Skip to content

docs: document --force-public-repos flag for proxy subcommand#44360

Merged
lpcox merged 2 commits into
mainfrom
copilot/proxy-force-public-repos
Jul 8, 2026
Merged

docs: document --force-public-repos flag for proxy subcommand#44360
lpcox merged 2 commits into
mainfrom
copilot/proxy-force-public-repos

Conversation

@lpcox

@lpcox lpcox commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Extends the forcePublicRepos documentation in the MCP gateway reference to cover the awmg proxy subcommand's --force-public-repos flag.

Changes

File: docs/src/content/docs/reference/mcp-gateway.md

  • New "Applies to both modes" paragraph: Documents that the forcePublicRepos runtime check covers both the MCP gateway (unified/routed mode, gateway.forcePublicRepos config) and the CLI proxy (awmg proxy, --force-public-repos flag). Clarifies that in proxy mode the override modifies --policy JSON before it reaches the WASM guard.
  • Detection mechanism: Adds proxy-mode prerequisite — the check runs only when the launcher forwards GITHUB_REPOSITORY and a GitHub token into the proxy process/container.
  • Precedence bullet: Broadens "the gateway falls back" to "the gateway/proxy falls back" to cover both modes.
  • Opt-out section: Tightens the config key path to gateway.forcePublicRepos: false in the generated gateway JSON stdin config; adds proxy opt-out guidance (--force-public-repos=false).
  • Environment variable override: Documents that --force-public-repos inherits from MCP_GATEWAY_FORCE_PUBLIC_REPOS (defaulting to true when unset).

Type

docs — no code or generated file changes.

Affected components

Component Change
awmg proxy Now documented alongside gateway for forcePublicRepos behaviour
gateway.forcePublicRepos Config key path clarified in opt-out guidance
--force-public-repos flag Default value and env-var inheritance documented

Reviewer notes

  • Pure documentation patch; no behaviour change.
  • Proxy mode prerequisite (launcher must inject GITHUB_REPOSITORY + token) is a new, actionable constraint that was previously undocumented.
  • No related tests required.

Generated by PR Description Updater for #44360 · 32.5 AIC · ⌖ 8.91 AIC · ⊞ 4.7K ·

Update section 4.1.3.8 to document that the forcePublicRepos runtime
check applies to both the MCP gateway (via config) and the CLI proxy
(via --force-public-repos flag). The compiler passes
--force-public-repos=false when private-to-public-flows: allow is
declared in workflow frontmatter.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 8, 2026 16:51

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the MCP Gateway specification to document that the forcePublicRepos runtime behavior applies not only to the gateway’s unified/routed mode configuration, but also to the CLI proxy mode via a --force-public-repos flag.

Changes:

  • Adds an explicit “applies to both modes” note covering gateway config vs. awmg proxy flag behavior.
  • Updates the visibility detection description to refer to gateway/proxy behavior.
  • Expands the opt-out and environment-variable sections to describe proxy invocation and flag defaulting.
Show a summary per file
File Description
docs/src/content/docs/reference/mcp-gateway.md Documents proxy-mode semantics for forcePublicRepos, including detection, opt-out behavior, and env var defaulting.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/1 changed files
  • Comments generated: 2
  • Review effort level: Low

**Detection mechanism**: The gateway reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below).
**Applies to both modes**: This runtime check applies to both the MCP gateway (unified/routed mode, via `gateway.forcePublicRepos` config) and the CLI proxy (`awmg proxy`, via the `--force-public-repos` flag). In proxy mode, the override modifies the `--policy` JSON before passing it to the WASM guard.

**Detection mechanism**: The gateway/proxy reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below).
Comment on lines +578 to +582
**Opt-out**: Workflow authors who intentionally allow private→public data flows set `private-to-public-flows: allow` in frontmatter (Section 10.9). The compiler translates this to:
- `gateway.forcePublicRepos: false` in the generated gateway JSON stdin config
- `--force-public-repos=false` flag when launching the proxy subcommand

**Environment variable override**: `MCP_GATEWAY_FORCE_PUBLIC_REPOS=false` disables the override without requiring a config change.
**Environment variable override**: `MCP_GATEWAY_FORCE_PUBLIC_REPOS=false` disables the override without requiring a config change. The `--force-public-repos` flag defaults to the value of this environment variable (defaulting to `true` when unset).
@lpcox

lpcox commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator Author

@copilot run pr-finisher skill

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@copilot run pr-finisher skill

Done in 08d4810. I ran PR-finisher workflow for this PR, triaged checks/reviews/mergeability, and applied a docs-only fix to align proxy-mode wording with current launcher behavior.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🎬 THE ENDSmoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨

Testing safeoutputs connectivity

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot Small failed. Please review the logs for details.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git 2.54.0
jq 1.7
yq v4.53.3
curl 8.5.0
gh 2.95.0
node v22.23.1
python3 3.11.15 (PyPy 7.3.23)
go 1.24.13
java openjdk 21.0.11
dotnet 10.0.301

Result: 12/12 tools available ✅

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔧 Tool validation by Agent Container Smoke Test · 13.4 AIC · ⌖ 4.77 AIC · ⊞ 4.6K ·
Comment /smoke-test-tools to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results\n1. GitHub MCP Testing: ✅\n2. Web Fetch Testing: ✅\n3. File Writing Testing: ✅\n4. Bash Tool Testing: ✅\n5. Build gh-aw: ❌\n\nOverall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

Smoke Gemini — Powered by Gemini · 12 AIC · ⌖ 1.55 AIC · ⊞ 9.3K ·
Comment /smoke-gemini to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Late July builds hum
Quiet caches hold their breath now
Smoke drifts through green logs

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

🔮 The oracle has spoken through Smoke Codex · 5.29 AIC · ⊞ 14.2K ·
Comment /smoke-codex to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

💥 Smoke Test: Claude — Run 28961987714

Core #1-12: ✅ all passed
PR Review #13-17: ✅ passed
#18 Push: ⚠️ blocked by allowed-files (PR edits docs file)
#19 Close PR: ⚠️ skipped (no safe PR)

Overall: PARTIAL (2 skipped, 0 failed)

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 69.4 AIC · ⌖ 31.3 AIC · ⊞ 8.4K ·
Comment /smoke-claude to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💥 Automated smoke test review - all systems nominal!

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · 69.4 AIC · ⌖ 31.3 AIC · ⊞ 8.4K
Comment /smoke-claude to run again


**Detection mechanism**: The gateway reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below).
**Applies to both modes**: This runtime check applies to both the MCP gateway (unified/routed mode, via `gateway.forcePublicRepos` config) and the CLI proxy (`awmg proxy`, via the `--force-public-repos` flag). In proxy mode, the override modifies the `--policy` JSON before passing it to the WASM guard.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice clarification on dual-mode behavior. Consider linking to the proxy CLI reference for discoverability.

**Applies to both modes**: This runtime check applies to both the MCP gateway (unified/routed mode, via `gateway.forcePublicRepos` config) and the CLI proxy (`awmg proxy`, via the `--force-public-repos` flag). In proxy mode, the override modifies the `--policy` JSON before passing it to the WASM guard.

**Detection mechanism**: The gateway reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. Proxy mode uses the same check only when the launcher forwards `GITHUB_REPOSITORY` and a GitHub token into the proxy process/container. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to those inputs and a successful API response (see Precedence rules below).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good detail on GITHUB_REPOSITORY forwarding — maybe note the exact token scope required for the visibility API call.

@lpcox lpcox merged commit 2877be8 into main Jul 8, 2026
191 of 192 checks passed
@lpcox lpcox deleted the copilot/proxy-force-public-repos branch July 8, 2026 17:32
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

Robots test the dawn
Browsers blink on GitHub blue
Logs drift into checks

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 100.7 AIC · ⌖ 3.05 AIC · ⊞ 19K ·
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smoke validation review comments attached.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · 100.7 AIC · ⌖ 3.05 AIC · ⊞ 19K
Comment /smoke-copilot to run again
Add label smoke to run again

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Hey @lpcox — thanks for keeping the MCP Gateway spec in sync with the companion proxy implementation! The forcePublicRepos documentation update is clear, well-scoped, and the PR body is excellent — the Summary/Changes/Companion PR structure makes it very easy to follow.

One small flag from the automated checklist:

  • No test files changed — this is a pure docs update, so there is nothing to unit-test here. If there are any snapshot or rendering tests for the reference docs (e.g. Starlight/Astro build checks that validate frontmatter or internal links), it might be worth confirming they still pass cleanly with the new paragraphs.

If you would like an agent to double-check the surrounding spec for consistency, here is a ready-to-use prompt:

Review docs/src/content/docs/reference/mcp-gateway.md around section 4.1.3.8 (forcePublicRepos).
Verify that:
1. All references to the detection mechanism now mention both gateway mode and CLI proxy (awmg proxy).
2. The opt-out description (--force-public-repos=false) is consistent with any other places in the docs that describe compiler flags or proxy flags.
3. The MCP_GATEWAY_FORCE_PUBLIC_REPOS env var is documented consistently across any other sections that list environment variables.
Report any inconsistencies found.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by ✅ Contribution Check · 296.9 AIC · ⌖ 13.7 AIC · ⊞ 6.2K ·

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test 28962044215 Results:

  1. github tool - ✅
  2. mcpscripts-gh - ✅
  3. Serena CLI - ❌
  4. Playwright CLI - ✅
  5. web-fetch - ✅
  6. file + bash - ✅
  7. discussion interaction - ✅
  8. build - ✅
  9. artifact upload - ❌
  10. discussion create - ✅
  11. workflow dispatch - ❌
  12. PR review tools - ❌
  13. comment memory - ✅
  14. sub-agent summarizer - ❌
  15. check run - ✅
    Overall: FAIL
    @lpcox

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 49.9 AIC · ⌖ 3.12 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Comment Memory

An azure morning
Smoke trails on silent code base
Whispers of success

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (Entra) · 49.9 AIC · ⌖ 3.12 AIC · ⊞ 17.6K ·
Comment /smoke-copilot-aoai-entra to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Smoke Test Results - Run 28962042801
1 ✅
2 ✅
3 ❌
4 ❌
5 ✅
6 ✅
7 ✅
8 ❌
Overall: FAIL
@lpcox

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

  • accounts.google.com
  • android.clients.google.com
  • clients2.google.com
  • contentautofill.googleapis.com
  • safebrowsingohttpgateway.googleapis.com
  • www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot - AOAI (apikey) · 37.5 AIC · ⌖ 2.92 AIC · ⊞ 17.9K ·
Comment /smoke-copilot-aoai-apikey to run again
Add label smoke to run again

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants