Skip to content

[SECURITY FEATURE]: Simple Endpoint Feature Flags (selectively enable or disable tools, resources, prompts, servers, gateways, roots) #537

New issue
New issue
Open
Feature
Open
[SECURITY FEATURE]: Simple Endpoint Feature Flags (selectively enable or disable tools, resources, prompts, servers, gateways, roots)#537
Feature
Assignees
crivetimihai
Labels
enhancementNew feature or requestfrontendFrontend development (HTML, CSS, JavaScript)pythonPython / backend development (FastAPI)securityImproves securitytriageIssues / Features awaiting triage
Milestone
Release 1.0.0
@crivetimihai

Description

@crivetimihai
crivetimihai
opened on Jul 20, 2025

🎛️ FEATURE: Enhanced Endpoint Feature Flags

Summary: Add configuration-based feature flags to enable/disable MCP capabilities (tools, resources, prompts, servers, gateways, roots) and additional system endpoints (REST API tools, metrics, version, docs, connection tester). Features are toggled via environment variables, and the UI/version endpoint shows which features are enabled.

All Feature Flags to Implement

Existing Flags (already implemented):

MCPGATEWAY_UI_ENABLED=false # Admin UI interface MCPGATEWAY_ADMIN_API_ENABLED=false # Admin API endpoints  MCPGATEWAY_BULK_IMPORT_ENABLED=true # Bulk import endpoint MCP_CLIENT_AUTH_ENABLED=true # JWT auth for MCP clients CORS_ENABLED=true # CORS middleware SECURITY_HEADERS_ENABLED=true # Security headers middleware FEDERATION_ENABLED=true # Gateway federation SSE_KEEPALIVE_ENABLED=true # SSE keepalive events JSON_RESPONSE_ENABLED=true # JSON vs SSE responses PLUGINS_ENABLED=false # Plugin framework

MCP Capability Flags (all missing):

FEATURES_TOOLS_ENABLED=true # /tools router FEATURES_RESOURCES_ENABLED=false # /resources router  FEATURES_PROMPTS_ENABLED=false # /prompts router FEATURES_SERVERS_ENABLED=true # /servers router FEATURES_GATEWAYS_ENABLED=true # /gateways router FEATURES_ROOTS_ENABLED=false # /roots router

System Feature Flags (all missing):

FEATURES_VERSION_ENABLED=true # /version router FEATURES_METRICS_ENABLED=true # /metrics router FEATURES_DOCS_ENABLED=true # /docs, /redoc endpoints FEATURES_REDOC_ENABLED=true # /redoc specifically FEATURES_REST_API_TOOLS_ENABLED=true # REST API conversion FEATURES_CONNECTION_TESTER_ENABLED=true # Admin UI testing

Additional Flags Needed:

FEATURES_TAGS_ENABLED=true # /tags router FEATURES_REVERSE_PROXY_ENABLED=false # reverse proxy functionality (conditional import exists)

Implementation

1. Update config.py

Add feature flag settings to the Settings class:

# In mcpgateway/config.py class Settings(BaseSettings): # ... existing settings ... # Feature Flags - MCP Capabilities # These control which endpoints/features are enabled features_tools_enabled: bool = True features_resources_enabled: bool = False features_prompts_enabled: bool = False features_servers_enabled: bool = True features_gateways_enabled: bool = True features_roots_enabled: bool = False # Feature Flags - Additional Features  features_tags_enabled: bool = True # /tags endpoint features_reverse_proxy_enabled: bool = False # reverse proxy functionality features_rest_api_tools_enabled: bool = True # REST API to MCP Tools conversion (future/not implemented) features_metrics_enabled: bool = True # /metrics endpoint features_version_enabled: bool = True # /version endpoint features_docs_enabled: bool = True # /docs endpoint features_redoc_enabled: bool = True # /redoc endpoint features_connection_tester_enabled: bool = True # Connection testing in UI (future/not implemented) # Helper property to get enabled features as a list @property def enabled_features(self) -> List[str]: """Get list of enabled MCP features.""" features = [] if self.features_tools_enabled: features.append("tools") if self.features_resources_enabled: features.append("resources") if self.features_prompts_enabled: features.append("prompts") if self.features_servers_enabled: features.append("servers") if self.features_gateways_enabled: features.append("gateways") if self.features_roots_enabled: features.append("roots") if self.features_tags_enabled: features.append("tags") return features @property def enabled_system_features(self) -> List[str]: """Get list of enabled system features.""" features = [] if self.features_reverse_proxy_enabled: features.append("reverse_proxy") if self.features_rest_api_tools_enabled: features.append("rest_api_tools") if self.features_metrics_enabled: features.append("metrics") if self.features_version_enabled: features.append("version") if self.features_docs_enabled: features.append("docs") if self.features_redoc_enabled: features.append("redoc") if self.features_connection_tester_enabled: features.append("connection_tester") return features # Helper to check if a feature is enabled def is_feature_enabled(self, feature: str) -> bool: """Check if a specific feature is enabled.""" return feature in self.enabled_features or feature in self.enabled_system_features

