potiuk opened a new pull request, #279: URL: https://github.com/apache/airflow-steward/pull/279

## Summary

Re-point the PonyMail MCP setup documentation at the official ASF implementation at [`apache/comdev`'s `mcp/ponymail-mcp/`](https://github.com/apache/comdev/tree/main/mcp/ponymail-mcp). The `rbowen/ponymail-mcp` fork that the framework previously documented has been promoted into ComDev as the canonical ASF MCP for PonyMail; the install shape and tooling differ enough that adopters following the old docs verbatim would silently end up with the wrong setup.

### What changes for adopters

| Area | Before | After |
|---|---|---|
| Source | `rbowen/ponymail-mcp` (Python, `uv tool install`) | `apache/comdev` `mcp/ponymail-mcp/` (Node.js 20+, `git clone` + `npm install`) |
| MCP entry | `"command": "ponymail-mcp"` (on `PATH`) | `"command": "node"`, `"args": ["/abs/path/.../index.js"]` |
| Private lists | Available with LDAP cookie | **Default-denied**; opt-in per list via `PONYMAIL_ALLOWED_LISTS` |
| Session cookie path | `~/.ponymail-mcp/session.json` | unchanged |
| Tool catalogue | `mcp__ponymail__*` (search / get_email / get_thread / auth / list_restrictions / …) | unchanged |

The biggest behavioural delta is the default-deny on private lists in the comdev implementation — added there as a guardrail against accidental LLM ingestion of confidential content. Adopters with private-list reads (most security teams) need to declare their `<security-list>` / `<private-list>` in `PONYMAIL_ALLOWED_LISTS`.

### Files touched

- `tools/ponymail/tool.md` — install + registration recipe + env-var note.
- `tools/ponymail/operations.md` — header backend pointer.
- `docs/prerequisites.md` — "on the horizon" paragraph rewritten; PMC-gate paragraph softened.
- `.claude/skills/security-cve-allocate/SKILL.md` — drop "on the horizon" phrase.

## Test plan

- [x] `prek run` on touched files — all hooks pass.
- [x] Verified the session cookie path is unchanged against `comdev/mcp/ponymail-mcp/auth.js:30-31`, so existing docs about `~/.ponymail-mcp/session.json` remain correct.
- [x] Tested the recipe end-to-end on my own setup — `claude mcp add ponymail node /abs/path/to/comdev/mcp/ponymail-mcp/index.js -s user` connects ✓.
- [ ] First adopter running the new recipe surfaces any rough edges (especially around `PONYMAIL_ALLOWED_LISTS` wording).
