Minor polishing

danbarr · danbarr · commit a5719e90ed91 · 2025-06-24T10:41:31.000-04:00
diff --git a/docs/toolhive/guides-cli/custom-permissions.mdx b/docs/toolhive/guides-cli/custom-permissions.mdx
@@ -1,8 +1,8 @@
 ---
 title: Custom permissions
 description:
-  How to create and apply custom permission profiles for MCP servers in
-  ToolHive.
+  How to create and apply filesystem permissions and network isolation for MCP
+  servers using permission profiles in ToolHive.
 sidebar_position: 50
 ---
 
@@ -40,17 +40,18 @@ Profiles include the following sections:
   the container's file system.
 - `write`: List of file system paths that the MCP server can write to (this also
   implies read access).
-- `network`: Network access rules for outbound connections.
+- `network`: Network access rules for outbound connections (see
+  [Network isolation](#network-isolation) for details):
   - `outbound`: Outbound network access rules, which include:
     - `insecure_allow_all`: If set to `true`, allows unrestricted outbound
       network access. This isn't recommended for production use.
-    - `allow_transport`: List of allowed transport protocols (e.g., `tcp`,
-      `udp`).
     - `allow_host`: List of allowed hostnames or IP addresses for outbound
       connections. To allow all subdomains of a domain, prefix the domain with a
       period (e.g., `.github.com` allows any subdomain of `github.com`).
       Wildcards are not supported.
     - `allow_port`: List of allowed ports for outbound connections.
+    - `allow_transport`: List of allowed transport protocols (e.g., `tcp`,
+      `udp`).
 
 ## Default permissions in the ToolHive registry
 
@@ -100,8 +101,8 @@ output in JSON format for easier customization. Use the contents of the
 ToolHive includes two built-in profiles that you can use without creating a
 custom file:
 
-- The `network` profile permits outbound network access. It's the default
-  profile applied to MCP servers when you run a server without the
+- The `network` profile permits all outbound network access. It's the default
+  profile applied to MCP servers when you run a custom server without the
   `--permission-profile` flag.
 
   :::important
@@ -116,7 +117,7 @@ custom file:
   that don't require any external connectivity. File system access is limited to
   paths you explicitly mount using the `--volume` flag.
 
-## Create a custom permissions profile
+## Create a custom permission profile
 
 Create a JSON file with your desired permissions, like `~/custom-profile.json`.
 For example:
@@ -144,7 +145,7 @@ This profile:
 - Allows outbound TCP or UDP connections to `localhost` and `google.com`
   (including subdomains) on ports 80 and 443
 
-## Apply a permissions profile
+## Apply a permission profile
 
 ### Using a built-in profile
 
@@ -177,11 +178,12 @@ thv run --isolate-network --permission-profile </path/to/custom-profile.json> <s
 
 ## Network isolation
 
-To enforce the network access rules defined in your permission profile, use the
-`--isolate-network` flag when running the MCP server:
+To enforce the network access rules defined in the registry or your custom
+permission profile, use the `--isolate-network` flag when running the MCP
+server:
 
 ```bash
-thv run --isolate-network --permission-profile </path/to/custom-profile.json> <server-name>
+thv run --isolate-network [--permission-profile </path/to/custom-profile.json>] <server-name>
 ```
 
 When you enable network isolation, ToolHive creates a secure network
@@ -208,7 +210,7 @@ ToolHive creates two separate networks in the container runtime:
 - An internal network (`toolhive-<server-name>-internal`) for each MCP server
   that isolates it from external access
 
-The MCP server container connects only to the internal network, while the proxy
+The MCP server container only connects to the internal network, while the proxy
 and DNS containers connect to both networks. This design ensures that all
 network traffic flows through controlled points, allowing ToolHive to enforce
 the access rules you specify in your permission profile.
diff --git a/docs/toolhive/guides-cli/secrets-management.mdx b/docs/toolhive/guides-cli/secrets-management.mdx
@@ -15,7 +15,7 @@ configuration files.
 
 ## Secrets providers
 
-ToolHive supports multiple secret providers:
+ToolHive supports multiple secrets providers:
 
 - `encrypted` (default) - ToolHive encrypts secrets using a password that it
   stores in your operating system's keyring.