2. Update .env.example

Add the new feature flag sections:

##################################### # Feature Flags - MCP Capabilities ##################################### # Control which MCP features are enabled # Default: tools, servers, gateways enabled; resources, prompts, roots disabled # Tools - Enable tool discovery and execution FEATURES_TOOLS_ENABLED=true # Resources - Enable resource serving FEATURES_RESOURCES_ENABLED=false # Prompts - Enable prompt template management FEATURES_PROMPTS_ENABLED=false # Servers - Enable server management FEATURES_SERVERS_ENABLED=true # Gateways - Enable federation with other gateways or upstream MCP Servers FEATURES_GATEWAYS_ENABLED=true # Roots - Enable root capability exposure FEATURES_ROOTS_ENABLED=false # Tags - Enable /tags endpoint for entity tagging FEATURES_TAGS_ENABLED=true ##################################### # Feature Flags - System Features ##################################### # Control additional system features and endpoints # Reverse Proxy - Enable reverse proxy functionality FEATURES_REVERSE_PROXY_ENABLED=false # REST API Tools - Enable automatic REST API to MCP Tool conversion (future/not implemented) FEATURES_REST_API_TOOLS_ENABLED=true # Metrics - Enable /metrics endpoint for Prometheus monitoring FEATURES_METRICS_ENABLED=true # Version - Enable /version endpoint (both UI and API) FEATURES_VERSION_ENABLED=true # Docs - Enable /docs endpoint (Swagger UI) FEATURES_DOCS_ENABLED=true # ReDoc - Enable /redoc endpoint (ReDoc UI) FEATURES_REDOC_ENABLED=true # Connection Tester - Enable connection testing functionality in UI (future/not implemented) FEATURES_CONNECTION_TESTER_ENABLED=true

3. Update main.py to conditionally include routers and middleware

# In mcpgateway/main.py # Always create the base app app = FastAPI( title=settings.app_name, version=__version__, docs_url="/docs" if settings.features_docs_enabled else None, redoc_url="/redoc" if settings.features_redoc_enabled else None, openapi_url="/openapi.json" if (settings.features_docs_enabled or settings.features_redoc_enabled) else None, ) # Include routers based on feature flags app.include_router(protocol_router) # Always include protocol # Version endpoint - conditional if settings.features_version_enabled: app.include_router(version_router) else: logger.info("Version feature disabled - not mounting version routes") # Conditionally include feature routers if settings.features_tools_enabled: app.include_router(tool_router) else: logger.info("Tools feature disabled - not mounting tool routes") if settings.features_resources_enabled: app.include_router(resource_router) else: logger.info("Resources feature disabled - not mounting resource routes") if settings.features_prompts_enabled: app.include_router(prompt_router) else: logger.info("Prompts feature disabled - not mounting prompt routes") if settings.features_servers_enabled: app.include_router(server_router) else: logger.info("Servers feature disabled - not mounting server routes") if settings.features_gateways_enabled: app.include_router(gateway_router) else: logger.info("Gateways feature disabled - not mounting gateway routes") if settings.features_roots_enabled: app.include_router(root_router) else: logger.info("Roots feature disabled - not mounting root routes") # Tags endpoint - conditional if settings.features_tags_enabled: app.include_router(tag_router) else: logger.info("Tags feature disabled - not mounting tag routes") # Always include utility router app.include_router(utility_router) # Metrics endpoint - conditional if settings.features_metrics_enabled: app.include_router(metrics_router) else: logger.info("Metrics feature disabled - not mounting metrics routes") # Reverse proxy router - conditional (handles existing conditional import) if settings.features_reverse_proxy_enabled: try: from mcpgateway.routers.reverse_proxy import router as reverse_proxy_router app.include_router(reverse_proxy_router) logger.info("Reverse proxy router included") except ImportError: logger.warning("Reverse proxy router not available - feature disabled") else: logger.info("Reverse proxy feature disabled - not mounting reverse proxy routes") # Admin UI - if enabled if settings.mcpgateway_ui_enabled: app.include_router(admin_router)

4. Update version.py to show all enabled features

# In mcpgateway/version.py from mcpgateway.config import settings @router.get("/version", summary="Diagnostics (auth required)") async def version_endpoint( request: Request, fmt: Optional[str] = None, partial: Optional[bool] = False, _user=Depends(require_auth), ) -> Response: """Update existing version endpoint to include feature information.""" # ... existing Redis health check and payload building logic ... # Extend the existing payload with feature information payload = _build_payload(redis_version, redis_ok) # Add feature information to existing payload payload.update({ "features_enabled": settings.enabled_features, "system_features_enabled": settings.enabled_system_features, "features": { # MCP Features "tools": settings.features_tools_enabled, "resources": settings.features_resources_enabled, "prompts": settings.features_prompts_enabled, "servers": settings.features_servers_enabled, "gateways": settings.features_gateways_enabled, "roots": settings.features_roots_enabled, "tags": settings.features_tags_enabled, # System Features "reverse_proxy": settings.features_reverse_proxy_enabled, "rest_api_tools": settings.features_rest_api_tools_enabled, "metrics": settings.features_metrics_enabled, "version": settings.features_version_enabled, "docs": settings.features_docs_enabled, "redoc": settings.features_redoc_enabled, "connection_tester": settings.features_connection_tester_enabled, } }) # Return response using existing format logic if partial: templates = Jinja2Templates(directory=str(settings.templates_dir)) return templates.TemplateResponse(request, "version_info_partial.html", {"request": request, "payload": payload}) wants_html = fmt == "html" or "text/html" in request.headers.get("accept", "") if wants_html: return HTMLResponse(_render_html(payload)) return JSONResponse(payload)

5. Update Protocol Capabilities (Fix File Path)

CORRECTION: Update capabilities in mcpgateway/cache/session_registry.py (method: handle_initialize_logic):

# In mcpgateway/cache/session_registry.py async def handle_initialize_logic(self, body: Dict[str, Any]) -> InitializeResult: """Handle initialize request, only advertising enabled capabilities.""" # ... existing validation logic ... capabilities = {} if settings.features_tools_enabled: capabilities["tools"] = {"listChanged": True} if settings.features_resources_enabled: capabilities["resources"] = {"subscribe": True, "listChanged": True} if settings.features_prompts_enabled: capabilities["prompts"] = {"listChanged": True} if settings.features_roots_enabled: capabilities["roots"] = {"listChanged": True} # Always include logging capability capabilities["logging"] = {} return InitializeResult( protocolVersion=settings.protocol_version, capabilities=ServerCapabilities(**capabilities), serverInfo=Implementation( name=settings.app_name, version=__version__, features_enabled=settings.enabled_features, system_features_enabled=settings.enabled_system_features, ), instructions=("MCP Gateway providing federated tools, resources and prompts. Use /admin interface for configuration."), )

6. Update REST API Tools Integration (Future/Not Implemented)

NOTE: REST API to MCP tools auto-conversion doesn't exist yet. This flag is for future use or can gate bulk import functionality:

# Future implementation or in bulk import logic async def discover_rest_api_tools(): """Discover and convert REST APIs to MCP tools.""" if not settings.features_rest_api_tools_enabled: logger.info("REST API tools feature disabled - skipping REST API discovery") return [] # ... future REST API discovery logic ...

7. Update Admin UI Navigation and Features (Fix Template Path)

CORRECTION: Update mcpgateway/templates/admin.html (not admin_base.html). Note: No config object is currently passed to templates - this would need to be added:

# In mcpgateway/admin.py - pass settings to template context @admin_router.get("/") async def admin_dashboard(request: Request, user: str = Depends(require_auth)): """Admin dashboard.""" return templates.TemplateResponse( "admin.html", {"request": request, "config": settings} # Add settings to context )

Then conditionally show navigation items in template:

<!-- In mcpgateway/templates/admin.html - Update the tabs navigation --> <nav class="-mb-px flex space-x-8"> {% if config.features_servers_enabled %} <a href="#catalog" id="tab-catalog" data-testid="servers-tab" class="tab-link border-indigo-500 text-indigo-600 dark:text-indigo-500 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Virtual Servers Catalog </a> {% endif %} {% if config.features_tools_enabled %} <a href="#tools" id="tab-tools" data-testid="tools-tab" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Global Tools </a> {% endif %} {% if config.features_resources_enabled %} <a href="#resources" id="tab-resources" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Global Resources </a> {% endif %} {% if config.features_prompts_enabled %} <a href="#prompts" id="tab-prompts" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Global Prompts </a> {% endif %} {% if config.features_gateways_enabled %} <a href="#gateways" id="tab-gateways" data-testid="gateways-tab" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Gateways/MCP Servers </a> {% endif %} {% if config.features_roots_enabled %} <a href="#roots" id="tab-roots" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Roots </a> {% endif %} {% if config.features_metrics_enabled %} <a href="#metrics" id="tab-metrics" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Metrics </a> {% endif %} <a href="#logs" id="tab-logs" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Logs </a> {% if config.features_version_enabled %} <a href="#version-info" id="tab-version-info" class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm"> Version and Environment Info </a> {% endif %} <button @click="darkMode = !darkMode" class="p-2"> <span x-text="darkMode ? '☀️' : '🌙'"></span> </button> </nav>

8. Connection Tester (DEFERRED - Future Implementation)

NOTE: Connection Tester UI and API endpoints don't exist yet. The FEATURES_CONNECTION_TESTER_ENABLED flag is reserved for future implementation.

# Future implementation in mcpgateway/admin.py when connection tester is built # @admin_router.get("/test-connection") # Future endpoint # async def test_connection_page(request: Request): # """Connection test page (future implementation).""" # if not settings.features_connection_tester_enabled: # raise HTTPException(status_code=404, detail="Connection tester is disabled") #  # # Future: return test connection UI template

Testing

  1. Default configuration (all features enabled):

    curl http://localhost:4444/version # Should show all features enabled

  2. Disable documentation endpoints:

    FEATURES_DOCS_ENABLED=false FEATURES_REDOC_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /docs and /redoc should return 404

  3. Disable metrics:

    FEATURES_METRICS_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /metrics should return 404

  4. Disable REST API tools:

    FEATURES_REST_API_TOOLS_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # REST APIs won't be converted to MCP tools

  5. Disable version endpoint:

    FEATURES_VERSION_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /version should return 404

  6. Minimal mode (only core MCP protocol):

    FEATURES_RESOURCES_ENABLED=false \ FEATURES_PROMPTS_ENABLED=false \ FEATURES_ROOTS_ENABLED=false \ FEATURES_REST_API_TOOLS_ENABLED=false \ FEATURES_METRICS_ENABLED=false \ FEATURES_VERSION_ENABLED=false \ FEATURES_DOCS_ENABLED=false \ FEATURES_REDOC_ENABLED=false \ FEATURES_CONNECTION_TESTER_ENABLED=false \ mcpgateway --host 0.0.0.0 --port 4444

Alternative using uvicorn:

FEATURES_DOCS_ENABLED=false uvicorn mcpgateway.main:app --host 0.0.0.0 --port 4444

Benefits

  • Granular Control: Fine-grained control over individual features
  • Security: Can disable unnecessary endpoints in production
  • Performance: Reduced overhead by not loading unused features
  • Compliance: Disable documentation/metrics in sensitive environments
  • Simple: Just environment variables, no complex runtime management
  • Clear: Version endpoint (when enabled) shows what's active
  • Safe: Disabled features don't expose endpoints or functionality
  • Visual: UI adapts to show only enabled features

Documentation and Deployment Updates

9. Update README.md

Add feature flags section to environment variables table:

## Feature Flags Control which MCP capabilities and system endpoints are enabled: | Variable | Description | Default | |----------|-------------|---------| | `FEATURES_TOOLS_ENABLED` | Enable /tools router and tool functionality | `true` | | `FEATURES_RESOURCES_ENABLED` | Enable /resources router and resource serving | `false` | | `FEATURES_PROMPTS_ENABLED` | Enable /prompts router and prompt templates | `false` | | `FEATURES_SERVERS_ENABLED` | Enable /servers router and virtual server management | `true` | | `FEATURES_GATEWAYS_ENABLED` | Enable /gateways router and federation | `true` | | `FEATURES_ROOTS_ENABLED` | Enable /roots router and root capabilities | `false` | | `FEATURES_TAGS_ENABLED` | Enable /tags router and entity tagging | `true` | | `FEATURES_REVERSE_PROXY_ENABLED` | Enable reverse proxy functionality | `false` | | `FEATURES_METRICS_ENABLED` | Enable /metrics endpoint for Prometheus | `true` | | `FEATURES_VERSION_ENABLED` | Enable /version endpoint | `true` | | `FEATURES_DOCS_ENABLED` | Enable /docs Swagger UI endpoint | `true` | | `FEATURES_REDOC_ENABLED` | Enable /redoc documentation endpoint | `true` | | `FEATURES_REST_API_TOOLS_ENABLED` | Enable REST API to MCP tool conversion (future) | `true` | | `FEATURES_CONNECTION_TESTER_ENABLED` | Enable connection testing in UI (future) | `true` | ### Security Use Cases - **Production hardening**: Disable documentation endpoints (`FEATURES_DOCS_ENABLED=false`) - **Minimal deployment**: Enable only required capabilities - **Compliance**: Disable metrics/monitoring in sensitive environments - **Development**: Enable all features for testing

10. Update Helm Charts

Update charts/mcp-stack/values.yaml to include feature flags:

# Feature Flags Configuration mcpgateway: features: # MCP Capabilities tools_enabled: true resources_enabled: false prompts_enabled: false servers_enabled: true gateways_enabled: true roots_enabled: false tags_enabled: true # System Features reverse_proxy_enabled: false rest_api_tools_enabled: true metrics_enabled: true version_enabled: true docs_enabled: true redoc_enabled: true connection_tester_enabled: true

Update charts/mcp-stack/templates/configmap-gateway.yaml:

data: # ... existing config ... # Feature Flags FEATURES_TOOLS_ENABLED: "{{ .Values.mcpgateway.features.tools_enabled }}" FEATURES_RESOURCES_ENABLED: "{{ .Values.mcpgateway.features.resources_enabled }}" FEATURES_PROMPTS_ENABLED: "{{ .Values.mcpgateway.features.prompts_enabled }}" FEATURES_SERVERS_ENABLED: "{{ .Values.mcpgateway.features.servers_enabled }}" FEATURES_GATEWAYS_ENABLED: "{{ .Values.mcpgateway.features.gateways_enabled }}" FEATURES_ROOTS_ENABLED: "{{ .Values.mcpgateway.features.roots_enabled }}" FEATURES_TAGS_ENABLED: "{{ .Values.mcpgateway.features.tags_enabled }}" FEATURES_REVERSE_PROXY_ENABLED: "{{ .Values.mcpgateway.features.reverse_proxy_enabled }}" FEATURES_REST_API_TOOLS_ENABLED: "{{ .Values.mcpgateway.features.rest_api_tools_enabled }}" FEATURES_METRICS_ENABLED: "{{ .Values.mcpgateway.features.metrics_enabled }}" FEATURES_VERSION_ENABLED: "{{ .Values.mcpgateway.features.version_enabled }}" FEATURES_DOCS_ENABLED: "{{ .Values.mcpgateway.features.docs_enabled }}" FEATURES_REDOC_ENABLED: "{{ .Values.mcpgateway.features.redoc_enabled }}" FEATURES_CONNECTION_TESTER_ENABLED: "{{ .Values.mcpgateway.features.connection_tester_enabled }}"

11. Update Docker Compose

Add feature flags to docker-compose.yml:

services: mcpgateway: # ... existing config ... environment: # ... existing environment ... # Feature Flags - MCP Capabilities FEATURES_TOOLS_ENABLED: "true" FEATURES_RESOURCES_ENABLED: "false" FEATURES_PROMPTS_ENABLED: "false" FEATURES_SERVERS_ENABLED: "true" FEATURES_GATEWAYS_ENABLED: "true" FEATURES_ROOTS_ENABLED: "false" FEATURES_TAGS_ENABLED: "true" # Feature Flags - System Features  FEATURES_REVERSE_PROXY_ENABLED: "false" FEATURES_REST_API_TOOLS_ENABLED: "true" FEATURES_METRICS_ENABLED: "true" FEATURES_VERSION_ENABLED: "true" FEATURES_DOCS_ENABLED: "true" FEATURES_REDOC_ENABLED: "true" FEATURES_CONNECTION_TESTER_ENABLED: "true"

