+    direct_capabilities = await nc_client.capabilities()
+
+    # Basic validation - both should have similar structure
+    # Both return full OCS response structure
+    assert "ocs" in mcp_capabilities
+    assert "data" in mcp_capabilities["ocs"]
+    assert "version" in mcp_capabilities["ocs"]["data"]
+    assert "ocs" in direct_capabilities
+    assert "data" in direct_capabilities["ocs"]
+    assert "version" in direct_capabilities["ocs"]["data"]
+
+    # 2. Test notes settings resource
+    logger.info("Testing notes settings resource via MCP")
+    settings_result = await nc_mcp_client.read_resource("notes://settings")
+    assert len(settings_result.contents) == 1
+    mcp_settings = json.loads(settings_result.contents[0].text)
+
+    # Compare with direct API call
+    direct_settings = await nc_client.notes.get_settings()
+
+    # Both should have settings data
+    assert isinstance(mcp_settings, dict)
+    assert isinstance(direct_settings, dict)
+
+    logger.info("Successfully verified MCP resources match direct API calls")
+
+
+async def test_mcp_calendar_workflow(
+    nc_mcp_client: ClientSession, nc_client: NextcloudClient
+):
+    """Test complete Calendar workflow via MCP tools with verification via NextcloudClient."""
+
+    unique_suffix = uuid.uuid4().hex[:8]
+    test_event_title = f"MCP Test Event {unique_suffix}"
+    test_location = f"MCP Test Location {unique_suffix}"
+
+    created_event = None
+    calendar_name = None
+
+    try:
+        # 1. List calendars via MCP
+        logger.info("Listing calendars via MCP")
+        calendars_result = await nc_mcp_client.call_tool(
+            "nc_calendar_list_calendars", {}
+        )
+
+        assert calendars_result.isError is False, (
+            f"MCP calendar listing failed: {calendars_result.content}"
+        )
+
+        calendars_response = json.loads(calendars_result.content[0].text)
+
+        # Debug output to understand the structure
+        logger.info(f"calendars_response type: {type(calendars_response)}")
+        logger.info(f"calendars_response content: {calendars_response}")
+
+        # Expect structured response with Pydantic format
+        assert isinstance(calendars_response, dict), (
+            f"Expected calendar response to be a dict with structured format, got: {type(calendars_response)}"
+        )
+        assert "calendars" in calendars_response, (
+            f"Expected 'calendars' field in response, got keys: {list(calendars_response.keys())}"
+        )
+        assert "success" in calendars_response and calendars_response["success"], (
+            f"Expected successful calendar response, got: {calendars_response}"
+        )
+
+        calendars_list = calendars_response["calendars"]
+        assert isinstance(calendars_list, list), (
+            f"Expected calendars to be a list, got: {type(calendars_list)}"
+        )
+
+        if not calendars_list:
+            pytest.skip("No calendars available for testing")
+
+        # Use the first available calendar
+        calendar_name = calendars_list[0]["name"]
+        logger.info(f"Using calendar: {calendar_name}")
+
+        # 2. Create event via MCP
+        from datetime import datetime, timedelta
+
+        tomorrow = datetime.now() + timedelta(days=1)
+        start_datetime = tomorrow.strftime("%Y-%m-%dT14:00:00")
+        end_datetime = tomorrow.strftime("%Y-%m-%dT15:00:00")
+
+        event_data = {
+            "calendar_name": calendar_name,
+            "title": test_event_title,
+            "start_datetime": start_datetime,
+            "end_datetime": end_datetime,
+            "description": f"Test event created via MCP {unique_suffix}",
+            "location": test_location,
+            "categories": "testing,mcp",
+            "status": "CONFIRMED",
+            "priority": 5,
+        }
+
+        logger.info(f"Creating event via MCP: {test_event_title}")
+        create_result = await nc_mcp_client.call_tool(
+            "nc_calendar_create_event", event_data
+        )
+
+        assert create_result.isError is False, (
+            f"MCP event creation failed: {create_result.content}"
+        )
+
+        created_event_data = json.loads(create_result.content[0].text)
+        event_uid = created_event_data["uid"]
+        created_event = {"uid": event_uid, "calendar_name": calendar_name}
+
+        logger.info(f"Event created via MCP with UID: {event_uid}")
+
+        # 3. Verify creation via direct NextcloudClient
+        direct_event, _ = await nc_client.calendar.get_event(calendar_name, event_uid)
+        assert direct_event["title"] == test_event_title
+        assert direct_event["location"] == test_location
+        assert "testing" in direct_event.get("categories", "")
+
+        # 4. Get event via MCP
+        logger.info(f"Getting event via MCP: {event_uid}")
+        get_result = await nc_mcp_client.call_tool(
+            "nc_calendar_get_event",
+            {"calendar_name": calendar_name, "event_uid": event_uid},
+        )
+
+        assert get_result.isError is False, (
+            f"MCP event get failed: {get_result.content}"
+        )
+
+        get_event_data = json.loads(get_result.content[0].text)
+        assert get_event_data["title"] == test_event_title
+        assert get_event_data["location"] == test_location
+
+        # 5. **TEST nc_calendar_list_events - This is the main tool we're testing**
+        logger.info("Testing nc_calendar_list_events via MCP")
+
+        # Get today and next week for date range
+        today = datetime.now()
+        next_week = today + timedelta(days=7)
+        start_date = today.strftime("%Y-%m-%d")
+        end_date = next_week.strftime("%Y-%m-%d")
+
+        list_events_data = {
+            "calendar_name": calendar_name,
+            "start_date": start_date,
+            "end_date": end_date,
+            "limit": 50,
+            "location_contains": "MCP Test",
+            "title_contains": unique_suffix,
+        }
+
+        list_result = await nc_mcp_client.call_tool(
+            "nc_calendar_list_events", list_events_data
+        )
+
+        assert list_result.isError is False, (
+            f"MCP list events failed: {list_result.content}"
+        )
+
+        events_data = json.loads(list_result.content[0].text)
+
+        # Debug output to understand what nc_calendar_list_events returns
+        logger.info(f"list_events result type: {type(events_data)}")
+        logger.info(f"list_events result content: {events_data}")
+
+        # Handle single event returned as dict instead of list (same fix as calendars)
+        if isinstance(events_data, dict):
+            # Single event returned as dict instead of list
+            events_data = [events_data]
+
+        assert isinstance(events_data, list), "Expected events list"
+
+        # Our created event should be in the list
+        found_event = None
+        for event in events_data:
+            if event.get("uid") == event_uid:
+                found_event = event
+                break
