MCP Gateway Compliance Review — 2026-03-30

Summary
Found 1 compliance issue during daily review of commit 7e969ac (grafted HEAD).
The specification was updated to version 1.9.0 (adding the trustedBots field, Section 7.5, and compliance test T-AUTH-006). The trustedBots feature is fully implemented in the codebase — configuration parsing, validation, wiring to the WASM guard, and tests are all in place. However, the MCPGatewaySpecVersion constant that is broadcast via the /health endpoint was not updated to match.

Recent Changes Reviewed
7e969aca670137563092713b9a046df8193ca2ed: docs: add GITHUB_PERSONAL_ACCESS_TOKEN to proxy mode auth token docs
docs/ENVIRONMENT_VARIABLES.md — docs-only change, no code impact

Compliance Status
/mcp/{server}, /health, /close

Important Issue (SHOULD-level — spec version tracking)
Issue: MCPGatewaySpecVersion constant stale at "1.8.0" — should be "1.9.0"
Specification Section: 8.1.1 — General Health (/health)
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#811-general-health-health
Compliance Test: T-HLT-006 (specVersion field present and correct), T-HLT-008 (specVersion uses semantic versioning)

Requirement (spec §8.1.1):
specVersion: The version of this MCP Gateway Specification that the implementation conforms to. This field MUST use semantic versioning (MAJOR.MINOR.PATCH format).
These version fields enable clients to verify specification compatibility and ensure feature availability based on specification version.

Current State:
internal/server/unified.go:29:
const MCPGatewaySpecVersion = "1.8.0"

Spec Changelog (v1.9.0):
The spec changelog at the bottom of the document lists version 1.9.0 as adding:
trustedBots field to gateway configuration (§4.1.3, §4.1.3.4)
Section 7.5 — Trusted Bot Identity Configuration
Compliance test T-AUTH-006

Gap:
The trustedBots feature from spec v1.9.0 is fully implemented in the codebase:
internal/config/config_core.go:110 — TrustedBots field parsed
internal/config/config_stdin.go:41,284-288 — JSON stdin support
internal/config/validation.go:383-406 — validation per §4.1.3.4
internal/config/validation_schema.go:250-262 — JSON schema injection
internal/config/config_stdin_test.go:973-1028 — tests
The only missing piece is updating the constant so the /health endpoint accurately reflects that this implementation conforms to spec v1.9.0, not v1.8.0. Clients relying on specVersion to detect trustedBots availability will incorrectly believe it is absent.

Severity: Important — the spec MUST requirement is to include correct version information so clients can verify compatibility.

File Reference: internal/server/unified.go:29
Suggested Fix:
After the change, also update internal/server/health_test.go if it asserts the exact version string.

Suggested Remediation Task
Task: Update MCPGatewaySpecVersion to "1.9.0"
Description: Bump the MCPGatewaySpecVersion constant to "1.9.0" to reflect that the trustedBots feature (spec §4.1.3.4) is fully implemented and the gateway now conforms to spec version 1.9.0.
Files:
internal/server/unified.go — change "1.8.0" → "1.9.0"
internal/server/health_test.go — update any test assertions on the exact version string
Specification Reference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#811-general-health-health
Estimated Effort: Trivial (< 30 minutes)
References
7e969aca670137563092713b9a046df8193ca2ed

Note
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
To allow these resources, lower min-integrity in your GitHub frontmatter: