docs: clarify allow_private_registry_fetch is a blanket SSRF opt-out (MCP-3206)

[Dumbris]

Summary

Docs-only clarification surfaced in the v0.45.0 QA pass (SSRF-05, MCP-1076/#745).

The allow_private_registry_fetch flag is all-or-nothing: when true it lifts the registry SSRF guard for every non-routable range at once — loopback, RFC1918/CGNAT private, link-local and the 169.254.169.254 cloud-metadata endpoint. So enabling it for a localhost dev registry also re-opens the cloud-metadata SSRF vector (verified: registry add-source https://169.254.169.254/... then succeeds). This is by design, but a sharp edge worth spelling out.

Changes (docs-only)

• internal/config/config.go — expand the AllowPrivateRegistryFetch doc comment to state the blanket nature, the cloud-metadata re-exposure, the trusted-host recommendation, and that the flag only takes effect on daemon (re)start / config reload.
• docs/configuration.md — add a ⚠️ callout under the SSRF-guard section.
• docs/registries.md — add the opt-out note alongside the existing SSRF guard description.
• oas/swagger.yaml / oas/docs.go — regenerated (swag derives the schema description from the config doc comment).

Verification

• gofmt -l clean; go build ./internal/config/ ok.
• make swagger regenerated and committed; pre-push swagger-verify passes.

Provenance: QA report ~/mcpproxy-qa/mcpproxy-qa-v0.45.0.html (SSRF-05 + security note).

Related #745

[cloudflare-workers-and-pages]

Deploying mcpproxy-docs with    Cloudflare Pages

Latest commit:	f4d706d
Status:	✅  Deploy successful!
Preview URL:	https://10bbc79f.mcpproxy-docs.pages.dev
Branch Preview URL:	https://docs-mcp-3206-ssrf-optout-cl.mcpproxy-docs.pages.dev

View logs

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

📦 Build Artifacts

Workflow Run: View Run
Branch: docs/mcp-3206-ssrf-optout-clarify

Available Artifacts

• archive-darwin-amd64 (28 MB)
• archive-darwin-arm64 (25 MB)
• archive-linux-amd64 (16 MB)
• archive-linux-arm64 (14 MB)
• archive-windows-amd64 (28 MB)
• archive-windows-arm64 (25 MB)
• frontend-dist-pr (0 MB)
• installer-dmg-darwin-amd64 (21 MB)
• installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

1. Go to the workflow run page linked above
2. Scroll to the bottom "Artifacts" section
3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 28118907756 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

[github-actions]

Approved (CEO fallback MCP-3392 / MCP-3066): review verdict ACCEPT at f4d706d. Docs + comment-only PR; qa-gate blessed by CEO after confirming no functional Go changes. Arming auto-merge.