Commit 8442f97

jpicklyk and claude committed
docs: scope config mount to .taskorchestrator/ only — not entire project
Previously the advanced config mounted the whole project workspace into the container, giving the MCP server read access to all source files, .env, etc. Mount only the .taskorchestrator/ subfolder instead. The container's /project path contains nothing else, eliminating unnecessary filesystem exposure.

No code change required — AGENT_CONFIG_DIR resolves config.yaml via .taskorchestrator/ subdirectory convention, so mount path is the fix.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent f8b3e1c commit 8442f97

1 file changed

+4
-2
lines changed

README.md

Lines changed: 4 additions & 2 deletions
@@ -110,7 +110,7 @@ Configure your client with the same JSON as Option A above. STDIO transport work
110110

111111
By default the server runs in schema-free mode — all 13 tools work with no additional configuration. If you want to define custom note schemas that gate role transitions (e.g., require an acceptance-criteria note before a work item can advance), you can point the server at your project's `.taskorchestrator/config.yaml`.
112112

113-
Add the project mount to your **Option B** `.mcp.json` only (not the global Option A registration — a globally-registered server should not have its schema config vary per project):
113+
Add the config mount to your **Option B** `.mcp.json` only (not the global Option A registration — a globally-registered server should not have its schema config vary per project):
114114

115115
```json
116116
{
@@ -120,7 +120,7 @@ Add the project mount to your **Option B** `.mcp.json` only (not the global Opti
120120
"args": [
121121
"run", "--rm", "-i",
122122
"-v", "mcp-task-data:/app/data",
123-
"-v", "${workspaceFolder}:/project:ro",
123+
"-v", "${workspaceFolder}/.taskorchestrator:/project/.taskorchestrator:ro",
124124
"-e", "AGENT_CONFIG_DIR=/project",
125125
"ghcr.io/jpicklyk/task-orchestrator:latest"
126126
]
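
Review bot: The new `-v` line bind-mounts `${workspaceFolder}/.taskorchestrator` with the short `-v` syntax, and Docker creates a missing host path as an empty directory when `-v` is used. A project that has no `.taskorchestrator/` folder will therefore get one created silently, and the server starts with `AGENT_CONFIG_DIR=/project` pointing at an empty config directory. Suggest either stating in the README that the folder must exist before this config is used, or switching to `--mount type=bind,source=${workspaceFolder}/.taskorchestrator,target=/project/.taskorchestrator,readonly`, which fails instead of creating the path.
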
@@ -129,6 +129,8 @@ Add the project mount to your **Option B** `.mcp.json` only (not the global Opti
129129
}
130130
```
131131

132+
> **Security note:** Only the `.taskorchestrator/` folder is mounted — the server has no access to the rest of your project. The container's `/project` path contains nothing else.
133+
132134
See [Workflow Guide](current/docs/workflow-guide.md) for the `.taskorchestrator/config.yaml` schema format and examples.
133135

134136
### Step 3: Claude Code Plugin (optional)
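
Review bot: The added security note says "Only the `.taskorchestrator/` folder is mounted", but the args block above still mounts the `mcp-task-data:/app/data` volume, so the sentence is accurate only for project files. Suggest wording it as "Only the `.taskorchestrator/` folder of your project is mounted, and it is read-only". It would also help to tell readers who copied the earlier `${workspaceFolder}:/project:ro` line to replace it, since their existing `.mcp.json` keeps exposing the whole workspace until they do.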
