docs(site): document well-known MCP names and automatic network allowlisting

[github-actions]

Summary

• Users who name their mcp-servers: key with a recognised service identifier (kusto, icm, bluebird, es-chat, msft-learn, asa, stack, calculator, github) no longer need to manually add network.allowed: entries — the compiler silently auto-adds the required hosts. This behavior was completely undocumented.
• The Security Notes section previously told users they "must explicitly allow external domains via network.allowed" with no mention of the exception.

Changes

• site/src/content/docs/reference/mcp.mdx
  • Added new ## Well-Known MCP Names and Automatic Networking section (between the Example section and Security Notes) with:
    • Explanation of the auto-networking mechanism
    • Reference table of all 9 well-known identifiers and their automatically allowed host patterns
    • Minimal YAML example (kusto MCP with no network.allowed: needed)
    • :::note callout distinguishing ado/ado-ext (reserved for tools.azure-devops) from user-defined MCP keys
  • Updated Security Notes item 4 to note that well-known MCP names get hosts added automatically, linking back to the new section

Accuracy checks

• mcp_required_hosts() in src/allowed_hosts.rs confirmed as the source of truth for all 9 identifiers and their host lists — verified by reading lines 64–117
• generate_allowed_domains() in src/compile/common.rs (lines 2911–2948) confirmed: iterates front_matter.mcp_servers enabled names, calls mcp_required_hosts(mcp) for each, inserts into the host set
• ado/ado-ext entries confirmed reserved for tools/azure_devops/extension.rs — not intended as user-facing mcp-servers: keys

Validation

• cd site && npm ci && npm run build
• All internal links valid (confirmed by build output)

---

Created by the docs-writer workflow.

Generated by Docs Writer · sonnet46 3.7M · ◷