MCP ConfigsMay 12, 2026·2 min read

gh-aw-mcpg — MCP Gateway for Sandboxed Agents

gh-aw-mcpg is a Docker-first MCP gateway that exposes backend MCP servers over HTTP so sandboxed agents call tools through one controlled entrypoint.

Agent ready

Safe staging for this asset

This asset is staged first. The copied prompt tells the agent to inspect the staged files and ask before activating scripts, MCP config, or global config.

Stage only · 17/100Policy: stage
Agent surface
Any MCP/CLI agent
Kind
Mcp Config
Install
Stage only
Trust
Trust: Established
Entrypoint
Asset
Safe staging command
npx -y tokrepo@latest install 9c0b34f6-a08a-4723-8547-8cad70ca35ed --target codex

Stages files first; activation requires review of the staged README and plan.

Intro

gh-aw-mcpg is a Docker-first MCP gateway that exposes backend MCP servers over HTTP so sandboxed agents call tools through one controlled entrypoint.

  • Best for: teams running agents in containers who need a single, auditable MCP entrypoint with guardrails
  • Works with: Docker, HTTP-based MCP clients, containerized stdio MCP servers
  • Setup time: 20 minutes

Practical Notes

  • One HTTP endpoint can route to multiple MCP backends (config-driven)
  • Default quick start uses port 8000 and mounts /var/run/docker.sock to spawn backend servers
  • GitHub stars/forks (verified): see Source & Thanks

A gateway matters when your agent environment is constrained:

  • Your agent runs in a sandbox/container and shouldn't have direct network access to every tool.
  • You want one place to apply policy (what repos can be read, what data can be written), logging, and health checks.

Operationally, treat the gateway as “MCP ingress”:

  1. Put all tool access behind it (even if some tools are stdio-in-container).
  2. Keep the configuration file in version control so changes are reviewable.
  3. Rotate API keys and restrict backend credentials (e.g., GitHub tokens) the same way you would for CI.

If you're already using GitHub Agentic Workflows, this repo is designed as the MCP access layer for sandboxed runs.

FAQ

Q: What does it do? A: It proxies/routs MCP requests over HTTP to multiple configured backend MCP servers.

Q: Why is Docker required in quick start? A: The gateway can spawn containerized stdio servers, so it mounts Docker socket to run them.

Q: How do I secure it? A: Use API keys, restrict backend tokens, and keep guard/policy configuration under review.

🙏

Source & Thanks

Source: https://github.com/github/gh-aw-mcpg > License: MIT > GitHub stars: 126 · forks: 22

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets