From 9323d0c2c9d5327dceeee7380a5255670c951866 Mon Sep 17 00:00:00 2001 From: Landon Cox Date: Wed, 8 Jul 2026 09:51:10 -0700 Subject: [PATCH 1/2] docs: document --force-public-repos flag for proxy subcommand Update section 4.1.3.8 to document that the forcePublicRepos runtime check applies to both the MCP gateway (via config) and the CLI proxy (via --force-public-repos flag). The compiler passes --force-public-repos=false when private-to-public-flows: allow is declared in workflow frontmatter. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> --- docs/src/content/docs/reference/mcp-gateway.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docs/src/content/docs/reference/mcp-gateway.md b/docs/src/content/docs/reference/mcp-gateway.md index 06ad1f234bc..e317062e5c9 100644 --- a/docs/src/content/docs/reference/mcp-gateway.md +++ b/docs/src/content/docs/reference/mcp-gateway.md @@ -562,7 +562,9 @@ The gateway MUST NOT fail to start if the OpenTelemetry collector endpoint is un When `forcePublicRepos` is `true` (the default), the gateway overrides the compiled allow-only policy to `repos="public"` at startup if it detects the workflow is running in a public repository. This prevents agents from accumulating private-data secrecy tags in the first place — even when the compiled config grants broader access. -**Detection mechanism**: The gateway reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below). +**Applies to both modes**: This runtime check applies to both the MCP gateway (unified/routed mode, via `gateway.forcePublicRepos` config) and the CLI proxy (`awmg proxy`, via the `--force-public-repos` flag). In proxy mode, the override modifies the `--policy` JSON before passing it to the WASM guard. + +**Detection mechanism**: The gateway/proxy reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below). **Scope of the override**: Only the allow-only policy is affected. Guard policies, tool permissions, and other configuration are unchanged. @@ -571,11 +573,13 @@ When `forcePublicRepos` is `true` (the default), the gateway overrides the compi - Runtime detection of a public repo with `forcePublicRepos: true` **adds** the public restriction; it does not relax any existing constraint. - `forcePublicRepos: false` disables the runtime override entirely — the compiled allow-only policy is used as-is. - This override is **skipped** when `GITHUB_REPOSITORY` or the GitHub token is unavailable. -- API errors during visibility detection result in a non-fatal warning; the gateway falls back to the compiled policy. +- API errors during visibility detection result in a non-fatal warning; the gateway/proxy falls back to the compiled policy. -**Opt-out**: Workflow authors who intentionally allow private→public data flows set `private-to-public-flows: allow` in frontmatter (Section 10.9). The compiler translates this to `forcePublicRepos: false` in the generated gateway config. See Section 10.8 and 10.9 for the write-sink guard policy interaction. +**Opt-out**: Workflow authors who intentionally allow private→public data flows set `private-to-public-flows: allow` in frontmatter (Section 10.9). The compiler translates this to: +- `gateway.forcePublicRepos: false` in the generated gateway JSON stdin config +- `--force-public-repos=false` flag when launching the proxy subcommand -**Environment variable override**: `MCP_GATEWAY_FORCE_PUBLIC_REPOS=false` disables the override without requiring a config change. +**Environment variable override**: `MCP_GATEWAY_FORCE_PUBLIC_REPOS=false` disables the override without requiring a config change. The `--force-public-repos` flag defaults to the value of this environment variable (defaulting to `true` when unset). **Configuration Example**: From 08d4810b56305838d2e2382e838066e54e8f2ae6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 8 Jul 2026 17:12:24 +0000 Subject: [PATCH 2/2] docs: clarify proxy forcePublicRepos runtime prerequisites Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- docs/src/content/docs/reference/mcp-gateway.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/src/content/docs/reference/mcp-gateway.md b/docs/src/content/docs/reference/mcp-gateway.md index e317062e5c9..14ed523df62 100644 --- a/docs/src/content/docs/reference/mcp-gateway.md +++ b/docs/src/content/docs/reference/mcp-gateway.md @@ -564,7 +564,7 @@ When `forcePublicRepos` is `true` (the default), the gateway overrides the compi **Applies to both modes**: This runtime check applies to both the MCP gateway (unified/routed mode, via `gateway.forcePublicRepos` config) and the CLI proxy (`awmg proxy`, via the `--force-public-repos` flag). In proxy mode, the override modifies the `--policy` JSON before passing it to the WASM guard. -**Detection mechanism**: The gateway/proxy reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to the availability of `GITHUB_REPOSITORY`, the GitHub token, and a successful API response (see Precedence rules below). +**Detection mechanism**: The gateway reads `GITHUB_REPOSITORY` and calls `GET /repos/{owner}/{repo}` at startup to determine repository visibility. Proxy mode uses the same check only when the launcher forwards `GITHUB_REPOSITORY` and a GitHub token into the proxy process/container. If the repository is public and `forcePublicRepos` is `true`, the override is applied — subject to those inputs and a successful API response (see Precedence rules below). **Scope of the override**: Only the allow-only policy is affected. Guard policies, tool permissions, and other configuration are unchanged. @@ -575,9 +575,7 @@ When `forcePublicRepos` is `true` (the default), the gateway overrides the compi - This override is **skipped** when `GITHUB_REPOSITORY` or the GitHub token is unavailable. - API errors during visibility detection result in a non-fatal warning; the gateway/proxy falls back to the compiled policy. -**Opt-out**: Workflow authors who intentionally allow private→public data flows set `private-to-public-flows: allow` in frontmatter (Section 10.9). The compiler translates this to: -- `gateway.forcePublicRepos: false` in the generated gateway JSON stdin config -- `--force-public-repos=false` flag when launching the proxy subcommand +**Opt-out**: Workflow authors who intentionally allow private→public data flows set `private-to-public-flows: allow` in frontmatter (Section 10.9). The compiler translates this to `gateway.forcePublicRepos: false` in the generated gateway JSON stdin config. For proxy mode, launchers should pass `--force-public-repos=false` when they need equivalent opt-out behavior. **Environment variable override**: `MCP_GATEWAY_FORCE_PUBLIC_REPOS=false` disables the override without requiring a config change. The `--force-public-repos` flag defaults to the value of this environment variable (defaulting to `true` when unset).