[compliance] Compliance Gap: Gateway Timeout Defaults Deviate from Spec §4.1.3

[github-actions]

MCP Gateway Compliance Review — 2026-04-11

Summary

Found 1 compliance issue during daily review of commit f2e4e44 ("Add OIDC fail-fast validation to TOML config path").

Recent Changes Reviewed

• internal/config/config_core.go — OIDC auth validation added to TOML path (LoadFromFile)
• internal/config/config_core_test.go — Tests for new OIDC validation

Note: The OIDC validation change itself is compliant and correctly aligns the TOML path behavior with the JSON stdin path per Spec §9 (Fail-Fast Startup). No regression from this change.

---

Minor Issues (Informational Deviation)

Issue: Gateway Timeout Default Values Deviate from Specification

Specification Section: §4.1.3 Gateway Configuration Fields
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#413-gateway-configuration-fields

Requirement:
The specification table defines these defaults:

Field	Type	Default
startupTimeout	integer	30 seconds
toolTimeout	integer	60 seconds

Current State:
internal/config/config_core.go:41-42 defines:

const (
    DefaultStartupTimeout    = 60   // seconds
    DefaultToolTimeout       = 120  // seconds
)

Gap:
The implementation defaults are 2× the spec-defined defaults:

Field	Spec Default	Code Default
startupTimeout	30s	60s
toolTimeout	60s	120s

When a user does not configure these fields, they will get 60s/120s timeouts instead of the spec-documented 30s/60s, causing a discrepancy between spec documentation and observable gateway behavior.

Severity: Minor (informational — spec says "default: 30" and "default: 60"; code uses 60 and 120)

File References:

• internal/config/config_core.go:41-42 — constant definitions
• internal/config/config_core.go:225-229 — applyGatewayDefaults() applies them

Suggested Fix:
Option A — Align code to spec (preferred for spec compliance):

const (
    DefaultStartupTimeout = 30  // seconds (per spec §4.1.3)
    DefaultToolTimeout    = 60  // seconds (per spec §4.1.3)
)

Option B — Update spec to reflect intentional higher defaults (if these values were chosen deliberately for production reliability):
Open a spec PR updating the table to show (default: 60) and (default: 120).

---

Compliance Status

Section	Status	Notes
✅ §3.2.1 Containerization	Compliant	TOML and JSON stdin both enforce Docker container requirement
✅ §4.1 Configuration Format	Compliant	JSON stdin + TOML paths both validated correctly
✅ §4.2 Variable Expansion	Compliant	Fails fast on undefined \$\{VAR_NAME}
✅ §4.3 Config Validation	Compliant	Unknown fields rejected; fail-fast on errors
⚠️ §4.1.3 Timeout Defaults	Deviation	Code defaults 2× spec-documented values
✅ §5.1.3 /close Endpoint	Compliant	Idempotent, auth-gated, 30s drain timeout
✅ §7 Authentication	Compliant	API key in Authorization header, no plaintext logging
✅ §7.4 Health Auth Exemption	Compliant	/health exempt from auth middleware
✅ §7.6 OIDC Upstream Auth	Compliant	Fail-fast on missing env vars; TOML path parity fixed in #3538
✅ §8.1.1 Health Endpoint	Compliant	Returns status, specVersion, gatewayVersion, servers
✅ §9.1 Startup Failures	Compliant	Exits with status code 1, writes error to stdout

Suggested Remediation Task

Task: Align DefaultStartupTimeout and DefaultToolTimeout with spec §4.1.3

• File: internal/config/config_core.go
• Change: Update constants to DefaultStartupTimeout = 30 and DefaultToolTimeout = 60 (or open spec PR if higher values are intentional)
• Spec Reference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#413-gateway-configuration-fields
• Estimated Effort: Trivial (2-line change) — but coordinate with team to confirm whether the higher values are intentional

References

• MCP Gateway Specification
• Commit reviewed: f2e4e444f542875cb81d61de4c8a46b52925474e
• Related: Add OIDC fail-fast validation to TOML config path #3538 (OIDC fail-fast — compliant, no action needed)

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• get_file_contents get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Daily Compliance Checker · ● 1.6M · ◷