docs(config): document admin clean room policy in config example #5

Closed
crypdick wants to merge 0 commit into main from docs/admin-clean-room-config-example

@crypdick
Owner

Summary

  • Adds a CLEAN ROOM POLICY warning block after the admin sandbox examples in config.toml.EXAMPLE, explaining that admin workspaces cannot have public_source = true MCPs (or undeclared MCPs, which default to public_source = true), that Pynchy refuses to start if violated, and linking to the docs
  • Fixes the misleading mcp_servers = ["all"] admin sandbox example — using "all" fails validation if any declared server has public_source = true, which is the default; replaced with a ["caldav"] example and an explanatory comment
  • Adds # pragma: allowlist secret to pre-existing fake CalDAV passwords in the example to unblock detect-secrets

Context

Motivated by today's incident where pynchy-server crash-looped after pulling the admin clean room enforcement commit (0713e6a), because admin-1 and admin-2 both had playwright (which has public_source = true) in their mcp_servers. The config example had no indication this was invalid.

Test plan

  • uv run mkdocs build --strict passes (no broken links)
  • detect-secrets pre-commit hook passes

@crypdick crypdick closed this Feb 26, 2026
@crypdick crypdick force-pushed the docs/admin-clean-room-config-example branch from 606ed0f to 214e369 Compare February 26, 2026 00:59
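
An added sketch, not Pynchy's own code and not part of this pull request, of the clean room check the description refers to: an admin workspace is rejected if any MCP server it resolves to is public-source, with undeclared servers and declared servers that omit the flag both treated as public_source = true. The dict layout, the `workspaces` and `is_admin` keys, and the `notebook` and `slack` server names are assumptions for illustration; `mcp_servers`, `public_source`, `"all"`, `playwright` and `caldav` come from the description above.

```python
# Added illustration; the dict layout and the "is_admin"/"workspaces" keys are assumptions.
PUBLIC_SOURCE_DEFAULT = True  # PR text: public_source = true is the default

# Constructed sample config (as if already parsed from TOML).
SAMPLE = {
    "mcp_servers": {
        "playwright": {"public_source": True},
        "caldav": {"public_source": False},
        "notebook": {},  # hypothetical server with no flag: default applies
    },
    "workspaces": {
        "admin-1": {"is_admin": True, "mcp_servers": ["all"]},
        "admin-2": {"is_admin": True, "mcp_servers": ["caldav"]},
        "admin-3": {"is_admin": True, "mcp_servers": ["caldav", "slack"]},
        "research": {"is_admin": False, "mcp_servers": ["playwright"]},
    },
}

def resolve_servers(requested, declared):
    """Expand the "all" shorthand to every declared server name."""
    return sorted(declared) if "all" in requested else list(requested)

def clean_room_violations(config):
    """Return (workspace, server, reason) for each admin clean-room breach."""
    declared = config.get("mcp_servers", {})
    found = []
    for ws_name, ws in config.get("workspaces", {}).items():
        if not ws.get("is_admin", False):
            continue  # policy applies to admin workspaces only
        for server in resolve_servers(ws.get("mcp_servers", []), declared):
            if server not in declared:
                found.append((ws_name, server, "undeclared, treated as public_source = true"))
            elif declared[server].get("public_source", PUBLIC_SOURCE_DEFAULT):
                found.append((ws_name, server, "public_source = true"))
    return found

def validate_or_refuse(config):
    """Fail closed at startup, mirroring the refuse-to-start behaviour."""
    violations = clean_room_violations(config)
    if violations:
        lines = [f"{ws}: {srv} ({why})" for ws, srv, why in violations]
        raise ValueError("admin clean room policy violated:\n" + "\n".join(lines))

if __name__ == "__main__":
    for row in clean_room_violations(SAMPLE):
        print(row)
```

Running the same check in CI against the deployed config before pulling an enforcement change would surface the violating workspaces as a readable list instead of a crash loop.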