CommunityConfiguration's configuration reader needs to only allow loading a subset of MediaWiki configuration variables from it. If that would not be the case, admins would be able to configure anything (including sensitive variables like wgGroupPermissions or wgRawHTML), which is not desirable. To avoid that, we need to allow CommunityConfiguration clients to define a list of MediaWiki configuration variables they mark as community configurable by a given provider. Then, CommunityConfiguration could verify requirements listed in this allowlist are met.

As of now, CommunityConfiguration's validation layer prescribes Ivalidator::getSupportedTopLevelKeys needs to be implemented. The original idea was to make a validator return a list of allowed top-level keys in a configuration page, and when a page contains MediaWiki config, interpret this allowlist as a list of MediaWiki config variables name. However, this design is probably not ideal – non-MW config uses of CommunityConfiguration don't have a fixed allowlist. For example, https://cs.wikipedia.org/wiki/mediawiki:NewcomerTasks.json is currently written with community-defined tasks being a possibility in the future, and a fixed allowlist of top-level keys would break that assumption.

An alternate approach could be moving this down to the provider level, and instead create a way to read the schema itself (by T351232, for example).