Merged
3 changes: 0 additions & 3 deletions AGENTS.md
Expand Up @@ -27,7 +27,6 @@ Quick reference for AI agents working with MCP Gateway (Go-based MCP proxy serve
- `internal/server/` - HTTP server (routed/unified modes)
- `internal/mcp/` - MCP protocol types with enhanced error logging
- `internal/launcher/` - Backend process management
- `internal/difc/` - Security labels (not enabled)
- `internal/guard/` - Security guards (NoopGuard active)
- `internal/auth/` - Authentication header parsing and middleware
- `internal/logger/` - Debug logging framework (micro logger)
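Review bot: The `internal/difc/` entry is dropped from this package list while the neighbouring `internal/guard/` entry still reads "Security guards (NoopGuard active)", so the list now names the guard without the package that holds the secrecy/integrity labels. The three files shown in this change are documentation only. If the `internal/difc/` directory stays in the tree, keep the entry, since its "(not enabled)" qualifier already told the reader what they need; if the package is being deleted, do that in the same change so the quick reference and the tree agree.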
Expand Down Expand Up @@ -355,11 +354,9 @@ DEBUG_COLORS=0 DEBUG=* ./awmg --config config.toml

- **Auth**: `Authorization: <apiKey>` header (plain API key per spec 7.1, NOT Bearer scheme)
- **Sessions**: Session ID extracted from Authorization header value
- **DIFC**: Implemented but disabled (NoopGuard active)
- **Stdio servers**: Containerized execution only (no direct command support)

## Resources

- [README.md](./README.md) - Full documentation
- [DIFC Proposal](./docs/DIFC_INTEGRATION_PROPOSAL.md) - Security design
- [MCP Protocol](https://github.com/modelcontextprotocol) - Specification
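Review bot: Deleting the bullet `**DIFC**: Implemented but disabled (NoopGuard active)` removes the only line in this list stating that label enforcement is off; what remains covers Auth, Sessions and Stdio servers. An agent reading this file for the gateway's security posture should still be told that the active guard enforces nothing, so replace the bullet with a one-line statement to that effect rather than dropping it outright.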
8 changes: 0 additions & 8 deletions CONTRIBUTING.md
Expand Up @@ -216,7 +216,6 @@ awmg/
├── launcher/ # Backend server management
├── mcp/ # MCP protocol types & connection
├── server/ # HTTP server (routed/unified modes)
├── difc/ # Security labels (not enabled)
├── guard/ # Security guards (NoopGuard active)
├── logger/ # Debug logging framework
├── timeutil/ # Time formatting utilities
Expand All @@ -230,7 +229,6 @@ awmg/
- **`internal/server/`** - HTTP server with routed and unified modes
- **`internal/mcp/`** - MCP protocol types and JSON-RPC handling
- **`internal/launcher/`** - Backend process management (Docker, stdio)
- **`internal/difc/`** - DIFC security infrastructure (not yet enabled)
- **`internal/guard/`** - Guard framework for resource labeling
- **`internal/logger/`** - Micro logger for debug output

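Review bot: With the `internal/difc/` line gone, the surviving `internal/guard/` entry, "Guard framework for resource labeling", refers to labeling that nothing else in this list explains. Either reword the guard entry to say what it does today (the tree listing in the previous hunk calls it "NoopGuard active") or keep a pointer to where the labels are defined.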
Expand Down Expand Up @@ -481,12 +479,6 @@ When you push a release tag, the automated release workflow:
- Unified mode: All backends at `/mcp`
- Basic request/response proxying

### DIFC Integration (Not Yet Enabled)

The codebase includes a complete **Decentralized Information Flow Control (DIFC)** implementation that is not yet enabled by default. See [`docs/DIFC_INTEGRATION_PROPOSAL.md`](docs/DIFC_INTEGRATION_PROPOSAL.md) for full design details.

**Current Status**: All DIFC infrastructure is implemented and tested, but only the `NoopGuard` is active (which returns empty labels, effectively disabling enforcement).

## Questions or Issues?

- Check existing [issues](https://github.com/githubnext/gh-aw-mcpg/issues)
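Review bot: The removed "DIFC Integration (Not Yet Enabled)" section carried the link to `docs/DIFC_INTEGRATION_PROPOSAL.md`, and the same link is dropped from AGENTS.md and README.md in this change, which leaves the proposal unreachable from all three documents. If the proposal file is kept, leave one link to it here, where contributors will look; if it is obsolete, delete the file in the same change.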
49 changes: 0 additions & 49 deletions README.md
Expand Up @@ -194,7 +194,6 @@ Usage:
Flags:
-c, --config string Path to config file (default "config.toml")
--config-stdin Read MCP server configuration from stdin (JSON format). When enabled, overrides --config
--enable-difc Enable DIFC enforcement and session requirement (requires sys___init call before tool access)
--env string Path to .env file to load environment variables
-h, --help help for awmg
-l, --listen string HTTP server listen address (default "127.0.0.1:3000")
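Review bot: The `--enable-difc` line is removed from a block that reproduces the `awmg` help output (`-h, --help help for awmg`), so this edit is only correct if the flag is also removed from the command itself, and no such code change is visible among the files shown here. The flag's description says it turns on enforcement and a session requirement ("requires sys___init call before tool access"), which an operator needs documented for as long as the binary accepts the flag. Regenerate this block from the current `--help` output instead of editing it by hand.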
Expand Down Expand Up @@ -448,54 +447,6 @@ This Go port focuses on core MCP proxy functionality with optional security feat
- ✅ Basic request/response proxying
- ✅ Enhanced error debugging and troubleshooting

### DIFC Integration (Not Yet Enabled)

MCPG includes a complete implementation of **Decentralized Information Flow Control (DIFC)** for information security, but it is **not yet enabled by default**. The DIFC system provides:

- **Label-based Security**: Track information flow with secrecy and integrity labels
- **Reference Monitor**: Centralized policy enforcement for all MCP operations
- **Guard Framework**: Domain-specific resource labeling (e.g., GitHub repos, files)
- **Agent Tracking**: Per-agent taint tracking across requests
- **Fine-grained Control**: Collection filtering for partial access to resources

#### DIFC Components (Implemented)

```
internal/difc/
├── labels.go # Secrecy/integrity labels with flow semantics
├── resource.go # Resource labeling (coarse & fine-grained)
├── evaluator.go # DIFC policy evaluation & enforcement
├── agent.go # Per-agent label tracking (taint tracking)
└── capabilities.go # Global tag registry

internal/guard/
├── guard.go # Guard interface definition
├── noop.go # NoopGuard (default, allows all operations)
├── registry.go # Guard registration & lookup
└── context.go # Agent ID extraction utilities
```

#### How DIFC Works (When Enabled)

1. **Resource Labeling**: Guards label resources based on domain knowledge (e.g., "repo:owner/name", "visibility:private")
2. **Agent Tracking**: Each agent has secrecy/integrity labels that accumulate through reads (taint tracking)
3. **Policy Enforcement**: Reference Monitor checks if operations violate label flow semantics:
- **Read**: Resource secrecy must flow to agent secrecy (resource ⊆ agent)
- **Write**: Agent integrity must flow to resource integrity (agent ⊆ resource)
4. **Fine-grained Filtering**: Collections (e.g., search results) automatically filtered to allowed items

#### Enabling DIFC (Future)

To enable DIFC enforcement, you'll need to:

1. **Implement domain-specific guards** (e.g., GitHub, filesystem)
2. **Configure agent labels** in `config.toml`
3. **Register guards** in server initialization

See [`docs/DIFC_INTEGRATION_PROPOSAL.md`](docs/DIFC_INTEGRATION_PROPOSAL.md) for full design details.

**Current Status**: All DIFC infrastructure is implemented and tested, but only the `NoopGuard` is active (which returns empty labels, effectively disabling enforcement). Custom guards for specific backends (GitHub, filesystem, etc.) are not yet implemented.

## MCP Server Compatibility

**Not all MCP servers work the same way through the HTTP gateway.** The key difference is **architecture** (stateless vs stateful), not transport.
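Review bot: The hunk header shows the paragraph above this deletion still describing the port as having "optional security feat" (truncated in the header), yet the section removed here was the README's description of those features. Update that sentence to match, and keep one line from the old "Current Status" paragraph so readers still learn that the default `NoopGuard` "allows all operations"; after this deletion this part of the README no longer says that the gateway performs no label enforcement.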