diff --git a/nginx/conf.d/default.conf b/nginx/conf.d/default.conf
index 3c1697b..cd6bb87 100644
--- a/nginx/conf.d/default.conf
+++ b/nginx/conf.d/default.conf
@@ -422,6 +422,21 @@ server {
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
     ssl_prefer_server_ciphers off;
 
+    # CRA MCP server for the external repo-scanner (Streamable HTTP + Bearer).
+    # Separate container (bp-compliance-mcp:8099); buffering off for SSE streaming.
+    location /mcp {
+        set $upstream_mcp bp-compliance-mcp:8099;
+        proxy_pass http://$upstream_mcp;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header Connection "";
+        proxy_buffering off;
+        proxy_read_timeout 3600s;
+    }
+
     location / {
         set $upstream_compliance bp-compliance-backend:8002;
         proxy_pass http://$upstream_compliance;