Remove X-GitHub-Actor header logic; trustedBots is config-only; wire frontmatter to renderer

Copilot · lpcox · web-flow · commit 80d9f1e3441f · 2026-03-19T22:37:01.000Z
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a5944233-9f4e-4300-907c-57f2cb82dafe
diff --git a/docs/public/schemas/mcp-gateway-config.schema.json b/docs/public/schemas/mcp-gateway-config.schema.json
@@ -249,7 +249,7 @@
         },
         "trustedBots": {
           "type": "array",
-          "description": "Additional trusted bot identities that are permitted to call the gateway, merged with the gateway's built-in internal trusted identity list. When bot identity enforcement is active, only requests whose 'X-GitHub-Actor' header matches an entry in the combined list (built-in + this field) are accepted. Typically GitHub bot usernames such as 'github-actions[bot]' or 'copilot-swe-agent[bot]'. This field is additive and cannot remove entries from the gateway's internal built-in trusted identity list.",
+          "description": "Additional trusted bot identity strings passed to the gateway and merged with its built-in internal trusted identity list. This field is additive and cannot remove entries from the gateway's built-in list. Typically GitHub bot usernames such as 'github-actions[bot]' or 'copilot-swe-agent[bot]'.",
           "items": {
             "type": "string",
             "minLength": 1
diff --git a/docs/src/content/docs/reference/mcp-gateway.md b/docs/src/content/docs/reference/mcp-gateway.md
@@ -248,7 +248,7 @@ The `gateway` section is required and configures gateway-specific behavior:
 | `payloadDir` | string | No | Directory path for storing large payload JSON files for authenticated clients |
 | `payloadPathPrefix` | string | No | Path prefix to remap payload paths for agent containers (e.g., /workspace/payloads) |
 | `payloadSizeThreshold` | integer | No | Size threshold in bytes for storing payloads to disk (default: 524288 = 512KB) |
-| `trustedBots` | array[string] | No | Additional GitHub bot identity strings (e.g., `github-actions[bot]`) added to the gateway's built-in trusted identity list. This field is additive — it extends the internal list but cannot remove built-in entries. When bot identity enforcement is active, only callers whose `X-GitHub-Actor` header matches an entry in the combined list are accepted. |
+| `trustedBots` | array[string] | No | Additional GitHub bot identity strings (e.g., `github-actions[bot]`) passed to the gateway and merged with its built-in trusted identity list. This field is additive — it extends the internal list but cannot remove built-in entries. |
 
 #### 4.1.3.1 Payload Directory Path Validation
 
@@ -370,16 +370,9 @@ payload_size_threshold = 262144   # 256KB - more aggressive disk storage
 
 #### 4.1.3.4 Trusted Bot Identity Configuration
 
-The optional `trustedBots` field in the gateway configuration provides an identity-based allowlist of additional GitHub bot accounts that are permitted to call the gateway. This is independent of the `apiKey` mechanism and operates at the HTTP request level by inspecting the `X-GitHub-Actor` header.
+The optional `trustedBots` field in the gateway configuration passes an additional list of GitHub bot identity strings to the gateway. The gateway merges this list with its own built-in trusted identity list to form the effective set of identities it recognises.
 
-> **Important**: `trustedBots` is **additive**. The gateway maintains its own internal list of trusted bot identities that are always permitted regardless of this field. The `trustedBots` field extends that internal list with additional identities; it cannot remove or override the gateway's built-in trusted identities.
-
-**How it works**:
-
-1. The caller includes an `X-GitHub-Actor` header in each request identifying the GitHub actor (bot or user) making the request
-2. The gateway checks the header value against its **combined** list of trusted identities: the gateway's internal built-in list **plus** any entries in `trustedBots`
-3. If bot identity enforcement is active and the actor does not match any entry in the combined list, the gateway rejects the request with HTTP 403
-4. If `trustedBots` is not configured, the gateway still permits callers that match its internal built-in identities; no additional identities are added
+> **Important**: `trustedBots` is **additive**. The gateway maintains its own internal list of trusted bot identities. The `trustedBots` field extends that internal list with additional identities; it cannot remove or override the gateway's built-in trusted identities.
