pub fn sanitize_root_patch(patch_obj: &mut Map<String, Value>)Expand description
Remove forbidden fields from a config patch before application.
Strips encrypted auth material, data_dir, and MCP secret fields that should never be set directly by clients.