Lpcox/print failed container logs

.gitignore

@@ -57,3 +57,7 @@ scripts/rebase-github-difc.sh
 
 # Serena cache directories
 .serena/
+
+# WASM guard build artifacts
+examples/guards/*/guard.wasm
+*.wasm

.serena/.gitignore

@@ -0,0 +1 @@
+/cache

.serena/project.yml

@@ -0,0 +1,89 @@
+# list of languages for which language servers are started; choose from:
+#   al                  bash                clojure             cpp                 csharp
+#   csharp_omnisharp    dart                elixir              elm                 erlang
+#   fortran             fsharp              go                  groovy              haskell
+#   java                julia               kotlin              lua                 markdown
+#   matlab              nix                 pascal              perl                php
+#   powershell          python              python_jedi         r                   rego
+#   ruby                ruby_solargraph     rust                scala               swift
+#   terraform           toml                typescript          typescript_vts      vue
+#   yaml                zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   - csharp: Requires the presence of a .sln file in the project folder.
+#   - pascal: Requires Free Pascal Compiler (fpc) and optionally Lazarus.
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- go
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# list of additional paths to ignore in all projects
+# same syntax as gitignore, so you can use * and **
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude. We recommend not excluding any tools, see the readme for more details.
+# Below is the complete list of tools for convenience.
+# To make sure you have the latest list of tools, and to view their descriptions, 
+# execute `uv run scripts/print_tool_overview.py`.
+#
+#  * `activate_project`: Activates a project by name.
+#  * `check_onboarding_performed`: Checks whether project onboarding was already performed.
+#  * `create_text_file`: Creates/overwrites a file in the project directory.
+#  * `delete_lines`: Deletes a range of lines within a file.
+#  * `delete_memory`: Deletes a memory from Serena's project-specific memory store.
+#  * `execute_shell_command`: Executes a shell command.
+#  * `find_referencing_code_snippets`: Finds code snippets in which the symbol at the given location is referenced.
+#  * `find_referencing_symbols`: Finds symbols that reference the symbol at the given location (optionally filtered by type).
+#  * `find_symbol`: Performs a global (or local) search for symbols with/containing a given name/substring (optionally filtered by type).
+#  * `get_current_config`: Prints the current configuration of the agent, including the active and available projects, tools, contexts, and modes.
+#  * `get_symbols_overview`: Gets an overview of the top-level symbols defined in a given file.
+#  * `initial_instructions`: Gets the initial instructions for the current project.
+#     Should only be used in settings where the system prompt cannot be set,
+#     e.g. in clients you have no control over, like Claude Desktop.
+#  * `insert_after_symbol`: Inserts content after the end of the definition of a given symbol.
+#  * `insert_at_line`: Inserts content at a given line in a file.
+#  * `insert_before_symbol`: Inserts content before the beginning of the definition of a given symbol.
+#  * `list_dir`: Lists files and directories in the given directory (optionally with recursion).
+#  * `list_memories`: Lists memories in Serena's project-specific memory store.
+#  * `onboarding`: Performs onboarding (identifying the project structure and essential tasks, e.g. for testing or building).
+#  * `prepare_for_new_conversation`: Provides instructions for preparing for a new conversation (in order to continue with the necessary context).
+#  * `read_file`: Reads a file within the project directory.
+#  * `read_memory`: Reads the memory with the given name from Serena's project-specific memory store.
+#  * `remove_project`: Removes a project from the Serena configuration.
+#  * `replace_lines`: Replaces a range of lines within a file with new content.
+#  * `replace_symbol_body`: Replaces the full definition of a symbol.
+#  * `restart_language_server`: Restarts the language server, may be necessary when edits not through Serena happen.
+#  * `search_for_pattern`: Performs a search for a pattern in the project.
+#  * `summarize_changes`: Provides instructions for summarizing the changes made to the codebase.
+#  * `switch_modes`: Activates modes by providing a list of their names
+#  * `think_about_collected_information`: Thinking tool for pondering the completeness of collected information.
+#  * `think_about_task_adherence`: Thinking tool for determining whether the agent is still on track with the current task.
+#  * `think_about_whether_you_are_done`: Thinking tool for determining whether the task is truly completed.
+#  * `write_memory`: Writes a named memory (for future reference) to Serena's project-specific memory store.
+excluded_tools: []
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: ""
+
+project_name: "gh-aw-mcpg"
+included_optional_tools: []

AGENTS.md

@@ -364,6 +364,18 @@ DEBUG_COLORS=0 DEBUG=* ./awmg --config config.toml
 - `DEBUG_COLORS` - Control colored output (0 to disable, auto-disabled when piping)
 - `MCP_GATEWAY_LOG_DIR` - Log file directory (sets default for `--log-dir` flag, default: `/tmp/gh-aw/mcp-logs`)
 - `MCP_GATEWAY_PAYLOAD_DIR` - Large payload storage directory (sets default for `--payload-dir` flag, default: `/tmp/jq-payloads`)
+- `MCP_GATEWAY_CONFIG_EXTENSIONS` - Enable config extensions for DIFC features (sets default for `--enable-config-extensions` flag)
+- `MCP_GATEWAY_ENABLE_DIFC` - Enable DIFC enforcement (requires `MCP_GATEWAY_CONFIG_EXTENSIONS=1`)
+- `MCP_GATEWAY_DIFC_FILTER` - Enable DIFC response filtering (requires DIFC enabled)
+- `MCP_GATEWAY_SESSION_SECRECY` - Initial secrecy labels for sessions (requires config extensions)
+- `MCP_GATEWAY_SESSION_INTEGRITY` - Initial integrity labels for sessions (requires config extensions)
+
+**Config Extensions:**
+Config extensions (guards, session labels) require `--enable-config-extensions` or `MCP_GATEWAY_CONFIG_EXTENSIONS=1`.
+This gates all DIFC-related configuration including:
+- `guards` section in config
+- `gateway.session` section in config
+- `--enable-difc`, `--difc-filter`, `--session-secrecy`, `--session-integrity` flags
 
 **File Logging:**
 - Operational logs are always written to `mcp-gateway.log` in the configured log directory

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build lint test test-unit test-integration test-all test-serena test-serena-gateway coverage test-ci format clean install release help agent-finished
+.PHONY: build lint test test-unit test-integration test-all test-serena test-serena-gateway coverage test-ci format clean install release help agent-finished echo-guard-demo echo-guard-build echo-guard-test echo-guard-codex echo-guard-tmux
 
 # Default target
 .DEFAULT_GOAL := help
@@ -21,15 +21,15 @@ build:
 lint:
 	@echo "Running linters..."
 	@go mod tidy
-	@go vet ./...
+	@go vet $$(go list ./... | grep -v '/examples/guards/')
 	@echo "Running gofmt check..."
-	@test -z "$$(gofmt -l .)" || (echo "The following files are not formatted:"; gofmt -l .; exit 1)
+	@test -z "$$(gofmt -l $$(find . -name '*.go' -not -path './examples/guards/*'))" || (echo "The following files are not formatted:"; gofmt -l $$(find . -name '*.go' -not -path './examples/guards/*'); exit 1)
 	@echo "Running golangci-lint..."
 	@GOPATH=$$(go env GOPATH); \
 	if [ -f "$$GOPATH/bin/golangci-lint" ]; then \
-		$$GOPATH/bin/golangci-lint run --timeout=5m || echo "⚠ Warning: golangci-lint failed (compatibility issue with Go 1.25.0). Continuing with other checks..."; \
+		$$GOPATH/bin/golangci-lint run --timeout=5m --skip-dirs examples/guards || echo "⚠ Warning: golangci-lint failed (compatibility issue with Go 1.25.0). Continuing with other checks..."; \
 	elif command -v golangci-lint >/dev/null 2>&1; then \
-		golangci-lint run --timeout=5m || echo "⚠ Warning: golangci-lint failed (compatibility issue with Go 1.25.0). Continuing with other checks..."; \
+		golangci-lint run --timeout=5m --skip-dirs examples/guards || echo "⚠ Warning: golangci-lint failed (compatibility issue with Go 1.25.0). Continuing with other checks..."; \
 	else \
 		echo "⚠ Warning: golangci-lint not found. Run 'make install' to install it."; \
 		echo "  Skipping golangci-lint checks..."; \
@@ -261,4 +261,43 @@ help:
 	@echo "  install         - Install required toolchains and dependencies"
 	@echo "  release         - Create and push a release tag (usage: make release patch|minor|major)"
 	@echo "  agent-finished  - Run format, build, lint, and all tests (for agents before completion)"
+	@echo "  echo-guard-demo - Run quick echo guard test demo (shows guard I/O)"
+	@echo "  echo-guard-codex - Start gateway with echo guard for Codex integration"
+	@echo "  echo-guard-tmux - Interactive tmux demo (gateway + instructions)"
+	@echo "  echo-guard-build - Build the echo guard WASM file"
+	@echo "  echo-guard-test - Run echo guard integration tests"
 	@echo "  help            - Display this help message"
+
+# Echo Guard Demo targets
+echo-guard-demo:
+	@echo ""
+	@echo "╔═══════════════════════════════════════════════════════════════╗"
+	@echo "║              ECHO GUARD DEMO                                  ║"
+	@echo "║  Demonstrates guard I/O for debugging guard implementations   ║"
+	@echo "╚═══════════════════════════════════════════════════════════════╝"
+	@echo ""
+	@./scripts/echo-guard-demo.sh all
+
+echo-guard-codex:
+	@echo ""
+	@echo "╔═══════════════════════════════════════════════════════════════╗"
+	@echo "║        ECHO GUARD END-TO-END DEMO WITH CODEX                  ║"
+	@echo "╚═══════════════════════════════════════════════════════════════╝"
+	@echo ""
+	@./scripts/echo-guard-demo.sh codex
+
+echo-guard-tmux:
+	@echo ""
+	@echo "╔═══════════════════════════════════════════════════════════════╗"
+	@echo "║        ECHO GUARD INTERACTIVE TMUX DEMO                       ║"
+	@echo "╚═══════════════════════════════════════════════════════════════╝"
+	@echo ""
+	@./scripts/echo-guard-demo.sh tmux
+
+echo-guard-build:
+	@echo "Building echo guard WASM..."
+	@./scripts/echo-guard-demo.sh build
+
+echo-guard-test:
+	@echo "Running echo guard tests..."
+	@go test -v -run "TestEchoGuard" ./test/integration/...

config.example.toml

@@ -104,7 +104,7 @@ args = [
 # ============================================================================
 
 # Enable Data Information Flow Control (DIFC) security model (default: false)
-# When true, requires sys___init call before tool access
+# When true, enables DIFC enforcement. Sessions are auto-created from Authorization header.
 # This is an experimental feature - keep disabled for standard MCP compatibility
 # enable_difc = false