MCP Gateway (MCPG)
The MCP Gateway (gh-aw-mcpg) is the upstream MCP routing layer that connects agents to their configured MCP servers. It replaces the previous custom MCP firewall with the standard gh-aw gateway implementation.
Architecture
```
                       Host
┌─────────────────────────────────────────────────┐
│                                                 │
│  ┌──────────────┐     ┌──────────────────────┐  │
│  │ SafeOutputs  │     │  MCPG Gateway        │  │
│  │ HTTP Server  │◀────│  (Docker, --network  │  │
│  │ (ado-aw      │     │   host, port 80)     │  │
│  │  mcp-http)   │     │                      │  │
│  │ port 8100    │     │  Routes tool calls   │  │
│  └──────────────┘     │  to upstreams        │  │
│                       └──────────┬───────────┘  │
│                                  │              │
│          ┌─────────────────┐     │              │
│          │ Custom MCP      │◀────┘              │
│          │ (stdio server)  │                    │
│          └─────────────────┘                    │
└─────────────────────────────────────────────────┘
                         │ host.docker.internal:80
                         │
┌─────────────────────────────────────────────────┐
│               AWF Container                     │
│                                                 │
│  ┌──────────┐                                   │
│  │ Copilot  │──── HTTP ──── MCPG (via host)     │
│  │ Agent    │                                   │
│  └──────────┘                                   │
└─────────────────────────────────────────────────┘
```

How It Works
- SafeOutputs HTTP server starts on the host (port 8100) via `ado-aw mcp-http`
- MCPG container starts on the host network (`docker run --network host`)
- MCPG config (generated by the compiler) defines:
  - SafeOutputs as an HTTP backend (`type: "http"`, URL points to localhost:8100)
  - Custom MCPs as stdio servers (`type: "stdio"`, spawned by MCPG)
  - Gateway settings (port 80, API key, payload directory)
- Agent inside AWF connects to MCPG via `http://host.docker.internal:80/mcp`
- MCPG routes tool calls to the appropriate upstream (SafeOutputs or custom MCPs)
- After the agent completes, MCPG and SafeOutputs are stopped
MCPG Configuration Format
The compiler generates MCPG configuration JSON from the `mcp-servers:` front matter:

```json
{
  "mcpServers": {
    "safeoutputs": {
      "type": "http",
      "url": "http://localhost:8100/mcp",
      "headers": {
        "Authorization": "Bearer <api-key>"
      }
    },
    "custom-tool": {
      "type": "stdio",
      "container": "node:20-slim",
      "entrypoint": "node",
      "entrypointArgs": ["server.js"],
      "tools": ["process_data", "get_status"]
    }
  },
  "gateway": {
    "port": 80,
    "domain": "host.docker.internal",
    "apiKey": "<gateway-api-key>",
    "payloadDir": "/tmp/gh-aw/mcp-payloads"
  }
}
```

Runtime placeholders (`${SAFE_OUTPUTS_PORT}`, `${SAFE_OUTPUTS_API_KEY}`, `${MCP_GATEWAY_API_KEY}`) are substituted by the pipeline before passing the config to MCPG.
Pipeline Integration
The MCPG is automatically configured in generated standalone pipelines:

- Config Generation: The compiler generates `mcpg-config.json` from the agent’s `mcp-servers:` front matter
- SafeOutputs Start: `ado-aw mcp-http` starts as a background process on the host
- MCPG Start: The MCPG Docker container starts on the host network with config via stdin
- Agent Execution: AWF runs the agent with `--enable-host-access`, copilot connects to MCPG via HTTP
- Cleanup: Both MCPG and SafeOutputs are stopped after the agent completes (condition: always)
The MCPG config is written to $(Agent.TempDirectory)/staging/mcpg-config.json in its own pipeline step, making it easy to inspect and debug.
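
Because the substituted config is staged as a file, it can be linted before it is piped to MCPG. The following is an added example, not part of ado-aw or gh-aw-mcpg: `lint_mcpg_config` and its checks (loopback-only HTTP backends, a non-empty Bearer header, a declared `tools` list, no leftover `${...}` placeholders) are assumptions drawn from the sample config above, not documented MCPG requirements.

```python
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"\$\{[A-Z0-9_]+\}")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumed policy: host-local HTTP backends

# Constructed sample in the page's format: one ${...} is left unsubstituted and
# custom-tool omits "tools", so the linter has two things to report.
SAMPLE = """
{
  "mcpServers": {
    "safeoutputs": {"type": "http", "url": "http://localhost:8100/mcp",
      "headers": {"Authorization": "Bearer ${SAFE_OUTPUTS_API_KEY}"}},
    "custom-tool": {"type": "stdio", "container": "node:20-slim",
      "entrypoint": "node", "entrypointArgs": ["server.js"]}
  },
  "gateway": {"port": 80, "domain": "host.docker.internal",
    "apiKey": "constructed-key", "payloadDir": "/tmp/gh-aw/mcp-payloads"}
}
"""

def lint_mcpg_config(text):
    """Return findings for a substituted MCPG config; an empty list means clean."""
    findings = [f"unsubstituted placeholder {p}"
                for p in sorted(set(PLACEHOLDER.findall(text)))]
    cfg = json.loads(text)
    for name, srv in cfg.get("mcpServers", {}).items():
        kind = srv.get("type")
        if kind == "http":
            host = urlparse(srv.get("url", "")).hostname
            if host not in LOOPBACK:
                findings.append(f"{name}: http backend host {host!r} is not loopback")
            auth = srv.get("headers", {}).get("Authorization", "")
            if not auth.startswith("Bearer ") or auth == "Bearer ":
                findings.append(f"{name}: missing Bearer Authorization header")
        elif kind == "stdio":
            # Assumption: "tools" lists the tools the gateway exposes for this server.
            if not srv.get("container"):
                findings.append(f"{name}: stdio server has no container image")
            if not srv.get("tools"):
                findings.append(f"{name}: no tools list declared")
        else:
            findings.append(f"{name}: unknown server type {kind!r}")
    if not cfg.get("gateway", {}).get("apiKey"):
        findings.append("gateway: apiKey is empty")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_mcpg_config(SAMPLE)))
```

Run as a pipeline step against the staged file, a non-empty result is a reason to fail the job before the gateway container starts.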