diff --git a/RUNBOOK.md b/RUNBOOK.md index 4b40e59..5cca4b0 100644 --- a/RUNBOOK.md +++ b/RUNBOOK.md @@ -187,6 +187,56 @@ grpcurl -cacert ca.pem -cert client.pem -key client-key.pem \ -d '{"rule": {"type": "FIREWALL_RULE_TYPE_IP", "value": "203.0.113.50"}}' ``` +## Deployment with MCP + +mc-proxy runs on rift as a single container managed by MCP. The service +definition lives at `~/.config/mcp/services/mc-proxy.toml` on rift (reference +copy at `deploy/mc-proxy-rift.toml` in this repo). The container mounts +`/srv/mc-proxy` which holds the config file, SQLite database, GeoIP database, +and TLS certificates for backends. It runs as `--user 0:0` under rootless +podman. + +Listeners: `:443` (L7 terminating), `:8443` (L4 passthrough), `:9443` (L4 +passthrough). + +### Deploy or Update + +```bash +mcp deploy mc-proxy +``` + +### Restart / Stop + +```bash +mcp restart mc-proxy +mcp stop mc-proxy +``` + +### Check Status + +```bash +mcp ps +mcp status mc-proxy +``` + +### View Logs + +```bash +ssh rift 'doas su - mcp -s /bin/sh -c "podman logs mc-proxy"' +``` + +### Update Routes + +Edit the config at `/srv/mc-proxy/mc-proxy.toml` on rift, then restart: + +```bash +mcp restart mc-proxy +``` + +Routes added at runtime via the gRPC admin API are persisted in the database +and survive restarts. Editing the TOML config is only necessary for changing +listener definitions or static seed routes. + ## Incident Procedures ### Proxy Not Starting
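Review bot: The "Update Routes" section leads with "Edit the config at `/srv/mc-proxy/mc-proxy.toml` on rift, then restart", but its closing paragraph says TOML edits are only needed for listener definitions or static seed routes, so an operator who stops reading at the code block will restart the single container (dropping `:443`, `:8443` and `:9443` together) for a change the gRPC admin API could have made live. Suggest putting the admin API path first, pointing at the grpcurl example directly above this section, and moving the edit-and-restart steps under a heading such as "Change Listeners or Seed Routes". It would also help to state whether an edited seed route is applied on restart when the database already holds routes, since "seed" leaves that open. Separately, the sentence "It runs as `--user 0:0` under rootless podman" would benefit from one line on why UID 0 is required and which host account it maps to (rootless podman maps container UID 0 to the user that launched the container), and a note on the expected ownership and mode of `/srv/mc-proxy`, since that directory holds the TLS material and the SQLite database.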