[compliance] Compliance Gap: MCPGatewaySpecVersion constant not updated to 1.9.0 #2832

@github-actions

MCP Gateway Compliance Review — 2026-03-30

Summary

Found 1 compliance issue during daily review of commit 7e969ac (grafted HEAD).

The specification was updated to version 1.9.0 (adding the trustedBots field, Section 7.5, and compliance test T-AUTH-006). The trustedBots feature is fully implemented in the codebase — configuration parsing, validation, wiring to the WASM guard, and tests are all in place. However, the MCPGatewaySpecVersion constant that is broadcast via the /health endpoint was not updated to match.

Recent Changes Reviewed

  • Commit 7e969aca670137563092713b9a046df8193ca2ed: docs: add GITHUB_PERSONAL_ACCESS_TOKEN to proxy mode auth token docs
  • Modified file: docs/ENVIRONMENT_VARIABLES.md — docs-only change, no code impact

Compliance Status

| Section | Requirement | Status |
|---|---|---|
| §3.2.1 Containerization | stdio servers must be containerized | ✅ Compliant |
| §4.1 Configuration Format | JSON stdin, mcpServers structure | ✅ Compliant |
| §4.1.3.1 PayloadDir | Absolute path validation | ✅ Compliant |
| §4.1.3.4 TrustedBots | Feature implemented | ✅ Compliant |
| §4.2 Variable Expansion | Fail-fast on undefined vars | ✅ Compliant |
| §4.3.1 Unknown Fields | JSON stdin rejects unknown fields | ✅ Compliant |
| §5.1.1 HTTP Endpoints | /mcp/{server}, /health, /close | ✅ Compliant |
| §5.1.3 Close Endpoint | Idempotent, auth-gated | ✅ Compliant |
| §6 Server Isolation | Container isolation, env isolation | ✅ Compliant |
| §7.2 Authentication | API key, 401 on missing/invalid, health exempt | ✅ Compliant |
| §7.2 No plaintext key logging | Sanitizer in place | ✅ Compliant |
| §8.1.1 Health specVersion | Reports correct spec version | ⚠️ Stale |

Important Issue (SHOULD-level — spec version tracking)

Issue: MCPGatewaySpecVersion constant stale at "1.8.0" — should be "1.9.0"

Specification Section: 8.1.1 — General Health (/health)
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#811-general-health-health
Compliance Test: T-HLT-006 (specVersion field present and correct), T-HLT-008 (specVersion uses semantic versioning)

Requirement (spec §8.1.1):

specVersion: The version of this MCP Gateway Specification that the implementation conforms to. This field MUST use semantic versioning (MAJOR.MINOR.PATCH format).

These version fields enable clients to verify specification compatibility and ensure feature availability based on specification version.

Current State:
internal/server/unified.go:29:

const MCPGatewaySpecVersion = "1.8.0"

Spec Changelog (v1.9.0):
The spec changelog at the bottom of the document lists version 1.9.0 as adding:

  • trustedBots field to gateway configuration (§4.1.3, §4.1.3.4)
  • Section 7.5 — Trusted Bot Identity Configuration
  • Compliance test T-AUTH-006

Gap:
The trustedBots feature from spec v1.9.0 is fully implemented in the codebase:

  • internal/config/config_core.go:110 — TrustedBots field parsed
  • internal/config/config_stdin.go:41,284-288 — JSON stdin support
  • internal/config/validation.go:383-406 — validation per §4.1.3.4
  • internal/config/validation_schema.go:250-262 — JSON schema injection
  • internal/config/config_stdin_test.go:973-1028 — tests

The only missing piece is updating the constant so the /health endpoint accurately reflects that this implementation conforms to spec v1.9.0, not v1.8.0. Clients relying on specVersion to detect trustedBots availability will incorrectly believe it is absent.

Severity: Important — the spec MUST requirement is to include correct version information so clients can verify compatibility.

File Reference:

  • internal/server/unified.go:29

Suggested Fix:

// internal/server/unified.go:29
const MCPGatewaySpecVersion = "1.9.0"

After the change, also update internal/server/health_test.go if it asserts the exact version string.


Suggested Remediation Task

Task: Update MCPGatewaySpecVersion to "1.9.0"

Description: Bump the MCPGatewaySpecVersion constant to "1.9.0" to reflect that the trustedBots feature (spec §4.1.3.4) is fully implemented and the gateway now conforms to spec version 1.9.0.

Files:

  • internal/server/unified.go — change "1.8.0" → "1.9.0"
  • internal/server/health_test.go — update any test assertions on the exact version string

Specification Reference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#811-general-health-health

Estimated Effort: Trivial (< 30 minutes)


References

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

  • get_file_contents get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Daily Compliance Checker
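
Added example, not part of the issue or of the gh-aw code base: a client-side gate of the kind the issue describes, which reads specVersion from a /health body, enforces the MAJOR.MINOR.PATCH format, and enables trustedBots only from spec 1.9.0 on. The function names and sample bodies are constructed for illustration; only the specVersion field and the 1.9.0 threshold come from the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// Strict MAJOR.MINOR.PATCH (spec §8.1.1); each part is capped at 9 digits so it fits an int.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d{0,8})\.(0|[1-9]\d{0,8})\.(0|[1-9]\d{0,8})$`)

// parseSpecVersion reads specVersion from a /health JSON body as [major, minor, patch].
func parseSpecVersion(body []byte) (v [3]int, err error) {
	var h struct{ SpecVersion string `json:"specVersion"` }
	if err = json.Unmarshal(body, &h); err != nil {
		return v, err
	}
	m := semverRe.FindStringSubmatch(h.SpecVersion)
	if m == nil {
		return v, fmt.Errorf("specVersion %q is not MAJOR.MINOR.PATCH", h.SpecVersion)
	}
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // cannot fail: the regexp admits 1-9 digits only
	}
	return v, nil
}

// supportsTrustedBots (hypothetical name) compares numerically, so 1.10.0 ranks above 1.9.0.
func supportsTrustedBots(body []byte) (bool, error) {
	v, err := parseSpecVersion(body)
	if err != nil {
		return false, err // fail closed on a missing or malformed version
	}
	for i, want := range [3]int{1, 9, 0} {
		if v[i] != want {
			return v[i] > want, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed /health bodies: the stale constant, the fixed one, a later minor.
	for _, b := range []string{`{"specVersion":"1.8.0"}`, `{"specVersion":"1.9.0"}`, `{"specVersion":"1.10.0"}`} {
		ok, err := supportsTrustedBots([]byte(b))
		fmt.Println(b, ok, err)
	}
}
```

With the stale constant the gate returns false even though the feature is implemented, which is the client-visible effect the issue reports.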
