You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When gateway.apiKey is configured, the gateway MUST:
2. Reject requests with missing or invalid tokens (HTTP 401)
3. Reject requests with malformed Authorization headers (HTTP 400)
Current State: internal/server/auth.go returns HTTP 401 for all auth failures — missing headers, invalid keys, and malformed headers alike. There is no distinct HTTP 400 path:
ifauthHeader=="" {
rejectRequest(w, r, http.StatusUnauthorized, ...) // 401return
}
ifauthHeader!=apiKey {
rejectRequest(w, r, http.StatusUnauthorized, ...) // 401 — should be 400 for malformed headersreturn
}
Gap:
The spec distinguishes between two cases that MUST return different status codes:
Severity: Important (MUST violation per spec §7.2 item 3)
File References:
internal/server/auth.go:42-60
Suggested Fix:
Add a pre-check for malformed headers (e.g., non-printable characters, invalid encoding) before the API key comparison and return HTTP 400 for those cases:
The gateway MUST reject configurations containing unrecognized fields at the top level with an error message indicating the unrecognized field name, location, and a suggestion to check the specification version.
Current State: internal/config/config_core.go:259-275 explicitly warns but continues loading:
// Design decision: We use warnings rather than hard errors to maintain // backward compatibility and allow gradual config migration.undecoded:=md.Undecoded()
iflen(undecoded) >0 {
for_, key:=rangeundecoded {
logger.LogWarn("config", "Unknown configuration key '%s' - check for typos...", key)
}
}
Gap:
The JSON stdin format is fully compliant (schema uses additionalProperties: false to reject unknown fields). However, TOML format silently accepts unknown fields. The spec says MUST reject without qualification.
Note: This is a conscious design decision for backward compatibility. JSON stdin config is compliant.
Severity: Important (MUST violation for TOML format; JSON stdin is compliant)
File References:
internal/config/config_core.go:259-275
Suggested Fix:
Return an error when unknown TOML keys are found, rather than just warning:
iflen(undecoded) >0 {
returnnil, fmt.Errorf("configuration contains unrecognized field(s): %v. Check the MCP Gateway Specification for supported fields.", undecoded)
}
The gateway SHOULD NOT modify: Tool names, Tool parameters, Tool return values, Method signatures
Current State: In unified mode (/mcp), tools from all backends are prefixed with backendID___ (e.g., github___search_code). In routed mode (/mcp/{server}), the prefix is correctly stripped.
// tool_registry.go:169prefixedName:=fmt.Sprintf("%s___%s", serverID, tool.Name)
// Stored as prefixedName and exposed to clients in unified mode
Gap: Clients using unified mode see modified tool names. Routed mode is compliant.
Note: This modification is architecturally necessary in unified mode to avoid name collisions across backends. Routed mode is fully compliant.
Severity: Minor (SHOULD NOT — architecturally necessary in unified mode)
File References:
internal/server/tool_registry.go:169-180
internal/server/unified.go:606-628
Compliance Status
Section
Description
Status
3.2.1
Containerization Requirement
✅ Compliant
4.1
Configuration Format
✅ Compliant
4.2
Variable Expression Rendering
✅ Compliant
4.3.1
Unknown Fields — JSON stdin
✅ Compliant
4.3.1
Unknown Fields — TOML
⚠️ Warn only (not reject)
4.3.2
Schema Validation
✅ Compliant
4.3.3
Fail-Fast Requirements
✅ Compliant
4.1.4
Custom Server Types
✅ Compliant
4.1.5
Volume Mounts
✅ Compliant
4.1.3.1
Payload Dir Path Validation
✅ Compliant
4.1.3.4
Trusted Bots Configuration
✅ Compliant
5.1.1
Endpoint Structure
✅ Compliant
5.1.3
Close Endpoint
✅ Compliant
5.2.3
Tool Name Preservation (routed)
✅ Compliant
5.2.3
Tool Name Preservation (unified)
⚠️ Prefixed with backendID___
5.4
Stdout Configuration Output
✅ Compliant
6
Server Isolation
✅ Compliant
7.2
Auth — HTTP 401 for invalid
✅ Compliant
7.2
Auth — HTTP 400 for malformed
❌ Returns 401 instead
7.3
Random API Key Generation
⚠️ Not implemented (SHOULD)
7.4
Health Exemption from Auth
✅ Compliant
8
Health Monitoring
✅ Compliant
9
Error Handling
✅ Compliant
Remediation Tasks
Task 1: HTTP 400 for Malformed Authorization Headers
MCP Gateway Compliance Review — 2026-04-02
Daily compliance review of commit
1a09953(refactor: remove redundant config default fallbacks in server and launcher).Summary
Found 4 compliance gaps — 1 Critical MUST violation, 1 borderline MUST, and 2 SHOULD deviations.