12. Update Kubernetes Deployments

Update deployment/k8s/mcp-context-forge-deployment.yaml:

apiVersion: apps/v1 kind: Deployment metadata: name: mcp-context-forge spec: template: spec: containers: - name: mcpgateway env: # ... existing env vars ... # Feature Flags - name: FEATURES_TOOLS_ENABLED value: "true" - name: FEATURES_RESOURCES_ENABLED value: "false" - name: FEATURES_PROMPTS_ENABLED value: "false" - name: FEATURES_SERVERS_ENABLED value: "true" - name: FEATURES_GATEWAYS_ENABLED value: "true" - name: FEATURES_ROOTS_ENABLED value: "false" - name: FEATURES_TAGS_ENABLED value: "true" - name: FEATURES_REVERSE_PROXY_ENABLED value: "false" - name: FEATURES_REST_API_TOOLS_ENABLED value: "true" - name: FEATURES_METRICS_ENABLED value: "true" - name: FEATURES_VERSION_ENABLED value: "true" - name: FEATURES_DOCS_ENABLED value: "true" - name: FEATURES_REDOC_ENABLED value: "true" - name: FEATURES_CONNECTION_TESTER_ENABLED value: "true"

13. Update Management Documentation

Add new section to docs/docs/manage/index.md:

## 🎛️ Feature Flags Control which endpoints and capabilities are enabled through environment variables. ### MCP Capability Flags | Flag | Default | Description | |------|---------|-------------| | `FEATURES_TOOLS_ENABLED` | `true` | Enable tool discovery and execution | | `FEATURES_RESOURCES_ENABLED` | `false` | Enable resource serving | | `FEATURES_PROMPTS_ENABLED` | `false` | Enable prompt template management | | `FEATURES_SERVERS_ENABLED` | `true` | Enable virtual server management | | `FEATURES_GATEWAYS_ENABLED` | `true` | Enable federation with other gateways | | `FEATURES_ROOTS_ENABLED` | `false` | Enable root capability exposure | | `FEATURES_TAGS_ENABLED` | `true` | Enable entity tagging | ### System Feature Flags | Flag | Default | Description | |------|---------|-------------| | `FEATURES_REVERSE_PROXY_ENABLED` | `false` | Enable reverse proxy functionality | | `FEATURES_METRICS_ENABLED` | `true` | Enable /metrics endpoint | | `FEATURES_VERSION_ENABLED` | `true` | Enable /version endpoint | | `FEATURES_DOCS_ENABLED` | `true` | Enable /docs Swagger UI | | `FEATURES_REDOC_ENABLED` | `true` | Enable /redoc documentation | ### Security Hardening Examples Disable documentation in production: ```bash FEATURES_DOCS_ENABLED=false FEATURES_REDOC_ENABLED=false

Minimal mode (only core protocol):

FEATURES_RESOURCES_ENABLED=false FEATURES_PROMPTS_ENABLED=false FEATURES_ROOTS_ENABLED=false FEATURES_METRICS_ENABLED=false FEATURES_DOCS_ENABLED=false FEATURES_REDOC_ENABLED=false

Check enabled features:

curl http://localhost:4444/version | jq .features
 ### 14. Update Deployment Guides Add feature flag sections to: - `docs/docs/deployment/kubernetes.md` - `docs/docs/deployment/helm.md` - `docs/docs/deployment/compose.md` - `docs/docs/deployment/container.md` ### 15. Update Security Documentation Add to `docs/docs/manage/securing.md`: ```markdown ## Endpoint Security via Feature Flags Disable unnecessary endpoints in production environments: ### Production Hardening Checklist - [ ] `FEATURES_DOCS_ENABLED=false` - Disable Swagger UI - [ ] `FEATURES_REDOC_ENABLED=false` - Disable ReDoc - [ ] Disable unused MCP capabilities (resources, prompts, roots) - [ ] `FEATURES_METRICS_ENABLED=false` - If not using monitoring - [ ] Verify `/version` endpoint doesn't expose sensitive info ### Compliance Scenarios **HIPAA/SOX Compliance:** ```bash FEATURES_DOCS_ENABLED=false FEATURES_REDOC_ENABLED=false FEATURES_METRICS_ENABLED=false FEATURES_VERSION_ENABLED=false

Zero-Trust Environment:

# Only enable absolutely required features FEATURES_RESOURCES_ENABLED=false FEATURES_PROMPTS_ENABLED=false FEATURES_ROOTS_ENABLED=false
 ## Out-of-Scope/Deferred Features - **Connection Tester UI/API**: No existing endpoints or templates (future implementation) - **REST API → MCP Tools auto-discovery**: No dedicated conversion module exists yet - **Transport-level gating**: MCP mount points can be handled separately This enhanced approach provides comprehensive control over all gateway features while maintaining simplicity through configuration flags.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestfrontendFrontend development (HTML, CSS, JavaScript)pythonPython / backend development (FastAPI)securityImproves securitytriageIssues / Features awaiting triage

Type

Feature

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions