I ran into the exact same 406 confusion last week when wiring up an MCP server. The Accept header trick is elegant, but I'm wondering — how do you handle clients that send `Accept: /`? Some older HTTP libraries do this by default and it'd match both html and json conditions.
A 7-day cooldown feels like a low-effort band-aid. The real fix is probably reproducible builds + signed attestations, but most teams won't pay that tax until they've already been burned.