 
 **Configuration Example**:
 
@@ -397,23 +390,23 @@ The optional `trustedBots` field in the gateway configuration provides an identi
 }
 ```
 
+**Frontmatter Example** (workflow author):
+
+```yaml
+sandbox:
+  mcp:
+    trusted-bots:
+      - github-actions[bot]
+      - copilot-swe-agent[bot]
+```
+
 **Requirements**:
 - `trustedBots` MUST be a non-empty array of strings when present
 - Each entry MUST be a non-empty string (typically a GitHub username such as `github-actions[bot]`)
-- `trustedBots` entries are **merged** with the gateway's internal built-in trusted identities to form the effective allowlist
+- `trustedBots` entries are **merged** with the gateway's internal built-in trusted identities to form the effective list passed to the gateway
 - `trustedBots` MUST NOT be used to remove or override entries in the gateway's internal built-in trusted identity list
-- When bot identity enforcement is active, the gateway MUST reject requests where `X-GitHub-Actor` is absent or does not match any entry in the combined list (HTTP 403)
-- When `trustedBots` is omitted, only the gateway's built-in trusted identities are consulted
-- Bot identity checks are applied **after** API key authentication; a request must pass both checks when both are configured
-- Entries are compared case-sensitively
-
-**Security Considerations**:
-- `trustedBots` provides defense-in-depth: even if an API key is leaked, callers that cannot supply a matching `X-GitHub-Actor` header are denied
-- Because `trustedBots` is additive, the internal built-in identities cannot be narrowed through configuration — only expanded
-- The `X-GitHub-Actor` header MUST be treated as an untrusted claim unless the deployment ensures that only the gateway's own infrastructure can set it (e.g., the gateway runs inside a trusted network boundary)
-- Implementations SHOULD log rejected bot identity mismatches at the warning level without logging the header value in plaintext
 
-**Compliance Test**: T-AUTH-006, T-AUTH-007 - Trusted Bot Identity Enforcement
+**Compliance Test**: T-AUTH-006 - Trusted Bot Identity Configuration
 
 #### 4.1.3a Top-Level Configuration Fields
 
@@ -991,32 +984,13 @@ The following endpoints MUST NOT require authentication:
 
 - `/health`
 
-### 7.5 Trusted Bot Identity Authentication
-
-When bot identity enforcement is active (either via `gateway.trustedBots` or the gateway's internal built-in trusted identity list), the gateway enforces an additional identity check **after** API key authentication:
-
-1. The gateway inspects the `X-GitHub-Actor` request header on all RPC requests to `/mcp/{server-name}` and `/close` endpoints
-2. The header value is checked against the **combined** list of trusted identities: the gateway's built-in internal list **plus** any entries supplied in `gateway.trustedBots`
-3. `gateway.trustedBots` is **additive** — it extends the built-in list but cannot remove entries from it
-4. If the header is absent or does not match any entry in the combined list, the gateway MUST reject the request with HTTP 403
-
-**Example request** (both API key and bot identity supplied):
-
-```http
-POST /mcp/github HTTP/1.1
-Authorization: my-secret-api-key-12345
-X-GitHub-Actor: github-actions[bot]
-Content-Type: application/json
-```
+### 7.5 Trusted Bot Identity Configuration
 
-**Error responses**:
+The `gateway.trustedBots` field allows workflow authors to pass additional trusted bot identity strings to the gateway via the generated gateway configuration file. The gateway merges these entries with its own built-in trusted identity list.
 
-| Condition | HTTP Status | Description |
-|-----------|-------------|-------------|
-| `X-GitHub-Actor` header missing | 403 | Bot identity required but not supplied |
-| `X-GitHub-Actor` does not match any trusted bot | 403 | Caller is not in the trusted bot list |
+`gateway.trustedBots` is **additive** — it extends the gateway's built-in list but cannot remove entries from it.
 
-**Security Note**: The `/health` endpoint MUST remain exempt from trusted bot identity checks (same as API key exemption).
+Workflow authors set this via the `sandbox.mcp.trusted-bots` frontmatter field; the compiler translates it into the `trustedBots` array in the generated `gateway` section of the MCP config file.
 
 ---
 
@@ -1205,8 +1179,7 @@ A conforming implementation MUST pass the following test categories:
 - **T-AUTH-003**: Missing token rejection
 - **T-AUTH-004**: Health endpoint exemption
 - **T-AUTH-005**: Token rotation support
-- **T-AUTH-006**: Trusted bot identity acceptance — request with matching `X-GitHub-Actor` header is accepted when `trustedBots` is configured
-- **T-AUTH-007**: Trusted bot identity rejection — request with absent or non-matching `X-GitHub-Actor` header is rejected with HTTP 403 when `trustedBots` is configured
+- **T-AUTH-006**: Trusted bot identity configuration — `trustedBots` entries are present in the generated gateway config and merged with the gateway's built-in list
 
 #### 10.1.5 Timeout Tests
 
@@ -1549,18 +1522,13 @@ Content-Type: application/json
 ### Version 1.9.0 (Draft)
 
 - **Added**: `trustedBots` field to gateway configuration (Section 4.1.3, 4.1.3.4)
-  - Optional array of GitHub bot identity strings permitted to call the gateway
-  - When configured, the gateway enforces an `X-GitHub-Actor` header check on all RPC requests
-  - Requests whose `X-GitHub-Actor` does not match any entry are rejected with HTTP 403
-  - When omitted, bot identity is not checked (any authenticated caller is accepted)
-  - Entries are compared case-sensitively
-  - The `/health` endpoint is exempt from bot identity checks
-- **Added**: Section 7.5 — Trusted Bot Identity Authentication
-  - Specifies HTTP 403 error behavior for absent or non-matching `X-GitHub-Actor` headers
-  - Bot identity check runs after API key authentication
-- **Added**: Compliance tests for trusted bot identities (Section 10.1.4)
-  - T-AUTH-006: Trusted bot identity acceptance
-  - T-AUTH-007: Trusted bot identity rejection
+  - Optional array of GitHub bot identity strings passed to the gateway via the generated config
+  - Merged with the gateway's built-in trusted identity list (additive — cannot remove built-in entries)
+  - Workflow authors configure via `sandbox.mcp.trusted-bots` in frontmatter; the compiler translates it into the gateway config
+- **Added**: Section 7.5 — Trusted Bot Identity Configuration
+  - Describes `trustedBots` as a config-passing mechanism from frontmatter to gateway config
+- **Added**: Compliance test for trusted bot identity configuration (Section 10.1.4)
+  - T-AUTH-006: Trusted bot identity configuration
 - **Updated**: JSON Schema with `trustedBots` property in `gatewayConfig` definition
 
 ### Version 1.8.0 (Draft)
diff --git a/pkg/workflow/frontmatter_extraction_security.go b/pkg/workflow/frontmatter_extraction_security.go
@@ -479,6 +479,22 @@ func (c *Compiler) extractMCPGatewayConfig(mcpVal any) *MCPGatewayRuntimeConfig
 		}
 	}
 
+	// Extract trustedBots / trusted-bots (additional bot identities to pass to the gateway)
+	for _, key := range []string{"trustedBots", "trusted-bots"} {
+		if trustedBotsVal, hasTrustedBots := mcpObj[key]; hasTrustedBots {
+			if trustedBotsSlice, ok := trustedBotsVal.([]any); ok {
+				for _, bot := range trustedBotsSlice {
+					if botStr, ok := bot.(string); ok {
+						mcpConfig.TrustedBots = append(mcpConfig.TrustedBots, botStr)
+					}
+				}
+			}
+			if len(mcpConfig.TrustedBots) > 0 {
+				break
+			}
+		}
+	}
+
 	return mcpConfig
 }
 
diff --git a/pkg/workflow/frontmatter_extraction_security_test.go b/pkg/workflow/frontmatter_extraction_security_test.go
@@ -218,3 +218,37 @@ func TestExtractMCPGatewayConfigPayloadFields(t *testing.T) {
 		assert.Equal(t, 0, config.PayloadSizeThreshold, "PayloadSizeThreshold should be 0 when not specified")
 	})
 }
+
+// TestExtractMCPGatewayConfigTrustedBots tests extraction of trustedBots from MCP gateway frontmatter
+func TestExtractMCPGatewayConfigTrustedBots(t *testing.T) {
+	compiler := &Compiler{}
+
+	t.Run("extracts trustedBots using camelCase key", func(t *testing.T) {
+		mcpObj := map[string]any{
+			"container":   "ghcr.io/github/gh-aw-mcpg",
+			"trustedBots": []any{"github-actions[bot]", "copilot-swe-agent[bot]"},
+		}
+		config := compiler.extractMCPGatewayConfig(mcpObj)
+		require.NotNil(t, config, "Should extract MCP gateway config")
+		assert.Equal(t, []string{"github-actions[bot]", "copilot-swe-agent[bot]"}, config.TrustedBots, "Should extract trustedBots")
+	})
+
+	t.Run("extracts trustedBots using kebab-case key", func(t *testing.T) {
+		mcpObj := map[string]any{
+			"container":    "ghcr.io/github/gh-aw-mcpg",
+			"trusted-bots": []any{"github-actions[bot]"},
+		}
+		config := compiler.extractMCPGatewayConfig(mcpObj)
+		require.NotNil(t, config, "Should extract MCP gateway config")
+		assert.Equal(t, []string{"github-actions[bot]"}, config.TrustedBots, "Should extract trusted-bots")
+	})
+
+	t.Run("leaves trustedBots nil when not specified", func(t *testing.T) {
+		mcpObj := map[string]any{
+			"container": "ghcr.io/github/gh-aw-mcpg",
+		}
+		config := compiler.extractMCPGatewayConfig(mcpObj)
+		require.NotNil(t, config, "Should extract MCP gateway config")
+		assert.Nil(t, config.TrustedBots, "TrustedBots should be nil when not specified")
+	})
+}
diff --git a/pkg/workflow/mcp_gateway_config.go b/pkg/workflow/mcp_gateway_config.go
@@ -137,6 +137,7 @@ func buildMCPGatewayConfig(workflowData *WorkflowData) *MCPGatewayRuntimeConfig
 		PayloadDir:           "${MCP_GATEWAY_PAYLOAD_DIR}",                     // Gateway variable expression for payload directory
 		PayloadPathPrefix:    workflowData.SandboxConfig.MCP.PayloadPathPrefix, // Optional path prefix for agent containers
 		PayloadSizeThreshold: payloadSizeThreshold,                             // Size threshold in bytes
+		TrustedBots:          workflowData.SandboxConfig.MCP.TrustedBots,       // Additional trusted bot identities from frontmatter
 	}
 }
 
diff --git a/pkg/workflow/mcp_gateway_config_test.go b/pkg/workflow/mcp_gateway_config_test.go
@@ -315,6 +315,24 @@ func TestBuildMCPGatewayConfig(t *testing.T) {
 				PayloadSizeThreshold: constants.DefaultMCPGatewayPayloadSizeThreshold,
 			},
 		},
+		{
+			name: "propagates trustedBots from frontmatter config",
+			workflowData: &WorkflowData{
+				SandboxConfig: &SandboxConfig{
+					MCP: &MCPGatewayRuntimeConfig{
+						TrustedBots: []string{"github-actions[bot]", "copilot-swe-agent[bot]"},
+					},
+				},
+			},
+			expected: &MCPGatewayRuntimeConfig{
+				Port:                 int(DefaultMCPGatewayPort),
+				Domain:               "${MCP_GATEWAY_DOMAIN}",
+				APIKey:               "${MCP_GATEWAY_API_KEY}",
+				PayloadDir:           "${MCP_GATEWAY_PAYLOAD_DIR}",
+				PayloadSizeThreshold: constants.DefaultMCPGatewayPayloadSizeThreshold,
+				TrustedBots:          []string{"github-actions[bot]", "copilot-swe-agent[bot]"},
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -330,6 +348,7 @@ func TestBuildMCPGatewayConfig(t *testing.T) {
 				assert.Equal(t, tt.expected.PayloadDir, result.PayloadDir, "PayloadDir should match")
 				assert.Equal(t, tt.expected.PayloadPathPrefix, result.PayloadPathPrefix, "PayloadPathPrefix should match")
 				assert.Equal(t, tt.expected.PayloadSizeThreshold, result.PayloadSizeThreshold, "PayloadSizeThreshold should match")
+				assert.Equal(t, tt.expected.TrustedBots, result.TrustedBots, "TrustedBots should match")
 			}
 		})
 	}
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
@@ -193,6 +193,16 @@ func RenderJSONMCPConfig(
 		if options.GatewayConfig.PayloadDir != "" {
 			fmt.Fprintf(&configBuilder, ",\n              \"payloadDir\": \"%s\"", options.GatewayConfig.PayloadDir)
 		}
+		if len(options.GatewayConfig.TrustedBots) > 0 {
+			configBuilder.WriteString(",\n              \"trustedBots\": [")
+			for i, bot := range options.GatewayConfig.TrustedBots {
+				if i > 0 {
+					configBuilder.WriteString(", ")
+				}
+				fmt.Fprintf(&configBuilder, "%q", bot)
+			}
+			configBuilder.WriteString("]")
+		}
 		configBuilder.WriteString("\n")
 		configBuilder.WriteString("            }\n")
 	} else {
diff --git a/pkg/workflow/schemas/mcp-gateway-config.schema.json b/pkg/workflow/schemas/mcp-gateway-config.schema.json
@@ -218,7 +218,7 @@
         },
         "trustedBots": {
           "type": "array",
-          "description": "Additional trusted bot identities that are permitted to call the gateway, merged with the gateway's built-in internal trusted identity list. When bot identity enforcement is active, only requests whose 'X-GitHub-Actor' header matches an entry in the combined list (built-in + this field) are accepted. Typically GitHub bot usernames such as 'github-actions[bot]' or 'copilot-swe-agent[bot]'. This field is additive and cannot remove entries from the gateway's internal built-in trusted identity list.",
+          "description": "Additional trusted bot identity strings passed to the gateway and merged with its built-in internal trusted identity list. This field is additive and cannot remove entries from the gateway's built-in list. Typically GitHub bot usernames such as 'github-actions[bot]' or 'copilot-swe-agent[bot]'.",
           "items": {
             "type": "string",
             "minLength": 1
diff --git a/pkg/workflow/tools_types.go b/pkg/workflow/tools_types.go
@@ -396,6 +396,7 @@ type MCPGatewayRuntimeConfig struct {
 	PayloadDir           string            `yaml:"payload-dir,omitempty"`            // Directory path for storing large payload JSON files (must be absolute path)
 	PayloadPathPrefix    string            `yaml:"payload-path-prefix,omitempty"`    // Path prefix to remap payload paths for agent containers (e.g., /workspace/payloads)
 	PayloadSizeThreshold int               `yaml:"payload-size-threshold,omitempty"` // Size threshold in bytes for storing payloads to disk (default: 524288 = 512KB)
+	TrustedBots          []string          `yaml:"trusted-bots,omitempty"`           // Additional bot identity strings to pass to the gateway, merged with its built-in list
 }
 
 // HasTool checks if a tool is present in the configuration

Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,7 @@ func buildMCPGatewayConfig(workflowData WorkflowData) MCPGatewayRuntimeConfig`
`137`	`137`	`PayloadDir: "${MCP_GATEWAY_PAYLOAD_DIR}", // Gateway variable expression for payload directory`
`138`	`138`	`PayloadPathPrefix: workflowData.SandboxConfig.MCP.PayloadPathPrefix, // Optional path prefix for agent containers`
`139`	`139`	`PayloadSizeThreshold: payloadSizeThreshold, // Size threshold in bytes`
	`140`	`+ TrustedBots: workflowData.SandboxConfig.MCP.TrustedBots, // Additional trusted bot identities from frontmatter`
`140`	`141`	`}`
`141`	`142`	`}`
`142`	`143`
Original file line number	Diff line number	Diff line change
`@@ -396,6 +396,7 @@ type MCPGatewayRuntimeConfig struct {`
`396`	`396`	PayloadDir string `yaml:"payload-dir,omitempty"` // Directory path for storing large payload JSON files (must be absolute path)
`397`	`397`	PayloadPathPrefix string `yaml:"payload-path-prefix,omitempty"` // Path prefix to remap payload paths for agent containers (e.g., /workspace/payloads)
`398`	`398`	PayloadSizeThreshold int `yaml:"payload-size-threshold,omitempty"` // Size threshold in bytes for storing payloads to disk (default: 524288 = 512KB)
	`399`	+ TrustedBots []string `yaml:"trusted-bots,omitempty"` // Additional bot identity strings to pass to the gateway, merged with its built-in list
`399`	`400`	`}`
`400`	`401`
`401`	`402`	`// HasTool checks if a tool is present in the configuration`