Critical Issue (MUST Violation)
1. HTTP 400 Not Returned for Malformed Authorization Headers
Specification Section: 7.2 API Key Authentication
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#72-api-key-authentication
Requirement:
Current State:
internal/server/auth.goreturns HTTP 401 for all auth failures — missing headers, invalid keys, and malformed headers alike. There is no distinct HTTP 400 path:Gap:
The spec distinguishes between two cases that MUST return different status codes:
Severity: Important (MUST violation per spec §7.2 item 3)
File References:
internal/server/auth.go:42-60Suggested Fix:
Add a pre-check for malformed headers (e.g., non-printable characters, invalid encoding) before the API key comparison and return HTTP 400 for those cases:
Important Issue (Borderline MUST)
2. TOML Unknown Fields Warned But Not Rejected
Specification Section: 4.3.1 Unknown Features
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#431-unknown-features
Requirement:
Current State:
internal/config/config_core.go:259-275explicitly warns but continues loading:Gap:
The JSON stdin format is fully compliant (schema uses
additionalProperties: falseto reject unknown fields). However, TOML format silently accepts unknown fields. The spec says MUST reject without qualification.Note: This is a conscious design decision for backward compatibility. JSON stdin config is compliant.
Severity: Important (MUST violation for TOML format; JSON stdin is compliant)
File References:
internal/config/config_core.go:259-275Suggested Fix:
Return an error when unknown TOML keys are found, rather than just warning:
Minor Issues (SHOULD Violations)
3. No Random API Key Auto-Generation on Startup
Specification Section: 7.3 Optimal Temporary API Key
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#73-optimal-temporary-api-key
Requirement:
Current State: No random API key generation in
internal/cmd/root.go. IfapiKeyis empty, the gateway runs without authentication.Severity: Minor (SHOULD violation)
File References:
internal/cmd/root.go:324-336Suggested Fix: Generate a cryptographically random key at startup when none is configured, include it in the stdout configuration output.
4. Unified Mode Prefixes Tool Names with
backendID___Specification Section: 5.2.3 Tool Signature Preservation
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#523-tool-signature-preservation
Requirement:
Current State: In unified mode (
/mcp), tools from all backends are prefixed withbackendID___(e.g.,github___search_code). In routed mode (/mcp/{server}), the prefix is correctly stripped.Gap: Clients using unified mode see modified tool names. Routed mode is compliant.
Note: This modification is architecturally necessary in unified mode to avoid name collisions across backends. Routed mode is fully compliant.
Severity: Minor (SHOULD NOT — architecturally necessary in unified mode)
File References:
internal/server/tool_registry.go:169-180internal/server/unified.go:606-628Compliance Status
Remediation Tasks
Task 1: HTTP 400 for Malformed Authorization Headers
Description: Add detection of malformed Authorization header content before the API key comparison. Return HTTP 400 for headers containing invalid characters.
Files:
internal/server/auth.goReference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#72-api-key-authentication
Effort: Small (1–2 hours)
Task 2: Reject Unknown TOML Fields
Description: Treat unknown TOML configuration keys as fatal errors rather than warnings, to bring TOML parity with the JSON stdin schema enforcement.
Files:
internal/config/config_core.goReference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#431-unknown-features
Effort: Small (1–2 hours; may need careful backward compat consideration)
Task 3: Random API Key Auto-Generation
Description: When no
apiKeyis configured, generate a cryptographically random key at startup and include it in stdout config output.Files:
internal/cmd/root.goReference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#73-optimal-temporary-api-key
Effort: Small (1–2 hours)
References
1a09953— refactor: remove redundant config default fallbacks in server and launcherNote
🔒 Integrity filter blocked 1 item
The following item were blocked because they don't meet the GitHub integrity level.
get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".To allow these resources, lower
min-integrityin your GitHub frontmatter: