You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Problem: These three variables are documented as overriding the corresponding config fields automatically (e.g. "overrides config port field"). In reality the getter functions GetGatewayPortFromEnv(), GetGatewayDomainFromEnv(), and GetGatewayAPIKeyFromEnv() are defined in config_env.go but are never called from production code. They are only referenced in validation_env.go for the --validate-env Docker port-mapping check.
Actual Behavior: No automatic override occurs. To use an env var value, users must explicitly write ${MCP_GATEWAY_API_KEY} etc. in their config file. The listen address is controlled exclusively via the --listen flag (default 0.0.0.0:3000).
Impact: Users following the docs may set these environment variables expecting them to take effect and then be confused when nothing changes β especially for MCP_GATEWAY_API_KEY, where a silent no-op is a potential security misconfiguration.
Suggested Fix: Either:
Wire the getters into the startup path so the env vars actually override config values (the likely intent), OR
Update AGENTS.md to say these are used for environment validation only (via --validate-env) and document that ${VAR} syntax in config files is the actual override mechanism.
2. tool_response_filters server field is completely undocumented
Location:docs/CONFIGURATION.md, config.example.toml, README.md β Server Configuration Fields
Problem: The tool_response_filters field (type map[string]string, accepts per-tool jq expressions that transform tool responses before large-payload processing) is a production-validated feature that appears in zero documentation files.
Actual Behavior: Field is defined and validated in config_core.go:206 and config_stdin.go:115. Validation logic at config_core.go:427 compiles jq expressions at startup.
Suggested Fix: Add a section under Server Configuration Fields in docs/CONFIGURATION.md and a commented example in config.example.toml.
3. github.com/spf13/pflag direct dependency missing from CONTRIBUTING.md
Location:CONTRIBUTING.md β Dependencies section
Problem:github.com/spf13/pflag is a direct (non-indirect) dependency in go.mod and is directly imported in production code (internal/cmd/tracing.go:33 as *pflag.FlagSet), but it is not listed in the Dependencies section of CONTRIBUTING.md.
Suggested Fix: Add github.com/spf13/pflag to the Dependencies list in CONTRIBUTING.md.
Problem: Several high-impact server-level fields documented in docs/CONFIGURATION.md are absent from config.example.toml: connect_timeout, rate_limit_threshold, rate_limit_cooldown, per-server tool_timeout, working_directory, auth block (github-oidc), registry. Users using the example file as a template may not discover these options.
Suggested Fix: Add commented examples for at least connect_timeout, rate_limit_threshold, rate_limit_cooldown, and the auth block.
6. AGENTS.md note conflates PORT (run.sh) with MCP_GATEWAY_PORT (binary)
Location:AGENTS.md β bottom note in Environment Variables section
Problem: The note says "PORT, HOST, and MODE are not read by the awmg binary directly" β but MCP_GATEWAY_PORTis read by the binary (validation_env.go:111). The note correctly refers to the bare PORT shell variable used by run.sh, but the wording is confusing given that MCP_GATEWAY_PORT appears right above it.
Suggested Fix: Clarify that MCP_GATEWAY_PORT is read by the binary for validation, while the plain PORT (no prefix) is only used by run.sh.
tool_response_filters server field β not in docs/CONFIGURATION.md or config.example.toml despite being a production feature with jq expression validation
GetGatewayPortFromEnv / GetGatewayDomainFromEnv / GetGatewayAPIKeyFromEnv β dead code (defined but never called from production); either document intended future use or remove
AGENTS.md: MCP_GATEWAY_PORT β documented as automatic override but getter is dead code
AGENTS.md: MCP_GATEWAY_DOMAIN β same (dead code)
AGENTS.md: MCP_GATEWAY_API_KEY β same (dead code; silent no-op is a potential security concern)
Accurate Sections β
Go version: go.modgo 1.25.0 matches CONTRIBUTING.md exactly
Binary name awmg: consistent across Makefile, CONTRIBUTING.md, README.md
golangci-lint version v2.8.0: matches AGENTS.md and Makefile
All make targets in CONTRIBUTING.md verified to exist in Makefile: build, test, test-unit, test-integration, test-all, lint, format, coverage, test-ci, clean, install, agent-finished
Session timeout default (6h): confirmed in internal/config/config_env.go:83
Default payload size threshold (524288 bytes): confirmed in internal/config/config_payload.go:20
Default port 3000: consistent across all docs and code
Auth header format (plain API key, no Bearer): correctly documented and implemented
TLS flags (--tls-cert, --tls-key, --tls-ca) and env vars: correctly documented
HMAC secret flag and MCP_GATEWAY_HMAC_SECRET: correctly documented
Summary
Found 7 discrepancies between documentation and implementation during nightly reconciliation check.
Critical Issues π΄
Issues that would cause user confusion or broken workflows if followed:
1.
MCP_GATEWAY_PORT,MCP_GATEWAY_DOMAIN,MCP_GATEWAY_API_KEYdocumented as automatic overrides but are dead codeLocation:
AGENTS.mdβ Environment Variables sectionProblem: These three variables are documented as overriding the corresponding config fields automatically (e.g. "overrides config
portfield"). In reality the getter functionsGetGatewayPortFromEnv(),GetGatewayDomainFromEnv(), andGetGatewayAPIKeyFromEnv()are defined inconfig_env.gobut are never called from production code. They are only referenced invalidation_env.gofor the--validate-envDocker port-mapping check.Actual Behavior: No automatic override occurs. To use an env var value, users must explicitly write
${MCP_GATEWAY_API_KEY}etc. in their config file. The listen address is controlled exclusively via the--listenflag (default0.0.0.0:3000).Impact: Users following the docs may set these environment variables expecting them to take effect and then be confused when nothing changes β especially for
MCP_GATEWAY_API_KEY, where a silent no-op is a potential security misconfiguration.Suggested Fix: Either:
AGENTS.mdto say these are used for environment validation only (via--validate-env) and document that${VAR}syntax in config files is the actual override mechanism.Code References:
internal/config/config_env.go:37-66,internal/config/validation_env.go:16-18,internal/cmd/flags_core.go:37Important Issues π‘
2.
tool_response_filtersserver field is completely undocumentedLocation:
docs/CONFIGURATION.md,config.example.toml,README.mdβ Server Configuration FieldsProblem: The
tool_response_filtersfield (typemap[string]string, accepts per-tool jq expressions that transform tool responses before large-payload processing) is a production-validated feature that appears in zero documentation files.Actual Behavior: Field is defined and validated in
config_core.go:206andconfig_stdin.go:115. Validation logic atconfig_core.go:427compiles jq expressions at startup.Suggested Fix: Add a section under Server Configuration Fields in
docs/CONFIGURATION.mdand a commented example inconfig.example.toml.Code References:
internal/config/config_core.go:206,427,internal/config/config_stdin.go:1153.
github.com/spf13/pflagdirect dependency missing from CONTRIBUTING.mdLocation:
CONTRIBUTING.mdβ Dependencies sectionProblem:
github.com/spf13/pflagis a direct (non-indirect) dependency ingo.modand is directly imported in production code (internal/cmd/tracing.go:33as*pflag.FlagSet), but it is not listed in the Dependencies section ofCONTRIBUTING.md.Suggested Fix: Add
github.com/spf13/pflagto the Dependencies list inCONTRIBUTING.md.Code References:
go.mod:15,internal/cmd/tracing.go:33Minor Issues π΅
4. CONTRIBUTING.md project structure shows
awmg/as root directoryLocation:
CONTRIBUTING.mdline ~250 β Project Structure sectionProblem: The project structure diagram labels the root as
awmg/, which is the binary name, not the repository/directory name (gh-aw-mcpg).Suggested Fix: Change
awmg/togh-aw-mcpg/in the diagram.Code References:
CONTRIBUTING.md:250,Makefile:8(BINARY_NAME=awmg)5.
