diff --git a/configuration.nix b/configuration.nix
index 2af8ca7..3b0f4a1 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -174,9 +174,8 @@ in
     defaults.email = "dlei@duck.com";
   };
 
-  # Allow deprecated olm library for Matrix bridges
-  # Note: olm is deprecated with known CVEs but required by mautrix bridges
-  # This is necessary for Matrix bridge functionality until alternatives are available
+  # Allow deprecated olm library for Matrix bridges (maubot uses mautrix which needs olm)
+  # Note: Also permitted in flake.nix for pkgs-unstable (mautrix-slack)
   nixpkgs.config.permittedInsecurePackages = [
     "olm-3.2.16"
   ];
diff --git a/hosts/ops-jrz1-vm.nix b/hosts/ops-jrz1-vm.nix
index 0ea39e1..8f338fc 100644
--- a/hosts/ops-jrz1-vm.nix
+++ b/hosts/ops-jrz1-vm.nix
@@ -19,12 +19,7 @@
     # Note: Skip matrix-secrets for VM (no sops-nix in VM)
   ];
 
-  # Allow deprecated olm library for Matrix bridges (VM testing only)
-  # Note: olm is deprecated with known CVEs but required by mautrix bridges
-  # This is acceptable for local testing; production should migrate to newer crypto
-  nixpkgs.config.permittedInsecurePackages = [
-    "olm-3.2.16"
-  ];
+  # Note: olm-3.2.16 is permitted in flake.nix where pkgs-unstable is defined
 
   # VM-specific settings
   networking.hostName = "ops-jrz1-vm";