+
+        assert found_event is not None, (
+            f"Created event {event_uid} not found in events list"
+        )
+        assert found_event["title"] == test_event_title
+
+        # 6. Test list events across all calendars
+        logger.info("Testing nc_calendar_list_events across all calendars")
+
+        all_calendars_data = {
+            "calendar_name": "",  # Will be ignored
+            "search_all_calendars": True,
+            "start_date": start_date,
+            "end_date": end_date,
+            "title_contains": unique_suffix,
+        }
+
+        all_list_result = await nc_mcp_client.call_tool(
+            "nc_calendar_list_events", all_calendars_data
+        )
+
+        assert all_list_result.isError is False, (
+            f"MCP list all events failed: {all_list_result.content}"
+        )
+
+        all_events_data = json.loads(all_list_result.content[0].text)
+
+        # Handle single event returned as dict instead of list (same fix as calendars)
+        if isinstance(all_events_data, dict):
+            # Single event returned as dict instead of list
+            all_events_data = [all_events_data]
+
+        assert isinstance(all_events_data, list), "Expected events list"
+
+        # Our event should still be found when searching all calendars
+        found_in_all = any(event.get("uid") == event_uid for event in all_events_data)
+        assert found_in_all, "Event not found when searching all calendars"
+
+        # 7. Update event via MCP
+        updated_title = f"Updated {test_event_title}"
+        updated_description = f"Updated description {unique_suffix}"
+
+        update_data = {
+            "calendar_name": calendar_name,
+            "event_uid": event_uid,
+            "title": updated_title,
+            "description": updated_description,
+            "priority": 1,
+        }
+
+        logger.info(f"Updating event via MCP: {event_uid}")
+        update_result = await nc_mcp_client.call_tool(
+            "nc_calendar_update_event", update_data
+        )
+
+        assert update_result.isError is False, (
+            f"MCP event update failed: {update_result.content}"
+        )
+
+        # 8. Verify update via direct NextcloudClient
+        updated_direct_event, _ = await nc_client.calendar.get_event(
+            calendar_name, event_uid
+        )
+        assert updated_direct_event["title"] == updated_title
+        assert updated_direct_event["description"] == updated_description
+        assert updated_direct_event["priority"] == 1
+
+        # 9. Test upcoming events via MCP
+        logger.info("Testing nc_calendar_get_upcoming_events via MCP")
+        upcoming_result = await nc_mcp_client.call_tool(
+            "nc_calendar_get_upcoming_events",
+            {"calendar_name": calendar_name, "days_ahead": 7, "limit": 10},
+        )
+
+        assert upcoming_result.isError is False, (
+            f"MCP upcoming events failed: {upcoming_result.content}"
+        )
+
+        upcoming_events = json.loads(upcoming_result.content[0].text)
+
+        # Handle single event returned as dict instead of list (same fix as other tools)
+        if isinstance(upcoming_events, dict):
+            # Single event returned as dict instead of list
+            upcoming_events = [upcoming_events]
+
+        assert isinstance(upcoming_events, list), "Expected upcoming events list"
+
+        # 10. Delete event via MCP
+        logger.info(f"Deleting event via MCP: {event_uid}")
+        delete_result = await nc_mcp_client.call_tool(
+            "nc_calendar_delete_event",
+            {"calendar_name": calendar_name, "event_uid": event_uid},
+        )
+
+        assert delete_result.isError is False, (
+            f"MCP event deletion failed: {delete_result.content}"
+        )
+
+        # 11. Verify deletion via direct NextcloudClient
+        try:
+            await nc_client.calendar.get_event(calendar_name, event_uid)
+            pytest.fail("Event should have been deleted but was still found")
+        except Exception:
+            # Expected - event should be deleted
+            logger.info(f"Successfully verified event {event_uid} was deleted")
+            created_event = None  # Mark as cleaned up
+
+    except Exception as e:
+        if "Calendar app may not be enabled" in str(
+            e
+        ) or "No calendars available" in str(e):
+            pytest.skip("Calendar functionality not available for testing")
+        raise
+
+    finally:
+        # Cleanup in case of test failure
+        if created_event is not None:
+            try:
+                await nc_client.calendar.delete_event(
+                    created_event["calendar_name"], created_event["uid"]
+                )
+                logger.info(
+                    f"Cleaned up event {created_event['uid']} after test failure"
+                )
+            except Exception as e:
+                logger.warning(f"Failed to cleanup event: {e}")
@@ -0,0 +1,59 @@
+import json
+import logging
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+async def test_mcp_oauth_server_connection(nc_mcp_oauth_client):
+    """Test connection to OAuth-enabled MCP server."""
+    result = await nc_mcp_oauth_client.list_tools()
+    assert result is not None
+    assert len(result.tools) > 0
+
+    logger.info(f"OAuth MCP server has {len(result.tools)} tools available")
+
+
+async def test_mcp_oauth_tool_execution(nc_mcp_oauth_client):
+    """Test executing a tool on the OAuth-enabled MCP server."""
+    import json
+
+    # Example: Execute the 'nc_notes_search_notes' tool
+    result = await nc_mcp_oauth_client.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+
+    assert result.isError is False, f"Tool execution failed: {result.content}"
+    assert result.content is not None
+    response_data = json.loads(result.content[0].text)
+
+    # The search response should have a 'results' field containing the list
+    assert "results" in response_data
+    assert isinstance(response_data["results"], list)
+
+    logger.info(
+        f"Successfully executed 'nc_notes_search_notes' tool on OAuth MCP server and got {len(response_data['results'])} notes."
+    )
+
+
+async def test_mcp_oauth_client_with_playwright(nc_mcp_oauth_client_playwright):
+    """Test that MCP OAuth client via Playwright can execute tools."""
+
+    # Test: Execute the 'nc_notes_search_notes' tool
+    result = await nc_mcp_oauth_client_playwright.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+
+    assert result.isError is False, f"Tool execution failed: {result.content}"
+    assert result.content is not None
+    response_data = json.loads(result.content[0].text)
+
+    # The search response should have a 'results' field containing the list
+    assert "results" in response_data
+    assert isinstance(response_data["results"], list)
+
+    logger.info(
+        f"Successfully executed 'nc_notes_search_notes' tool on Playwright OAuth MCP server and got {len(response_data['results'])} notes."
+    )
@@ -0,0 +1,358 @@
+"""
+Multi-user OAuth tests for Nextcloud Deck board permissions.
+
+Tests verify that the MCP server respects Nextcloud Deck board ACL permissions
+when accessed via OAuth authentication with different users.
+"""
+
+import json
+import logging
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+async def add_board_acl(nc_client, board_id: int, user: str, permission_type: int = 0):
+    """
+    Helper to add ACL entry to a Deck board.
+
+    Args:
+        nc_client: Admin NextcloudClient
+        board_id: Board ID
+        user: Username to grant access
+        permission_type: 0=view, 1=edit, 2=manage
+
+    Returns:
+        ACL entry ID
+    """
+    acl = await nc_client.deck.add_acl_rule(
+        board_id=board_id,
+        type=0,  # 0 = user, 1 = group
+        participant=user,
+        permission_edit=permission_type >= 1,
+        permission_share=permission_type >= 2,
+        permission_manage=permission_type >= 2,
+    )
+    logger.info(f"Added ACL for board {board_id}: {user} (type={permission_type})")
+    return acl.id
+
+
+async def delete_board_acl(nc_client, board_id: int, acl_id: int):
+    """Helper to delete a board ACL entry."""
+    await nc_client.deck.delete_acl_rule(board_id, acl_id)
+    logger.info(f"Deleted ACL {acl_id} from board {board_id}")
+
+
+@pytest.mark.asyncio
+async def test_deck_board_view_permissions(
+    nc_client, alice_mcp_client, bob_mcp_client, diana_mcp_client
+):
+    """
+    Test that Deck boards respect view permissions.
+
+    Scenario:
+    1. Admin creates a board as alice
+    2. Admin adds bob to board with view-only permissions
+    3. Bob can view the board via MCP tools
+    4. Diana cannot access the board (no ACL entry)
+    """
+    # Create a board as alice
+    logger.info("Creating Deck board as alice...")
+    board = await nc_client.deck.create_board(
+        "Alice's Shared Board - View Test", "FF0000"
+    )
+    board_id = board.id
+
+    bob_acl_id = None
+
+    try:
+        # Add bob to board with view-only permission
+        logger.info("Adding bob to board with view permission...")
+        bob_acl_id = await add_board_acl(nc_client, board_id, "bob", permission_type=0)
+
+        # Test: Bob can view the board via MCP
+        logger.info("Bob attempting to list boards via MCP...")
+        result = await bob_mcp_client.call_tool("deck_get_boards", arguments={})
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            # The response is directly a list of boards
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            board_ids = [b["id"] for b in response_data]
+            logger.info(f"Bob can see {len(response_data)} boards: {board_ids}")
+
+            # Bob should see the shared board
+            if board_id in board_ids:
+                logger.info(f"Bob can see shared board {board_id}")
+            else:
+                logger.warning(f"Bob cannot see shared board {board_id}")
+        else:
+            logger.warning(f"Bob could not list boards: {result.content}")
+
+        # Test: Diana cannot see the board
+        logger.info("Diana attempting to list boards via MCP...")
+        result = await diana_mcp_client.call_tool("deck_get_boards", arguments={})
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            # The response is directly a list of boards
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            board_ids = [b["id"] for b in response_data]
+            logger.info(f"Diana can see {len(response_data)} boards")
+
+            # Diana should NOT see the board
+            assert board_id not in board_ids, "Diana should not see board without ACL"
+            logger.info("Diana correctly cannot see board without ACL")
+        else:
+            logger.warning(f"Diana could not list boards: {result.content}")
+
+    finally:
+        # Cleanup
+        if bob_acl_id:
+            await delete_board_acl(nc_client, board_id, bob_acl_id)
+        logger.info(f"Deleting board {board_id}")
+        await nc_client.deck.delete_board(board_id)
+
+
+@pytest.mark.asyncio
+async def test_deck_board_edit_permissions(
+    nc_client, alice_mcp_client, charlie_mcp_client, bob_mcp_client
+):
+    """
+    Test that Deck boards respect edit permissions.
+
+    Scenario:
+    1. Admin creates a board as alice with a stack
+    2. Admin adds charlie with edit permission
+    3. Admin adds bob with view-only permission
+    4. Charlie can create cards via MCP tools
+    5. Bob cannot create cards
+    """
+    # Create a board as alice
+    logger.info("Creating Deck board as alice...")
+    board = await nc_client.deck.create_board(
+        "Alice's Shared Board - Edit Test", "00FF00"
+    )
+    board_id = board.id
+
+    # Create a stack in the board
+    logger.info("Creating stack in board...")
+    stack = await nc_client.deck.create_stack(board_id, "Test Stack", 1)
+    stack_id = stack.id
+
+    charlie_acl_id = None
+    bob_acl_id = None
+
+    try:
+        # Add charlie with edit permission
+        logger.info("Adding charlie to board with edit permission...")
+        charlie_acl_id = await add_board_acl(
+            nc_client, board_id, "charlie", permission_type=1
+        )
+
+        # Add bob with view-only permission
+        logger.info("Adding bob to board with view permission...")
+        bob_acl_id = await add_board_acl(nc_client, board_id, "bob", permission_type=0)
+
+        # Test: Charlie can create a card
+        logger.info("Charlie attempting to create card via MCP...")
+        result = await charlie_mcp_client.call_tool(
+            "deck_create_card",
+            arguments={
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "title": "Charlie's Card",
+                "description": "Created by Charlie with edit permission",
+            },
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            card_id = response_data.get("id")
+            logger.info(f"Charlie successfully created card {card_id}")
+
+            # Cleanup the card
+            await nc_client.deck.delete_card(board_id, stack_id, card_id)
+        else:
+            logger.warning(f"Charlie could not create card: {result.content}")
+
+        # Test: Bob attempts to create a card (should fail)
+        logger.info("Bob attempting to create card via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "deck_create_card",
+            arguments={
+                "board_id": board_id,
+                "stack_id": stack_id,
+                "title": "Bob's Card",
+                "description": "Bob trying to create a card",
+            },
+        )
+
+        if result.isError:
+            logger.info("Bob correctly denied card creation (view-only)")
+        else:
+            logger.warning("Bob unexpectedly succeeded in creating card")
+            # Cleanup if bob somehow created a card
+            response_data = json.loads(result.content[0].text)
+            if "id" in response_data:
+                await nc_client.deck.delete_card(
+                    board_id, stack_id, response_data["id"]
+                )
+
+    finally:
+        # Cleanup
+        if charlie_acl_id:
+            await delete_board_acl(nc_client, board_id, charlie_acl_id)
+        if bob_acl_id:
+            await delete_board_acl(nc_client, board_id, bob_acl_id)
+        logger.info(f"Deleting board {board_id}")
+        await nc_client.deck.delete_board(board_id)
+
+
+@pytest.mark.asyncio
+async def test_deck_board_manage_permissions(
+    nc_client, alice_mcp_client, charlie_mcp_client
+):
+    """
+    Test that Deck boards respect manage permissions.
+
+    Scenario:
+    1. Admin creates a board as alice
+    2. Admin adds charlie with manage permission
+    3. Charlie can create stacks and modify board settings
+    """
+    # Create a board as alice
+    logger.info("Creating Deck board as alice...")
+    board = await nc_client.deck.create_board(
+        "Alice's Shared Board - Manage Test", "0000FF"
+    )
+    board_id = board.id
+
+    charlie_acl_id = None
+
+    try:
+        # Add charlie with manage permission
+        logger.info("Adding charlie to board with manage permission...")
+        charlie_acl_id = await add_board_acl(
+            nc_client, board_id, "charlie", permission_type=2
+        )
+
+        # Test: Charlie can create a stack
+        logger.info("Charlie attempting to create stack via MCP...")
+        result = await charlie_mcp_client.call_tool(
+            "deck_create_stack",
+            arguments={"board_id": board_id, "title": "Charlie's Stack", "order": 1},
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            stack_id = response_data.get("id")
+            logger.info(f"Charlie successfully created stack {stack_id}")
+
+            # Cleanup the stack
+            await nc_client.deck.delete_stack(board_id, stack_id)
+        else:
+            logger.warning(f"Charlie could not create stack: {result.content}")
+
+        # Test: Charlie can delete a stack (manage permission)
+        logger.info("Charlie attempting to delete stack via MCP...")
+        # First create a temporary stack to delete
+        temp_stack = await nc_client.deck.create_stack(
+            board_id, "Temp Stack for Deletion", 99
+        )
+
+        result = await charlie_mcp_client.call_tool(
+            "deck_delete_stack",
+            arguments={"board_id": board_id, "stack_id": temp_stack.id},
+        )
+
+        if not result.isError:
+            logger.info("Charlie successfully deleted stack")
+        else:
+            logger.warning(f"Charlie could not delete stack: {result.content}")
+            # Cleanup if deletion via MCP failed
+            try:
+                await nc_client.deck.delete_stack(board_id, temp_stack.id)
+            except Exception:
+                pass
+
+    finally:
+        # Cleanup
+        if charlie_acl_id:
+            await delete_board_acl(nc_client, board_id, charlie_acl_id)
+        logger.info(f"Deleting board {board_id}")
+        await nc_client.deck.delete_board(board_id)
+
+
+@pytest.mark.asyncio
+async def test_deck_user_isolation(nc_client, alice_mcp_client, bob_mcp_client):
+    """
+    Test that users can only see their own boards when not shared.
+
+    Scenario:
+    1. Admin creates a board as alice (not shared)
+    2. Admin creates a board as bob (not shared)
+    3. Alice can only see her own board
+    4. Bob can only see his own board
+    """
+    # Create alice's board
+    logger.info("Creating alice's private board...")
+    alice_board = await nc_client.deck.create_board("Alice's Private Board", "FF00FF")
+    alice_board_id = alice_board.id
+
+    # Create bob's board
+    logger.info("Creating bob's private board...")
+    bob_board = await nc_client.deck.create_board("Bob's Private Board", "00FFFF")
+    bob_board_id = bob_board.id
+
+    try:
+        # Test: Alice lists boards
+        logger.info("Alice listing boards via MCP...")
+        result = await alice_mcp_client.call_tool("deck_get_boards", arguments={})
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            # The response is directly a list of boards
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            board_ids = [b["id"] for b in response_data]
+            logger.info(f"Alice can see boards: {board_ids}")
+
+            # Alice should NOT see Bob's board
+            assert bob_board_id not in board_ids, (
+                "Alice should not see Bob's private board"
+            )
+        else:
+            logger.warning(f"Alice could not list boards: {result.content}")
+
+        # Test: Bob lists boards
+        logger.info("Bob listing boards via MCP...")
+        result = await bob_mcp_client.call_tool("deck_get_boards", arguments={})
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            # The response is directly a list of boards
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            board_ids = [b["id"] for b in response_data]
+            logger.info(f"Bob can see boards: {board_ids}")
+
+            # Bob should NOT see Alice's board
+            assert alice_board_id not in board_ids, (
+                "Bob should not see Alice's private board"
+            )
+        else:
+            logger.warning(f"Bob could not list boards: {result.content}")
+
+        logger.info("User isolation test passed: users can only see their own boards")
+
+    finally:
+        # Cleanup
+        logger.info("Cleaning up test boards...")
+        await nc_client.deck.delete_board(alice_board_id)
+        await nc_client.deck.delete_board(bob_board_id)
@@ -0,0 +1,425 @@
+"""
+Multi-user OAuth tests for Nextcloud WebDAV file permissions.
+
+Tests verify that the MCP server respects Nextcloud file sharing permissions
+when accessed via OAuth authentication with different users.
+
+All operations (file creation, sharing, access) are performed through MCP tools
+to ensure the MCP server properly supports multi-user scenarios.
+"""
+
+import json
+import logging
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+@pytest.mark.asyncio
+async def test_file_share_read_permissions(
+    alice_mcp_client, bob_mcp_client, diana_mcp_client
+):
+    """
+    Test that shared files respect read permissions.
+
+    Scenario:
+    1. Alice creates a file via MCP
+    2. Alice shares the file with Bob (read-only) via MCP
+    3. Bob can read the file via MCP tools
+    4. Diana cannot access the file (no share)
+    """
+    file_path = "/alice_shared_file_read.txt"
+    file_content = "This file is shared with Bob for reading only."
+
+    # Alice creates a file
+    logger.info(f"Alice creating file: {file_path}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": file_path, "content": file_content},
+    )
+    assert not result.isError, f"Alice failed to create file: {result.content}"
+
+    share_id = None
+
+    try:
+        # Alice shares the file with bob (read-only, permissions=1)
+        logger.info("Alice sharing file with bob (read-only)...")
+        result = await alice_mcp_client.call_tool(
+            "nc_share_create",
+            arguments={
+                "path": file_path,
+                "share_with": "bob",
+                "share_type": 0,
+                "permissions": 1,
+            },
+        )
+        assert not result.isError, f"Alice failed to create share: {result.content}"
+        share_data = json.loads(result.content[0].text)
+        share_id = share_data["id"]
+        logger.info(f"Created share {share_id}")
+
+        # Test: Bob reads the file via MCP
+        logger.info("Bob attempting to read file via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_webdav_read_file", arguments={"path": file_path}
+        )
+
+        # Bob should be able to read the shared file
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            logger.info(
+                f"Bob successfully read file: {response_data.get('content', '')[:50]}..."
+            )
+            assert "content" in response_data
+            assert file_content in response_data["content"]
+        else:
+            logger.warning(f"Bob could not read file: {result.content}")
+            # This might fail if the share path is different for bob
+
+        # Test: Diana attempts to read the file
+        logger.info("Diana attempting to read file via MCP...")
+        result = await diana_mcp_client.call_tool(
+            "nc_webdav_read_file", arguments={"path": file_path}
+        )
+
+        # Diana should NOT be able to read (no share)
+        if result.isError:
+            logger.info("Diana correctly denied access to unshared file")
+        else:
+            logger.warning("Diana unexpectedly could read unshared file")
+
+    finally:
+        # Cleanup - Alice deletes the share and file
+        if share_id:
+            logger.info(f"Alice deleting share {share_id}")
+            await alice_mcp_client.call_tool(
+                "nc_share_delete", arguments={"share_id": share_id}
+            )
+        logger.info(f"Alice deleting file {file_path}")
+        await alice_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": file_path}
+        )
+
+
+@pytest.mark.asyncio
+async def test_file_share_write_permissions(
+    alice_mcp_client, charlie_mcp_client, bob_mcp_client
+):
+    """
+    Test that shared files respect write permissions.
+
+    Scenario:
+    1. Alice creates a file via MCP
+    2. Alice shares the file with Charlie (edit permission) via MCP
+    3. Alice shares the file with Bob (read-only) via MCP
+    4. Charlie can edit the file via MCP tools
+    5. Bob cannot edit the file
+    """
+    file_path = "/alice_shared_file_write.txt"
+    file_content = "This file is shared with Charlie for editing."
+
+    logger.info(f"Alice creating file: {file_path}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": file_path, "content": file_content},
+    )
+    assert not result.isError, f"Alice failed to create file: {result.content}"
+
+    charlie_share_id = None
+    bob_share_id = None
+
+    try:
+        # Alice shares with Charlie (read+write, permissions=3)
+        logger.info("Alice sharing file with Charlie (edit permission)...")
+        result = await alice_mcp_client.call_tool(
+            "nc_share_create",
+            arguments={
+                "path": file_path,
+                "share_with": "charlie",
+                "share_type": 0,
+                "permissions": 3,
+            },
+        )
+        assert not result.isError, (
+            f"Alice failed to share with Charlie: {result.content}"
+        )
+        charlie_share_data = json.loads(result.content[0].text)
+        charlie_share_id = charlie_share_data["id"]
+        logger.info(f"Created share {charlie_share_id} for Charlie")
+
+        # Alice shares with Bob (read-only, permissions=1)
+        logger.info("Alice sharing file with Bob (read-only)...")
+        result = await alice_mcp_client.call_tool(
+            "nc_share_create",
+            arguments={
+                "path": file_path,
+                "share_with": "bob",
+                "share_type": 0,
+                "permissions": 1,
+            },
+        )
+        assert not result.isError, f"Alice failed to share with Bob: {result.content}"
+        bob_share_data = json.loads(result.content[0].text)
+        bob_share_id = bob_share_data["id"]
+        logger.info(f"Created share {bob_share_id} for Bob")
+
+        # Test: Charlie can write to the file
+        logger.info("Charlie attempting to write to file via MCP...")
+        updated_content = f"{file_content}\nCharlie added this line."
+        result = await charlie_mcp_client.call_tool(
+            "nc_webdav_write_file",
+            arguments={"path": file_path, "content": updated_content},
+        )
+
+        if not result.isError:
+            logger.info("Charlie successfully wrote to file")
+        else:
+            logger.warning(f"Charlie could not write to file: {result.content}")
+
+        # Test: Bob attempts to write (should fail)
+        logger.info("Bob attempting to write to file via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_webdav_write_file",
+            arguments={"path": file_path, "content": "Bob tries to overwrite this."},
+        )
+
+        # Bob should be denied
+        if result.isError:
+            logger.info("Bob correctly denied write access")
+        else:
+            logger.warning("Bob unexpectedly succeeded in writing (permissions issue?)")
+
+    finally:
+        # Cleanup - Alice deletes shares and file
+        if charlie_share_id:
+            logger.info(f"Alice deleting Charlie's share {charlie_share_id}")
+            await alice_mcp_client.call_tool(
+                "nc_share_delete", arguments={"share_id": charlie_share_id}
+            )
+        if bob_share_id:
+            logger.info(f"Alice deleting Bob's share {bob_share_id}")
+            await alice_mcp_client.call_tool(
+                "nc_share_delete", arguments={"share_id": bob_share_id}
+            )
+        logger.info(f"Alice deleting file {file_path}")
+        await alice_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": file_path}
+        )
+
+
+@pytest.mark.asyncio
+async def test_file_list_permissions(alice_mcp_client, bob_mcp_client):
+    """
+    Test that file listing respects share permissions.
+
+    Scenario:
+    1. Alice creates her private file via MCP
+    2. Bob creates his private file via MCP
+    3. Alice creates a file and shares it with Bob via MCP
+    4. Alice can list her own files + shared files
+    5. Bob can list his own files + shared files from Alice
+    """
+    alice_file = "/alice_private_file.txt"
+    bob_file = "/bob_private_file.txt"
+    shared_file = "/alice_shared_with_bob.txt"
+
+    # Alice creates her private file
+    logger.info(f"Alice creating private file: {alice_file}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": alice_file, "content": "Alice's private file"},
+    )
+    assert not result.isError, f"Alice failed to create file: {result.content}"
+
+    # Bob creates his private file
+    logger.info(f"Bob creating private file: {bob_file}")
+    result = await bob_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": bob_file, "content": "Bob's private file"},
+    )
+    assert not result.isError, f"Bob failed to create file: {result.content}"
+
+    # Alice creates a shared file
+    logger.info(f"Alice creating shared file: {shared_file}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": shared_file, "content": "Shared file content"},
+    )
+    assert not result.isError, f"Alice failed to create shared file: {result.content}"
+
+    share_id = None
+
+    try:
+        # Alice shares the file with Bob
+        logger.info("Alice sharing file with Bob...")
+        result = await alice_mcp_client.call_tool(
+            "nc_share_create",
+            arguments={
+                "path": shared_file,
+                "share_with": "bob",
+                "share_type": 0,
+                "permissions": 1,
+            },
+        )
+        assert not result.isError, f"Alice failed to create share: {result.content}"
+        share_data = json.loads(result.content[0].text)
+        share_id = share_data["id"]
+
+        # Test: Alice lists files in root
+        logger.info("Alice listing files via MCP...")
+        result = await alice_mcp_client.call_tool(
+            "nc_webdav_list_directory", arguments={"path": "/"}
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            file_names = [f["name"] for f in response_data]
+            logger.info(f"Alice can see files: {file_names}")
+
+            # Alice should see her own files
+            # Note: Exact assertions depend on test isolation
+        else:
+            logger.warning(f"Alice could not list files: {result.content}")
+
+        # Test: Bob lists files in root
+        logger.info("Bob listing files via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_webdav_list_directory", arguments={"path": "/"}
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            file_names = [f["name"] for f in response_data]
+            logger.info(f"Bob can see files: {file_names}")
+
+            # Bob should see his own file, but not Alice's private file
+            # Bob may see shared files in his shared folder or via different path
+        else:
+            logger.warning(f"Bob could not list files: {result.content}")
+
+    finally:
+        # Cleanup
+        if share_id:
+            logger.info(f"Alice deleting share {share_id}")
+            await alice_mcp_client.call_tool(
+                "nc_share_delete", arguments={"share_id": share_id}
+            )
+
+        logger.info("Cleaning up Alice's files...")
+        await alice_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": alice_file}
+        )
+        await alice_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": shared_file}
+        )
+
+        logger.info("Cleaning up Bob's files...")
+        await bob_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": bob_file}
+        )
+
+
+@pytest.mark.asyncio
+async def test_folder_share_permissions(alice_mcp_client, bob_mcp_client):
+    """
+    Test that folder sharing works correctly.
+
+    Scenario:
+    1. Alice creates a folder via MCP
+    2. Alice creates files in the folder via MCP
+    3. Alice shares the folder with Bob via MCP
+    4. Bob can access files in the shared folder via MCP
+    """
+    folder_path = "/alice_shared_folder"
+    file_in_folder = f"{folder_path}/document.txt"
+    file_content = "This is a document in Alice's shared folder"
+
+    # Alice creates folder
+    logger.info(f"Alice creating folder: {folder_path}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_create_directory", arguments={"path": folder_path}
+    )
+    assert not result.isError, f"Alice failed to create folder: {result.content}"
+
+    # Alice creates file in folder
+    logger.info(f"Alice creating file in folder: {file_in_folder}")
+    result = await alice_mcp_client.call_tool(
+        "nc_webdav_write_file",
+        arguments={"path": file_in_folder, "content": file_content},
+    )
+    assert not result.isError, f"Alice failed to create file: {result.content}"
+
+    share_id = None
+
+    try:
+        # Alice shares the folder with Bob
+        logger.info("Alice sharing folder with Bob...")
+        result = await alice_mcp_client.call_tool(
+            "nc_share_create",
+            arguments={
+                "path": folder_path,
+                "share_with": "bob",
+                "share_type": 0,
+                "permissions": 1,
+            },
+        )
+        assert not result.isError, f"Alice failed to create share: {result.content}"
+        share_data = json.loads(result.content[0].text)
+        share_id = share_data["id"]
+        logger.info(f"Created folder share {share_id}")
+
+        # Test: Bob lists the shared folder
+        logger.info("Bob attempting to list shared folder via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_webdav_list_directory", arguments={"path": folder_path}
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            if not isinstance(response_data, list):
+                response_data = [response_data] if response_data else []
+            logger.info(f"Bob can see {len(response_data)} files in shared folder")
+
+            # Bob should see the file in the shared folder
+            file_names = [f["name"] for f in response_data]
+            assert "document.txt" in file_names, (
+                "Bob should see the file in shared folder"
+            )
+        else:
+            logger.warning(f"Bob could not list shared folder: {result.content}")
+
+        # Test: Bob reads the file in the shared folder
+        logger.info("Bob attempting to read file in shared folder via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_webdav_read_file", arguments={"path": file_in_folder}
+        )
+
+        if not result.isError:
+            response_data = json.loads(result.content[0].text)
+            logger.info("Bob successfully read file in shared folder")
+            assert "content" in response_data
+            assert file_content in response_data["content"]
+        else:
+            logger.warning(
+                f"Bob could not read file in shared folder: {result.content}"
+            )
+
+    finally:
+        # Cleanup - Alice deletes the share and folder
+        if share_id:
+            logger.info(f"Alice deleting share {share_id}")
+            await alice_mcp_client.call_tool(
+                "nc_share_delete", arguments={"share_id": share_id}
+            )
+
+        logger.info("Alice cleaning up test folder...")
+        await alice_mcp_client.call_tool(
+            "nc_webdav_delete_resource", arguments={"path": folder_path}
+        )
@@ -0,0 +1,260 @@
+"""
+Multi-user OAuth tests for Nextcloud Notes permissions.
+
+Tests verify that the MCP server respects Nextcloud Notes sharing permissions
+when accessed via OAuth authentication with different users.
+"""
+
+import json
+import logging
+
+import pytest
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [pytest.mark.integration, pytest.mark.oauth]
+
+
+@pytest.mark.asyncio
+async def test_notes_share_read_permissions(
+    nc_client, alice_mcp_client, bob_mcp_client, diana_mcp_client
+):
+    """
+    Test that shared notes respect read permissions.
+
+    Scenario:
+    1. Admin creates a note as alice
+    2. Admin shares the note with bob (read-only)
+    3. Bob can read the note via MCP tools
+    4. Diana cannot access the note (no share)
+    """
+    # Create a note as alice (using admin client to set up data)
+    note_title = "Alice's Shared Note - Read Test"
+    note_content = "This note is shared with Bob for reading only."
+    note_category = "SharedNotes"
+
+    logger.info("Creating note as alice...")
+    created_note = await nc_client.notes.create_note(
+        title=note_title, content=note_content, category=note_category
+    )
+    note_id = created_note.get("id")
+
+    try:
+        # TODO: Share the note with bob (read-only)
+        # Note: Nextcloud Notes API doesn't have direct sharing endpoints
+        # Sharing is typically done at the folder level via WebDAV
+        # For now, this test documents the expected behavior
+
+        # Test: Bob searches for notes via MCP
+        logger.info("Bob searching for notes via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_notes_search_notes", arguments={"query": "Alice's Shared"}
+        )
+
+        assert result.isError is False, f"Bob's search failed: {result.content}"
+        response_data = json.loads(result.content[0].text)
+
+        # Bob should see the shared note in search results
+        # (assuming proper share setup)
+        assert "results" in response_data
+        logger.info(f"Bob found {len(response_data['results'])} notes")
+
+        # Test: Diana searches for the same note
+        logger.info("Diana searching for notes via MCP...")
+        result = await diana_mcp_client.call_tool(
+            "nc_notes_search_notes", arguments={"query": "Alice's Shared"}
+        )
+
+        assert result.isError is False
+        response_data = json.loads(result.content[0].text)
+
+        # Diana should NOT see the note (no share)
+        assert "results" in response_data
+        shared_note_ids = [
+            n["id"] for n in response_data["results"] if n["id"] == note_id
+        ]
+        assert len(shared_note_ids) == 0, "Diana should not see unshared note"
+        logger.info("Diana correctly cannot see unshared note")
+
+    finally:
+        # Cleanup
+        logger.info(f"Cleaning up note {note_id}")
+        await nc_client.notes.delete_note(note_id)
+
+
+@pytest.mark.asyncio
+async def test_notes_share_write_permissions(
+    nc_client, alice_mcp_client, charlie_mcp_client, bob_mcp_client
+):
+    """
+    Test that shared notes respect write permissions.
+
+    Scenario:
+    1. Admin creates a note as alice
+    2. Admin shares the note with charlie (edit permission)
+    3. Admin shares the note with bob (read-only)
+    4. Charlie can edit the note via MCP tools
+    5. Bob cannot edit the note
+    """
+    # Create a note as alice
+    note_title = "Alice's Shared Note - Write Test"
+    note_content = "This note is shared with Charlie for editing."
+    note_category = "SharedNotes"
+
+    logger.info("Creating note as alice...")
+    created_note = await nc_client.notes.create_note(
+        title=note_title, content=note_content, category=note_category
+    )
+    note_id = created_note.get("id")
+
+    try:
+        # TODO: Share the note with charlie (edit permission) and bob (read-only)
+        # Note: Nextcloud Notes sharing is folder-based
+
+        # Test: Charlie can append content to the note
+        logger.info("Charlie attempting to append content via MCP...")
+        result = await charlie_mcp_client.call_tool(
+            "nc_notes_append_content",
+            arguments={
+                "note_id": note_id,
+                "content": "\n\nCharlie added this content.",
+            },
+        )
+
+        # If sharing is properly configured, Charlie should succeed
+        # Without proper sharing setup, this will fail
+        logger.info(f"Charlie's append result: isError={result.isError}")
+        if not result.isError:
+            logger.info("Charlie successfully appended content (shares configured)")
+        else:
+            logger.warning("Charlie could not append (shares not yet configured)")
+
+        # Test: Bob attempts to append content (should fail)
+        logger.info("Bob attempting to append content via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_notes_append_content",
+            arguments={"note_id": note_id, "content": "\n\nBob tried to add this."},
+        )
+
+        # Bob should fail (read-only access)
+        logger.info(f"Bob's append result: isError={result.isError}")
+        if result.isError:
+            logger.info("Bob correctly denied write access")
+        else:
+            logger.warning("Bob unexpectedly succeeded (permissions issue?)")
+
+    finally:
+        # Cleanup
+        logger.info(f"Cleaning up note {note_id}")
+        await nc_client.notes.delete_note(note_id)
+
+
+@pytest.mark.asyncio
+async def test_user_isolation_notes(nc_client, alice_mcp_client, bob_mcp_client):
+    """
+    Test that users can only see their own notes when not shared.
+
+    Scenario:
+    1. Admin creates a note as alice (not shared)
+    2. Admin creates a note as bob (not shared)
+    3. Alice can only see her own note
+    4. Bob can only see his own note
+    """
+    # Create alice's note
+    logger.info("Creating alice's private note...")
+    alice_note = await nc_client.notes.create_note(
+        title="Alice's Private Note",
+        content="This is Alice's private content.",
+        category="AlicePrivate",
+    )
+    alice_note_id = alice_note.get("id")
+
+    # Create bob's note
+    logger.info("Creating bob's private note...")
+    bob_note = await nc_client.notes.create_note(
+        title="Bob's Private Note",
+        content="This is Bob's private content.",
+        category="BobPrivate",
+    )
+    bob_note_id = bob_note.get("id")
+
+    try:
+        # Test: Alice searches all notes
+        logger.info("Alice searching all notes via MCP...")
+        result = await alice_mcp_client.call_tool(
+            "nc_notes_search_notes", arguments={"query": ""}
+        )
+
+        assert result.isError is False
+        response_data = json.loads(result.content[0].text)
+        alice_notes = response_data.get("results", [])
+        alice_note_ids = [n["id"] for n in alice_notes]
+
+        logger.info(f"Alice can see {len(alice_notes)} notes")
+        # Alice should NOT see Bob's note
+        assert bob_note_id not in alice_note_ids, (
+            "Alice should not see Bob's private note"
+        )
+
+        # Test: Bob searches all notes
+        logger.info("Bob searching all notes via MCP...")
+        result = await bob_mcp_client.call_tool(
+            "nc_notes_search_notes", arguments={"query": ""}
+        )
+
+        assert result.isError is False
+        response_data = json.loads(result.content[0].text)
+        bob_notes = response_data.get("results", [])
+        bob_note_ids = [n["id"] for n in bob_notes]
+
+        logger.info(f"Bob can see {len(bob_notes)} notes")
+        # Bob should NOT see Alice's note
+        assert alice_note_id not in bob_note_ids, (
+            "Bob should not see Alice's private note"
+        )
+
+        logger.info("User isolation test passed: users can only see their own notes")
+
+    finally:
+        # Cleanup
+        logger.info("Cleaning up test notes...")
+        await nc_client.notes.delete_note(alice_note_id)
+        await nc_client.notes.delete_note(bob_note_id)
+
+
+@pytest.mark.asyncio
+async def test_oauth_mcp_clients_initialized(
+    alice_mcp_client, bob_mcp_client, charlie_mcp_client, diana_mcp_client
+):
+    """
+    Smoke test to verify all OAuth MCP clients are properly initialized.
+    """
+    logger.info("Testing alice_mcp_client initialization...")
+    result = await alice_mcp_client.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+    assert result.isError is False, f"Alice MCP client failed: {result.content}"
+    logger.info("Alice MCP client working")
+
+    logger.info("Testing bob_mcp_client initialization...")
+    result = await bob_mcp_client.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+    assert result.isError is False, f"Bob MCP client failed: {result.content}"
+    logger.info("Bob MCP client working")
+
+    logger.info("Testing charlie_mcp_client initialization...")
+    result = await charlie_mcp_client.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+    assert result.isError is False, f"Charlie MCP client failed: {result.content}"
+    logger.info("Charlie MCP client working")
+
+    logger.info("Testing diana_mcp_client initialization...")
+    result = await diana_mcp_client.call_tool(
+        "nc_notes_search_notes", arguments={"query": ""}
+    )
+    assert result.isError is False, f"Diana MCP client failed: {result.content}"
+    logger.info("Diana MCP client working")
+
+    logger.info("All OAuth MCP clients successfully initialized!")
@@ -0,0 +1,108 @@
+import pytest
+from nextcloud_mcp_server.client import NextcloudClient
+
+
+@pytest.mark.asyncio
+async def test_create_and_delete_user(nc_client: NextcloudClient, test_user):
+    """Test creating a user and verifying deletion (cleanup by fixture)."""
+    user_config = test_user
+
+    # Create user
+    await nc_client.users.create_user(**user_config)
+
+    # Verify user exists
+    users = await nc_client.users.search_users(search=user_config["userid"])
+    assert user_config["userid"] in users
+
+    user_details = await nc_client.users.get_user_details(user_config["userid"])
+    assert user_details.id == user_config["userid"]
+    assert user_details.displayname == user_config["display_name"]
+    assert user_details.email == user_config["email"]
+
+    # Test deletion explicitly as part of test functionality
+    await nc_client.users.delete_user(user_config["userid"])
+
+    # Verify user is deleted
+    users = await nc_client.users.search_users(search=user_config["userid"])
+    assert user_config["userid"] not in users
+    # Note: Fixture cleanup will also try to delete but handle 404 gracefully
+
+
+@pytest.mark.asyncio
+async def test_update_user_field(nc_client: NextcloudClient, test_user):
+    """Test updating user fields."""
+    user_config = test_user
+
+    await nc_client.users.create_user(**user_config)
+
+    new_email = f"new.{user_config['email']}"
+    await nc_client.users.update_user_field(user_config["userid"], "email", new_email)
+
+    user_details = await nc_client.users.get_user_details(user_config["userid"])
+    assert user_details.email == new_email
+    # Fixture will handle cleanup
+
+
+@pytest.mark.asyncio
+async def test_user_groups(nc_client: NextcloudClient, test_user_in_group):
+    """Test adding and removing users from groups."""
+    user_config, groupid = test_user_in_group
+    userid = user_config["userid"]
+
+    # Verify user is in group
+    groups = await nc_client.users.get_user_groups(userid)
+    assert groupid in groups
+
+    # Remove user from group
+    await nc_client.users.remove_user_from_group(userid, groupid)
+    groups = await nc_client.users.get_user_groups(userid)
+    assert groupid not in groups
+    # Fixtures will handle cleanup
+
+
+@pytest.mark.asyncio
+async def test_user_subadmins(nc_client: NextcloudClient, test_user, test_group):
+    """Test promoting and demoting subadmins."""
+    user_config = test_user
+    groupid = test_group
+    userid = user_config["userid"]
+
+    await nc_client.users.create_user(**user_config)
+
+    # Promote to subadmin
+    await nc_client.users.promote_user_to_subadmin(userid, groupid)
+    subadmin_groups = await nc_client.users.get_user_subadmin_groups(userid)
+    assert groupid in subadmin_groups
+
+    # Demote from subadmin
+    await nc_client.users.demote_user_from_subadmin(userid, groupid)
+    subadmin_groups = await nc_client.users.get_user_subadmin_groups(userid)
+    assert groupid not in subadmin_groups
+    # Fixtures will handle cleanup
+
+
+@pytest.mark.asyncio
+async def test_disable_enable_user(nc_client: NextcloudClient, test_user):
+    """Test disabling and enabling users."""
+    user_config = test_user
+    userid = user_config["userid"]
+
+    await nc_client.users.create_user(**user_config)
+
+    # Disable user
+    await nc_client.users.disable_user(userid)
+    user_details = await nc_client.users.get_user_details(userid)
+    assert not user_details.enabled
+
+    # Enable user
+    await nc_client.users.enable_user(userid)
+    user_details = await nc_client.users.get_user_details(userid)
+    assert user_details.enabled
+    # Fixture will handle cleanup
+
+
+@pytest.mark.asyncio
+async def test_get_editable_user_fields(nc_client: NextcloudClient):
+    editable_fields = await nc_client.users.get_editable_user_fields()
+    assert "displayname" in editable_fields
+    assert "email" in editable_fields
--- a/Show More
+++ b/Show More