AI Architecture Analysis
This repository is indexed by RepoMind. By analyzing github/gh-aw-mcpg in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Embed this Badge
Showcase RepoMind's analysis directly in your repository's README.
Repository Overview (README excerpt)
Crawler viewMCP Gateway A gateway for Model Context Protocol (MCP) servers. This gateway is used with GitHub Agentic Workflows via the configuration to provide MCP server access to AI agents running in sandboxed environments. Quick Start • **Pull the Docker image** (when available): • **Create a configuration file** ( ): • **Run the container**: The gateway starts in routed mode on , proxying MCP requests to your configured backend servers. **Required flags:** • : Enables stdin for passing JSON configuration • : Required for spawning backend MCP servers • : Port mapping must match Guard Policies Guard policies enforce integrity filtering and private-data leaking at the gateway level, restricting what data agents can access and where they can write. Each server can have either an or a policy. allow-only (source servers) Restricts which repositories a guard allows and at what integrity level: ** ** — Repository access scope: • — All repositories accessible by the token • — Public repositories only • — Exact match • — All repos under owner • — Repos matching prefix ** ** — Minimum integrity level required for content items. Levels from highest to lowest: • — Objects reachable from main branch • — Members (OWNER, MEMBER, COLLABORATOR); private repo items; trusted bots • — Contributors (CONTRIBUTOR, FIRST_TIME_CONTRIBUTOR) • — All objects (FIRST_TIMER, NONE) • — Items from (always denied; not a configurable value) ** ** *(optional)* — Array of GitHub usernames whose content is unconditionally blocked. Items from these users receive integrity (below ) and are always denied, even when is . Cannot be overridden by . ** ** *(optional)* — Array of GitHub label names that promote a content item's effective integrity to when present. Enables human-review gates where a maintainer labels an item to allow it through. Uses so it never lowers integrity. Does not override . For comprehensive documentation on integrity filtering, see the Integrity Filtering Reference. write-sink (output servers) **Required for ALL output servers** when guards are enabled. Marks a server as a write-only channel that accepts writes from agents with matching secrecy labels: The entries must match the secrecy tags assigned by the guard. Key mappings: | | | |---|---| | or | | | | | | | | | | | See **docs/CONFIGURATION.md** for the complete mapping table and accept pattern reference. Architecture **Transport**: JSON-RPC 2.0 over stdio (containerized Docker) or HTTP (session state preserved) **Routing**: Routed mode ( ) exposes each backend at its own endpoint. Unified mode ( ) routes to all configured servers through a single endpoint. **Security**: WASM-based DIFC guards enforce secrecy and integrity labels per request. Guards are loaded from and assigned per-server. Authentication uses plain API keys per MCP spec 7.1 ( ). **Logging**: Per-server log files ( ), unified , markdown workflow previews ( ), and machine-readable . API Endpoints • — Routed mode (default): JSON-RPC request to specific server • — Unified mode: JSON-RPC request routed to configured servers • — Health check; returns JSON Supported MCP methods: , , and any other method (forwarded as-is). Proxy Mode The gateway can also run as an HTTP forward proxy ( ) that intercepts GitHub API requests from tools like CLI and applies the same DIFC filtering: This maps ~25 REST URL patterns and GraphQL queries to guard tool names, then runs the same 6-phase DIFC pipeline used by the MCP gateway. See docs/PROXY_MODE.md for full documentation. Further Reading | Topic | Link | |-------|------| | **Proxy Mode** | docs/PROXY_MODE.md — HTTP forward proxy for DIFC filtering of CLI and REST/GraphQL requests | | **Integrity Filtering** | Integrity Filtering Reference — Integrity levels, blocked-users, approval-labels, and filtering configuration | | **Configuration Reference** | docs/CONFIGURATION.md — Server fields, TOML/JSON formats, guard-policy details, custom schemas, gateway fields, validation rules | | **Environment Variables** | docs/ENVIRONMENT_VARIABLES.md — All env vars for production, development, Docker, and guard configuration | | **Full Specification** | MCP Gateway Configuration Reference — Upstream spec with complete validation rules | | **Guard Response Labeling** | docs/GUARD_RESPONSE_LABELING.md — How guards label MCP responses with secrecy/integrity tags | | **HTTP Backend Sessions** | docs/HTTP_BACKEND_SESSION_ID.md — Session ID management for HTTP transport backends | | **Architecture Patterns** | docs/MCP_SERVER_ARCHITECTURE_PATTERNS.md — MCP server design patterns and compatibility | | **Security Model** | docs/aw-security.md — Security architecture overview | | **Contributing** | CONTRIBUTING.md — Development setup, building, testing, project structure | License MIT License