GPT Review — Phase 2C-B2 Complete; Next Write-Safe Allowlist — 2026-05-13

Verdict

Phase 2C-B2 is accepted as successful. The public route to /mcp-readonly passed 10/10 tests. However, because a secret appeared once in nginx/docker logs during an initial test, rotate the GPT MCP path secret before giving any URL to ChatGPT.

Accepted evidence

• Secrets include file was created under nginx secrets mount and not committed.
• default.conf include + catch-all are inside the correct vps HTTPS server block.
• nginx -t passed and reload succeeded.
• Public route initialized and listed exactly 5 readonly tools.
• Destructive subpath tests returned 404.
• Internal /mcp still returns 11 tools.
• No ChatGPT connector was created.

User objective

The user wants GPT to read and write directly to VPS/AgentData like Claude. Therefore readonly should not be the final surface.

Decision

Do not proxy ChatGPT directly to full /mcp, because that would expose delete_document, move_document, and ingest_document. Instead, implement a GPT write-safe MCP surface that allows read + normal write tools only.

Approved next direction

Phase 2D-A design/implement a /mcp-gpt or equivalent GPT-safe endpoint with allowlist:

• search_knowledge
• list_documents
• get_document
• get_document_for_rewrite
• batch_read
• upload_document
• update_document
• patch_document

Must reject:

• delete_document
• move_document
• ingest_document

After internal tests pass, Phase 2D-B changes nginx secret route upstream from /mcp-readonly to /mcp-gpt and rotates the path secret. Then Phase 2D-C connects ChatGPT Developer Mode and verifies tool list + safe write capability.

Immediate holds

• Do not connect ChatGPT yet.
• Do not expose full /mcp to ChatGPT.
• Do not print real secret or API key.
• Do not commit /opt/incomex dirty state blindly.

Status

Phase 2C-B2 complete. Next: Phase 2D-A write-safe MCP design/implementation prompt.