Skip to content

[compliance] Compliance Gap: registry field rejected despite being valid per spec #1162

New issue
New issue
Closed
#1176
Closed
[compliance] Compliance Gap: registry field rejected despite being valid per spec#1162
#1176
Assignees
lpcoxanthropic-code-agent
Labels
automationcompliancespecification
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 20, 2026

MCP Gateway Compliance Review — 2026-02-20

Summary

Found 2 compliance issues during daily review. One important issue (spec-valid field causes validation failure) and one minor gap (missing SHOULD feature).

Recent Changes Reviewed

Important Issues (spec-valid field rejected)

1. registry Field Defined in Spec but Rejected by Schema Validation

Specification Section: 4.1.2 Server Configuration Fields
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#412-server-configuration-fields

Requirement:

| registry | string | No | URI to the installation location when MCP is installed from a registry. This is an informational field used for documentation and tooling discovery. Applies to both stdio and HTTP servers. Example: "https://api.mcp.github.com/v0/servers/microsoft/markitdown" |

Current State:

The registry field is:

  • Not present in StdinServerConfig struct (internal/config/config_stdin.go)
  • Not present in ServerConfig struct (internal/config/config_core.go:88–112)
  • Not present in the pinned JSON schema at v0.41.1 for either stdioServerConfig or httpServerConfig
  • Not present in the latest JSON schema on main for either type either

Both stdioServerConfig and httpServerConfig in the JSON schema use "additionalProperties": false, so any configuration that includes registry will fail schema validation with an "additional property" error.

Gap:

The spec explicitly defines registry as a valid optional field for both stdio and http servers. Appendix A.5 includes complete examples of its use. However, the current implementation will reject any configuration containing this field.

Severity: Important (spec defines a valid optional field that the implementation actively rejects)

File References:

  • internal/config/config_stdin.goStdinServerConfig struct (missing Registry field)
  • internal/config/config_core.go:88–112ServerConfig struct (missing Registry field)
  • internal/config/validation_schema.go:38 — pinned schema URL at v0.41.1
  • JSON schema at v0.41.1: stdioServerConfig.additionalProperties = false, no registry property
  • JSON schema at main: same — registry not present

Suggested Fix:

  1. Add Registry field to StdinServerConfig:

    // Registry is the URI to the installation location in an MCP registry (informational)
Registry string `json:"registry,omitempty"`

  2. Add Registry field to ServerConfig:

    // Registry is the URI to the installation location in an MCP registry (informational)
Registry string `toml:"registry" json:"registry,omitempty"`

  3. Add registry property to the JSON schema (or open a PR in gh-aw to update the pinned schema), and update the schema pin version once merged.

  4. Pass registry through in convertStdinConfig if it needs to be preserved in the internal config.

Estimated Effort: Small (1–2 hours)

Minor Suggestions (SHOULD improvements)

2. No Random API Key Generation When apiKey Is Not Configured

Specification Section: 7.3 Optimal Temporary API Key
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#73-optimal-temporary-api-key

Requirement:

The gateway SHOULD support temporary API keys:

  1. Generate a random API key on startup if not provided
  2. Include key in stdout configuration output

Current State:

In internal/cmd/root.go:380, apiKey is set to "" when cfg.Gateway.APIKey is empty. No random key is generated, and the stdout output configuration omits headers entirely when there is no API key (internal/cmd/root.go:406).

Gap:

Clients connecting to a gateway with no configured API key must know to send no Authorization header. If a random key were auto-generated, the gateway would always have an auth layer and clients would get the key from the stdout configuration output.

Severity: Minor (SHOULD, not MUST)

File References:

  • internal/cmd/root.go:380,406
  • internal/server/transport.go:62

Estimated Effort: Small (1–2 hours)

Compliance Status

Section Requirement Status
3.2.1 Containerization Requirement stdio MUST be containerized ✅ Compliant
4.1.2 Server Configuration Fields — registry Valid optional field ❌ Field rejected by schema
4.2 Variable Expression Rendering Fail immediately on undefined variable ✅ Compliant
4.3 Configuration Validation Unknown fields rejected, schema validated ✅ Compliant
4.1.4 Custom Server Types customSchemas registration ✅ Compliant
4.1.5 Volume Mounts mounts field for stdio servers ✅ Compliant
5.1.1 Endpoint Structure POST /mcp/{server-name}, GET /health, POST /close ✅ Compliant
5.1.3 Close Endpoint Idempotency (410 on second call), auth required ✅ Compliant
7.2 API Key Authentication 401 on missing/invalid token, health exempt ✅ Compliant
7.3 Temporary API Key Random key if not configured ⚠️ SHOULD not implemented
8.1.1 Health Endpoint specVersion and gatewayVersion present ✅ Compliant

References

Generated by Daily Compliance Checker

Metadata

Metadata

Assignees

Labels

automationcompliancespecification

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions