You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Test (internal/config/load_from_stdin_coverage_test.go lines 183–217) — TestLoadFromStdin_OpenTelemetryHeaders explicitly verifies the non-compliant behavior:
// verifies that gateway.opentelemetry.headers passes schema validation// and is converted into the runtime tracing config.
Gap:
The spec v1.14.0 Breaking change says headers must be REMOVED from the JSON schema and no longer accepted in the JSON stdin config. The implementation still accepts and processes it.
Note on resolveHeaders priority: The current implementation in internal/tracing/config_resolver.go gives cfg.Headers (from JSON/TOML config) higher priority than OTEL_EXPORTER_OTLP_HEADERS env var — the env var is only a fallback. The spec requires the env var to be the only way to pass headers in the JSON config context.
Severity: Important (MUST violation / Breaking spec change)
internal/config/load_from_stdin_coverage_test.go:183–217 — test verifies non-compliant behavior
Note: The TOML config (TracingConfig.Headers with toml:"headers") is a separate concern — the spec's breaking change specifically targets the JSON stdin config, so TOML support for headers may be retained.
Suggested Fix:
Remove headers from JSON schema — delete the headers property from the opentelemetryConfig definition in mcp-gateway-config.schema.json.
Remove Headers from StdinOpenTelemetryConfig — delete the Headers string field in config_stdin.go.
Update stdin converter — remove Headers: otel.Headers from the stdin→config conversion in config_tracing.go.
Update resolveHeaders — once the stdin-config field is removed, the env var becomes the primary/only source. Consider logging a clear warning if a caller still somehow passes headers config so the change is discoverable.
Update test — replace TestLoadFromStdin_OpenTelemetryHeaders with a test that verifies headers is rejected (fails schema validation) when provided in the JSON stdin config.
MCP Gateway Compliance Review — 2026-07-01
Summary
Found 1 compliance issue during daily review of commit
843d8d38([test] Add tests for guard.NewWasmGuardWithOptions coverage paths).Spec Version: 1.14.0 (Breaking change —
headersremoval from JSON config)Commits Reviewed:
843d8d38445e5516a37adf23a8d0533f47fac428(HEAD, shallow clone)Previous Review: 2026-06-30 (all other aspects confirmed compliant)
Critical/Important Issues (MUST violations)
1. OTEL
headersfield still present in JSON schema andStdinOpenTelemetryConfigSpecification Section: 4.1.3.7 — OpenTelemetry Configuration
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#4137-opentelemetry-configuration
Requirement:
From the Spec v1.14.0 changelog (Breaking change):
From spec Section 4.1.3.7 requirements:
The spec's field table for
opentelemetryconfig (Section 4.1.3.7) lists only:endpoint(required)traceId(no)spanId(no)serviceName(no)No
headersfield is listed.Current State:
JSON Schema (
internal/config/schema/mcp-gateway-config.schema.jsonlines 460–464) — still containsheadersinopentelemetryConfigdefinition:Stdin config struct (
internal/config/config_stdin.goline 81) —StdinOpenTelemetryConfigstill has:Stdin converter (
internal/config/config_tracing.goline 102) — still copies headers from stdin config:Test (
internal/config/load_from_stdin_coverage_test.golines 183–217) —TestLoadFromStdin_OpenTelemetryHeadersexplicitly verifies the non-compliant behavior:Gap:
The spec v1.14.0 Breaking change says
headersmust be REMOVED from the JSON schema and no longer accepted in the JSON stdin config. The implementation still accepts and processes it.Note on
resolveHeaderspriority: The current implementation ininternal/tracing/config_resolver.gogivescfg.Headers(from JSON/TOML config) higher priority thanOTEL_EXPORTER_OTLP_HEADERSenv var — the env var is only a fallback. The spec requires the env var to be the only way to pass headers in the JSON config context.Severity: Important (MUST violation / Breaking spec change)
File References:
internal/config/schema/mcp-gateway-config.schema.json—opentelemetryConfig.headersproperty (lines 460–464)internal/config/config_stdin.go:81—StdinOpenTelemetryConfig.Headersfieldinternal/config/config_tracing.go:102— stdin converter readsotel.Headersinternal/config/load_from_stdin_coverage_test.go:183–217— test verifies non-compliant behaviorNote: The TOML config (
TracingConfig.Headerswithtoml:"headers") is a separate concern — the spec's breaking change specifically targets the JSON stdin config, so TOML support forheadersmay be retained.Suggested Fix:
Remove
headersfrom JSON schema — delete theheadersproperty from theopentelemetryConfigdefinition inmcp-gateway-config.schema.json.Remove
HeadersfromStdinOpenTelemetryConfig— delete theHeaders stringfield inconfig_stdin.go.Update stdin converter — remove
Headers: otel.Headersfrom the stdin→config conversion inconfig_tracing.go.Update
resolveHeaders— once the stdin-config field is removed, the env var becomes the primary/only source. Consider logging a clear warning if a caller still somehow passes headers config so the change is discoverable.Update test — replace
TestLoadFromStdin_OpenTelemetryHeaderswith a test that verifiesheadersis rejected (fails schema validation) when provided in the JSON stdin config.Estimated Effort: Small (1–2 hours)
Compliance Status (Full)
headersremovalrefusal-labels)Recent Changes Reviewed
843d8d38— [test] Add tests forguard.NewWasmGuardWithOptionscoverage paths ([test] Add tests for guard.NewWasmGuardWithOptions coverage paths #8455)References
refusal-labels— resolved)