Fix large payload tester mount isolation - remove test data from gateway

.github/agentics/large-payload-tester.md

@@ -14,12 +14,17 @@ Test that when the MCP Gateway receives large responses from backend MCP servers
 
 ## Test Protocol
 
-This test uses a **secret-based verification approach**:
-1. A secret UUID is embedded in a large test file (~500KB) before the test runs
-2. You will use the filesystem MCP server to read a large file containing this secret
-3. The gateway will intercept the large response, store it to disk, and return metadata with a `payloadPath`
-4. You must then read the payload file from the path provided and extract the secret
-5. Finally, report whether you successfully retrieved the secret from the payload
+This test uses a **secret-based verification approach** to ensure end-to-end correctness:
+
+1. A secret UUID is embedded in a large test file (~500KB) BEFORE the test runs
+2. The large test file is stored in `/tmp/mcp-test-fs` on the runner (NOT accessible to gateway)
+3. The payload directory `/tmp/jq-payloads` starts EMPTY (created on-demand by gateway)
+4. You will use the filesystem MCP server to read the large file containing the secret
+5. The gateway will intercept the large response, store it to `/tmp/jq-payloads`, and return metadata
+6. You must then read the payload file from the stored location and extract the secret
+7. Finally, report whether you successfully retrieved the secret from the payload
+
+**Key Architecture**: The test file is isolated from the gateway. The gateway can only access it by querying the filesystem MCP server through the MCP protocol, which properly tests the payload storage feature.
 
 ## Test Steps
 

.github/workflows/large-payload-tester-README.md

@@ -15,20 +15,31 @@ This agentic workflow tests the MCP Gateway's large payload handling feature, sp
 ```
 ┌─────────────────┐          ┌──────────────────┐          ┌────────────────┐
 │  Agent          │          │  MCP Gateway      │          │  Filesystem    │
-│  Container      │◄────────►│  Container        │◄────────►│  MCP Server    │
+│  (via Copilot)  │◄────────►│  Container        │◄────────►│  MCP Server    │
 └─────────────────┘          └──────────────────┘          └────────────────┘
         │                            │                             │
         │                            │                             │
-   Reads payload              Stores payload              Reads large file
-   from mounted dir           to /tmp/jq-payloads         from /tmp/mcp-test-fs
+   Reads via                   Stores payload              Reads test file
+   filesystem MCP              to /tmp/jq-payloads         from /tmp/mcp-test-fs
         │                            │                             │
         ▼                            ▼                             ▼
-   /workspace/                /tmp/jq-payloads/           /tmp/mcp-test-fs/
-   mcp-payloads/              {sessionID}/                large-test-file.json
-                              {queryID}/                  (contains secret)
-                              payload.json
+   /workspace/mcp-payloads/   /tmp/jq-payloads/           /workspace/test-data/
+   (mounted from runner)      (gateway writes)            (mounted from runner)
+                              {sessionID}/{queryID}/       large-test-file.json
+                              payload.json                 (contains secret)
+
+Runner Filesystem:
+/tmp/mcp-test-fs/          →  Only accessible to filesystem MCP server
+/tmp/jq-payloads/          →  Shared between gateway (writes) and filesystem server (reads)
 ```
 
+**Flow**:
+1. Agent requests file via gateway → filesystem MCP server
+2. Filesystem server reads from its `/workspace/test-data/` (mounted from `/tmp/mcp-test-fs`)
+3. Gateway intercepts large response
+4. Gateway stores to `/tmp/jq-payloads/{sessionID}/{queryID}/payload.json`
+5. Agent reads payload via filesystem server's `/workspace/mcp-payloads/` mount
+
 ### Test Protocol
 
 The workflow uses a **secret-based verification** approach:
@@ -56,30 +67,39 @@ The workflow uses a **secret-based verification** approach:
 
 ### Volume Mounts
 
-The workflow uses three volume mounts to enable the test:
+### Volume Mounts
+
+The workflow uses a carefully structured mount configuration to ensure proper isolation:
 
-1. **Test Data Mount** (filesystem MCP server):
+1. **Test Data Mount** (filesystem MCP server ONLY):
    ```yaml
    /tmp/mcp-test-fs:/workspace/test-data:ro
    ```
-   - Contains the control secret file and large test file
+   - Contains the control secret file and large test file on the actions runner
+   - Mounted ONLY to the filesystem MCP server container (NOT to the gateway)
    - Read-only access for safety
-   - Accessible to agent via `/workspace/test-data/`
+   - Accessible to agent via filesystem MCP server at `/workspace/test-data/`
+   - Gateway does NOT have direct access to test files
 
 2. **Payload Mount** (filesystem MCP server):
    ```yaml
    /tmp/jq-payloads:/workspace/mcp-payloads:ro
    ```
-   - Allows agent to read stored payloads
+   - Allows agent to read stored payloads through filesystem MCP server
    - Read-only to prevent accidental corruption
    - Accessible to agent via `/workspace/mcp-payloads/`
+   - Initially empty/non-existent until gateway stores first payload
 
 3. **Gateway Payload Mount** (MCP gateway container):
    ```yaml
    /tmp/jq-payloads:/tmp/jq-payloads:rw
    ```
    - Allows gateway to write payload files
    - Read-write for payload storage
+   - Gateway creates directory structure on-demand
+   - This is the ONLY directory the gateway container has mounted
+
+**Key Design Principle**: The test data directory (`/tmp/mcp-test-fs`) is isolated from the gateway. The gateway only has access to the payload directory (`/tmp/jq-payloads`). This ensures that the gateway cannot directly access test files and must retrieve them through the filesystem MCP server, properly testing the MCP protocol flow.
 
 ### Path Translation
 

.github/workflows/large-payload-tester.md

@@ -32,7 +32,6 @@ sandbox:
   mcp:
     container: "ghcr.io/github/gh-aw-mcpg"
     mounts:
-      - "/tmp/mcp-test-fs:/tmp/mcp-test-fs:ro"
       - "/tmp/jq-payloads:/tmp/jq-payloads:rw"
 
 safe-outputs:
@@ -45,9 +44,8 @@ safe-outputs:
 steps:
   - name: Setup Test Environment
     run: |
-      # Create test directories
+      # Create test data directory (payload directory will be created by gateway on-demand)
       mkdir -p /tmp/mcp-test-fs
-      mkdir -p /tmp/jq-payloads
 
       # Generate a unique secret for this test run
       # Use uuidgen if available, otherwise use timestamp with nanoseconds for better entropy