config.example.tomlmissing per-server operational fieldsLocation:
config.example.tomlProblem: Several high-impact server-level fields documented in
docs/CONFIGURATION.mdare absent fromconfig.example.toml:connect_timeout,rate_limit_threshold,rate_limit_cooldown, per-servertool_timeout,working_directory,authblock (github-oidc),registry. Users using the example file as a template may not discover these options.Suggested Fix: Add commented examples for at least
connect_timeout,rate_limit_threshold,rate_limit_cooldown, and theauthblock.Code References:
internal/config/config_core.go:174-240,config.example.toml6. AGENTS.md note conflates
PORT(run.sh) withMCP_GATEWAY_PORT(binary)Location:
AGENTS.mdβ bottom note in Environment Variables sectionProblem: The note says "
PORT,HOST, andMODEare not read by theawmgbinary directly" β butMCP_GATEWAY_PORTis read by the binary (validation_env.go:111). The note correctly refers to the barePORTshell variable used byrun.sh, but the wording is confusing given thatMCP_GATEWAY_PORTappears right above it.Suggested Fix: Clarify that
MCP_GATEWAY_PORTis read by the binary for validation, while the plainPORT(no prefix) is only used byrun.sh.Code References:
AGENTS.md,internal/config/validation_env.go:111,run.shDocumentation Completeness
Missing Documentation
tool_response_filtersserver field β not indocs/CONFIGURATION.mdorconfig.example.tomldespite being a production feature with jq expression validationGetGatewayPortFromEnv/GetGatewayDomainFromEnv/GetGatewayAPIKeyFromEnvβ dead code (defined but never called from production); either document intended future use or removeconfig.example.tomllacks commented examples for:connect_timeout,rate_limit_threshold,rate_limit_cooldown, per-servertool_timeout,authblock,working_directory,registryOutdated Documentation
AGENTS.md:MCP_GATEWAY_PORTβ documented as automatic override but getter is dead codeAGENTS.md:MCP_GATEWAY_DOMAINβ same (dead code)AGENTS.md:MCP_GATEWAY_API_KEYβ same (dead code; silent no-op is a potential security concern)Accurate Sections β
go.modgo 1.25.0matchesCONTRIBUTING.mdexactlyawmg: consistent acrossMakefile,CONTRIBUTING.md,README.mdgolangci-lintversionv2.8.0: matchesAGENTS.mdandMakefileCONTRIBUTING.mdverified to exist inMakefile:build,test,test-unit,test-integration,test-all,lint,format,coverage,test-ci,clean,install,agent-finishedinternal/config/config_env.go:83internal/config/config_payload.go:20--tls-cert,--tls-key,--tls-ca) and env vars: correctly documentedMCP_GATEWAY_HMAC_SECRET: correctly documentedTested Commands
make --dry-run buildgo mod tidy && go build -o awmg .as documentedmake --dry-run testtest-unitβgo test -v ./internal/...make --dry-run test-unitmake --dry-run test-integrationgo test ./test/integration/...make --dry-run test-allgo test -v ./...make --dry-run lintgo mod tidy,go vet,gofmtcheck,golangci-lintmake --dry-run coveragego test -coverprofile=coverage.out ./internal/...make --dry-run installgolangci-lint, runsgo mod downloadmake build(actual)./awmg --help--config-stdinflag verified to exist viainternal/cmd/flags_core.go:36Recommendations
Immediate Actions Required
MCP_GATEWAY_PORT/DOMAIN/API_KEYβ either wire the getters into startup or correct the docstool_response_filtersindocs/CONFIGURATION.mdandconfig.example.tomlNice to Have
spf13/pflagtoCONTRIBUTING.mddependenciesawmg/βgh-aw-mcpg/inCONTRIBUTING.mdproject structure diagramconfig.example.tomlwith commented examples for per-server operational fieldsPORTvsMCP_GATEWAY_PORTnote inAGENTS.mdCode References
internal/config/config_core.gointernal/config/validation.go,internal/config/validation_env.gointernal/config/config_env.go:37-66internal/cmd/flags_core.go,internal/cmd/flags_tls.gointernal/cmd/tracing.go:33Warning
Firewall blocked 1 domain
The following domain was blocked by the firewall during workflow execution:
proxy.golang.orgSee Network Configuration for more information.