Add gh-aw-mcpg gateway support (replacing awmg) #9172
Co-authored-by: Mossaka <[email protected]>
- Update mcp_gateway_constants.go with new constants for gh-aw-mcpg Docker container
- Add SessionToken field to MCPGatewayRuntimeConfig in tools_types.go
- Create gateway.go with Docker command generation and HTTP transport transformation
- Add gateway_test.go with comprehensive tests
- Add MCP field to SandboxConfig for gateway configuration
- Add extractMCPGatewayConfig method for frontmatter parsing
- Update verify_mcp_gateway_health.sh for gh-aw-mcpg container checks
- Remove awmg references from Makefile help text

Co-authored-by: Mossaka <[email protected]>
…heck

- Add MCP gateway version validation in validateSandboxConfig()
- Update verify_mcp_gateway_health.sh to accept session token as parameter
- Replace hardcoded 'awf-session' with configurable session_token variable
- Add TestValidateSandboxConfigMCPGatewayVersion test
- Fix linting issues using fmt.Fprintf instead of WriteString(Sprintf)

Co-authored-by: Mossaka <[email protected]>

@copilot enable the gateway for all the smoke tests. (including the one without the firewall)

Add sandbox.mcp with version v0.1.0 to all smoke-* workflows:

- smoke-copilot.md
- smoke-copilot-no-firewall.md (updated existing mcp config)
- smoke-copilot-playwright.md
- smoke-copilot-safe-inputs.md
- smoke-claude.md
- smoke-codex.md
- smoke-codex-firewall.md
- smoke-srt.md
- smoke-srt-custom-config.md
- smoke-detector.md

Co-authored-by: Mossaka <[email protected]>
Enabled MCP gateway for all smoke tests in commit 29c657d. Added

@copilot can you regenerate all the workflow yamls and push them?

Ran

- Add IsMCPGatewayEnabled check in generateMCPSetup
- Generate 'Start MCP Gateway' step when gateway is enabled
- Transform MCP configs to HTTP transport for agent communication
- Support Copilot (JSON), Claude (JSON), and Codex (TOML) config formats

This integrates the gateway functions that were added but not connected to the compilation pipeline, enabling the gh-aw-mcpg Docker container to run as MCP gateway with HTTP transport for AWF containers.

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

❌ Firewall validation failed... Smoke Codex Firewall failed. Network sandboxing may not be working correctly.

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

💀 Blimey! Changeset Generator failed and walked the plank! No treasure today, matey! ☠️

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

Smoke Test Results: Copilot Engine (No Firewall)
✅ PR Review - Last 2 merged PRs reviewed successfully

The MCP gateway was starting successfully but couldn't spawn stdio-based MCP servers (cache-memory, safe-outputs, etc.) because the server scripts at /tmp/gh-aw/actions/*.cjs were not accessible inside the Docker container.

This adds -v /tmp:/tmp:rw to the gateway Docker command so it can access the MCP server scripts on the host filesystem.

Root cause: The gateway config specifies stdio servers with host paths like "/tmp/gh-aw/actions/cache-memory-mcp-server.cjs" but the gateway container only had /var/run/docker.sock mounted, not /tmp.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

Smoke Test Results - Copilot Engine (No Firewall)
✅ All tests passed successfully:

The MCP gateway needs more time to initialize its backend servers (GitHub MCP, Playwright, etc. running in containers). The previous 2-second wait was insufficient, causing Claude Code to fail with "MCP server(s) failed to launch" because it couldn't connect to the gateway in time.

Changes:
- Increase initial wait from 2s to 5s
- Add health check loop (up to 5 attempts with 2s intervals)
- Better logging of gateway startup status

This should give the gateway enough time to:
1. Start the Docker container
2. Initialize backend MCP servers
3. Be ready to accept HTTP requests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.

✅ Smoke test passed - All 4 tests successful:

The gh-aw-mcpg gateway v0.0.4 only accepts servers with `type: "local"`. gh-aw was generating:
- `type: "container"` for github and playwright servers
- `type: "stdio"` for safe-outputs, cache-memory, and agentic-workflows

This caused ALL MCP servers to be silently skipped by the gateway with warnings like: "skipping server 'X' with unsupported type 'Y'"

Changes:
- Change all MCP server types to "local" in generateMCPGatewayConfigJSON
- Use "entrypointArgs" instead of "args" for container-based servers (gateway expects entrypointArgs for Docker containers)

The gateway determines spawn method from config fields:
- `container` field present → spawn via Docker
- `command` field present → spawn process directly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
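
The silent skip described in the commit message above (servers whose type is not "local" dropped with only a warning) can be caught before the gateway starts. The Go lint below is an added example, not code from this PR or from gh-aw-mcpg; the flat name-to-server JSON layout, the `LintGatewayConfig` name and the sample image names are assumptions, and only the `type`, `container`, `command`, `args` and `entrypointArgs` fields come from the message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// server keeps only fields named in the commit message; the flat name -> server layout is an assumption.
type server struct {
	Type, Container, Command string // encoding/json matches keys case-insensitively
	Args                     []string
}

// LintGatewayConfig (hypothetical helper) lists servers the described v0.0.4 behaviour would skip or could not spawn.
func LintGatewayConfig(raw []byte) ([]string, error) {
	var servers map[string]server
	if err := json.Unmarshal(raw, &servers); err != nil {
		return nil, fmt.Errorf("parse gateway config: %w", err)
	}
	names := make([]string, 0, len(servers))
	for n := range servers {
		names = append(names, n)
	}
	sort.Strings(names) // stable order for CI logs
	var findings []string
	for _, n := range names {
		s := servers[n]
		switch {
		case s.Type != "local":
			findings = append(findings, fmt.Sprintf("%s: type %q is skipped, want \"local\"", n, s.Type))
		case s.Container == "" && s.Command == "":
			findings = append(findings, n+": no container or command, spawn method undefined")
		case s.Container != "" && len(s.Args) > 0:
			findings = append(findings, n+": container server sets args, want entrypointArgs")
		}
	}
	return findings, nil
}
// sampleConfig is constructed input, not taken from the PR.
const sampleConfig = `{
 "github": {"type": "container", "container": "example/github-mcp:v1"},
 "playwright": {"type": "local", "container": "example/playwright:v1", "args": ["--headless"]},
 "cache-memory": {"type": "local", "command": "node", "args": ["/tmp/gh-aw/actions/cache-memory-mcp-server.cjs"]}
}`

func main() {
	fmt.Println(LintGatewayConfig([]byte(sampleConfig)))
}
```

Run as a compile-time or CI check, a non-empty result fails the build instead of leaving the agent with no MCP servers at runtime.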

Let's restart from the spec. If needed, update spec, then update code.

Adds foundation for gh-aw-mcpg as the MCP gateway, running as a Docker container on port 80 with HTTP transport for AWF containers to access via `host.docker.internal`.

Changes

Gateway Core (`pkg/workflow/gateway.go`)
- `GenerateMCPGatewayDockerCommands()` - Docker run command generation with socket mount, port mapping, and routed mode
- `TransformMCPConfigForGateway()` - Converts MCP server configs to HTTP transport with Bearer auth
- `ValidateGatewayVersion()` - Rejects `latest` tag for reproducibility
- `IsMCPGatewayEnabled()` - Checks AWF + MCP server conditions

Configuration
- `MCP` field to `SandboxConfig` for gateway config in frontmatter
- `SessionToken` field to `MCPGatewayRuntimeConfig`
- `v0.1.0`

Validation
- `validateSandboxConfig()`
- `v`, cannot be empty or `latest`

Health Check
- `verify_mcp_gateway_health.sh` for Docker container checks
- `awf-session`)

Smoke Tests
- `sandbox.mcp.version: v0.1.0`) for all smoke test workflows:

Example Usage

Generates Docker command:

```
cat /tmp/gh-aw/mcpg-config.json | docker run \
  --rm -i --name gh-aw-mcpg \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 80:8000 \
  --add-host host.docker.internal:host-gateway \
  ghcr.io/githubnext/gh-aw-mcpg:v0.1.0 \
  --routed --listen 0.0.0.0:8000 --config-stdin
```

And transforms client config to HTTP transport:

```
{
  "github": {
    "type": "http",
    "url": "http://host.docker.internal/mcp/github",
    "headers": {
      "Authorization": "Bearer awf-session"
    }
  }
}
```

Original prompt
Implementation Plan: Replace awmg with gh-aw-mcpg

This plan modifies the gh-aw compiler to use gh-aw-mcpg as the MCP gateway instead of awmg, working together with AWF (Agentic Workflow Firewall).

Overview

Current State:

Target State:
- `host.docker.internal`
- `type: "http"` with Bearer token authentication

Architecture Diagram

Phase 1: Update Gateway Constants and Types

1.1 Update Constants (`pkg/workflow/gateway.go`)

CRITICAL: All container versions MUST be pinned to specific tags, never use `latest`.

1.2 Update MCPGatewayRuntimeConfig (`pkg/workflow/tools_types.go`)

Add new field for session token:

Phase 2: Rewrite Gateway Start Step Generation

2.1 Replace `generateDefaultAWMGCommands()` with gh-aw-mcpg Docker

File: `pkg/workflow/gateway.go`

Replace the default awmg binary commands with gh-aw-mcpg Docker container:

Key Docker flags:
- `-v /var/run/docker.sock:/var/run/docker.sock` - Mount Docker socket for spawning backend MCP servers
- `-p 80:8000` - Map host port 80 to container port 8000
- `--add-host host.docker.internal:host-gateway` - Enable host access from gateway container
- `-e GITHUB_PERSONAL_ACCESS_TOKEN` - Pass through token for GitHub MCP server
- `--routed` - Use routed mode with `/mcp/{serverID}` endpoints
- `--config-stdin` - Read config from stdin (piped)

2.2 Version Pinning Validation

Add compile-time validation to prevent `latest` tag: